ThreatPattern Definitions (Version 1)
Luke Murphey, 04/03/2010 12:54 AM
h1. ThreatPattern Definitions

ThreatPatterns are similar in concept to the signatures used by the Snort IDS. Below is a sample rule; it matches data served as @image/jpeg@ in which the RAR signature @Rar!@ is found after the JPEG end-of-image marker @FF D9@, i.e. an archive appended to an image:

<pre>
Alert("Abuse.DataHiding.Rar_File_In_Jpeg"){
    Message="A JPEG file with a RAR file appended was observed";
    Severity="Low";
    ID=1000194;
    Version=1;
    BasicEncoding;
    Byte="FF D9";
    String="Rar!"; Offset=0;
    ContentType="image/jpeg";
    Reference=url,lifehacker.com/software/encryption/hide-files-in-jpeg-images-207905.php;
    Reference=url,schmidt.devlib.org/file-formats/rar-archive-file-format.html;
}
</pre>

h2. Definition Verb

Each rule starts with an action verb that tells the system what to do when the rule matches. The action verbs are as follows:

|*Verb*|*Operation*|*Notes*|
|Eval|Causes the rule to be evaluated but no action taken.|Only valid when a Set option is used. Used to set a flag that another signature can test (allows the rules to maintain state).|
|Alert|Causes the rule to indicate that a match has been found.|Used only to determine whether the site may be compromised.|
|Block|Causes the resource to be blocked (the end user cannot access it).|Useful when a proxy is used to control access to the servers; not currently implemented.|

{{include(Definition_Naming_Convention)}}

h2. Definition Body

A definition body is composed of options that are used to draw conclusions about the data being examined. The options are listed below:

|*Option*|*Required*|*Value*|*Example*|*Description*|
|ID|Yes|<integer>|10012441|Unique numeric identifier of the rule|
|Message|Yes|<string>|A JPEG file with a RAR file appended was observed|Text reported when the rule matches|
|Version||<integer>|3|Revision number of the rule|
|String||<string>|haxored|Looks for the given string|
|Regex||PCRE|/apple/i|Looks for the given regular expression (PCRE syntax)|
|Bytes||bytes|90 90 90|Looks for the given bytes (hexadecimal)|
|Set||<string>||Sets the given variable (allows rules to maintain state)|
|UnSet||<string>||Unsets the given variable (allows rules to maintain state)|
|IfSet||<string>||Makes the action dependent upon the variable being set|
|IfNotSet||<string>||Makes the action dependent upon the variable not being set|
|Distance||<integer>||Sets a maximum depth into the data that the definition will examine (from the|
|Offset||<integer>|0|Sets how much data should be skipped after the previous content option's match|
|Depth||<integer>|||
|Within||<integer>|||
|ByteTest||operation|4 digits >= 128 (hexadecimal)|Accepts options such as big-endian, little-endian, hexadecimal and absolute-value, and can operate on either digits (character representations of a number) or bytes (integer values)|
|ByteJump||operation|4 bytes (big-endian, align-8)|Accepts options such as big-endian, little-endian, hexadecimal, absolute-value, octal, align-4 and align-8, and can operate on either digits (character representations of a number) or bytes (integer values)|
|Reference||<string>|url,threatfactor.com|External reference, given as type,location|
|BasicEncoding||flag||Causes the evaluator to skip character set decoding and treat the data as raw bytes (or ASCII)|
|IsDataAt||<integer>|||
|Toggle||<string>|||
|Severity||<string>|Low|Severity assigned to a match|
|ContentType||<string>|image/jpeg|Restricts the rule to data served with the given content type|
|URI||<string>|||
|IgnoreCase||flag||Makes string matching case-insensitive|
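The Python script below is an added example written for this page; it is not NSIA's own parser or evaluator. It parses rules in the syntax shown above (the sample rule from the top of the page, plus two constructed rules with names prefixed @Example.@ that exercise Eval, Set and IfSet) and runs them over constructed byte strings. The matching semantics are assumptions made for the example, not documented behaviour: content options (String, Byte/Bytes, Regex) are searched left to right, Offset skips that many bytes after the previous match and then searches onward (so @Offset=0@ means "anywhere after the previous match", not "immediately after"), Depth bounds the search window, and ContentType, IfSet and IfNotSet gate the whole rule. ByteTest, ByteJump, Distance, Within, IsDataAt, Toggle and URI are parsed but not evaluated.

```python
import re

# Added example (not NSIA's own code). Grammar as shown on this page:
#   Verb("Name"){ Option=Value; Option="quoted"; Flag; ... }
# Matching semantics below are assumptions made for the example.

# Constructed rule set: the page's sample rule plus two made-up rules
# (prefixed Example.) that show Eval/Set/IfSet state handling.
SAMPLE_RULES = r'''
Alert("Abuse.DataHiding.Rar_File_In_Jpeg"){
    Message="A JPEG file with a RAR file appended was observed";
    Severity="Low"; ID=1000194; Version=1; BasicEncoding;
    Byte="FF D9";
    String="Rar!"; Offset=0;
    ContentType="image/jpeg";
    Reference=url,lifehacker.com/software/encryption/hide-files-in-jpeg-images-207905.php;
}
Eval("Example.State.Jpeg_Header"){
    Message="constructed: remember that the data starts with a JPEG SOI marker";
    ID=1000001; Version=1;
    Byte="FF D8 FF"; Depth=3;
    Set="jpeg_header";
}
Alert("Example.State.Script_In_Jpeg"){
    Message="constructed: script tag inside data previously flagged as a JPEG";
    ID=1000002; Version=1;
    IfSet="jpeg_header";
    Regex="/<script/i";
}
'''

RULE_RE = re.compile(r'(Eval|Alert|Block)\("([^"]+)"\)\s*\{(.*?)\}', re.S)
OPTION_RE = re.compile(r'(\w+)\s*(?:=\s*(?:"([^"]*)"|([^;]+)))?\s*;')
CONTENT = {"String", "Byte", "Bytes", "Regex"}
MODIFIERS = {"Offset", "Depth", "IgnoreCase"}  # assumed to modify the content option before them


def parse_rules(text):
    """Parse rule text into a list of (verb, name, [(option, value), ...])."""
    rules = []
    for verb, name, body in RULE_RE.findall(text):
        options = []
        for m in OPTION_RE.finditer(body):
            key, quoted, bare = m.group(1), m.group(2), m.group(3)
            if quoted is not None:
                value = quoted
            elif bare is not None:
                bare = bare.strip()
                value = int(bare) if bare.isdigit() else bare
            else:
                value = True  # bare flag such as BasicEncoding
            options.append((key, value))
        rules.append((verb, name, options))
    return rules


def compile_regex(spec):
    """Turn a PCRE-style /pattern/flags value into a compiled bytes regex."""
    m = re.fullmatch(r'/(.*)/([a-z]*)', spec, re.S)
    if not m:
        raise ValueError(f"bad Regex value: {spec}")
    return re.compile(m.group(1).encode(), re.I if "i" in m.group(2) else 0)


def find(kind, value, data, start, end, ignore_case):
    """Search data[start:end] for one content option; return end of the match or -1."""
    window = data[start:end]
    if kind == "Regex":
        hit = compile_regex(value).search(window)
    else:
        needle = bytes.fromhex(value) if kind in ("Byte", "Bytes") else value.encode()
        hit = re.search(re.escape(needle), window, re.I if ignore_case else 0)
    return start + hit.end() if hit else -1


def evaluate(rule, data, content_type, state):
    """Return True if rule matches data; on a match apply its Set/UnSet options to state."""
    _verb, name, options = rule
    meta, matchers = {}, []
    for key, value in options:
        if key in CONTENT:
            matchers.append((key, value, {}))
        elif key in MODIFIERS:
            if not matchers:
                raise ValueError(f"{name}: {key} has no preceding content option")
            matchers[-1][2][key] = value
        else:
            meta.setdefault(key, []).append(value)  # ID, Message, Set, IfSet, ContentType, ...
    if "ContentType" in meta and content_type not in meta["ContentType"]:
        return False
    if any(f not in state for f in meta.get("IfSet", [])) or any(f in state for f in meta.get("IfNotSet", [])):
        return False
    cursor = 0  # content options are matched left to right, each after the previous match
    for kind, value, mods in matchers:
        start = cursor + int(mods.get("Offset", 0))
        end = min(len(data), start + int(mods["Depth"])) if "Depth" in mods else len(data)
        cursor = find(kind, value, data, start, end, mods.get("IgnoreCase", False))
        if cursor < 0:
            return False
    state.update(meta.get("Set", []))
    state.difference_update(meta.get("UnSet", []))
    return True


def scan(rules, data, content_type):
    """Run all rules in order with shared state; return (verb, name) for Alert/Block matches."""
    state, hits = set(), []
    for rule in rules:
        if evaluate(rule, data, content_type, state) and rule[0] != "Eval":
            hits.append((rule[0], rule[1]))
    return hits


# Constructed inputs: a minimal JPEG skeleton (SOI ... EOI), one with a RAR
# signature appended, and one with a script tag appended instead.
JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 12 + b"\xff\xd9"
RAR_IN_JPEG = JPEG + b"Rar!\x1a\x07\x00" + b"\x00" * 8
SCRIPT_IN_JPEG = JPEG + b"<SCRIPT>alert(1)</script>"
```

Running @scan(parse_rules(SAMPLE_RULES), RAR_IN_JPEG, "image/jpeg")@ reports the sample Alert; the same bytes served as @text/plain@ report nothing because ContentType gates the rule before any content is searched. The two Example rules show the Eval/Set/IfSet pattern from the verb table: the Eval rule never produces a hit itself, it only sets @jpeg_header@ when the data begins with the SOI marker, and the second Alert fires only when that flag is already set, so a script tag in data that does not start with a JPEG header is ignored.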