ThreatPattern Definitions » History » Version 3

Luke Murphey, 04/03/2010 03:18 AM

h1. ThreatPattern Definitions

ThreatPatterns are similar in concept to the signatures used by the Snort IDS. Below is a sample rule:

<pre>
Alert("Abuse.DataHiding.Rar_File_In_Jpeg"){
        Message="A JPEG file with a RAR file appended was observed";
        Severity="Low";
        ID=1000194;
        Version=1;
        BasicEncoding;
        Byte="FF D9";
        String="Rar!"; Offset=0;
        ContentType="image/jpeg";
        Reference=url,lifehacker.com/software/encryption/hide-files-in-jpeg-images-207905.php;
        Reference=url,schmidt.devlib.org/file-formats/rar-archive-file-format.html;
}
</pre>

h2. Definition Verb

Each rule starts with an action verb that tells the system what to do when the rule matches. The action verbs are as follows:

|*Verb*|*Operation*|*Notes*|
|Eval  |Causes the rule to be evaluated but no action taken.|Only valid when a Set option is used. Used to set a flag that another definition can test (allows the rules to maintain state).|
|Alert |Causes the rule to indicate that a match has been found.|Used only to determine if the site may be compromised.|
|Block |Causes the resource to be blocked (the end user cannot access it).|Useful when a proxy is used to control access to the servers; not currently used.|

{{include(Definition_Naming_Convention)}}

h2. Definition Body

The definition body is composed of options that are used to draw conclusions about the data being analyzed. The available options are listed below:

h3. Meta-Data Options

The following options are used to provide information about the definition:

|*Option*|*Required*|*Value*|*Example*|*Description*|
| ID | Yes | <integer> | ID=10012441 | Unique numeric identifier of the definition |
| Message | Yes | <string> | Message="Malicious Website Discovered" | Text reported when the definition matches |
| Version | | <integer> | Version=3 | Revision number of the definition |
| Reference | | <string> | Reference=url,threatfactor.com | Types of references are: url, bugtraq, cve, nessus, arachnids, mcafee |
| Severity | | <string> | Severity="Medium" | Must be low, medium or high; required if the definition verb is Alert or Block |

h3. Data Analysis Options (Evaluators)

|*Option*|*Required*|*Value*|*Example*|*Description*|
| String | | <string> | String=haxored | Looks for the given string value |
| Regex | | PCRE | Regex=/apple/i | Looks for a match of the given regular expression (in PCRE format) |
| Byte | | Bytes | Byte=90 90 90 | Looks for the given byte sequence |
| ContentType | | PCRE or <string> | ContentType=/text.*//i | Matches the content type. The content type is inferred by the scanning engine from the file contents, the HTTP headers and the file extension. |
| URI | | <string> | URI="http://google.com" | Matches the URI of the resource being analyzed |
| IgnoreCase | | | | Makes the preceding evaluator case-insensitive; synonymous with "NoCase" |
| BasicEncoding | | <string> | | Causes the evaluator to skip character set decoding and treat the data as raw bytes (or ASCII) |
| IsDataAt | | <integer> | | Tests whether data exists at the given position (evaluates to false if the data stream ends before that position) |
| Offset | | <integer> | Offset=128 | Sets how much data is skipped after the previous evaluator before this one is applied |
| Depth | | <integer> | Depth=1024 | Sets the maximum depth into the data that the definition will examine (relative to the beginning of the data stream) |
| Within | | <integer> | Within=512 | Sets how many characters or bytes are analyzed for the preceding evaluator before giving up. Often used to improve performance by limiting the amount of data a definition has to analyze. |
| ByteTest | | operation | 4 digits >= 128 (hexadecimal) | Accepts options such as big-endian, little-endian, hexadecimal and absolute-value, and can operate on either digits (character representations of a number) or bytes (integer values) |
| ByteJump | | operation | 4 bytes (big-endian, align-8) | Accepts options such as big-endian, little-endian, hexadecimal, absolute-value, octal, align-4 and align-8, and can operate on either digits (character representations of a number) or bytes (integer values) |

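To make the evaluator chain concrete, here is an added example (not ThreatFactor's own engine) that evaluates the sample Rar_File_In_Jpeg definition against constructed input. It assumes Offset is relative to the end of the previous evaluator's match, Depth is relative to the start of the data, and Within bounds the search of the evaluator it follows; only the Byte, String and ContentType evaluators are implemented.

```python
# Added example, not ThreatFactor's engine. Assumed semantics: Offset is
# relative to the end of the previous match, Depth to the start of the data,
# and Within bounds the search of the evaluator it follows.

# Constructed sample inputs (not from the page): a tiny "JPEG" ending in the
# EOI marker FF D9 with a RAR header appended, and a clean one.
JPEG_WITH_RAR = (b"\xff\xd8" + b"\x00" * 32 + b"\xff\xd9"
                 + b"Rar!\x1a\x07\x00" + b"\x00" * 8)
CLEAN_JPEG = b"\xff\xd8" + b"\x00" * 32 + b"\xff\xd9"

# The sample definition's evaluators, in the order its options appear.
RAR_IN_JPEG = [("Byte", "FF D9"), ("String", "Rar!"), ("Offset", 0),
               ("ContentType", "image/jpeg")]

POSITIONAL = {"Offset", "Depth", "Within"}
EVALUATORS = {"Byte", "String", "ContentType"}

def group_options(options):
    """Attach each Offset/Depth/Within to the evaluator that precedes it."""
    groups = []
    for name, value in options:
        if name in POSITIONAL:
            if not groups:
                raise ValueError(f"{name} must follow an evaluator")
            groups[-1][1][name] = value
        elif name in EVALUATORS:
            groups.append((name, {"value": value}))
        else:
            raise ValueError(f"unsupported option {name}")
    return groups

def evaluate(data: bytes, content_type: str, options) -> bool:
    """Return True only when every evaluator in the chain matches."""
    cursor = 0  # end of the previous match
    for name, mods in group_options(options):
        if name == "ContentType":
            if content_type != mods["value"]:
                return False
            continue
        needle = (bytes.fromhex(mods["value"]) if name == "Byte"
                  else mods["value"].encode())
        start = cursor + mods.get("Offset", 0)
        end = len(data)
        if "Depth" in mods:   # absolute bound from the start of the data
            end = min(end, mods["Depth"])
        if "Within" in mods:  # bound relative to where this search starts
            end = min(end, start + mods["Within"])
        hit = data.find(needle, start, end)
        if hit < 0:
            return False
        cursor = hit + len(needle)
    return True
```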
h3. Variable Options

|*Option*|*Required*|*Value*|*Example*|*Description*|
| Set | | <string> | Set="IframeFound" | Sets the given variable (allows rules to maintain state) |
| UnSet | | <string> | UnSet="IframeFound" | Unsets the given variable (allows rules to maintain state) |
| IfSet | | <string> | IfSet="ActiveX" | Makes the action dependent upon the variable being set |
| IfNotSet | | <string> | IfNotSet="ActiveX" | Makes the action dependent upon the variable not being set |
| Toggle | | <string> | Toggle="JavaScriptFound" | Toggles the given variable (sets it if unset, unsets it if set) |

h2. How Definitions Analyze Data

A definition is considered a match when none of the

h2. Relative Evaluators

Options can be made relative by adding the

h2. Mixed Mode Options