ThreatPattern Definitions » History » Version 3
Version 2 (Luke Murphey, 04/03/2010 01:35 AM) → Version 3/15 (Luke Murphey, 04/03/2010 03:18 AM)
h1. ThreatPattern Definitions
ThreatPatterns are similar in concept to the signatures used by the Snort IDS. Below is a sample rule:
<pre>
Alert("Abuse.DataHiding.Rar_File_In_Jpeg"){
Message="A JPEG file with a RAR file appended was observed";
Severity="Low";
ID=1000194;
Version=1;
BasicEncoding;
Byte="FF D9";
String="Rar!"; Offset=0;
ContentType="image/jpeg";
Reference=url,lifehacker.com/software/encryption/hide-files-in-jpeg-images-207905.php;
Reference=url,schmidt.devlib.org/file-formats/rar-archive-file-format.html;
}
</pre>
h2. Definition Verb
Each rule starts with an action verb that tells the system what to do with the rule. The action verbs are as follows:
|*Verb*|*Operation* |*Notes*|
|Eval |Causes the rule to be evaluated but no action taken. |Only valid when a Set option is used. Used to set a flag that may be used in another signature (allows the rules to maintain state).|
|Alert |Causes the rule to indicate that a match has been found. |Used only to determine if the site may be compromised.|
|Block |Causes the resource to be blocked (the end user cannot access it). |Useful when using a proxy to control access to the servers; this is not currently used.|
{{include(Definition_Naming_Convention)}}
h2. Definition Body
The definition body is composed of options that are used to draw conclusions about the data being analyzed. The available options are listed below:
h3. Meta-Data Options
The following options are used to provide information about the definition:
|*Option* |*Required*|*Value* |*Example* |*Description*|
| ID | Yes | <integer> | ID=10012441 | |
| Message | Yes | <string> | Message="Malicious Website Discovered" | |
| Version | | <integer> | Version=3 | |
| Reference | | <string> | Reference=url,threatfactor.com | Types of references are: url, bugtraq, cve, nessus, arachnids, mcafee |
| Severity | | <string> | Severity="Medium" | Must be either low, medium or high and is required if the definition verb is alert or block |
h3. Data Analysis Options (Evaluators)
|*Option* |*Required*|*Value* |*Example* |*Description*|
| String | | <string> | String=haxored | Looks for the given string value |
| Regex | | PCRE | Regex=/apple/i | Looks for the given regular expression (in PCRE format) |
| Byte | | Bytes | Byte=90 90 90 | Looks for the given bytes |
| ContentType | | PCRE or <string> | ContentType=/text.*//i | Matches a given content type. The content type is inferred by the scanning engine based upon the file contents, HTTP headers and file extension. |
| URI | | <string> | URI="http://google.com" | |
| IgnoreCase | | | | Synonymous with "NoCase" |
| BasicEncoding | | | | Causes the evaluator to skip character set encoding and treat the data as if it is raw bytes (or ASCII encoded) |
| IsDataAt | | <integer> | | Determines if data is at the given position (i.e. equates to false if the data stream ends before the value provided) |
| Offset | | <integer> | Offset=128 | Sets how much data should be skipped from the previous operator |
| Depth | | <integer> | Depth=1024 | Sets a maximum depth into the data that the definition will examine (relative to the beginning of the data stream) |
| Within | | <integer> | Within=512 | Sets how many characters or bytes to analyze for the previous option before giving up. This is often used to improve the performance of definitions by limiting the amount of data they have to analyze. |
| ByteTest | | operation | 4 digits >= 128 (hexadecimal) | Can accept options such as big-endian, little-endian, hexadecimal and absolute-value, and can operate on either digits (character representations of a number) or bytes (integer values) |
| ByteJump | | operation | 4 bytes (big-endian, align-8) | Can accept options such as big-endian, little-endian, hexadecimal, absolute-value, octal, align-4 and align-8, and can operate on either digits (character representations of a number) or bytes (integer values) |
h3. Variable Options
|*Option* |*Required*|*Value* |*Example* |*Description*|
| Set | | <string> | Set="IframeFound" | Sets the given variable (allows rules to maintain state) |
| UnSet | | <string> | UnSet="IframeFound" | Unsets the given variable (allows rules to maintain state) |
| IfSet | | <string> | IfSet="ActiveX" | Makes the action dependent upon whether the variable exists |
| IfNotSet | | <string> | IfNotSet="ActiveX" | Opposite of above |
| Toggle | | <string> | Toggle="JavaScriptFound" | |
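The option semantics in the tables above, worked as a small Python interpreter that runs the page's Rar-in-JPEG rule against constructed input. This is an added example written for this page, not ThreatFactor's own engine; it assumes evaluators run in order, that Offset counts from the end of the previous match, that Depth is measured from the start of the data and Within from the search start, and that variables are plain flags. The Ctx, find and evaluate names are the example's own.

```python
# Added example, not ThreatFactor's code: a minimal interpreter for the options in the
# tables above. Assumed: evaluators run in order, Offset counts from the end of the
# previous match, Depth from the start of the data, Within from the search start.
from dataclasses import dataclass, field

@dataclass
class Ctx:
    data: bytes                                # resource being scanned
    content_type: str                          # inferred by the engine; given here
    pos: int = 0                               # end of the previous match
    flags: set = field(default_factory=set)    # Set / IfSet state, shareable across rules

def find(ctx, needle, mods):
    """Byte= / String= evaluator honouring the Offset, Depth and Within modifiers."""
    start = ctx.pos + mods.get("Offset", 0)
    end = min(len(ctx.data), mods.get("Depth", len(ctx.data)))
    if "Within" in mods:
        end = min(end, start + mods["Within"] + len(needle))
    idx = ctx.data.find(needle, start, end)
    if idx < 0:
        return False
    ctx.pos = idx + len(needle)
    return True

def evaluate(rule, ctx):
    """A rule matches only when every one of its evaluators succeeds, in order."""
    for step in rule:
        if "Byte" in step:
            ok = find(ctx, bytes.fromhex(step["Byte"]), step)
        elif "String" in step:                 # BasicEncoding: raw ASCII bytes
            ok = find(ctx, step["String"].encode("ascii"), step)
        elif "ContentType" in step:
            ok = ctx.content_type == step["ContentType"]
        elif "IfSet" in step:
            ok = step["IfSet"] in ctx.flags
        elif "Set" in step:                    # set.add() returns None, so ok is True
            ok = ctx.flags.add(step["Set"]) is None
        else:
            raise ValueError(f"unsupported option: {step}")
        if not ok:
            return False
    return True

# The page's Abuse.DataHiding.Rar_File_In_Jpeg body, written as evaluator steps.
RAR_IN_JPEG = [{"Byte": "FF D9"}, {"String": "Rar!", "Offset": 0},
               {"ContentType": "image/jpeg"}]
# Constructed inputs: a JPEG-like blob with a RAR signature after the EOI marker, and one without.
JPEG_WITH_RAR = b"\xff\xd8\xff\xe0" + b"\x00" * 12 + b"\xff\xd9" + b"Rar!\x1a\x07\x00"
JPEG_CLEAN = b"\xff\xd8\xff\xe0" + b"\x00" * 12 + b"\xff\xd9"
```

Passing the same `flags` set to several Ctx instances is how an Eval rule's Set can feed a later Alert rule's IfSet.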
h2. How Definitions Analyze Data
A definition is considered a match when none of the
h2. Relative Evaluators
Options can be made relative by adding the
h2. Mixed Mode Options
| IgnoreCase | | | | Synonymous with "NoCase" |