Project

General

Profile

Writing Definitions » History » Version 8

Luke Murphey, 04/02/2010 09:02 PM

1 4 Luke Murphey
h1. Definitions
2 1 Luke Murphey
3 1 Luke Murphey
h2. Definition Types
4 1 Luke Murphey
5 1 Luke Murphey
NSIA supports two types of definitions:
6 1 Luke Murphey
7 1 Luke Murphey
 * ThreatPattern
8 1 Luke Murphey
 * ThreatScript
9 2 Luke Murphey
10 3 Luke Murphey
|*ThreatScript*                                                       |*ThreatPattern*|
11 2 Luke Murphey
|Written in ECMAScript / JavaScript                                   |Written in a format similar to Snort|
12 2 Luke Murphey
|Somewhat complex to create                                           |Simple and easy to create|
13 4 Luke Murphey
|Can auto-baseline tune itself                                        |Must be ignored completely when it triggers as a false positive|
14 2 Luke Murphey
|Is stateful (remember things from previous scans)                    |Is stateless (cannot remember things from previous scans)|
15 2 Luke Murphey
|Are slower than ThreatSignatures                                     |Are faster than ThreatScripts|
16 1 Luke Murphey
|Very flexible detection logic; can be used to detect nearly anything |Functionality limited to what regular expressions|
17 2 Luke Murphey
18 4 Luke Murphey
h2. Definition IDs
19 1 Luke Murphey
20 2 Luke Murphey
Custom definitions must have an ID of 1000000 or more; only official definitions can have IDs of less than 1000000.
21 1 Luke Murphey
22 4 Luke Murphey
h2. Identifying Definition Errors
23 1 Luke Murphey
24 1 Luke Murphey
NSIA will parse definitions before they are saved in order to identify syntax and some semantic errors. Errors that are discovered during runtime are noted on the definition errors page (e.g. http://127.0.0.1:8080/Definitions/Errors) and in the event logs (e.g. http://127.0.0.1:8080/System/Eventlog).
25 1 Luke Murphey
26 4 Luke Murphey
Note that ThreatScript definitions will be flagged as having an error if they fail to complete within 10 seconds (see ScriptDefinition.MAX_SCRIPT_RUNTIME).
27 1 Luke Murphey
28 4 Luke Murphey
h2. Creating a ThreatPattern
29 1 Luke Murphey
30 5 Luke Murphey
ThreatPattern's similar in concept to the signatures used by the Snort IDS system. Below is a sample rule:
31 5 Luke Murphey
32 4 Luke Murphey
<pre>
33 4 Luke Murphey
Alert("Abuse.DataHiding.Rar_File_In_Jpeg"){
34 4 Luke Murphey
        Message="A JPEG file with a RAR file appended was observed";
35 4 Luke Murphey
        Severity="Low";
36 4 Luke Murphey
        ID=194;
37 4 Luke Murphey
        Version=1;
38 4 Luke Murphey
        BasicEncoding;
39 4 Luke Murphey
        Byte="FF D9";
40 4 Luke Murphey
        String="Rar!"; Offset=0;
41 4 Luke Murphey
        ContentType="image/jpeg";
42 4 Luke Murphey
        Reference=url,lifehacker.com/software/encryption/hide-files-in-jpeg-images-207905.php;
43 4 Luke Murphey
        Reference=url,schmidt.devlib.org/file-formats/rar-archive-file-format.html;
44 4 Luke Murphey
}
45 4 Luke Murphey
</pre>
46 2 Luke Murphey
47 5 Luke Murphey
The rules start with a action that indicates what the system should do with the rule. The action verbs are as follows:
48 5 Luke Murphey
49 4 Luke Murphey
|*Verb*|*Operation*                                                |*Notes*|
50 4 Luke Murphey
|Eval  |Causes the rule to be evaluated but no action taken.       |Only valid when an Set option is used. Used to set a flag that may be used in another signature (allows the rules to maintain state).|
51 1 Luke Murphey
|Alert |Causes the rule to indicate that a match has been found.   |Used only to determine if the site may be compromised.|
52 5 Luke Murphey
|Block |Causes the resource to be blocked (end user cannot access) |Useful when using a proxy to control access to the servers; this is not currently used yet.|
53 1 Luke Murphey
54 5 Luke Murphey
The following is a list of the various options:
55 5 Luke Murphey
56 6 Luke Murphey
|*Option*         |*Required* |*Value*      |*Example*|*Description*|
57 5 Luke Murphey
| ID            | Yes     | <integer> | 10012441 | |
58 5 Luke Murphey
| Version       |         | <integer> | 3 | |
59 5 Luke Murphey
| String        |         | <string>  | haxored | Looks for the given String value |
60 5 Luke Murphey
| Regex         |         | PCRE      | /apple/i | Looks for the given Regex (in PCRE format) |
61 5 Luke Murphey
| Bytes         |         | Bytes     | 90 90 90 | Looks for the given bytes |
62 5 Luke Murphey
| Set           |         | <string>  | | Sets the given variable (allows rules to maintain state) |
63 5 Luke Murphey
| UnSet         |         | <string>  | | Unsets the given variable (allows rules to maintain state) |
64 5 Luke Murphey
| IfSet         |         | <string>  | | Makes the action dependent upon whether the variable exists |
65 5 Luke Murphey
| IfNotSet      |         | <string>  | | Opposite of above |
66 5 Luke Murphey
| Distance      |         | <string>  | | Sets a maximum depth into the data that the definition will examine (from the  |
67 5 Luke Murphey
| Offset        |         | <string>  | | Sets how much data should be skipped from the previous operator |
68 8 Luke Murphey
| Depth         |         | <integer> | | |
69 5 Luke Murphey
| Within        |         | <string>  | | |
70 7 Luke Murphey
| ByteTest      |         | operation | 4 digits >= 128 (hexadecimal) | Can accept options such as big-endian, little-endian, hexadecimal, absolute-value and can operate on both digits (character representations of a number) or bytes (integer values) |
71 7 Luke Murphey
| ByteJump      |         | operation | 4 bytes (big-endian, align-8) | Can accept options such as big-endian, little-endian, hexadecimal, absolute-value, octal, align-4 and align-8 and can operate on both digits (character representations of a number) or bytes (integer values)|
72 7 Luke Murphey
| Reference     |         | <string>  | url,threatfactor.com | |
73 1 Luke Murphey
| BasicEncoding |         | <string>  | | Causes the evaluator to skip character set encoding and treat the data as if it is raw bytes (or ASCII encoded) |
74 8 Luke Murphey
| IsDataAt      |         | <integer> | |  |
75 8 Luke Murphey
| Toggle        |         | <string>  | |  |
76 8 Luke Murphey
| Severity      |         | <integer> | |  |
77 8 Luke Murphey
| ContentType   |         | <string>  | |  |
78 8 Luke Murphey
| URI           |         | <string>  | |  |
79 8 Luke Murphey
| IgnoreCase    |         |           | |  |
80 2 Luke Murphey
81 2 Luke Murphey
82 4 Luke Murphey
h2. Creating a ThreatScript