Thursday, February 18, 2010

SRW - Snort Rules Week (VRT and ET) - edition 3 (08 Feb 2010/14 Feb 2010)

This week's SRW came out a little late, since I also enjoy Carnival like every Brazilian =)!

Last week was the famous Black Tuesday week (great SANS post here), i.e. the second Tuesday of the month, on which Microsoft releases its beloved updates.

The VRT released the following rules this week, with a strong focus on covering the threats that Microsoft patched in these updates.

16395 <-> NETBIOS SMB COPY command oversized pathname attempt
16405 <-> ICMP Microsoft Windows Ipv6pHandleRouterAdvertisement Prefix Information stack buffer overflow attempt
16409 <-> WEB-CLIENT Microsoft PowerPoint improper filename remote code execution attempt
16410 <-> WEB-CLIENT Microsoft PowerPoint file LinkedSlide10Atom record parsing heap corruption attempt
16411 <-> WEB-CLIENT Microsoft PowerPoint out of bounds value remote code execution attempt
16412 <-> WEB-CLIENT Microsoft PowerPoint invalid TextByteAtom remote code execution attempt
16413 <-> WEB-CLIENT Microsoft PowerPoint invalid TextCharsAtom remote code execution attempt
16414 <-> WEB-CLIENT Windows Shell Handler remote code execution attempt
16415 <-> WEB-CLIENT Microsoft DirectShow memory corruption attempt
16416 <-> WEB-CLIENT Malformed XLS MSODrawing Record
16417 <-> NETBIOS SMB Negotiate Protocol Response overflow attempt
16418 <-> NETBIOS DELETED SMB client NULL deref race condition attempt - DISABLED
16419 <-> WEB-ACTIVEX Microsoft Data Analyzer 3.5 ActiveX clsid access
16420 <-> WEB-ACTIVEX Microsoft Data Analyzer 3.5 ActiveX clsid unicode access
16421 <-> EXPLOIT Microsoft PowerPoint out of bounds value remote code execution attempt
16422 <-> EXPLOIT JPEG with malformed SOFx field
16423 <-> WEB-CLIENT IE7/8 execute local file in Internet zone redirect attempt
16394 <-> DOS Active Directory Kerberos referral TGT renewal DoS attempt
16396 <-> NETBIOS SMB server srvnet.sys driver race condition attempt
16408 <-> DOS Microsoft Windows TCP SACK invalid range denial of service attempt
16397 <-> NETBIOS SMB andx invalid server name share access
16398 <-> NETBIOS SMB invalid server name share access
16399 <-> NETBIOS SMB unicode andx invalid server name share access
16400 <-> NETBIOS SMB unicode invalid server name share access
16401 <-> NETBIOS NETBIOS-DG SMB andx invalid server name share access
16402 <-> NETBIOS NETBIOS-DG SMB invalid server name share access
16403 <-> NETBIOS NETBIOS-DG SMB unicode andx invalid server name share access
16404 <-> NETBIOS NETBIOS-DG SMB unicode invalid server name share access
16406 <-> WEB-MISC JPEG file download attempt
16407 <-> WEB-MISC JPEG file download attempt

Since this update targets most of the MS patches, I would initially run with all of these rules enabled (obviously, if you are 100% sure you don't have a given product, you don't need to enable its rule) and then analyze the result, both in terms of performance and possible false positives. It's worth remembering that the ideal placement for these rules is an internal sensor protecting your LAN, since most of the NETBIOS and client-side problems are not exposed in the DMZ or to the outside world, so enabling these rules there would be of little value.

Full link to the update: http://www.snort.org/vrt/docs/ruleset_changelogs/CURRENT/changes-2010-02-09.html

Emerging Threats does not have rules for most of these threats. It's worth remembering what I always stress: VRT and ET are completely complementary rule sets, and it is extremely important to use both (if you want to know more about the rules, take a look at http://snort.org.br/index.php?option=com_content&task=view&id=24&Itemid=31 ).

In this week's SRW edition 3 we had the following rules:

2010771 - ET WEB_SPECIFIC_APPS asaher pro view_messages.php row_y5_site_configuration Remote File Inclusion Attempt (emerging-web_specific_apps.rules)
2010772 - ET WEB_SPECIFIC_APPS asaher pro view_blog_comments.php Remote File Inclusion Attempt (emerging-web_specific_apps.rules)
2010773 - ET WEB_SPECIFIC_APPS asaher pro view_blog_archives.php Remote File Inclusion Attempt (emerging-web_specific_apps.rules)
2010774 - ET WEB_SPECIFIC_APPS asaher pro add_comments.php row_y5_site_configuration Remote File Inclusion Attempt (emerging-web_specific_apps.rules)
2010775 - ET WEB_SPECIFIC_APPS asaher pro downloads.php row_y5_site_configuration Remote File Inclusion Attempt (emerging-web_specific_apps.rules)
2010776 - ET WEB_SPECIFIC_APPS asaher pro emailsender.php row_y5_site_configuration Remote File Inclusion Attempt (emerging-web_specific_apps.rules)
2010777 - ET WEB_SPECIFIC_APPS asaher pro left_menu.php row_y5_site_configuration Remote File Inclusion Attempt (emerging-web_specific_apps.rules)
2010778 - ET WEB_CLIENT HP Mercury Quality Center ActiveX ProgColor Buffer Overflow Attempt -1 (emerging-web_client.rules)
2010779 - ET WEB_CLIENT HP Mercury Quality Center ActiveX ProgColor Buffer Overflow Attempt -2 (emerging-web_client.rules)
2010780 - ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt (emerging-web_specific_apps.rules)
2010781 - ET POLICY PsExec service created (emerging-policy.rules)
2010782 - ET POLICY RemoteControlX rctrlx service created (emerging-policy.rules)
2010783 - ET EXPLOIT GsecDump executed (emerging-exploit.rules)
2010784 - ET POLICY Facebook Chat (send message) (emerging-policy.rules)
2010785 - ET POLICY Facebook Chat (buddy list) (emerging-policy.rules)
2010786 - ET POLICY Facebook Chat (settings) (emerging-policy.rules)
2010787 - ET TROJAN Knockbot Proxy Response From Controller (emerging-virus.rules)
2010788 - ET TROJAN Knockbot Proxy Response From Controller (empty command) (emerging-virus.rules)
2010789 - ET TROJAN SpyBye Bot Checkin (emerging-virus.rules)
2010790 - ET TROJAN Bredavi Configuration Update Response (emerging-virus.rules)
2010791 - ET TROJAN Bredavi Checkin (emerging-virus.rules)
2010792 - ET TROJAN Bredavi Proxy Registration (emerging-virus.rules)
2010793 - ET TROJAN Bredavi Binary Download Request (emerging-virus.rules)

As mentioned, my rules were accepted into the ruleset (sids 2010784, 2010785, 2010786). One rule I found quite interesting but have not tested yet is ET POLICY PsExec service created.

As I said before, I like the Trojan and Botnet rules, and if you have a large network and are monitoring your LAN/Intranet I would enable them. Always keeping in mind that you can enable them and watch how they behave, since we never know what our users will click on =).
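The two pieces of advice above (enable the new VRT rules on an internal sensor and review performance and false positives, and enable the ET Trojan/Botnet rules and watch how they behave) both come down to toggling rules by SID and keeping track of what is enabled per category. The script below is an added example, not code from the post, the VRT or Emerging Threats: it parses a Snort-style rules file, reports enabled/total counts per category (taken from the msg prefix, "ET POLICY" style for ET rules, "NETBIOS" style for VRT rules) and enables or disables a list of SIDs by adding or removing the leading `#`. The sample rules and the SIDs 9000001-9000004 are constructed placeholders, not real ruleset entries.

```python
import re

# Constructed sample rule file for this example. The SIDs 9000001-9000004 and the
# rule bodies are placeholders, not the real VRT/ET rules mentioned in the post.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB example oversized pathname"; flow:to_server,established; content:"|FF|SMB"; classtype:attempted-admin; sid:9000001; rev:1;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT example PowerPoint record parsing"; flow:to_client,established; content:"POWERPOINT"; classtype:attempted-user; sid:9000002; rev:1;)
# This is an ordinary comment, not a disabled rule, and must be left alone.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY example chat message"; flow:to_server,established; content:"/chat/send"; classtype:policy-violation; sid:9000003; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN example bot checkin"; flow:to_server,established; content:"checkin"; classtype:trojan-activity; sid:9000004; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')
# A rule line starts with an action keyword, optionally preceded by '#' (disabled).
ACTION_RE = re.compile(r"^\s*#?\s*(alert|log|pass|drop|reject|sdrop)\b")


def _split_rule_line(line):
    """Return (is_rule, enabled, body). body is the rule text without a leading '#'."""
    if not ACTION_RE.match(line) or not SID_RE.search(line):
        return False, False, line
    stripped = line.lstrip()
    if stripped.startswith("#"):
        return True, False, stripped[1:].lstrip()
    return True, True, stripped


def category_of(msg):
    """Category from the msg prefix: 'ET <CLASS>' for ET rules, first token otherwise."""
    parts = msg.split()
    if not parts:
        return "UNKNOWN"
    if parts[0] == "ET" and len(parts) > 1:
        return "ET " + parts[1]
    return parts[0]


def parse_rules(text):
    """Return one record per rule line: sid, enabled flag, msg, category, line number."""
    records = []
    for n, line in enumerate(text.splitlines(), 1):
        is_rule, enabled, body = _split_rule_line(line)
        if not is_rule:
            continue
        sid = int(SID_RE.search(body).group(1))
        msg_match = MSG_RE.search(body)
        msg = msg_match.group(1) if msg_match else ""
        records.append({"sid": sid, "enabled": enabled, "msg": msg,
                        "category": category_of(msg), "line": n})
    return records


def category_counts(text):
    """Map category -> (enabled rules, total rules) so you can see what a change turns on."""
    counts = {}
    for r in parse_rules(text):
        enabled, total = counts.get(r["category"], (0, 0))
        counts[r["category"]] = (enabled + (1 if r["enabled"] else 0), total + 1)
    return counts


def set_sids(text, sids, enable):
    """Return new rules text with the given SIDs uncommented (enable=True) or commented out."""
    wanted = set(sids)
    out = []
    for line in text.splitlines():
        is_rule, _enabled, body = _split_rule_line(line)
        if is_rule and int(SID_RE.search(body).group(1)) in wanted:
            line = body if enable else "# " + body
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", category_counts(SAMPLE_RULES))
    # Turn on the disabled client-side and trojan rules for an internal sensor trial run.
    trial = set_sids(SAMPLE_RULES, [9000002, 9000004], enable=True)
    print("after: ", category_counts(trial))
    for r in parse_rules(trial):
        print(r["sid"], "on" if r["enabled"] else "off", r["category"], "-", r["msg"])
```

Run it against a real rules file by reading the file into a string, calling `set_sids` with the SIDs from the changelog, and writing the result back; the before/after category counts give a quick view of how many extra rules a sensor will be loading, which is the number to watch when checking performance and false positives after a weekly update.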

The complete reference for the changes: http://lists.emergingthreats.net/pipermail/emerging-sigs/2010-February/006145.html

Next Sunday, on the correct date, SRW edition 4.

Happy Snorting!

Rodrigo Montoro(Sp0oKeR)
