用Snort从原理上检测MS05-051攻击

2008-04-09 04:07:54来源：互联网阅读 ()

MS05-051漏洞及相关的攻击代码和蠕虫已经出现一些日子了，从IDS的角度来看，如何检测利用MS05-051漏洞的攻击呢？

Snort虽然提供了一些规则来检测攻击相关的请求，但并远不是攻击本身：

alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC DIRECT-UDP IXnRemote BuildContextW little endian attempt"; flowbits:isset,dce.bind.IXnRemote; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|07 00|"; within:2; distance:19;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC DIRECT v4 IXnRemote BuildContextW attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|E0 0C|k|90 0B C7|g|10 B3 17 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; pcre:"/^./sR";)
alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC DIRECT-UDP v4 IXnRemote BuildContextW attempt"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|E0 0C|k|90 0B C7|g|10 B3 17 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; pcre:"/^./sR";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC DIRECT IXnRemote BuildContextW attempt"; flow:established,to_server; flowbits:isset,dce.bind.IXnRemote; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:19;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC DIRECT IXnRemote BuildContextW little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.IXnRemote; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|07 00|"; within:2; distance:19;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC DIRECT-UDP IXnRemote BuildContextW attempt"; flowbits:isset,dce.bind.IXnRemote; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:19;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC DIRECT v4 IXnRemote BuildContextW little endian attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|E0 0C|k|90 0B C7|g|10 B3 17 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; pcre:"/^./sR";)
alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC DIRECT-UDP v4 IXnRemote BuildContextW little endian attempt"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|E0 0C|k|90 0B C7|g|10 B3 17 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; pcre:"/^./sR";)

对于正常的请求，这些规则也可能触发告警，显然这是不令人满意的。

漏洞分析
--------

要检测攻击当然需要先对MS05-051漏洞作一下比较深入的成因分析，以下的分析完全整理自小四（scz at nsfocus dot com）的工作。

漏洞的成因在于远程调用msdtcprx!BuildContextW()时存在内存破坏问题，msdtcprx.dll!BuildContextW()对应DCE-RPC 7号调用，相应的最简请求报文参数手工解码如下:

--------------------------------------------------------------------------
0x00, 0x00,?????????????????? // 0x000 param0开始，2字节长
0x00, 0x00,?????????????????? // 填充字节，4字节对齐
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // 0x004 param1开始，24字节长
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00,???????????? // 0x018 param2开始，参数最大可能长度，4字节长
0x00, 0x00, 0x00, 0x00,???????????? // 参数最小可能长度，4字节长
0x01, 0x00, 0x00, 0x00,???????????? // 参数实际长度，4字节长
0x00, 0x00,?????????????????? // 参数串，Unicode格式
0x00, 0x00,?????????????????? // 填充字节，4字节对齐
0x01, 0x00, 0x00, 0x00,???????????? // 0x028 pwszHostName，param3开始，参数最大可能长度，4字节长
0x00, 0x00, 0x00, 0x00,???????????? // 参数最小可能长度，4字节长
0x01, 0x00, 0x00, 0x00,???????????? // 参数实际长度，4字节长
0x00, 0x00,?????????????????? // 参数串，Unicode格式
0x00, 0x00,?????????????????? // 填充字节，4字节对齐
0x01, 0x00, 0x00, 0x00,???????????? // 0x038 pwszUuidString param4开始，参数最大可能长度，4字节长，正常情况下应该是0x00000025，如果大于此值则是畸形的
0x00, 0x00, 0x00, 0x00,???????????? // 参数最小可能长度，4字节长

标签：

版权申明：本站文章部分自网络，如有侵权，请联系：west999com@outlook.com
特别注意：本站所有转载文章言论不代表本站观点，本站所提供的摄影照片，插画，设计作品，如需使用，请与原作者联系，版权归原作者所有