L0pht / NFR IDS Modules
Not to long ago, a company called NFR released a package entitled Network Flight Recorder. The tool promiscuously monitors your network and provides a framework for analyzing, reporting, and modeling the traffic that it sees. While not initially designed as an Intrusion Detection System, the functionality is there to at least the same degree as products on the market explicitly designed as such. In many cases NFR is much more reliable in the IDS realm than the other commercial IDS’ out there. This coupled with the fact that source code for NFR was made publicly available piqued our curiosity.
Sitting on the nfr-users mailing list it became readily apparent that there was a lack of sample code available to the public that demonstrated IDS style functionality for NFR.
So in playing around with NFR and N-Code (the scripting language for the filters) language we threw together a few quick samples which we are happy to offer back to the community.
This is just educational material. You are free to use these samples in any fashion you deem fit as long as proper credit/attribution is maintained. We, the L0pht, take no responsibility or liability for said samples.
Back Orifice DetectorThis module detects patterns that happen within Back Orifice client/server communications. This module does not rely on the poor encryption technique used in BO. We believe this is the best Back Orifice detection tool out there - plus it is free and you get the source code. What more could one want?
bo.nfr - the actual Back Orifice module N-Code
bo.cfg - the NFR config file for the BO module
bo.desc - the NFR description file for the BO module
Big Packet DetectorHuge packets on your network? Potential denial of service attack underway. Use this module to spot them.
bigpacket.nfr - the actual Big Packet module N-Code
bigpacket.cfg - the NFR config file for the Big Packet module
bigpacket.desc - the NFR description file for the Big Packet module
DNS Iquery Exploit loggerThe net as a whole has been getting knocked over left and right due to the buffer overflow in bind versions. This module watches for Iquery requests going to TCP port 53. The RoTSB exploit always uses a query ID of 31337 so this is parsed for as well.
iquery.nfr - the actual iquery module N-Code
iquery.cfg - the NFR config file for the iquery module
iquery.desc - the NFR description file for the iquery module
Lockd and NFSThis module looks for NFS service requests (service 100003) going to port 4045 (lockd). Silicosis must have been playing with the customized nfs-shell that mudge did. hrmmmmm...
lockd.nfr - the actual lockd module N-Code
lockd.cfg - the NFR config file for the lockd module
lockd.desc - the NFR description file for the lockd module
OOB (WinNuke) ModuleThis module looks for the Urgent Pointer == 3, which causes Windows NT and 95 boxes of various patch levels to crash. Commonly referred to as winnuke.
oob.nfr - the actual OOB module N-Code
oob.cfg - the NFR config file for the OOB module
oob.desc - the NFR description file for the OOB module
Statd Exploit WatcherTwo very common and widely used exploits are watched for here. The remote shell exploit (tcp)and the link and unlink of files (udp).
statd.nfr - the actual statd module N-Code
statd.cfg - the NFR config file for the statd module
statd.desc - the NFR description file for the statd module
rpc.ttdbserverd Exploit DetectorThis module looks for a buffer overflow being exploited in Solaris. A widely publicized exploit is available so maybe it is not such a bad idea to start looking for it.
ttdb.nfr - the actual ttdbserverd module N-Code
ttdb.cfg - the NFR config file for the ttdbserverd module
ttdb.desc - the NFR description file for the ttdbserverd module
Malicious web queriesthe badweb modules look for requests that indicate malicious activity or attempts to exploit known cgi/http vulnerabilities. Current maliciousness watched for includes:
badweb.nfr - the actual badweb module N-Code
badweb.cfg - the NFR config file for the badweb module
badweb.desc - the NFR description file for the badweb module
finger watcher- the finger module simply watches and logs finger requests. It becomes interesting to see who is looking at the users on your machines or if people are doing finger bounces / old finger style attacks.
finger.nfr - the actual finger module N-Code
finger.cfg - the NFR config file for the finger module
finger.desc - the NFR description file for the finger module
external arp requests- the ext_arp_inside module looks for arp requests asking the response to be sent to an IP address not on the "internal" network(s). This backend accomplishes this by watching for machines being brought up on the wrong networks or potential strange homings of nets/hosts. One of the theories is that when the system first comes live it will gratuitously arp for itself (although Solaris is one of the few systems that does not do this). Another theory is that if another network stub is mis-attached, potentially between network legs that are treated at disparate security levels, you might see arps for a different net’s router with an external network IP in the arp packet.
ext_arp_inside.nfr - the actual ext_arp module N-Code
ext_arp_inside.cfg - the NFR config file for the ext_arp module
ext_arp_inside.desc - the NFR description file for the ext_arp module
external networks watcher- This backend watches for external IP addresses initiating connections across your local wire. Suppose you have an internal network setup where you allow people to initiate connections to the outside world but do not allow externally initiated connections to terminate on internal machines (ESTABLISHED in cisco lingo, or maybe some statefull filter like FW1, or ip-fil). Seeing TCP connections from external networks destined to internal machines with the SYN flag set in these situations would indicate a break in perimiter security. In addition, packets with SYN and any other tcp flags set except for RST are flagged as well. This is due to end systems handling them in different ways - to wit: Microsoft NT treats a SYN|FIN as a raw SYN and happily returns a SYN|ACK. This should alert you of more sophisticated attempts to circumvent filters.
ext_net_inside.nfr - the actual ext-net watcher module N-code
ext_net_inside.cfg - the NFR config file for the ext-net watcher module
ext_net_inside.desc - the NFR description file for the ext-net watcher module
land- This backend watches for land packets. These are packets with the same source and dest IP addresses. This should never be seen in the wild. Upon logging it records the ether address so you can hunt down the offender (that is if you are not passing it through your router… tsk tsk tsk!)
land.nfr - the acutal land module N-code
land.cfg - the NFR config file for the land module
land.desc - the NFR description file for the land module
rip1- This backend watches what is being advertised via RIP Version 1. This is advantageous when users "accidentally" dual home internal and external networks and bring their machines live running routed.
rip1.nfr - the actual rip1 module N-Code
rip1.cfg - the NFR config file for the rip1 module
rip1.desc - the NFR description file for the rip1 module
rip2- This backend watches what is being advertised via RIP Version 2. Again, the belief being people should watch for routes being advertised into or out of their network that they are unaware of.
rip2.nfr - the actual rip2 module N-Code
rip2.cfg - the NFR config file for the rip2 module
rip2.desc - the NFR description file for the rip2 module
X-Mas Tree Packet Watcher- This backend looks for packets with ALL tcp flags set (ie SYN|FIN|URG|ACK|RST|PSH). These packets should not exist in normal traffic and are almost always endemic of Denial of Service attacks.
xmastree.nfr - the actual xmastree module N-Code
xmastree.cfg - the NFR config file for the xmastree module
xmastree.desc - the NFR description file for the xmastree module
xoutside- This backend watches for what appear to be X connections initiated from internal networks directed to external networks. This could be a potential security concern in attempts to bypass statefull packet filters or if only encrypted and authenticated connections are allowed to internal networks and people are pointing unencrypted X sessions outside.
xoutside.nfr - the actual xoutside module N-Code
xoutside.cfg - the NFR config file for the xoutside module
xoutside.desc - the NFR description file for the xoutside module
Welp – hope people find some of this useful. Enjoy!