L0pht / NFR IDS Modules

mudge@L0pht.com

The Preface:

Not to long ago, a company called NFR released a package entitled Network Flight Recorder. The tool promiscuously monitors your network and provides a framework for analyzing, reporting, and modeling the traffic that it sees. While not initially designed as an Intrusion Detection System, the functionality is there to at least the same degree as products on the market explicitly designed as such. In many cases NFR is much more reliable in the IDS realm than the other commercial IDS’ out there. This coupled with the fact that source code for NFR was made publicly available piqued our curiosity.


The problem:

Sitting on the nfr-users mailing list it became readily apparent that there was a lack of sample code available to the public that demonstrated IDS style functionality for NFR.


The solution:

So in playing around with NFR and N-Code (the scripting language for the filters) language we threw together a few quick samples which we are happy to offer back to the community.


The Disclaimer :

This is just educational material. You are free to use these samples in any fashion you deem fit as long as proper credit/attribution is maintained. We, the L0pht, take no responsibility or liability for said samples.


The Warez:


Back Orifice Detector This module detects patterns that happen within Back Orifice client/server communications. This module does not rely on the poor encryption technique used in BO. We believe this is the best Back Orifice detection tool out there - plus it is free and you get the source code. What more could one want?

bo.nfr - the actual Back Orifice module N-Code

bo.cfg - the NFR config file for the BO module

bo.desc - the NFR description file for the BO module


Big Packet Detector Huge packets on your network? Potential denial of service attack underway. Use this module to spot them.

bigpacket.nfr - the actual Big Packet module N-Code

bigpacket.cfg - the NFR config file for the Big Packet module

bigpacket.desc - the NFR description file for the Big Packet module


DNS Iquery Exploit logger The net as a whole has been getting knocked over left and right due to the buffer overflow in bind versions. This module watches for Iquery requests going to TCP port 53. The RoTSB exploit always uses a query ID of 31337 so this is parsed for as well.

iquery.nfr - the actual iquery module N-Code

iquery.cfg - the NFR config file for the iquery module

iquery.desc - the NFR description file for the iquery module


Lockd and NFS This module looks for NFS service requests (service 100003) going to port 4045 (lockd). Silicosis must have been playing with the customized nfs-shell that mudge did. hrmmmmm...

lockd.nfr - the actual lockd module N-Code

lockd.cfg - the NFR config file for the lockd module

lockd.desc - the NFR description file for the lockd module


OOB (WinNuke) Module This module looks for the Urgent Pointer == 3, which causes Windows NT and 95 boxes of various patch levels to crash. Commonly referred to as winnuke.

oob.nfr - the actual OOB module N-Code

oob.cfg - the NFR config file for the OOB module

oob.desc - the NFR description file for the OOB module


Statd Exploit Watcher Two very common and widely used exploits are watched for here. The remote shell exploit (tcp)and the link and unlink of files (udp).

statd.nfr - the actual statd module N-Code

statd.cfg - the NFR config file for the statd module

statd.desc - the NFR description file for the statd module


rpc.ttdbserverd Exploit Detector This module looks for a buffer overflow being exploited in Solaris. A widely publicized exploit is available so maybe it is not such a bad idea to start looking for it.

ttdb.nfr - the actual ttdbserverd module N-Code

ttdb.cfg - the NFR config file for the ttdbserverd module

ttdb.desc - the NFR description file for the ttdbserverd module


Malicious web queries the badweb modules look for requests that indicate malicious activity or attempts to exploit known cgi/http vulnerabilities. Current maliciousness watched for includes:

  • test-cgi.tcl
  • nph-test-cgi
  • test-cgi
  • perl.exe
  • phr
  • snork.bat
  • direct shell invocation
  • finger
  • faxsurvey
  • robots.txt
  • AnyForm
  • AnyForm2
  • formmail
  • guestbook
  • win-c-sample.exe
  • php.cgi
  • wrap
  • handler
  • aglimpse
  • uploader.exe
  • mlog
  • mylog
  • Count.cgi
  • newdsn.exe
  • MachineInfo
  • Password struct info

badweb.nfr - the actual badweb module N-Code

badweb.cfg - the NFR config file for the badweb module

badweb.desc - the NFR description file for the badweb module


 

finger watcher - the finger module simply watches and logs finger requests. It becomes interesting to see who is looking at the users on your machines or if people are doing finger bounces / old finger style attacks.

finger.nfr - the actual finger module N-Code

finger.cfg - the NFR config file for the finger module

finger.desc - the NFR description file for the finger module


 

external arp requests - the ext_arp_inside module looks for arp requests asking the response to be sent to an IP address not on the "internal" network(s). This backend accomplishes this by watching for machines being brought up on the wrong networks or potential strange homings of nets/hosts. One of the theories is that when the system first comes live it will gratuitously arp for itself (although Solaris is one of the few systems that does not do this). Another theory is that if another network stub is mis-attached, potentially between network legs that are treated at disparate security levels, you might see arps for a different net’s router with an external network IP in the arp packet.

ext_arp_inside.nfr - the actual ext_arp module N-Code

ext_arp_inside.cfg - the NFR config file for the ext_arp module

ext_arp_inside.desc - the NFR description file for the ext_arp module


 

external networks watcher - This backend watches for external IP addresses initiating connections across your local wire. Suppose you have an internal network setup where you allow people to initiate connections to the outside world but do not allow externally initiated connections to terminate on internal machines (ESTABLISHED in cisco lingo, or maybe some statefull filter like FW1, or ip-fil). Seeing TCP connections from external networks destined to internal machines with the SYN flag set in these situations would indicate a break in perimiter security. In addition, packets with SYN and any other tcp flags set except for RST are flagged as well. This is due to end systems handling them in different ways - to wit: Microsoft NT treats a SYN|FIN as a raw SYN and happily returns a SYN|ACK. This should alert you of more sophisticated attempts to circumvent filters.

ext_net_inside.nfr - the actual ext-net watcher module N-code

ext_net_inside.cfg - the NFR config file for the ext-net watcher module

ext_net_inside.desc - the NFR description file for the ext-net watcher module


 

land - This backend watches for land packets. These are packets with the same source and dest IP addresses. This should never be seen in the wild. Upon logging it records the ether address so you can hunt down the offender (that is if you are not passing it through your router… tsk tsk tsk!)

land.nfr - the acutal land module N-code

land.cfg - the NFR config file for the land module

land.desc - the NFR description file for the land module


 

rip1 - This backend watches what is being advertised via RIP Version 1. This is advantageous when users "accidentally" dual home internal and external networks and bring their machines live running routed.

rip1.nfr - the actual rip1 module N-Code

rip1.cfg - the NFR config file for the rip1 module

rip1.desc - the NFR description file for the rip1 module


 

rip2 - This backend watches what is being advertised via RIP Version 2. Again, the belief being people should watch for routes being advertised into or out of their network that they are unaware of.

rip2.nfr - the actual rip2 module N-Code

rip2.cfg - the NFR config file for the rip2 module

rip2.desc - the NFR description file for the rip2 module


 

X-Mas Tree Packet Watcher - This backend looks for packets with ALL tcp flags set (ie SYN|FIN|URG|ACK|RST|PSH). These packets should not exist in normal traffic and are almost always endemic of Denial of Service attacks.

xmastree.nfr - the actual xmastree module N-Code

xmastree.cfg - the NFR config file for the xmastree module

xmastree.desc - the NFR description file for the xmastree module


xoutside - This backend watches for what appear to be X connections initiated from internal networks directed to external networks. This could be a potential security concern in attempts to bypass statefull packet filters or if only encrypted and authenticated connections are allowed to internal networks and people are pointing unencrypted X sessions outside.

xoutside.nfr - the actual xoutside module N-Code

xoutside.cfg - the NFR config file for the xoutside module

xoutside.desc - the NFR description file for the xoutside module


Conclusion:

Welp – hope people find some of this useful. Enjoy!

mudge@l0pht.com