L0pht / NFR IDS Modules

mudge@L0pht.com

The Preface:

Not to long ago, a company called NFR released a package entitled Network Flight Recorder. The tool promiscuously monitors your network and provides a framework for analyzing, reporting, and modeling the traffic that it sees. While not initially designed as an Intrusion Detection System, the functionality is there to at least the same degree as products on the market explicitly designed as such. In many cases NFR is much more reliable in the IDS realm than the other commercial IDS’ out there. This coupled with the fact that source code for NFR was made publicly available piqued our curiosity.

The problem:

Sitting on the nfr-users mailing list it became readily apparent that there was a lack of sample code available to the public that demonstrated IDS style functionality for NFR.

The solution:

So in playing around with NFR and N-Code (the scripting language for the filters) language we threw together a few quick samples which we are happy to offer back to the community.

The Disclaimer :

This is just educational material. You are free to use these samples in any fashion you deem fit as long as proper credit/attribution is maintained. We, the L0pht, take no responsibility or liability for said samples.

The Warez:

Malicious web queries the badweb modules look for requests that indicate malicious activity or attempts to exploit known cgi/http vulnerabilities. Current maliciousness watched for includes:

  • test-cgi.tcl
  • nph-test-cgi
  • test-cgi
  • perl.exe
  • phr
  • snork.bat
  • direct shell invocation
  • finger
  • faxsurvey
  • robots.txt
  • AnyForm
  • AnyForm2
  • formmail
  • guestbook
  • win-c-sample.exe
  • php.cgi
  • wrap
  • handler
  • aglimpse
  • uploader.exe
  • mlog
  • mylog
  • Count.cgi
  • newdsn.exe
  • MachineInfo
  • Password struct info

    • badweb.nfr - the actual badweb module N-Code

    badweb.cfg - the NFR config file for the badweb module

    badweb.desc - the NFR description file for the badweb module

     

    finger watcher - the finger module simply watches and logs finger requests. It becomes interesting to see who is looking at the users on your machines or if people are doing finger bounces / old finger style attacks.

    finger.nfr - the actual finger module N-Code

    finger.cfg - the NFR config file for the finger module

    finger.desc - the NFR description file for the finger module

     

    external arp requests - the ext_arp_inside module looks for arp requests asking the response to be sent to an IP address not on the "internal" network(s). This backend accomplishes this by watching for machines being brought up on the wrong networks or potential strange homings of nets/hosts. One of the theories is that when the system first comes live it will gratuitously arp for itself (although Solaris is one of the few systems that does not do this). Another theory is that if another network stub is mis-attached, potentially between network legs that are treated at disparate security levels, you might see arps for a different net’s router with an external network IP in the arp packet.

    ext_arp_inside.nfr - the actual ext_arp module N-Code

    ext_arp_inside.cfg - the NFR config file for the ext_arp module

    ext_arp_inside.desc - the NFR description file for the ext_arp module

     

    external networks watcher - This backend watches for external IP addresses initiating connections across your local wire. Suppose you have an internal network setup where you allow people to initiate connections to the outside world but do not allow externally initiated connections to terminate on internal machines (ESTABLISHED in cisco lingo, or maybe some statefull filter like FW1, or ip-fil). Seeing TCP connections from external networks destined to internal machines with the SYN flag set in these situations would indicate a break in perimiter security. In addition, packets with SYN and any other tcp flags set except for RST are flagged as well. This is due to end systems handling them in different ways - to wit: Microsoft NT treats a SYN|FIN as a raw SYN and happily returns a SYN|ACK. This should alert you of more sophisticated attempts to circumvent filters.

    ext_net_inside.nfr - the actual ext-net watcher module N-code

    ext_net_inside.cfg - the NFR config file for the ext-net watcher module

    ext_net_inside.desc - the NFR description file for the ext-net watcher module

     

    land - This backend watches for land packets. These are packets with the same source and dest IP addresses. This should never be seen in the wild. Upon logging it records the ether address so you can hunt down the offender (that is if you are not passing it through your router… tsk tsk tsk!)

    land.nfr - the acutal land module N-code

    land.cfg - the NFR config file for the land module

    land.desc - the NFR description file for the land module

     

    rip1 - This backend watches what is being advertised via RIP Version 1. This is advantageous when users "accidentally" dual home internal and external networks and bring their machines live running routed.

    rip1.nfr - the actual rip1 module N-Code

    rip1.cfg - the NFR config file for the rip1 module

    rip1.desc - the NFR description file for the rip1 module

     

    rip2 - This backend watches what is being advertised via RIP Version 2. Again, the belief being people should watch for routes being advertised into or out of their network that they are unaware of.

    rip2.nfr - the actual rip2 module N-Code

    rip2.cfg - the NFR config file for the rip2 module

    rip2.desc - the NFR description file for the rip2 module

     

    X-Mas Tree Packet Watcher - This backend looks for packets with ALL tcp flags set (ie SYN|FIN|URG|ACK|RST|PSH). These packets should not exist in normal traffic and are almost always endemic of Denial of Service attacks.

    xmastree.nfr - the actual xmastree module N-Code

    xmastree.cfg - the NFR config file for the xmastree module

    xmastree.desc - the NFR description file for the xmastree module

    xoutside - This backend watches for what appear to be X connections initiated from internal networks directed to external networks. This could be a potential security concern in attempts to bypass statefull packet filters or if only encrypted and authenticated connections are allowed to internal networks and people are pointing unencrypted X sessions outside.

    xoutside.nfr - the actual xoutside module N-Code

    xoutside.cfg - the NFR config file for the xoutside module

    xoutside.desc - the NFR description file for the xoutside module

    Conclusion:

    Welp – hope people find some of this useful. Enjoy!

    mudge@l0pht.com