Passive Host Auditing

4 Dec 2013 (3 years and 11 months ago)

Passive Host Auditing
Using Snort And Other Free Tools

by John Ives aka. jives

The Importance Of Auditing

- Identify assets to better protect
- Inventory of what you have and where it is on your network

The State Of Auditing Today

- Relies primarily on active network scanning
- Makes heavy usage of client agents
- Difficult to impossible in chaotic decentralized environments

What Is Passive Auditing?

- Uses packets already on the network to answer questions about the hosts
- Does not affect end system logging
- Uses black hat scans for white hat purposes
- Aids policy enforcement
- Ultimately it's using event correlation to profile a host.

What Can Be Monitored Passively

- OS
- OS updates
- Antivirus/firewall/spyware updates
- Network services (e.g. telnet, ftp, http, etc.)
- Open ports
- Service versions
- Network application versions
- Policies

What are its Downsides?

- Getting started can be labor intensive.
- It requires a lot of data to build an accurate picture.
- It requires a commitment of time and money.
- It can be bypassed, but most end users won't.
- It actually benefits from an ugly network!

Example Rule (AV/Firewall update)

Symantec LiveUpdate

---------------------------------------------------------------------------
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
    (msg:"PHA - user-agent Symantec liveupdate"; \
    flow:to_server,established; \
    content:"|0d0a|User-Agent: Symantec LiveUpdate"; nocase; \
    content:"|0d0a|Host: liveupdate.symantecliveupdate.com"; nocase; \
    threshold: type limit, track by_src, count 1, seconds 1800; )

Example packets (AV/Firewall update)

Symantec LiveUpdate

---------------------------------------------------------------------------
IP:   10.10.29.25 -> 38.113.220.7 hlen=20 TOS=00 dgramlen=283 id=946B
      MF/DF=0/1 frag=0 TTL=126 proto=TCP cksum=CC44
TCP:  port 1694 -> 80 seq=3152470340 ack=3992596721
      hlen=20 (data=243) UAPRSF=011000 wnd=65535 cksum=74B4 urg=0
DATA: GET /symantec$20antivirus$20corporate$20client$20nt_9.0_english_livetri.zip HTTP/1.0.
      Accept: */*.
      Cache-Control: max-age=0.
      User-Agent: Symantec LiveUpdate.
      Host: liveupdate.symantecliveupdate.com.
      ----------:----------.
      Pragma: no-cache.
      .

Example Rule (OS Update)

Windows updating for KB896358 (MS05-026)

---------------------------------------------------------------------------
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
    (msg:"PHA - Windows Update download KB896358 MS05-026"; \
    content:"GET |2F|"; depth:5; nocase; \
    content:"kb896358"; nocase; \
    content:".exe HTTP|2F|1.1|0d0a|"; nocase;)

Example packets (OS Update)

Windows ME updating for KB896358 (MS05-026)

---------------------------------------------------------------------------
IP:   10.11.19.24 -> 207.46.249.25 hlen=20 TOS=00 dgramlen=282 id=2498
      MF/DF=0/1 frag=0 TTL=125 proto=TCP cksum=EE37
TCP:  port 1493 -> 80 seq=0370010218 ack=2679330397
      hlen=20 (data=242) UAPRSF=011000 wnd=17520 cksum=8456 urg=0
DATA: GET /msdownload/update/v3-19990518/cabpool/WindowsME-KB896358-ENU_7e9ddccce2504c0ee808dffaf52c841.EXE HTTP/1.1.
      Accept: */*.
      Range: bytes=0-16384.
      User-Agent: Progressive Download.
      Host: download.windowsupdate.com.
      Cache-Control: no-cache.
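Before a PHA rule goes into production it is worth checking that its content options actually fire on the captured request. The following is an added Python example (not from the slides, from passiveaudit.org, or from Snort) that applies the content / nocase / depth semantics of the two rules above to request bytes reconstructed from the two packet slides; flow, threshold and the IP/TCP header fields are ignored, and CRLF line endings are assumed.

```python
import re

# Two rules and two requests from the slides; the request bytes are reconstructed
# here from the packet slides with CRLF line endings (an assumption of this example).
RULE_SYMANTEC = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"PHA - user-agent Symantec liveupdate"; '
    'flow:to_server,established; content:"|0d0a|User-Agent: Symantec LiveUpdate"; nocase; '
    'content:"|0d0a|Host: liveupdate.symantecliveupdate.com"; nocase; '
    'threshold: type limit, track by_src, count 1, seconds 1800; )')
RULE_KB896358 = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"PHA - Windows Update download KB896358 MS05-026"; '
    'content:"GET |2F|"; depth:5; nocase; content:"kb896358"; nocase; '
    'content:".exe HTTP|2F|1.1|0d0a|"; nocase;)')
PKT_SYMANTEC = (
    b"GET /symantec$20antivirus$20corporate$20client$20nt_9.0_english_livetri.zip HTTP/1.0\r\n"
    b"Accept: */*\r\nCache-Control: max-age=0\r\nUser-Agent: Symantec LiveUpdate\r\n"
    b"Host: liveupdate.symantecliveupdate.com\r\nPragma: no-cache\r\n\r\n")
PKT_KB896358 = (
    b"GET /msdownload/update/v3-19990518/cabpool/WindowsME-KB896358-ENU_7e9ddccce2504c0ee808dffaf52c841.EXE HTTP/1.1\r\n"
    b"Accept: */*\r\nRange: bytes=0-16384\r\nUser-Agent: Progressive Download\r\n"
    b"Host: download.windowsupdate.com\r\nCache-Control: no-cache\r\n\r\n")

# content:"..." followed by any number of nocase / depth:N modifiers
OPT_RE = re.compile(r'content:\s*"((?:[^"\\]|\\.)*)"\s*;((?:\s*(?:nocase|depth:\s*\d+)\s*;)*)')

def unescape_content(text):
    """Expand Snort |hex| sections (e.g. |0d0a|, |0D 0A|) into raw bytes."""
    out = b""
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return out

def parse_contents(rule):
    """Return [(pattern_bytes, nocase, depth_or_None)] for each content option."""
    found = []
    for m in OPT_RE.finditer(rule):
        mods = m.group(2)
        depth = re.search(r"depth:\s*(\d+)", mods)
        found.append((unescape_content(m.group(1)), "nocase" in mods,
                      int(depth.group(1)) if depth else None))
    return found

def rule_matches(rule, payload):
    """True when every content option is found; each is searched from the payload
    start (no offset/distance modifiers here), depth limits the window, nocase folds case."""
    for pattern, nocase, depth in parse_contents(rule):
        window = payload if depth is None else payload[:depth]
        if nocase:
            window, pattern = window.lower(), pattern.lower()
        if pattern not in window:
            return False
    return True
```

Run the same matcher on the up2date check-in rule and its packet slide further down and the User-agent content does not fire, because that request carries RHN-Applet/2.1.16 rather than Up2date/.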

Example Rule (Anti-Spyware Detection)

Microsoft Windows Malicious Software Removal Tool

---------------------------------------------------------------------------
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
    (msg:"PHA - Windows Spyware Tool KB890830"; \
    content:"GET |2F|"; depth:5; nocase; \
    content:"kb890830"; nocase; \
    content:".exe HTTP|2F|1.1|0d0a|"; nocase; \
    content:"|0d0a|User-Agent: Microsoft BITS"; nocase;)

Example packets (Spyware Detection)

Microsoft Windows Malicious Software Removal Tool

---------------------------------------------------------------------------
IP:   10.11.60.7 -> 65.59.184.62 hlen=20 TOS=00 dgramlen=326 id=0611
      MF/DF=0/1 frag=0 TTL=125 proto=TCP cksum=4CFC
TCP:  port 1078 -> 80 seq=0643000275 ack=3277861441
      hlen=20 (data=286) UAPRSF=011000 wnd=65535 cksum=0FBC urg=0
DATA: GET /msdownload/update/v3-19990518/cabpool/windows-kb890830-v1.5-delta-enu_21d25af37346306a6b2dee41479b947829a529db.exe HTTP/1.1.
      Accept: */*.
      Accept-Encoding: identity.
      Range: bytes=0-5622.
      User-Agent: Microsoft BITS/6.6.
      Host: au.download.windowsupdate.com.
      Connection: Keep-Alive.

Example Rule (OS Update Check-In)

RedHat looking for updates via up2date

---------------------------------------------------------------------------
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
    (msg:"PHA - RedHat Update Up2Date check-in"; flow:to_server,established; \
    content:"GET |2F|"; depth:5; nocase; \
    content:"header.info HTTP/1.1|0d0a|"; nocase; \
    content:"|0d0a|User-agent: Up2date/"; nocase;)

Example packets (OS Update Check-In)

RedHat updating via up2date

---------------------------------------------------------------------------
IP:   10.11.26.94 -> 209.132.176.221 hlen=20 TOS=00 dgramlen=263 id=1C11
      MF/DF=0/1 frag=0 TTL=61 proto=TCP cksum=B667
TCP:  port 36102 -> 80 seq=0480187150 ack=3321205591
      hlen=32 (data=211) UAPRSF=011000 wnd=1460 cksum=F466 urg=0
DATA: GET /pub/fedora/linux/core/3/i386/os/headers/header.info HTTP/1.1.
      Host: download.fedora.redhat.com.
      Accept-Encoding: identity.
      If-Modified-Since: Wed, 03 Nov 2004 23:16:42 GMT.
      User-Agent: RHN-Applet/2.1.16.

Example Rule (another OS update)

RedHat updating via up2date

---------------------------------------------------------------------------
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
    (msg:"PHA - RedHat Update Up2Date check-in"; flow:to_server,established; \
    content:"GET |2F|"; depth:5; nocase; \
    content:".rpm HTTP/1.1|0d0a|"; nocase; \
    content:"|0d0a|User-agent: Up2date/"; nocase;)

Example packets (another OS update)

RedHat updating via up2date

---------------------------------------------------------------------------
IP:   10.11.26.94 -> 209.132.176.221 hlen=20 TOS=00 dgramlen=263 id=1C11
      MF/DF=0/1 frag=0 TTL=61 proto=TCP cksum=B667
TCP:  port 36102 -> 80 seq=0480187150 ack=3321205591
      hlen=32 (data=211) UAPRSF=011000 wnd=1460 cksum=F466 urg=0
DATA: GET /pub/fedora/linux/core/updates/4/i386//kernel-2.6.12-1.1398_FC4.i686.rpm HTTP/1.1
      Accept-Encoding: identity
      Host: download.fedora.redhat.com
      Connection: close
      User-agent: Up2date 4.4.23-4/Yum

Misc. Example Rules

Syn Packets for p0f
---------------------------------------------------------------------------
alert tcp $HOME_NET any -> any any (msg:"PHA syn packet capture for p0f"; \
    flags:s; threshold: type limit, track by_src, count 1, seconds 1800; )
---------------------------------------------------------------------------

IIS 5.1 on Windows XP
---------------------------------------------------------------------------
alert tcp $HOME_NET 80 -> $EXTERNAL_NET any \
    (msg:"PHA - IIS 5.1 running on Windows XP"; flow: from_server; \
    content:"|0D 0A|Server: Microsoft-IIS/5.1|0D 0A|"; nocase; \
    threshold: type limit, track by_src, count 1, seconds 1800;)

Tools

- Snort
- p0f
- tcpdump
- tcpshow and/or ngrep
- Bro IDS
- Custom scripts
- Database
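The "event correlation to profile a host" idea from the What Is Passive Auditing slide is what the Custom Scripts and Database entries above stand for. As an added Python example, not part of the deck or of passiveaudit.org, the script below parses Snort alert_fast lines (constructed here; the sids are placeholders) carrying the PHA messages of the example rules and folds them into a per-host inventory keyed on the $HOME_NET side of each alert.

```python
import re
from collections import defaultdict

# Constructed Snort alert_fast lines (sids are placeholders); the message strings
# are the PHA messages used by the example rules in the slides.
SAMPLE_ALERTS = """\
11/03-09:12:41.120000  [**] [1:1000001:1] PHA - user-agent Symantec liveupdate [**] [Priority: 0] {TCP} 10.10.29.25:1694 -> 38.113.220.7:80
11/03-09:15:02.554000  [**] [1:1000002:1] PHA - Windows Update download KB896358 MS05-026 [**] [Priority: 0] {TCP} 10.11.19.24:1493 -> 207.46.249.25:80
11/03-09:20:17.003000  [**] [1:1000003:1] PHA - Windows Spyware Tool KB890830 [**] [Priority: 0] {TCP} 10.11.60.7:1078 -> 65.59.184.62:80
11/03-09:31:55.781000  [**] [1:1000004:1] PHA - RedHat Update Up2Date check-in [**] [Priority: 0] {TCP} 10.11.26.94:36102 -> 209.132.176.221:80
11/03-10:02:09.000000  [**] [1:1000005:1] PHA - IIS 5.1 running on Windows XP [**] [Priority: 0] {TCP} 10.11.60.7:80 -> 192.0.2.44:3310
"""

FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+$")

def classify(msg):
    """Map one PHA alert message to the (attribute, value) facts it implies."""
    m, facts = msg.lower(), []
    if "symantec liveupdate" in m:
        facts.append(("antivirus", "Symantec (LiveUpdate seen)"))
    if "windows update download" in m or "windows spyware tool" in m:
        facts.append(("os", "Windows"))
        kb = re.search(r"kb\d+", m)
        if kb:
            facts.append(("patches", kb.group(0).upper()))
    if "up2date" in m:
        facts.append(("os", "Red Hat / Fedora (up2date)"))
    if "iis 5.1" in m:
        facts.extend([("os", "Windows XP"), ("services", "Microsoft-IIS/5.1")])
    return facts

def build_profiles(alert_text):
    """Correlate alerts per $HOME_NET host; every PHA rule puts that host as source,
    the to_server rules by construction and the IIS rule because it watches port 80 replies."""
    profiles = defaultdict(lambda: defaultdict(set))
    for line in alert_text.splitlines():
        m = FAST_RE.match(line)
        if not m:
            continue  # skip anything that is not an alert_fast line
        host = m.group("src")
        profiles[host]["seen"].add(m.group("ts"))
        for attr, value in classify(m.group("msg")):
            profiles[host][attr].add(value)
    return {h: {k: sorted(v) for k, v in p.items()} for h, p in profiles.items()}
```

Feeding real alert_fast output in and writing the returned dictionary to a table keyed by host gives the inventory the deck describes, with the "seen" timestamps telling you how stale each fact is.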

Thank You

Thank you for coming today

If you are interested in getting more information or volunteering to help out, you can email me at jives@passiveaudit.org

Updated scripts, rules, etc. will be available at http://www.passiveaudit.org