
LOGS: GIAC GCIA Version 3.5 Practical Detect James Affeld: msg#00093

security.intrusions

Subject: LOGS: GIAC GCIA Version 3.5 Practical Detect James Affeld

Here's my last detect before I submit. I'd appreciate
a review.

It looks at an http_inspect IIS UNICODE CODEPOINT
ENCODING alert, which has generated some calls for
help on the net.

Source of Trace:
http://www.incidents.org/logs/Raw/2002.9.28

Detect was Generated by: Snort v. 2.1.2 with a default
ruleset. The alert was:

[**] [119:7:1] (http_inspect) IIS UNICODE CODEPOINT
ENCODING [**]
10/27-21:40:37.066507 32.245.166.236:62998 ->
216.239.53.101:80
TCP TTL:122 TOS:0x0 ID:17747 IpLen:20 DgmLen:517 DF
***AP*** Seq: 0xEBF2726B Ack: 0x79264B6C Win: 0xFAF0
TcpLen: 20

The leading tag, [119:7:1], indicates that the
HTTP_INSPECT preprocessor was the generator that made
this alert, rule #7. Number 119 indicates which
generator was responsible. The "(http_inspect)"
string that comes next is another clue. The "IIS
UNICODE CODEPOINT ENCODING" alert checks for what
appears to be deliberate obfuscation of characters
through the use of IIS unicode encoding. Unicode is a
means of representing characters that aren't present
in ASCII. IIS unicode codepoint encoding is an
additional means of representing characters, some of
which have multiple definitions. This obfuscation
could be an attempt to bypass IDS systems and
application firewalls, and to defeat ill-conceived
IIS patches. This preprocessor sees whether they are
representing ordinary ASCII characters through IIS
unicode.

Probability the Source Address was Spoofed: low. It
is difficult to spoof tcp connections, and the HTTP
protocol requires a correctly established tcp
connection.
TCP connections can be spoofed if the attacker is in
control of a router between the source and
destination, and source routing attacks can make this
more likely. But for the most part, this is hard to
pull off.

Description of the Attack: This isn't an attack per
se, but possibly an attempt to hide one. What we're
looking for is unicode representations of what could
be put in plain old ASCII.

Here's the raw dump:

21:40:37.066507 IP (tos 0x0, ttl 122, id 17747, len
517) 32.245.166.236.62998 >
216.239.53.101.80: P [bad tcp cksum f9c3 (->8406)!]
3958534763:3958535240(477) a
ck 2032552812 win 64240 (DF)bad cksum ce51 (->e369)!
0x0000 4500 0205 4553 4000 7a06 ce51 20f5 a6ec
E...ES@.z..Q....
0x0010 d8ef 3565 f616 0050 ebf2 726b 7926 4b6c
..5e...P..rky&Kl
0x0020 5018 faf0 f9c3 0000 4745 5420 2f73 6561
P.......GET./sea
0x0030 7263 683f 713d 2545 3825 3842 2538 4626
rch?q=%E8%8B%8F&
0x0040 6965 3d55 5446 2d38 266f 653d 5554 462d
ie=UTF-8&oe=UTF-
0x0050 3826 686c 3d7a 682d 434e 266c 723d 2054
8&hl=zh-CN&lr=.T
0x0060 462d 3826 686c 3d7a 682d 434e 266c 723d
F-8&hl=zh-CN&lr=
0x0070 2048 5454 502f 312e 310d 0a41 6363 6570
.HTTP/1.1..Accep
0x0080 743a 2069 6d61 6765 2f67 6966 2c20 696d
t:.image/gif,.im
0x0090 6167 652f 782d 7862 6974 6d61 702c 2069
age/x-xbitmap,.i
0x00a0 6d61 6765 2f6a 7065 672c 2069 6d61 6765
mage/jpeg,.image
0x00b0 2f70 6a70 6567 2c20 6170 706c 6963 6174
/pjpeg,.applicat
0x00c0 696f 6e2f 766e 642e 6d73 2d65 7863 656c
ion/vnd.ms-excel
0x00d0 2c20 6170 706c 6963 6174 696f 6e2f 6d73
,.application/ms
0x00e0 776f 7264 2c20 2a2f 2a0d 0a52 6566 6572
word,.*/*..Refer
0x00f0 6572 3a20 6874 7470 3a2f 2f77 7777 2e67
er:.http://www.g
0x0100 6f6f 676c 652e 636f 6d2f 0d0a 4163 6365
oogle.com/..Acce
0x0110 7074 2d4c 616e 6775 6167 653a 207a 682d
pt-Language:.zh-
0x0120 636e 0d0a 4163 6365 7074 2d45 6e63 6f64
cn..Accept-Encod
0x0130 696e 673a 2067 7a69 702c 2064 6566 6c61
ing:.gzip,.defla
0x0140 7465 0d0a 5573 6572 2d41 6765 6e74 3a20
te..User-Agent:.
0x0150 4d6f 7a69 6c6c 612f 342e 3020 2863 6f6d
Mozilla/4.0.(com
0x0160 7061 7469 626c 653b 204d 5349 4520 362e
patible;.MSIE.6.
0x0170 303b 2057 696e 646f 7773 204e 5420 352e
0;.Windows.NT.5.
0x0180 3129 0d0a 486f 7374 3a20 7777 772e 676f
1)..Host:.www.go
0x0190 6f67 6c65 2e63 6f6d 0d0a 436f 6e6e 6563
ogle.com..Connec
0x01a0 7469 6f6e 3a20 4b65 6570 2d41 6c69 7665
tion:.Keep-Alive

What we're looking for is hex characters preceded by
the "%" character. We find the following in the
above ASCII dump of the packet:

%E8%8B%8F

This translates as:

è??

This doesn't look like ASCII to me. If we pull the
whole thing together, we basically get:

http://www.google.com/search?q=%E8%8B%8F

This brings up a perfectly ordinary Google search
results page, primarily in Chinese Simplified. We
could treat the characters as separate, but that's
not how the Firebird browser interprets it. In
addition, the string "UTF-8&hl=zh-CN" specifically
asks for Chinese.

Attacking Mechanism: I suspect the mechanism is really
a bug in the parsing of unicode. The Snort source
code indicates that they check up to 3 bytes (each
pair of hex numbers is a byte) but the above three
characters do not appear in the default unicode map.


Correlations: I checked a number of other alerts of
this type and found that each unicode representation
in each alert was located in the CJK - Chinese,
Japanese, Korean - range of unicode characters. In
addition, many of the destination sites were written
in Chinese.

Evidence of Active Targeting: There is no evidence of
randomness in the connections, so this is active.
"Targeting" is too strong a term for a
false-positive.

Severity: Severity of the incident is given by the
formula:
severity = (criticality + lethality) - (system
countermeasures + network countermeasures)

Criticality: 3 We have to consider the criticality of
the local host, rather than the remote. We don't
really know what the host was, but we can infer that
it is one that performs fairly ordinary web surfing.
This would indicate it is likely a workstation rather
than a server. Based on that, I'd give it a 2, with
a pessimistic boost to 3 because of the uncertainty.
Criticality = 3

Lethality: 0 This is a false positive. Even if it
were an actual attack, the mere obfuscation of the
attack would not itself be that lethal.

System Countermeasures: Unknown, so go worst-case.
System Countermeasures = 0

Network Countermeasures: There is Intrusion Detection
going on. Network Countermeasures = 3

Severity = (3 + 0) - (0 + 3) = 0

Defensive Recommendation:
A web proxy might be able to scrub outbound traffic to
keep this stuff in line. That is, it could keep
attacks that this traffic inadvertently resembled
down.

The remote hosts should be sure their web servers are
patched and secured. There are web proxies you can
put in front of a web server to normalize and
otherwise clean up inbound traffic.

Multiple Choice Question:

Unicode attacks work by:

A) Exploiting buffer overflows in character encoding
routines
B) Repeatedly sending single-byte packets to network
infrastructure devices like routers and switches,
causing resource exhaustion.
C) Representing characters in ways that obscure them
from pattern matching defenses like IDS
D) All of the above

Answer: C. Unicode can defeat a defense that looks
for a string like "//////" by representing the
string as "/%2F%2F%2F%2F/"





_______________________________________________
Intrusions mailing list
Intrusions@xxxxxxxxxxxxxx
http://www.dshield.org/mailman/listinfo/intrusions
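The following is an added worked example, not part of James Affeld's post or of Snort: it reproduces the manual check the post walks through (recover the request line from the tcpdump hex dump, find the %XX runs, decode them as UTF-8 and ask whether they hide printable ASCII or spell legitimate non-ASCII text such as the CJK query above). It is the analyst's reasoning in code, not Snort's http_inspect algorithm. The hex rows are copied from the dump in the post; the "/%2F%2F%2F%2F/" request from the quiz answer is constructed for contrast, and the function names, CJK ranges and verdict labels are this example's own choices.

```python
"""Recover the HTTP request line from a tcpdump -X hex dump and check every
percent-encoded run the way the analysis above does: decode the %XX bytes as
UTF-8 and ask whether they hide plain ASCII (IDS evasion) or spell a
legitimate non-ASCII character (here, a CJK ideograph)."""
import re
import string
import unicodedata

# Hex rows copied from the packet dump in the post (IP + TCP headers and the
# start of the HTTP payload). The ASCII column is omitted; bytes.fromhex()
# rebuilds it from the hex.
HEX_DUMP = """\
0x0000 4500 0205 4553 4000 7a06 ce51 20f5 a6ec
0x0010 d8ef 3565 f616 0050 ebf2 726b 7926 4b6c
0x0020 5018 faf0 f9c3 0000 4745 5420 2f73 6561
0x0030 7263 683f 713d 2545 3825 3842 2538 4626
0x0040 6965 3d55 5446 2d38 266f 653d 5554 462d
0x0050 3826 686c 3d7a 682d 434e 266c 723d 2054
0x0060 462d 3826 686c 3d7a 682d 434e 266c 723d
0x0070 2048 5454 502f 312e 310d 0a41 6363 6570
"""

PERCENT_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2})+")
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")  # RFC 3986
CJK_RANGES = (  # assumption: the blocks an analyst would call "CJK text"
    (0x3040, 0x30FF),  # Hiragana, Katakana
    (0x3400, 0x4DBF),  # CJK Unified Ideographs Extension A
    (0x4E00, 0x9FFF),  # CJK Unified Ideographs
    (0xAC00, 0xD7AF),  # Hangul syllables
)


def dump_to_bytes(dump: str) -> bytes:
    """Turn 'offset hhhh hhhh ...' rows into the raw packet bytes."""
    words = []
    for line in dump.splitlines():
        fields = line.split()
        if fields:
            words.extend(fields[1:])  # drop the leading 0x00n0 offset
    return bytes.fromhex("".join(words))


def extract_request_line(dump: str) -> str:
    """Skip the IP and TCP headers using their own length fields and return
    the first line of the TCP payload, i.e. the HTTP request line."""
    pkt = dump_to_bytes(dump)
    ihl = (pkt[0] & 0x0F) * 4            # IP header length: 0x45 -> 20 bytes
    data_off = (pkt[ihl + 12] >> 4) * 4  # TCP data offset: 0x50 -> 20 bytes
    payload = pkt[ihl + data_off:]
    return payload.split(b"\r\n", 1)[0].decode("latin-1")


def is_cjk(ch: str) -> bool:
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in CJK_RANGES)


def classify_char(ch: str) -> str:
    cp = ord(ch)
    if 0x20 <= cp < 0x7F:
        # Printable ASCII never needs a multi-byte form; unreserved characters
        # in particular have no legitimate reason to be percent-encoded at all.
        return "ascii-unreserved" if ch in UNRESERVED else "ascii-reserved"
    return "cjk" if is_cjk(ch) else "other"


def analyze_request(request_line: str) -> list:
    """Decode each %XX run as UTF-8 and label it. Verdicts:
    encoded-ascii  the bytes spell printable ASCII (the evasion pattern)
    cjk-text       a legitimate CJK string, as in the Google query above
    non-ascii      other valid Unicode, worth a look
    invalid-utf8   bytes that do not decode (truncated or malformed)"""
    results = []
    for m in PERCENT_RUN.finditer(request_line):
        run = m.group(0)
        raw = bytes.fromhex(run.replace("%", ""))
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            results.append({"run": run, "bytes": raw, "text": None,
                            "chars": [], "verdict": "invalid-utf8"})
            continue
        kinds = [classify_char(c) for c in text]
        if any(k.startswith("ascii") for k in kinds):
            verdict = "encoded-ascii"
        elif all(k == "cjk" for k in kinds):
            verdict = "cjk-text"
        else:
            verdict = "non-ascii"
        results.append({
            "run": run, "bytes": raw, "text": text, "verdict": verdict,
            "chars": [(c, "U+%04X" % ord(c), unicodedata.name(c, "?"), k)
                      for c, k in zip(text, kinds)],
        })
    return results


if __name__ == "__main__":
    line = extract_request_line(HEX_DUMP)
    print(line)
    for r in analyze_request(line):
        print(r["run"], "->", r["text"], r["verdict"], r["chars"])
    # Constructed request using the path from the quiz answer in the post.
    for r in analyze_request("GET /%2F%2F%2F%2F/ HTTP/1.0"):
        print(r["run"], "->", r["text"], r["verdict"])
```

Run against the dump, the only run is %E8%8B%8F, which decodes to the single CJK ideograph U+82CF and gets the "cjk-text" verdict, matching the post's conclusion that the alert is a false positive. The constructed "/%2F%2F%2F%2F/" request decodes to "////", printable ASCII that needed no encoding, and is flagged "encoded-ascii". A truncated run such as %E8%8B, which a real request might carry, is reported as "invalid-utf8" rather than silently dropped.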


