Detecting Linux Shellcode Traffic

Because exploit developers sometimes share some of the same shellcode, the shellcode.rules file in the Snort signature set looks for this common base of bytes in network traffic. The content field in the following signature shows a smattering of common shellcode used against Linux systems:

alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE Linux shellcode"; content:"|90 90 90 E8 C0 FF FF FF|/bin/sh"; reference:arachnids,343; classtype:shellcode-detect; sid:652; rev:9;)

Translating this signature with fwsnort --snort-sid 652 builds the iptables command below. While the original Snort rule applies to all IP traffic, the port requirement (a source port other than 80) forces iptables to match only on TCP or UDP packets, since only those protocols carry port numbers.

Here is the translated Snort rule applied to TCP traffic:

$IPTABLES -A FWSNORT_FORWARD -d 192.168.10.0/24 -p tcp --sport ! 80 -m string --hex-string "|90 90 90 E8 C0 FF FF FF|/bin/sh" --algo bm -m comment --comment "sid:652; msg: SHELLCODE Linux shellcode; classtype: shellcode-detect; reference: arachnids,343; rev: 9; FWS:1.0;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[1] SID652 "

To trigger the signature match within iptables, first execute the fwsnort.sh script on the iptablesfw system, and then execute the Perl command below from the ext_scanner system. As required by the signature, the source port of the TCP session built by Netcat is not port 80, since it chooses a random high port above 1024 according to how the local TCP stack instantiates a client TCP socket:

[iptablesfw]# /etc/fwsnort/fwsnort.sh
[+] Adding shellcode rules.
    Rules added: 2

[ext_scanner]$ perl -e 'print "\x90\x90\x90\xE8\xC0\xFF\xFF\xFF/bin/sh"' | nc 71.157.X.X 80

The simulated attack is caught by iptables, and this log message appears:

[iptablesfw]# grep SID652 /var/log/messages | tail -n 1

Jul 19 23:48:18 iptablesfw kernel: [1] SID652 IN=eth0 OUT=eth1 SRC=144.202.X.X DST=192.168.10.3 LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=570 DF PROTO=TCP SPT=54629 DPT=80 WINDOW=92 RES=0x00 ACK PSH URGP=0 OPT (0101080A2B3139EFAD325718)

This shows that fwsnort, with guidance from the Snort signature set, is effective at detecting the simulated attack.
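To make the translation concrete, here is an added Python model of what the fwsnort-built rule for SID 652 actually decides per packet (this is illustration code, not fwsnort's or Snort's own). It converts the Snort content string into raw bytes the way the --hex-string argument expects, applies the rule's protocol, destination-network and source-port constraints, and runs a plain substring search in place of the iptables string match (--algo bm) over constructed sample packets, including one shaped like the Netcat test above. The packet dictionaries, the sample addresses (203.0.113.7) and the log-line format are assumptions made for the example.

```python
"""Model of how fwsnort's translation of Snort SID 652 decides a match.

Added example (not fwsnort's or Snort's own code).  Packet dicts, sample
addresses and the log formatting are assumptions for illustration.
"""
import ipaddress


def snort_content_to_bytes(content: str) -> bytes:
    """Turn a Snort content value such as '|90 90 90 E8 C0 FF FF FF|/bin/sh'
    into bytes: text between a pair of '|' is hex, everything else is literal."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2:  # odd segments sit between two pipes -> hex bytes
            out.extend(bytes.fromhex(part))  # fromhex ignores the spaces
        else:
            out.extend(part.encode("latin-1"))
    return bytes(out)


# Constraints of the iptables rule fwsnort builds for SID 652
SID652 = {
    "sid": 652,
    "msg": "SHELLCODE Linux shellcode",
    "pattern": snort_content_to_bytes("|90 90 90 E8 C0 FF FF FF|/bin/sh"),
    "home_net": ipaddress.ip_network("192.168.10.0/24"),   # -d 192.168.10.0/24
    "excluded_sport": 80,                                   # --sport ! 80
}


def matches_sid652(pkt: dict) -> bool:
    """Apply the rule to one packet.  Ports only exist for TCP/UDP, so any
    other IP protocol can never match the translated rule."""
    if pkt["proto"] not in ("tcp", "udp"):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in SID652["home_net"]:
        return False
    if pkt["sport"] == SID652["excluded_sport"]:
        return False
    # Substring search stands in for iptables' -m string --algo bm
    return SID652["pattern"] in pkt["payload"]


def log_line(pkt: dict) -> str:
    """Render a LOG-target style line carrying the fwsnort --log-prefix."""
    return (f"[1] SID{SID652['sid']} IN={pkt['in']} SRC={pkt['src']} "
            f"DST={pkt['dst']} PROTO={pkt['proto'].upper()} "
            f"SPT={pkt['sport']} DPT={pkt['dport']}")


def scan(packets: list) -> list:
    """Return a log line for every packet the rule fires on."""
    return [log_line(p) for p in packets if matches_sid652(p)]


# Constructed sample packets (addresses and ports are made up for the example)
SAMPLE_PACKETS = [
    {   # shaped like the Netcat test: random high source port, dport 80
        "name": "netcat-test", "proto": "tcp", "in": "eth0",
        "src": "203.0.113.7", "dst": "192.168.10.3", "sport": 54629, "dport": 80,
        "payload": b"\x90\x90\x90\xE8\xC0\xFF\xFF\xFF/bin/sh",
    },
    {   # same bytes but sent from source port 80: excluded by $SHELLCODE_PORTS
        "name": "from-port-80", "proto": "tcp", "in": "eth0",
        "src": "203.0.113.7", "dst": "192.168.10.3", "sport": 80, "dport": 40000,
        "payload": b"HTTP/1.1 200 OK\r\n\r\n\x90\x90\x90\xE8\xC0\xFF\xFF\xFF/bin/sh",
    },
    {   # one byte differs (C0 -> C1): the string match needs the exact sequence
        "name": "near-miss", "proto": "udp", "in": "eth0",
        "src": "203.0.113.7", "dst": "192.168.10.3", "sport": 53000, "dport": 53,
        "payload": b"\x90\x90\x90\xE8\xC1\xFF\xFF\xFF/bin/sh",
    },
    {   # destination outside $HOME_NET: the -d match never fires
        "name": "other-net", "proto": "tcp", "in": "eth0",
        "src": "203.0.113.7", "dst": "10.0.0.5", "sport": 40001, "dport": 80,
        "payload": b"\x90\x90\x90\xE8\xC0\xFF\xFF\xFF/bin/sh",
    },
]

if __name__ == "__main__":
    for line in scan(SAMPLE_PACKETS):
        print(line)
```

Only the first sample produces a log line; the other three show why the rule stays quiet: the excluded source port, a single differing byte in the pattern, and a destination outside the protected network. Keep in mind that the content string is matched byte for byte, which is why the OCR-style slip of reading "C0" as "Co" in a hand-typed rule would silently break detection.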
