Spoofing exploitrules Traffic

You can execute snortspoof.pl from the command line as follows to spoof the attack packets in the Snort exploit.rules file (crafting them so they appear to come from the IP address 11.11.22.22) and send them to the target IP address 44.44.55.55:

[spoofer]# ./snortspoof.pl /etc/fwsnort/snort_rules/exploit.rules 11.11.22.22 44.44.55.55 [+] /etc/fwsnort/snort_rules/exploit.rules, 53 attacks sent.

Using tcpdump, we can confirm that snortspoof.pl functions as claimed and generates attack packets against the target IP address. The following example shows that Snort rule ID 315 EXPLOIT x86 Linux mountd overflow is sent over UDP port 635:

alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 Linux mountd overflow"; content:"A|B0 02 89 06 FE C8 89|F|04 B0 06 89|F"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:315; rev:6;)

Now we use the snortspoof.pl script to send the attacks described by the exploit.rules file (the content field from Snort rule ID 315 is shown in bold):

[spoofer]# tcpdump -i eth1 -l -nn -s 0 -X -c 1 port 635 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes 23:32:08.563668 IP 11.11.22.22.10000 > 44.44.55.55.635: UDP, length 14

0x0000: 4510 002a 0000 4000 4011 b62f 0b0b 1616 E..*[email protected]@../____

0x0010: c0a8 0a03 2710 027b 0016 90cf 5eb0 0289 ____'..{____A...

1 packets captured

2 packets received by filter 0 packets dropped by kernel

The packet trace shows us that snortspoof.pl put a UDP packet on the wire directed at the 44.44.55.55 IP address on port 635, and the application layer data associated with this packet conforms exactly to what Snort rule ID 315 expects to see. Both Snort and fwsnort generate an event after monitoring such a packet, and the IP address 11.11.22.22 appears to be the culprit.

This appendix has discussed how an attacker might try to force Snort to generate false positive events by leveraging the Snort ruleset as a guide for creating malicious-looking traffic. The snortspoof.pl script automates this by parsing the Snort ruleset and using raw sockets to blast matching traffic against a target IP address. Although snortspoof.pl applies only to the Snort IDS, a similar strategy can be employed against any IDS that uses signatures to detect suspicious traffic; all you need is a copy of the signature set and a slightly modified version of snortspoof.pl.

Was this article helpful?

0 0

Post a comment