You are a security specialist working for ABC Incorporated. ABC uses SNORT as its NIDS, which protects its IP sub-network, the range 203.40.27.128 – 203.40.27.255.
A recent security vulnerability has been found in OpenSSH. A junior staff member within the security team developed a new SNORT rule to detect this attack. Your supervisor has asked you to check the work of the junior staff member to ensure there are no errors in the SNORT rule.
The security vulnerability is described as follows:
A buffer overflow has been detected in the OpenSSH server. Exploits have been released and exhibit the following characteristics:
- A payload positioned 100 bytes from the start of the data, containing the string message “You are mine”.
- After the above payload there is a variable 4-byte field specifying a return address. These 4 bytes can be any value.
- Following the variable 4-byte return address is the exploit code signature, given in hex as AB 8F 23 8A BC 92.
The rule should:
- When triggered, drop and then log the packet only.
- Detect attacks from both inside and outside the private network.
- Include the message “OpenSSH exploit attempt” with the log entry.
- Include a reference to the CVE number CAN-2006-06-3318.
- Have a classification of attempted-admin.
The rule written by the junior staff member is as follows:
alert udp !203.40.27.0/24 any -> 203.40.27.128/24 23 (msg: "OpenSSH exploit attempt"; cve:CAN-2006-06-3318; classtype: attempted-admin; content: "You are mine"; depth: 12; offset:100; content: "AB 8F 23 8A BC 92"; depth:6; offset:4;)
The rule above contains 10 syntax or logic errors. Your task is to review the rule and identify these errors, which may prevent it from detecting legitimate attacks or will cause false positives. For each mistake, identify the error, explain why it is wrong, and then fix it.
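To see how SNORT's content modifiers behave on a packet shaped like the one in the advisory, here is an added Python illustration (it is not part of the assignment and not a complete answer to it): a small model of the absolute modifiers offset/depth and the relative modifiers distance/within, run over a constructed payload. The function names, the sample bytes and the two modifier sets are assumptions made for the illustration.

```python
# Added illustration: a minimal model of Snort content-modifier matching.
# Names, the sample payload and the modifier sets below are constructed.

def parse_content(spec):
    """Turn a Snort content string into bytes; |..| sections are hex."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def match_content(payload, pattern, cursor, offset=None, depth=None,
                  distance=None, within=None):
    """Return the end position of the match, or None if it is absent.
    offset/depth are absolute from the start of the payload; distance/within
    are relative to the end of the previous content match (the cursor)."""
    if distance is not None or within is not None:
        start = cursor + (distance or 0)
        end = start + within if within is not None else len(payload)
    else:
        start = offset or 0
        end = start + depth if depth is not None else len(payload)
    idx = payload.find(pattern, start, end)  # slice bounds enforce depth/within
    return None if idx < 0 else idx + len(pattern)

def rule_matches(payload, contents):
    """Evaluate an ordered list of (content_spec, modifiers) as Snort would."""
    cursor = 0
    for spec, mods in contents:
        cursor = match_content(payload, parse_content(spec), cursor, **mods)
        if cursor is None:
            return False
    return True

# Constructed payload shaped like the advisory: 100 bytes of filler, the
# "You are mine" string, a 4-byte return address, then the 6-byte signature.
SAMPLE = (b"A" * 100 + b"You are mine" + b"\x11\x22\x33\x44"
          + bytes.fromhex("AB8F238ABC92") + b"\x00" * 8)

# Absolute modifiers on the second content, as in the junior rule: the
# signature is looked for in bytes 4..10 as literal text, nowhere near it.
ABSOLUTE = [("You are mine", dict(offset=100, depth=12)),
            ("AB 8F 23 8A BC 92", dict(offset=4, depth=6))]

# Relative modifiers chain the second match to the end of the first: skip
# the 4 address bytes, then the 6-byte hex signature must follow immediately.
RELATIVE = [("You are mine", dict(offset=100, depth=12)),
            ("|AB 8F 23 8A BC 92|", dict(distance=4, within=6))]
```

Real SNORT additionally rejects a rule at load time when depth or within is shorter than the content it modifies; the model above simply reports no match in that case.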
EXAMPLE:
Here is a sample rule with a mistake in it.
alert udp any 53 -> any 53 (msg: "DNS attack"; content: "XYZ";)
Here is an example of the solution format:
Error 1: alert udp any 53 ->
The source port is given as 53; however, requests to a DNS server from a client use ephemeral ports, so the source port should be given as any. To correct this mistake, the rule should read:
Solution 1: alert udp any any -> any 53
