Automated Translation Between Attack Languages
(Translating Snort rules to STATL scenarios)

Steven T. Eckmann
Reliable Software Group
University of California
Santa Barbara, CA 93106
http://www.cs.ucsb.edu/~rsg/STAT/

10 October 2001
Outline

• Problem
• Proposed solution
• Translating Snort to STATL
• Other translations
• Lessons learned
• Conclusions and future work
The Problem

• Developing IDS signatures is labor-intensive
• There are many signature-based IDSs
• Sharing signatures between IDSs would conserve valuable resources
• Each IDS has its own signature “language”, so sharing signatures is not trivial
Proposed solution

• Automated translation between signature languages
  – Simplifies signature sharing
  – Supports easier comparison of different signatures for similar attacks
    • express signatures in (or translate to) a common language
• Potential benefits of research
  – Leads to greater insight into attack language requirements
    • what can language A do that B cannot, and vice versa?
  – Has not been done before
    • ArachNIDS database supports generation of signatures for several IDSs with similar rule languages
      – Snort, Dragon, Pakemon, DefenseWorx, Shoki
Translation issues

• Language compatibility
  – Cannot translate features that don’t exist in target language
  – Domain-dependent factors
    • protocols (ethernet, IP, TCP, UDP, ICMP, DNS, ...)
    • protocol fields
    • user-defined functions
  – Domain-independent factors
    • multi-event patterns
      – sequence, or, and, loop, time, ...
• Other factors
  – Are generated signatures “as good as” hand-crafted signatures?
  – Is automated translation cost-effective?
Why snort

• Snort has a simple, concise language for expressing detection signatures
• Snort signatures are readily available
• Several other network IDSs have signature languages essentially equivalent to snort
Snort rules

• A snort rule is a detection signature for matching single events
  – Snort uses preprocessors to match signatures too complex for rule language
• Each rule has a rule header and rule options
  – Rule header matches “action”, IP addresses, and ports
  – Rule options match protocol fields and payload content
• Example

  alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd attempt";flags: A+; content:"passwd";)
Why STATL

• Domain-independent attack language
  – Extensions for
    • IP networks (NetSTAT)
    • Solaris BSM
    • WinNT event logging facility
    • Apache event logs
    • Syslog facility
    • IDMEF alerts
• Much more expressive than snort, etc.
• Text and graphical form
• Potentially the “common language” mentioned earlier
STATL basic abstractions

• Scenario
  – States
  – Transitions (consuming, nonconsuming, unwinding)
  – Signature actions
  – Assertions
  – Global environment
  – Local environment
  – Code blocks
• Events
• Timers
NetSTAT example

use tcpip;

scenario streambin
{
  string CLASSIFICATION_NAME = "Streambin";
  string CLASSIFICATION_URL = "http://www.cs.ucsb.edu/~rsg";
  string SOURCE_NODEADDRESS = "unknown";
  string SOURCE_PORT = "unknown";
  string TARGET_NODEADDRESS = "unknown";
  string TARGET_PORT = "unknown";
  string ADDITIONAL_DATA = "Binary packet: ";
  int sid;

  transition open (s0->data) nonconsuming
  {
    [STREAMOpen s] : s.header.type == STREAM_EVENT_OPEN_C2S &&
      (s.header.getDstPort() == 25 ||  //smtp
       s.header.getDstPort() == 21 ||  //ftp
       s.header.getDstPort() == 110)   //pop
    {
      sid = s.header.id;
      SOURCE_NODEADDRESS = s.header.getSrcStr();
      SOURCE_PORT = s.header.getSrcPortStr();
      TARGET_NODEADDRESS = s.header.getDstStr();
      TARGET_PORT = s.header.getDstPortStr();
    }
  }

  transition data (data->data) consuming
  {
    [STREAM s] : (s.header.type == STREAM_EVENT_DATA_C2S &&
                  s.header.id == sid && !s.containsBinary())
  }

  transition binary (data->binary) consuming
  {
    [STREAM s] : (s.header.type == STREAM_EVENT_DATA_C2S &&
                  s.header.id == sid && s.containsBinary())
    { ADDITIONAL_DATA += s.asString(); }
  }

  transition close (data->s0) unwinding
  {
    [STREAMClose s] : s.header.id == sid
  }

  initial state s0 { }

  state data { }

  state binary
  {
    { log("Streambin compromised"); }
  }
}
NetSTAT example

[State diagram of the streambin scenario: states s0, data, binary; transitions open (s0->data), data (data->data), binary (data->binary), close (data->s0).]
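To make the translation problem concrete, the following added example (mine, not the author's translator or any RSG tool) parses the rule header and options of the Snort rule from the "Snort rules" slide and emits a single-transition STATL scenario in the textual form of the NetSTAT example above. The event type TCP_PACKET, the accessors getSrc/getDstPort/hasFlags/payloadContains, and treating $HOME_NET-style variables as global address sets are assumptions of this example; options with no counterpart are reported rather than silently dropped, which is the language-compatibility issue the deck raises.

```python
import re

# Constructed input: the FTP rule quoted on the "Snort rules" slide.
SNORT_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 21 '
              '(msg:"FTP passwd attempt";flags: A+; content:"passwd";)')
HEADER_FIELDS = ("action", "proto", "src", "sport", "direction", "dst", "dport")
# one 'key: value;' option; the value may be quoted and contain spaces or ';'
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def parse_snort_rule(rule):
    """Return (header dict, ordered [(option, value)]) for one Snort rule."""
    head, _, opts = rule.partition("(")
    parts = head.split()
    if len(parts) != len(HEADER_FIELDS):
        raise ValueError("malformed rule header: %r" % head)
    options = [(m.group(1), (m.group(2) or "").strip().strip('"') or None)
               for m in OPTION_RE.finditer(opts.rstrip().rstrip(")"))]
    return dict(zip(HEADER_FIELDS, parts)), options

def translate_to_statl(header, options, name="snort_rule"):
    """Emit a one-transition scenario; returns (statl_text, untranslated option names).
    TCP_PACKET and the accessors getSrc/getDstPort/hasFlags/payloadContains are
    assumed names modelled on the NetSTAT slide, not the real tcpip extension."""
    if header["proto"] != "tcp" or header["direction"] != "->":
        raise ValueError("only 'tcp ... ->' rules are handled here")
    conds, msg, untranslated = [], "snort rule", []
    for side, acc in (("src", "Src"), ("dst", "Dst")):
        if header[side] != "any":  # $HOME_NET etc. are assumed to be STATL global sets
            conds.append("%s.contains(p.header.get%s())" % (header[side].lstrip("$"), acc))
        if header[side[0] + "port"] != "any":
            conds.append("p.header.get%sPort() == %s" % (acc, header[side[0] + "port"]))
    for key, val in options:
        if key == "msg":
            msg = val
        elif key == "content":
            conds.append('p.payloadContains("%s")' % val)
        elif key == "flags":
            conds.append('p.header.hasFlags("%s")' % val)
        else:  # options with no STATL counterpart here (depth, nocase, reference, ...)
            untranslated.append(key)
    text = ("use tcpip;\n\nscenario %s\n{\n  string MSG = \"%s\";\n\n"
            "  transition match (s0->alert) consuming\n  {\n    [TCP_PACKET p] : (%s)\n  }\n\n"
            "  initial state s0 { }\n\n  state alert\n  {\n    { log(MSG); }\n  }\n}\n"
            % (name, msg, " &&\n                     ".join(conds) or "true"))
    return text, untranslated

if __name__ == "__main__":
    statl, skipped = translate_to_statl(*parse_snort_rule(SNORT_RULE), name="ftp_passwd_attempt")
    print(statl, "untranslated options:", skipped)
```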