L0pht / NFR IDS Modules
sili@L0pht.com
mudge@L0pht.com

The Preface:

Not too long ago, a company called NFR released a package entitled Network Flight Recorder. The tool promiscuously monitors your network and provides a framework for analyzing, reporting, and modeling the traffic that it sees. While not initially designed as an Intrusion Detection System, the functionality is there to at least the same degree as products on the market explicitly designed as such. In many cases NFR is much more reliable in the IDS realm than the other commercial IDS' out there. This, coupled with the fact that source code for NFR was made publicly available, piqued our curiosity.

----------------------------------------------------------

The problem:

Sitting on the nfr-users mailing list it became readily apparent that there was a lack of sample code available to the public that demonstrated IDS style functionality for NFR.

----------------------------------------------------------

The solution:

So in playing around with NFR and N-Code (the scripting language for the filters) we threw together a few quick samples which we are happy to offer back to the community.

----------------------------------------------------------

The Disclaimer:

This is just educational material. You are free to use these samples in any fashion you deem fit as long as proper credit/attribution is maintained. We, the L0pht, take no responsibility or liability for said samples.
----------------------------------------------------------

The Warez:

----------------------------------------------------------

Back Orifice Detector

This module detects patterns that happen within Back Orifice client/server communications. This module does not rely on the poor encryption technique used in BO. We believe this is the best Back Orifice detection tool out there - plus it is free and you get the source code. What more could one want?

bo.nfr - the actual Back Orifice module N-Code
bo.cfg - the NFR config file for the BO module
bo.desc - the NFR description file for the BO module

----------------------------------------------------------

Big Packet Detector

Huge packets on your network? Potential denial of service attack underway. Use this module to spot them.

bigpacket.nfr - the actual Big Packet module N-Code
bigpacket.cfg - the NFR config file for the Big Packet module
bigpacket.desc - the NFR description file for the Big Packet module

----------------------------------------------------------

DNS Iquery Exploit logger

The net as a whole has been getting knocked over left and right due to the buffer overflow in bind versions. This module watches for Iquery requests going to TCP port 53. The RoTSB exploit always uses a query ID of 31337 so this is parsed for as well.

iquery.nfr - the actual iquery module N-Code
iquery.cfg - the NFR config file for the iquery module
iquery.desc - the NFR description file for the iquery module

----------------------------------------------------------

Lockd and NFS

This module looks for NFS service requests (service 100003) going to port 4045 (lockd). Silicosis must have been playing with the customized nfs-shell that mudge did. hrmmmmm...

lockd.nfr - the actual lockd module N-Code
lockd.cfg - the NFR config file for the lockd module
lockd.desc - the NFR description file for the lockd module

----------------------------------------------------------

OOB (WinNuke) Module

This module looks for the Urgent Pointer == 3, which causes Windows NT and 95 boxes of various patch levels to crash. Commonly referred to as winnuke.

oob.nfr - the actual OOB module N-Code
oob.cfg - the NFR config file for the OOB module
oob.desc - the NFR description file for the OOB module

----------------------------------------------------------

Statd Exploit Watcher

Two very common and widely used exploits are watched for here: the remote shell exploit (tcp) and the link and unlink of files (udp).

statd.nfr - the actual statd module N-Code
statd.cfg - the NFR config file for the statd module
statd.desc - the NFR description file for the statd module

----------------------------------------------------------

rpc.ttdbserverd Exploit Detector

This module looks for a buffer overflow being exploited in Solaris. A widely publicized exploit is available so maybe it is not such a bad idea to start looking for it.

ttdb.nfr - the actual ttdbserverd module N-Code
ttdb.cfg - the NFR config file for the ttdbserverd module
ttdb.desc - the NFR description file for the ttdbserverd module

----------------------------------------------------------

Malicious web queries

The badweb modules look for requests that indicate malicious activity or attempts to exploit known cgi/http vulnerabilities.
Current maliciousness watched for includes:

* test-cgi.tcl
* nph-test-cgi
* test-cgi
* perl.exe
* phr
* snork.bat
* direct shell invocation
* finger
* faxsurvey
* robots.txt
* AnyForm
* AnyForm2
* formmail
* guestbook
* win-c-sample.exe
* php.cgi
* wrap
* handler
* aglimpse
* uploader.exe
* mlog
* mylog
* Count.cgi
* newdsn.exe
* MachineInfo
* Password struct info

badweb.nfr - the actual badweb module N-Code
badweb.cfg - the NFR config file for the badweb module
badweb.desc - the NFR description file for the badweb module

----------------------------------------------------------

finger watcher

The finger module simply watches and logs finger requests. It becomes interesting to see who is looking at the users on your machines, or whether people are doing finger bounces / old finger style attacks.

finger.nfr - the actual finger module N-Code
finger.cfg - the NFR config file for the finger module
finger.desc - the NFR description file for the finger module

----------------------------------------------------------

external arp requests

The ext_arp_inside module looks for arp requests asking for the response to be sent to an IP address not on the "internal" network(s). This lets the backend catch machines being brought up on the wrong networks, or potential strange homings of nets/hosts. One of the theories is that when a system first comes live it will gratuitously arp for itself (although Solaris is one of the few systems that does not do this). Another theory is that if another network stub is mis-attached, potentially between network legs that are treated at disparate security levels, you might see arps for a different net's router with an external network IP in the arp packet.
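As an added example (this is not the L0pht N-Code and not NFR's API), here is the ext_arp_inside check written in Python over a constructed Ethernet/ARP frame: the sender protocol address of an ARP request is where the reply goes, so a request carrying an address outside the internal nets is reported, and a gratuitous ARP (sender equals target) for an external address is called out separately as the "brought up on the wrong network" case. INTERNAL_NETS, the helper names and the sample frames are assumptions made for the example.

```python
"""Added example: flag ARP requests whose reply address is outside the
internal networks, in the spirit of the ext_arp_inside module.  This is
not the L0pht N-Code; the helper names and sample frames are my own."""
import ipaddress
import struct

# Assumed internal network(s); adjust for your own site.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.1.0/24")]

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1


def parse_arp_frame(frame: bytes):
    """Parse an Ethernet II frame carrying an Ethernet/IPv4 ARP packet.

    Returns a dict with the fields the detector needs, or None when the
    frame is not an ARP frame of the expected shape."""
    if len(frame) < 14 + 28:
        return None
    _dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    (htype, ptype, hlen, plen, oper,
     _sha, spa, _tha, tpa) = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None  # only Ethernet/IPv4 ARP is handled here
    return {
        "oper": oper,
        "src_mac": src_mac.hex(":"),
        "sender_ip": ipaddress.ip_address(spa),
        "target_ip": ipaddress.ip_address(tpa),
    }


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def check_arp(frame: bytes):
    """Return a list of alert strings for one frame (empty = nothing odd)."""
    arp = parse_arp_frame(frame)
    if arp is None or arp["oper"] != ARP_REQUEST:
        return []
    alerts = []
    sender, target = arp["sender_ip"], arp["target_ip"]
    # The sender protocol address is where the reply will be sent.  A
    # request on the internal wire asking for a reply to an external
    # address suggests a mis-homed host or a mis-attached network stub.
    # 0.0.0.0 (an ARP probe) is ignored.
    if not is_internal(sender) and int(sender) != 0:
        alerts.append(f"external reply address {sender} from {arp['src_mac']} "
                      f"(asking for {target})")
    # A host announcing itself (gratuitous ARP) with an external address
    # is the "machine brought up on the wrong network" case.
    if sender == target and not is_internal(sender):
        alerts.append(f"gratuitous ARP for external address {sender} "
                      f"from {arp['src_mac']}")
    return alerts


def build_arp_request(src_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Constructed test frame (not captured traffic)."""
    eth = struct.pack("!6s6sH", b"\xff" * 6, src_mac, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REQUEST,
                      src_mac, ipaddress.ip_address(sender_ip).packed,
                      b"\x00" * 6, ipaddress.ip_address(target_ip).packed)
    return eth + arp


if __name__ == "__main__":
    mac = bytes.fromhex("00c0f0112233")          # constructed MAC
    samples = (
        build_arp_request(mac, "10.1.2.3", "10.1.2.1"),         # normal request
        build_arp_request(mac, "203.0.113.7", "10.1.2.1"),      # external reply address
        build_arp_request(mac, "203.0.113.7", "203.0.113.7"),   # gratuitous, external
    )
    for frame in samples:
        print(check_arp(frame) or ["ok"])
```

The check only sees ARP requests, so it is blind to a host that never ARPs for itself (the Solaris caveat above); pairing it with a watcher for RIP advertisements or for SYNs from unexpected source addresses closes that gap.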
ext_arp_inside.nfr - the actual ext_arp module N-Code
ext_arp_inside.cfg - the NFR config file for the ext_arp module
ext_arp_inside.desc - the NFR description file for the ext_arp module

----------------------------------------------------------

external networks watcher

This backend watches for external IP addresses initiating connections across your local wire. Suppose you have an internal network setup where you allow people to initiate connections to the outside world but do not allow externally initiated connections to terminate on internal machines (ESTABLISHED in cisco lingo, or maybe some stateful filter like FW1 or ip-fil). Seeing TCP connections from external networks destined to internal machines with the SYN flag set in these situations would indicate a break in perimeter security. In addition, packets with SYN and any other tcp flags set except for RST are flagged as well. This is due to end systems handling them in different ways - to wit: Microsoft NT treats a SYN|FIN as a raw SYN and happily returns a SYN|ACK. This should alert you to more sophisticated attempts to circumvent filters.

ext_net_inside.nfr - the actual ext-net watcher module N-Code
ext_net_inside.cfg - the NFR config file for the ext-net watcher module
ext_net_inside.desc - the NFR description file for the ext-net watcher module

----------------------------------------------------------

land

This backend watches for land packets. These are packets with the same source and dest IP addresses. This should never be seen in the wild. Upon logging it records the ether address so you can hunt down the offender (that is, if you are not passing it through your router... tsk tsk tsk!)

land.nfr - the actual land module N-Code
land.cfg - the NFR config file for the land module
land.desc - the NFR description file for the land module

----------------------------------------------------------

rip1

This backend watches what is being advertised via RIP Version 1.
This is advantageous when users "accidentally" dual home internal and external networks and bring their machines live running routed.

rip1.nfr - the actual rip1 module N-Code
rip1.cfg - the NFR config file for the rip1 module
rip1.desc - the NFR description file for the rip1 module

----------------------------------------------------------

rip2

This backend watches what is being advertised via RIP Version 2. Again, the belief being that people should watch for routes being advertised into or out of their network that they are unaware of.

rip2.nfr - the actual rip2 module N-Code
rip2.cfg - the NFR config file for the rip2 module
rip2.desc - the NFR description file for the rip2 module

----------------------------------------------------------

X-Mas Tree Packet Watcher

This backend looks for packets with ALL tcp flags set (ie SYN|FIN|URG|ACK|RST|PSH). These packets should not exist in normal traffic and are almost always indicative of Denial of Service attacks.

xmastree.nfr - the actual xmastree module N-Code
xmastree.cfg - the NFR config file for the xmastree module
xmastree.desc - the NFR description file for the xmastree module

----------------------------------------------------------

xoutside

This backend watches for what appear to be X connections initiated from internal networks directed to external networks. This could be a potential security concern in attempts to bypass stateful packet filters, or if only encrypted and authenticated connections are allowed to internal networks and people are pointing unencrypted X sessions outside.

xoutside.nfr - the actual xoutside module N-Code
xoutside.cfg - the NFR config file for the xoutside module
xoutside.desc - the NFR description file for the xoutside module

----------------------------------------------------------

Conclusion:

Welp - hope people find some of this useful. Enjoy!

mudge@l0pht.com
sili@l0pht.com

L0pht, the L0pht logo, its likeness, and these pages Copyright © 1998 LHI Technologies, LLC. All Rights Reserved.
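Several of the modules above (OOB/WinNuke, the external networks watcher, land, the X-Mas Tree watcher and xoutside) are all decisions made on the IPv4 and TCP headers of a single packet. As an added example that is not the L0pht N-Code and not NFR's API, here are those five rules in Python over constructed packets, sharing one header parser. INTERNAL_NETS, the X display port range and the helper names are assumptions. One deliberate departure from the text: the SYN-plus-other-flags rule here exempts ACK as well as RST, because a SYN|ACK from outside is the normal reply to a connection the inside opened; the page's text names only RST.

```python
"""Added example (not the L0pht N-Code): TCP header checks mirroring the
land, ext_net_inside, xmastree, oob and xoutside modules, run over
constructed IPv4/TCP packets.  Network ranges and names are assumed."""
import ipaddress
import struct

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed site network
X11_PORTS = range(6000, 6064)                          # X displays :0 - :63

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG
PROTO_TCP = 6


def parse_ipv4_tcp(pkt: bytes):
    """Return the header fields of an IPv4/TCP packet, or None if not one."""
    if len(pkt) < 20:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or ihl < 20 or len(pkt) < ihl + 20:
        return None
    if pkt[9] != PROTO_TCP:
        return None
    src = ipaddress.ip_address(pkt[12:16])
    dst = ipaddress.ip_address(pkt[16:20])
    sport, dport, _seq, _ack, off_flags, _win, _csum, urgptr = \
        struct.unpack("!HHIIHHHH", pkt[ihl:ihl + 20])
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": off_flags & 0x3F, "urgptr": urgptr}


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def check_tcp(pkt: bytes):
    """Apply the rules; return the list of alert names that fired."""
    h = parse_ipv4_tcp(pkt)
    if h is None:
        return []
    alerts = []
    flags = h["flags"]
    # land: identical source and destination address never occurs legitimately
    if h["src"] == h["dst"]:
        alerts.append("land")
    # xmastree: every TCP flag set at once
    if flags == ALL_FLAGS:
        alerts.append("xmastree")
    # oob/winnuke: URG set with an urgent pointer of exactly 3
    if flags & URG and h["urgptr"] == 3:
        alerts.append("oob")
    ext_to_int = not is_internal(h["src"]) and is_internal(h["dst"])
    int_to_ext = is_internal(h["src"]) and not is_internal(h["dst"])
    if ext_to_int and flags & SYN:
        # ext_net_inside: an outside host opening a connection inward.  SYN
        # combined with FIN, PSH or URG is the filter-evasion case (NT treats
        # SYN|FIN as a plain SYN); ACK and RST are exempted (see lead-in).
        if flags & (FIN | PSH | URG):
            alerts.append("ext_net_inside:syn+extra")
        elif flags == SYN:
            alerts.append("ext_net_inside:syn")
    # xoutside: an internal host starting an X session to an outside display
    if int_to_ext and flags == SYN and h["dport"] in X11_PORTS:
        alerts.append("xoutside")
    return alerts


def build_packet(src: str, dst: str, sport: int, dport: int,
                 flags: int, urgptr: int = 0) -> bytes:
    """Constructed IPv4 + TCP header (no payload, zero checksums)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags,
                      65535, 0, urgptr)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     PROTO_TCP, 0, ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return ip + tcp


if __name__ == "__main__":
    # Constructed samples: 203.0.113.0/24 is documentation space (external here)
    samples = {
        "inbound SYN":       build_packet("203.0.113.5", "10.0.0.9", 40000, 80, SYN),
        "inbound SYN|FIN":   build_packet("203.0.113.5", "10.0.0.9", 40000, 80, SYN | FIN),
        "inbound SYN|ACK":   build_packet("203.0.113.5", "10.0.0.9", 443, 40000, SYN | ACK),
        "land":              build_packet("10.0.0.9", "10.0.0.9", 139, 139, SYN),
        "xmas":              build_packet("203.0.113.5", "10.0.0.9", 1, 1, ALL_FLAGS),
        "oob":               build_packet("203.0.113.5", "10.0.0.9", 40000, 139, URG | ACK | PSH, urgptr=3),
        "X to outside":      build_packet("10.0.0.9", "203.0.113.5", 40000, 6000, SYN),
    }
    for name, pkt in samples.items():
        print(f"{name:16s} -> {check_tcp(pkt) or 'ok'}")
```

The parser only looks at the fixed 20-byte TCP header, which is all these rules need; fragments and IP options are handled by reading the IHL rather than assuming a 20-byte IP header.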
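The rip1 and rip2 modules above boil down to decoding RIP responses and comparing the advertised routes against what the site expects. As an added example that is not the L0pht N-Code and not NFR's API, here is that comparison in Python over constructed RIP v1 and v2 response payloads (the UDP port 520 datagram body): v2 entries carry a netmask, v1 entries do not, so the v1 prefix is inferred classfully. EXPECTED_ROUTES and the helper names are assumptions.

```python
"""Added example (not the L0pht N-Code): parse RIP v1 and v2 responses and
report advertised routes that are not on an expected list, in the spirit
of the rip1/rip2 modules.  EXPECTED_ROUTES is an assumption."""
import ipaddress
import struct

RIP_RESPONSE = 2
AF_INET = 2
ENTRY_LEN = 20
# Assumed: the site network plus a default route are the only legitimate
# advertisements; anything else is worth a look.
EXPECTED_ROUTES = {ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("0.0.0.0/0")}


def classful_prefix(addr) -> int:
    """RIPv1 carries no netmask; infer the classful prefix length."""
    if int(addr) == 0:
        return 0          # default route
    first = int(addr) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    return 24


def parse_rip(payload: bytes):
    """Return (version, [(network, metric), ...]) for a RIP response,
    or None when the payload is not a well-formed RIP v1/v2 response."""
    if len(payload) < 4 or (len(payload) - 4) % ENTRY_LEN:
        return None
    command, version = payload[0], payload[1]
    if command != RIP_RESPONSE or version not in (1, 2):
        return None
    routes = []
    for off in range(4, len(payload), ENTRY_LEN):
        afi, _tag, ip, mask, _next_hop, metric = struct.unpack(
            "!HH4s4s4sI", payload[off:off + ENTRY_LEN])
        if afi != AF_INET:
            continue      # e.g. a RIPv2 authentication entry (AFI 0xFFFF)
        addr = ipaddress.ip_address(ip)
        if version == 2 and int.from_bytes(mask, "big"):
            net = ipaddress.ip_network(
                f"{addr}/{ipaddress.ip_address(mask)}", strict=False)
        else:
            net = ipaddress.ip_network(
                f"{addr}/{classful_prefix(addr)}", strict=False)
        routes.append((net, metric))
    return version, routes


def unexpected_routes(payload: bytes):
    """Advertised routes not in EXPECTED_ROUTES (empty list = all known)."""
    parsed = parse_rip(payload)
    if parsed is None:
        return []
    _version, routes = parsed
    return [(net, metric) for net, metric in routes if net not in EXPECTED_ROUTES]


def build_rip_response(version: int, entries) -> bytes:
    """Constructed RIP response (not captured traffic); entries are (cidr, metric)."""
    body = struct.pack("!BBH", RIP_RESPONSE, version, 0)
    for cidr, metric in entries:
        net = ipaddress.ip_network(cidr)
        mask = net.netmask.packed if version == 2 else b"\x00" * 4
        body += struct.pack("!HH4s4s4sI", AF_INET, 0,
                            net.network_address.packed, mask, b"\x00" * 4, metric)
    return body


if __name__ == "__main__":
    v2 = build_rip_response(2, [("10.0.0.0/8", 1), ("192.168.7.0/24", 2)])
    v1 = build_rip_response(1, [("172.16.0.0/16", 1), ("0.0.0.0/0", 15)])
    for pkt in (v2, v1):
        for net, metric in unexpected_routes(pkt):
            print(f"RIPv{pkt[1]} advertises unexpected route {net} metric {metric}")
```

Logging the source address alongside the route is what turns this from a curiosity into a lead: the host advertising a network you do not own is usually the dual-homed box the rip1 text describes.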