AlienVault Labs - Tag Archive

0-day in Microsoft IIS 5/6 FTP

September 1st, 2009 | Posted by jaime.blasco in Alienvault OSSIM | Attacks | Vulnerability Management - (Comments Off)

A 0-day exploit in Microsoft IIS 5/6 FTP was recently published on Milw0rm while HDMoore is porting the bug to Metasploit.

Alienvault’s feed customers are protected with the directive released today:

45046 :AV Possible 0day IIS FTP Exploit against DST_IP

http://isc.sans.org/diary.html?storyid=7039

UPDATE:

We have previously coverage with two directives present on Alienvault Professional Feed:

45024: AV Possible FTP Exploit attempt against DST_IP

45025: AV Possible FTP Exploit attempt against DST_IP (FTP preprocessor)

jaime.blasco

At AlienVault Jaime manages the Lab and runs the Vulnerability Research Team. Prior to working in the AlienVault lab he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. His background stems from a number of years working in vulnerability management, malware analysis and security researching.

More Posts - Website

Follow Me:

0day, directives, IIS, Internet Information Server, Microsoft IIS FTP, ossim

Ossim: 0-day in Microsoft DirectShow

July 7th, 2009 | Posted by jaime.blasco in Alienvault OSSIM | Attacks | Exploits - (Comments Off)

A 0-day exploit in Microsoft Video ActiveX Control is being exploited by malicious sites. Many people is covering this vulnerability and seems that will be widely deployed.

Alienvault’s feed customers are protected and covered with these directives:

45046:AV Possible MSVidCtl Client side attack detected against SRC_IP (KB-972890)

45047:AV Possible Malicious Server exploiting MSVidCt against DST_IP (KB-972890)

45048:AV Possible MSVidCt Client Side Attack against DST_IP from a compromised host (KB-972890)

45049:AV Possible MSVidCtl Client side attack detected against SRC_IP (KB-972890) 2

http://isc.sans.org/diary.html?storyid=6733

http://www.microsoft.com/technet/security/advisory/972890.mspx

jaime.blasco

More Posts - Website

Follow Me:

0day, directives, KB-972890, Microsoft Video ActiveX Control, MSVidCtl, ossim

Ossim: Shellcode Detection and Analysis

March 10th, 2009 | Posted by jaime.blasco in Alienvault OSSIM | Exploits - (Comments Off)

I’m glad to announce a new feature we have added to forensic console. We use libemu to make shellcode detection and analysis to help on forensic analysis and reduce false positives, an example:

jaime.blasco

More Posts - Website

Follow Me:

attacks, correlation, directives, libemu, ossim, shellcodes

New Directives

February 3rd, 2009 | Posted by jaime.blasco in Alienvault OSSIM - (1 Comments)

I’ve just update the public CVS with some new directives as part of the effort we are doing to improve the upcoming installer:

Attacks:

Possible Successful Attack: Reverse Shell Access to the System

Possible POP3 Bruteforce against SRC_IP

Possible FTP Bruteforce against SRC_IP

Command execution against webserver on DST_IP

File /etc/passwd access on DST_IP

Possible SQL injection attempt against DST_IP

Possible attack against DST_IP (Symantec Remote Management RTVScan Exploit)

Possible sa account bruteforce against SRC_IP (SQL Server)

Possible VNC bruteforce against SRC_IP

Possible attack against DST_IP (Microsoft Server Service related attack)

Too many Cisco Firewall dropped events with destination DST_IP

Worms:

Possible Worm Infection against DST_IP

Possible Worm Infection against DST_IP via DCOM RPC vulnerability

Possible Worm Infection against DST_IP via Kill-Bill ASN1 vulnerability

Possible Worm Infection against DST_IP via Lsasrv.dll RPC vulnerability

Possible Worm Infection against DST_IP via WINS vulnerability

Possible attack against DST_IP (Microsoft Server Service related attack)

Possible worm scanning behavior on port DST_PORT

Misc:

Username gathering at SMTP server DST_IP

jaime.blasco

More Posts - Website

Follow Me:

attacks, correlation, directives, ossim

Tutorial 4: Correlation engine primer

December 18th, 2007 | Posted by DK in News - (Comments Off)

Introduction

In order to answer to a recent forum post I had to do a quick research since it had been some time since I last tested this.

The exact question was:

Hello,

Is there a document talking about how the directives are processed?  One question
that I have is if you have multiple directives created and an event comes in
that matches the initial states of more than a single directive will both actually
process the event, or only the first match (which I think is the case)?

Thanks for any clarification you can provide.

Stephen

This post gives a bit of insight to how the correlation engine works and features some simple, custom made directives that help me answer that question.

The test environment features two events belonging to the ssh plugin (plugin_id 4003):

SSH password failed (plugin_sid 1)
SSH password accepted (plugin_sid 7)

In order to test this I’ve created three directives (plugin_id 1505)

Test directive 21, grouping one login failure and one success
Test directive 22, grouping one login failure and one success
Test directive 23, used in the second case, grouping those two

So, with all of this in place it was easy to simulate this failing a login and succeeding afterwards.

BREAK

Case 1: Two concurrent correlation rules

Directives

Put these into generic.xml for example

&lt;directive id="21" name="Testing concurrency 1" priority="5"&gt;
  &lt;rule type="detector" name="Level 1:1" reliability="7"
    from="ANY" to="ANY" port_from="ANY" port_to="ANY"
    time_out="160" plugin_id="4003" plugin_sid="1" &gt;
        &lt;rules&gt;
                &lt;rule type="detector" name="Level 1:2" reliability="10"
                occurrence="1" from="ANY" to="ANY" port_from="ANY" port_to="ANY"
                plugin_id="4003" plugin_sid="7" /&gt;
        &lt;/rules&gt;
  &lt;/rule&gt;
&lt;/directive&gt;

&lt;directive id="22" name="Testing concurrency 2" priority="5"&gt;
  &lt;rule type="detector" name="Level 2:1" reliability="7"
    from="ANY" to="ANY" port_from="ANY" port_to="ANY"
    time_out="160" plugin_id="4003" plugin_sid="1" &gt;
        &lt;rules&gt;
                &lt;rule type="detector" name="Level 2:2" reliability="10"
                occurrence="1" from="ANY" to="ANY" port_from="ANY" port_to="ANY"
                plugin_id="4003" plugin_sid="7" /&gt;
        &lt;/rules&gt;
  &lt;/rule&gt;
&lt;/directive&gt;

Logs

2007-12-10 04:19:56 OSSIM-Message: Event received: event id="0" alarm="0" type="detector"
date="2007-12-10 04:19:53" plugin_id="4003" plugin_sid="1" src_ip="10.0.1.3" src_port="64270"
dst_ip="0.0.0.0" sensor="10.0.1.50" interface="eth2" protocol="OTHER" asset_src="1" asset_dst="1"
log="Dec 10 04:19:53 ossim sshd[11366]: Failed password for root from 10.0.1.3 port 64270 ssh2"
username="root" 

2007-12-10 04:20:06 OSSIM-Message: Event received: event id="0" alarm="0" type="detector"
date="2007-12-10 04:20:05" plugin_id="4003" plugin_sid="7" src_ip="10.0.1.3" src_port="64270"
dst_ip="0.0.0.0" sensor="10.0.1.50" interface="eth2" protocol="OTHER" asset_src="1" asset_dst="1"
log="Dec 10 04:20:05 ossim sshd[11366]: Accepted password for root from 10.0.1.3 port 64270 ssh2"
username="root" 

2007-12-10 04:20:06 OSSIM-Message: Event received: event id="3" alarm="0" type="detector"
date="2007-12-10 04:20:06" plugin_id="1505" plugin_sid="21" src_ip="10.0.1.3" src_port="64270"
dst_ip="0.0.0.0" sensor="10.0.1.50" interface="eth2" protocol="OTHER" priority="5" reliability="10"
asset_src="1" asset_dst="1" data="directive_event: Testing concurrency 1, Priority: 5
Rule 1 [2007-12-10 04:20:00] [4003:1] [Rel: 7] 10.0.1.3:64270 -&gt; 0.0.0.0:0
Rule 2 [2007-12-10 04:20:06] [4003:7] [Rel: 10] 10.0.1.3:64270 -&gt; 0.0.0.0:0
" 

2007-12-10 04:20:07 OSSIM-Message: Event received: event id="4" alarm="0" type="detector"
date="2007-12-10 04:20:06" plugin_id="1505" plugin_sid="22" src_ip="10.0.1.3" src_port="64270"
dst_ip="0.0.0.0" sensor="10.0.1.50" interface="eth2" protocol="OTHER" priority="5" reliability="10"
asset_src="1" asset_dst="1" data="directive_event: Testing concurrency 2, Priority: 5
Rule 1 [2007-12-10 04:20:01] [4003:1] [Rel: 7] 10.0.1.3:64270 -&gt; 0.0.0.0:0
Rule 2 [2007-12-10 04:20:06] [4003:7] [Rel: 10] 10.0.1.3:64270 -&gt; 0.0.0.0:0

Explanation

Here we wrote two directives with exactly the same events matching, naming it differently. That way we’ll be able to answer the concurrency question since I honestly don’t remember how that part worked.

As you can see in the logs, two events arrived, and two directives got matched.

Result: two alarms

(Image removed, broken link, I’m very sorry. DK.)

Case 2: Two concurrent correlation rules, a third grouping rule

Directives

&lt;directive id="21" name="Testing concurrency 1" priority="5"&gt;
  &lt;rule type="detector" name="Level 1:1" reliability="7"
    from="ANY" to="ANY" port_from="ANY" port_to="ANY"
    time_out="160" plugin_id="4003" plugin_sid="1" &gt;
        &lt;rules&gt;
                &lt;rule type="detector" name="Level 1:2" reliability="10"
                occurrence="1" from="ANY" to="ANY" port_from="ANY" port_to="ANY"
                plugin_id="4003" plugin_sid="7" /&gt;
        &lt;/rules&gt;
  &lt;/rule&gt;
&lt;/directive&gt;

&lt;directive id="22" name="Testing concurrency 2" priority="5"&gt;
  &lt;rule type="detector" name="Level 2:1" reliability="7"
    from="ANY" to="ANY" port_from="ANY" port_to="ANY"
    time_out="160" plugin_id="4003" plugin_sid="1" &gt;
        &lt;rules&gt;
                &lt;rule type="detector" name="Level 2:2" reliability="10"
                occurrence="1" from="ANY" to="ANY" port_from="ANY" port_to="ANY"
                plugin_id="4003" plugin_sid="7" /&gt;
        &lt;/rules&gt;
  &lt;/rule&gt;
&lt;/directive&gt;

&lt;directive id="23" name="Aggregated test directive" priority="5"&gt;
  &lt;rule type="detector" name="Directive 1" reliability="7"
    from="ANY" to="ANY" port_from="ANY" port_to="ANY"
    time_out="160" <strong>plugin_id="1505" plugin_sid="21,22"</strong> &gt;
        &lt;rules&gt;
                &lt;rule type="detector" name="Directive 2" reliability="10"
                occurrence="1" from="ANY" time_out="300" to="ANY" port_from="ANY" port_to="ANY"
                <strong>plugin_id="1505" plugin_sid="21,22" sticky="true" sticky_different="SRC_IP"</strong> /&gt;
        &lt;/rules&gt;
  &lt;/rule&gt;
&lt;/directive&gt;

Logs

2007-12-10 06:24:56 OSSIM-Message: Event received: event id="0" alarm="0" type="detector"
date="2007-12-10 06:24:55" plugin_id="4003" plugin_sid="7" src_ip="10.0.1.3" src_port="64620"
dst_ip="0.0.0.0" sensor="10.0.1.50" interface="eth2" protocol="OTHER" asset_src="1" asset_dst="1"
log="Dec 10 06:24:55 ossim sshd[19967]: Accepted password for root from 10.0.1.3 port 64620 ssh2"
username="root" 

2007-12-10 06:24:56 OSSIM-Message: Event received: event id="35" alarm="0" type="detector"
date="2007-12-10 06:24:56" plugin_id="1505" plugin_sid="21" src_ip="10.0.1.3" src_port="64620"
dst_ip="0.0.0.0" sensor="10.0.1.50" interface="eth2" protocol="OTHER" priority="5" reliability="10"
asset_src="1" asset_dst="1" data="directive_event: Testing concurrency 1, Priority: 5
Rule 1 [2007-12-10 06:24:51] [4003:1] [Rel: 7] 10.0.1.3:64620 -&gt; 0.0.0.0:0
Rule 2 [2007-12-10 06:24:56] [4003:7] [Rel: 10] 10.0.1.3:64620 -&gt; 0.0.0.0:0
" 

2007-12-10 06:24:56 OSSIM-Message: Event received: event id="36" alarm="0" type="detector"
date="2007-12-10 06:24:56" plugin_id="1505" plugin_sid="22" src_ip="10.0.1.3" src_port="64620"
dst_ip="0.0.0.0" sensor="10.0.1.50" interface="eth2" protocol="OTHER" priority="5" reliability="10"
asset_src="1" asset_dst="1" data="directive_event: Testing concurrency 2, Priority: 5
Rule 1 [2007-12-10 06:24:51] [4003:1] [Rel: 7] 10.0.1.3:64620 -&gt; 0.0.0.0:0
Rule 2 [2007-12-10 06:24:56] [4003:7] [Rel: 10] 10.0.1.3:64620 -&gt; 0.0.0.0:0
" 

2007-12-10 06:24:56 OSSIM-Message: Event received: event id="37" alarm="0" type="detector"
date="2007-12-10 06:24:56" plugin_id="1505" plugin_sid="23" src_ip="10.0.1.3" src_port="64620"
dst_ip="0.0.0.0" sensor="10.0.1.50" interface="eth2" protocol="OTHER" priority="5" reliability="10"
asset_src="1" asset_dst="1" data="directive_event: Aggregated test directive, Priority: 5
Rule 1 [2007-12-10 06:24:56] [1505:21] [Rel: 3] 10.0.1.3:64620 -&gt; 0.0.0.0:0
Rule 2 [2007-12-10 06:24:56] [1505:22] [Rel: 10] 10.0.1.3:64620 -&gt; 0.0.0.0:0

Explanation

This is exactly the same event as before with two added features: a grouping directive with our two recently created directives and a couple of keywords that prevent our grouping directive to fire twice, since the same event is used for level 1 and level 2. Using sticky=”true” and sticky_different=”SRC_IP” we are telling the engine to not spawn a second instance of the directive if it comes from the same source IP.

I think everything is quite self-explanatory (having read the other correlation docs avaiable at the ossim.net docs section).

Result: one alarm, grouping two others

(Image removed, broken link, I’m very sorry. DK.)

Foot note

I’ve detected some glitches during these tests, mainly in the alarm panel grouping code. As you can see on the screenshots event count isn’t correctly interpreted and separate alarms are being spawned, besides the grouped one. I’ll check that asap.

DK

Mr Wolf Wannabe.

More Posts - Website

correlation, directives, ossim, tutorial

0-day in Microsoft IIS 5/6 FTP

jaime.blasco

Ossim: 0-day in Microsoft DirectShow

jaime.blasco

Ossim: Shellcode Detection and Analysis

jaime.blasco

New Directives

jaime.blasco

Tutorial 4: Correlation engine primer

Introduction

Case 1: Two concurrent correlation rules

Directives

Logs

Explanation

Result: two alarms

Case 2: Two concurrent correlation rules, a third grouping rule

Directives

Logs

Explanation

Result: one alarm, grouping two others

Foot note

DK

Navigation

Search IP in reputation database

Labs on twitter

Tags

Recent Discussions

People Online