Security Advisory. Some IPS systems can be easily fingerprinted using simple techniques.

Transcription

1 Some IPS systems can be easily fingered using simple techniques. The unintentional disclosure of which security devices are deployed within your defences could put your network at significant risk. Security Advisory IPS Discovery and Passive Reconnaissance

2 The technical content of this advisory was correct at the time of publication but may be amended or changed from time to time. A number of Snort security rules attempt to identify a threat by looking for a single plain text string of characters across a broad range of IP protocols. This simple string of characters is the only condition required to trigger the rule and generate an alert. Using these passive reconnaissance techniques to determine the vendor or type of a security system in use could make further attacks against the network easier to accomplish. Traffic IQ Professional Security rule false positive assessment. Overview The text strings being sought by these rules are trivial to create and can be introduced into a network by various legitimate means including HTTP GET requests, Telnet and messages. If a security device using these rules identifies the particular text strings within the crafted network traffic, a false positive alert will be generated but more importantly, the blocking of this traffic may now inadvertently reveal information such as the presence of a particular security system. 2 next page previous page

3 Traffic IQ Professional, with its extensive traffic library and advanced traffic transmission capabilities, makes it ideally suited to auditing and proving your security s ability to identify and mitigate threats and to validate the capabilities and configuration of packet filtering devices on your network, including application layer firewalls, routers and intrusion prevention systems. Used as part of your on-going network security assessment and enhancement procedures, Traffic IQ Professional will accurately audit and validate your defensive capabilities and enhance them by providing high quality security rules to maximise threat recognition and significantly lower the probability of attack penetration. Applying high quality security rules specifically developed to identify an attack against a vulnerability rather than identifying a specific instance of an attack, will enhance performance and decrease the number of rules required to be loaded by security devices. Understanding the configuration and capabilities of your defences, will enable you to enhance and accelerate performance and extending the life of your existing network security devices. The on-going assessment and enhancement of security defences is essential to limiting inappropriate packet ingress, maintaining the highest levels of network security and lowering risk to your organisation. How we can help 3

4 Threat Description Take a r look at the current Snort security rule with ID:1390. This rule simply looks for any IP traffic sent from external to internal that contains 24 of the uppercase character C. By requesting a web page from a remote web server and passing a fake parameter on the URL, it will usually be possible to determine if the Snort IPS system is running on the network. CCCCCCCCCCCCCCCCCCCCCCCC If your connection is reset or the web page is not displayed, yet it is displayed if you change the uppercase C s to lower case, then it is likely that an IPS system running Snort rules, is deployed on the network. The same type of passive reconnaissance can be performed using Telnet, FTP and even messages. Correspond with someone via plain text messages, to prove that your can be received by the recipient, then again or reply to a previous message, specifying 24 of the upper case character C somewhere in the body of the message. Not receiving a reply or receiving a delivery failure notice, will be another indication that a Snort IPS (or variant), is running on the target network. Many such passive reconnaissance tests can be devised using simple text strings that can be legitimately introduce into a network by means of standard clear text protocols. Permitting your security defences to be fingered in this way, is likely to lead to further directed attacks, specifically tailored to evading your intrusion prevention systems. Threat A simple test with a web browser or client could inadvertently dis to a hacker the vendor, or type of security system deployed, to protect your network. 4

5 idappcom recommends regular network security assessments, applying and validating high quality security rules, written to identify any attack against a vulnerability rather than just identifying a specific attack instance or variant. It is also recommended that poor quality plain text string rules are removed or enhanced to increase threat detection performance, lower false positive alerts and to limit the possibility of allowing IPS fingering or passive reconnaissance techniques to be affective. 5 References and Further Reading Product Examined Snort Rule set 2910 Download Some example Snort rules prone to false positive and remote triggering via legitimate means. SID:17340 SID:17325 SID:17338 SID:17339 SID:19286 SID:19287 SID:1390 SID:1394 Security Assessment and Enhancement Traffic IQ Professional, as part of your continual network security assessment and enhancement procedures, will ensure that your network security devices maintain the highest levels of threat identification and mitigation. Our high quality security rules will help you enhance the capabilities, accelerate the performance and extend the life of your existing network security devices. Remediation

6 Detailed white papers are available from our web site or by request to idappcom limited Barham Court, Teston, Kent ME18 5BZ. UK t: +44 (0) Toll Free USA: Freephone UK: Worldwide: OR e: client.services@idappcom.com 6 SECADV (rev 2). ID1344