Monday, May 13, 2013

Using packet captures to investigate IDS/IPS alerts

Packet data is an almost indispensable resource. For example, I had a series of alerts of someone hitting a web server and trying to exploit a PHP vulnerability. Without knowing whether the site uses PHP or not (and if it's a vulnerable version) and not having a definitive server response in the alert, I went to the packet caps to see what transpired.

The Snort alert.

Event : SERVER-WEBAPP PHP-CGI remote file include attempt (1:22063), Timestamp : 2013-05-13 03:50:05
Classification : Attempted Administrator Privilege Gain
Priority : high
Detection Engine : mysensor-IPS / mysensor.somedomain.com
Protocol : tcp
Source IP : 85.1.1.1 (somesite.panel.com)
Source Port/ICMP Type : 38217/tcp
Destination IP : 10.1.2.3 (Cannot Resolve)
Destination Port/ICMP Code : 80 (http)/tcp
Intrusion Policy : DMZ Passive Intrusion Policy
HTTP Hostname : somewebserver.com
HTTP URI : /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input

The rule. 

Rule : alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP-CGI remote file include attempt"; flow:to_server,established; content:"auto_prepend_file"; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-1823; reference:cve,2012-2311; classtype:attempted-admin; sid:22063; rev:5; )
Summary : This event is generated when an attempt is made to exploit a known vulnerability in php.

Packet Information

Frame 1: 393 bytes on wire (393 bytes captured (3144 bits)
Ethernet II, Src: 00:22:90:9d:d6:b9, Dst: 00:0b:fc:fe:1b:03
Internet Protocol Version 4, Src: 85.1.1.1 (somesite.panel.com), Dst: 10.1.2.3 (Cannot Resolve)
Transmission Control Protocol, Src Port: 38217 (38217), Dst Port: 80 (80), Seq: 1, Ack: 1, Len: 339
Hypertext Transfer Protocol
Line-based text data: application/x-www-form-urlencoded
Packet Text
......."......E..{=.@.2...U...
S...I.P}../....P.9..Z..POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1
User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Host: somewebserver.com
Accept: */*
Content-Length: 26
Content-Type: application/x-www-form-urlencoded



So I went to my packet audit server and looked for the May 13 captures for 3:00 AM:

[admin@mysensor mytap1]# ls -lah | grep 'May 13' | grep '03:'
-rw-r--r--. 1 root root 1.1G May 13 03:05 mytap.pcap.1368428365
-rw-r--r--. 1 root root 1.1G May 13 03:07 mytap.pcap.1368428709
-rw-r--r--. 1 root root 1.1G May 13 03:08 mytap.pcap.1368428873
-rw-r--r--. 1 root root 1.1G May 13 03:08 mytap.pcap.1368428904
-rw-r--r--. 1 root root 1.1G May 13 03:09 mytap.pcap.1368428937
-rw-r--r--. 1 root root 1.1G May 13 03:09 mytap.pcap.1368428969
-rw-r--r--. 1 root root 1.1G May 13 03:10 mytap.pcap.1368428999
-rw-r--r--. 1 root root 1.1G May 13 03:11 mytap.pcap.1368429036
-rw-r--r--. 1 root root 1.1G May 13 03:11 mytap.pcap.1368429068
-rw-r--r--. 1 root root 1.1G May 13 03:12 mytap.pcap.1368429100
-rw-r--r--. 1 root root 1.1G May 13 03:12 mytap.pcap.1368429133
-rw-r--r--. 1 root root 1.1G May 13 03:13 mytap.pcap.1368429171
-rw-r--r--. 1 root root 1.1G May 13 03:13 mytap.pcap.1368429202
-rw-r--r--. 1 root root 1.1G May 13 03:14 mytap.pcap.1368429233
-rw-r--r--. 1 root root 1.1G May 13 03:19 mytap.pcap.1368429294
-rw-r--r--. 1 root root 1.1G May 13 03:26 mytap.pcap.1368429571
-rw-r--r--. 1 root root 1.1G May 13 03:37 mytap.pcap.1368430013
-rw-r--r--. 1 root root 1.1G May 13 03:48 mytap.pcap.1368430639

I searched those pcaps for the external IP:

[admin@mysensor mytap1]# for i in $( ls -lah | grep 'May 13' | grep '03:' | awk '{print $9}' );do tcpdump -nn -r $i 'host 85.1.1.1';done
reading from file mytap.pcap.1368428365, link-type EN10MB (Ethernet)
reading from file mytap.pcap.1368428709, link-type EN10MB (Ethernet)
reading from file mytap.pcap.1368428873, link-type EN10MB (Ethernet)
reading from file mytap.pcap.1368428904, link-type EN10MB (Ethernet)
reading from file mytap.pcap.1368428937, link-type EN10MB (Ethernet)
reading from file mytap.pcap.1368428969, link-type EN10MB (Ethernet)
reading from file mytap.pcap.1368428999, link-type EN10MB (Ethernet)
reading from file mytap.pcap.1368429036, link-type EN10MB (Ethernet)
reading from file mytap.pcap.1368429068, link-type EN10MB (Ethernet)
reading from file mytap.pcap.1368429100, link-type EN10MB (Ethernet)
reading from file mytap.pcap.1368429133, link-type EN10MB (Ethernet)
reading from file mytap.pcap.1368429171, link-type EN10MB (Ethernet)
reading from file mytap.pcap.1368429202, link-type EN10MB (Ethernet)
reading from file mytap.pcap.1368429233, link-type EN10MB (Ethernet)
reading from file mytap.pcap.1368429294, link-type EN10MB (Ethernet)
reading from file mytap.pcap.1368429571, link-type EN10MB (Ethernet)
reading from file mytap.pcap.1368430013, link-type EN10MB (Ethernet)
reading from file mytap.pcap.1368430639, link-type EN10MB (Ethernet)

Nothing there. Since the alerts were at 3:50 AM, I assumed the capture must have closed with a time stamp in the 4 AM range since there was nothing in the 3 AM range. I could verify that by looking at the packets with the stat command, but since I'm fairly certain that's the case I went ahead and checked the 4 AM packets first.

[admin@mysensor mytap1]# for i in $( ls -lah | grep 'May 13' | grep '04:' | awk '{print $9}' );do tcpdump -nn -r $i 'host 85.1.1.1';done
reading from file mytap.pcap.1368431312, link-type EN10MB (Ethernet)
03:50:05.582600 IP 85.1.1.1.38217 > 10.1.2.3.80: Flags [S], seq 2100199726, win 14600, options [mss 1380,sackOK,TS val 227240121 ecr 0,nop,wscale 7], length 0
03:50:05.582660 IP 10.1.2.3.80 > 85.1.1.1.38217: Flags [S.], seq 519966411, ack 2100199727, win 32768, options [mss 1380], length 0
03:50:05.658221 IP 85.1.1.1.38219 > 10.1.2.3.80: Flags [S], seq 9029262, win 14600, options [mss 1380,sackOK,TS val 227240197 ecr 0,nop,wscale 7], length 0
03:50:05.658286 IP 10.1.2.3.80 > 85.1.1.1.38219: Flags [S.], seq 1996989516, ack 9029263, win 32768, options [mss 1380], length 0
03:50:05.704707 IP 85.1.1.1.38217 > 10.1.2.3.80: Flags [.], ack 1, win 14600, length 0
03:50:05.704894 IP 85.1.1.1.38217 > 10.1.2.3.80: Flags [P.], seq 1:340, ack 1, win 14600, length 339
03:50:05.705068 IP 10.1.2.3.80 > 85.1.1.1.38217: Flags [.], ack 340, win 32429, length 0
03:50:05.705128 IP 10.1.2.3.80 > 85.1.1.1.38217: Flags [FP.], seq 1:103, ack 340, win 32768, length 102
03:50:05.779582 IP 85.1.1.1.38219 > 10.1.2.3.80: Flags [.], ack 1, win 14600, length 0
03:50:05.779895 IP 85.1.1.1.38219 > 10.1.2.3.80: Flags [P.], seq 1:332, ack 1, win 14600, length 331
03:50:05.780021 IP 10.1.2.3.80 > 85.1.1.1.38219: Flags [.], ack 332, win 32437, length 0
03:50:05.780065 IP 10.1.2.3.80 > 85.1.1.1.38219: Flags [FP.], seq 1:103, ack 332, win 32768, length 102
03:50:05.827525 IP 85.1.1.1.38217 > 10.1.2.3.80: Flags [F.], seq 340, ack 104, win 14600, length 0
03:50:05.827569 IP 10.1.2.3.80 > 85.1.1.1.38217: Flags [.], ack 341, win 32768, length 0
03:50:05.901888 IP 85.1.1.1.38219 > 10.1.2.3.80: Flags [F.], seq 332, ack 104, win 14600, length 0
03:50:05.901903 IP 10.1.2.3.80 > 85.1.1.1.38219: Flags [.], ack 333, win 32768, length 0
03:50:06.192994 IP 85.1.1.1.36413 > 10.2.3.4.80: Flags [S], seq 48424518, win 14600, options [mss 1380,sackOK,TS val 227240732 ecr 0,nop,wscale 7], length 0
03:50:06.194918 IP 10.2.3.4.80 > 85.1.1.1.36413: Flags [S.], seq 1830927041, ack 48424519, win 8192, options [mss 1380], length 0
03:50:06.316231 IP 85.1.1.1.36413 > 10.2.3.4.80: Flags [.], ack 1, win 14600, length 0
03:50:06.316284 IP 85.1.1.1.36413 > 10.2.3.4.80: Flags [P.], seq 1:186, ack 1, win 14600, length 185
03:50:06.340483 IP 10.2.3.4.80 > 85.1.1.1.36413: Flags [.], seq 1:1381, ack 186, win 64860, length 1380
03:50:06.340534 IP 10.2.3.4.80 > 85.1.1.1.36413: Flags [.], seq 1381:2761, ack 186, win 64860, length 1380
03:50:06.462634 IP 85.1.1.1.36413 > 10.2.3.4.80: Flags [.], ack 1381, win 16560, length 0
03:50:06.462635 IP 85.1.1.1.36413 > 10.2.3.4.80: Flags [.], ack 2761, win 19320, length 0
03:50:06.464475 IP 10.2.3.4.80 > 85.1.1.1.36413: Flags [.], seq 2761:4141, ack 186, win 64860, length 1380
03:50:06.464660 IP 10.2.3.4.80 > 85.1.1.1.36413: Flags [.], seq 4141:8281, ack 186, win 64860, length 4140
03:50:06.586261 IP 85.1.1.1.36413 > 10.2.3.4.80: Flags [.], ack 4141, win 22080, length 0
03:50:06.586475 IP 85.1.1.1.36413 > 10.2.3.4.80: Flags [.], ack 5521, win 26220, length 0
03:50:06.586485 IP 85.1.1.1.36413 > 10.2.3.4.80: Flags [.], ack 6901, win 28980, length 0
03:50:06.586542 IP 85.1.1.1.36413 > 10.2.3.4.80: Flags [.], ack 8281, win 31740, length 0
03:50:06.588096 IP 10.2.3.4.80 > 85.1.1.1.36413: Flags [.], seq 8281:11041, ack 186, win 64860, length 2760
03:50:06.588265 IP 10.2.3.4.80 > 85.1.1.1.36413: Flags [.], seq 11041:15181, ack 186, win 64860, length 4140
03:50:06.588433 IP 10.2.3.4.80 > 85.1.1.1.36413: Flags [.], seq 15181:16561, ack 186, win 64860, length 1380
03:50:06.588448 IP 10.2.3.4.80 > 85.1.1.1.36413: Flags [.], seq 16561:19321, ack 186, win 64860, length 2760
03:50:06.709723 IP 85.1.1.1.36413 > 10.2.3.4.80: Flags [.], ack 9661, win 34500, length 0
03:50:06.709961 IP 85.1.1.1.36413 > 10.2.3.4.80: Flags [.], ack 11041, win 37260, length 0
03:50:06.710085 IP 85.1.1.1.36413 > 10.2.3.4.80: Flags [.], ack 12421, win 40020, length 0
03:50:06.710211 IP 85.1.1.1.36413 > 10.2.3.4.80: Flags [.], ack 13801, win 41400, length 0
03:50:06.710333 IP 85.1.1.1.36413 > 10.2.3.4.80: Flags [.], ack 15181, win 41400, length 0
03:50:06.710462 IP 85.1.1.1.36413 > 10.2.3.4.80: Flags [.], ack 16561, win 41400, length 0
03:50:06.710510 IP 85.1.1.1.36413 > 10.2.3.4.80: Flags [.], ack 17941, win 41400, length 0
03:50:06.710709 IP 85.1.1.1.36413 > 10.2.3.4.80: Flags [.], ack 19321, win 41400, length 0
03:50:06.711660 IP 10.2.3.4.80 > 85.1.1.1.36413: Flags [.], seq 19321:20701, ack 186, win 64860, length 1380
03:50:06.711707 IP 10.2.3.4.80 > 85.1.1.1.36413: Flags [.], seq 20701:22081, ack 186, win 64860, length 1380
03:50:06.711776 IP 10.2.3.4.80 > 85.1.1.1.36413: Flags [P.], seq 22081:23950, ack 186, win 64860, length 1869
03:50:06.833710 IP 85.1.1.1.36413 > 10.2.3.4.80: Flags [.], ack 22081, win 41400, length 0
03:50:06.833891 IP 85.1.1.1.36413 > 10.2.3.4.80: Flags [.], ack 23950, win 41400, length 0
03:50:06.833895 IP 85.1.1.1.36413 > 10.2.3.4.80: Flags [F.], seq 186, ack 23950, win 41400, length 0
03:50:06.835162 IP 10.2.3.4.80 > 85.1.1.1.36413: Flags [F.], seq 23950, ack 187, win 64860, length 0
03:50:06.956383 IP 85.1.1.1.36413 > 10.2.3.4.80: Flags [.], ack 23951, win 41400, length
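
The 3 AM search came up empty because ls shows when each rotated file was last written, not when it was opened. As an added example (not from the original post), the capture that was open at the alert time can be picked from the file name alone. It assumes the numeric suffix of mytap.pcap.N is the Unix time at which the file was opened; the function names pcap_for_epoch and search_alert are hypothetical.

```shell
#!/bin/sh
# Choose the rolling capture that was open at a given moment, using the
# numeric suffix of the file name instead of the mtime shown by ls.
# Assumption: mytap.pcap.<N> was opened at Unix time N.

# pcap_for_epoch DIR PREFIX EPOCH
# Prints the file with the latest start time that is not after EPOCH.
# Returns 1 when EPOCH is older than every capture in DIR.
pcap_for_epoch() {
    local dir="$1" prefix="$2" want="$3" best="" f start
    for f in "$dir/$prefix".*; do
        start=${f##*.}
        # Ignore names whose suffix is not purely numeric (.gz, .tmp, no match).
        case $start in ''|*[!0-9]*) continue ;; esac
        if [ "$start" -le "$want" ] &&
           { [ -z "$best" ] || [ "$start" -gt "${best##*.}" ]; }; then
            best=$f
        fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# search_alert DIR PREFIX EPOCH BPF_FILTER
# Reads only the capture that covers EPOCH and applies the filter to it.
search_alert() {
    local file
    file=$(pcap_for_epoch "$1" "$2" "$3") || {
        echo "no capture covers epoch $3" >&2
        return 1
    }
    tcpdump -nn -r "$file" "$4"
}
```

On the sensor this would be called as search_alert . mytap.pcap "$(date -d '2013-05-13 03:50:05' +%s)" 'host 85.1.1.1'. A connection that is still open when the capture rotates continues in the next file, so check that one too if the flow looks cut off.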

The very first packet inspected yielded hits. So I then used tcpdump to check just that capture and used -A just to look at packet data.

03:50:05.582600 IP 85.1.1.1.38217 > 10.1.2.3.80: Flags [S], seq 2100199726, win 14600, options [mss 1380,sackOK,TS val 227240121 ecr 0,nop,wscale 7], length 0
E..<=.@.2...U...
S...I.P}.........9........d...
^M.h.........
03:50:05.582660 IP 10.1.2.3.80 > 85.1.1.1.38217: Flags [S.], seq 519966411, ack 2100199727, win 32768, options [mss 1380], length 0
E..,........
S..U....P.I....}../`...7......d..
03:50:05.658221 IP 85.1.1.1.38219 > 10.1.2.3.80: Flags [S], seq 9029262, win 14600, options [mss 1380,sackOK,TS val 227240197 ecr 0,nop,wscale 7], length 0
E..</.@.2...U...
S...K.P..........9........d...
^M.i.........
03:50:05.658286 IP 10.1.2.3.80 > 85.1.1.1.38219: Flags [S.], seq 1996989516, ack 9029263, win 32768, options [mss 1380], length 0
E..,........
S..U....P.Kw..L....`....P.....d..
03:50:05.704707 IP 85.1.1.1.38217 > 10.1.2.3.80: Flags [.], ack 1, win 14600, length 0
E..(=.@.2..AU...
S...I.P}../....P.9...........
03:50:05.704894 IP 85.1.1.1.38217 > 10.1.2.3.80: Flags [P.], seq 1:340, ack 1, win 14600, length 339
E..{=.@.2...U...
S...I.P}../....P.9..Z..POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1
User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Host: somewebserver.com
Accept: */*
Content-Length: 26
Content-Type: application/x-www-form-urlencoded



03:50:05.705068 IP 10.1.2.3.80 > 85.1.1.1.38217: Flags [.], ack 340, win 32429, length 0
E..(........
S..U....P.I....}...P.~.O.........
03:50:05.705128 IP 10.1.2.3.80 > 85.1.1.1.38217: Flags [FP.], seq 1:103, ack 340, win 32768, length 102
E..........]
S..U....P.I....}...P...5...HTTP/1.1 301 Moved Permanently
Connection: close
Location: http://www.somewebserver.com


03:50:05.779582 IP 85.1.1.1.38219 > 10.1.2.3.80: Flags [.], ack 1, win 14600, length 0
E..(/.@.2..+U...
S...K.P....w..MP.9...........
03:50:05.779895 IP 85.1.1.1.38219 > 10.1.2.3.80: Flags [P.], seq 1:332, ack 1, win 14600, length 331
E..s/.@.2...U...
S...K.P....w..MP.9.....POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1
User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Host: somesite.com
Accept: */*
Content-Length: 26
Content-Type: application/x-www-form-urlencoded


03:50:05.780021 IP 10.1.2.3.80 > 85.1.1.1.38219: Flags [.], ack 332, win 32437, length 0
E..(........
S..U....P.Kw..M....P.~...........
03:50:05.780065 IP 10.1.2.3.80 > 85.1.1.1.38219: Flags [FP.], seq 1:103, ack 332, win 32768, length 102
E..........U
S..U....P.Kw..M....P.......HTTP/1.1 301 Moved Permanently
Connection: close
Location: http://www.somewebserver.com

So we saw the packets in the alert hit and the server respond and throw a 301 error and close the connection.

This is why packet data is so important. I never could have gleaned that from just the IDS alerts, and without server logs to correlate, the packet data does almost just as well.
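
When an alert fires many times, reading the -A output by eye gets slow. The following added example (not from the original post) pairs each HTTP request in tcpdump -nn -A text output with the status code the server returned on the same connection; the function names http_pairs and sample_trace are hypothetical, and the sample input is a shortened copy of the trace above.

```shell
#!/bin/sh
# Pair each HTTP request seen in "tcpdump -nn -A" text output with the
# status code sent back on the same connection.

http_pairs() {
    awk '
    # Packet header line: remember the direction of the payload that follows.
    $2 == "IP" && $4 == ">" { src = $3; dst = $5; sub(/:$/, "", dst); next }
    # Request line; it can follow TCP header bytes on the same text line.
    match($0, /(GET|POST|HEAD|PUT) [^ ]+ HTTP\/1\.[01]/) {
        split(substr($0, RSTART, RLENGTH), r, " ")
        req[src " " dst] = r[1] " " r[2]
        next
    }
    # Status line; the request was stored under the reverse direction.
    match($0, /HTTP\/1\.[01] [0-9][0-9][0-9]/) {
        key = dst " " src
        if (key in req) {
            print dst, "->", src, req[key], "=>", substr($0, RSTART + 9, 3)
            delete req[key]
        }
    }
    # Requests that never got an answer in this capture.
    END { for (k in req) print k, req[k], "=> no response seen" }
    '
}

# Sample input, shortened from the trace above (binary bytes trimmed).
sample_trace() {
    cat <<'EOF'
03:50:05.704894 IP 85.1.1.1.38217 > 10.1.2.3.80: Flags [P.], seq 1:340, ack 1, win 14600, length 339
E..{=.@.2...U...POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1
Host: somewebserver.com
Content-Length: 26

03:50:05.705068 IP 10.1.2.3.80 > 85.1.1.1.38217: Flags [.], ack 340, win 32429, length 0
E..(........
03:50:05.705128 IP 10.1.2.3.80 > 85.1.1.1.38217: Flags [FP.], seq 1:103, ack 340, win 32768, length 102
E..........]HTTP/1.1 301 Moved Permanently
Connection: close
Location: http://www.somewebserver.com
EOF
}

# Usage on a real capture: tcpdump -nn -A -r FILE "host 85.1.1.1" | http_pairs
```

For the sample it prints one line per request ending in "=> 301", which is the answer the alert alone could not give.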

