Published in April of 2003, RFC 3514 defines an “evil” bit. The RFC requires that any malicious packet sent on a network MUST set this bit to 1 and that any non-malicious packet MUST set the bit to 0. The goal, of course, is to make defending systems easier, since “Firewalls, packet filters, intrusion detection systems, and the like often have difficulty distinguishing between packets that have malicious intent and those that are merely unusual.”
“If the bit is set to 0, the packet has no evil intent. Hosts, network elements, etc., SHOULD assume that the packet is harmless, and SHOULD NOT take any defensive measures. (We note that this part of the spec is already implemented by many common desktop operating systems.)”
Sure, I may be about 4 years late to this, but it’s still an entertaining read. It’s not quite up there with RFC 1149, Standard for the Transmission of IP Datagrams on Avian Carriers, but it’s good. As for how I came across this gem on the wide and vast interweb? Perusing the Reverse Engineering Wikibook, of course!
As a follow up to the previous post I thought it might be useful to give an example of how these multiple sets of information could be used.
Here’s the process:
1) Snort Alert about WMF NumObjects being 0
2) I’m unable to determine if the machine is patched
3) I look at network sessions leading up to and then after the WMF file was accessed, nothing I wouldn’t expect
4) Look at event logs on the affected host and conclude there was no abnormal activity on the host
At this point I’m pretty sure the alert was a false positive. But I’d like to know for sure. My plan of action then becomes to pull the suspect file out of my full content collection system onto a *nix box. From there it can be easily sent to www.virustotal.com for a quick check, as well as manually analyzed by me.
Here’s some commands I ran and their respective results.
- file attach.wmz results in attach.wmz: gzip compressed data, from Win/32, max speed
- gzip -dvf --suffix .wmz attach.wmz replaces it with attach
- file attach results in attach: ms-windows metafont .wmf
- xxd attach provides the following output:
From here I was able to verify that the file did indeed have a (ZERO) in the NumberOfObjects field using the information provided at this site: http://wvware.sourceforge.net/caolan/ora-wmf.html
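The same check, done programmatically instead of by eye in xxd, as an added example that is not part of the original post. It builds a constructed .wmz (a gzip-compressed WMF with a zero NumberOfObjects), decompresses it as the gzip step above does, and then parses the 18-byte META_HEADER (optionally preceded by the 22-byte Aldus placeable header) to read the field the Snort signature keys on. The helper names, the sample bytes and the field layout comments are mine; the field layout itself follows the standard WMF header.

```python
import gzip
import struct

# Magic that begins an Aldus placeable header (22 bytes) in front of META_HEADER.
PLACEABLE_KEY = 0x9AC6CDD7

# META_HEADER layout, little-endian, 18 bytes:
#   Type(2) HeaderSize(2, in words, =9) Version(2) Size(4, in words)
#   NumberOfObjects(2) MaxRecord(4, in words) NumberOfMembers(2, reserved)
META_HEADER_FMT = "<HHHIHIH"


def parse_wmf_header(data: bytes) -> dict:
    """Return the META_HEADER fields of a WMF blob, skipping a placeable header if present."""
    offset = 0
    placeable = False
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        placeable = True
        offset = 22
    if len(data) < offset + 18:
        raise ValueError("truncated WMF header")
    (file_type, header_size, version, size_words,
     num_objects, max_record, num_members) = struct.unpack_from(META_HEADER_FMT, data, offset)
    if header_size != 9:
        raise ValueError(f"unexpected HeaderSize {header_size} (expected 9 words)")
    return {
        "placeable": placeable,
        "type": file_type,                 # 1 = in memory, 2 = on disk
        "version": hex(version),
        "size_bytes": size_words * 2,
        "num_objects": num_objects,
        "max_record_bytes": max_record * 2,
        "num_objects_zero": num_objects == 0,   # what the Snort alert fired on
    }


def check_wmz(blob: bytes) -> dict:
    """Decompress a .wmz (gzip-wrapped WMF) and parse its header."""
    return parse_wmf_header(gzip.decompress(blob))


def build_wmf(num_objects: int, placeable: bool = False) -> bytes:
    """Construct a minimal WMF: META_HEADER plus a single META_EOF record (constructed sample)."""
    eof_record = struct.pack("<IH", 3, 0x0000)          # RecordSize=3 words, Function=EOF
    total_words = (18 + len(eof_record)) // 2
    header = struct.pack(META_HEADER_FMT, 1, 9, 0x0300, total_words, num_objects, 3, 0)
    body = header + eof_record
    if placeable:
        # Key, HMF, bounding box (left, top, right, bottom), Inch, Reserved, Checksum (unused here).
        body = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + body
    return body


# Constructed sample standing in for attach.wmz: a zero-object WMF, gzip-compressed.
SAMPLE_WMZ = gzip.compress(build_wmf(0))

if __name__ == "__main__":
    for name, value in check_wmz(SAMPLE_WMZ).items():
        print(f"{name:18} {value}")
```

A zero in NumberOfObjects is what the signature is looking for, so this confirms the alert matched what it was written to match; it does not by itself say whether the file is malicious, which is why the post goes on to submit the file to VirusTotal and examine the records after the header.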
Didier Stevens kindly provided some assistance through the Security Catalyst Community by providing a template for the 010 Editor. The template along with my analysis of the file is coming…
I’ve sometimes heard that some people treat their Intrusion Detection Systems (IDS) as both the beginning and end of their investigative process for network security. Alerts generated by these systems should be treated like alarms from physical security systems: they trigger a response process. Sometimes that response is short, ending once the alert is concluded to be a false positive, but sometimes it can be quite lengthy, as in the case of a real intrusion.
Here’s a quick list of some items to look into after receiving an IDS alert; it is by no means exhaustive.
- Determine the OS type and version the attack requires and check this against the target machine
- Determine if the services/applications required for the attack are installed
- Determine if the services/applications are at a patch level that makes them vulnerable to the attack
- Look at host based logs for any signs of a foreign executable running on the system (Process Executed in Windows for example)
- Look at AV/HIPS logs for any allowed or denied actions
- Look at web proxy logs for any subsequent contact or multi-stage downloads coming from the target machine
- Pull traffic from a full content system to manually verify any malicious code (be careful with this! don’t accidentally run it on your own system)
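The first three items and the proxy-log item above can be turned into a repeatable first pass, shown here as an added example that is not from the original post. It takes the facts an analyst lifts from the alert and the signature write-up (target IP, OS and application the attack needs, first fixed version), checks them against a constructed asset inventory, and scans constructed proxy log lines for executable or multi-stage downloads from the target in the window after the alert. Inventory entries, log format, hostnames and version numbers are all made up for the example; the `.invalid` domains are placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Alert:
    """Facts taken from the IDS alert plus the signature's documentation (constructed)."""
    time: datetime
    target_ip: str
    signature: str
    requires_os: str        # OS family the attack needs on the target
    requires_app: str       # application/service the attack needs
    fixed_in: tuple         # first patched version of that application


# Constructed asset inventory: IP -> OS family and installed application versions.
HOST_INVENTORY = {
    "10.0.0.25": {"os": "Windows", "apps": {"example-viewer": (1, 2, 0)}},
    "10.0.0.30": {"os": "Linux", "apps": {}},
}

# Constructed proxy log: "<iso time> <client ip> <method> <url> <status> <content-type>".
PROXY_LOG = """\
2007-01-15T09:55:01 10.0.0.25 GET http://intranet.example.invalid/index.html 200 text/html
2007-01-15T10:03:40 10.0.0.25 GET http://cdn.example.invalid/attach.wmz 200 application/x-gzip
2007-01-15T10:04:12 10.0.0.25 GET http://dl.example.invalid/stage2.exe 200 application/octet-stream
2007-01-15T10:05:00 10.0.0.30 GET http://dl.example.invalid/stage2.exe 200 application/octet-stream
2007-01-15T11:30:00 10.0.0.25 GET http://news.example.invalid/ 200 text/html
""".splitlines()

SUSPECT_TYPES = {"application/octet-stream", "application/x-msdownload"}
SUSPECT_EXT = (".exe", ".dll", ".scr")


def follow_on_downloads(lines, host_ip, after, window=timedelta(minutes=30)):
    """Proxy entries from host_ip within `window` after the alert that look like executables."""
    hits = []
    for line in lines:
        ts, ip, _method, url, _status, ctype = line.split()
        t = datetime.fromisoformat(ts)
        if ip != host_ip or not (after <= t <= after + window):
            continue
        if ctype in SUSPECT_TYPES or url.lower().endswith(SUSPECT_EXT):
            hits.append({"time": t, "url": url, "content_type": ctype})
    return hits


def triage(alert, inventory, proxy_lines):
    """First-pass applicability and follow-on check; returns findings plus a priority."""
    host = inventory.get(alert.target_ip)
    result = {"host_known": host is not None, "os_matches": False,
              "app_installed": False, "vulnerable_version": None, "follow_on": []}
    if host:
        result["os_matches"] = host["os"] == alert.requires_os
        ver = host["apps"].get(alert.requires_app)
        result["app_installed"] = ver is not None
        # None means "patch level unknown", which cannot be treated as safe.
        result["vulnerable_version"] = (ver < alert.fixed_in) if ver is not None else None
    result["follow_on"] = follow_on_downloads(proxy_lines, alert.target_ip, alert.time)
    if result["vulnerable_version"] or result["follow_on"]:
        result["priority"] = "escalate"
    elif result["vulnerable_version"] is None:
        result["priority"] = "verify-sample"      # pull the file from full content and check it
    else:
        result["priority"] = "low"
    return result


if __name__ == "__main__":
    a = Alert(datetime(2007, 1, 15, 10, 3, 45), "10.0.0.25", "WMF NumObjects 0",
              "Windows", "example-viewer", (1, 3, 0))
    for k, v in triage(a, HOST_INVENTORY, PROXY_LOG).items():
        print(f"{k:18} {v}")
```

A "low" result is a reason to downgrade urgency, not to stop; the alert in the previous post went through the same checks and was still pulled from full content and analyzed by hand.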
My other issue has been finding time to post due to many personal happenings surrounding my everyday life. I’m freed up once again and getting ready to start a new term in my Master’s program. I’m excited and hope to share much of my struggles and triumphs here.
As before, this blog is primarily a dumping ground for my thoughts surrounding technical and corporate issues. Generally, they will be security related as it is not only my current job but my passion as well. I look forward to a promising journey and the ability to share it online. It’s my hope that someone somewhere will find what I have to say helpful. If not, at least it’ll help me :)