Suricata-vs-snort/Test-cases/Evasion-techniques


Synthesis

Test                                      Suricata  Snort
Nmap decoy test (6th position)                   2      2
Nmap decoy test (7th position)                   2      2
Hex encoding                                     2      2
Nmap scan with fragmentation                     2      2
Nikto Random URI encoding                        1      2
Nikto Directory self reference                   1      2
Nikto Premature URL ending                       2      2
Nikto Prepend long random string                 1      2
Nikto Fake parameter                             1      2
Nikto TAB as request spacer                      2      2
Nikto Change the case of the URL                 1      2
Nikto Windows directory separator                1      2
Nikto Carriage return as request spacer          2      2
Nikto Binary value as request spacer             1      2
JavaScript obfuscation                           0      1
TOTAL                                           21     29

Nmap decoy test (6th position)

  • Test: Nmap decoy test (6th position)
  • Payload:
sudo nmap -sS -A -D 192.168.100.1,192.168.100.2,192.168.100.3,192.168.100.4,192.168.100.5,ME 192.168.100.35
  • Suricata trace: detected
  • Suricata score: 2
  • Snort trace: detected. In addition, the following alert was triggered:
[**] [122:2:1] PSNG_TCP_DECOY_PORTSCAN [**]
[Classification: Attempted Information Leak] [Priority: 2]
  • Snort score: 2

Nmap decoy test (7th position)

  • Test: Nmap decoy test (7th position)
  • Payload:
sudo nmap -sS -A -D 192.168.100.1,192.168.100.2,192.168.100.3,192.168.100.4,192.168.100.5,192.168.100.6,ME 192.168.100.35
  • Suricata trace: detected
  • Suricata score: 2
  • Snort trace: detected. In addition, the following alert was triggered:
[**] [122:2:1] PSNG_TCP_DECOY_PORTSCAN [**]
[Classification: Attempted Information Leak] [Priority: 2] 
04/20-13:07:56.901966 192.168.100.1 -> 192.168.100.48
PROTO:255 TTL:38 TOS:0x0 ID:52445 IpLen:20 DgmLen:169
  • Snort score: 2

Hex encoding

  • Test: Hex payload encoding of ../../../etc/passwd attack
  • Payload:
echo "GET /index.php?page=%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041202 Firefox/1.0\r\n\r\n" | nc 192.168.100.48 80
  • Note: bash's builtin echo does not interpret \r\n unless given -e (dash's echo does), so depending on the shell the literal backslash sequences may be sent instead of CRLF line endings. The Snort "Invalid HTTP Version String" alert below is consistent with that; printf or echo -e sends the intended bytes.
  • Suricata trace:
03/14/2011-08:48:24.534110  [**] [1:2011037:3] ET WEB_SERVER Possible Attempt to Get SQL Server Version in URI using SELECT VERSION [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.100.18:34341 -> 192.168.100.35:80
03/14/2011-08:48:24.534110  [**] [1:2006446:11] ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.100.18:34341 -> 192.168.100.35:80
  • Note: both recorded Suricata alerts are SQL-injection signatures (ET 2011037, ET 2006446); neither names the /etc/passwd traversal carried by the payload.
  • Suricata score: 2
  • Snort trace:
[**] [1:1122:8] WEB-MISC /etc/passwd [**]
[Classification: Attempted Information Leak] [Priority: 2] 
04/20-13:15:57.919152 192.168.100.45:44986 -> 192.168.100.48:80
TCP TTL:64 TOS:0x0 ID:63402 IpLen:20 DgmLen:266 DF
***AP*** Seq: 0x6A4F4C21  Ack: 0x3509E488  Win: 0x5C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 7256969 2405050 

[**] [1:2570:12] WEB-MISC Invalid HTTP Version String [**]
[Classification: Detection of a non-standard protocol or event] [Priority: 2] 
04/20-13:15:57.919152 192.168.100.45:44986 -> 192.168.100.48:80
TCP TTL:64 TOS:0x0 ID:63402 IpLen:20 DgmLen:266 DF
***AP*** Seq: 0x6A4F4C21  Ack: 0x3509E488  Win: 0x5C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 7256969 2405050 
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=11593][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0478][Xref => http://www.securityfocus.com/bid/9809][Xref => http://www.securityfocus.com/bid/34240]
  • Snort score: 2

Nmap scan with fragmentation

  • Test: Nmap scan with packet fragmentation (-f) and no host discovery (-Pn)
  • Payload:
sudo nmap -Pn -sS -A -f 192.168.100.35
  • Suricata trace:
[...TRUNCATED...]
03/14/2011-10:39:05.015978  [**] [1:2009358:3] ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine) [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.100.18:39370 -> 192.168.100.35:80
03/14/2011-10:39:14.605304  [**] [1:410:5] ICMP Fragment Reassembly Time Exceeded [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.100.35:11 -> 192.168.100.18:1
03/14/2011-10:39:15.661284  [**] [1:410:5] ICMP Fragment Reassembly Time Exceeded [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.100.35:11 -> 192.168.100.18:1
  • Suricata score: 2
  • Snort trace:
[**] [122:1:1] PSNG_TCP_PORTSCAN [**]
[Classification: Attempted Information Leak] [Priority: 2] 
04/20-13:21:02.240599 192.168.100.45 -> 192.168.100.48
PROTO:255 TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:164 DF

[**] [123:13:1] (spp_frag3) Tiny fragment [**]
[Classification: Attempted Denial of Service] [Priority: 2] 
04/20-13:21:02.240815 192.168.100.45 -> 192.168.100.48
TCP TTL:51 TOS:0x0 ID:38285 IpLen:20 DgmLen:28 MF
Frag Offset: 0x0001   Frag Size: 0x0008
  • Snort score: 2

Nikto Random URI encoding

  • Test: Nikto scan (only cgi plugin) with evasion technique #1: Random URI encoding (non-UTF8)
  • Payload:
sudo ./nikto.pl -h 192.168.100.35 -Plugins cgi -evasion 1
  • Suricata trace:
03/14/2011-10:42:39.344710  [**] [1:1201:7] GPL WEB_SERVER 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.100.35:80 -> 192.168.100.18:39380
  • Suricata score: 1
  • Snort trace (alert count, then alert):
     1 [**] [1:1029:14] WEB-IIS scripts-browse access [**]
     1 [**] [1:1044:12] WEB-IIS webhits access [**]
     1 [**] [1:1071:8] WEB-MISC .htpasswd access [**]
     2 [**] [1:1129:9] WEB-MISC .htaccess access [**]
     1 [**] [1:1130:8] WEB-MISC .wwwacl access [**]
     1 [**] [1:1131:8] WEB-MISC .wwwacl access [**]
     1 [**] [1:1201:8] ATTACK-RESPONSES 403 Forbidden [**]
     1 [**] [1:1233:13] WEB-CLIENT Outlook EML access [**]
     1 [**] [1:1242:17] WEB-IIS ISAPI .ida access [**]
     1 [**] [1:1245:17] WEB-IIS ISAPI .idq access [**]
     1 [**] [1:1325:8] EXPLOIT ssh CRC32 overflow filler [**]
     1 [**] [1:16629:2] POLICY download of .bin file [**]
     1 [**] [1:16630:2] POLICY download of .dat file [**]
     1 [**] [1:1668:10] WEB-CGI /cgi-bin/ access [**]
   176 [**] [1:17276:5] WEB-MISC Multiple vendor Antivirus magic byte detection evasion attempt [**]
     1 [**] [1:1880:7] WEB-MISC oracle web application server access [**]
    27 [**] [128:4:1] (spp_ssh) Protocol mismatch [**]
     2 [**] [138:5:1] SENSITIVE-DATA Email Addresses [**]
     2 [**] [139:1:1] SDF_COMBO_ALERT [**]
     1 [**] [1:971:17] WEB-IIS ISAPI .printer access [**]
     1 [**] [1:977:19] WEB-IIS .cnf access [**]
     1 [**] [1:987:21] WEB-IIS .htr access [**]
   152 [**] [3:17429:3] WEB-MISC Microsoft ASP.NET information disclosure attempt [**]
  • Snort score: 2

Nikto Directory self reference

  • Test: Nikto scan (only cgi plugin) with evasion technique #2: Directory self-reference (/./)
  • Payload:
sudo ./nikto.pl -h 192.168.100.35 -Plugins cgi -evasion 2
  • Suricata trace:
03/14/2011-11:28:34.176995  [**] [1:1201:7] GPL WEB_SERVER 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.100.35:80 -> 192.168.100.18:51779
  • Suricata score: 1
  • Snort trace (alert count, then alert):
     1 [**] [1:1029:14] WEB-IIS scripts-browse access [**]
     1 [**] [1:1044:12] WEB-IIS webhits access [**]
     1 [**] [1:1071:8] WEB-MISC .htpasswd access [**]
     2 [**] [1:1129:9] WEB-MISC .htaccess access [**]
     1 [**] [1:1130:8] WEB-MISC .wwwacl access [**]
     1 [**] [1:1131:8] WEB-MISC .wwwacl access [**]
     1 [**] [1:1201:8] ATTACK-RESPONSES 403 Forbidden [**]
     1 [**] [1:1233:13] WEB-CLIENT Outlook EML access [**]
     1 [**] [1:1242:17] WEB-IIS ISAPI .ida access [**]
     1 [**] [1:1245:17] WEB-IIS ISAPI .idq access [**]
     1 [**] [1:1325:8] EXPLOIT ssh CRC32 overflow filler [**]
     1 [**] [1:16629:2] POLICY download of .bin file [**]
     1 [**] [1:16630:2] POLICY download of .dat file [**]
     1 [**] [1:1668:10] WEB-CGI /cgi-bin/ access [**]
    85 [**] [1:17276:5] WEB-MISC Multiple vendor Antivirus magic byte detection evasion attempt [**]
     1 [**] [1:1880:7] WEB-MISC oracle web application server access [**]
     2 [**] [138:5:1] SENSITIVE-DATA Email Addresses [**]
     2 [**] [139:1:1] SDF_COMBO_ALERT [**]
     1 [**] [1:971:17] WEB-IIS ISAPI .printer access [**]
     1 [**] [1:977:19] WEB-IIS .cnf access [**]
     1 [**] [1:987:21] WEB-IIS .htr access [**]
   152 [**] [3:17429:3] WEB-MISC Microsoft ASP.NET information disclosure attempt [**]
  • Snort score: 2

Nikto Premature URL ending

  • Test: Nikto scan (only cgi plugin) with evasion technique #3: Premature URL ending
  • Payload:
sudo ./nikto.pl -h 192.168.100.35 -Plugins cgi -evasion 3
  • Suricata trace:
03/14/2011-11:29:12.579304  [**] [1:2002677:10] ET SCAN Nikto Web App Scan in Progress [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.100.18:41385 -> 192.168.100.35:80
03/14/2011-11:29:12.985315  [**] [1:1071:6] GPL WEB_SERVER .htpasswd access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.100.18:41385 -> 192.168.100.35:80
03/14/2011-11:29:13.075404  [**] [1:1201:7] GPL WEB_SERVER 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.100.35:80 -> 192.168.100.18:41386
  • Suricata score: 2
  • Snort trace:
[**] [1:2002677:12] ET SCAN Nikto Web App Scan in Progress [**]
[Classification: Web Application Attack] [Priority: 1] 
03/19-00:40:39.702148 192.168.100.37:53341 -> 192.168.100.36:80
TCP TTL:64 TOS:0x0 ID:60252 IpLen:20 DgmLen:205 DF
***AP*** Seq: 0x1F066970  Ack: 0xA9F9D3C2  Win: 0xB4  TcpLen: 32
TCP Options (3) => NOP NOP TS: 757314 165854268 
[Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Nikto][Xref => http://doc.emergingthreats.net/2002677][Xref => http://www.cirt.net/code/nikto.shtml]
  • Snort score: 2

Nikto Prepend long random string

  • Test: Nikto scan (only cgi plugin) with evasion technique #4: Prepend long random string
  • Payload:
sudo ./nikto.pl -h 192.168.100.35 -Plugins cgi -evasion 4
  • Suricata trace:
03/14/2011-11:47:00.797391  [**] [1:1071:6] GPL WEB_SERVER .htpasswd access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.100.18:41866 -> 192.168.100.35:80
03/14/2011-11:48:36.765363  [**] [1:1201:7] GPL WEB_SERVER 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.100.35:80 -> 192.168.100.18:41871
  • Suricata score: 1
  • Snort trace:
[**] [1:2002677:12] ET SCAN Nikto Web App Scan in Progress [**]
[Classification: Web Application Attack] [Priority: 1] 
03/19-00:43:02.927040 192.168.100.37:53346 -> 192.168.100.36:80
TCP TTL:64 TOS:0x0 ID:57819 IpLen:20 DgmLen:198 DF
***AP*** Seq: 0xA4FBFAC8  Ack: 0x2FFBE02A  Win: 0xB4  TcpLen: 32
TCP Options (3) => NOP NOP TS: 793121 165890074 
[Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Nikto][Xref => http://doc.emergingthreats.net/2002677][Xref => http://www.cirt.net/code/nikto.shtml]
  • Snort score: 2

Nikto Fake parameter

  • Test: Nikto scan (only cgi plugin) with evasion technique #5: Fake parameter
  • Payload:
sudo ./nikto.pl -h 192.168.100.35 -Plugins cgi -evasion 5
  • Suricata trace:
03/14/2011-11:49:23.888489  [**] [1:1201:7] GPL WEB_SERVER 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.100.35:80 -> 192.168.100.18:44156
  • Suricata score: 1
  • Snort trace:
[**] [1:2002677:12] ET SCAN Nikto Web App Scan in Progress [**]
[Classification: Web Application Attack] [Priority: 1] 
03/19-00:44:26.459730 192.168.100.37:53349 -> 192.168.100.36:80
TCP TTL:64 TOS:0x0 ID:30189 IpLen:20 DgmLen:201 DF
***AP*** Seq: 0xF2C3216D  Ack: 0x7EDFCAD8  Win: 0xB4  TcpLen: 32
TCP Options (3) => NOP NOP TS: 814004 165910957 
[Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Nikto][Xref => http://doc.emergingthreats.net/2002677][Xref => http://www.cirt.net/code/nikto.shtml]
  • Snort score: 2

Nikto TAB as request spacer

  • Test: Nikto scan (only cgi plugin) with evasion technique #6: TAB as request spacer
  • Payload:
sudo ./nikto.pl -h 192.168.100.35 -Plugins cgi -evasion 6
  • Suricata trace:
03/14/2011-11:50:16.713041  [**] [1:2002677:10] ET SCAN Nikto Web App Scan in Progress [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.100.18:44165 -> 192.168.100.35:80
03/14/2011-11:50:17.267461  [**] [1:1201:7] GPL WEB_SERVER 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.100.35:80 -> 192.168.100.18:44166
  • Suricata score: 2
  • Snort trace:
[**] [1:2002677:12] ET SCAN Nikto Web App Scan in Progress [**]
[Classification: Web Application Attack] [Priority: 1] 
03/19-00:46:11.502120 192.168.100.37:49699 -> 192.168.100.36:80
TCP TTL:64 TOS:0x0 ID:7547 IpLen:20 DgmLen:199 DF
***AP*** Seq: 0x55A9CF55  Ack: 0xDFD04C23  Win: 0xB4  TcpLen: 32
TCP Options (3) => NOP NOP TS: 840265 165937218 
[Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Nikto][Xref => http://doc.emergingthreats.net/2002677][Xref => http://www.cirt.net/code/nikto.shtml]
  • Snort score: 2

Nikto Change the case of the URL

  • Test: Nikto scan (only cgi plugin) with evasion technique #7: Change the case of the URL
  • Payload:
sudo ./nikto.pl -h 192.168.100.35 -Plugins cgi -evasion 7
  • Suricata trace:
03/14/2011-11:50:48.868291  [**] [1:1071:6] GPL WEB_SERVER .htpasswd access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.100.18:44168 -> 192.168.100.35:80
03/14/2011-11:50:48.982049  [**] [1:1201:7] GPL WEB_SERVER 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.100.35:80 -> 192.168.100.18:44169
  • Suricata score: 1
  • Snort trace:
[**] [1:2002677:12] ET SCAN Nikto Web App Scan in Progress [**]
[Classification: Web Application Attack] [Priority: 1] 
03/19-00:50:11.543876 192.168.100.37:49705 -> 192.168.100.36:80
TCP TTL:64 TOS:0x0 ID:61672 IpLen:20 DgmLen:197 DF
***AP*** Seq: 0x346D4F3F  Ack: 0xC0E14834  Win: 0xB4  TcpLen: 32
TCP Options (3) => NOP NOP TS: 900277 165997229 
[Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Nikto][Xref => http://doc.emergingthreats.net/2002677][Xref => http://www.cirt.net/code/nikto.shtml]
  • Snort score: 2

Nikto Windows directory separator

  • Test: Nikto scan (only cgi plugin) with evasion technique #8: Use Windows directory separator (\)
  • Payload:
sudo ./nikto.pl -h 192.168.100.35 -Plugins cgi -evasion 8
  • Suricata trace:
03/14/2011-11:51:25.433342  [**] [1:1201:7] GPL WEB_SERVER 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.100.35:80 -> 192.168.100.18:44173
  • Suricata score: 1
  • Snort trace:
[**] [1:2002677:12] ET SCAN Nikto Web App Scan in Progress [**]
[Classification: Web Application Attack] [Priority: 1] 
03/19-00:51:25.115899 192.168.100.37:41395 -> 192.168.100.36:80
TCP TTL:64 TOS:0x0 ID:25600 IpLen:20 DgmLen:199 DF
***AP*** Seq: 0x7A316A94  Ack: 0x55FE6CB  Win: 0xB4  TcpLen: 32
TCP Options (3) => NOP NOP TS: 918671 166015622 
[Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Nikto][Xref => http://doc.emergingthreats.net/2002677][Xref => http://www.cirt.net/code/nikto.shtml]
  • Snort score: 2

Nikto Carriage return as request spacer

  • Test: Nikto scan (only cgi plugin) with evasion technique A: Use a carriage return (0x0d) as a request spacer
  • Payload:
sudo ./nikto.pl -h 192.168.100.35 -Plugins cgi -evasion A
  • Suricata trace:
03/14/2011-11:51:55.454872  [**] [1:2002677:10] ET SCAN Nikto Web App Scan in Progress [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.100.18:44175 -> 192.168.100.35:80
  • Suricata score: 2
  • Snort trace:
[**] [1:2002677:12] ET SCAN Nikto Web App Scan in Progress [**]
[Classification: Web Application Attack] [Priority: 1] 
03/19-00:52:39.874340 192.168.100.37:41398 -> 192.168.100.36:80
TCP TTL:64 TOS:0x0 ID:45046 IpLen:20 DgmLen:201 DF
***AP*** Seq: 0xC002E57F  Ack: 0x4B51324B  Win: 0xB4  TcpLen: 32
TCP Options (3) => NOP NOP TS: 937360 166034311 
[Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Nikto][Xref => http://doc.emergingthreats.net/2002677][Xref => http://www.cirt.net/code/nikto.shtml]
  • Snort score: 2

Nikto Binary value as request spacer

  • Test: Nikto scan (only cgi plugin) with evasion technique B: Use binary value 0x0b as a request spacer
  • Payload:
sudo ./nikto.pl -h 192.168.100.35 -Plugins cgi -evasion B
  • Suricata trace:
03/14/2011-11:52:24.850697  [**] [1:1201:7] GPL WEB_SERVER 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.100.35:80 -> 192.168.100.18:44180
  • Suricata score: 1
  • Snort trace:
[**] [1:2002677:12] ET SCAN Nikto Web App Scan in Progress [**]
[Classification: Web Application Attack] [Priority: 1] 
03/19-00:53:57.835856 192.168.100.37:41401 -> 192.168.100.36:80
TCP TTL:64 TOS:0x0 ID:30108 IpLen:20 DgmLen:197 DF
***AP*** Seq: 0x884EF97  Ack: 0x949FDE42  Win: 0xB4  TcpLen: 32
TCP Options (3) => NOP NOP TS: 956851 166053801 
[Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Nikto][Xref => http://doc.emergingthreats.net/2002677][Xref => http://www.cirt.net/code/nikto.shtml]
  • Snort score: 2

JavaScript obfuscation

  • Test: JavaScript obfuscation
  • Payload:
echo "GET /?page=%sCscript%3Ealert%28%29%3C%2Fscript%3E HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n" | nc 192.168.100.35 80
  • Note: %sC is not valid percent-encoding (presumably %3C, i.e. "<", was intended). How an engine treats a malformed escape decides whether it reconstructs "<script" from this URI, which matters when comparing the two results below.
  • Suricata trace: N/A
  • Suricata score: 0
  • Snort trace:
[**] [1:2009714:6] ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
03/19-00:02:08.859462 192.168.100.37:36039 -> 192.168.100.36:80
TCP TTL:64 TOS:0x0 ID:63467 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0xAEFE4A6F  Ack: 0x3B021E1A  Win: 0x5C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 179592 165276558 
[Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_CSS][Xref => http://doc.emergingthreats.net/2009714][Xref => http://ha.ckers.org/xss.html]
  • Snort score: 1
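The evasions exercised above (the hex-encoded /etc/passwd traversal, the eleven Nikto modes, and the percent-encoded script tag) all rely on the IDS seeing a different URI than the web server does. The following is an added example in Python, not code from this page, Suricata, Snort or Nikto: a small request-line normaliser that undoes each transform in the order a server would, then matches plain signatures against the result. The request lines in SAMPLES are constructed approximations of what each Nikto evasion mode emits (not captured Nikto traffic), and the SIGNATURES strings are stand-ins for the GPL/ET rules that fired in the traces. Two ordering points it makes explicit: the request line is split on spacer bytes before percent-decoding (otherwise mode 3's encoded " HTTP/1.0\r\n" looks like the end of the line), and the query string is split off on the raw "?" only, so mode 5's %3f stays in the path and is discarded by the "/../" that follows it. Whether a real engine decodes an invalid escape such as the page's %sC is engine-specific; this decoder leaves it untouched, so the page's literal payload yields no match while the %3C form does.

```python
"""Normaliser for the URI evasions tested on this page.

Added example, not code from the aldeid page, Suricata, Snort or Nikto.
Request lines in SAMPLES are constructed approximations of each Nikto
evasion mode; SIGNATURES are stand-ins for the GPL/ET rules that fired.
"""
import re
from urllib.parse import unquote_to_bytes

# Bytes the spacer evasions use instead of a single space:
# TAB (mode 6), CR (mode A), 0x0b (mode B).
SPACER_RE = re.compile(rb"[ \t\r\x0b]+")

# Constructed stand-ins for the signatures seen in the traces above.
SIGNATURES = {
    "/etc/passwd": "WEB-MISC /etc/passwd",
    ".htpasswd":   "WEB_SERVER .htpasswd access",
    "/cgi-bin/":   "WEB-CGI /cgi-bin/ access",
    "<script":     "WEB_SERVER Script tag in URI",
}

TARGET = "/cgi-bin/.htpasswd"

# Constructed request lines: TARGET wrapped in each Nikto evasion mode.
SAMPLES = {
    "1 random URI encoding":        b"GET /c%67i-b%69n/.ht%70asswd HTTP/1.1",
    "2 directory self-reference":   b"GET /./cgi-bin/./.htpasswd HTTP/1.1",
    "3 premature URL ending":       b"GET /%20HTTP/1.0%0d%0aAccept%3a%20/../../cgi-bin/.htpasswd HTTP/1.1",
    "4 prepend long random string": b"GET /xq8vz3kd9mwp1ls0/../cgi-bin/.htpasswd HTTP/1.1",
    "5 fake parameter":             b"GET /j4k2.html%3fz=/../cgi-bin/.htpasswd HTTP/1.1",
    "6 TAB as request spacer":      b"GET\t/cgi-bin/.htpasswd\tHTTP/1.1",
    "7 change the case":            b"GET /CgI-BiN/.HtPaSsWd HTTP/1.1",
    "8 Windows separator":          b"GET \\cgi-bin\\.htpasswd HTTP/1.1",
    "A CR as request spacer":       b"GET\r/cgi-bin/.htpasswd\rHTTP/1.1",
    "B 0x0b as request spacer":     b"GET\x0b/cgi-bin/.htpasswd\x0bHTTP/1.1",
}


def split_request_line(line):
    """Split METHOD/URI/VERSION on any spacer byte *before* decoding.

    Decoding first is what mode 3 exploits: the URI carries an encoded
    ' HTTP/1.0\\r\\n' that looks like the end of the request line once decoded.
    """
    parts = [p for p in SPACER_RE.split(line.rstrip(b"\r\n")) if p]
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % line)
    return parts


def normalize_path(raw_path):
    """Canonicalise a path the way the target server will see it.

    Percent-decode (mode 1, hex-encoded traversal), map '\\' to '/' (mode 8),
    lower-case (mode 7), then resolve '.' and '..' segments (modes 2, 3, 4
    and 5 all hide the real path behind a '/../').
    """
    decoded = unquote_to_bytes(raw_path).decode("latin-1")
    decoded = decoded.replace("\\", "/").lower()
    segs = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue                    # '//' and '/./' are no-ops
        if seg == "..":
            if segs:
                segs.pop()              # climb one level, never above root
            continue
        segs.append(seg)
    path = "/" + "/".join(segs)
    if segs and decoded.endswith("/"):
        path += "/"
    return path


def normalize_request_line(line):
    method, uri, version = split_request_line(line)
    # Split on the *raw* '?' only: an encoded %3f (mode 5) is part of the
    # path for the server and must survive into '..' resolution.
    raw_path, _, raw_query = uri.partition(b"?")
    return {
        "method": method.decode("latin-1").upper(),
        "path": normalize_path(raw_path),
        # Query values are application input: decode, but do not resolve '..'.
        "query": unquote_to_bytes(raw_query).decode("latin-1"),
        "version": version.decode("latin-1").upper(),
    }


def match_signatures(line):
    """Names of SIGNATURES found in the normalised path and query."""
    req = normalize_request_line(line)
    haystack = req["path"]
    if req["query"]:
        haystack += "?" + req["query"].lower()
    return [name for needle, name in SIGNATURES.items() if needle in haystack]


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print("%-30s %s" % (name, normalize_request_line(line)["path"]))
    print(match_signatures(b"GET /index.php?page=%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 HTTP/1.1"))
    print(match_signatures(b"GET /?page=%3Cscript%3Ealert%28%29%3C%2Fscript%3E HTTP/1.1"))
    print(match_signatures(b"GET /?page=%sCscript%3Ealert%28%29%3C%2Fscript%3E HTTP/1.1"))
```

Every SAMPLES entry normalises to /cgi-bin/.htpasswd and trips both the .htpasswd and /cgi-bin/ stand-in signatures; the traversal is found in the decoded query without touching its "..", since that string is input to the application rather than a server path. The one deliberate gap is the last call: the page's %sC payload stays undecoded and matches nothing, which is the kind of decoder difference that can separate a 0 from a 1 in the synthesis table.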
