Cisco Firepower Management Center 4000
32-54
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
The following table describes the arguments for the asn1 keyword.
For example, there is a known vulnerability in the Microsoft ASN.1 Library that creates a buffer overflow, allowing an attacker to exploit the condition with a specially crafted authentication packet. When the system decodes the asn.1 data, exploit code in the packet could execute on the host with system-level privileges or could cause a DoS condition. The following rule uses the asn1 keyword to detect attempts to exploit this vulnerability:
alert tcp $EXTERNAL_NET any -> $HOME_NET 445
(flow:to_server, established; content:"|FF|SMB|73|"; nocase;
offset:4; depth:5;
asn1:bitstring_overflow,double_overflow,oversize_length 100,relative_offset 54;)
The above rule generates an event against TCP traffic traveling from any IP address defined in the $EXTERNAL_NET variable, from any port, to any IP address defined in the $HOME_NET variable using port 445. In addition, it only executes the rule on established TCP connections to servers. The rule then tests for specific content in specific locations. Finally, the rule uses the asn1 keyword to detect bitstring encodings and double ASCII encodings and to identify asn.1 type lengths over 100 bytes in length starting 55 bytes from the end of the last successful content match. (Remember that the offset counter starts at byte 0.)
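To make the rule's payload tests concrete, here is an added Python emulation (not Cisco or Snort code) of how the content match and the asn1 oversize_length and bitstring_overflow checks are applied: the content must sit in the 5-byte window at offset 4, and the ASN.1 element is decoded 54 bytes past the end of that match. The sample payloads are constructed, not captured traffic, and the double_overflow check is not emulated.

```python
# Added emulation (not Cisco/Snort code) of the content + asn1 checks in the rule above.
SMB_CONTENT = b"\xffSMB\x73"  # content:"|FF|SMB|73|"

def der_length(buf, pos):
    """Decode the ASN.1 length field at buf[pos]; return (length, bytes_used)."""
    first = buf[pos]
    if first < 0x80:                      # short form: one byte
        return first, 1
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("indefinite or truncated ASN.1 length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), 1 + n

def content_match_end(payload, content, offset, depth, nocase=True):
    """Emulate content/offset/depth/nocase; return index just past the match, or -1."""
    window = payload[offset:offset + depth]
    if nocase:
        window, content = window.lower(), content.lower()
    idx = window.find(content)
    return -1 if idx < 0 else offset + idx + len(content)

def asn1_check(payload, start, oversize_length):
    """Emulate asn1:oversize_length N,bitstring_overflow at absolute index start."""
    if start < 0 or start + 2 > len(payload):
        return None                       # nothing decodable at that position
    try:
        length, used = der_length(payload, start + 1)   # byte at start is the tag
    except ValueError:
        return None
    if length > oversize_length:
        return "oversize_length"
    # BIT STRING (tag 0x03): first content byte is the unused-bit count, valid range 0..7
    unused = start + 1 + used
    if payload[start] == 0x03 and unused < len(payload) and payload[unused] > 7:
        return "bitstring_overflow"
    return None

def rule_matches(payload):
    """Rule tests: content at offset 4 / depth 5, then asn1 54 bytes after the match."""
    end = content_match_end(payload, SMB_CONTENT, offset=4, depth=5)
    if end < 0:
        return None
    return asn1_check(payload, end + 54, oversize_length=100)

# Constructed payloads: 4-byte NetBIOS header, SMB header, 54 bytes of padding, then ASN.1.
PREFIX = b"\x00\x00\x00\x80" + SMB_CONTENT + b"\x00" * 54
MALICIOUS = PREFIX + b"\x30\x82\x01\x00" + b"\x00" * 4   # SEQUENCE, declared length 256
BENIGN = PREFIX + b"\x30\x10" + b"\x00" * 16             # SEQUENCE, declared length 16
BAD_BITS = PREFIX + b"\x03\x02\x09\x00"                  # BIT STRING claiming 9 unused bits
```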
urilen
License: Protection
You can use the urilen keyword in conjunction with the HTTP Inspect preprocessor to inspect HTTP traffic for URIs of a specific length, less than a maximum length, greater than a minimum length, or within a specified range.
After the HTTP Inspect preprocessor normalizes and inspects the packet, the rules engine evaluates the packet against the rule and determines whether the URI matches the length condition specified by the urilen keyword. You can use this keyword to detect exploits that attempt to take advantage of URI length vulnerabilities, for example, by creating a buffer overflow that allows the attacker to cause a DoS condition or execute code on the host with system-level privileges.
Table 32-36 asn.1 Keyword Arguments

Bitstring Overflow
    Detects invalid, remotely exploitable bitstring encodings.

Double Overflow
    Detects a double ASCII encoding that is larger than a standard buffer. This is known to be an exploitable function in Microsoft Windows, but it is unknown at this time which services may be exploitable.

Oversize Length
    Detects ASN.1 type lengths greater than the supplied argument. For example, if you set the Oversize Length to 500, any ASN.1 type greater than 500 triggers the rule.

Absolute Offset
    Sets an absolute offset from the beginning of the packet payload. (Remember that the offset counter starts at byte 0.) For example, if you want to decode SNMP packets, set Absolute Offset to 0 and do not set a Relative Offset. Absolute Offset may be positive or negative.

Relative Offset
    This is the relative offset from the last successful content match, pcre, or byte_jump. To decode an ASN.1 sequence right after the content "foo", set Relative Offset to 0, and do not set an Absolute Offset. Relative Offset may be positive or negative. (Remember that the offset counter starts at 0.)