Security Incidents mailing list archives
Pretty Park IDS Detection
From: rgula () SECURITYWIZARDS COM (Ron Gula)
Date: Tue, 29 Feb 2000 04:47:00 -0500
I think trying to come up with a fingerprint to detect PP would be useful if we got any major IDS db-administrators to include it in their detectors. I'm afraid the sequence may be too fuzzy for any effective way to spot it, but this is an example case:

src:any -> any:6667
data: 'USER <rchar(5)> <rchar(6)> <rchar(7)> :<rchar(8)>'

i.e. windows:1042 -> box:6667
data: 'USER dP{DC TyPvaR Q}FwDHv :oAOKNI{q' (without the quotes)
Hi there - I'm Ron Gula from Network Security Wizards. We've been playing around with some Dragon sigs to catch Pretty Park's IRC activity. Looking for the email Subject line is easy enough, but the IRC activity has some forensic value, such as trying to find out who may be listening in on the other side. We tried some test signatures based on the above IRC description which was posted here by Ville. Without explaining our signature format in too much depth, this is what we pushed to a few Dragon sensors:

T A A S 20 0 6667 IRC:PPARK user/20?????/20??????/20???????/20:????????

At one particular ISP that has had some PPARK activity, here is a typical log:

bash-2.03# mklog -l -e IRC:PPARK
** Make Logs Tool - Copyright 1999 Network Security Wizards
** http://www.securitywizards.com
** Printing 'dragon.log' style data
** Printing events of type [IRC:PPARK
** Date: Monday February 28 2000
10:34:36 [F] 105.153.74.172 207.152.95.10 [IRC:PPARK] (tcp,dp=6667,sp=1187) (dragon.example.net)
10:35:37 [F] 105.153.74.172 193.55.113.134 [IRC:PPARK] (tcp,dp=6667,sp=1212) (dragon.example.net)
10:37:07 [F] 105.153.74.172 206.252.192.20 [IRC:PPARK] (tcp,dp=6667,sp=1244) (dragon.example.net)
12:49:38 [F] 105.153.73.144 207.152.95.10 [IRC:PPARK] (tcp,dp=6667,sp=1028) (dragon.example.net)
12:50:35 [F] 105.153.73.144 193.55.113.134 [IRC:PPARK] (tcp,dp=6667,sp=1035) (dragon.example.net)
13:23:18 [F] 105.153.73.132 193.55.113.134 [IRC:PPARK] (tcp,dp=6667,sp=1034) (dragon.example.net)
13:24:51 [F] 105.153.73.132 206.252.192.20 [IRC:PPARK] (tcp,dp=6667,sp=1086) (dragon.example.net)
13:26:48 [F] 105.153.73.132 194.158.96.24 [IRC:PPARK] (tcp,dp=6667,sp=1103) (dragon.example.net)
20:35:29 [F] 105.153.73.193 207.152.95.10 [IRC:PPARK] (tcp,dp=6667,sp=1113) (dragon.example.net)
20:36:28 [F] 105.153.73.193 193.55.113.134 [IRC:PPARK] (tcp,dp=6667,sp=1125) (dragon.example.net)
20:38:00 [F] 105.153.73.193 206.252.192.20 [IRC:PPARK] (tcp,dp=6667,sp=1132) (dragon.example.net)
21:39:46 [F] 105.153.74.207 207.152.95.10 [IRC:PPARK] (tcp,dp=6667,sp=3082) (dragon.example.net)
21:40:45 [F] 105.153.74.207 193.55.113.134 [IRC:PPARK] (tcp,dp=6667,sp=3087) (dragon.example.net)
21:46:46 [F] 105.153.74.207 207.152.95.10 [IRC:PPARK] (tcp,dp=6667,sp=3109) (dragon.example.net)
21:47:46 [F] 105.153.74.207 193.55.113.134 [IRC:PPARK] (tcp,dp=6667,sp=3117) (dragon.example.net)
21:49:16 [F] 105.153.74.207 206.252.192.20 [IRC:PPARK] (tcp,dp=6667,sp=3123) (dragon.example.net)
21:59:42 [F] 105.153.73.26 207.152.95.10 [IRC:PPARK] (tcp,dp=6667,sp=1538) (dragon.example.net)
22:38:12 [F] 105.153.74.77 207.152.95.10 [IRC:PPARK] (tcp,dp=6667,sp=1070) (dragon.example.net)
22:39:07 [F] 105.153.74.77 193.55.113.134 [IRC:PPARK] (tcp,dp=6667,sp=1074) (dragon.example.net)
22:40:37 [F] 105.153.74.77 206.252.192.20 [IRC:PPARK] (tcp,dp=6667,sp=1080) (dragon.example.net)

Notice how the source IPs at the ISP try to connect to various IRC servers over and over and then give up .... Here is the client side of one of those sessions:

bash-2.03# mksession -ip1 105.153.73.132 -ip2 194.158.96.24 -p1 1103 -p2 6667 -r | more
** Make Session Tool - Copyright 1999 Network Security Wizards
** http://www.securitywizards.com
** Watching for sessions on 105.153.73.132
** Watching for sessions on 194.158.96.24
** Watching for sessions on port 1103
** Watching for sessions on port 6667
** Replaying this session
** Date: Monday February 28 2000
NICK PiD{HmnY\{D}{A}
USER nIYgK {[RZ`Z NbGdKzA :KbAYTkRx{D}{A}
join #{1F}{2}{B6}{3}4ch{2}{1F}0 {3}{1F}{1F}{2}{2}{3}{D}{A}
join #{1F}{2}{B6}{3}4ch{2}{1F}0 {3}{1F}{1F}{2}{2}{3}{D}{A}
join #{1F}{2}{B6}{3}4ch{2}{1F}0 {3}{1F}{1F}{2}{2}{3}{D}{A}
join #{1F}{2}{B6}{3}4ch{2}{1F}0 {3}{1F}{1F}{2}{2}{3}{D}{A}
join #{1F}{2}{B6}{3}4ch{2}{1F}0 {3}{1F}{1F}{2}{2}{3}{D}{A}
join #{1F}{2}{B6}{3}4ch{2}{1F}0 {3}{1F}{1F}{2}{2}{3}{D}{A}
join #{1F}{2}{B6}{3}4ch{2}{1F}0 {3}{1F}{1F}{2}{2}{3}{D}{A}
join #{1F}{2}{B6}{3}4ch{2}{1F}0 {3}{1F}{1F}{2}{2}{3}{D}{A}
join #{1F}{2}{B6}{3}4ch{2}{1F}0 {3}{1F}{1F}{2}{2}{3}{D}{A}
join #{1F}{2}{B6}{3}4ch{2}{1F}0 {3}{1F}{1F}{2}{2}{3}{D}{A}
join #{1F}{2}{B6}{3}4ch{2}{1F}0 {3}{1F}{1F}{2}{2}{3}{D}{A}
join #{1F}{2}{B6}{3}4ch{2}{1F}0 {3}{1F}{1F}{2}{2}{3}{D}{A}
join #{1F}{2}{B6}{3}4ch{2}{1F}0 {3}{1F}{1F}{2}{2}{3}{D}{A}
join #{1F}{2}{B6}{3}4ch{2}{1F}0 {3}{1F}{1F}{2}{2}{3}{D}{A}

Ron Gula
Network Security Wizards
http://www.securitywizards.com
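As an added example (not Dragon's code and not from the original post), a small Python checker that applies the USER-line fingerprint Ville described (`USER <5> <6> <7> :<8>` non-space fields) to IRC client lines, and groups dragon.log-style IRC:PPARK events by source so the hop-between-servers pattern Ron points out is visible. The sample lines and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Fingerprint from the thread: "USER <rchar(5)> <rchar(6)> <rchar(7)> :<rchar(8)>".
# Pretty Park's fields are fixed-length runs of non-space bytes; a normal client
# sends "USER <user> <mode> <unused> :<realname>" where the mode field is a short
# number, so a 6-char second field is the part that rarely matches legitimate traffic.
PPARK_USER = re.compile(r"^USER \S{5} \S{6} \S{7} :\S{8}$")

def is_ppark_user_line(line: str) -> bool:
    """True if an IRC client line has the Pretty Park USER shape."""
    return PPARK_USER.match(line.rstrip("\r\n")) is not None

# dragon.log-style event as shown in the post:
# "13:26:48 [F] 105.153.73.132 194.158.96.24 [IRC:PPARK] (tcp,dp=6667,sp=1103) (sensor)"
EVENT = re.compile(r"^(\d\d:\d\d:\d\d) \[\w\] (\S+) (\S+) \[IRC:PPARK\] \(tcp,dp=6667,sp=\d+\)")

def servers_per_source(log_lines):
    """Map each source IP to the sorted list of IRC servers it triggered the
    signature against; a source cycling through several servers is the retry
    pattern described in the post."""
    seen = defaultdict(set)
    for line in log_lines:
        m = EVENT.match(line)
        if m:
            seen[m.group(2)].add(m.group(3))
    return {src: sorted(dsts) for src, dsts in seen.items()}

# Constructed sample input (addresses and hostnames made up for this example).
SAMPLE_CLIENT = [
    "USER nIYgK {[RZ`Z NbGdKzA :KbAYTkRx",   # same shape as the replayed session
    "USER alice 0 * :Alice Example",         # ordinary IRC client, should not match
    "NICK PiD{HmnY",
]
SAMPLE_LOG = [
    "10:34:36 [F] 192.0.2.10 198.51.100.1 [IRC:PPARK] (tcp,dp=6667,sp=1187) (sensor)",
    "10:35:37 [F] 192.0.2.10 198.51.100.2 [IRC:PPARK] (tcp,dp=6667,sp=1212) (sensor)",
    "10:37:07 [F] 192.0.2.10 198.51.100.3 [IRC:PPARK] (tcp,dp=6667,sp=1244) (sensor)",
    "12:49:38 [F] 192.0.2.20 198.51.100.1 [IRC:PPARK] (tcp,dp=6667,sp=1028) (sensor)",
]

if __name__ == "__main__":
    for l in SAMPLE_CLIENT:
        print(is_ppark_user_line(l), repr(l))
    for src, dsts in servers_per_source(SAMPLE_LOG).items():
        print(src, "->", len(dsts), "IRC servers:", dsts)
```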