Security Incidents mailing list archives

Pretty Park IDS Detection


From: rgula () SECURITYWIZARDS COM (Ron Gula)
Date: Tue, 29 Feb 2000 04:47:00 -0500


I think trying to come up with a finger-print to detect PP would be
useful if we got any major IDS db-administrators to include it in
their detectors.

I'm afraid the sequence may be too fuzzy for any effective way to
spot it, but this is an example case:

      src:any -> any:6667
      data: 'USER <rchar(5)> <rchar(6)> <rchar(7)> :<rchar(8)>'

i.e.
      windows:1042 -> box:6667
      data: 'USER dP{DC TyPvaR Q}FwDHv :oAOKNI{q'

      (without the quotes)

Hi there - I'm Ron Gula from Network Security Wizards. We've been playing
around with some Dragon sigs to catch Pretty Park's IRC activity. Looking
for the email Subject line is easy enough, but the IRC activity has some
forensic value, such as trying to find out who may be listening in on the
other side. We tried some test signatures based on the above IRC description
which was posted here by Ville. Without explaining our signature format too
in depth, this is what we pushed to a few Dragon sensors:

T A A S 20 0 6667 IRC:PPARK user/20?????/20??????/20???????/20:????????

At one particular ISP that has had some PPARK activity, here is a typical
log:

bash-2.03# mklog -l -e IRC:PPARK
** Make Logs Tool - Copyright 1999 Network Security Wizards
** http://www.securitywizards.com
** Printing 'dragon.log' style data
** Printing events of type [IRC:PPARK
** Date: Monday February 28 2000
10:34:36  [F]  105.153.74.172  207.152.95.10   [IRC:PPARK] (tcp,dp=6667,sp=1187) (dragon.example.net)
10:35:37  [F]  105.153.74.172  193.55.113.134  [IRC:PPARK] (tcp,dp=6667,sp=1212) (dragon.example.net)
10:37:07  [F]  105.153.74.172  206.252.192.20  [IRC:PPARK] (tcp,dp=6667,sp=1244) (dragon.example.net)
12:49:38  [F]  105.153.73.144  207.152.95.10   [IRC:PPARK] (tcp,dp=6667,sp=1028) (dragon.example.net)
12:50:35  [F]  105.153.73.144  193.55.113.134  [IRC:PPARK] (tcp,dp=6667,sp=1035) (dragon.example.net)
13:23:18  [F]  105.153.73.132  193.55.113.134  [IRC:PPARK] (tcp,dp=6667,sp=1034) (dragon.example.net)
13:24:51  [F]  105.153.73.132  206.252.192.20  [IRC:PPARK] (tcp,dp=6667,sp=1086) (dragon.example.net)
13:26:48  [F]  105.153.73.132  194.158.96.24   [IRC:PPARK] (tcp,dp=6667,sp=1103) (dragon.example.net)
20:35:29  [F]  105.153.73.193  207.152.95.10   [IRC:PPARK] (tcp,dp=6667,sp=1113) (dragon.example.net)
20:36:28  [F]  105.153.73.193  193.55.113.134  [IRC:PPARK] (tcp,dp=6667,sp=1125) (dragon.example.net)
20:38:00  [F]  105.153.73.193  206.252.192.20  [IRC:PPARK] (tcp,dp=6667,sp=1132) (dragon.example.net)
21:39:46  [F]  105.153.74.207  207.152.95.10   [IRC:PPARK] (tcp,dp=6667,sp=3082) (dragon.example.net)
21:40:45  [F]  105.153.74.207  193.55.113.134  [IRC:PPARK] (tcp,dp=6667,sp=3087) (dragon.example.net)
21:46:46  [F]  105.153.74.207  207.152.95.10   [IRC:PPARK] (tcp,dp=6667,sp=3109) (dragon.example.net)
21:47:46  [F]  105.153.74.207  193.55.113.134  [IRC:PPARK] (tcp,dp=6667,sp=3117) (dragon.example.net)
21:49:16  [F]  105.153.74.207  206.252.192.20  [IRC:PPARK] (tcp,dp=6667,sp=3123) (dragon.example.net)
21:59:42  [F]  105.153.73.26   207.152.95.10   [IRC:PPARK] (tcp,dp=6667,sp=1538) (dragon.example.net)
22:38:12  [F]  105.153.74.77   207.152.95.10   [IRC:PPARK] (tcp,dp=6667,sp=1070) (dragon.example.net)
22:39:07  [F]  105.153.74.77   193.55.113.134  [IRC:PPARK] (tcp,dp=6667,sp=1074) (dragon.example.net)
22:40:37  [F]  105.153.74.77   206.252.192.20  [IRC:PPARK] (tcp,dp=6667,sp=1080) (dragon.example.net)

Notice how the source IPs at the ISP try to connect to various IRC servers
over and over and then give up .... Here is the client side of one of those
sessions:

bash-2.03# mksession -ip1 105.153.73.132 -ip2 194.158.96.24 -p1 1103 -p2 6667 -r | more
** Make Session Tool - Copyright 1999 Network Security Wizards
** http://www.securitywizards.com
** Watching for sessions on 105.153.73.132
** Watching for sessions on 194.158.96.24
** Watching for sessions on port 1103
** Watching for sessions on port 6667
** Replaying this session
** Date: Monday February 28 2000
NICK PiD{HmnY\{D}{A}
USER nIYgK {[RZ`Z NbGdKzA :KbAYTkRx{D}{A}
join #{1F}{2}{B6}{3}4ch{2}{1F}0 {3}{1F}{1F}{2}{2}{3}{D}{A}
join #{1F}{2}{B6}{3}4ch{2}{1F}0 {3}{1F}{1F}{2}{2}{3}{D}{A}
join #{1F}{2}{B6}{3}4ch{2}{1F}0 {3}{1F}{1F}{2}{2}{3}{D}{A}
join #{1F}{2}{B6}{3}4ch{2}{1F}0 {3}{1F}{1F}{2}{2}{3}{D}{A}
join #{1F}{2}{B6}{3}4ch{2}{1F}0 {3}{1F}{1F}{2}{2}{3}{D}{A}
join #{1F}{2}{B6}{3}4ch{2}{1F}0 {3}{1F}{1F}{2}{2}{3}{D}{A}
join #{1F}{2}{B6}{3}4ch{2}{1F}0 {3}{1F}{1F}{2}{2}{3}{D}{A}
join #{1F}{2}{B6}{3}4ch{2}{1F}0 {3}{1F}{1F}{2}{2}{3}{D}{A}
join #{1F}{2}{B6}{3}4ch{2}{1F}0 {3}{1F}{1F}{2}{2}{3}{D}{A}
join #{1F}{2}{B6}{3}4ch{2}{1F}0 {3}{1F}{1F}{2}{2}{3}{D}{A}
join #{1F}{2}{B6}{3}4ch{2}{1F}0 {3}{1F}{1F}{2}{2}{3}{D}{A}
join #{1F}{2}{B6}{3}4ch{2}{1F}0 {3}{1F}{1F}{2}{2}{3}{D}{A}
join #{1F}{2}{B6}{3}4ch{2}{1F}0 {3}{1F}{1F}{2}{2}{3}{D}{A}
join #{1F}{2}{B6}{3}4ch{2}{1F}0 {3}{1F}{1F}{2}{2}{3}{D}{A}

Ron Gula
Network Security Wizards
http://www.securitywizards.com
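The two things this post combines are a content signature on the IRC USER line (four space-separated random tokens of length 5, 6, 7 and 8, the shape Ville described and the Dragon rule above encodes) and a traffic pattern in the sensor log (one source hitting IRC server after IRC server). The Python below is an added example written for this archive page, not Ron's, Ville's or Dragon's code: it expresses the USER-line shape as a regex, runs it over a client stream, and then reads Dragon-style event lines to list the sources that were flagged against several distinct servers. The log lines and the session it scans are constructed samples in the format shown in the post (documentation-range addresses, not the ISP's hosts); the function names and the three-server threshold are this example's own choices.

```python
import re
from collections import defaultdict

# Shape of the registration line the thread attributes to Pretty Park:
#   'USER <rchar(5)> <rchar(6)> <rchar(7)> :<rchar(8)>'
# Four space-separated tokens of fixed length. The worm's "random" characters
# include punctuation such as { } ` [ so \S (any non-space) is the right class.
# Case-insensitive, like the lower-case "user" token in the Dragon signature.
PP_USER_RE = re.compile(r"^USER \S{5} \S{6} \S{7} :\S{8}$", re.IGNORECASE)

# Constructed sample of a Dragon-style event log. The column layout copies the
# mklog output in the post; the addresses are documentation ranges, not the
# ISP's real hosts. One non-PPARK event is included to show it is ignored.
SAMPLE_LOG = """\
10:34:36  [F]  10.0.0.5   192.0.2.10    [IRC:PPARK] (tcp,dp=6667,sp=1187) (sensor.example.net)
10:35:37  [F]  10.0.0.5   198.51.100.7  [IRC:PPARK] (tcp,dp=6667,sp=1212) (sensor.example.net)
10:37:07  [F]  10.0.0.5   203.0.113.20  [IRC:PPARK] (tcp,dp=6667,sp=1244) (sensor.example.net)
12:49:38  [F]  10.0.0.9   192.0.2.10    [IRC:PPARK] (tcp,dp=6667,sp=1028) (sensor.example.net)
12:51:02  [F]  10.0.0.9   192.0.2.10    [IRC:JOIN]  (tcp,dp=6667,sp=1029) (sensor.example.net)
"""

# Constructed client-to-server IRC stream in the shape mksession replayed
# above (NICK/USER values copied from the post, join target shortened).
SAMPLE_SESSION = (
    "NICK PiD{HmnY\r\n"
    "USER nIYgK {[RZ`Z NbGdKzA :KbAYTkRx\r\n"
    "join #4ch0\r\n"
)

# Time, one-letter direction flag, source IP, destination IP, [EVENT:NAME].
DRAGON_LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+\[[A-Z]\]\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"\[(?P<event>[^\]]+)\]"
)


def is_pretty_park_user_line(line: str) -> bool:
    """True if one IRC client line has the 5/6/7/:8 random-token USER shape."""
    return PP_USER_RE.match(line.rstrip("\r\n")) is not None


def scan_irc_payload(payload: str) -> list:
    """Return the lines of a client->server stream that match the signature."""
    return [ln for ln in payload.splitlines() if is_pretty_park_user_line(ln)]


def servers_per_source(log_text: str, event: str = "IRC:PPARK") -> dict:
    """Map each flagged source IP to the set of IRC servers it was seen talking to."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = DRAGON_LOG_RE.match(line)
        if m and m.group("event") == event:
            seen[m.group("src")].add(m.group("dst"))
    return dict(seen)


def hunting_hosts(log_text: str, min_servers: int = 3) -> list:
    """Sources flagged against at least min_servers distinct IRC servers: the
    try-one-server-after-another behaviour the post points out, which
    corroborates a single fuzzy USER-line hit."""
    return sorted(src for src, dsts in servers_per_source(log_text).items()
                  if len(dsts) >= min_servers)


if __name__ == "__main__":
    print("USER hits:", scan_irc_payload(SAMPLE_SESSION))
    print("sources hunting for a server:", hunting_hosts(SAMPLE_LOG))
```

The regex carries the same fuzziness Ville warned about: a legitimate client whose username, hostname, servername and realname happen to be 5, 6, 7 and 8 characters long will also match, so a single hit is a lead rather than a verdict. The second half is what makes it usable in practice: the same host appearing against three or more IRC servers in the flagged events is the pattern visible in the ISP log, and it is cheap to compute from the sensor output that already exists.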

