Tuesday, October 01, 2013

Fun with IDS funtime

We've been scanning the entire Internet for a while, and amuse ourselves reading the "abuse" complaints. Those with firewalls dropping the packets are sensible, and send relatively sane requests on the matter. Those with IDS (intrusion detection systems) are sometimes a bit hysterical, using automated messages claiming that we are "hacking" them and that are activity is "illegal". They have too much faith that when an IDS labels something as an "intrusion" that the IDS is telling the truth.

The latest IDS behavior to annoy me is the EmergingThreats rule #2008597, generating lots of automated abuse messages from an MSSP (several for each of their customers). It triggers on the pattern (hex) of:

30 0C 06 08 2B 06 01 02 01 01 01 00 05 00

Ok, that's an easy fix, I'll just change my scanner's packet to have the following pattern, to evade the above rules. This is from my DEF CON 8 presentation in 2000, BTW, so it's a 13 year old technique:

30 0D 06 08 2B 06 01 80 02 01 01 01 00 05 00

This just adds a "80" byte in the middle of the pattern, which is legal according to the protocol, but which changes the pattern.

The attractive part of this change is that it now makes my scanner more detectable in the future, despite evading old signatures. Using the old pattern, my scanner looks a lot like other port scanners, and printers, and management tools, and pretty much anything that speaks SNMP. This new pattern is only generated by my masscan port scanner. If you IDS sig writers can please give it a nice name like "Bob's friendly SNMP scan" rather than "BLACKHAT EVILDOER DETECTED! ALERT!! ALERT!!!" I'd really appreciate it. It'll cut down on the panic next time I SNMP scan the entire Internet.

BTW, blame Dan Kaminsky (@dakami) for pointing out that it's okay for me to evade existing IDS signatures because in the long run, it makes my tool more distinctive and fingerprintable.

1 comment:

Chris said...

That is until an evildoer starts using your scan format for recon.