0 Replies Latest reply on Sep 24, 2014 4:15 AM by dmease729

    Custom signature assistance - Basic HTTP POST signature

    dmease729

      Hi,

      I am attempting to create a custom signature in a lab environment in an attempt to learn a little more, and am struggling to get what should be a fairly simple signature to work.  I have basic knowledge of HTTP but it is not something I am expert in, and was wondering if somebody could highlight where I am going wrong...

      My target is a Windows 2008 R2 server running DVWA.  The site has been configured in such a way that it is vulnerable to command execution.  A vulnerable page is designed to allow for a ping test.  The ping test in the screenshot below shows a ping to the ePO server.

      [Image: 01 - ping.JPG]

      Due to lack of input validation, the following screenshot shows the output from entering the following into the text field: 192.168.211.50 & type C:\xampp\apache\conf\ssl.key\server.key (note for those that know DVWA, the security level has been set to 'low' for this test)

      [Image: 02 - ping and ssl key.JPG]

      I wanted to think about a custom signature that triggered on this type of attack, and was initially looking for ampersands in the resultant POST, complicated somewhat by the fact that an ampersand already exists.  The following is an example TCP stream captured from the browsing host:

      [Image: 03 - wshark.jpg]

      After numerous attempts and not getting my signature to trigger, I 'went back to basics' and thought that, as this is a lab, I will just get it triggering simply on all POST requests, so have attempted to configure this as below (the rule is assigned to an IPS rules policy assigned to the DVWA host, and the protection policy is set to log, log, log, ignore).  Note that an executable has been configured as this is a Standard Rule and p41 of the '8.0 for ePO 4.5' Product Guide seems to advise that an executable needs to be included.  Wildcard configured as per p42 in the same guide.

      [Image: 04 - sig 01.JPG]

      [Image: 05 - sig 02.JPG]

      [Image: 06 - sig 03.JPG]

      So Host IPS 8.0.0.2933 (Patch 4), with content 8.0.0.5782 deployed, and new policies picked up and enforced.  The following shows the output from ClientControl /exportConfig <file> 4:

      [Image: 07 - custom sig.JPG]

      So... to test, I simply post anything via the website page above.  HipShield.log shows hits against signature 1148 (CMD Tool Access by a Network Aware Application), but nothing against my custom signature.

      Are there any thoughts as to where I am going wrong?  Any feedback greatly appreciated!

      Cheers,
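The detection idea in the post (an ampersand arriving in the POST body, complicated by the ampersand the form itself already uses as a pair separator) can be illustrated outside Host IPS. The following Python is an added example, not code from the original post or from McAfee: it decodes an application/x-www-form-urlencoded body the way the web server would, so that a literal `&` separating `ip=...` from `Submit=...` is never a hit, while an injected `&` (sent by the browser as `%26`) is only visible once the `ip` value has been decoded. The field name `ip` and the three sample bodies are constructed assumptions.

```python
"""Inspect a form-encoded POST body for command-injection metacharacters.

Added example, not from the original post or from Host IPS.  The form
field name `ip` and the SAMPLES bodies below are constructed assumptions.
"""
import re
from urllib.parse import parse_qsl

# Characters that chain, pipe or substitute a second command on cmd.exe
# or a POSIX shell when they survive into the argument of a ping call.
METACHAR_RE = re.compile(r"[&|;`$\r\n]")

# Conservative shape of a legitimate ping target: IPv4 literal or hostname.
HOST_RE = re.compile(r"^[A-Za-z0-9.\-]{1,253}$")


def inspect_post_body(body: str, field: str = "ip") -> dict:
    """Decode `body` and report on the first occurrence of `field`.

    parse_qsl splits on the raw '&' between pairs and percent-decodes each
    value, so a separator '&' is never reported; only an '&' that was
    encoded as %26 inside a value reaches the metacharacter check.
    """
    pairs = parse_qsl(body, keep_blank_values=True)
    values = [v for k, v in pairs if k == field]
    if not values:
        return {"field_present": False, "suspicious": False, "reason": None}
    value = values[0]
    hits = sorted(set(METACHAR_RE.findall(value)))
    if hits:
        return {"field_present": True, "suspicious": True,
                "reason": f"metacharacters {hits} in {field}={value!r}"}
    if not HOST_RE.match(value):
        return {"field_present": True, "suspicious": True,
                "reason": f"{field} value is not a host/IP: {value!r}"}
    return {"field_present": True, "suspicious": False, "reason": None}


# Constructed sample bodies, form-encoded as a browser would send them.
# "chained" is the encoding of the input shown in the post:
# 192.168.211.50 & type C:\xampp\apache\conf\ssl.key\server.key
SAMPLES = {
    "benign": "ip=192.168.211.50&Submit=Submit",
    "chained": ("ip=192.168.211.50+%26+type+C%3A%5Cxampp%5Capache%5Cconf"
                "%5Cssl.key%5Cserver.key&Submit=Submit"),
    "piped": "ip=192.168.211.50%7Cdir&Submit=Submit",
}


def scan_samples(samples=SAMPLES) -> dict:
    """Map each sample name to whether its `ip` value looks injected."""
    return {name: inspect_post_body(body)["suspicious"]
            for name, body in samples.items()}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:8s} {inspect_post_body(body)}")
```

The point of decoding before matching is the one the post runs into: a signature that looks for a bare `&` in the raw request will either fire on every legitimate submission (the pair separator) or miss the injected one entirely (it travels as `%26`). Matching on the decoded value of the specific parameter gives a check that distinguishes the two.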