[CIEL] Extracts from the Draft CIEL
==================================================================
Extracts from the Draft CIEL
==================================================================

Following is some information extracted from the draft Common Intrusion Event List (CIEL). Detailed explanations will take place at the Board meeting on Friday, but you can consult the meeting agenda for background and status information.

==================================================================
CIEL Summary
==================================================================

ICMP Decodes
------------
CIEL1 ICMP-EVENT

TCP Decodes
-----------
CIEL2 TCP-CONNECTION

UDP Decodes
-----------
CIEL37 UDP-TRAFFIC

IP Decodes
----------
CIEL3 IP-OPTIONS

Application Layer Decodes
-------------------------
CIEL4 TCP-PROTOCOL-COMMAND-DECODE
CIEL5 UDP-PROTOCOL-COMMAND-DECODE
CIEL6 DECODE-CONTENT-TYPE
CIEL7 RPC-PORTMAPPER-DECODE

Application Layer Detects
-------------------------
CIEL8 TELNET-CLIENT-CONNECT
CIEL9 RS-SESSION-KILL
CIEL10 WEB-PERL

Miscellaneous application layer detects/decodes
-----------------------------------------------
CIEL11 WEB-APPLICATION-ACTIVITY

Detects of Specific Strings or Keywords
---------------------------------------
CIEL12 SPECIFIC-STRING-DETECT
CIEL13 SUSPICIOUS-FILENAME-DETECT
CIEL14 SYSTEM-CALL-DETECT
CIEL15 BUFFER-OVERFLOW-DETECT

IP Layer Alarms
---------------
CIEL16 IP-SPOOFING
CIEL17 DUPLICATE-IP-ADDRESS

TCP Layer Alarms
----------------
CIEL18 TCP-HIJACKING

Application Layer Alarms
------------------------
CIEL19 FTP-BOUNCE
CIEL20 FINGER-REDIRECTION
CIEL21 BRUTE-FORCE-LOGIN

Miscellaneous Alarms
--------------------
CIEL22 VULNERABILITY-EXPLOIT

Trojan Horses / Malware Events
------------------------------
CIEL23 NETWORKED-TROJAN-ACTIVITY

Nonstandard Protocols or Protocol Violations
--------------------------------------------
CIEL24 NONSTANDARD-IP-PROTOCOL
CIEL25 NETWORKING-PROTOCOL-VIOLATION

Windows-specific Events
-----------------------
CIEL26 REGISTRY-KEY-ACCESS
CIEL27 WINDOWS-PASSWORD-CACHE
CIEL28 WINDOWS-NT-SAM
CIEL29 CLEARTEXT-SMB-PASSWORD

Probes
------
CIEL30 PORT-SCAN
CIEL31 HOST-SWEEP
CIEL32 ASSESSMENT-TOOL-SCAN

Flooding/Storm Events
---------------------
CIEL33 ICMP-FLOOD
CIEL34 TCP-FLOOD

Miscellaneous Events
--------------------
CIEL35 TUNNELING
CIEL36 OS-FINGERPRINTING

==================================================================
Sample CIEL Entries
==================================================================

CIEL1
------------------------------------------------------------------
:NAME ICMP-EVENT
Context1: field number (type)
Context2: code
Context3: source (tool) that caused the event
Description: A specific, single ICMP event (ping, protocol unreachable, etc.)
Notes: Context1 and Context2 should be as defined in RFC792; e.g. 8 for echo request, 0 for echo reply.
Should the tool that caused the event have a context? Should there be a general "tool" attribute for each CIEL entry?

CIEL2
------------------------------------------------------------------
:NAME TCP-CONNECTION
Context1: source and destination port numbers
Description: Completed connection (i.e. three-way handshake) for TCP traffic
Notes: The source and destination port numbers are in the form: SRC/DEST

CIEL3
------------------------------------------------------------------
:NAME IP-OPTIONS
Context1: Option name
Description: IP packet detected with an option enabled.
Notes: Option name is Loose Source Routing, Strict Source Routing, Record Route, Security, etc.
CIEL4
------------------------------------------------------------------
:NAME TCP-PROTOCOL-COMMAND-DECODE
Context1: port number
Context2: command
Context3: arguments
Description: Extraction of commands and arguments for a TCP protocol

CIEL13
------------------------------------------------------------------
:NAME SUSPICIOUS-FILENAME-DETECT
Context1: filename that was matched
Context2: port number
Context3: command
Description: Suspicious file name detected in TCP or UDP traffic

CIEL19
------------------------------------------------------------------
:NAME FTP-BOUNCE
Description: FTP bounce attack.
Notes: Rationale: FTP bounce is a unique attack that is specific to the FTP protocol, thus it can't be "abstracted" to a higher level.

CIEL22
------------------------------------------------------------------
:NAME VULNERABILITY-EXPLOIT
Context1: Identifier source
Context2: Identifier
Description: An exploitation or attack on a specific vulnerability or exposure.
Notes: "Identifier source" is the organization/database that provides the identification scheme (e.g. CVE, Bugtraq ID). The "Identifier" is the actual name/number/identifier that's used (e.g. CVE-1999-0067). This approach is in line with IETF IDWG.
If more than one identifier is used, should they be separated by a single space, e.g. "CVE-XXXX-YYYY CVE-XXXX-ZZZZ CVE-XXXX-WWWW"? Or should there be different instances of this CIEL? (But that could make it look like there are multiple events, instead of one event with several different "interpretations".)

==================================================================
Example CIEL Mapping: Snort signatures
==================================================================

NOTE: the syntax for CIEL names is not yet finalized.
Attacks on specific vulnerabilities
-----------------------------------
Name: IDS124 - SMTP-exploit8610ha
CIEL: CIEL22:CVE:CVE-1999-0203

Name: CVE-1999-0833 - OVERFLOW-Named-ADM-NXT - 8.2->8.2.1
CIEL: CIEL22:CVE:CVE-1999-0833

Trojan Horse traffic
--------------------
Name: IDS399 - BackOrifice1-info
CIEL: CIEL23:BackOrifice:info

Name: IDS398 - BackOrifice1-dir
CIEL: CIEL23:BackOrifice:dir

Name: IDS401 - Netbus-active-12345
CIEL: CIEL23:Netbus

ICMP Stuff
----------
Name: PING-ICMP Source Quench
CIEL: CIEL1:4

Other "sample" CIEL names (non-Snort)
-------------------------------------
Name: ping
CIEL: CIEL1:8

Name: ping reply
CIEL: CIEL1:0

TCP Stuff
---------
Name: FTP connect
CIEL: CIEL2:any/21
CIEL: CIEL2:21/any

Name: NETBIOS name service
CIEL: CIEL2:any/137
CIEL: CIEL2:137/any

Name: HTTP traffic
CIEL: CIEL2:any/80
CIEL: CIEL2:80/any

Name: HTTP GET request decode
CIEL: CIEL4:80:GET:*
  -> the 2nd context field can only be filled in dynamically!
  -> note relationship between CIEL4:x and CIEL2:x

Name: /etc/passwd seen in web traffic
CIEL: CIEL13:80:/etc/passwd
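As an added illustration (not code from the CIEL draft or the Snort mapping above), the following parses names in the colon-separated form used in the mapping and matches observed events against wildcard patterns such as CIEL2:any/21 and CIEL4:80:GET:*. Since the draft says the name syntax is not finalized, the colon layout, the treatment of "any" and "*" as wildcards, the SRC/DEST split for CIEL2, the space-separated multiple identifiers for CIEL22 and the context field names for CIEL23 are all assumptions made here.

```python
"""Parse draft CIEL names ("CIEL22:CVE:CVE-1999-0833") and match observed events
against wildcard patterns such as "CIEL2:any/21" or "CIEL4:80:GET:*". Added
illustration, not CIEL draft code: the draft leaves the syntax open, so the colon
layout, the 'any'/'*' wildcards, the SRC/DEST split and CIEL23's fields are assumed."""
# Context field names from the extract's sample entries (CIEL23's are assumed).
CIEL_ENTRIES = {
    "CIEL1": ("ICMP-EVENT", ("type", "code", "tool")),
    "CIEL2": ("TCP-CONNECTION", ("ports",)),
    "CIEL4": ("TCP-PROTOCOL-COMMAND-DECODE", ("port", "command", "arguments")),
    "CIEL13": ("SUSPICIOUS-FILENAME-DETECT", ("filename", "port", "command")),
    "CIEL19": ("FTP-BOUNCE", ()),
    "CIEL22": ("VULNERABILITY-EXPLOIT", ("id_source", "identifier")),
    "CIEL23": ("NETWORKED-TROJAN-ACTIVITY", ("trojan", "action")),
}
WILDCARDS = {"any", "*"}

def parse_ciel(text):
    """Return (ciel_id, entry_name, {field: value}); bad names raise ValueError."""
    ciel_id, *values = text.split(":")
    if ciel_id not in CIEL_ENTRIES:
        raise ValueError(f"unknown CIEL entry {ciel_id!r}")
    name, fields = CIEL_ENTRIES[ciel_id]
    if len(values) > len(fields):
        raise ValueError(f"{ciel_id} allows {len(fields)} context fields, got {len(values)}")
    ctx = dict(zip(fields, values))
    if ciel_id == "CIEL2" and "ports" in ctx:
        # CIEL2 packs both ports into one SRC/DEST field; split it for matching.
        src, _, dst = ctx.pop("ports").partition("/")
        ctx.update(src_port=src, dst_port=dst or "any")
    if ciel_id == "CIEL22" and "identifier" in ctx:
        # The draft asks whether several identifiers are space-separated; accept that.
        ctx["identifier"] = ctx["identifier"].split(" ")
    return ciel_id, name, ctx

def matches(pattern, observed):
    """True when observed is an instance of pattern; omitted/wildcard fields match anything."""
    pid, _, pctx = parse_ciel(pattern)
    oid, _, octx = parse_ciel(observed)
    if pid != oid:
        return False
    for fname, pval in pctx.items():
        oval = octx.get(fname)
        if isinstance(pval, list):  # CIEL22: match if the identifier lists overlap
            if not set(pval) & set(oval or []):
                return False
        elif pval not in WILDCARDS and pval != oval:
            return False
    return True
```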