A Crusoe Researches
Project

Parser

The Azwalaro project integrates new elements into the Ethereal parser:
- msg.name = returns a message to the Azwalaro output module
- msg.level = returns the level to the Azwalaro output module
- msg.version = version of the rule
- msg.ref = external reference of the rule (Bugtraq, Cve, ....)
- msg.class = several classes are available: policy, protocol, dos, suspicious, misc
=> these new elements are part of patch03 in the download section


Examples of rules and their optimisation by the Azwalaro project:
A) rule on another product: alert tcp any any -> any 80 (msg:"test1"; flow:to_server,established; uricontent:"/test.pl";)
the result with this other product and the attached pcap file: 08/30-12:03:45.183416 [**] [1:0:0] test1 [**] [Priority: 0] {TCP} 10.9.38.178:2336 -> 82.238.92.71:80
-> the other product matches test.pl, but test.pl is not in the URI!
Azwalaro rule: ip.src==0.0.0.0/0 and ip.dst==0.0.0.0/0 and tcp.port==80 and msg.name="test1" and lower(http.request.uri) contains "/test.pl"
Azwalaro result: no reply, GOOD

B) rule on another product: alert tcp any any -> any 80 (msg:"test2"; flow:to_server,established; uricontent:"/test2.pl"; content:"xxx";)
the result with this other product and the attached pcap file: just a 404 not found reply!
-> the other product matches test2.pl, but xxx is not matched because the \r\n means it is not on the first line!
Azwalaro rule: ip.src==0.0.0.0/0 and ip.dst==0.0.0.0/0 and tcp.port==80 and msg.name="test2" and (http.request.uri) contains "/test2.pl" and lower(http) contains "xxx"
result: Azwalaro found both contents! GOOD

C) rule on another product: alert tcp any any -> any 80 (msg:"test3"; flow:to_server,established; uricontent:"|3D 25|"; )
the result with this other product and the attached pcap file: 08/30-15:34:27.212731 [**] [1:0:0] test3 [**] [Priority: 0] {TCP} 10.9.38.178:1834 -> 82.238.92.71:80
-> the other product matches "3D 25", but that is NOT hex!
Azwalaro rule: ip.src==0.0.0.0/0 and ip.dst==0.0.0.0/0 and tcp.port==80 and msg.name="test3" and lower(http.request.uri) contains "\x3D\x25"
result: Azwalaro did not find the content! GOOD
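Examples A to C all come down to the same point: a rule that tests a decoded protocol field (the HTTP request URI) answers differently from a rule that searches the raw TCP payload, and a hex pattern must be compared as the bytes it denotes. The following Python is an added example written for this page, not code from the Azwalaro project or the Ethereal parser; the request bytes are constructed, the host names are placeholders, and the rule_a/rule_b/rule_c functions are this example's own approximation of the three Azwalaro rules above.

```python
# Added example (not part of Azwalaro or Ethereal). Shows field-aware matching
# on the HTTP request URI versus a raw-payload search, and hex-escape handling.

def parse_http_request(payload: bytes) -> dict:
    """Split a client HTTP request into method, URI and the raw message.

    Only the request line is interpreted; the rest of the message is kept so a
    rule can still search the whole request (as lower(http) contains "xxx" does).
    """
    request_line, _, _rest = payload.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise ValueError("not an HTTP request line: %r" % request_line)
    method, uri, _version = parts
    return {"method": method, "uri": uri, "raw": payload}

def contains(haystack: bytes, needle: bytes, lower: bool = False) -> bool:
    """Display-filter style 'contains': substring test, optionally case-folded."""
    if lower:
        haystack, needle = haystack.lower(), needle.lower()
    return needle in haystack

def hex_content(spec: str) -> bytes:
    """Turn a rule pattern written with \\xNN escapes into the bytes it denotes."""
    return spec.encode("ascii").decode("unicode_escape").encode("latin-1")

# Example A: match only when "/test.pl" is in the URI itself.
def rule_a(payload: bytes) -> bool:
    req = parse_http_request(payload)
    return contains(req["uri"], b"/test.pl", lower=True)

# What a payload-only matcher does: "/test.pl" anywhere in the request counts.
def naive_rule_a(payload: bytes) -> bool:
    return contains(payload, b"/test.pl", lower=True)

# Example B: URI test plus a case-folded search over the whole request.
def rule_b(payload: bytes) -> bool:
    req = parse_http_request(payload)
    return contains(req["uri"], b"/test2.pl") and contains(req["raw"], b"xxx", lower=True)

# Example C: the pattern "\x3D\x25" is the two bytes "=%", not the text "3D 25".
def rule_c(payload: bytes) -> bool:
    req = parse_http_request(payload)
    return contains(req["uri"], hex_content(r"\x3D\x25"), lower=True)

# Constructed sample requests (placeholder host names).
REQ_REFERER = (b"GET /index.html HTTP/1.1\r\n"
               b"Host: www.example.test\r\n"
               b"Referer: http://www.example.test/test.pl\r\n\r\n")   # /test.pl only in a header
REQ_TEST2 = (b"GET /test2.pl?x=1 HTTP/1.1\r\n"
             b"Host: www.example.test\r\n"
             b"User-Agent: XXX-agent\r\n\r\n")                           # "xxx" not on the first line
REQ_ENCODED = b"GET /cgi-bin/show?item=%2Fetc HTTP/1.1\r\nHost: www.example.test\r\n\r\n"  # URI holds "=%"
REQ_LITERAL = b"GET /cgi-bin/show?item=3D%2025 HTTP/1.1\r\nHost: www.example.test\r\n\r\n" # text "3D", "25" only

if __name__ == "__main__":
    print("A  field-aware:", rule_a(REQ_REFERER), " payload-only:", naive_rule_a(REQ_REFERER))
    print("B  both contents found:", rule_b(REQ_TEST2))
    print("C  hex bytes:", hex_content(r"\x3D\x25"), " encoded:", rule_c(REQ_ENCODED),
          " literal:", rule_c(REQ_LITERAL))
```

The first request reproduces example A: the payload-only search fires on the Referer header while the URI test stays quiet. The second reproduces B, where the second content sits in a header rather than on the request line. The third and fourth reproduce C: only the request whose URI actually carries the bytes 0x3D 0x25 matches.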

D) rule on another product: alert tcp any any -> any 25 (msg:"test4"; flow:to_server,established; content:!"MAIL"; content:"DATA"; )
the result with this other product and the pcap file
-> the other product does not match the DATA command without the MAIL command!
Azwalaro rule: ip.src==0.0.0.0/0 and ip.dst==0.0.0.0/0 and tcp.port==25 and msg.name="test4" and upper(smtp.req.command) contains "DATA" and not upper(smtp.req.command) contains "MAIL"
result: Azwalaro alerts because the MAIL command was not found! GOOD

E) with the other product it is not possible to create one rule matching the HTTP GET command or the HTTP POST command; the other product must use two rules!
Azwalaro creates it easily with the 'or' operator!
example: ip.src==0.0.0.0/0 and ip.dst==0.0.0.0/0 and tcp.port==80 and msg.name="test3" and (upper(http.request.method) contains "GET" or upper(http.request.method) contains "POST") GOOD
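Examples D and E each hide a detail worth seeing in working code: D negates a content test over the decoded SMTP command field rather than over the raw stream, and E combines 'and' with 'or', where the 'or' branch needs its own parentheses because 'and' binds tighter. The Python below is an added example for this page, not Azwalaro code; the SMTP sessions and packet records are constructed (RFC 5737 addresses, placeholder host names), and it assumes, as Python does, that 'and' takes precedence over 'or' in the filter language.

```python
# Added example (not part of Azwalaro or Ethereal). Shows the negated SMTP
# command test from example D and the and/or precedence trap from example E.
import ipaddress

def smtp_client_commands(session: bytes) -> list:
    """Return the SMTP verbs sent by the client, upper-cased, one per line."""
    verbs = []
    for line in session.split(b"\r\n"):
        if line:
            verbs.append(line.split(b" ", 1)[0].upper())
    return verbs

# Example D: upper(smtp.req.command) contains "DATA"
#            and not upper(smtp.req.command) contains "MAIL"
def rule_d(session: bytes) -> bool:
    verbs = smtp_client_commands(session)
    has_data = any(b"DATA" in v for v in verbs)
    has_mail = any(b"MAIL" in v for v in verbs)
    return has_data and not has_mail

# Constructed client sides of two SMTP sessions (placeholder host names).
SESSION_NORMAL = (b"EHLO mail.example.test\r\n"
                  b"MAIL FROM:<a@example.test>\r\n"
                  b"RCPT TO:<b@example.test>\r\n"
                  b"DATA\r\n")
SESSION_NO_MAIL = (b"EHLO mail.example.test\r\n"
                   b"RCPT TO:<b@example.test>\r\n"
                   b"DATA\r\n")

# ip.src==0.0.0.0/0 and ip.dst==0.0.0.0/0: every address is inside 0.0.0.0/0.
ANY_NET = ipaddress.ip_network("0.0.0.0/0")

def addr_ok(pkt: dict) -> bool:
    return (ipaddress.ip_address(pkt["src"]) in ANY_NET
            and ipaddress.ip_address(pkt["dst"]) in ANY_NET)

# Example E written without parentheses around the 'or': because 'and' binds
# tighter, the expression is (addr and port and GET) or POST, so any POST on
# any port matches.
def rule_e_unparenthesised(pkt: dict) -> bool:
    m = pkt["method"].upper()
    return addr_ok(pkt) and pkt["port"] == 80 and b"GET" in m or b"POST" in m

# Example E with the 'or' branch grouped: port 80 is required for both methods.
def rule_e_parenthesised(pkt: dict) -> bool:
    m = pkt["method"].upper()
    return addr_ok(pkt) and pkt["port"] == 80 and (b"GET" in m or b"POST" in m)

# Constructed packet summaries (assumed field names, not Ethereal's).
GET_80 = {"src": "192.0.2.10", "dst": "198.51.100.5", "port": 80, "method": b"GET"}
POST_8080 = {"src": "192.0.2.10", "dst": "198.51.100.5", "port": 8080, "method": b"POST"}

if __name__ == "__main__":
    print("D  normal session:", rule_d(SESSION_NORMAL), " no MAIL:", rule_d(SESSION_NO_MAIL))
    print("E  GET on 80   unparenthesised:", rule_e_unparenthesised(GET_80),
          " parenthesised:", rule_e_parenthesised(GET_80))
    print("E  POST on 8080 unparenthesised:", rule_e_unparenthesised(POST_8080),
          " parenthesised:", rule_e_parenthesised(POST_8080))
```

The POST on port 8080 is the case to watch: the ungrouped form alerts on it even though the rule's tcp.port==80 clause should have excluded it, while the grouped form does not. The same trap applies whenever an 'or' is appended to an existing chain of 'and' clauses.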