Thread: Revision to 2006380 POLICY Basic Auth Base64

Revision to 2006380 POLICY Basic Auth Base64
2007-07-17 14:28:39
I really love this new signature, it’s very interesting to see how much information goes out in the clear (cough, cough, cisco.com).

But there are several instances that might make it less noisy. I notice that several sites authenticate base64 but with the credentials ("anonymous:"), or (":"). By excluding those base64 strings from the sig it would not reduce the positive alerts but would eliminate at least these FP's. Then again, this list of excludes could go on and on. Just some food for thought.

Here's what I had in mind.

alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE POLICY Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:!"Og=="; content:!"YW5vbnltb3VzOg=="; content:"Authorization|3a 20|Basic"; nocase; classtype:policy-violation; sid:2006380; rev:4;)


Note:
Og==                is ":"
YW5vbnltb3VzOg==    is "anonymous:"



--
Jon Scheidell
Security Engineer
SECNAP Network Security
(561) 999-5000 x:4110
www.secnap.com





Re: Revision to 2006380 POLICY Basic Auth Base64
2007-07-17 17:34:16
Excellent idea Jon. I'm adding those now.

Matt

Jonathan Scheidell wrote:
> I really love this new signature, it's very interesting to see how much
> information goes out in the clear (cough, cough, cisco.com).
> 
> But there are several instances that might make it less noisy. I notice
> that several sites authenticate base64 but with the credentials
> ("anonymous:"), or (":"). By excluding those base64 strings from the
> sig it would not reduce the positive alerts but would eliminate at least
> these FP's. Then again, this list of excludes could go on and on. Just
> some food for thought.
> 
> Here's what I had in mind.
> 
> alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE POLICY Basic Auth
> Base64 HTTP Password detected unencrypted"; flow:established,to_server;
> content:!"Og=="; content:!"YW5vbnltb3VzOg=="; content:"Authorization|3a
> 20|Basic"; nocase; classtype:policy-violation; sid:2006380; rev:4;)
> 
> 
> Note:
> Og==                is ":"
> YW5vbnltb3VzOg==    is "anonymous:"
> 
> 
> -- 
> Jon Scheidell
> Security Engineer
> SECNAP Network Security
> (561) 999-5000 x:4110
> www.secnap.com

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
US Phone 765-429-0398
US Fax 312-264-0205
AUS Phone 61-42-4157-491
AUS Fax 61-29-4750-026
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc


_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

Re: POLICY Basic Auth Base64
2007-07-18 07:54:33
My lord who has time for all these alerts!? How does one convey this policy to their users? "Hey user, don't be so stupid! Everyone knows that you shouldn't use websites that require you to send base64 encoded passwords!" Seriously, as a policy sig it's almost impossible to enforce. As an alternative I've oink'd the sig to tell me when this kind of sensitive info 'exits' my networks. It's much easier to fix something that you actually have a control over. This is a great sig but it's a little azz-backwards for my use.

modifysid 2006380 "$HOME_NET any -> any" | "$EXTERNAL_NET any -> $HOME_NET"

Jonathan Scheidell wrote:
> I really love this new signature, it's very interesting to see how much
> information goes out in the clear (cough, cough, cisco.com).
> 
> But there are several instances that might make it less noisy. I notice
> that several sites authenticate base64 but with the credentials
> ("anonymous:"), or (":"). By excluding those base64 strings from the sig it
> would not reduce the positive alerts but would eliminate at least these
> FP's. Then again, this list of excludes could go on and on. Just some food
> for thought.
> 
> Here's what I had in mind.
> 
> alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE POLICY Basic Auth
> Base64 HTTP Password detected unencrypted"; flow:established,to_server;
> content:!"Og=="; content:!"YW5vbnltb3VzOg=="; content:"Authorization|3a
> 20|Basic"; nocase; classtype:policy-violation; sid:2006380; rev:4;)
> 
> 
> Note:
> Og==                is ":"
> YW5vbnltb3VzOg==    is "anonymous:"
> 

Re: Revision to 2006380 POLICY Basic Auth Base64
2007-07-20 18:32:40
content:!"Og==";
Matches on content:!"YW5vbnltb3VzOg=="
doesn't it?


On Tuesday 17 July 2007 20:28, Jonathan Scheidell wrote:
> I really love this new signature, it's very interesting to see how much
> information goes out in the clear (cough, cough, cisco.com).
>
> But there are several instances that might make it less noisy. I notice
> that several sites authenticate base64 but with the credentials
> ("anonymous:"), or (":"). By excluding those base64 strings from the sig
> it would not reduce the positive alerts but would eliminate at least these
> FP's. Then again, this list of excludes could go on and on. Just some
> food for thought.
>
> Here's what I had in mind.
>
> alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE POLICY Basic Auth
> Base64 HTTP Password detected unencrypted"; flow:established,to_server;
> content:!"Og=="; content:!"YW5vbnltb3VzOg=="; content:"Authorization|3a
> 20|Basic"; nocase; classtype:policy-violation; sid:2006380; rev:4;)
>
>
> Note:
> Og==                is ":"
> YW5vbnltb3VzOg==    is "anonymous:"

Re: Revision to 2006380 POLICY Basic Auth Base64
2007-07-20 18:37:43
You're right, it does. The first string is the : and space after, which of course in a base64 encode doesn't change.

To that end though, Og== will be in all of the auth's, since that's the beginning of the string.

I need to remove that one, I think it's breaking the sig!

Matt

bleeding-sigs@katar.eclipse.co.uk wrote:
> content:!"Og==";
> Matches on content:!"YW5vbnltb3VzOg=="
> doesn't it?
> 
> 
> On Tuesday 17 July 2007 20:28, Jonathan Scheidell wrote:
>> I really love this new signature, it's very interesting to see how much
>> information goes out in the clear (cough, cough, cisco.com).
>>
>> But there are several instances that might make it less noisy. I notice
>> that several sites authenticate base64 but with the credentials
>> ("anonymous:"), or (":"). By excluding those base64 strings from the sig
>> it would not reduce the positive alerts but would eliminate at least these
>> FP's. Then again, this list of excludes could go on and on. Just some
>> food for thought.
>>
>> Here's what I had in mind.
>>
>> alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE POLICY Basic Auth
>> Base64 HTTP Password detected unencrypted"; flow:established,to_server;
>> content:!"Og=="; content:!"YW5vbnltb3VzOg=="; content:"Authorization|3a
>> 20|Basic"; nocase; classtype:policy-violation; sid:2006380; rev:4;)
>>
>>
>> Note:
>> Og==                is ":"
>> YW5vbnltb3VzOg==    is "anonymous:"



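The negated-content problem katar and Matt identify above, worked through as an added example; this is not code from the list thread or from Bleeding Edge Threats. It approximates, in Python, the content semantics the posted rev:4 relies on: a content with no offset/depth/distance/within modifiers is searched over the whole payload, a negated content only passes when the string is absent everywhere, and nocase applies only to the content it follows (so the two negated strings are case-sensitive). The HTTP requests are constructed for the example, www.example.com is a placeholder, and the helper names (rule_matches, basic_request, decoded_credential, should_alert, compare) are mine. Two things fall out of running it. Base64 padding can only occur at the end of an encoded string, so Og== appears in a Basic token exactly when the decoded credential ends in ':' and its length is 1 modulo 3: the exclusion therefore suppresses bob: but still alerts on alice:. And because the negated content is evaluated against the entire packet, an unrelated Og== anywhere else in the request silences the rule for a real credential. Deciding on the decoded credential avoids both.

```python
import base64
import re

# Content matches from the proposed rev:4 of sid 2006380 as posted on the list.
# Only the last content carries 'nocase', so the negated ones are case-sensitive.
POSITIVE_NOCASE = [b"Authorization: Basic"]
NEGATED = [b"Og==", b"YW5vbnltb3VzOg=="]

# The two credentials the thread wanted to suppress, as (user, password).
SUPPRESSED = {("", ""), ("anonymous", "")}


def rule_matches(payload: bytes) -> bool:
    """Approximate Snort content semantics for the rule: every positive content
    must be found somewhere in the payload (case-insensitively here, because of
    nocase) and every negated content must be absent from the whole payload."""
    for pat in POSITIVE_NOCASE:
        if re.search(re.escape(pat), payload, re.IGNORECASE) is None:
            return False
    return not any(neg in payload for neg in NEGATED)


def basic_request(cred: str, extra_header: str = "") -> bytes:
    """Build a constructed HTTP request carrying `cred` in a Basic header.
    Sample input made up for this example; the Host value is a placeholder.
    `extra_header` lets a caller drop an unrelated header into the packet."""
    token = base64.b64encode(cred.encode("latin-1")).decode("ascii")
    return (
        "GET / HTTP/1.1\r\n"
        "Host: www.example.com\r\n"
        f"{extra_header}"
        f"Authorization: Basic {token}\r\n\r\n"
    ).encode("latin-1")


def decoded_credential(payload: bytes):
    """Decode-then-inspect: return (user, password) from the Basic header,
    or None when there is no well-formed Basic token in the request."""
    m = re.search(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", payload, re.IGNORECASE)
    if m is None:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True).decode("latin-1")
    except ValueError:  # binascii.Error is a ValueError: bad alphabet or padding
        return None
    user, _, password = raw.partition(":")
    return user, password


def should_alert(payload: bytes) -> bool:
    """Alert on every Basic credential except the suppressed ones, decided on
    the decoded value so that base64 alignment cannot change the verdict."""
    cred = decoded_credential(payload)
    return cred is not None and cred not in SUPPRESSED


def compare(cred: str, extra_header: str = "") -> tuple:
    """Return (base64 token, verdict of the rev:4 content logic, decoded verdict)."""
    req = basic_request(cred, extra_header)
    token = base64.b64encode(cred.encode("latin-1")).decode("ascii")
    return token, rule_matches(req), should_alert(req)


if __name__ == "__main__":
    print(f"{'credential':<14}{'base64':<20}{'rev:4 rule':<12}decoded check")
    for cred in [":", "anonymous:", "bob:", "alice:", "user:secret"]:
        token, by_rule, by_decode = compare(cred)
        print(f"{cred!r:<14}{token:<20}{by_rule!s:<12}{by_decode}")
    # An unrelated 'Og==' elsewhere in the packet silences the negated content,
    # even though a real user:secret credential is still on the wire.
    print(compare("user:secret", "X-Trace: Og==\r\n"))
```

Run as a script it prints one row per constructed credential; bob: and alice: both carry an empty password yet get opposite verdicts from the raw-content logic, and the last line shows the real credential being suppressed by a stray Og== in another header. A signature-based equivalent of should_alert needs the engine to decode the token before matching rather than a negated raw content; Suricata's base64_decode and base64_data keywords exist for that purpose, while Snort 2.x rules of this era can only match the encoded form.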

Re: Re: POLICY Basic Auth Base64
2007-07-20 19:03:01
I think the initial purpose of this sig applied to your environment is possibly irrelevant then. While you may not be concerned about this kind of traffic flowing over your network there could well be others that do.

This sig has caught enterprise admin accounts connecting to a developer's web app in a live environment I have been in. Within my network I am glad the issue was spotted and stopped before someone else abused it. But that's my network... yours is of course yours =)

kATAR.




On Wednesday 18 July 2007 13:54, RPG wrote:
> My lord who has time for all these alerts!? How does one convey this
> policy to their users? "Hey user, don't be so stupid! Everyone knows
> that you shouldn't use websites that require you to send base64 encoded
> passwords!" Seriously, as a policy sig it's almost impossible to
> enforce. As an alternative I've oink'd the sig to tell me when this
> kind of sensitive info 'exits' my networks. It's much easier to fix
> something that you actually have a control over. This is a great sig
> but it's a little azz-backwards for my use.
>
> modifysid 2006380 "$HOME_NET any -> any" | "$EXTERNAL_NET any -> $HOME_NET"
>
> Jonathan Scheidell wrote:
> > I really love this new signature, it's very interesting to see how much
> > information goes out in the clear (cough, cough, cisco.com).
> >
> > But there are several instances that might make it less noisy. I notice
> > that several sites authenticate base64 but with the credentials
> > ("anonymous:"), or (":"). By excluding those base64 strings from the sig
> > it would not reduce the positive alerts but would eliminate at least
> > these FP's. Then again, this list of excludes could go on and on. Just
> > some food for thought.
> >
> > Here's what I had in mind.
> >
> > alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE POLICY Basic Auth
> > Base64 HTTP Password detected unencrypted"; flow:established,to_server;
> > content:!"Og=="; content:!"YW5vbnltb3VzOg=="; content:"Authorization|3a
> > 20|Basic"; nocase; classtype:policy-violation; sid:2006380; rev:4;)
> >
> >
> > Note:
> > Og==                is ":"
> > YW5vbnltb3VzOg==    is "anonymous:"

Re: Re: POLICY Basic Auth Base64
2007-07-20 22:42:36
You make a good point. This may generate a number of alerts, that's why it's in the policy set.

If you define your external net as !$HOME_NET (which is feasible in many cases, but not all) then it'll only show you stuff going outbound. Those are of interest, it's a favorite pen testers' trick to get a user to click on a link that'll force NTLM auth via HTTP, then they have your hash. A few minutes in John the Ripper and they have a really good chance of having your VPN password, then the game's 3/4 over.

It might be a lot of alerts to start, but you can pare that down by educating folks, or blocking access to suspicious things.

Bottom line, it's an interesting sig, but not appropriate for everywhere. Which can be said about most IDS sigs. Use them where they are appropriate.

Matt

bleeding-sigs@katar.eclipse.co.uk wrote:

> On Wednesday 18 July 2007 13:54, RPG wrote:
>> My lord who has time for all these alerts!? How does one convey this
>> policy to their users? "Hey user, don't be so stupid! Everyone knows
>> that you shouldn't use websites that require you to send base64 encoded
>> passwords!" Seriously, as a policy sig it's almost impossible to
>> enforce. As an alternative I've oink'd the sig to tell me when this
>> kind of sensitive info 'exits' my networks. It's much easier to fix
>> something that you actually have a control over. This is a great sig
>> but it's a little azz-backwards for my use.
>>
>> modifysid 2006380 "$HOME_NET any -> any" | "$EXTERNAL_NET any -> $HOME_NET"
>>
>> Jonathan Scheidell wrote:
>>> I really love this new signature, it's very interesting to see how much
>>> information goes out in the clear (cough, cough, cisco.com).
>>>
>>> But there are several instances that might make it less noisy. I notice
>>> that several sites authenticate base64 but with the credentials
>>> ("anonymous:"), or (":"). By excluding those base64 strings from the sig
>>> it would not reduce the positive alerts but would eliminate at least
>>> these FP's. Then again, this list of excludes could go on and on. Just
>>> some food for thought.
>>>
>>> Here's what I had in mind.
>>>
>>> alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE POLICY Basic Auth
>>> Base64 HTTP Password detected unencrypted"; flow:established,to_server;
>>> content:!"Og=="; content:!"YW5vbnltb3VzOg=="; content:"Authorization|3a
>>> 20|Basic"; nocase; classtype:policy-violation; sid:2006380; rev:4;)
>>>
>>>
>>> Note:
>>> Og==                is ":"
>>> YW5vbnltb3VzOg==    is "anonymous:"



