The ASN.1 Keyword
The asn1 keyword allows you to decode a packet or a portion of a packet, looking for various malicious encodings. The following table describes the arguments for the asn1 keyword.
Argument | Description |
---|---|
Bitstring Overflow | Detects invalid, remotely exploitable bitstring encodings. |
Double Overflow | Detects a double ASCII encoding that is larger than a standard buffer. This is known to be an exploitable function in Microsoft Windows, but it is unknown at this time which services may be exploitable. |
Oversize Length | Detects ASN.1 type lengths greater than the supplied argument. For example, if you set the Oversize Length to 500, any ASN.1 type greater than 500 triggers the rule. |
Absolute Offset | Sets an absolute offset from the beginning of the packet payload. (Remember that the offset counter starts at byte 0.) For example, if you want to decode SNMP packets, set Absolute Offset to 0 and do not set a Relative Offset. Absolute Offset may be positive or negative. |
Relative Offset | This is the relative offset from the last successful content match, |
For example, there is a known vulnerability in the Microsoft ASN.1 Library that creates a buffer overflow, allowing an attacker to exploit the condition with a specially crafted authentication packet. When the system decodes the ASN.1 data, exploit code in the packet could execute on the host with system-level privileges or could cause a DoS condition. The following rule uses the asn1 keyword to detect attempts to exploit this vulnerability:
```
alert tcp $EXTERNAL_NET any -> $HOME_NET 445
(flow:to_server, established; content:"|FF|SMB|73|";
nocase; offset:4; depth:5;
asn1:bitstring_overflow,double_overflow,oversize_length 100,
relative_offset 54;)
```
The above rule generates an event against TCP traffic traveling from any IP address defined in the $EXTERNAL_NET variable, from any port, to any IP address defined in the $HOME_NET variable using port 445. In addition, it only executes the rule on established TCP connections to servers. The rule then tests for specific content in specific locations. Finally, the rule uses the asn1 keyword to detect bitstring encodings and double ASCII encodings and to identify ASN.1 type lengths over 100 bytes in length starting 55 bytes from the end of the last successful content match. (Remember that the offset counter starts at byte 0.)
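As an added illustration of how the table's arguments and the rule above fit together, the following Python models the rule's logic on constructed sample bytes. It is example code written for this page, not Snort's implementation: it locates the content match inside the offset/depth window, steps relative_offset bytes past the end of that match, walks the BER type-length-value structure found there, and reports any declared length greater than the oversize_length threshold. The bitstring check is a simplified stand-in (a BIT STRING whose unused-bits octet is greater than 7 is an invalid encoding under X.690), not the keyword's exact test, and double_overflow is not modelled. The function and constant names, and the packet bytes, are all constructed for the example.

```python
# Added example: a toy model of the asn1 keyword's content-relative decoding and
# its oversize_length / bitstring_overflow checks. Not Snort's own code; the
# packet bytes below are constructed sample data, not captured SMB traffic.

from typing import List, Optional, Tuple

Finding = Tuple[str, int, int]  # (check name, byte offset of the TLV tag, offending value)


def find_content(payload: bytes, content: bytes, offset: int = 0,
                 depth: Optional[int] = None, nocase: bool = False) -> int:
    """Mimic content/offset/depth: search only payload[offset:offset+depth].
    Return the index just past the match (the point relative_offset counts from), or -1."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    needle = content
    if nocase:
        window, needle = window.lower(), content.lower()  # affects ASCII letters only
    idx = window.find(needle)
    return -1 if idx < 0 else offset + idx + len(content)


def read_ber_length(buf: bytes, pos: int) -> Optional[Tuple[int, int]]:
    """Decode a BER length at buf[pos]. Returns (declared length, index of the first
    value byte), or None when the length is truncated or uses the indefinite form
    (0x80), which this toy does not model."""
    if pos >= len(buf):
        return None
    first = buf[pos]
    if first < 0x80:                          # short form: the byte is the length
        return first, pos + 1
    n = first & 0x7F                          # long form: 0x80|n, then n length bytes
    if n == 0 or pos + 1 + n > len(buf):
        return None
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def asn1_checks(payload: bytes, start: int, oversize_length: int) -> List[Finding]:
    """Walk BER type-length-value triples from `start`, descending into constructed
    types. Report declared lengths above the threshold (oversize_length) and BIT
    STRINGs whose unused-bits octet exceeds 7 (invalid per X.690; a simplified
    stand-in for the keyword's bitstring_overflow test)."""
    findings: List[Finding] = []
    pos = start
    while pos < len(payload):
        tag = payload[pos]
        decoded = read_ber_length(payload, pos + 1)
        if decoded is None:
            break
        length, value_pos = decoded
        if length > oversize_length:
            findings.append(("oversize_length", pos, length))
        if tag == 0x03 and length >= 1 and value_pos < len(payload):   # universal BIT STRING
            unused_bits = payload[value_pos]
            if unused_bits > 7:
                findings.append(("bitstring_overflow", pos, unused_bits))
        # constructed (bit 6 set): decode the children; primitive: skip over the value
        pos = value_pos if tag & 0x20 else value_pos + length
    return findings


def evaluate_rule(payload: bytes, oversize_length: int = 100,
                  relative_offset: int = 54) -> List[Finding]:
    """Model the page's rule: content:"|FF|SMB|73|" with nocase, offset:4, depth:5,
    then ASN.1 decoding starting relative_offset bytes past the end of that match."""
    match_end = find_content(payload, b"\xffSMB\x73", offset=4, depth=5, nocase=True)
    if match_end < 0:
        return []
    return asn1_checks(payload, match_end + relative_offset, oversize_length)


def build_sample(asn1_body: bytes) -> bytes:
    """Constructed payload: a 4-byte session header, the SMB marker, 54 bytes of filler
    so the ASN.1 body lands exactly relative_offset past the match, then the body."""
    return b"\x00\x00\x00\x00" + b"\xffSMB\x73" + b"\x00" * 54 + asn1_body


# SEQUENCE { INTEGER 5 }: declared lengths 3 and 1, nothing to report
BENIGN = bytes.fromhex("3003020105")
# SEQUENCE with declared length 256 wrapping a BIT STRING whose unused-bits octet is 15
MALICIOUS = bytes.fromhex("30820100" "03020f00")

if __name__ == "__main__":
    print(evaluate_rule(build_sample(BENIGN)))     # []
    print(evaluate_rule(build_sample(MALICIOUS)))  # [('oversize_length', 63, 256), ('bitstring_overflow', 67, 15)]
```

The offsets in the findings show the arithmetic the page describes: the content match ends at byte 9 (offset 4 plus the 5 matched bytes), so decoding begins at byte 63, which is the 55th byte counted from the end of the match when the counter starts at 0. A declared length of exactly 100 is not reported, because the check is for lengths greater than the threshold.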