Alexey Vishnyakov, Security Code

Backdoors, spyware, bankers… SQL injections, cross-site scripting, exploits… The common availability of Web resources leads to an annual increase of using tools (and just knowledge about the attacks and how to do them) against corporate systems, industrial facilities, government agencies, etc. Today we have a wide range of not only the variations of the attacks themselves, but also their quality. Moreover, the quality of their implementation also.

Everyone can now conduct an attack or write their own malicious software: PoC-samples of exploitation of vulnerabilities or the source code of well-known malware is not so difficult to find. However, ways to detect malicious network activity are also exist and known: that’s quite popular to use the classic NIDS “Snort” or “Suricata” as well with the writing of the relevant decisive rules. The power of such rules is very high, and it is possible to identify the loud malicious software successfully. However, what if the data transmission over the network organized more difficult or it is similar to a legitimate way? What if flexibility of the syntax does not allow covering a non-trivial situation without false positives?

In this research, we will talk about the advanced capabilities of NIDS Snort and Suricata: using dynamic detection modules and Lua scripts, respectively. We will look for concrete examples of non-standard network activity (DNS/TLS-tunneling, transmission of encrypted messages via HTTP, exploitation of vulnerabilities, etc.), which cannot be described by classic decision rules. We will consider the methods and techniques for detecting malicious packages, as well as laying out the code for improved rules.