“The rules exist to violate them” or advanced methods of using classic NIDS

Alexey Vishnyakov, Security Code

Backdoors, spyware, bankers… SQL injections, cross-site scripting, exploits… The widespread availability of web resources leads to a yearly increase in the use of tools (and of plain knowledge about attacks and how to carry them out) against corporate systems, industrial facilities, government agencies and so on. Today the attacks vary widely not only in kind but also in quality, including the quality of their implementation.

Anyone can now conduct an attack or write their own malware: PoC samples that exploit vulnerabilities and the source code of well-known malware are not hard to find. However, ways to detect malicious network activity also exist and are well known: it is quite common to use the classic NIDS Snort or Suricata together with appropriately written detection rules. Such rules are very powerful, and noisy malware can be identified successfully. But what if the data transmission over the network is organized in a more complex way, or looks like legitimate traffic? What if the flexibility of the rule syntax is not enough to cover a non-trivial situation without false positives?

In this talk we will discuss the advanced capabilities of the NIDS Snort and Suricata: dynamic detection modules and Lua scripts, respectively. We will look at concrete examples of non-standard network activity (DNS/TLS tunneling, transmission of encrypted messages over HTTP, exploitation of vulnerabilities, etc.) that cannot be described by classic detection rules. We will consider methods and techniques for detecting malicious packets, and release the code of the improved rules.
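The gap between a classic content rule and a scripted check is easiest to see on DNS tunneling. The following is an added example, not code from the talk or its author: a Python stand-in for the kind of logic a Suricata Lua script or Snort dynamic module would evaluate on the queried name, placed beside two checks that stay within what a plain rule can express (a known-domain match and a name-length limit). All domain names, the blocklist and the thresholds are constructed for illustration.

```python
"""Added example (not from the talk): a scripted DNS-tunnel heuristic compared
with two "classic rule" style checks. Names and thresholds are constructed."""
import math
from collections import Counter

# Assumed thresholds (tunable; chosen for the constructed samples below).
PAYLOAD_MIN_LEN = 32   # a tunnel needs room for data in the subdomain labels
ENTROPY_MIN = 4.0      # bits/char: uniform hex is 4.0, base32 is 5.0, English text ~3.7
LABEL_MAX_LEN = 40     # a single label this long is rare in legitimate names

# Constructed blocklist, standing in for a rule that matches a known tunnel domain.
KNOWN_TUNNEL_DOMAINS = {"tunnel-example.test"}

# Constructed query names: three legitimate-looking, two carrying encoded payload.
# The encoded labels are permutations of the hex / base32 alphabets so their
# entropy is exactly 4.0 and 5.0 bits per character.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.org",
    "autodiscover.europe-west-datacenter-mail.example.com",
    "7c0e93a5f1b8d246b3f6a0d19e2c8574e58d2a7f0c4b1963.tunnel-example.test",
    "k3zq7bcmwe2rt6yu5iosgh4pdnjlxfva.x2dfhjm7nqbsvzc5akpt6yglo3uw4ier.dnsx-example.invalid",
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_payload(name: str):
    """Return (subdomain labels, registered domain), treating the last two
    labels as the domain and everything to their left as potential payload."""
    labels = name.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])


def rule_known_domain(name: str, blocklist=KNOWN_TUNNEL_DOMAINS) -> bool:
    """What a content/pcre rule can do: match a domain already known to be bad."""
    return split_payload(name)[1] in blocklist


def rule_long_name(name: str, max_len: int = 50) -> bool:
    """A naive length rule: cheap, but long legitimate names trip it."""
    return len(name.rstrip(".")) > max_len


def scripted_tunnel_check(name: str):
    """The scripted check: combines payload length, per-character entropy and
    longest label, which classic rule syntax cannot compute. Returns
    (suspicious, features) so the features can be logged with an alert."""
    payload_labels, _ = split_payload(name)
    payload = "".join(payload_labels)
    features = {
        "payload_len": len(payload),
        "entropy": shannon_entropy(payload),
        "longest_label": max((len(l) for l in payload_labels), default=0),
    }
    suspicious = features["payload_len"] >= PAYLOAD_MIN_LEN and (
        features["entropy"] >= ENTROPY_MIN
        or features["longest_label"] >= LABEL_MAX_LEN
    )
    return suspicious, features


def evaluate(queries=SAMPLE_QUERIES):
    """Run all three checks over the queries; returns {name: {check: verdict}}."""
    return {
        q: {
            "known_domain": rule_known_domain(q),
            "long_name": rule_long_name(q),
            "scripted": scripted_tunnel_check(q)[0],
        }
        for q in queries
    }


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name}\n    {verdicts}")
```

On the constructed samples the known-domain rule catches only the tunnel whose domain is already listed, the length rule flags the legitimate `autodiscover…` name as well, and the scripted check flags both tunnels and nothing else. That is the argument of the abstract in miniature: the decision depends on a computed property of the payload, not on a byte pattern.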

Alexey Vishnyakov

Graduated from the National Research Nuclear University MEPhI in 2015. Senior network analyst in the network threat analysis lab at Security Code, responsible for threat research, signature detection and product evolution. Worked at Kaspersky Lab as a malware analyst in the Shift AV Group for three years, from 2014 to 2017. Spoke at the PHDays conference (Moscow, Russia) and the AVAR conference (Beijing, China) in 2017.
