Introduction to Ngrep
During the course of investigating the wu-ftpd exploit, analysts were reminded of one of the limitations of current Intrusion Detection Systems: the inability to match regular expressions. When the attack contains identifiable fixed strings of characters, the signature is reasonably straightforward:
alert tcp $EXTERNAL_NET any -> $HOME_NET 21
(msg:"FTP EXPLOIT wu-ftpd 2.6.0"; flags: A+;
classtype:attempted-user; sid:348; rev:1;)
This Snort signature flags packets sent to an FTP server whose payload contains the hex bytes 2e2e313 followed by the string "venglin@" (the content: option that carries that byte pattern is not shown in the rule as quoted above; everything else in the rule only restricts the match to established TCP sessions headed for port 21).
The problem comes when there is no fixed series of characters to match against. The November 2001 wu-ftpd vulnerability (a heap corruption in the server's file-globbing code, CVE-2001-0550) is triggered by a sequence of whitespace, a tilde, optional characters, a left curly brace, and then any further characters without a matching right curly brace; such a request corrupts wu-ftpd's heap, crashing the server or, with a crafted payload, handing the attacker remote code execution.
Because an arbitrary number of characters may appear between the tilde and the brace, and because the trailing block must not contain a "}", we need something stronger than a fixed string: a regular expression, which is exactly what ngrep applies to packet payloads.
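As an added example (not code from the original article or from the ngrep project), the pattern described above written as an extended regular expression, exercised with grep -E against constructed FTP command lines, next to the fixed-string check that a content-only signature can express. The sample commands and the helper names are assumptions made for the illustration; the ngrep command line in the comment is the same expression applied to a live interface and is not run by the script.

```sh
#!/bin/sh
# Added example, not from the original article: the "~{" glob pattern expressed
# as an extended regular expression, exercised with grep -E against constructed
# FTP command lines, next to the fixed-string check a content-only signature can do.

# Whitespace, a tilde, optional characters, a left curly brace, then anything up
# to end of line that does not contain a closing brace. Bracket expressions are
# used for the braces so the same text works in POSIX ERE, GNU regex and PCRE.
GLOB_ATTACK_RE='[[:space:]]+~[^{]*[{][^}]*$'

# The same expression handed to ngrep on a live interface (not run here):
#   ngrep -q -W byline "$GLOB_ATTACK_RE" 'tcp dst port 21'

# Exit 0 when the line matches the glob-attack pattern, 1 otherwise.
is_glob_attack() {
    printf '%s\n' "$1" | grep -qE "$GLOB_ATTACK_RE"
}

# What a fixed-string signature can express: the literal bytes "~{".
has_fixed_string() {
    case "$1" in
        *'~{'*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Print which detector(s) flag a line: regex, fixed, both or none.
classify() {
    result=none
    if is_glob_attack "$1"; then
        result=regex
    fi
    if has_fixed_string "$1"; then
        if [ "$result" = regex ]; then result=both; else result=fixed; fi
    fi
    printf '%s\n' "$result"
}

# Constructed sample FTP commands (not captured traffic).
for line in \
    'CWD ~{' \
    'CWD ~x{abc' \
    'LIST ~/pub/{a,b' \
    'CWD ~{foo}' \
    'CWD ~' \
    'CWD /pub/{a,b}' \
    'SITE EXEC %p'
do
    printf '%-18s %s\n' "$line" "$(classify "$line")"
done
```

Two of the rows make the article's point: "CWD ~x{abc" is caught only by the regular expression, because a fixed-string rule on "~{" cannot allow for the characters in between, while "CWD ~{foo}" is flagged only by the fixed string, because the regular expression can insist that no closing brace follows. Note that the "$" anchor also holds for lines that still carry their CRLF terminator, since the carriage return is not a "}".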