This document shows how the regular-expression fingerprinting of StoneGate IPS can be used for “fingerprint-based anomaly detection”.
This is somewhat different from the way regular IDS/IPS devices work: they normally try to detect something defined as a fingerprint, while this document does the exact opposite. When we know what to expect as “normality”, we ask that everything deviating from it be reported as “anomalous”, and we do this with fingerprinting to keep maximum flexibility.
For additional information about the StoneGate IPS fingerprinting language, consult the StoneGate IPS Reference Guide, available on our public website.
Suppose we have a case where the application payload is structured as follows:
- Bytes 1 to 8: mixed data we are not interested in inspecting
- Byte 9: device type
- Bytes 10 to 17: device identity
- Bytes 18 to 19: mixed data we are not interested in inspecting
Definition of normality
We need to check that the first 8 bytes contain some sort of data.
We know that the device type we are interested in is a Terminal, defined by the decimal value 6 in the 9th byte.
We know that the device identity allowed to communicate is defined by the numeric ID 90008888 (decimal values).
The packet is 19 bytes in length.
The statements above define normality; what we need is to alert on everything that deviates from it.
The solution is to structure the sensor fingerprint as follows:
---------------------------------------------------------------------
(?x)
# byte 9: device type must be Terminal ==> 6
.{8}6
# bytes 10-17: device identity; on a match, mark the packet legitimate and ignore it
90008888(?{legitimate=1,ignore})|
# otherwise: any 19-byte payload for which legitimate is still 0 is anomalous
.{19}(?{legitimate==0})
---------------------------------------------------------------------
Fingerprint Structure Explanation
At the beginning of the fingerprint we use (?x) to tell the fingerprint processor not to consider text after a # sign, linefeeds or spaces in the matching process.
This allows the use of comments in the fingerprint, improving readability.
Without comments, the fingerprint above would be:
.{8}690008888(?{legitimate=1,ignore})|.{19}(?{legitimate==0})
We start the fingerprint by checking the first 8 bytes for any content.
The dot (.) matches any content (including null characters), and the number in the following curly braces tells the processor to repeat the previous match n times (here 8, for the first 8 bytes).
After the curly braces we put the content to be checked, in either decimal (6) or hexadecimal (\x06) notation.
Then we follow with the string to check from the 10th to the 17th byte.
If we find a match, we set a variable (we called it legitimate) to 1.
Then we use a special extension with the keyword ignore.
The effect is that if the fingerprint finds a match, it does not trigger any response until another valid match is found.
Then comes the magic!
Using an OR condition (the | sign) we insert a new matching pattern to check that the first 19 bytes contain some sort of content (this will always match if the packet is well formed).
This latter condition matches only if the value of the legitimate variable is 0, which is the opposite of the first part of the fingerprint.
The final effect is that the fingerprint as a whole matches if and only if:
1. The first 8 bytes contain any value
2. The string from the 9th to the 17th byte is different from 690008888 (because the value of legitimate remains 0)
3. The first 19 bytes of the payload exist and contain any value
The three conditions above define the deviation from the normality we defined, causing the fingerprint to match and the configured action (alert, drop, reset, blacklist, etc.) to be taken.
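As an added illustration (not part of the original post or of the StoneGate product), the following Python script models the same decision over constructed 19-byte payloads. It assumes the fields are ASCII digits, as the literal 6 and 90008888 in the pattern imply, that matching is anchored at the start of the payload, and it expresses the legitimate=1,ignore / legitimate==0 pair as a standard negative lookahead; the truncated sample shows that a payload shorter than 19 bytes is not reported, because .{19} cannot match it.

```python
import re

# Constructed sample payloads (not from the original post). Fields are assumed
# to be ASCII digits, matching the literal "6" and "90008888" in the fingerprint.
HEADER = b"\x00\x01\x02\x03\x04\x05\x06\x07"   # bytes 1-8, not inspected
TRAILER = b"\xaa\xbb"                           # bytes 18-19, not inspected

PAYLOADS = {
    "legitimate":     HEADER + b"6" + b"90008888" + TRAILER,
    "wrong_type":     HEADER + b"7" + b"90008888" + TRAILER,
    "wrong_identity": HEADER + b"6" + b"90001234" + TRAILER,
    "truncated":      HEADER + b"6" + b"9000",   # only 13 bytes
}

# The page's fingerprint rewritten in standard regex syntax: the StoneGate
# "legitimate=1,ignore" / "legitimate==0" pair becomes a negative lookahead.
# DOTALL makes "." match every byte value, as the page says the dot does.
ANOMALY_RE = re.compile(rb"(?!.{8}690008888).{19}", re.DOTALL)


def fingerprint_matches(payload: bytes) -> bool:
    """True when the anomaly fingerprint fires, i.e. the payload deviates
    from the defined normality. re.match anchors at the payload start."""
    return ANOMALY_RE.match(payload) is not None


def explicit_check(payload: bytes) -> bool:
    """The same decision spelled out field by field, to show what the
    fingerprint really tests. Must agree with fingerprint_matches()."""
    if len(payload) < 19:
        return False            # .{19} cannot match: the fingerprint is silent
    device_type = payload[8:9]  # 9th byte
    identity = payload[9:17]    # 10th to 17th byte
    is_normal = device_type == b"6" and identity == b"90008888"
    return not is_normal        # anything else is anomalous


if __name__ == "__main__":
    for name, p in PAYLOADS.items():
        print(f"{name:15s} anomalous={fingerprint_matches(p)} "
              f"explicit={explicit_check(p)}")
```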