[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[CIEL] Extracts from the Draft CIEL



==================================================================
Extracts from the Draft CIEL
==================================================================

Following is some information extracted from the draft Common
Intrusion Event List (CIEL).  Detailed explanations will take place at
the Board meeting on Friday, but you can consult the meeting agenda
for background and status information.

==================================================================
CIEL Summary
==================================================================

ICMP Decodes
------------
 CIEL1 ICMP-EVENT

TCP Decodes
-----------
 CIEL2 TCP-CONNECTION

UDP Decodes
-----------
 CIEL37 UDP-TRAFFIC

IP Decodes
----------
 CIEL3 IP-OPTIONS

Application Layer Decodes
-------------------------
 CIEL4 TCP-PROTOCOL-COMMAND-DECODE
 CIEL5 UDP-PROTOCOL-COMMAND-DECODE
 CIEL6 DECODE-CONTENT-TYPE
 CIEL7 RPC-PORTMAPPER-DECODE

Application Layer Detects
-------------------------
 CIEL8 TELNET-CLIENT-CONNECT
 CIEL9 RS-SESSION-KILL
 CIEL10 WEB-PERL

Miscellaneous application layer detects/decodes
-----------------------------------------------
 CIEL11 WEB-APPLICATION-ACTIVITY

Detects of Specific Strings or Keywords
---------------------------------------
 CIEL12 SPECIFIC-STRING-DETECT
 CIEL13 SUSPICIOUS-FILENAME-DETECT
 CIEL14 SYSTEM-CALL-DETECT
 CIEL15 BUFFER-OVERFLOW-DETECT

IP Layer Alarms
---------------
 CIEL16 IP-SPOOFING
 CIEL17 DUPLICATE-IP-ADDRESS

TCP Layer Alarms
----------------
 CIEL18 TCP-HIJACKING

Application Layer Alarms
------------------------
 CIEL19 FTP-BOUNCE
 CIEL20 FINGER-REDIRECTION
 CIEL21 BRUTE-FORCE-LOGIN

Miscellaneous Alarms
--------------------
 CIEL22 VULNERABILITY-EXPLOIT

Trojan Horses / Malware Events
------------------------------
 CIEL23 NETWORKED-TROJAN-ACTIVITY

Nonstandard Protocols or Protocol Violations
--------------------------------------------
 CIEL24 NONSTANDARD-IP-PROTOCOL
 CIEL25 NETWORKING-PROTOCOL-VIOLATION

Windows-specific Events
-----------------------
 CIEL26 REGISTRY-KEY-ACCESS
 CIEL27 WINDOWS-PASSWORD-CACHE
 CIEL28 WINDOWS-NT-SAM
 CIEL29 CLEARTEXT-SMB-PASSWORD

Probes
------
 CIEL30 PORT-SCAN
 CIEL31 HOST-SWEEP
 CIEL32 ASSESSMENT-TOOL-SCAN

Flooding/Storm Events
---------------------
 CIEL33 ICMP-FLOOD
 CIEL34 TCP-FLOOD

Miscellaneous Events
--------------------
 CIEL35 TUNNELING
 CIEL36 OS-FINGERPRINTING


==================================================================
Sample CIEL Entries
==================================================================

CIEL1
------------------------------------------------------------------
:NAME ICMP-EVENT

Context1: field number (type)

Context2: code

Context3: source (tool) that caused the event

Description:

A specific, single ICMP event (ping, protocol unreachable, etc.)


Notes:

Context1 and Context2 should be as defined in RFC792; e.g. 8 for echo
request, 0 for echo reply.

Should the tool that caused the event have a context?  Should there be
a general "tool" attribute for each CIEL entry?


CIEL2
------------------------------------------------------------------
:NAME TCP-CONNECTION

Context1: source and destination port numbers

Description:

Completed connection (i.e. three-way handshake) for TCP traffic

Notes:

The source and destination port numbers are in the form: SRC/DEST


CIEL3
------------------------------------------------------------------
:NAME IP-OPTIONS

Context1: Option name

Description:

IP packet detected with an option enabled.

Notes:

Option name is Loose Source Routing, Strict Source Routing, Record
Route, Security, etc.


CIEL4
------------------------------------------------------------------
:NAME TCP-PROTOCOL-COMMAND-DECODE

Context1: port number

Context2: command

Context3: arguments

Description:

Extraction of commands and arguments for a TCP protocol


CIEL13
------------------------------------------------------------------
:NAME SUSPICIOUS-FILENAME-DETECT

Context1: filename that was matched

Context2: port number

Context3: command

Description:

Suspicious file name detected in TCP or UDP traffic


CIEL19
------------------------------------------------------------------
:NAME FTP-BOUNCE

Description:

FTP bounce attack.

Notes:

Rationale: FTP bounce is a unique attack that is specific to the FTP
protocol, thus it can't be "abstracted" to a higher level.


CIEL22
------------------------------------------------------------------
:NAME VULNERABILITY-EXPLOIT

Context1: Identifier source

Context2: Identifier

Description:

An exploitation or attack on a specific vulnerability or exposure.

Notes:

"Identifier source" is the organization/database that provides the
identification scheme (e.g. CVE, Bugtraq ID).

The "Identifier" is the actual name/number/identifier that's used
(e.g. CVE-1999-0067).

This approach is in line with IETF IDWG.

If more than one identifier is used, should they be separated by a
single space, e.g.: "CVE-XXXX-YYYY CVE-XXXX-ZZZZ CVE-XXXX-WWWW"?  Or
should there be different instances of this CIEL?  (But could make it
look like there are multiple events, instead of one event with several
different "interpretations").


==================================================================
Example CIEL Mapping: Snort signatures
==================================================================

NOTE: the syntax for CIEL names is not yet finalized.

Attacks on specific vulnerabilities
-----------------------------------

Name: IDS124 - SMTP-exploit8610ha
CIEL: CIEL22:CVE:CVE-1999-0203

Name: CVE-1999-0833 - OVERFLOW-Named-ADM-NXT - 8.2->8.2.1
CIEL: CIEL22:CVE:CVE-1999-0833

Trojan Horse traffic
-----------------------------------
Name: IDS399 - BackOrifice1-info
CIEL: CIEL23:BackOrifice:info

Name: IDS398 - BackOrifice1-dir
CIEL: CIEL23:BackOrifice:dir

Name: IDS401 - Netbus-active-12345
CIEL: CIEL23:Netbus

ICMP Stuff
----------
Name: PING-ICMP Source Quench
CIEL: CIEL1:4

Other "sample" CIEL names (non-Snort)
-------------------------------------

Name: ping
CIEL: CIEL1:8

Name: ping reply
CIEL: CIEL1:0

TCP Stuff
---------
Name: FTP connect
CIEL: CIEL2:any/21
CIEL: CIEL2:21/any

Name: NETBIOS name service
CIEL: CIEL2:any/137
CIEL: CIEL2:137/any

Name: HTTP traffic
CIEL: CIEL2:any/80
CIEL: CIEL2:80/any

Name: HTTP GET request decode
CIEL: CIEL4:80:GET:*
  -> the 2nd context field can only be filled in dynamically!
  -> note relationship between CIEL4:x and CIEL2:x

Name: /etc/passwd seen in web traffic
CIEL: CIEL13:80:/etc/passwd

 
Page Last Updated: May 22, 2007