Suricata之弱口令检测

文摘 2024-10-25 20:25 四川

在《Suricata之dnslog域名检测》中，介绍了dnslog域名检测规则一步步的优化过程，从最初的content匹配，到pcre正则匹配，再到最终的pcrexform+dataset匹配。实现了规则与特征数据的分离，使得特征数据的管理更加直观和方便。同样的优化过程和方案，也适用于弱口令检测规则。

本文重点以Wordpress弱口令登录的检测为例，展示弱口令规则的优化过程和思路，另外还会对弱口令检测中常见的一种误报场景及其解决方法进行介绍。最后再简单介绍其他协议的弱口令检测。

Wordpress弱口令登录数据包

登录请求数据包

POST /wordpress/wp-login.php HTTP/1.1Host: 192.168.169.160Connection: keep-aliveContent-Length: 117Cache-Control: max-age=0Upgrade-Insecure-Requests: 1Origin: http://192.168.169.160Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Referer: http://192.168.169.160/wordpress/wp-login.phpAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: wordpress_test_cookie=WP+Cookie+check
log=admin&pwd=admin123&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.169.160%2Fwordpress%2Fwp-admin%2F&testcookie=1

登录成功响应数据包

HTTP/1.1 302 FoundDate: Mon, 03 Jun 2024 08:36:03 GMTServer: Apache/2.4.18 (Ubuntu)Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/wordpress/X-Frame-Options: SAMEORIGINSet-Cookie: wordpress_2593e528a51693ac78094651c5d056d0=admin%7C1717576563%7Ch1aXHKoJnXh3BHapbS5eT2Tcjc4HkhRjXSzI6u8GUVV%7C02fcacd58739efbc1aefc85cee484c00ac1b1905da728d9c36bf4d4cb84cbd50; path=/wordpress/wp-content/plugins; HttpOnlySet-Cookie: wordpress_2593e528a51693ac78094651c5d056d0=admin%7C1717576563%7Ch1aXHKoJnXh3BHapbS5eT2Tcjc4HkhRjXSzI6u8GUVV%7C02fcacd58739efbc1aefc85cee484c00ac1b1905da728d9c36bf4d4cb84cbd50; path=/wordpress/wp-admin; HttpOnlySet-Cookie: wordpress_logged_in_2593e528a51693ac78094651c5d056d0=admin%7C1717576563%7Ch1aXHKoJnXh3BHapbS5eT2Tcjc4HkhRjXSzI6u8GUVV%7C3b6eb5f371b94fe41cff9b0e9ff70cf64a62c9e7d9979a33747a26463336f619; path=/wordpress/; HttpOnlyX-Redirect-By: WordPressLocation: http://192.168.169.160/wordpress/wp-admin/profile.phpContent-Length: 0Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=UTF-8

content规则检测弱口令

通过分析以上登录成功的请求和响应数据包，可以编写如下规则，用于检测使用弱口令admin123完成的登录：

alert http any any -> any any (msg:"content detect wordpress weakpass - attempt";flow:to_server,established;http.method;content:"POST";http.uri;content:"wp-login.php";http.request_body;content:"log=";content:"pwd=admin123";flowbits:set,wordpress-weakpass;sid:1001;)
alert http any any -> any any (msg:"content detect wordpress weakpass - success";flow:to_client,established;http.stat_code;content:"302";http.cookie;content:"wordpress_logged_in_";flowbits:isset,wordpress-weakpass;sid:1002;)

同样，如同使用content检测dnslog域名一样，通过content检测多个弱口令，就需要为每个不同的弱口令都编写一条content规则，这样既麻烦，也会产生额外的计算消耗。

所以在接下来的优化阶段，通常会尝试通过pcre在一条规则中实现对多个弱口令的判断。

pcre规则检测弱口令

如下规则通过将content:"pwd=admin123";优化为pcre:"/(123456|admin|admin123|password)(&|$)/RP";就能够实现对多个弱口令的检测，之后只需要维护pcre规则中正则部分的弱口令列表即可：

alert http any any -> any any (msg:"pcre detect wordpress weakpass - attempt";flow:to_server,established;http.method;content:"POST";http.uri;content:"wp-login.php";http.request_body;content:"log=";content:"pwd=";pcre:"/(123456|admin|admin123|password)(&|$)/RP";flowbits:set,wordpress-weakpass;sid:1001;)
alert http any any -> any any (msg:"pcre detect wordpress weakpass - success";flow:to_client,established;http.stat_code;content:"302";http.cookie;content:"wordpress_logged_in_";flowbits:isset,wordpress-weakpass;sid:1002;)

pcrexform + dataset检测弱口令

同样为了实现规则与特征数据的分离，以及特征数据的扩展性和可维护性。在弱口令列表数据量不断增大后，就需要将pcre规则优化为dataset规则，通过pcrexform将弱口令部分进行提取，再交给dataset进行弱口令列表的匹配

alert http any any -> any any (msg:"Woredpress Weakpass - attempt";flow:to_server, established;http.method;content:"POST";http.uri;content:"wp-login.php";http.request_body;content:"log=";content:"pwd=";pcrexform:"pwd=(.*?)(?:&|$)";dataset:isset,weakpass,type string,load datasets/weakpass.list;flowbits:set,wordpress-weakpass;sid:1001;)
alert http any any -> any any (msg:"Woredpress Weakpass - success";flow:to_client, established;http.stat_code;content:"302";http.header.raw;content:"wordpress_logged_in_";flowbits:isset,wordpress-weakpass; sid:1002;)

通用性误报问题

如果直接以当前完成的规则上线到生产，一定会发现误报。这也是弱口令、未授权访问等规则中一类常见的误报场景。这主要与suricata的流检测机制有关。

suricata官方文档有一张用于解释使用flowbits进行流数据包检测原理的图片：

参考该图片，我们先画出理想状态下Wordpress弱口令检测的图片：

但是由于keep-alive机制的存在，通常一个流当中会有多个请求响应包，此时如果用户或攻击者通过首先尝试利用一个弱口令进行登录，会得到一个登录失败的响应。如果紧接着又使用了一个强口令成功登录，则会造成我们的规则产生误报。

误报过程分别用文字和图片描述如下：

1.请求弱口令登录：命中规则1001，标记flowbits:set,wordpress-weakpass2.响应登录失败：未命中规则3.请求强口令登录：未命中规则4.响应登录成功：命中规则1002，flowbits:isset,wordpress-weakpass，产生告警

登录失败响应数据包

HTTP/1.1 200 OKDate: Tue, 08 Oct 2024 15:11:16 GMTServer: Apache/2.4.7 (Ubuntu)X-Powered-By: PHP/5.5.9-1ubuntu4.19Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Pragma: no-cacheSet-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/X-Frame-Options: SAMEORIGINVary: Accept-EncodingContent-Encoding: gzipContent-Length: 1579Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=UTF-8
<!DOCTYPE html>......省略中间不关键部分.....  <div id="login">    <h1><a href="https://cn.wordpress.org/" title="......WordPress" tabindex="-1">WPVulDemo</a></h1>  <div id="login_error">  <strong>......</strong>...............<strong>admin</strong>........................... <a href="http://localhost:8000/wp-login.php?action=lostpassword">...............</a><br /></div>
<form name="loginform" id="loginform" action="http://localhost:8000/wp-login.php" method="post">  <p>    <label for="user_login">..............................<br />    <input type="text" name="log" id="user_login" aria-describedby="login_error" class="input" value="admin" size="20" /></label>  </p>  <p>    <label for="user_pass">......<br />    <input type="password" name="pwd" id="user_pass" aria-describedby="login_error" class="input" value="" size="20" /></label>

为解决如上的误报场景，就需要新增一条规则，用于当发现流中存在登录失败的响应后，将flowbits标志给删除。

alert http any any -> any any (msg:"Woredpress Weakpass - error";flow:to_client, established;http.stat_code;content:"200";http.response_body;content:"aria-describedby=\"login_error\"";flowbits:isset,wordpress-weakpass;flowbits:unset,wordpress-weakpass;noalert;sid:1003;)

需要特别注意的是，虽然这条规则的目的仅仅是用于删除flowbits标志，但是由于其本身也是一条alert规则，因此同样会产生告警。所以需要添加noalert来抑制此条规则产生的告警。

其他协议弱口令检测

通过完成Wordpress弱口令检测规则，其他基于HTTP协议的弱口令规则也会是信手拈来，自然也想将pcrexform+dataset检测弱口令的模式应用于其他协议。但是pcrexform+dataset模式有其本身的局限性，这两个关键字，本身都只能用于从sticky buffer中匹配数据。如果其前面跟的不是sticky buffer，引擎会在规则加载阶段提示错误。

FTP协议

suricata支持FTP协议，但是提供的sticky buffer仅限于文件操作相关的指令（https://docs.suricata.io/en/latest/rules/ftp-keywords.html）。所以如果想要进行弱口令的匹配，只能直接在整个tcp数据中匹配。此时尝试使用pcrexform、dataset，就产生了规则引擎报错。

alert ftp any any -> any any (msg:"FTP Weakpass - attempt";flow:to_server,established;content:"PASS";startswith;pcrexform:"^PASS (.*?)\r\n";)
报错：Problem starting Suricata daemon: [76 - Suricata-Main] 2024-10-11 02:38:31 Error: detect-parse: transforms must directly follow stickybuffers

alert ftp any any -> any any (msg:"FTP Weakpass - attempt";flow:to_server,established;content:"PASS";startswith;dataset:isset,weakpass;)
报错：Problem starting Suricata daemon: [88 - Suricata-Main] 2024-10-11 02:40:08 Error: detect-dataset: datasets are only supported for sticky buffers

这种情况下只能暂时退而求其次，使用pcre规则，进行弱口令的匹配：

alert ftp any any -> any any (msg:"FTP Weakpass - attempt";flow:to_server,established;content:"PASS ";pcre:"/(echo|123456|password)\r\n/R";)

SMTP协议

其实suricata对协议的支持是会不断完善的，例如对SMTP协议的支持。截止目前最新的稳定版本是本月初（10月1日）发布的7.0.7，通过该版本的文档（https://docs.suricata.io/en/suricata-7.0.7/）找不到对suricata规则对该协议的支持，suricata在该版本中仅支持smtp协议的识别。

但是在8.0.0-dev版本的文档（https://docs.suricata.io/en/latest/rules/smtp-keywords.html）可以发现suricata会增加多个STMP协议的sticky buffer。

其中使用smtp.command_line存储了客户端请求给服务端的数据，因此我们可以预见，之后应该能写出使用dataset检测弱口令的规则：

alert smtp any any -> any any (msg:"STMP - request - 334 password";flow:to_client,established; frame:smtp.response_line;content:"334 UGFzc3dvcmQ6";startswith;flowbits:set,smtp-request-334;noalert;)
alert smtp any any -> any any (msg:"STMP - response - detect weakpass - attempt";flow:to_server,established; frame:smtp.command_line;datasets:isset,weakpass-base64,type string,load datasets/weakpass-base64.list;flowbits:isset,smtp-request-334;flowbits:unset,smtp-request-334;flowbits:set,smtp-weakpass-login;)
alert smtp any any -> any any (msg:"STMP - request - detect weakpass - success";flow:to_client,established; frame:smtp.response_line;content:"235 Authentication succe";startswith;flowbits:isset,smtp-weakpass-login;)
alert smtp any any -> any any (msg:"STMP - response - detect weakpass - failed";flow:to_client,established; frame:smtp.response_line;content:"535 ";startswith;flowbits:isset,smtp-weakpass-login;flowbits:unset,smtp-weakpass-login;noalert;)

只不过按照官方计划，想要用上suricata 8的beta版也要等到2025年4月1日了。当然，现在也可以像检测FTP弱口令那样，使用pcre来直接匹配tcp流量，进行SMTP弱口令检测。

alert smtp any any -> any any (msg:"STMP - request - 334 password";flow:to_client,established; content:"334 UGFzc3dvcmQ6";startswith;flowbits:set,smtp-request-334;noalert;)
alert smtp any any -> any any (msg:"STMP - response - detect weakpass - attempt";flow:to_server; pcre:"/(MTIzNDU2|YWRtaW4=|cGFzc3dvcmQ=|cHVuamFiQDEyMw==)\r\n/";flowbits:isset,smtp-request-334;flowbits:unset,smtp-request-334;flowbits:set,smtp-weakpass-login;)
alert tcp any any -> any any (msg:"STMP - response - detect weakpass - success";flow:to_client;content:"235 Authentication succe";flowbits:isset,smtp-weakpass-login;)
alert tcp any any -> any any (msg:"STMP - response - detect weakpass - failed";flow:to_client,established; content:"535 ";flowbits:isset,smtp-weakpass-login;flowbits:unset,smtp-weakpass-login;noalert;)

综上可以看出，pcrexform+dataset的检测能力是局限于suricata所支持的协议以及提供的sticky buffer的。好在由于suricata本身是开源的，如果确实有需求，可以自己实现特定协议的解析，来增加相关的sticky buffer。由于本人的C已经完全还给大学老师了，因此无法给大家做具体示例的展示，有需要可参考《suricata 开源工具学习-自定义协议开发》。

川云安全团队

川云安全团队官方公众号，不定期推送技术文章，渗透技巧和热点新网等文章。