
Question 1: Snort Rules

(10 Marks)

This question presents a fictitious security vulnerability in a range of
laser printers. The question requires that you develop SNORT IDS rules
to detect exploits of this fictitious vulnerability. All information regarding
this vulnerability is fabricated to give the illusion of a real security threat.
As a result, searches on the Internet will not yield any information
regarding the signature of this vulnerability. All the information required
to detect exploits for this vulnerability is presented in this question,
except where noted otherwise.
You are a security specialist working for XYZ Incorporated. XYZ uses
SNORT as its NIDS, which protects both of their IP sub-networks, being and
A security vulnerability has been detected in the Humphrey Pollard
Laserprint 12050 printer model. This vulnerability is remotely exploitable
and allows the execution of arbitrary code.
There is a bug in the way the printer processes the PostScript spool
management header. A sample of a spool header is given below:
%!PS-Adobe-3.0
%%Creator: texttops/CUPS v1.2.2
%%CreationDate: Thu 21 Sep 2006 11:49:57 AM EST
%%Title: TODO
%%For: username
%%DocumentNeededResources: font Courier-Bold

The printer's code which parses these headers only allows 8 bytes for the
%%For field value buffer in memory. In the example above, the field
value is username. It is possible to overflow the buffer by providing a
value to the %%For field that is greater than 8 bytes. The %%For field
can be found anywhere in the packet.
An exploit has been released in the form of a worm which, when it infects
the laser printer's memory, tricks the laser printer into emailing all
documents received for printing to an email account in Russia. The worm
propagates by scanning networks in proximity of its own for other
vulnerable printers. On finding vulnerable machines, it copies itself to
them and the cycle continues.
It also propagates via email as a PDF attachment. The malicious code is
embedded in the PDF file. The email message suggests that the attached
document contains a joke and requires printing to a laser printer to view.
When the user prints the PDF, its payload is sent to the printer either
directly, or via a printer spooling server. Effectively, this means the worm
can attack printers from any host on the network.
If a printer is found to be compromised, power-cycling (turning off and
then on) the printer will erase the worm from the printer's volatile
memory. However, this does not prevent the printer from being reinfected.

You are required to write 2 SNORT IDS rules labelled (ONE) and
(TWO) to manage this vulnerability until patches are applied and printers
Rule (ONE) must detect attempts to exploit this vulnerability on any
printer in the company network. The rule should scan for attempts from
any host on the network to any host on the network. It should also scan
only for connections to the Jetdirect printing TCP/IP port number, used by
this range of printers. You may need to research Jetdirect to identify which
port number it uses for printing and what transport protocol. Google is a
good place to start.
The signature of the exploit is given as follows:
%%For: username
The value username can be any sequence of characters, but must be
exactly 8 characters long. For example, username could be abcdefgh.
Note also there is a space between the colon and username.
Immediately following the 8 characters for the username is the payload of
the exploit, which is given below as decimal byte values:
124 185 30 135 99 214 51 29
Your rule should match the entire sequence as described above starting
from %%For: through to the last decimal byte of the exploit payload
29. On detecting packets, your rule should generate an alert with a
message stating: Attempt to exploit laser printer vulnerability.
Rule (TWO) must detect attempts by the malicious payload running on
any infected printers to email documents to the Internet.
You have 6 printers on your network that are vulnerable to this attack.
Their IP addresses are:
Your email rule must apply only to the vulnerable printers on the network.
In other words, your rule should detect attempts to email the hacker from
only the above printers, and no other hosts.
This model of laser printer also provides scanning and faxing capabilities.
When the scanning function is used, the unit will email the scanned
document to an Internet email address given by the user when scanning.
As a result, it is normal behaviour for these printers to send emails via
SMTP. Therefore, it is necessary to check the recipient email address of
the document. The rule should detect attempts to email users outside of
the organisation, as no document should be emailed outside the company
from a printer. The organisation's domain name is: So
any emails sent to an address of form: should not be
detected as these addresses are for company employees. Any other
email addresses without the exact domain name above should be
detected. Any mail server could be used to deliver the email. On
detecting an email from one of these printers to an address outside the
organisation, your rule should generate an alert with the message:
Compromised printer attempting to email document outside
For both rules, be sure to complete the following:
1. Allocate an appropriate SID value and a revision number.
2. Designate an appropriate class type for this attack.
3. Annotate your rules with comments describing what each component
of the rule does, so other security specialists in your team can see how
your rules are written. Comments can be introduced to your rules file
snort.conf by preceding each line with a hash character #. Anything
after the hash character to the end of the line will be treated as a
comment by SNORT and ignored by the rule parsing code. This is how
you should comment your rules.
An example of how to present your rules in your assignment document is
shown below:
# Your explanation of the below in italics
# Your explanation of the below
drop udp $EXTERNAL_NET any -> $HOME_NET 993 \
#Your explanation of the below, and so on...
... \
An example explanation for a SNORT rule option:
# The content of the packet must contain the string USER root to be
# Furthermore, the offset option specifies that the string USER root should be
# matched exactly 10 bytes from the beginning of the packet. In other words, it will
# only match packets where the string USER root appears 10 bytes from the
# start of the payload.
content:"USER root"; offset:10; \
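Following the presentation format above, the two rules written out in full as an added worked example; this is not part of the assignment text and not a model answer issued by the course. It uses the Jetdirect raw-print port, TCP 9100, and, because the real values are not on this page, placeholder printer addresses (192.0.2.10 to 192.0.2.15, from the documentation range) and a placeholder organisation domain (example.com); the SIDs 1000001 and 1000002 are chosen from the range reserved for locally written rules.

```snort
# snort.conf must contain "include classification.config" so that the
# classtype names used below resolve to a description and priority.
# SIDs 1000001 and 1000002 are taken from the range reserved for local rules.

# Rule (ONE): attempt to overflow the 8-byte %%For buffer.
# Header: any host may attack any host, so source and destination are
# "any"; Jetdirect raw printing is TCP port 9100.
# flow:to_server,established  - only client-to-printer traffic inside an
#                               established TCP session.
# content:"%%For|3A 20|"      - the literal "%%For: "; the colon and the
#                               space are written as hex so nothing needs
#                               escaping. The header may sit anywhere in
#                               the packet, so no offset is given.
# content:"|7C B9 ... 1D|"    - the payload bytes 124 185 30 135 99 214 51 29
#                               converted to hex.
# distance:8; within:8        - distance skips exactly the 8-byte username
#                               after the previous match and within allows
#                               the payload only in the next 8 bytes, so a
#                               username shorter or longer than 8 characters
#                               does not match.
alert tcp any any -> any 9100 \
(msg:"Attempt to exploit laser printer vulnerability"; \
flow:to_server,established; \
content:"%%For|3A 20|"; \
content:"|7C B9 1E 87 63 D6 33 1D|"; distance:8; within:8; \
classtype:attempted-admin; sid:1000001; rev:1;)

# Rule (TWO): compromised printer emailing a document outside the company.
# Header: the source is a bracketed, comma-separated list (no spaces) of
# the six vulnerable printers only; the 192.0.2.x addresses below are
# placeholders for the real printer addresses. Any mail server may be
# used, so the destination is any host on TCP port 25.
# content:"RCPT TO|3A|"; nocase - finds the recipient command cheaply
#                                 before the regular expression runs.
# pcre                          - checks the mailbox that follows RCPT TO:.
#                                 ^ with the m modifier anchors at a line
#                                 start, i ignores case, <? allows the
#                                 optional angle bracket, [^@\s>]+ is the
#                                 local part, and the negative lookahead
#                                 (?!example\.com>?\s*$) fails the match when
#                                 the text after @ is exactly the company
#                                 domain, so only external recipients alert.
#                                 example.com is a placeholder for the
#                                 organisation's real domain.
alert tcp [192.0.2.10,192.0.2.11,192.0.2.12,192.0.2.13,192.0.2.14,192.0.2.15] any -> any 25 \
(msg:"Compromised printer attempting to email document outside"; \
flow:to_server,established; \
content:"RCPT TO|3A|"; nocase; \
pcre:"/^RCPT TO:\s*<?[^@\s>]+@(?!example\.com>?\s*$)/mi"; \
classtype:trojan-activity; sid:1000002; rev:1;)
```

Check the syntax with snort -T -c snort.conf before deploying. One point worth keeping in mind when reading the offset example above: offset on its own only sets where the search for a content begins, not where it must end; to pin a content to an exact position, pair offset with depth, or, relative to a previous match, distance with within as rule (ONE) does.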

Search for the SMTP RFC document RFC0821 via google. In particular,
you will need to familiarise yourself with the RCPT TO: SMTP command.
This is the format you need to check for to detect safe receiving email
Certain characters are special in SNORT rules. These characters must
be escaped to tell SNORT to treat them literally, rather than interpret
their special meaning. To escape a special character, you simply precede
it with a back-slash \. For example, if you wish to continue your rule on
a new line in the configuration file, then you end the line with a \
character to escape the special meaning of the ENTER character at the
end of the line. SNORT treats the ENTER character as special. It means it
is the end of the current rule. With a \ at the end of the line, it tells
SNORT to treat it as a literal ENTER which will be interpreted as just
spacing for your rule and allows it to continue on the next line. If you
receive the following error when you attempt to run your rule through
SNORT: ParsePattern Got Null enclosed in quotation marks (")!, then
you have a special character in your rule content that needs to be
escaped. Refer to the SNORT documentation website for details on which
characters have special meanings.
Research how to express a group of unrelated individual IP addresses as
a source or destination.
Make sure you include the classtype in your rule. Refer to the SNORT
documentation to determine which classtype is appropriate for this
exploit as described above. You will probably have to make use of the
classification.config file (located in the Snort\etc\ directory);
research how to make reference to this file from your rules file.
Failure to use the correct syntax in your rule will mean the rule is
ineffective. This means you will lose marks on this question.
Refer to the Snort manual for assistance in writing the rules; a link to the
manual is available from the Software Resources section of the course web
Note: Duplicating the contents from the text, lecture slides, weekly notes
or the Internet is not acceptable (even if it is referenced) and will not
attract any marks. Your solutions must be written in your own words. If
you cannot write your answer in your own words, then you have not yet
mastered the topic and require further reading or advice from your tutor.
Any information taken from an external source (either from the textbook
or any other source) must be referenced appropriately. Failure to do so
constitutes plagiarism.
