Using Alternate Data Streams in Data Loss Prevention

Have you ever wanted to try out alternate data streams in a legitimate data loss prevention case?

I’ve finally had some time this weekend to try out NTFS Alternate Data Streams (ADS) in various network DLP based applications. Although this isn’t really new or surprising to the rest of us security professionals, it is a nifty way to potentially use these technologies in identifying files that may be attempting to leave the perimeter through watermarking. As always, this is merely for informational purposes only, your mileage may vary on applicability and results.

This weekend’s mini project provides readers with the following abilities:

  • Allows an administrator to recurse through selected files and automatically add a hashed string into an alternate data stream on Windows NTFS hosts
  • Utilizes an example Snort IDS signature to detect the hash when it is traversing or leaving the network
  • General information and cautions on using ADS for DLP applications

Why ADS for DLP?

You might be asking why ADS over water-marking a file directly or some other method (perhaps even MiTM packet-based marking). There are a few reasons for this:

  • In a Windows enterprise environment, any sensitive data that isn’t already encrypted is very likely stored in the various Office document formats (.docx, .pptx, .xlsx) and so forth. These documents have their own structures and do not behave like CSV or other text-only files where you can simply append additional information. Attempting to do so corrupts the file structure, rendering the data unreadable when opened in the Office suite
  • Properly adding data to Office-based documents requires different scripts and depends on the actual format of each type. This creates hassle in trying to account for various file types and in testing
  • In addition, your users or customers may not want to see something such as a file hash added anywhere on their document or file, for cosmetic or even parsing reasons
  • Hashes can offer very specific content to search for based on your data classification level or anything else you want to alert on

Considerations for not using ADS in DLP

  • NTFS-based ADS is only supported on NTFS file systems and may not be applicable to all environments. There are other forms of alternate data streams on other file systems
  • Applications may strip out ADS for security-related practices, support, or numerous other reasons. Examples where I’ve tested this to be true include FileZilla’s FTP client, TeamViewer, some antivirus vendors, and Skype.
  • Detection of ADS using “DIR /R” is available on Vista hosts and newer. Additionally, conventionally displaying a file on standard out does not show your ADS contents. Pipes and other methods can be used as a workaround.
  • Performance considerations for adding extra work for your network IDS or IPS

Case Test Lab Setup:

  • Mac and Windows hosts on the same virtualized network segment using SMB over TCP and Samba
  • Snort 2.9.6.1, with snort.conf “tuned down” to exclude dynamic pre-processors and all other rules, fast alerting on, and local.rules including an example custom signature.
  • Wireshark
  • Online text-to-SHA-256 converter (or any other hashing tool)

Highlights:

We start off by creating an alternate data stream on some test files. It doesn’t matter what file you use, or what name, or even what hash. We simply redirect the contents of hash.txt into a new data stream. Using find or findstr with a negate switch can show us our hash within the stream created.

Next, we can create an example Snort rule to detect that string for DLP purposes. Note that this is only an example rule and is NOT tuned for performance. You should use content modifiers depending on the type and size of data you’re using, in accordance with your sensor performance. Notice that I used rawbytes, as your Snort pre-processors may not always parse the ADS in the manner you want.
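
An example rule of the kind described above, added here rather than taken from the author’s screenshot. The content value is a placeholder for the SHA-256 string written into the stream, and the any/any addressing matches the single-segment lab; both are assumptions.

```snort
# Added example rule (not the author's). Replace the placeholder with the exact
# SHA-256 string stored in the ADS. rawbytes matches against the raw packet
# payload instead of the pre-processor-normalized buffer, which is why it is
# used here. For production, scope to $HOME_NET any -> $EXTERNAL_NET any and
# tune with content modifiers for your sensor's load.
alert tcp any any -> any any ( \
    msg:"DLP - ADS watermark hash observed on the wire"; \
    flow:established; \
    content:"<WATERMARK_SHA256_PLACEHOLDER>"; rawbytes; nocase; \
    classtype:policy-violation; \
    sid:1000001; rev:1; \
)
```

Put this in local.rules and run Snort against the capture from the next step; one alert per packet carrying the string is the expected result.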

Next, set up a simple CIFS/SMB/Samba share, or any other clear-text protocol that you can detect, and start a capture between the hosts. You should notice that while the data streams being transferred are different, they still travel within the same TCP stream.

Reconstruct the stream and now you can see both the original text AND the hash that you’ve added.

Either save your pcap and run Snort against it in read mode, or run Snort in NIDS mode. Using the signature we created earlier, we can see numerous alerts.

Automation

If you’re thinking “So what? You’ve added a hash that can be detected via ADS to ONE file. How am I supposed to do this en masse? How do I even know which files to perform ADS on?”, well, that’s really dependent on your organizational requirements and resources. You’ll have to work on identifying and discovering data to classify and tag.

You might be able to use a dirty-words list or other indicators, perform counts per file, and use basic probability to help identify data you need to mark. To assist with performing ADS on multiple directories and folders recursively, I’ve started a small batch script. I can’t stress enough that you need to test, tune, and validate before you use this on any production data. Make sure to have backups!
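
A batch script that performs the tagging from the Highlights section (redirect hash.txt into a stream, then confirm it with dir /r) across a whole folder tree, as the automation paragraph describes. It is an added example, not the author’s script from the screenshots; the stream name dlp.tag, the hash.txt location next to the script, and the Office-only file filter are assumptions.

```batch
@echo off
REM Added example, not the author's script. Tags every Office document under the
REM folder given as %1 with the watermark hash stored in hash.txt (assumed to sit
REM next to this script) by writing it into an NTFS alternate data stream.
REM Usage: tagads.cmd D:\Shares\Finance
setlocal
set "STREAM=dlp.tag"
set "HASHFILE=%~dp0hash.txt"

if "%~1"=="" (
    echo Usage: %~nx0 ^<folder^>
    exit /b 1
)
if not exist "%HASHFILE%" (
    echo %HASHFILE% not found
    exit /b 1
)

REM Walk the tree recursively. Only Office formats are in scope here because
REM their main data fork cannot simply be appended to without corrupting it.
for /r "%~1" %%F in (*.docx *.xlsx *.pptx) do call :tag "%%~F"

echo.
echo Verification: dir /r lists the stream, more reads its contents back.
for /r "%~1" %%F in (*.docx *.xlsx *.pptx) do (
    dir /r "%%~F" | findstr /l /c:":%STREAM%:$DATA"
    more < "%%~F:%STREAM%"
)
endlocal
exit /b 0

:tag
REM Skip files that already carry the stream so re-runs are idempotent.
dir /r "%~1" | findstr /l /c:":%STREAM%:$DATA" >nul 2>&1
if %errorlevel%==0 (
    echo already tagged: %~1
    goto :eof
)
REM Redirecting into file:stream creates the ADS; the visible file is untouched.
type "%HASHFILE%" > "%~1:%STREAM%" && echo tagged: %~1 || echo FAILED: %~1
goto :eof
```

Run it against a copy of the data first: the stream survives NTFS-to-NTFS copies but is dropped by the applications listed in the considerations above.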

Other Use Cases for ADS

There are also not-so-legitimate use cases for ADS. One method is to hide data in different files by payload injection and call it externally from other shell commands or exploits. The researcher enigma0x3 showcases his solution involving PowerShell scripts to inject an ADS-based payload in user and administrative contexts. The full write-up can be found here.

Find out about more ways to bolster your cyber defense operations at: www.scissecurity.com

Translated from: https://medium.com/swlh/using-alternate-data-streams-in-data-loss-prevention-ff0c2e57af6c