Linux Firewalls - Michael Rash [114]

in computer security. With a rich target environment provided primarily by unpatched Windows systems with broadband connectivity to the Internet, the damaging effects of malware designed specifically to gather financial and other personal data can be enormous.

The Dumador trojan is malware that contains both a keylogger (for collecting and transmitting sensitive information typed on a keyboard back to an attacker), and a backdoor server that listens on ports 9125 and 64972. The Bleeding Snort ruleset contains a signature designed to detect when the Dumador trojan attempts to send information back to an attacker via a web session, as shown here:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Dumador Reporting User Activity";
flow:established,to_server; uricontent:".php?p="; nocase; uricontent:"?machineid="; nocase;
uricontent:"&connection="; nocase; uricontent:"&iplan="; nocase; classtype:trojan-activity;
reference:url,www.norman.com/Virus/Virus_descriptions/24279/; sid:2002763; rev:2;)

This signature is particularly interesting in the context of fwsnort because it requires multiple application layer content matches. In order to translate the signature, we execute the following:

[iptablesfw]# fwsnort --snort-sid 2002763
[+] Parsing Snort rules files...
[+] Found sid: 2002763 in bleeding-all.rules
Successful translation.

This results in the lengthy iptables command shown below, which searches for each of the strings required by the original Bleeding Snort rule by applying the iptables string match four times, once per uricontent value (the four -m string --string clauses):

$IPTABLES -A FWSNORT_FORWARD_ESTAB -s 192.168.10.0/24 -p tcp --dport 80 -m string
--string ".php?p=" --algo bm -m string --string "?machineid=" --algo bm -m string
--string "&connection=" --algo bm -m string --string "&iplan=" --algo bm -m comment
--comment "sid:2002763; msg: BLEEDING-EDGE TROJAN Dumador Reporting User Activity;
classtype: trojan-activity; reference: url,www.norman.com/Virus/Virus_descriptions/24279/;
rev: 2; FWS:1.0;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[1] SID2002763 ESTAB "

Now we make the signature active in the Linux kernel by executing the fwsnort.sh script:

[iptablesfw]# /etc/fwsnort/fwsnort.sh
[+] Adding bleeding-all rules.
Rules added: 2

With the signature active, it is time to test it, and for this we refer to the network diagram in Figure 1-2. On the system labeled lan_client, we execute the following Perl command (the A characters are optional filler that simply separates the individual match criteria) and pipe the output through Netcat to direct it to the webserver labeled ext_web:

[lan_client]$ perl -e 'print ".php?p=AAAAA?machineid=AAAAA&connection=AAAAA&iplan="' | nc 12.34.X.X 80

On the firewall system, iptables catches the activity and outputs this succinct log message:

[iptablesfw]# grep SID2002763 /var/log/messages | tail -n 1
Jul 20 01:12:53 iptablesfw kernel: [1] SID2002763 ESTAB IN=eth1 OUT=eth0 SRC=192.168.10.3 DST=12.34.X.X LEN=104 TOS=0x00 PREC=0x00 TTL=63 ID=17247 DF PROTO=TCP SPT=55040 DPT=80 WINDOW=1460 RES=0x00 ACK PSH URGP=0 OPT (0101080AAD7FC90A2B44969B)

With a rule in place to detect when the Dumador trojan attempts to call home with a payload of harvested information, fwsnort can go a step further and force Dumador's TCP session to close. Re-translating the signature with the --ipt-reject command-line argument adds a rule that resets the connection:

[iptablesfw]# fwsnort --snort-sid 2002763 --ipt-reject
[+] Parsing Snort rules files...
[+] Found sid: 2002763 in bleeding-all.rules
Successful translation.
[iptablesfw]# /etc/fwsnort/fwsnort.sh
[+] Adding bleeding-all rules.
Rules added: 4

Now, rerunning our simulation results in a different iptables log message. (The logging prefix [1] REJ SID2002763 indicates that fwsnort took action against the web session by generating a RST.)

[iptablesfw]# grep SID2002763 /var/log/messages | tail -n 1
Jul 20 01:16:41 iptablesfw kernel: [1] REJ SID2002763 ESTAB IN=eth1 OUT=eth0 SRC=192.168.10.3 DST=12.34.X.X LEN=104 TOS=0x00 PREC=0x00
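As an added example (not fwsnort's own code and not from the book), the following Python script performs the core of the translation shown in this section: it parses the Snort rule options, turns each uricontent match into an iptables string match in rule order, and emits the LOG rule and, for the --ipt-reject case, a second REJECT rule that answers with a TCP RST. The rule text is a constructed copy of the signature quoted above; home_net and dport are assumed substitutions for $HOME_NET and $HTTP_PORTS, and the nocase modifier is mapped to the string match's --icase flag, which the fwsnort output reproduced in the book does not emit.

```python
import re
# Constructed copy of the Bleeding Snort rule quoted above (sid 2002763), embedded so this runs offline.
DUMADOR_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN '
    'Dumador Reporting User Activity"; flow:established,to_server; uricontent:".php?p="; '
    'nocase; uricontent:"?machineid="; nocase; uricontent:"&connection="; nocase; '
    'uricontent:"&iplan="; nocase; classtype:trojan-activity; '
    'reference:url,www.norman.com/Virus/Virus_descriptions/24279/; sid:2002763; rev:2;)'
)

# One Snort option: keyword, optional ':' value (quoted, or anything up to the next ';'), then ';'.
OPT_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def parse_options(rule):
    """Ordered (keyword, value) pairs; bare keywords such as nocase get None, quotes are stripped."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = []
    for m in OPT_RE.finditer(body):
        val = m.group(2)
        opts.append((m.group(1), val.strip('"') if val is not None else None))
    return opts

def string_matches(opts):
    """(pattern, case_insensitive) per content/uricontent, in rule order; nocase modifies the one before it."""
    matches = []
    for key, val in opts:
        if key in ("content", "uricontent"):
            matches.append([val, False])
        elif key == "nocase" and matches:
            matches[-1][1] = True
    return [tuple(m) for m in matches]

def snort_to_iptables(rule, home_net="192.168.10.0/24", dport="80", reject=False,
                      chain="FWSNORT_FORWARD_ESTAB"):
    """fwsnort-style output: a LOG rule carrying the Snort metadata in a comment and, when
    reject=True, a second rule that tears the session down with a TCP RST (assumed layout)."""
    opts = parse_options(rule)
    meta = {k: v for k, v in opts if k in ("msg", "sid", "classtype", "reference", "rev")}
    base = [f"$IPTABLES -A {chain} -s {home_net} -p tcp --dport {dport}"]
    for pattern, icase in string_matches(opts):  # one string match per content option
        base.append(f'-m string --string "{pattern}" --algo bm' + (" --icase" if icase else ""))
    comment = (f'sid:{meta["sid"]}; msg: {meta["msg"]}; classtype: {meta["classtype"]}; '
               f'reference: {meta["reference"]}; rev: {meta["rev"]}; FWS:1.0;')
    base.append(f'-m comment --comment "{comment}"')
    prefix = f'[1] {"REJ " if reject else ""}SID{meta["sid"]} ESTAB '
    rules = [" ".join(base) + f' -j LOG --log-ip-options --log-tcp-options --log-prefix "{prefix}"']
    if reject:
        rules.append(" ".join(base) + " -j REJECT --reject-with tcp-reset")
    return rules
```

Running snort_to_iptables(DUMADOR_RULE) yields the single LOG rule; passing reject=True yields the LOG rule with the [1] REJ SID2002763 prefix followed by the REJECT rule.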
