Linux Firewalls - Michael Rash [126]
Signature Development
In the section above, we collected a packet trace of the Metasploit update SSL session, which allows us to see what the SSL certificate looks like. The first step in writing a Snort rule to accurately detect the Metasploit update is to analyze this packet trace with your favorite sniffer or protocol decoder. Our goal is to write a Snort rule that fwsnort can translate into an equivalent iptables rule.
Because the Metasploit update process uses SSL with a self-signed SSL certificate, one strategy to develop such a Snort rule is to have Snort look for this certificate as it is transferred between a client and server. Because the certificate name is advertised in the clear over the SSL session, it's easy to extract this name from the packet trace with a tool like Wireshark[68] or tcpdump. We use tcpdump below (with some output abbreviated):
[iptablesfw]# tcpdump -r metasploit_update.pcap -s 0 -nn -X
22:52:30.178782 IP 216.75.15.231.443 > 192.168.10.200.49356: . 1:1449(1448) ack 127 win 46
  0x0000:  4500 05dc d24f 4000 2f06 c0ee d84b 0fe7  E....O@./....K..
  0x0010:  c0a8 0a03 01bb c0cc ee22 4bef 43a2 a027  ........."K.C..'
  0x0020:  8010 002e 82eb 0000 0101 080a 1ff4 99a7  ................
  0x0030:  2591 f0c9 1603 0100 4a02 0000 4603 0145  %.......J...F..E
  0x0040:  42c5 ce81 9f02 eb05 ed30 ca9b 0973 a4d7  B........0...s..
  0x0050:  4182 de5a 5d7b 4c0c 59eb f300 0000 0020  A..Z]{L.Y.......
  0x0060:  6e67 1dfa 6363 78fb c180 d6d4 05f4 640e  ng..ccx.......d.
  0x0070:  be4f 4eb6 3fcf 8af7 ad95 3fd4 e901 c81d  .ON.?.....?.....
  0x0080:  0039 0016 0301 0674 0b00 0670 0006 6d00  .9.....t...p..m.
  0x0090:  066a 3082 0666 3082 054e a003 0201 0202  .j0..f0..N......
  0x00a0:  0101 300d 0609 2a86 4886 f70d 0101 0405  ..0...*.H.......
  0x00b0:  0030 81a8 310b 3009 0603 5504 0613 0255  .0..1.0...U....U
  0x00c0:  5331 0e30 0c06 0355 0408 1305 5465 7861  S1.0...U....Texa
  0x00d0:  7331 1430 1206 0355 0407 130b 5361 6e20  s1.0...U....San.
  0x00e0:  416e 746f 6e69 6f31 1f30 1d06 0355 040a  Antonio1.0...U..
  0x00f0:  1316 5468 6520 4d65 7461 7370 6c6f 6974  ..The.Metasploit
  0x0100:  2050 726f 6a65 6374 3114 3012 0603 5504  .Project1.0...U.
  0x0110:  0b13 0b44 6576 656c 6f70 6d65 6e74 3116  ...Development1.
  0x0120:  3014 0603 5504 0313 0d4d 6574 6173 706c  0...U....Metaspl
  0x0130:  6f69 7420 4341 3124 3022 0609 2a86 4886  oit.CA1$0"..*.H.
  0x0140:  f70d 0109 0116 1563 6163 6572 7440 6d65  .......cacert@me
  0x0150:  7461 7370 6c6f 6974 2e63 6f6d 301e 170d  tasploit.com0...

Notice the nice unique string cacert@metasploit.com in the last two lines of the dump above, which advertises the Metasploit webserver as the email address associated with the SSL certificate.
We'll use the email address portion of the certificate for the content field of a custom Snort rule, which we'll call rule ID 900001 and place within a file called metasploit.rules:

[iptablesfw]# cat metasploit.rules
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"Metasploit exploit DB update"; flow:established; content:"cacert@metasploit.com"; classtype:misc-activity; sid:900001; rev:1;)

Busting Metasploit Updates with fwsnort and psad

Armed with our new Snort rule, we can use fwsnort and psad to identify and stop the SSL sessions initiated by the svn update or msfupdate commands.

Note: Our rule would not stop other methods of updating Metasploit, such as using rsync over SSH against an external machine with a previously updated database, of course. In addition, we don't deploy fwsnort or psad responses that could interfere with basic DNS lookups or web requests to metasploit.com unless an SSL session is seen first.

As mentioned earlier, the first step in getting fwsnort to stop the Metasploit update process is to translate our new Snort rule into equivalent iptables rules. To do so, we copy the metasploit.rules file into the /etc/fwsnort/snort_rules directory and run fwsnort. Because we are focusing on stopping Metasploit updates, we use the --ipt-reject command-line argument to fwsnort:

[iptablesfw]# cp metasploit.rules /etc/fwsnort/snort_rules
[iptablesfw]# fwsnort --snort-sid
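As an added example (not code from the book or from fwsnort), the following Python walks the TLS record layer of the server segment shown in the tcpdump hex dump above, without decrypting anything, and applies the same content test that sid:900001 and its iptables translation perform. The payload bytes are copied from the dump; the handshake type constants and the printable-string helper are the example's own.

```python
import re
import struct

# Server->client TCP payload from the tcpdump hex dump above (bytes 0x0034-0x015f).
# The book shows the 1448-byte segment cut off, so the Certificate record is truncated here too.
SEGMENT_PAYLOAD = bytes.fromhex(
    "160301004a0200004603014542c5ce819f02eb05ed30ca9b0973a4d7"
    "4182de5a5d7b4c0c59ebf300000000206e671dfa636378fbc180d6d405f4640e"
    "be4f4eb63fcf8af7ad953fd4e901c81d00390016030106740b00067000066d00"
    "066a308206663082054ea003020102020101300d06092a864886f70d01010405"
    "003081a8310b3009060355040613025553310e300c0603550408130554657861"
    "73311430120603550407130b53616e20416e746f6e696f311f301d060355040a"
    "1316546865204d65746173706c6f69742050726f6a6563743114301206035504"
    "0b130b446576656c6f706d656e74311630140603550403130d4d65746173706c"
    "6f69742043413124302206092a864886f70d0109011615636163657274406d65"
    "746173706c6f69742e636f6d301e170d"
)
CONTENT = b"cacert@metasploit.com"  # the content: field of sid:900001

def tls_handshake_messages(payload):
    """Yield (handshake_type, body, record_complete) for each handshake message in one segment."""
    off = 0
    while off + 5 <= len(payload):
        ctype, _ver, rlen = struct.unpack("!BHH", payload[off:off + 5])
        if ctype != 0x16:        # 22 = handshake record; stop at anything else
            break
        record = payload[off + 5:off + 5 + rlen]   # shorter than rlen if the record continues in a later segment
        pos = 0
        while pos + 4 <= len(record):
            hlen = int.from_bytes(record[pos + 1:pos + 4], "big")
            yield record[pos], record[pos + 4:pos + 4 + hlen], len(record) == rlen
            pos += 4 + hlen
        off += 5 + rlen

def matches_rule(payload):
    """Emulate the payload test of sid:900001: (type, offset, complete) of the first body holding CONTENT, else None."""
    for htype, body, complete in tls_handshake_messages(payload):
        idx = body.find(CONTENT)
        if idx != -1:
            return htype, idx, complete
    return None

def cleartext_strings(payload, min_len=5):
    """Printable runs in the Certificate message (type 11): the DN and e-mail travel unencrypted."""
    for htype, body, _ in tls_handshake_messages(payload):
        if htype == 0x0b:
            return [s.decode() for s in re.findall(rb"[ -~]{%d,}" % min_len, body)]
    return []
```

The match lands inside the Certificate message of a record that is not yet complete in this segment, which is fine for this trace because iptables string matching works per packet: the translated rule only fires when the whole string sits within one segment, as it does here.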