Linux Firewalls - Michael Rash [167]
--string "nc%20" --algo bm -m comment --comment "msg: WEB-ATTACKS netcat command attempt; classtype: web-application-attack; rev: 5; FWS:0.9.0;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[7] SID1360 ESTAB "
$IPTABLES -A FWSNORT_INPUT_ESTAB -p tcp --dport 80 -m string --string "nc%20" --algo bm -m comment --comment "msg: WEB-ATTACKS netcat command attempt; classtype: web-application-attack; rev: 5; FWS:0.9.0;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[7] SID1360 ESTAB "
$ECHO " Rules added: 14"
###
############ Jump traffic to the fwsnort chains. ############
###
❺ $IPTABLES -D FORWARD -i ! lo -j FWSNORT_FORWARD 2> /dev/null
$IPTABLES -I FORWARD 1 -i ! lo -j FWSNORT_FORWARD
$IPTABLES -D INPUT -i ! lo -j FWSNORT_INPUT 2> /dev/null
$IPTABLES -I INPUT 1 -i ! lo -j FWSNORT_INPUT
$IPTABLES -D OUTPUT -o ! lo -j FWSNORT_OUTPUT 2> /dev/null
$IPTABLES -I OUTPUT 1 -o ! lo -j FWSNORT_OUTPUT
### EOF ###
At ❶ the command-line arguments used to execute fwsnort are included as part of the fwsnort.sh header. This is useful for determining exactly how fwsnort builds the fwsnort.sh script. At ❷ fwsnort.sh creates the set of custom chains to which all signature-matching rules are added. This maintains a degree of separation between fwsnort rules and the rules of any existing iptables policy on the system. The result is that the fwsnort policy is compatible with any existing iptables policy.
A set of iptables rules begins at ❸; these rules use the Netfilter connection-tracking system to send TCP packets that are part of ESTABLISHED connections through the fwsnort chains FWSNORT_FORWARD_ESTAB, FWSNORT_INPUT_ESTAB, and FWSNORT_OUTPUT_ESTAB. This allows fwsnort to restrict expensive application layer string-matching operations to packets that are part of real TCP connections. All translated Snort rules that are added to these chains contain the flow: established; option. More on this topic can be found in Chapter 9.
The real meat of the fwsnort.sh script starts at ❹. Here, iptables is instructed to search application layer data for the strings described by each of the seven Snort signatures. If any of the iptables rules triggers on a web session, then an iptables syslog message is generated for analysis by psad. Finally, at ❺ the fwsnort policy deletes and then adds rules to jump network traffic from the built-in INPUT, OUTPUT, and FORWARD chains to the custom fwsnort chains FWSNORT_INPUT, FWSNORT_OUTPUT, and FWSNORT_FORWARD. (Deleting the jump rules first allows the fwsnort.sh script to be executed multiple times without adding multiple copies of each jump rule.) Once network traffic is jumped into the fwsnort chains, the fwsnort whitelist, blacklist, and signature inspection operations are performed for each packet.
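The structure described from ❷ to ❺ (custom chains, an ESTAB sub-chain fed only by connection-tracked packets, string-match rules that log with a "[n] SIDxxxx ESTAB " prefix, and jump rules that are deleted before being re-inserted) can be reproduced in miniature. The following POSIX shell script is an added example, not fwsnort's own code: the chain names mirror fwsnort.sh, but the two-entry signature list and its msg text are constructed for illustration, only the INPUT_ESTAB chain is populated, and it uses the current iptables spellings "! -i lo" and "-m conntrack --ctstate ESTABLISHED" rather than the older "-i ! lo" form shown above. By default it only prints the rules through a dry_run function; set IPTABLES=/sbin/iptables and run it as root to load them.

```shell
#!/bin/sh
# Added example, not fwsnort's own code: a minimal generator for an
# fwsnort-style iptables policy. Rules are printed via dry_run() unless
# IPTABLES is set to a real iptables binary (then run as root).
dry_run() { printf '%s\n' "$*"; }
IPTABLES="${IPTABLES:-dry_run}"

# Create the custom chains and their ESTAB sub-chains. Only TCP packets that
# conntrack has already marked ESTABLISHED reach the ESTAB chain, so the
# expensive string matches never run on stray SYNs or spoofed packets.
setup_chains() {
    for c in INPUT OUTPUT FORWARD; do
        $IPTABLES -F "FWSNORT_$c" 2>/dev/null
        $IPTABLES -F "FWSNORT_${c}_ESTAB" 2>/dev/null
        $IPTABLES -X "FWSNORT_$c" 2>/dev/null
        $IPTABLES -X "FWSNORT_${c}_ESTAB" 2>/dev/null
        $IPTABLES -N "FWSNORT_$c"
        $IPTABLES -N "FWSNORT_${c}_ESTAB"
        $IPTABLES -A "FWSNORT_$c" -p tcp -m conntrack --ctstate ESTABLISHED \
            -j "FWSNORT_${c}_ESTAB"
    done
}

# One string-match rule in the style of the translated Snort signatures.
# Args: chain, dport, pattern, rule index, sid, rev, msg, classtype.
# The comment carries the Snort metadata; the log prefix is what psad parses.
add_sig_rule() {
    $IPTABLES -A "$1" -p tcp --dport "$2" -m string --string "$3" --algo bm \
        -m comment --comment "msg: $7; classtype: $8; rev: $6;" \
        -j LOG --log-ip-options --log-tcp-options --log-prefix "[$4] SID$5 ESTAB "
}

# Remove the jump from a built-in chain (ignored if absent) and re-insert it
# at position 1, so the script can be re-run without piling up duplicates.
# Args: built-in chain, interface flag (-i or -o), fwsnort chain.
remove_jump() { $IPTABLES -D "$1" ! "$2" lo -j "$3" 2>/dev/null; }
insert_jump() { $IPTABLES -I "$1" 1 ! "$2" lo -j "$3"; }

build_policy() {
    # Detach the custom chains first so that -X can delete them on a re-run.
    remove_jump INPUT -i FWSNORT_INPUT
    remove_jump OUTPUT -o FWSNORT_OUTPUT
    remove_jump FORWARD -i FWSNORT_FORWARD
    setup_chains
    n=0
    # Constructed signature list: dport|pattern|sid|rev|msg|classtype
    while IFS='|' read -r dport pattern sid rev msg ctype; do
        n=$((n + 1))
        add_sig_rule FWSNORT_INPUT_ESTAB "$dport" "$pattern" "$n" "$sid" "$rev" "$msg" "$ctype"
    done <<EOF
80|nc%20|1360|5|WEB-ATTACKS netcat command attempt|web-application-attack
80|/usr/bin/gcc|1341|5|WEB-ATTACKS gcc command attempt|web-application-attack
EOF
    insert_jump INPUT -i FWSNORT_INPUT
    insert_jump OUTPUT -o FWSNORT_OUTPUT
    insert_jump FORWARD -i FWSNORT_FORWARD
}

build_policy
```

Running it with no environment set prints the 29 iptables invocations it would issue, which is a convenient way to review a policy before loading it; the delete-then-insert pair for each jump rule is what keeps repeated runs from stacking identical jumps at the top of INPUT, OUTPUT, and FORWARD.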
To activate the fwsnort policy within the Linux kernel, just execute the fwsnort.sh script:
[iptablesfw]# /etc/fwsnort/fwsnort.sh
[+] Adding web-attacks rules.
Rules added: 14
Lastly, to see that the fwsnort policy is doing its job, you can send the string /usr/bin/gcc as a part of a contrived web request from an external system to the internal webserver (see the network diagram in Figure 1-2):
[ext_scanner]$ wget http://71.157.X.X/cgi/test.cgi?cmd=/usr/bin/gcc%20%2dWall%20test%2e
--19:44:58-- http://71.157.X.X/cgi/test.cgi?cmd=/usr/bin/gcc%20%2dWall%20test%2e
=> 'test.cgi?cmd=%2Fusr%2Fbin%2Fgcc -Wall test.'
Connecting to 71.157.X.X:80... connected.
HTTP request sent, awaiting response... 404 Not Found
19:44:58 ERROR 404: Not Found.
After sending the web request you will see the following log message written to syslog on the iptables system:
Mar 18 19:45:03 iptablesfw kernel: [5] SID1341 ESTAB IN=eth0 OUT=eth1 SRC=144.202.X.X DST=192.168.10.3 LEN=198 TOS=0x00 PREC=0x00 TTL=63 ID=60529 DF PROTO=TCP SPT=42180 DPT=80 WINDOW=92 RES=0x00 ACK PSH URGP=0
COLOPHON
Linux Firewalls was laid out in Adobe FrameMaker. The font families used are New Baskerville for body text, Futura for headings and tables,