Linux Firewalls - Michael Rash [51]
Note
Not all application layer encodings are expensive for an IDS to decode. For example, URL-encoded data in web sessions is decoded in real time by the Snort HTTP preprocessor with its uricontent keyword in the Snort signature language. This is possible because URL encoding is performed by a simple substitution operation with hex codes and percent signs—for example, A becomes %41 and is easily reversed in the same way. Such an encoding scheme is not computationally intensive.
* * *
[33] 7 There are some IDS products that offer SSL key escrow services so that encrypted webserver communications can be inspected after unraveling the encrypted data.
Application Layer Responses
Technically, a purely application layer response to an application layer attack should only involve constructs that exist at the application layer. For example, if users are abusing an application, their accounts should simply be disabled, or if an attacker attempts an SQL injection attack via a CGI application executed by a webserver, the query should be discarded and an HTTP error code should be returned to the client. Such a response does not require manipulation of packet header information that exists below the application layer.
However, strictly application layer responses are impractical for firewalls and network intrusion prevention systems because they are not usually tightly integrated with the applications themselves.[34] Further, if a highly malicious attack is discovered from a particular IP address over a TCP session (one that requires bidirectional communication), it may be more useful to disallow all subsequent communications from the attacker's IP address anyway. This is a network layer response to an application layer attack.
We emphasize in this book network and transport layer responses to application layer attacks instead of responses that applications can perform themselves. These responses are made possible by the ability of iptables to create and manage blocking rules (managed by the psad project) against an attacker's IP address and by using the REJECT target to tear down TCP connections via fwsnort. Chapter 10 and Chapter 11 cover such responses in detail.
* * *
[34] 8 There are security mechanisms that do tightly integrate with applications (such as the ModSecurity module for Apache webservers), but firewalls and intrusion detection systems have no visibility into the operations of these mechanisms.
Chapter 5. INTRODUCING PSAD: THE PORT SCAN ATTACK DETECTOR
In this chapter I'll introduce the Port Scan Attack Detector, or psad for short. We will cover installation, administration, and configuration issues in this chapter and leave the heavy lifting on psad operations and auto-response for the next two chapters.
History
The software project that became psad began as a part of Bastille Linux in the fall of 1999, when the Bastille development team decided that Bastille should offer a lightweight network intrusion detection component. At the time, Peter Watkins was developing the excellent firewalling scripts that are still bundled with Bastille today, so it was a natural next step to develop an IDS tool based on information provided in firewall logs. In addition, at that time, PortSentry (see http://sourceforge.net/projects/sentrytools)