Linux Firewalls - Michael Rash
that psad is able to detect directly from iptables log messages. None of these rules require application layer tests against network traffic—fwsnort runs application layer tests (see Chapter 9 and Chapter 10). An example rule from this file is the following:

alert udp $EXTERNAL_NET any -> $HOME_NET 1026:1029 (msg:"MISC Windows popup spam attempt"; classtype:misc-activity; reference:url,www.linklogger.com/UDP1026.htm; psad_dsize:>100; psad_id:100196; psad_dl:2;)

The psad_dsize, psad_id, and psad_dl fields above are custom fields added to the Snort rules language by psad. In this case, the psad_dsize field requires the data portion of the UDP packet to be larger than 100 bytes, the psad_id field defines a unique ID for this rule, and the psad_dl field tells psad to assign a danger level of two to any IP address that triggers this signature. A complete discussion of the modifications psad makes to the Snort rules language is provided in Chapter 7.

/etc/psad/snort_rule_dl

Similar to the /etc/psad/auto_dl file, the snort_rule_dl file instructs psad to automatically set the danger level of any IP address that triggers a Snort rule match. The syntax of this file is the following:

sid danger level

If the danger level is zero, psad ignores the signature match altogether and no alerts are sent. Some signature matches are worse than others, though—if psad detects traffic that matches Snort rule ID 1812 (EXPLOIT gobbles SSH exploit attempt[41]), this is potentially far more damaging than a match for Snort rule ID 469 (ICMP PING NMAP). Of course, the best strategy for limiting the effects of the Gobbles SSH exploit is not to run a vulnerable SSH daemon in the first place, but it is still important to detect attacks for this exploit. You can elevate the danger level of an IP address that matched Snort rule 1812 to 5, like so:

1812 5;

/etc/psad/ip_options

As discussed in Chapter 2, the options portion of the IP header is not often used in IP communications, but iptables can log IP options with the --log-ip-options command-line argument. If an iptables log message contains IP options, psad parses these options for suspicious activity, such as source routing attempts. A few Snort rules define suspicious usages of IP options, and psad references the /etc/psad/ip_options file in order to decode IP options in iptables log messages. This file defines commonly used IP options and their corresponding identifying numbers, according to the following syntax:

option value length (-1 for variable) ipopts argument description

For example, this is how the Snort lsrr (Loose Source Route) option is included:

131 -1 lsrr Loose Source Route
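As an added illustration (not psad's own code) of how a table in the ip_options format above lets a log parser turn the option bytes in an iptables --log-ip-options message back into Snort ipopts keywords, here is a small Python decoder. The option entries other than lsrr, the log line, and the "OPT (hex)" field layout are assumptions made for this example.

```python
import re

# Constructed sample in the /etc/psad/ip_options format described above:
# "option value  length (-1 for variable)  ipopts argument  description".
# Only the lsrr line is from the book; the other codes are assumed here.
IP_OPTIONS = """
0    1  eol   End of Options List
1    1  nop   No Operation
7   -1  rr    Record Route
131 -1  lsrr  Loose Source Route
137 -1  ssrr  Strict Source Route
"""
# Constructed iptables log line; assumes the LOG target prints the raw option
# bytes as "OPT (hex)": 0x83 = 131 (lsrr), len 7, ptr 4, hop 192.0.2.1, EOL.
SAMPLE_LOG = ("IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=68 TTL=51 "
              "OPT (830704C000020100) PROTO=TCP SPT=40123 DPT=22 SYN")

def parse_ip_options(text):
    """Return {option_number: (length, ipopts_keyword, description)}."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if line:
            value, length, keyword, desc = line.split(None, 3)
            opts[int(value)] = (int(length), keyword, desc)
    return opts

def decode_ip_options(log_line, opts):
    """Walk the OPT (hex) bytes and return the ipopts keywords in order."""
    m = re.search(r"OPT \(([0-9A-Fa-f]+)\)", log_line)
    data = bytes.fromhex(m.group(1)) if m else b""
    found, i = [], 0
    while i < len(data):
        num = data[i]
        length, keyword, _ = opts.get(num, (-1, f"opt{num}", ""))
        found.append(keyword)
        if num == 0:                  # EOL terminates the option list
            break
        if length == 1:               # single-byte option such as nop
            i += 1
        elif i + 1 < len(data):       # variable length: next byte is total length
            i += max(data[i + 1], 2)  # guard against a bogus 0/1 length looping
        else:
            break
    return found

def source_routed(log_line, opts):
    """True when the message carries a loose or strict source route option."""
    return any(k in ("lsrr", "ssrr") for k in decode_ip_options(log_line, opts))
```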

/etc/psad/pf.os

The OS database from the p0f project is used by psad to passively fingerprint remote operating systems. This database is installed by psad as the file /etc/psad/pf.os and is imported at psad startup (or when psad receives a hangup or HUP signal via the kill command or from psad -H).

Here is an example of a p0f fingerprint for Linux:

S4:64:1:60:M*,S,T,N,W0: Linux:2.4::Linux 2.4/2.6 <= 2.6.7

You can find more material on the topic of passive OS fingerprinting (including a breakdown of the p0f signature format above) in Chapter 7.

* * *

[40] ulogd is the user space logging daemon provided by the Netfilter project to allow more flexible logging options than those provided by the standard LOG target. In particular, packets are managed by various ulogd plug-ins, which can do things such as log packets in pcap format to disk or even write them to a MySQL database. ulogd can be downloaded from http://www.gnumonks.org/projects.

[41] This requires fwsnort to perform a string match against SSH application layer data; there is more on this topic in Chapter 9.

Concluding Thoughts

This chapter has focused on the installation and configuration of psad on a Linux system running iptables. Some of the more important configuration variables from the psad.conf file were presented, and now we are ready to delve into operational aspects of psad in the next chapter. For reference, you will
