
Linux Firewalls - Michael Rash [70]

value of zero, the SYN flag set, and a TTL value in the IP header greater than 220.

alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"SCAN myscan"; flow:stateless; ack:0; flags:S; ttl:>220; reference:arachnids,439; classtype:attempted-recon; sid:613; rev:6;)

None of the tests in this Snort rule examine application layer data, and there are about 150 such rules in the Snort ruleset. Modified versions of all of these rules are imported by psad from the /etc/psad/signatures file.[44] If you look at a random signature in the /etc/psad/signatures file, such as the BAD-TRAFFIC data in TCP SYN packet signature (shown below), you can see that psad has extended the usual Snort rule syntax with some additional keywords (shown at ❶, ❷, and ❸):

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC data in TCP SYN packet"; ❶psad_dsize:>20; flags:S; reference:url,www.cert.org/incident_notes/IN-99-07.html; classtype:misc-activity; sid:207; ❷psad_id:100000; ❸psad_dl:2;)

These additional keywords carry the information psad needs to use the signature (its own ID, a danger level, and size tests that work against iptables log fields rather than a raw packet). Here are the definitions of all psad keyword additions to Snort rules:

psad_id

This keyword defines a unique ID number so that signatures can be tracked and new signatures can be added to psad. The psad_id field is analogous to the Snort sid field. All psad_id values are six digits long, and they begin at 100,000 in order to distinguish them from Snort sid values (the signature above, for example, carries sid:207 and psad_id:100000). This method of defining custom ID values is similar to the Bleeding Snort project (http://www.bleedingsnort.com), where signature ID values are seven digits long and generally begin with the year the signature is created.

psad_dl

This keyword specifies the danger level that psad should assign to an IP address that triggers the signature. The psad_dl field accepts a value between 1 (lowest) and 5 (highest).

psad_dsize

This keyword specifies match criteria for the size of a packet payload, computed by subtracting the network and transport layer header lengths from the value of the iptables LEN field. This option is analogous to the Snort dsize keyword, but because the LEN field of an iptables log message is the total length of the logged packet, including the IP header (and, for TCP, the TCP header and any options), psad must subtract those headers out. The psad_dsize keyword supports the same match forms as Snort dsize: a range n:m, an exact value n, or a comparison such as >n. For example, to test whether the payload size is greater than 1,000 bytes, you could add psad_dsize:>1000 to a signature.

psad_derived_sids

This keyword allows psad to track the original Snort sid values from which a psad signature is derived. Some psad signatures are built up from several Snort rules, and this keyword records which ones.

psad_ip_len

This keyword specifies match criteria for the LEN field of an iptables log message, that is, the total IP packet length (this is similar to the psad_dsize keyword, but it does not subtract the length of the network and transport layer headers). Like the psad_dsize keyword, the psad_ip_len keyword also supports range matches of the form n:m and exact matches of the form n. For example, to test whether the LEN field is between 100 and 200 bytes, you could add psad_ip_len:100:200 to a signature.
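To make the header-length arithmetic behind psad_dsize and psad_ip_len concrete, here is an added example (not psad's own code, and not from the book) that evaluates the three signatures quoted in this section against constructed iptables LOG lines. It assumes the lines were produced with the iptables --log-tcp-sequence and --log-tcp-options flags, so that SEQ=, ACK= and the TCP option bytes are present; it treats $EXTERNAL_NET and $HOME_NET as "any" for simplicity, and it implements plain flags:S with Snort's semantics (SYN set, all other flags clear). The OPT (...) placement rule (IP options before PROTO=, TCP options after) follows the iptables LOG output format.

```python
"""Evaluate psad-extended Snort signatures against iptables LOG lines (added example)."""
import re

# Snort flag letters -> the tokens iptables prints for set TCP flags.
FLAG_LETTERS = {"S": "SYN", "A": "ACK", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG"}
TCP_FLAG_TOKENS = set(FLAG_LETTERS.values()) | {"CWR", "ECE"}
# Fixed transport header sizes that psad_dsize must subtract (TCP adds its options).
TRANSPORT_HLEN = {"TCP": 20, "UDP": 8, "ICMP": 8}

# The three signatures quoted in this section (BAD-TRAFFIC msg quote closed).
RULES = [
    'alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"SCAN myscan"; flow:stateless; '
    'ack:0; flags:S; ttl:>220; reference:arachnids,439; classtype:attempted-recon; sid:613; rev:6;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC data in TCP SYN packet"; '
    'psad_dsize:>20; flags:S; reference:url,www.cert.org/incident_notes/IN-99-07.html; '
    'classtype:misc-activity; sid:207; psad_id:100000; psad_dl:2;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN ipEye SYN scan"; flags:S; '
    'seq:1958810375; reference:arachnids,236; classtype:attempted-recon; sid:622; '
    'psad_id:100197; psad_dl:2;)',
]

# Constructed iptables LOG lines (not real captures), assumed logged with
# --log-tcp-sequence and --log-tcp-options so SEQ/ACK and TCP option bytes appear.
LOG_LINES = [
    # SYN from source port 10101 with TTL 250: should trigger sid 613.
    "Jan  5 12:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 "
    "PREC=0x00 TTL=250 ID=1234 PROTO=TCP SPT=10101 DPT=22 SEQ=1 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0",
    # SYN carrying data: LEN 84 - 20 (IP) - 20 (TCP) - 20 (TCP options) = 24 payload bytes.
    "Jan  5 12:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.8 DST=192.0.2.10 LEN=84 TOS=0x00 "
    "PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=40000 DPT=80 SEQ=77 ACK=0 WINDOW=5840 RES=0x00 SYN "
    "URGP=0 OPT (020405B40402080A000000010000000001030307)",
    # SYN with ipEye's fixed initial sequence number.
    "Jan  5 12:00:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 "
    "PREC=0x00 TTL=128 ID=2 PROTO=TCP SPT=1035 DPT=445 SEQ=1958810375 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0",
    # SYN/ACK: plain flags:S (SYN alone) must not match it even though the other tests hold.
    "Jan  5 12:00:04 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 "
    "PREC=0x00 TTL=250 ID=1235 PROTO=TCP SPT=10101 DPT=22 SEQ=2 ACK=9001 WINDOW=1024 RES=0x00 ACK SYN URGP=0",
]

RULE_HEADER = re.compile(r"^alert\s+(\w+)\s+\S+\s+(\S+)\s+->\s+\S+\s+(\S+)\s+\((.*)\)\s*$")
NUMERIC_TESTS = {"ttl": "TTL", "ack": "ACK", "seq": "SEQ", "id": "ID",
                 "psad_ip_len": "ip_len", "psad_dsize": "dsize", "dsize": "dsize"}


def parse_iptables_log(line):
    """Extract the fields the signature tests need from one iptables LOG line.

    KEY=VALUE tokens are kept under their key (numeric values become ints), bare
    TCP flag tokens form the 'tcp_flags' set, 'ip_len' is the LEN field, and
    'dsize' is LEN minus IP and transport header lengths (the psad_dsize value).
    An OPT (...) hex block before PROTO= is IP options, one after it TCP options.
    """
    pkt = {}
    for key, val in re.findall(r"\b([A-Z]+)=(\S*)", line):
        pkt[key] = int(val) if val.isdigit() else val
    pkt["tcp_flags"] = {tok for tok in line.split() if tok in TCP_FLAG_TOKENS}
    proto_at = line.find("PROTO=")
    ip_opt_len = tcp_opt_len = 0
    for m in re.finditer(r"OPT \(([0-9A-Fa-f]*)\)", line):
        if m.start() < proto_at:
            ip_opt_len = len(m.group(1)) // 2
        else:
            tcp_opt_len = len(m.group(1)) // 2
    proto = pkt.get("PROTO")
    transport = TRANSPORT_HLEN.get(proto, 0) + (tcp_opt_len if proto == "TCP" else 0)
    pkt["ip_len"] = pkt["LEN"]
    pkt["dsize"] = pkt["LEN"] - (20 + ip_opt_len) - transport
    return pkt


def parse_rule(text):
    """Split a rule into protocol, ports and an option dict ($HOME_NET etc. treated as any)."""
    proto, sport, dport, body = RULE_HEADER.match(text).groups()
    opts = {k: v.strip().strip('"') for k, v in re.findall(r"(\w+)(?::\s*([^;]*))?;", body)}
    return {"proto": proto.upper(), "sport": sport, "dport": dport, "opts": opts}


def num_test(spec, value):
    """Snort-style numeric test: >n, <n, n:m (inclusive range) or exact n."""
    if spec.startswith(">"):
        return value > int(spec[1:])
    if spec.startswith("<"):
        return value < int(spec[1:])
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (lo == "" or value >= int(lo)) and (hi == "" or value <= int(hi))
    return value == int(spec)


def rule_matches(rule, pkt):
    """True if every header-level test in the rule holds for the logged packet."""
    o = rule["opts"]
    if pkt.get("PROTO") != rule["proto"]:
        return False
    for want, key in ((rule["sport"], "SPT"), (rule["dport"], "DPT")):
        if want != "any" and pkt.get(key) != int(want):
            return False
    # Plain flags:S means SYN set and every other flag clear (no ",12" modifiers handled).
    if "flags" in o and pkt["tcp_flags"] != {FLAG_LETTERS[c] for c in o["flags"]}:
        return False
    for opt, key in NUMERIC_TESTS.items():
        # seq/ack tests can only succeed if the log carries SEQ=/ACK= fields.
        if opt in o and (key not in pkt or not num_test(o[opt], pkt[key])):
            return False
    return True


def scan(rules, lines):
    """Return (line index, sid, psad_id, psad_dl, msg) for every rule that fires."""
    parsed = [parse_rule(r) for r in rules]
    hits = []
    for i, line in enumerate(lines):
        pkt = parse_iptables_log(line)
        for rule in parsed:
            if rule_matches(rule, pkt):
                o = rule["opts"]
                hits.append((i, o.get("sid"), o.get("psad_id"), o.get("psad_dl"), o.get("msg")))
    return hits


if __name__ == "__main__":
    for hit in scan(RULES, LOG_LINES):
        print("line %d: sid %s psad_id %s danger level %s  %s" % hit)
```

Running it reports sid 613 for the first line, sid 207 (psad_id 100000, danger level 2) for the second and sid 622 for the third; the SYN/ACK on the fourth line matches nothing. The second line is the instructive one: its LEN field is 84, but 40 of those bytes are the TCP header plus options, so psad_ip_len would see 84 while psad_dsize sees 24. The first rule carries no psad_id or psad_dl on the page, so the example reports only its sid for it.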

Next, we highlight a selection of specific Snort rules to show how psad can detect the traffic represented by these rules. Taking automated response measures against IP addresses that trigger Snort rules is covered in Chapter 11.

Detecting the ipEye Port Scanner

The ipEye port scanner (http://ntsecurity.nu/toolbox/ipeye) is a Windows tool for port scanning a remote host. In this sense, ipEye is similar to Nmap, although not nearly as feature-rich. Snort rule ID 622 detects when the ipEye scanner is being used on a network:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN ipEye SYN scan"; flags:S; seq:1958810375; reference:arachnids,236; classtype:attempted-recon; sid:622; psad_id:100197; psad_dl:2;)

The above Snort rule requires no application layer tests; instead, it just detects whether the SYN flag is set and the TCP sequence number is the specific value 1958810375
