Linux Firewalls - Michael Rash [73]
Because psad treats packets that are logged in the INPUT chain as having been directed at the home network (regardless of whether they come from internal addresses), the following signature detects Windows pop-up spam attempts directed at the firewall itself. Note the UDP protocol at ❶, the destination port range 1026 to 1029 at ❷, and the psad_dsize test at ❸, which requires more than 100 bytes of application layer data:
alert ❶udp $EXTERNAL_NET any -> $HOME_NET ❷1026:1029 (msg:"MISC Windows popup spam
attempt"; classtype:misc-activity; reference:url,www.linklogger.com/UDP1026.htm;
❸ psad_dsize:>100; psad_id:100196; psad_dl:2;)
The log message shows how iptables sees a pop-up spam message attempt (note that the destination port is 1026 and the size of the UDP packet, including the 8-byte UDP header, is 516 bytes):
Jul 14 15:03:24 iptablesfw kernel: DROP IN=eth0 OUT= MAC=00:13:d3:38:b6:e4:00:90:1a:a0:1c:ec:08:00
SRC=65.182.197.125 DST=71.157.X.X LEN=536 TOS=0x00 PREC=0x00 TTL=117 ID=6090 PROTO=UDP SPT=3515
DPT=1026 LEN=516
psad notices the traffic and generates a syslog alert:
Jul 14 15:03:29 iptablesfw psad: src: 65.182.197.125 signature match: "MISC Windows
popup spam attempt" (sid: 100196) udp port: 1026
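The matching just described, as an added example that is not psad's own code (psad is written in Perl): a short Python script parses the rule above and the iptables LOG line, then applies the protocol, destination-port-range and psad_dsize tests exactly as the text walks through them. The first log line is the one quoted above, rejoined onto one line; the other three are constructed to show the non-matching cases (too little payload, port outside 1026:1029, wrong protocol). $HOME_NET and $EXTERNAL_NET are deliberately not checked, mirroring the point that anything logged in INPUT counts as aimed at the home network.

```python
import re
from dataclasses import dataclass

# Constructed input: the psad signature quoted above, rejoined onto one line.
SIGNATURE = (
    'alert udp $EXTERNAL_NET any -> $HOME_NET 1026:1029 '
    '(msg:"MISC Windows popup spam attempt"; classtype:misc-activity; '
    'reference:url,www.linklogger.com/UDP1026.htm; psad_dsize:>100; '
    'psad_id:100196; psad_dl:2;)'
)

# Constructed input: the LOG line from the text (first entry) plus three
# variants that must not match: tiny payload, port out of range, wrong protocol.
_COMMON = ('iptablesfw kernel: DROP IN=eth0 OUT= '
           'MAC=00:13:d3:38:b6:e4:00:90:1a:a0:1c:ec:08:00 ')
LOG_LINES = [
    'Jul 14 15:03:24 ' + _COMMON + 'SRC=65.182.197.125 DST=71.157.X.X LEN=536 '
    'TOS=0x00 PREC=0x00 TTL=117 ID=6090 PROTO=UDP SPT=3515 DPT=1026 LEN=516',
    'Jul 14 15:04:01 ' + _COMMON + 'SRC=203.0.113.9 DST=71.157.X.X LEN=40 '
    'TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=5555 DPT=1027 LEN=20',
    'Jul 14 15:04:02 ' + _COMMON + 'SRC=203.0.113.9 DST=71.157.X.X LEN=536 '
    'TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=UDP SPT=5555 DPT=1030 LEN=516',
    'Jul 14 15:04:03 ' + _COMMON + 'SRC=203.0.113.9 DST=71.157.X.X LEN=60 '
    'TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40000 DPT=1026 '
    'WINDOW=5840 RES=0x00 SYN URGP=0',
]


@dataclass
class Rule:
    proto: str
    sport: tuple
    dport: tuple
    opts: dict


RULE_RE = re.compile(r'^alert\s+(\w+)\s+\S+\s+(\S+)\s+->\s+\S+\s+(\S+)\s+\((.*)\)\s*$')
OPT_RE = re.compile(r'(\w+)(?::("[^"]*"|[^;]*))?;')


def parse_ports(spec):
    """'any', 'N', 'lo:hi', ':hi' or 'lo:' -> inclusive (lo, hi) tuple."""
    if spec == 'any':
        return (0, 65535)
    if ':' in spec:
        lo, hi = spec.split(':', 1)
        return (int(lo or 0), int(hi or 65535))
    return (int(spec), int(spec))


def parse_rule(text):
    """Split a psad/Snort-style rule into header fields and an option dict."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError('unparsable rule: ' + text)
    proto, sport, dport, body = m.groups()
    opts = {k: (v or '').strip('"') for k, v in OPT_RE.findall(body)}
    return Rule(proto.upper(), parse_ports(sport), parse_ports(dport), opts)


def parse_iptables_log(line):
    """KEY=VALUE fields of an iptables LOG line. LEN= appears twice for UDP
    (IP total length first, then UDP length), so the two are kept apart."""
    fields, seen_len = {}, 0
    for key, value in re.findall(r'\b([A-Z]+)=(\S*)', line):
        if key == 'LEN':
            seen_len += 1
            key = 'IPLEN' if seen_len == 1 else 'L4LEN'
        fields[key] = value
    return fields


def payload_len(fields):
    """Application-layer bytes. For UDP the LOG target records the UDP length,
    so payload = L4LEN minus the 8-byte UDP header; other protocols give None."""
    if fields.get('PROTO') == 'UDP' and 'L4LEN' in fields:
        return int(fields['L4LEN']) - 8
    return None


def dsize_ok(spec, n):
    """Evaluate a psad_dsize test ('>N', '<N' or exact 'N') against n bytes."""
    if n is None:
        return False
    if spec[0] in '<>':
        return n > int(spec[1:]) if spec[0] == '>' else n < int(spec[1:])
    return n == int(spec)


def rule_matches(rule, f):
    """Header-level match: protocol, both port ranges, then psad_dsize.
    Addresses are not tested (see lead-in); ICMP lines lack SPT/DPT."""
    if f.get('PROTO') != rule.proto or 'SPT' not in f or 'DPT' not in f:
        return False
    if not (rule.sport[0] <= int(f['SPT']) <= rule.sport[1]
            and rule.dport[0] <= int(f['DPT']) <= rule.dport[1]):
        return False
    dsize = rule.opts.get('psad_dsize')
    return dsize is None or dsize_ok(dsize, payload_len(f))


def scan(lines, rules):
    """Return one psad-style alert string per (log line, rule) match."""
    alerts = []
    for line in lines:
        f = parse_iptables_log(line)
        for r in rules:
            if rule_matches(r, f):
                alerts.append('src: %s signature match: "%s" (sid: %s) %s port: %s' % (
                    f['SRC'], r.opts.get('msg'), r.opts.get('psad_id'),
                    r.proto.lower(), f['DPT']))
    return alerts


if __name__ == '__main__':
    for alert in scan(LOG_LINES, [parse_rule(SIGNATURE)]):
        print(alert)
```

Only the first line produces an alert, and its payload works out to 516 - 8 = 508 bytes, which is why psad_dsize:>100 is satisfied; the 20-byte datagram to port 1027 is silently dropped by the same test even though its port is in range.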
Note
Although the previous examples have highlighted psad's Snort rule detection capability with an emphasis on rules that test packet headers, running fwsnort provides a huge improvement: The detection capabilities of psad are extended to include application layer data, as you'll see in detail in Chapter 11.
* * *
1. The ability to test the application layer is, of course, very important when attempting to detect the majority of today's attacks, and psad offers this capability when combined with fwsnort (which uses the Netfilter string match extension). For more detail, see Chapter 11.
psad Signature Updates
Each psad release usually includes an updated signature set bundled within the psad tar archive or RPM file as the "signatures" file. Signature development is an ongoing process, however, and in some cases a new signature is developed for psad well before the next release is available.
So that new signatures can be used as soon as they are available, the latest signature set is published at http://www.cipherdyne.org/psad/signatures. With the --sig-update command-line argument, psad downloads this file and places it in the filesystem at /etc/psad/signatures, as shown in the following output:
[iptablesfw]# psad --sig-update
[+] Archiving original /etc/psad/signatures -> signatures.old1
[+] Downloading latest signatures from:
http://www.cipherdyne.org/psad/signatures
--03:19:16-- http://www.cipherdyne.org/psad/signatures
=> 'signatures'
Resolving www.cipherdyne.org... 204.174.223.204
Connecting to www.cipherdyne.org|204.174.223.204|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 45,078 (44K) [text/plain]
100%[==========================================>] 45,078 74.63K/s
03:19:17 (74.46 KB/s) - 'signatures' saved [45078/45078]
[+] New signature file /etc/psad/signatures has been put in place
You can restart psad (or use 'psad -H') to import the new
signatures.
As you can see, the latest signature set has been downloaded; you can either restart psad altogether with the init script (/etc/init.d/psad restart) or send the running psad daemon a HUP signal (psad -H) so that it imports the new signature set. Note that the transfer in the output above is plain HTTP on port 80, with no transport-level integrity protection, so on an untrusted network path it is worth diffing the archived signatures.old1 against the new /etc/psad/signatures before signalling psad to load it.
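What a cautious version of that update step looks like, as an added example that is not part of psad: validate that every rule line in the downloaded file carries a psad_id, archive the current file as signatures.oldN (psad's own output shows signatures.old1; incrementing N on later runs is this example's assumption), install the new file atomically, report which sids were added and removed, and optionally send SIGHUP to the daemon from a pid file whose path you supply (the location is site-specific and is an assumption here). The two sample signature sets are constructed; 999001 and 999002 are made-up sids alongside the real rule quoted earlier.

```python
import os
import re
import shutil
import signal
import tempfile

SID_RE = re.compile(r'psad_id:(\d+);')


def rule_sids(path):
    """psad_id values in a signatures file. Every 'alert' line must carry one;
    the numbers of lines that do not are returned so the whole file can be
    rejected rather than half-loaded."""
    sids, bad = set(), []
    with open(path) as fh:
        for n, line in enumerate(fh, 1):
            line = line.strip()
            if not line.startswith('alert'):
                continue                      # comments and blank lines
            m = SID_RE.search(line)
            if m:
                sids.add(m.group(1))
            else:
                bad.append(n)
    return sids, bad


def archive_name(etc_dir):
    """First free signatures.oldN name (N increments: an assumption here)."""
    n = 1
    while os.path.exists(os.path.join(etc_dir, 'signatures.old%d' % n)):
        n += 1
    return os.path.join(etc_dir, 'signatures.old%d' % n)


def install_signatures(new_path, etc_dir, pid_path=None):
    """Validate, archive, install atomically, optionally HUP psad (what
    'psad -H' does). Returns the sids added/removed so the change is visible."""
    new_sids, bad = rule_sids(new_path)
    if bad or not new_sids:
        raise ValueError('refusing to install %s: bad rule lines %s' % (new_path, bad))
    current = os.path.join(etc_dir, 'signatures')
    old_sids = set()
    if os.path.exists(current):
        old_sids, _ = rule_sids(current)
        shutil.copy2(current, archive_name(etc_dir))
    tmp = current + '.tmp'
    shutil.copyfile(new_path, tmp)
    os.replace(tmp, current)          # rename is atomic: no half-written file seen
    if pid_path:                      # pid file path is site-specific (assumption)
        with open(pid_path) as fh:
            os.kill(int(fh.read().strip()), signal.SIGHUP)
    return {'added': sorted(new_sids - old_sids),
            'removed': sorted(old_sids - new_sids),
            'total': len(new_sids)}


# Constructed sample files: the rule from the text plus made-up sids.
OLD_SET = '''# constructed old signature set
alert udp $EXTERNAL_NET any -> $HOME_NET 1026:1029 (msg:"MISC Windows popup spam attempt"; psad_dsize:>100; psad_id:100196; psad_dl:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 12345 (msg:"constructed old rule"; psad_id:999001; psad_dl:2;)
'''
NEW_SET = '''# constructed new signature set: 999001 dropped, 999002 added
alert udp $EXTERNAL_NET any -> $HOME_NET 1026:1029 (msg:"MISC Windows popup spam attempt"; psad_dsize:>100; psad_id:100196; psad_dl:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23456 (msg:"constructed new rule"; psad_id:999002; psad_dl:2;)
'''
BROKEN_SET = 'alert tcp any any -> any 80 (msg:"no psad_id here";)\n'


def demo():
    """Run two good updates and one bad one in a scratch directory."""
    etc = tempfile.mkdtemp(prefix='psad-sig-')
    with open(os.path.join(etc, 'signatures'), 'w') as fh:
        fh.write(OLD_SET)
    new, broken = os.path.join(etc, 'dl.sig'), os.path.join(etc, 'broken.sig')
    with open(new, 'w') as fh:
        fh.write(NEW_SET)
    with open(broken, 'w') as fh:
        fh.write(BROKEN_SET)
    first = install_signatures(new, etc)
    second = install_signatures(new, etc)     # same content, new archive file
    try:
        install_signatures(broken, etc)
        rejected = False
    except ValueError:
        rejected = True                       # validated before anything is touched
    archives = sorted(p for p in os.listdir(etc) if p.startswith('signatures.old'))
    shutil.rmtree(etc)
    return {'first': first, 'second': second, 'rejected': rejected, 'archives': archives}


if __name__ == '__main__':
    print(demo())
```

The validation runs before the archive and rename, so a malformed download leaves the existing /etc/psad/signatures and its archives untouched; the returned sid lists are what you would read before deciding to HUP the daemon.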
OS Fingerprinting