
Linux Firewalls - Michael Rash [93]

use it frequently.[51] Such a signature would look for invariant portions of typical Nmap output such as the string "Interesting ports on" like this:

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"WEB-ATTACKS nmap
command success"; flow:from_server,established; content:"Interesting ports on";
classtype:web-application-attack; sid:2007008; rev:1;)

Bleeding Snort "Bancos Trojan" Signature

The Bancos Trojan is a nasty piece of code that can steal passwords by masquerading as an interface for certain banks in Brazil. (See the symantec.com web link in the reference field in the Snort rule below for more information.) The Bleeding Snort project developed the signature, which can be found in the bleeding-all.rules file in the fwsnort sources. This signature is more complex than the previous Nmap execution signature because it requires two application content matches, one for the literal string "[AspackDie!]" and one for a sequence of non-printable bytes:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE VIRUS
Trojan-Spy.Win32.Bancos Download"; flow: established,from_server; content:
"[AspackDie!]";
content:"|0f 6d 07 9e 6c 62 6c 68 00 d2 2f 63 6d 64 9d 11 af af 45 c7 72 ac 5f
3138 d0|"; classtype: trojan-activity; reference:url,
securityresponse.symantec.com/avcenter/venc/data/pwsteal.bancos.b.html; sid: 2001726;
rev:6; )

The equivalent iptables command generated by fwsnort is shown below. Each Snort content match becomes its own -m string match in the translated rule. Note that for the second match the iptables --hex-string command-line option is used instead of --string, so that the iptables rule can easily match non-printable ASCII characters within the kernel as it inspects network traffic.

$IPTABLES -A FWSNORT_FORWARD_ESTAB -p tcp --sport 80 -m string --string
"[AspackDie!]" --algo bm -m string --hex-string "|0f 6d 07 9e 6c 62 6c 68 00 d2 2f
63 6d 64 9d 11 af af 45 c7 72 ac 5f 3138 d0|" --algo bm -m comment --comment "sid:
2001726; msg: BLEEDING-EDGE VIRUS Trojan-Spy.Win32.Bancos Download; classtype: trojan-activity;
reference: url,securityresponse.symantec.com/avcenter/venc/data/pwsteal.bancos.b.html; rev: 6; FWS:1.0;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[199] SID2001726 ESTAB "

PGPNet connection attempt Signature

The content fields in Snort rules can be quite long, as illustrated by the PGPNet connection attempt signature below from the policy.rules file:

alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"POLICY IPSec PGPNet connection
attempt"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00
00 00 00 88 0D 00 00 5C 00 00 00 01 00 00 00 01 00 00 00|P|
01 01 00 02 03 00 00 24 01 01 00 00 80 01 00 06 80 02 00 02 80 03 00 03 80 04 00 05 80
0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 03
00 03 80 04 00 02 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 10|"; classtype:
protocol-command-decode; sid:1771; rev:6;)

Long command-line arguments are no problem for iptables. This time we tell fwsnort not just to LOG the packet, but also to use the REJECT target in a separate rule so that the packet is never passed up the stack to any userland server listening on UDP port 500:

$IPTABLES -A FWSNORT_FORWARD -p udp --dport 500 -m string --hex-string "|00 00 00 00
00 00 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00 88 0D 00 00 5C 00 00 00
01 00 00 00 01 00 00 00|P|01 01 00 02 03 00 00 24 01 01 00 00 80 01 00 06 80 02 00 02
80 03 00 03 80 04 00 05 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 24 02 01 00 00 80
01 00 05 80 02 00 01 80 03 00 03 80 04 00 02 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00
10|" --algo bm -m comment --comment "sid:1771; msg: POLICY IPSec PGPNet connection
attempt; classtype: protocol-command-decode; rev: 6; FWS:1.0;" -j LOG --log-ip-options
--log-prefix "[601] REJ SID1771 "

$IPTABLES -A FWSNORT_INPUT -p udp --dport 500 -m string --hex-string "|00 00 00 00 00
00 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00 88 0D 00 00 5C 00 00 00 01
00 00 00 01 00 00 00|P|01 01 00 02 03 00 00 24 01 01 00 00 80 01 00 06 80 02 00 02 80
03 00
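The translation step described for the Bancos and PGPNet rules above, as an added example that is not fwsnort's own code: it decodes a Snort content value (literal text outside pipes, hex inside) into the raw payload bytes, then emits the iptables -m string arguments, using --string for printable patterns and --hex-string otherwise, and refuses patterns longer than the 128-byte limit of the kernel's xt_string match. The two sample content values are copied from the rules above; the function names are this example's own.

```python
import re

# The kernel string match (xt_string) rejects patterns longer than this.
XT_STRING_MAX_PATTERN_SIZE = 128

# Content values quoted from the Bancos (sid 2001726) and PGPNet (sid 1771) rules above.
BANCOS_HEX = "|0f 6d 07 9e 6c 62 6c 68 00 d2 2f 63 6d 64 9d 11 af af 45 c7 72 ac 5f 3138 d0|"
PGPNET = ("|00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 "
          "00 00 00 88 0D 00 00 5C 00 00 00 01 00 00 00 01 00 00 00|P|"
          "01 01 00 02 03 00 00 24 01 01 00 00 80 01 00 06 80 02 00 02 80 03 00 03 80 04 00 05 80 "
          "0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 03 "
          "00 03 80 04 00 02 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 10|")


def snort_content_to_bytes(content: str) -> bytes:
    """Decode a Snort content: value into the payload bytes it matches.
    Pipes toggle hex mode; inside pipes whitespace is ignored, so the
    '3138' in the Bancos rule is the same two bytes as '31 38'."""
    if content.count("|") % 2:
        raise ValueError("unbalanced '|' in content")
    out = bytearray()
    for i, seg in enumerate(content.split("|")):
        if i % 2:  # odd-numbered segments sit between pipes: hex mode
            digits = re.sub(r"\s+", "", seg)
            if len(digits) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", digits):
                raise ValueError(f"bad hex segment: {seg!r}")
            out += bytes.fromhex(digits)
        else:              # even-numbered segments are literal text
            out += seg.encode("latin-1")
    return bytes(out)


def fits_xt_string(content: str) -> bool:
    """True if the decoded pattern can be loaded by -m string at all."""
    return 1 <= len(snort_content_to_bytes(content)) <= XT_STRING_MAX_PATTERN_SIZE


def iptables_string_match(content: str) -> list:
    """Return the '-m string ...' argv tokens matching the same bytes.
    Non-printable patterns are re-emitted as one normalised |..| hex run,
    so the kernel sees exactly the decoded bytes regardless of how the
    Snort rule spaced its hex digits."""
    if not fits_xt_string(content):
        raise ValueError(f"pattern must be 1..{XT_STRING_MAX_PATTERN_SIZE} bytes")
    pattern = snort_content_to_bytes(content)
    if all(0x20 <= b < 0x7F for b in pattern):
        arg = ["--string", pattern.decode("ascii")]
    else:
        arg = ["--hex-string", "|" + pattern.hex(" ") + "|"]
    return ["-m", "string", *arg, "--algo", "bm"]
```

The tokens are argv-ready; when pasting them into a shell command, quote the pattern argument as the fwsnort output above does.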
