
Linux Firewalls - Michael Rash [96]

cannot be used as a match criteria.[53]

Any Snort rule that uses such an option (i.e., an option that is logged by iptables but cannot be used as match criteria) requires a userland application to parse the log message in order to detect the attack the rule describes. Consequently, for attacks matching these Snort rules, iptables cannot itself take any action against them—only a userland application can take action after parsing the attack out of the iptables log messages. Therefore, fwsnort does not translate Snort rules that contain options in the following list, because there are no equivalent iptables matching/filtering options:

ack        Matches the 32-bit acknowledgment number in the TCP header
icmp_id    Matches the ID value present in some ICMP packets
icmp_seq   Matches the sequence value present in some ICMP packets
id         Matches the 16-bit IP ID field in the IP header
sameip     Searches for identical source and destination IP addresses
seq        Matches the 32-bit sequence number in the TCP header
window     Matches the 16-bit window value in the TCP header

However, all of the packet header information in the above list is included within iptables logs for easy analysis by an application such as psad.

For example, the IP ID, ICMP ID, and ICMP sequence numbers are all included in the default iptables log message generated by an ICMP Echo Request packet:

Jun 9 11:41:22 iptablesfw kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=547 SEQ=1

Even though there is no way within iptables to match a packet if the source and destination IP addresses are the same (for arbitrary addresses), the sameip Snort rule option can be emulated simply by checking to see if the SRC and DST values are the same within an iptables log message.

This check must be performed by a userland process and is made possible because the log message contains both the source and destination IP addresses, which makes it easy to see if they are the same.

The sameip option is important for detecting the LAND attack (see http://www.insecure.org/sploits/land.ip.dos.html) in which a spoofed TCP SYN packet from the attacker that's destined for a particular IP address looks as though it came from the target IP address itself—that is, the source IP address in the spoofed packet is identical to its destination. Many older operating systems, including Windows NT 4.0 and Windows 95, mishandle this type of packet by completely crashing, thus making LAND an effective Denial of Service (DoS) attack against these systems (although such systems are not widely deployed anymore).

The seq and ack Snort options apply to the sequence and acknowledgment numbers in the TCP header, but the LOG target does not include these fields by default when a packet hits an iptables logging rule in the kernel; the --log-tcp-sequence argument must be given to the iptables binary in order for these header fields to be logged. The window option allows Snort to match against the TCP window size, and this value is included by default in iptables log messages. The TCP sequence and acknowledgment numbers, as well as the window size, appear as the SEQ, ACK, and WINDOW fields of the log message below:

[iptablesfw]# iptables -I INPUT 1 -i lo -p tcp --dport 5001 -j LOG --log-tcp-sequence
[iptablesfw]# nc -v localhost 5001
localhost.cipherdyne.org [127.0.0.1] 5001 (?) : Connection refused
[iptablesfw]# grep SEQ /var/log/messages | tail -n 1
Jun 9 11:49:54 iptablesfw kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2838 DF PROTO=TCP SPT=43827 DPT=5001 SEQ=336880890 ACK=0 WINDOW=32767 RES=0x00 SYN URGP=0

Note

All of the Snort rule options listed above, such as id, seq, icode, and so on, instruct Snort to match against specific fields within the network and transport layer headers. None of these options involves processing any application layer data whatsoever.
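The userland check described in this section, written here as an added example rather than code from the book, fwsnort, or psad: it parses the two iptables LOG messages quoted above (rejoined onto one line each, as constructed sample input) and emulates the seven untranslatable Snort header options over the parsed fields, including the sameip comparison of SRC and DST. The function and rule-tuple names are this example's own; the only log format assumed is the kernel's key=value layout shown on this page, in which the IP ID appears before PROTO= and the ICMP ID after it.

```python
import re

# Constructed sample input: the two iptables LOG messages quoted in this section, rejoined onto one line each.
SAMPLE_LOGS = [
    "Jun 9 11:41:22 iptablesfw kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 "
    "SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP "
    "TYPE=8 CODE=0 ID=547 SEQ=1",
    "Jun 9 11:49:54 iptablesfw kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 "
    "SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2838 DF PROTO=TCP "
    "SPT=43827 DPT=5001 SEQ=336880890 ACK=0 WINDOW=32767 RES=0x00 SYN URGP=0",
]

FIELD_RE = re.compile(r"(\w+)=(\S*)")
# The Snort header options fwsnort leaves untranslated; each names a parsed field below.
HEADER_OPTIONS = ("sameip", "id", "icmp_id", "icmp_seq", "seq", "ack", "window")

def parse_iptables_log(line):
    """Split an iptables LOG message into lower-cased key/value fields plus a 'flags' set.
    IP header fields precede PROTO= and transport fields follow it, so ID= before PROTO= is
    the IP ID while ID=/SEQ= after PROTO=ICMP are the ICMP identifier and sequence number."""
    fields, flags, after_proto = {}, set(), False
    for tok in line.split("kernel:", 1)[-1].split():
        m = FIELD_RE.fullmatch(tok)
        if m is None:            # bare tokens such as DF or SYN
            flags.add(tok)
            continue
        key, val = m.group(1).lower(), m.group(2)
        if key == "proto":
            after_proto = True
        elif after_proto and fields.get("proto") == "ICMP" and key in ("id", "seq"):
            key = "icmp_" + key
        fields[key] = val
    fields["flags"] = flags
    return fields

def option_matches(fields, option, value=None):
    """Emulate one Snort header option over a parsed message; sameip takes no value."""
    if option not in HEADER_OPTIONS:
        raise ValueError("unsupported option: %s" % option)
    if option == "sameip":
        return "src" in fields and fields["src"] == fields.get("dst")
    return option in fields and int(fields[option]) == int(value)

def scan_logs(lines, rules):
    """Apply (name, option, value) rules to each line; return (name, proto, src, dst) hits."""
    hits = []
    for f in map(parse_iptables_log, lines):
        hits += [(name, f.get("proto"), f.get("src"), f.get("dst"))
                 for name, opt, val in rules if option_matches(f, opt, val)]
    return hits
```

Both sample messages are loopback traffic, so the sameip rule fires on each; on a real firewall that condition is the LAND signature discussed above, and only the userland parser, never an iptables rule, can raise it.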

Snort Options and iptables Packet Filtering

