Signature Development

In the section above, we collected a packet trace of the Metasploit update SSL session, which allows us to see what the SSL certificate looks like. The first step in writing a Snort rule to accurately detect the Metasploit update is to analyze this packet trace with your favorite sniffer or protocol decoder. Our goal is to write a Snort rule that fwsnort can translate into an equivalent iptables rule.

Because the Metasploit update process uses SSL with a self-signed certificate, one strategy for developing such a Snort rule is to have Snort look for that certificate as the server sends it to the client. The server's Certificate handshake message travels in the clear (this holds for SSL 3.0 through TLS 1.2; TLS 1.3 encrypts it, so a signature of this kind would not work there), which makes it easy to extract the certificate's subject name from the packet trace with a tool like Wireshark[5] or tcpdump. We use tcpdump below (with some output abbreviated):

[iptablesfw]# tcpdump -r metasploit_update.pcap -s 0 -X
22:52:30.178782 IP 216.75.15.231.443 > 192.168.10.200... 127 win 46 <nop,nop,timestamp 536123815 630321353>
        0x0000:  4500 05dc d24f 4000 2f06 c0ee d84b 0fe7  E....O@./...K..
        0x0010:  c0a8 0a03 01bb c0cc ee22 4bef 43a2 a027  ........."K.C..'
        0x0020:  8010 002e 82eb 0000 0101 080a 1ff4 99a7  ................
        0x0030:  2591 f0c9 1603 0100 4a02 0000 4603 0145  %.......J...F..E
        0x0040:  42c5 ce81 9f02 eb05 ed30 ca9b 0973 a4d7  B........0...s..
        0x0050:  4182 de5a 5d7b 4c0c 59eb f300 0000 0020  A..Z]{L.Y.......
        0x0060:  6e67 1dfa 6363 78fb c180 d6d4 05f4 640e  ng..ccx.......d.
        0x0070:  be4f 4eb6 3fcf 8af7 ad95 3fd4 e901 c81d  .ON.?.....?.....
        0x0080:  0039 0016 0301 0674 0b00 0670 0006 6d00  .9.....t...p..m.
        0x0090:  066a 3082 0666 3082 054e a003 0201 0202  .j0..f0..N......
        0x00a0:  0101 300d 0609 2a86 4886 f70d 0101 0405  ..0...*.H.......
        0x00b0:  0030 81a8 310b 3009 0603 5504 0613 0255  .0..1.0...U....U
        0x00c0:  5331 0e30 0c06 0355 0408 1305 5465 7861  S1.0...U....Texa
        0x00d0:  7331 1430 1206 0355 0407 130b 5361 6e20  s1.0...U....San.
        0x00e0:  416e 746f 6e69 6f31 1f30 1d06 0355 040a  Antonio1.0...U..
        0x00f0:  1316 5468 6520 4d65 7461 7370 6c6f 6974  ..The.Metasploit
        0x0100:  2050 726f 6a65 6374 3114 3012 0603 5504  .Project1.0...U.
        0x0110:  0b13 0b44 6576 656c 6f70 6d65 6e74 3116  ...Development1.
        0x0120:  3014 0603 5504 0313 0d4d 6574 6173 706c  0...U....Metaspl
        0x0130:  6f69 7420 4341 3124 3022 0609 2a86 4886  oit.CA1$0"..*.H.
        0x0140:  f70d 0109 0116 1563 6163 6572 7440 6d65  .......cacert@me
        0x0150:  7461 7370 6c6f 6974 2e63 6f6d 301e 170d  tasploit.com0...

Notice the nice unique string at the end of the dump, cacert@metasploit.com, which is the email address embedded in the certificate's subject (the emailAddress attribute; its DER-encoded OID, 2a 86 48 86 f7 0d 01 09 01, immediately precedes the IA5String that holds the address). The dump also shows why the string is visible at all: the bytes 16 03 01 at payload offset 0 are a TLS 1.0 handshake record, and the second record (0b 00 06 70 at offset 0x88) is the unencrypted Certificate message. We'll use the email address for the content field of a custom Snort rule, which we'll give rule ID 900001 and place within a file called metasploit.rules:

[iptablesfw]# cat metasploit.rules
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"Metasploit exploit DB update"; flow:established; content:"cacert@metasploit.com"; classtype:misc-activity; sid:900001; rev:1;)

One point to keep in mind when fwsnort translates this rule: the iptables string match inspects one packet at a time with no stream reassembly, so the content string must fall within a single TCP segment. It does here, since the email address appears well inside the first server-to-client data segment of the handshake, but a content string that straddled a segment boundary would be matched by Snort and missed by the iptables equivalent.
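To check the analysis above mechanically rather than by eye, the following Python script (an added example, not from the page or from fwsnort) walks the bytes transcribed from the tcpdump dump: it strips the IP and TCP headers, iterates the TLS records, reads the ServerHello's cipher suite, locates the Certificate message, and pulls the emailAddress attribute out of the (truncated) DER certificate. It also emulates the per-packet check that an iptables string match performs, to confirm the content string lies within this one segment. The segment bytes are constructed from the dump; only the first 0x160 bytes of the 1500-byte packet were printed, so the certificate is cut off, and the code tolerates that.

```python
"""Walk the first server->client segment of the Metasploit update capture,
follow the TLS handshake to the Certificate message, and extract the
emailAddress attribute the Snort rule keys on.  Added example; the bytes are
transcribed from the tcpdump -X output in the text."""
import struct
from typing import Optional, Tuple

# Constructed from the dump in the text: 22 lines of 16 bytes, 352 bytes in all.
# The packet is 1500 bytes on the wire, so the certificate is truncated here.
SEGMENT = bytes.fromhex("""
4500 05dc d24f 4000 2f06 c0ee d84b 0fe7
c0a8 0a03 01bb c0cc ee22 4bef 43a2 a027
8010 002e 82eb 0000 0101 080a 1ff4 99a7
2591 f0c9 1603 0100 4a02 0000 4603 0145
42c5 ce81 9f02 eb05 ed30 ca9b 0973 a4d7
4182 de5a 5d7b 4c0c 59eb f300 0000 0020
6e67 1dfa 6363 78fb c180 d6d4 05f4 640e
be4f 4eb6 3fcf 8af7 ad95 3fd4 e901 c81d
0039 0016 0301 0674 0b00 0670 0006 6d00
066a 3082 0666 3082 054e a003 0201 0202
0101 300d 0609 2a86 4886 f70d 0101 0405
0030 81a8 310b 3009 0603 5504 0613 0255
5331 0e30 0c06 0355 0408 1305 5465 7861
7331 1430 1206 0355 0407 130b 5361 6e20
416e 746f 6e69 6f31 1f30 1d06 0355 040a
1316 5468 6520 4d65 7461 7370 6c6f 6974
2050 726f 6a65 6374 3114 3012 0603 5504
0b13 0b44 6576 656c 6f70 6d65 6e74 3116
3014 0603 5504 0313 0d4d 6574 6173 706c
6f69 7420 4341 3124 3022 0609 2a86 4886
f70d 0109 0116 1563 6163 6572 7440 6d65
7461 7370 6c6f 6974 2e63 6f6d 301e 170d
""")

TLS_HANDSHAKE = 0x16                                      # record content type
HS_SERVER_HELLO = 0x02                                    # handshake message types
HS_CERTIFICATE = 0x0B
OID_EMAIL_ADDRESS = bytes.fromhex("2a864886f70d010901")  # PKCS#9 emailAddress
TAG_IA5STRING = 0x16


def tcp_payload(pkt: bytes) -> bytes:
    """Strip the IPv4 and TCP headers.  Both may carry options (this TCP header
    has timestamps), so use the IHL and data-offset nibbles, not fixed sizes."""
    ihl = (pkt[0] & 0x0F) * 4
    data_off = (pkt[ihl + 12] >> 4) * 4
    return pkt[ihl + data_off:]


def tls_records(payload: bytes):
    """Yield (content_type, version, declared_len, body) per TLS record.  The
    last record in a lone segment is usually cut off; it is yielded with the
    bytes that are present so the caller can see how much is missing."""
    pos = 0
    while pos + 5 <= len(payload):
        ctype, version, length = struct.unpack("!BHH", payload[pos:pos + 5])
        yield ctype, version, length, payload[pos + 5:pos + 5 + length]
        pos += 5 + length


def handshake(payload: bytes, hs_type: int) -> Optional[bytes]:
    """Body (after the 4-byte type+length header) of the first handshake
    message of the given type, or None if the segment holds none."""
    for ctype, _version, _length, body in tls_records(payload):
        if ctype == TLS_HANDSHAKE and body and body[0] == hs_type:
            return body[4:]
    return None


def server_hello_cipher(payload: bytes) -> Optional[int]:
    """Cipher suite the server picked: version(2) random(32) sid_len(1)
    session_id(sid_len) cipher_suite(2)."""
    hello = handshake(payload, HS_SERVER_HELLO)
    if hello is None:
        return None
    sid_len = hello[34]
    return struct.unpack("!H", hello[35 + sid_len:37 + sid_len])[0]


def first_certificate(payload: bytes) -> Optional[Tuple[int, bytes]]:
    """(declared DER length, DER bytes actually present) for the first
    certificate: certs_list_len(3) cert_len(3) DER..."""
    msg = handshake(payload, HS_CERTIFICATE)
    if msg is None:
        return None
    cert_len = int.from_bytes(msg[3:6], "big")
    return cert_len, msg[6:6 + cert_len]


def email_from_der(der: bytes) -> Optional[str]:
    """Value of the first emailAddress attribute.  No full DER walk is needed:
    the attribute is OID || IA5String tag || short-form length || value."""
    idx = der.find(OID_EMAIL_ADDRESS)
    if idx < 0:
        return None
    tag_pos = idx + len(OID_EMAIL_ADDRESS)
    if der[tag_pos] != TAG_IA5STRING or der[tag_pos + 1] >= 0x80:
        return None
    length = der[tag_pos + 1]
    return der[tag_pos + 2:tag_pos + 2 + length].decode("ascii")


def string_match(pkt: bytes, needle: bytes, sport: int = 443) -> bool:
    """Approximation (an assumption, not fwsnort's code) of the check an
    iptables string-match rule makes: one packet at a time, TCP from the given
    source port, needle somewhere in that packet's payload.  There is no
    stream reassembly, so the needle must sit inside a single segment."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or struct.unpack("!H", pkt[ihl:ihl + 2])[0] != sport:
        return False
    return needle in tcp_payload(pkt)


if __name__ == "__main__":
    payload = tcp_payload(SEGMENT)
    print("cipher suite: 0x%04x" % server_hello_cipher(payload))
    declared, der = first_certificate(payload)
    print("certificate: %d bytes declared, %d present" % (declared, len(der)))
    email = email_from_der(der)
    print("emailAddress:", email, "at payload offset", payload.find(email.encode()))
    print("per-packet string match:", string_match(SEGMENT, email.encode()))
```

Run against the transcribed segment, the script reports cipher suite 0x0039 (TLS_DHE_RSA_WITH_AES_256_CBC_SHA), a certificate declared at 1642 bytes of which only 206 are in the printed dump, the address cacert@metasploit.com at TCP payload offset 275, and a successful per-packet match, which is exactly the condition the fwsnort translation of the rule depends on.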

[5] Using the Follow TCP Stream feature in Wireshark makes looking at application layer data particularly easy.
