Signature Inspection and Log Generation

The fourth section of fwsnort.sh is where the heavyweight packet inspection takes place. All of the rules within this section are added to one of the fwsnort chains mentioned above. Each rule carries elements of the Snort rule header (source and destination IP addresses and port numbers) and of the rule options (content strings, and length, ttl, or tos matches, and so on).

By default, every Snort rule translated by fwsnort results in an iptables command that uses the LOG target along with a logging prefix that is designed to communicate signature specifics to the user. The logging prefixes built by fwsnort contain the rule number within the fwsnort chain and the Snort signature ID value, and they indicate whether the signature is logged from an established TCP connection.

For example, the first rule in the FWSNORT_FORWARD_ESTAB chain contains a logging prefix that is built up from the Volume Serial Number signature (Snort ID 1292) and looks like this: [1] SID1292 ESTAB.

By default, each iptables LOG rule uses the comment match to annotate the rule with the Snort sid, msg, classtype, rev, and reference fields, and the fwsnort version number. For example, for Snort rule ID 1292, the associated comment is:

sid:1292; msg: ATTACK-RESPONSES directory listing; classtype: bad-unknown; rev: 9; FWS:1.0;
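Both formats described above, the log prefix and the comment string, are regular enough to be parsed back into Snort signature data when the LOG messages reach syslog. The following Python is an added example (not from the book or from fwsnort's own code): it parses a constructed fwsnort comment and a constructed kernel LOG line, and joins the two by SID. The IN/OUT/SRC/DST/PROTO/SPT/DPT fields are the standard iptables LOG target output.

```python
import re

# Constructed sample: the --comment string fwsnort attaches to an iptables rule
SAMPLE_COMMENT = ("sid:1292; msg: ATTACK-RESPONSES directory listing; "
                  "classtype: bad-unknown; rev: 9; FWS:1.0;")

# Constructed sample: a kernel LOG line carrying the fwsnort log prefix
SAMPLE_LOG = ("Jul 12 10:15:32 fw kernel: [1] SID1292 ESTAB IN=eth1 OUT=eth0 "
              "SRC=192.168.10.5 DST=203.0.113.7 LEN=180 TOS=0x00 PREC=0x00 TTL=63 "
              "ID=12345 DF PROTO=TCP SPT=445 DPT=51234 WINDOW=512 RES=0x00 ACK PSH URGP=0")

# "[<rule>] SID<sid>" followed by an optional " ESTAB" marker and a trailing space
PREFIX_RE = re.compile(r"\[(?P<rule>\d+)\] SID(?P<sid>\d+)(?P<estab> ESTAB)? ")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # iptables LOG fields such as SRC=1.2.3.4

def parse_comment(comment):
    """Split an fwsnort comment into a dict keyed by sid, msg, classtype, rev, reference, FWS."""
    fields = {}
    for part in comment.split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields

def parse_log_line(line):
    """Return rule number, sid, established flag and packet fields, or None if no prefix."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rest = line[m.end():]
    fields = dict(KV_RE.findall(rest))
    flags = [tok for tok in rest.split() if "=" not in tok]  # bare tokens: DF, ACK, PSH
    return {
        "rule": int(m.group("rule")),
        "sid": int(m.group("sid")),
        "established": m.group("estab") is not None,
        "src": fields.get("SRC"), "dst": fields.get("DST"), "proto": fields.get("PROTO"),
        "sport": int(fields["SPT"]) if "SPT" in fields else None,
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
        "flags": flags,
    }

def describe(line, comments):
    """Join a LOG line to its Snort msg and classtype via the sid recorded in rule comments."""
    hit = parse_log_line(line)
    if hit is None:
        return None
    by_sid = {}
    for c in comments:
        f = parse_comment(c)
        by_sid[int(f["sid"])] = f
    sig = by_sid.get(hit["sid"], {})
    return hit, sig.get("msg"), sig.get("classtype")
```

The comment strings can be collected from the generated fwsnort.sh itself or from the running ruleset, so a log line's SID resolves to the signature text without consulting the Snort rules files.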

Below is the signature section of the fwsnort.sh script. (Note that the iptables rules are organized by the corresponding Snort rules file.)

############ attack-responses.rules ############
$ECHO "[+] Adding attack-responses rules."

### alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES directory listing"; flow:established; content:"Volume Serial Number"; classtype:bad-unknown; sid:1292; rev:9;)

$IPTABLES -A FWSNORT_FORWARD_ESTAB -s 192.168.10.0/24 -p tcp -m string --string "Volume Serial Number" --algo bm -m comment --comment "sid:1292; msg: ATTACK-RESPONSES directory listing; classtype: bad-unknown; rev: 9; FWS:1.0;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[1] SID1292 ESTAB "

$IPTABLES -A FWSNORT_OUTPUT_ESTAB -p tcp -m string --string "Volume Serial Number" --algo bm -m comment --comment "sid:1292; msg: ATTACK-RESPONSES directory listing; classtype: bad-unknown; rev: 9; FWS:1.0;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[1] SID1292 ESTAB "

### alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES command completed"; flow:established; content:"Command completed"; nocase; reference:bugtraq,1806; classtype:bad-unknown; sid:494; rev:10;)

$IPTABLES -A FWSNORT_FORWARD_ESTAB -s 192.168.10.0/24 -p tcp --sport 80 -m string --string "Command completed" --algo bm -m comment --comment "sid:494; msg: ATTACK-RESPONSES command completed; classtype: bad-unknown; reference: bugtraq,1806; rev: 10; FWS:1.0;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[2] SID494 ESTAB "

$IPTABLES -A FWSNORT_OUTPUT_ESTAB -p tcp --sport 80 -m string --string "Command completed" --algo bm -m comment --comment "sid:494; msg: ATTACK-RESPONSES command completed; classtype: bad-unknown; reference: bugtraq,1806; rev: 10; FWS:1.0;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[2] SID494 ESTAB "
