One of the best ways to understand application layer attacks is to browse through the Snort signature set. Although recent Snort signatures are no longer distributed with the Snort source code, the Bleeding Snort project generates signatures for recent attacks in Snort format (see http://www.bleedingsnort.com).
NOTE We will discuss Snort signatures in detail in Chapter 9, but here we introduce the application layer inspection capability provided by Snort. Linking iptables rules to Snort signatures is the key to getting true intrusion detection capabilities from iptables.
Consider the following Snort signature:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/shadow access"; content:"/etc/shadow"; flow:to_server,established; nocase; classtype:web-application-activity; sid:1372; rev:5;)
This signature detects when the string /etc/shadow (the content field above) is transferred from a web client to a webserver. The webserver (and any CGI scripts that it executes) most likely runs as a user without sufficient permissions to read the /etc/shadow file, but an adversary doesn't necessarily know this before trying to request the file. Snort is looking for the attempt to read the file, not for the file's contents.
In order to make iptables generate a log message when the /etc/shadow string is seen over an established TCP connection on port 80 in the FORWARD chain, you can use the following rule:
[iptablesfw]# iptables -I FORWARD 1 -p tcp --dport 80 -m state --state ESTABLISHED -m string --string "/etc/shadow" --algo bm -j LOG --log-prefix "ETC SHADOW "
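The translation from the Snort signature to the iptables rule above is mechanical enough to script. The following shell function is an added example (it is not from the book and not part of Snort or iptables): it pulls the content string, the nocase keyword and the sid out of a signature and prints the corresponding iptables string-match LOG rule for review. The signature used as input is the /etc/shadow signature discussed above, and the function assumes the iptables string match supports the --icase option for case-insensitive matching.

```shell
#!/bin/sh
# Added example, not from the book: turn a Snort signature that uses a single
# content: keyword into the equivalent iptables string-match LOG rule.
# Only the content, nocase and sid fields are used; everything else in the
# signature (flow, classtype, pcre, ...) is ignored, so the result is a
# starting point for review, not a drop-in replacement for Snort.

# Constructed input: the /etc/shadow signature discussed above.
SNORT_SIG='alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/shadow access"; content:"/etc/shadow"; flow:to_server,established; nocase; classtype:web-application-activity; sid:1372; rev:5;)'

# Print (do not run) the iptables command derived from a signature.
snort_to_iptables() {
    sig="$1"
    # Extract the content:"..." pattern and the sid number.
    content=$(printf '%s\n' "$sig" | sed -n 's/.*content:"\([^"]*\)".*/\1/p')
    sid=$(printf '%s\n' "$sig" | sed -n 's/.*sid:\([0-9]*\).*/\1/p')
    # A signature without a plain content string cannot be expressed with -m string.
    [ -n "$content" ] || return 1
    rule="iptables -I FORWARD 1 -p tcp --dport 80 -m state --state ESTABLISHED"
    rule="$rule -m string --string \"$content\" --algo bm"
    # Snort's nocase keyword maps to the string match's --icase option.
    case "$sig" in
        *nocase*) rule="$rule --icase" ;;
    esac
    # Use the sid as the log prefix so a log line can be traced back to the signature.
    printf '%s -j LOG --log-prefix "SID%s "\n' "$rule" "$sid"
}

# Usage: print the rule so it can be reviewed before being applied.
snort_to_iptables "$SNORT_SIG"
```

Keep in mind that -m string inspects one packet at a time: a string split across two TCP segments is not matched, whereas Snort sees it after stream reassembly. The rule also logs only on port 80, so the $HTTP_PORTS variable of the signature is not fully honored unless you add further --dport values.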