cipherdyne.org

Michael Rash, Security Researcher



Chapter 11: Combining psad and fwsnort

Log messages that are generated by fwsnort are picked up and analyzed by psad for better reporting via email (integrated whois and reverse DNS lookups as well as passive OS fingerprinting are illustrated). This chapter represents the culmination of the attack detection and mitigation strategies that are possible with iptables.

The chapter concludes with an example of how fwsnort and psad can be used to stop the Metasploit update process. That is, https sessions that transfer the Metasploit SSL certificate are shut down by an iptables rule that fwsnort builds to detect the SSL certificate as it is transferred across the network. The fwsnort script translates a Snort rule in the metasploit.rules file, and the resulting fwsnort script can be downloaded here (or see below). All updates in both the 2.x and 3.x Metasploit frameworks take place over https sessions; in 2.x the updates are driven by a custom msfupdate script, whereas in 3.x updates are driven by Subversion.

#!/bin/sh
#
############################################################################
#
# File: /etc/fwsnort/fwsnort.sh
#
# Purpose: This script was auto-generated by fwsnort, and implements
# an iptables ruleset based upon Snort rules. For more
# information see the fwsnort man page or the documentation
# available at http://www.cipherdyne.org/fwsnort/
#
# Generated with: fwsnort --snort-sid 900001 --ipt-reject
# Generated on host: isengard
# Time stamp: Tue Sep 18 15:29:29 2007
#
# Author: Michael Rash <mbr@cipherdyne.org>
#
# Version: 1.0.2 (file revision: 400)
#
############################################################################
#

#==================== config ====================
ECHO=/bin/echo
IPTABLES=/sbin/iptables
#================== end config ==================


###
############ Create fwsnort iptables chains. ############
###
$IPTABLES -N FWSNORT_FORWARD 2> /dev/null
$IPTABLES -F FWSNORT_FORWARD

$IPTABLES -N FWSNORT_FORWARD_ESTAB 2> /dev/null
$IPTABLES -F FWSNORT_FORWARD_ESTAB

$IPTABLES -N FWSNORT_INPUT 2> /dev/null
$IPTABLES -F FWSNORT_INPUT

$IPTABLES -N FWSNORT_INPUT_ESTAB 2> /dev/null
$IPTABLES -F FWSNORT_INPUT_ESTAB

$IPTABLES -N FWSNORT_OUTPUT 2> /dev/null
$IPTABLES -F FWSNORT_OUTPUT

$IPTABLES -N FWSNORT_OUTPUT_ESTAB 2> /dev/null
$IPTABLES -F FWSNORT_OUTPUT_ESTAB


###
############ Inspect ESTABLISHED tcp connections. ############
###
$IPTABLES -A FWSNORT_FORWARD -p tcp -m state --state ESTABLISHED -j FWSNORT_FORWARD_ESTAB
$IPTABLES -A FWSNORT_INPUT -p tcp -m state --state ESTABLISHED -j FWSNORT_INPUT_ESTAB
$IPTABLES -A FWSNORT_OUTPUT -p tcp -m state --state ESTABLISHED -j FWSNORT_OUTPUT_ESTAB

###
############ metasploit.rules ############
###
$ECHO "[+] Adding metasploit rules."

### alert tcp any 443 -> $HOME_NET any (msg:"Metasploit exploit DB update"; flow:established; content:"cacert@metasploit.com"; classtype:misc-activity; sid:900001; rev:1;)
$IPTABLES -A FWSNORT_FORWARD_ESTAB -p tcp --sport 443 -m string --string "cacert@metasploit.com" --algo bm -m comment --comment "sid:900001; msg:Metasploit exploit DB update; classtype:misc-activity; rev:1; FWS:1.0.2;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[1] REJ SID900001 ESTAB "
$IPTABLES -A FWSNORT_FORWARD_ESTAB -p tcp --sport 443 -m string --string "cacert@metasploit.com" --algo bm -j REJECT --reject-with tcp-reset
$IPTABLES -A FWSNORT_INPUT_ESTAB -p tcp --sport 443 -m string --string "cacert@metasploit.com" --algo bm -m comment --comment "sid:900001; msg:Metasploit exploit DB update; classtype:misc-activity; rev:1; FWS:1.0.2;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[1] REJ SID900001 ESTAB "
$IPTABLES -A FWSNORT_INPUT_ESTAB -p tcp --sport 443 -m string --string "cacert@metasploit.com" --algo bm -j REJECT --reject-with tcp-reset
$ECHO " Rules added: 4"

###
############ Jump traffic to the fwsnort chains. ############
###
$IPTABLES -D FORWARD -i ! lo -j FWSNORT_FORWARD 2> /dev/null
$IPTABLES -I FORWARD 1 -i ! lo -j FWSNORT_FORWARD
$IPTABLES -D INPUT -i ! lo -j FWSNORT_INPUT 2> /dev/null
$IPTABLES -I INPUT 1 -i ! lo -j FWSNORT_INPUT
$IPTABLES -D OUTPUT -o ! lo -j FWSNORT_OUTPUT 2> /dev/null
$IPTABLES -I OUTPUT 1 -o ! lo -j FWSNORT_OUTPUT

$ECHO "[+] Finished."
### EOF ###
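The two halves of the chapter, fwsnort turning a Snort rule into an iptables string match and psad reading the resulting kernel log line back, can be sketched in a few dozen lines. The Python below is an added illustration written for this page, not fwsnort's or psad's own Perl code; it handles only a single-content rule like the metasploit.rules one above, the log prefix format ("[N] REJ SIDnnnn ESTAB ") is taken from the generated script, and the syslog line is constructed.

```python
import re
# Constructed input: the Snort rule from metasploit.rules that the script above implements.
SNORT_RULE = ('alert tcp any 443 -> $HOME_NET any (msg:"Metasploit exploit DB update"; '
              'flow:established; content:"cacert@metasploit.com"; '
              'classtype:misc-activity; sid:900001; rev:1;)')
# Constructed syslog line in the shape the LOG rule writes when the string match fires.
SAMPLE_LOG = ('Sep 18 15:31:02 isengard kernel: [1] REJ SID900001 ESTAB IN=eth0 OUT= '
              'SRC=203.0.113.10 DST=192.168.10.5 LEN=1500 TTL=52 PROTO=TCP SPT=443 DPT=48311 ACK PSH')

HEADER_RE = re.compile(r'^alert\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')
LOG_RE = re.compile(r'SID(\d+)\b.*?SRC=(\S+) DST=(\S+).*?SPT=(\d+) DPT=(\d+)')

def parse_rule(rule):
    """Split a single-content Snort rule into one flat dict of header fields and options."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("unsupported rule syntax")
    proto, _src, sport, _dst, dport, body = m.groups()
    opts = {}
    for opt in body.split(';'):  # assumes no escaped ';' inside msg/content
        if opt.strip():
            key, _, val = opt.strip().partition(':')
            opts[key] = val.strip().strip('"')
    return dict(opts, proto=proto, sport=sport, dport=dport)

def to_iptables(rule, chain, rule_num=1, reject=True):
    """Build the LOG rule, plus the REJECT rule when reject is set, for one Snort rule."""
    o = parse_rule(rule)
    match = f'-p {o["proto"]}'
    if o["sport"] != "any":
        match += f' --sport {o["sport"]}'
    if o["dport"] != "any":
        match += f' --dport {o["dport"]}'
    match += f' -m string --string "{o["content"]}" --algo bm'  # Boyer-Moore payload search
    comment = f'sid:{o["sid"]}; msg:{o["msg"]}; classtype:{o["classtype"]}; rev:{o["rev"]};'
    prefix = f'[{rule_num}] {"REJ " if reject else ""}SID{o["sid"]} ESTAB '
    rules = [f'iptables -A {chain} {match} -m comment --comment "{comment}" -j LOG '
             f'--log-ip-options --log-tcp-options --log-prefix "{prefix}"']
    if reject:  # a TCP reset tears the session down, as the --ipt-reject script does
        rules.append(f'iptables -A {chain} {match} -j REJECT --reject-with tcp-reset')
    return rules

def correlate_log(line, sid_to_msg):
    """Pull SID and endpoints out of a kernel LOG line and map the SID to its Snort msg."""
    m = LOG_RE.search(line)
    if not m:
        return None
    sid, src, dst, spt, dpt = m.groups()
    return {"sid": int(sid), "msg": sid_to_msg.get(int(sid)), "src": src, "dst": dst,
            "spt": int(spt), "dpt": int(dpt)}
```

The SID embedded in the log prefix is the only thing that links a kernel message back to the originating Snort signature, which is why psad can report the rule's msg text, not just the packet headers.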