IDS signature matching with iptables, psad, and fwsnort
20 March, 2008
The UK's Unix & Open Systems User Group has re-printed an article I wrote originally for the December, 2007 security issue of USENIX ;login: Magazine. The article is entitled "IDS signature matching with iptables, psad, and fwsnort" and concentrates on how to use the iptables infrastructure in the Linux kernel as a source of intrusion detection data. That is, iptables offers many features (such as application layer string matching) that allow a significant fraction of Snort rules to be converted into iptables rules, and fwsnort automates the conversion process. The end result is an iptables policy that is looking for evidence of malicious traffic.

Also covered in the article is the concept of log analysis with an emphasis on passive OS fingerprinting. The completeness of the iptables logging format - which even includes the options portion of the TCP header when the --log-tcp-options argument is given on the iptables command line when building a LOG rule - allows psad to run the same algorithm that p0f uses to passively fingerprint remote operating systems.
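As an added illustration of the --log-tcp-options point (my own example code, not psad's or the article's): a small parser that decodes the hex OPT field of an iptables LOG line into p0f-style option tokens and builds a window:ttl:df:len:options signature from the SYN. The log line and the signature table are constructed samples, and the signature syntax is a simplified subset modelled on p0f's, not its real database.

```python
import re
# Constructed sample: an iptables LOG line for a SYN packet written with
# --log-tcp-options, so the raw TCP options appear hex-encoded in OPT (...).
SAMPLE_LOG = (
    "Mar 20 10:15:02 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP "
    "SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A0001E2400000000001030307)"
)
# Constructed signature table in a simplified p0f-like form: window:ttl:df:len:options.
SIGNATURES = {"S4:64:1:60:M*,S,T,N,W7": "Linux 2.6 (constructed sample entry)"}

def parse_tcp_options(hexstr):
    """Decode the hex OPT field into p0f-style option tokens plus the MSS value."""
    data, tokens, mss, i = bytes.fromhex(hexstr), [], None, 0
    while i < len(data):
        kind = data[i]
        if kind == 0:                      # end of option list
            tokens.append("E"); break
        if kind == 1:                      # NOP padding
            tokens.append("N"); i += 1; continue
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed TCP option at offset %d" % i)
        body = data[i + 2:i + length]
        if kind == 2:                      # MSS; the value folds into the window term
            mss = int.from_bytes(body, "big"); tokens.append("M*")
        elif kind == 3:                    # window scale factor
            tokens.append("W%d" % body[0])
        elif kind == 4:                    # SACK permitted
            tokens.append("S")
        elif kind == 8:                    # timestamps
            tokens.append("T")
        else:                              # unknown kind: keep its number
            tokens.append("?%d" % kind)
        i += length
    return tokens, mss

def build_signature(line):
    """Build window:ttl:df:len:options from a SYN packet's LOG line, else None."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    opt = re.search(r"OPT \(([0-9A-Fa-f]*)\)", line)
    if fields.get("PROTO") != "TCP" or " SYN " not in line or opt is None:
        return None                        # need a SYN logged with --log-tcp-options
    tokens, mss = parse_tcp_options(opt.group(1))
    window = int(fields["WINDOW"])
    # p0f expresses the window as a multiple of the MSS when it divides evenly.
    win = "S%d" % (window // mss) if mss and window % mss == 0 else str(window)
    df = "1" if " DF " in line else "0"
    return "%s:%s:%s:%s:%s" % (win, fields["TTL"], df, fields["LEN"], ",".join(tokens))
```

Looking the returned signature up in SIGNATURES gives the OS guess; packets without the SYN flag or without an OPT field yield None rather than a misleading match.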
In other news, Carla Schroder has written an article on psad for Enterprise Networking Planet. She recommends running psad alongside Snort, which falls nicely within the principle of defense-in-depth in order to maintain a strong defensive stance. Also, Noah Schiffman has written an article on port knocking for Network World. He mentions the usage of port knocking within some malware applications as an authentication mechanism, and he also touches on Single Packet Authorization.