ISSA Journal's Toolsmith on fwsnort and iptables IDS
02 October, 2008
Russ McRee of holisticinfosec.org
has written the October Toolsmith
issue from the ISSA Journal about fwsnort and intrusion detection.
Russ emphasizes practical usages of fwsnort with tuning the Snort signature set it translates into
an iptables policy, and after using fwsnort to build a detection policy, he sends several example
attacks at a webserver. These attacks include directory traversal, XSS, and CSRF attacks, and
he illustrates how the attacks are detected by fwsnort via the iptables log messages it generates.
Here is an attack identified as ET WEB-MISC Poison Null Byte by Snort rule ID 2003099, and
below is the log message generated by fwsnort when the attack is sent against a webserver:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"ET WEB-MISC Poison Null Byte"; flow:established,to_server;
uricontent:"|00|"; depth:400; reference:cve,2006-4542; reference:cve,2006-4458;
reference:cve,2006-3602;
reference:url,www.security-assessment.com/Whitepapers/0x00_vs_ASP_File_Uploads.pdf;
classtype: web-application-activity; sid:2003099; rev:3;)
Sep 4 16:59:45 holisticinfosec01 kernel: [29567.666562] [234]
SID2003099 ESTAB IN=eth0 OUT= MAC=00:0c:6e:3c:b4:71:00:13:e8:e8:81:37:08:00
SRC=192.168.248.101 DST=192.168.248.104 LEN=40 TOS=0x00 PREC=0x00
TTL=128 ID=24638 DF PROTO=TCP SPT=7987 DPT=80
WINDOW=16126 RES=0x00 ACK URGP=0
Note the iptables log prefix "[234] SID2003099 ESTAB" above. This indicates
that rule number 234 (from the custom FWSNORT_INPUT_ESTAB chain in this case which is
jumped to from the built-in INPUT chain) matched traffic described by
Snort rule ID 234, and that the match took place in an ESTABLISHED TCP connection.
By using the iptables state tracking extensions, fwsnort matches up TCP connection
states to packets on the wire in order to emulate the Snort flow keyword -
at least to the extent that bi-directional communication is required before an
event is generated.
Russ also mentions the fwsnort --ipt-drop and --ipt-reject command line arguments that change the stance of fwsnort from a detection engine to a mechanism that can drop malicious packets before forwarding them to their intended target. Given that iptables is firewall, it runs inline to network traffic by definition, and therefore is in ideal position to respond in this way.
