
List:       psad-discuss
Subject:    Re: [psad-discuss] custom signature.
From:       Muhammad Yousuf Khan <sirtcp () gmail ! com>
Date:       2014-11-12 11:27:12
Message-ID: CAGWVfM=EO28arZFHyN7cEm6j2nQo2KSEizwM6OiAa4rjsV8vSQ () mail ! gmail ! com



Thanks, Michael Rash, you cleared my confusion. I was always confused about
the way they work together.
Thanks for designing such a wonderful product.


On Tue, Nov 11, 2014 at 6:29 PM, Michael Rash <michael.rash@gmail.com>
wrote:

>
> On Mon, Nov 10, 2014 at 8:12 AM, Muhammad Yousuf Khan <sirtcp@gmail.com>
> wrote:
>
>> Thanks for sharing, but just confirming, as I am not a native English
>> speaker.
>> Correct me if I am wrong. What I am getting from your email is that the
>> fwsnort daemon works individually and inspects all the traffic coming through
>> the interface. Once it finds any packet matching a Snort rule, it triggers
>> and logs a code in the iptables log so that PSAD can understand it. Then the
>> PSAD daemon finds that log and performs its actions according to
>> psad.conf.
>>
>> Am I correct with the understanding?
>>
>
> Yes, that is correct.
>
> --Mike
>
>
>
>
>>
>> Thanks,
>>
>>
>> On Sun, Nov 9, 2014 at 3:20 AM, Michael Rash <michael.rash@gmail.com>
>> wrote:
>>
>>>
>>> On Sat, Nov 8, 2014 at 3:42 PM, Muhammad Yousuf Khan <sirtcp@gmail.com>
>>> wrote:
>>>
>>>> Thanks for sharing, Michael. It is very informative; I will start working
>>>> on this on Monday.
>>>> But I also have another question for my learning: iptables logs are
>>>> very limited, and what PSAD does is just read the iptables logs and make the
>>>> decisions set in the conf file and signature file.
>>>> I had experience working with fwsnort, and fwsnort is run in conjunction
>>>> with psad and gives psad the ability to read packets in more detail, like
>>>> it can find and trigger rules with MIME type and other deep-level
>>>> inspection. So my question is where psad reads all the information of the
>>>> packet, because the firewall log is very limited; it does not contain MIME types
>>>> or other deep packet information, as far as I know, because the firewall
>>>> log I see in /var/log/messages does not contain any deep-level information.
>>>>
>>>
>>> If you are also running fwsnort, then the linkage between an fwsnort
>>> rule match and psad is the Snort ID value. When fwsnort triggers on
>>> application layer data (which of course is not natively included in any
>>> iptables log message), then the iptables log prefix will include the SID in
>>> a string like "SID12345" in the log message. psad is always looking for
>>> these strings, and once it sees one, then it knows that fwsnort made a
>>> match against application layer data.
>>>
>>> Thanks,
>>>
>>> --Mike
>>>
>>>
>>>>
>>>>
>>>>
>>>> Thanks,
>>>>
>>>>
>>>> On Sat, Nov 8, 2014 at 7:46 AM, Michael Rash <michael.rash@gmail.com>
>>>> wrote:
>>>>
>>>>>
>>>>> On Fri, Nov 7, 2014 at 9:24 AM, Muhammad Yousuf Khan <sirtcp@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> HI,
>>>>>>
>>>>>> Can anyone please explain how I can make a custom rule?
>>>>>> I can see rules in /etc/psad/signatures; however, I cannot understand
>>>>>> the format.
>>>>>> Can anyone throw some light on this?
>>>>>>
>>>>>> For example, if I want to trigger an alarm and block the IP if traffic is
>>>>>> found on port 5060, TCP or UDP, both.
>>>>>>
>>>>>> and
>>>>>>
>>>>>> for example, if I want to block traffic on a TCP flag basis.
>>>>>>
>>>>>
>>>>> Sure, given the scenario you've described above, here is a candidate
>>>>> signature:
>>>>>
>>>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"port 5060 traffic"; flags:S; classtype:misc-activity; psad_id:200001; psad_dl:5;)
>>>>>
>>>>> Note that some of the keywords like 'psad_derived_sids' etc. are
>>>>> optional - the above rule should assign danger level 5 (the highest) to any
>>>>> external IP that sends a SYN packet to TCP port 5060 (and when this packet
>>>>> is logged by iptables of course). This will result in a dedicated alert
>>>>> from psad. If you also want psad to block the source IP, then you would
>>>>> need to set the ENABLE_AUTO_IDS variable to Y in the /etc/psad/psad.conf
>>>>> file.
>>>>>
>>>>> Another way to look at this is that if you already know that you want
>>>>> to block an IP that tries to communicate with port 5060, then you could
>>>>> instantiate a default blocking rule in your iptables policy for such
>>>>> traffic. Or, if you want to block IPs that try TCP flags that don't match
>>>>> the normal sequence of flags as defined by TCP itself and tracked by the
>>>>> iptables connection tracking code, then your policy could accept traffic
>>>>> via the NEW/ESTABLISHED/RELATED args to conntrack, and log/block those that
>>>>> are outside these criteria. In this case, psad can apply persistent
>>>>> blocking rules to IPs that fall into this category. For example, you could
>>>>> change the "flags: S;" in the rule above to "flags: F;" if you want to
>>>>> block IPs that issue a FIN scan.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> --Mike
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>> any help will be highly appreciated.
>>>>>>
>>>>>>
>>>>>> Thanks,
>>>>>> MYK
>>>>>>
>>>>>>
>>>>>> ------------------------------------------------------------------------------
>>>>>>
>>>>>> _______________________________________________
>>>>>> psad-discuss mailing list
>>>>>> psad-discuss@lists.sourceforge.net
>>>>>> https://lists.sourceforge.net/lists/listinfo/psad-discuss
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>> --
>>> Michael Rash | Founder
>>> http://www.cipherdyne.org/
>>> Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F
>>>
>>>
>>>
>>>
>>
>
>
> --
> Michael Rash | Founder
> http://www.cipherdyne.org/
> Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F
>
>
>
>
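
The pipeline Mike describes above (iptables writes only header fields to the log; fwsnort leaves a "SID12345"-style marker in the log prefix when a payload rule fires; psad matches its own signatures against the header fields, derives a danger level, and auto-blocks only when ENABLE_AUTO_IDS is on) can be modelled end to end over a handful of log lines. The following is an added example, not psad's or fwsnort's own code. It assumes the field layout of the iptables LOG target (SRC=, DST=, PROTO=, DPT=, bare flag tokens such as SYN and FIN), assumes an fwsnort prefix of the form "[1] SID12345 ESTAB ", and uses a constructed SID-to-danger-level table and constructed log lines; the rule syntax parsed is only the subset that appears in Mike's candidate signature. The config names ENABLE_AUTO_IDS and AUTO_IDS_DANGER_LEVEL are the psad.conf variable names; setting ENABLE_AUTO_IDS to Y here is for the demonstration and is not psad's default.

```python
"""Toy model of the iptables -> fwsnort -> psad pipeline from the thread."""
import re

# ---- rule side: the subset of /etc/psad/signatures syntax used in the thread ----
RULE_RE = re.compile(
    r"^alert\s+(?P<proto>tcp|udp)\s+\S+\s+\S+\s*->\s*\S+\s+(?P<dport>\d+|any)"
    r"\s*\((?P<opts>.*)\)\s*$"
)
FLAG_LETTER = {"S": "SYN", "F": "FIN", "A": "ACK", "P": "PSH", "R": "RST", "U": "URG"}

def parse_rule(text):
    """Extract proto, destination port, TCP flags, psad_id and psad_dl from a rule."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule: " + text)
    opts = {}
    for opt in m.group("opts").split(";"):
        if ":" in opt:
            key, val = opt.split(":", 1)
            opts[key.strip()] = val.strip().strip('"')
    return {
        "proto": m.group("proto").upper(),
        "dport": None if m.group("dport") == "any" else int(m.group("dport")),
        "flags": opts.get("flags"),  # Snort style: "S" = exactly SYN, "S+" = SYN plus any others
        "psad_id": int(opts["psad_id"]),
        "psad_dl": int(opts.get("psad_dl", 1)),
    }

# ---- log side: what iptables actually writes (headers only, never payload) ----
SID_RE = re.compile(r"\bSID(\d+)\b")

def parse_log_line(line):
    """Return header fields from an iptables LOG line, or None for unrelated syslog."""
    if "IN=" not in line or "SRC=" not in line:
        return None
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    # everything between "kernel:" and "IN=" is the --log-prefix (plus a timestamp)
    prefix = line.split("kernel:", 1)[1].split("IN=", 1)[0] if "kernel:" in line else ""
    tail = line.split("PROTO=", 1)[1] if "PROTO=" in line else ""
    sid = SID_RE.search(prefix)
    return {
        "src": fields.get("SRC"),
        "proto": fields.get("PROTO"),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
        "flags": frozenset(f for f in FLAG_LETTER.values() if re.search(r"\b%s\b" % f, tail)),
        "sid": int(sid.group(1)) if sid else None,  # present only when fwsnort wrote the prefix
    }

def flags_match(rule_flags, pkt_flags):
    if rule_flags is None:
        return True
    want = frozenset(FLAG_LETTER[c] for c in rule_flags.rstrip("+"))
    return want <= pkt_flags if rule_flags.endswith("+") else want == pkt_flags

# ---- psad side: signature match + fwsnort SID -> danger level -> auto-block ----
FWSNORT_SID_DL = {12345: 4}  # constructed: danger level assigned to this fwsnort SID
CONF = {"ENABLE_AUTO_IDS": "Y", "AUTO_IDS_DANGER_LEVEL": 5}  # psad.conf names; Y is not the default

def assess(line, rules, conf=CONF):
    pkt = parse_log_line(line)
    if pkt is None:
        return None
    hits = [r for r in rules
            if r["proto"] == pkt["proto"]
            and (r["dport"] is None or r["dport"] == pkt["dport"])
            and flags_match(r["flags"], pkt["flags"])]
    dl = max([r["psad_dl"] for r in hits] + [FWSNORT_SID_DL.get(pkt["sid"], 0)])
    return {"src": pkt["src"], "dl": dl, "psad_ids": [r["psad_id"] for r in hits],
            "fwsnort_sid": pkt["sid"],
            "block": conf["ENABLE_AUTO_IDS"] == "Y" and dl >= conf["AUTO_IDS_DANGER_LEVEL"]}

def assess_all(lines, rules, conf=CONF):
    return [a for a in (assess(l, rules, conf) for l in lines) if a is not None]

RULES = [parse_rule(r) for r in (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"port 5060 traffic"; flags:S; classtype:misc-activity; psad_id:200001; psad_dl:5;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FIN scan"; flags:F; classtype:attempted-recon; psad_id:200002; psad_dl:4;)',
    'alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"port 5060 udp"; classtype:misc-activity; psad_id:200003; psad_dl:3;)',
)]

# Constructed log lines in the layout of the iptables LOG target; the fourth carries
# the assumed fwsnort prefix "[1] SID12345 ESTAB " for a payload match on port 80.
_HDR = "Nov  8 07:46:01 fw kernel: "
_TCP = ("IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 "
        "DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP ")
SAMPLE_LOG = [
    _HDR + "[  91.2] DROP " + _TCP + "SPT=40001 DPT=5060 WINDOW=29200 RES=0x00 SYN URGP=0",
    _HDR + "[  92.0] DROP " + _TCP + "SPT=40002 DPT=5060 WINDOW=1024 RES=0x00 FIN URGP=0",
    _HDR + "[  93.1] DROP " + _TCP + "SPT=40003 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
    _HDR + "[  94.4] [1] SID12345 ESTAB " + _TCP + "SPT=40004 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0",
    _HDR + "[  95.0] DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=48 PROTO=UDP SPT=5060 DPT=5060 LEN=28",
    "Nov  8 07:46:05 fw sshd[412]: Accepted publickey for ops from 198.51.100.7",
]

if __name__ == "__main__":
    for verdict in assess_all(SAMPLE_LOG, RULES):
        print(verdict)
```

Running it shows the two points the thread makes: the SYN to 5060 trips the posted signature at danger level 5 and is the only line that crosses the auto-block threshold, while the fwsnort line matches no psad signature at all and is scored purely from the SID in its prefix, because the HTTP payload fwsnort inspected never reaches the log. The FIN-only packet illustrates Mike's "flags: F;" variant. Real psad additionally raises the danger level from packet and port counts over time, and fwsnort's exact prefix wording should be checked against the rules it generates on your system; both are outside this toy.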





