ipchains code for strings (from: Re: [suse-security] WEB IIS cmd exe requests)
On Tuesday 18 September 2001 10:27 am, you wrote:
I have this for the older ones: $IPTABLES -I INPUT -p tcp --dport 80 -m string --string .ida -m state --state ESTABLISHED -j REJECT --reject-with tcp-reset
After searching google and man, I'm guessing that there's no equivalent for ipchains, and that a second tool such as Snort or the like would need to be used in my case...?

TIA
geo
Hi, On 19-Sep-01 Fluffy Bananachunks wrote:
On Tuesday 18 September 2001 10:27 am, you wrote:
I have this for the older ones: $IPTABLES -I INPUT -p tcp --dport 80 -m string --string .ida -m state --state ESTABLISHED -j REJECT --reject-with tcp-reset
After searching google and man, I'm guessing that there's no equivalent for ipchains, and that a second tool such as Snort or the like would need to be used in my case...?
You're right, there's no such thing like stateful inspection with ipchains, you should use snort as well if you want to tap into the flow of packets. The latest snortrules contain attack signatures for the Unicode exploit/cmd.exe, but you should be able to construct some default.ida-rules yourself. Writing snort rules is not too difficult and heavily documented. Just take a look at http://www.snort.org .
Boris Lorenz <bolo@lupa.de> ---
* Boris Lorenz; <bolo@lupa.de> on 19 Sep, 2001 wrote:
You're right, there's no such thing like stateful inspection with ipchains, you should use snort as well if you want to tap into the flow of packets. The latest snortrules contain attack signatures for the Unicode exploit/cmd.exe, but you should be able to construct some default.ida-rules yourself. Writing snort rules is not too difficult and heavily documented. Just take a look at http://www.snort.org .
Though not with ipchains yet:

a) configure the webserver for another port, i.e. 81, and use return-rst to reset port 80 requests
b) better, I think: use hogwash http://hogwash.sourceforge.net

HTH
-- 
Togan Muftuoglu
Togan Muftuoglu wrote:
Though not with ipchains yet

hm, what about a squid? redirect all traffic to the squid instead of passing it directly to the webserver and you can define acl's to deny these requests...
just my 2 cents
-- 
intraDAT AG  http://www.intradat.com
Wilhelm-Leuschner-Strasse 7  Tel: +49 69-25629-0
D - 60329 Frankfurt am Main  Fax: +49 69-25629-256
Hi all! Boris Lorenz wrote:
. . .
You're right, there's no such thing like stateful inspection with ipchains, you should use snort as well if you want to tap into the flow of packets. The latest snortrules contain attack signatures for the Unicode exploit/cmd.exe, but you should be able to construct some default.ida-rules yourself. Writing snort rules is not too difficult and heavily documented. Just take a look at http://www.snort.org .
. . .
<bashful-stolen-from-another-list>
Subject: Snort sigs
Date: Wed, 19 Sep 2001 13:10:03 +0100
From: "JustinMacCarthy" <macarthy@iol.ie>

FYI

There seem to be a few added already: http://www.snort.org/downloads/snortrules.tar.gz

some NOT all ->

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS CodeRed v2 root.exe access"; flags: A+; uricontent:"scripts/root.exe?"; nocase; classtype: attempted-admin; sid: 1256; rev: 1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS outlook web dos"; flags:A+; uricontent:"/exchange/LogonFrm.asp?"; nocase; content:"mailbox="; nocase; content:"|25 25 25|"; classtype:attempted-dos; reference:bugtraq,3223; sid:1283; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS msdac access"; flags:A+; uricontent:"/msdac/"; nocase; classtype:bad-unknown; sid:1285; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS _mem_bin access"; flags:A+; uricontent:"/_mem_bin/"; nocase; classtype:bad-unknown; sid:1286; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS scripts access"; flags:A+; uricontent:"/scripts/"; nocase; classtype:bad-unknown; sid:1287; rev:1;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml attempt"; flags:A+; uricontent:"readme.eml"; nocase; classtype:bad-unknown; sid:1284; rev:1;)

~J
</bashful-stolen-from-another-list>

Hope that helps
-- 
best greetings from Solingen /GERMANY
Dieter Hürten
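As an added illustration (not code from the thread, from Snort, or from Boris's or Dieter's posts), here is the kind of case-insensitive uricontent matching the forwarded rules perform, written as a short Python check over constructed request lines, together with hand-built default.ida and cmd.exe rules of the sort Boris suggests writing yourself. The sid values of the constructed rules are placeholders, and matching against the percent-decoded URI as well as the raw one is an assumption added here so that encoded variants are not missed.

```python
from urllib.parse import unquote

# Subset of the forwarded rules plus two constructed rules of the kind
# Boris suggests writing by hand; their sids are placeholders.
RULES = [
    {"sid": 1256, "uricontent": "scripts/root.exe?", "msg": "WEB-IIS CodeRed v2 root.exe access"},
    {"sid": 1287, "uricontent": "/scripts/", "msg": "WEB-IIS scripts access"},
    {"sid": "SID-PLACEHOLDER", "uricontent": "default.ida", "msg": "WEB-IIS default.ida access (constructed)"},
    {"sid": "SID-PLACEHOLDER", "uricontent": "cmd.exe", "msg": "WEB-IIS cmd.exe access (constructed)"},
]


def request_uri(line):
    """Return the URI of an HTTP request line, or None if it is malformed."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in ("GET", "POST", "HEAD"):
        return None
    return parts[1]


def match_rules(uri, rules=RULES):
    """Msgs of every rule whose uricontent occurs in the URI (nocase).

    Matching runs on the raw and the percent-decoded URI, so an encoded
    '%63md.exe' still hits the cmd.exe rule; a raw-only match would miss it.
    """
    candidates = (uri.lower(), unquote(uri).lower())
    return [r["msg"] for r in rules
            if any(r["uricontent"].lower() in c for c in candidates)]


def scan(lines):
    """Map each request line that triggers a rule to the list of msgs."""
    alerts = {}
    for line in lines:
        uri = request_uri(line)
        if uri is not None and (hits := match_rules(uri)):
            alerts[line] = hits
    return alerts


SAMPLE_REQUESTS = [  # constructed request lines, not real log data
    "GET /index.html HTTP/1.0",
    "GET /default.ida?XXXXXXXX HTTP/1.0",
    "GET /scripts/root.exe? HTTP/1.0",
    "GET /Scripts/%63md.exe HTTP/1.0",
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_REQUESTS).items():
        print(line, "->", hits)
```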
participants (5): Boris Lorenz, Dieter Huerten, Fluffy Bananachunks, Sven Michels, Togan Muftuoglu