Michael Rash, Security Researcher

Chapter 7: Advanced psad Topics: From Signature Matching
to OS Fingerprinting

This chapter introduces you to advanced psad functionality, including integrated passive OS fingerprinting, Snort signature detection via packet headers, verbose status information, and DShield reporting. This chapter is all about showing how far iptables log information can go toward providing security data.

Modifications that psad makes to syntax of the Snort rules language is discussed, and below are a few signatures from the /etc/psad/signatures file. These signatures are used by psad in order to use iptables log messages to detect malicious traffic that matches Snort rules that have no application layer pattern match requirement. alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC data in TCP SYN packet"; psad_dsize:>20; flags:S; reference:url, IN-99-07.html; classtype:misc-activity; sid:207; psad_id:100000; psad_dl:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN ipEye SYN scan"; flags:S; seq:1958810375; reference:arachnids,236; classtype:attempted-recon; sid:622; psad_id:100197; psad_dl:2;)

alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url, advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; psad_id:100103; psad_dl:2;)

alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC tcp port 0 traffic"; classtype:misc-activity; sid:524; psad_id:100101; psad_dl:2;)

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC 0 ttl"; ttl:0; reference:url,\;EN-US\;q138268; reference:url,; classtype:misc-activity; sid:1321; psad_id:100104; psad_dl:2;)