
Using snort to block script-kiddie attacks

This article does not claim to be a complete description of the snort system; it merely offers the reader a ready-made solution for protecting a server from mischievous script kiddies.
I personally set all of this up on OpenBSD, but the essence does not change from one system to another.

Lyrical digression

snort ( http://snort.org ) is a network intrusion detection system (NIDS) for IPv4 networks built on libpcap. By itself it is essentially a plain tcpdump, but you can write rules for it by which it blocks malicious traffic and raises security events (alerts).
I have a number of snort sensors linked together through a collector based on prelude ( http://prelude-ids.org ). All the rules were written by me personally.
Results (according to operating statistics for 4 months):
False positives: about 2% (average traffic 120 Mb/s).
About 15 blocks per day.
Missed attacks: 0 (since the protection system was deployed, not a single server has been hacked; hosting and VDS are protected).
In addition, modules for automatic abuse reports to the RIPE database and for traffic blocking on the root Cisco have been added.
So, we have:
A server with snort-inline installed on it (on *BSD it is installed from ports; on Linux it is built from source with the --enable-inline option).
To begin with, we configure snort itself (the paths may differ for your OS; see the default config). /etc/snort/snort.conf:

# Variables (named as in the default SourceFire config)
var HOME_NET 1.2.3.4 # the protected server's IP address
var EXTERNAL_NET any
var HTTP_SERVERS $HOME_NET
portvar HTTP_PORTS [80,8080]
# Rule directories
var RULE_PATH /etc/snort/rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
# Turn off the decoder's own alerts - they only add noise
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
# Dynamic preprocessor and detection engine libraries
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
# IP fragment reassembly
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy linux
# TCP stream reassembly (needed by http_inspect); UDP is not tracked
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
preprocessor stream5_tcp: policy linux
#preprocessor stream5_udp: ignore_any_rules
# HTTP normalization (http_inspect)
# unicode.map with codepage 1251
preprocessor http_inspect: global iis_unicode_map unicode.map 1251
preprocessor http_inspect_server: server default profile apache no_alerts ports { 80 8080 8180 } oversize_dir_length 500
# Alerts go to syslog
output alert_syslog: LOG_ALERT
# Standard classification and reference definitions
include classification.config
include reference.config
# Our own rules
include $RULE_PATH/local.rules


And create $RULE_PATH/local.rules:
# UNION SQL injection
drop tcp any any -> $HOME_NET $HTTP_PORTS (msg:"UNION SQL Injection";uricontent:"union";nocase;uricontent:"select";nocase;sid:1;gid:666;rev:1;)
# blind SQL injection
drop tcp any any -> $HOME_NET $HTTP_PORTS (msg:"Blind SQL Injection";uricontent:"ascii";nocase;uricontent:"substr";nocase;uricontent:"select";nocase;sid:2;gid:666;rev:1;)
# XSS/CSS (the tag in this uricontent was lost in extraction; "<script" is assumed to be the original pattern)
drop tcp any any -> $HOME_NET $HTTP_PORTS (msg:"XSS/CSS attack";uricontent:"<script";nocase;sid:4;gid:666;rev:1;)
# XSS/CSS
drop tcp any any -> $HOME_NET $HTTP_PORTS (msg:"XSS/CSS attack";pcre:"/GET \/.*\?.*=(javascript:|onclick=|onmouseover=|onmouseout=|onload=).*\n/i";sid:5;gid:666;rev:1;)
# ../../../etc/passwd
drop tcp any any -> $HOME_NET $HTTP_PORTS (msg:"PHP include attack";uricontent:"=../..";sid:6;gid:666;rev:1;)

Run snort
snort -i em0 -c /etc/snort/snort.conf -D
Check and rejoice.
Note: POST requests are not inspected by these rules, but nothing is impossible.
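To see what the local.rules above actually catch, and why the note about POST matters, here is an added example (not part of the original article): a small Python model of the rules' uricontent/nocase/pcre matching run over constructed HTTP requests to the 1.2.3.4 server from the config. It assumes http_inspect hands a percent-decoded URI to uricontent and that a pcre without /U sees the raw request buffer.

```python
import re
from urllib.parse import unquote

# Constructed copy of three of the page's local.rules (only the option keywords they use are handled).
RULES = r'''
drop tcp any any -> $HOME_NET $HTTP_PORTS (msg:"UNION SQL Injection";uricontent:"union";nocase;uricontent:"select";nocase;sid:1;gid:666;)
drop tcp any any -> $HOME_NET $HTTP_PORTS (msg:"XSS/CSS attack";pcre:"/GET \/.*\?.*=(javascript:|onclick=|onmouseover=|onmouseout=|onload=).*\n/i";sid:5;gid:666;)
drop tcp any any -> $HOME_NET $HTTP_PORTS (msg:"PHP include attack";uricontent:"=../..";sid:6;gid:666;)
'''
OPT_RE = re.compile(r'(\w+)(?::"((?:[^"\\]|\\.)*)"|:([^;]*))?;')  # key, key:"quoted" or key:bare, ';'-terminated

def parse_rules(text):
    """Parse 'action proto src sport -> dst dport (options)' lines into (sid, checks); checks are ANDed."""
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        opts = line.split('(', 1)[1]                         # the first '(' opens the option list
        sid, checks = None, []                               # check = [kind, pattern, nocase]
        for key, quoted, bare in OPT_RE.findall(opts[:opts.rfind(')')]):
            if key == 'sid':
                sid = int(bare)
            elif key in ('uricontent', 'pcre'):
                checks.append([key, quoted, False])
            elif key == 'nocase':
                checks[-1][2] = True                         # nocase modifies the preceding uricontent
        rules.append((sid, checks))
    return rules

def matching_sids(request, rules):
    """sids whose checks all match; uricontent sees the percent-decoded URI (as http_inspect normalizes it), pcre the raw request."""
    uri, hits = unquote(request.split('\r\n', 1)[0].split(' ')[1]), []
    for sid, checks in rules:
        for kind, pat, nocase in checks:
            if kind == 'uricontent':
                ok = pat.lower() in uri.lower() if nocase else pat in uri
            else:
                body, flags = pat[1:].rsplit('/', 1)         # "/regex/flags" as written in the rule
                ok = re.search(body, request, re.I if 'i' in flags else 0) is not None
            if not ok:
                break
        else:
            hits.append(sid)
    return hits

# Constructed requests to the server 1.2.3.4; the POST carries the same payload in its body, where these URI-only rules cannot see it.
SAMPLES = {
    'union':   "GET /item.php?id=1%20UNION%20SELECT%201 HTTP/1.1\r\nHost: 1.2.3.4\r\n\r\n",
    'include': "GET /view.php?page=../../etc/passwd HTTP/1.1\r\nHost: 1.2.3.4\r\n\r\n",
    'xss':     "GET /search?q=javascript:alert(1) HTTP/1.1\r\nHost: 1.2.3.4\r\n\r\n",
    'post':    "POST /item.php HTTP/1.1\r\nHost: 1.2.3.4\r\n\r\nid=1 union select 1\r\n",
}
RESULTS = {name: matching_sids(req, parse_rules(RULES)) for name, req in SAMPLES.items()}  # sample -> dropping sids
```

RESULTS shows the three GET requests each hit exactly one rule while the POST passes untouched, which is the gap the note describes.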

PS This article is published at the request of a certain kreon, who is not on Habr.

Source: https://habr.com/ru/post/69854/
