R-fx Networks

HowTo

Snorting the Web Farm

by on Jun.10, 2009, under Development, HowTo

Here are some rules for you snort freaks to chew on that I have found useful in web heavy environments.

alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET ATTACK RESPONSE x2300 phpshell detected"; content:"Locus7Shell"; nocase; classtype:web-application-activity; reference:url,www.rfxn.com; sid:300010; rev:1;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET ATTACK RESPONSE RFI Scanner detected"; content:"RFI Scanner"; classtype:web-application-activity; reference:url,www.rfxn.com; sid:300020; rev:2;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET ATTACK RESPONSE lila.jpg phpshell detected"; content:"CMD PHP"; classtype:web-application-activity; reference:url,www.rfxn.com; sid:300030; rev:2;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET ATTACK RESPONSE ALBANIA id.php detected"; content:"UNITED ALBANIANS aka ALBOSS PARADISE"; classtype:web-application-activity; reference:url,www.rfxn.com; sid:300040; rev:2;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET ATTACK RESPONSE Data Cha0s Backdoor"; content:"Data Cha0s Connect Back Backdoor"; classtype:web-application-activity; reference:url,www.rfxn.com; sid:300050; rev:1;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET ATTACK RESPONSE Data Cha0s Backdoor"; content:"Spawning Shell"; classtype:web-application-activity; reference:url,www.rfxn.com; sid:300051; rev:1;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET ATTACK RESPONSE c99 phpshell variant"; content:"c999shell v."; classtype:web-application-activity; reference:url,www.rfxn.com; sid:300060; rev:1;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET ATTACK RESPONSE c99 phpshell variant"; content:"C99 Modified"; classtype:web-application-activity; reference:url,www.rfxn.com; sid:300061; rev:1;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET ATTACK RESPONSE c99 phpshell variant"; content:"RootShell Security Group"; classtype:web-application-activity; reference:url,www.rfxn.com; sid:300062; rev:1;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET ATTACK RESPONSE c99 phpshell variant"; content:"Modded by Shadow & Preddy"; classtype:web-application-activity; reference:url,www.rfxn.com; sid:300063; rev:1;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET ATTACK RESPONSE js insert redirect"; content:"META HTTP-EQUIV='Refresh' CONTENT='0"; nocase; content:"text/javascript"; nocase; pcre:"/daobrains\.info|engaolika\.info|globalsecurityscans\.com|goscanpark\.com|goscansome\.com|goscansoon\.com|goslimscan\.com|neborin\.info|safetyshareonline\.com|securityexamineonline\.com/i"; classtype:web-application-activity; reference:url,blog.unmaskparasites.com/2009/07/23/goscanpark-13-facts-about-malicious-server-wide-meta-redirects/; sid:300070; rev:3;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET ATTACK RESPONSE DarkMailer"; uricontent:"cgi"; nocase; uricontent:"m="; nocase;  pcre:"/dark\.cgi|dm\.cgi|da\.cgi/iU"; classtype: web-application-attack; sid: 300080; rev:1;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET ATTACK RESPONSE DarkMailer"; content:"yellsoft"; nocase; content:"DirectMailer v"; nocase; classtype: web-application-attack; sid: 300081; rev:1;)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET ATTACK RESPONSE r57 phpshell footer detected"; content:"http-shell by RST/GHC"; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; sid:2003535; rev:4;)
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ATTACK RESPONSE r57 phpshell source being uploaded"; content:"by 1dt.w0lf"; content:"GHC http"; distance:0; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; sid:2003536; rev:5;)

alert tcp any any -> any any (msg:"ET ATTACK RESPONSE devil_ shellbot: conback request"; content:"Conectando-se em"; classtype:attempted-admin; reference:url,www.rfxn.com; sid:300090; rev:1;)
alert tcp any any -> any any (msg:"ET ATTACK RESPONSE devil_ shellbot: udp flood"; content:"pacotando"; content:"temp"; classtype:attempted-dos; reference:url,www.rfxn.com; sid:300091; rev:1;)
alert tcp any any -> any any (msg:"ET ATTACK RESPONSE devil_ shellbot: udp flood"; content:"de envio"; content:"Total pacotes"; content:"Total bytes"; content:"Tempo"; classtype:attempted-dos; reference:url,www.rfxn.com; sid:300092; rev:1;)

alert tcp any any -> any any (msg:"ET ATTACK RESPONSE /bin/sh shell spawn"; content:"no job control in this shell"; classtype:attempted-admin; reference:url,www.rfxn.com; sid:300100; rev:1;)
1 Comment :, more...

BOGON Filtering, Update It

by on Apr.17, 2009, under Development, HowTo

One of the features used by APF to prevent address spoofing is that it filters reserved IP address space, also known as BOGON filtering. This is an otherwise very reliable method to keep out random unallocated spoofed addresses from injecting traffic towards your server, assuming of course the list is updated regularly.

We decided a few months ago that we would disable by default all remote features in APF, including the auto updating of the reserved networks file (BOGON filter list), however this was done with one ill-fated consequence… That if you do not turn on the update feature yourself you may inadvertently start filtering newly allocated address space. This was a change that in hind sight was probably not the best of ideas and as such has now been turned back on by default in the current APF release.

That is then the purpose of this post, every feature even in its best intentions has the capacity when it goes unmanaged to cause more harm than good and that is exactly what the BOGON filtering will do over time if left enabled and it goes unmanaged. The quick fix to this issue is that you enable the reserved network update feature or disable the use of the reserved network filtering in conf.apf all together; below are details on conducting either task:

1) This change will make APF download and update to the latest reserved network file daily at 4am (recommended):
edit /etc/apf/conf.apf and set the option DLIST_RESERVED=”1″
restart APF with /etc/init.d/apf restart

OR

2) This change will disable the use of reserved network filtering from APF all together (not recommended!):
edit /etc/apf/conf.apf and set the option BLK_RESNET=”0″
restart APF with /etc/init.d/apf restart

I hope this assists anyone who is experiencing random connection issues from clients or to better decide if this feature is right for you. The BOGON list APF uses is maintained at http://www.rfxn.com/downloads/reserved.networks , which is updated twice daily with the latest data from ARIN.

Leave a Comment :, , more...

Looking for something?

Use the form below to search the site:

Still not finding what you're looking for? Drop a comment on a post or contact us so we can take care of it!

Visit our friends!

A few highly recommended friends...