Chapter 7: Advanced psad Topics: From Signature Matching to OS Fingerprinting
This chapter introduces you to advanced psad functionality, including
integrated passive OS fingerprinting, Snort signature detection via packet
headers, verbose status information, and DShield reporting. This chapter is all
about showing how far iptables log information can go toward providing
security data.
The modifications that psad makes to the syntax of the Snort rules language are discussed in this chapter, and below are a few signatures from the /etc/psad/signatures file. psad uses these signatures to detect, from iptables log messages alone, traffic that matches Snort rules that have no application layer pattern match requirement.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC data in TCP SYN packet"; psad_dsize:>20; flags:S; reference:url,www.cert.org/incident_notes/IN-99-07.html; classtype:misc-activity; sid:207; psad_id:100000; psad_dl:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN ipEye SYN scan"; flags:S; seq:1958810375; reference:arachnids,236; classtype:attempted-recon; sid:622; psad_id:100197; psad_dl:2;)
alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; psad_id:100103; psad_dl:2;)
alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC tcp port 0 traffic"; classtype:misc-activity; sid:524; psad_id:100101; psad_dl:2;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC 0 ttl"; ttl:0; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:1321; psad_id:100104; psad_dl:2;)
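To make concrete how header-only Snort rules can be evaluated against iptables log text, here is an added example (not psad's own code) that parses the five signatures above and tests constructed iptables LOG lines against their flags, seq, ttl, sameip, port and psad_dsize options. It assumes SEQ= fields are present (iptables logs them only with --log-tcp-sequence) and that packets carry no IP or TCP options, so payload size is LEN minus 40 bytes; the reference options are dropped from the rule strings for brevity.

```python
import re

# Constructed example: the psad signatures quoted above, reference options dropped for brevity.
SIGNATURES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC data in TCP SYN packet"; psad_dsize:>20; flags:S; sid:207;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN ipEye SYN scan"; flags:S; seq:1958810375; sid:622;)',
    'alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip; sid:527;)',
    'alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC tcp port 0 traffic"; sid:524;)',
    'alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC 0 ttl"; ttl:0; sid:1321;)',
]
FLAGS = {'S': 'SYN', 'A': 'ACK', 'F': 'FIN', 'R': 'RST', 'P': 'PSH', 'U': 'URG'}

def parse_rule(rule):
    # Header fields, then the option list; a '\;' inside a reference URL is not a separator.
    head, body = rule.split('(', 1)
    _action, proto, _src, _sport, arrow, _dst, dport = head.split()
    opts = {k: v.strip('"') for k, _, v in
            (opt.strip().partition(':') for opt in re.split(r'(?<!\\);', body.rstrip(')'))) if k}
    return {'proto': proto, 'arrow': arrow, 'dport': dport, 'opts': opts}  # bare options map to ''

def parse_log(line):
    # KEY=VALUE fields plus the bare TCP flag tokens ('ACK=0' is a field, 'ACK' is a flag).
    pkt = dict(re.findall(r'(\w+)=(\S*)', line))
    pkt['flags'] = {t for t in line.split() if t in FLAGS.values()}
    return pkt

def matches(sig, pkt):
    o = sig['opts']
    if sig['proto'] != 'ip' and sig['proto'] != pkt['PROTO'].lower():
        return False
    ports = {pkt.get('DPT')} | ({pkt.get('SPT')} if sig['arrow'] == '<>' else set())
    if sig['dport'] != 'any' and sig['dport'] not in ports:
        return False
    if 'flags' in o and {FLAGS[c] for c in o['flags']} != pkt['flags']:
        return False
    if 'ttl' in o and int(pkt['TTL']) != int(o['ttl']):
        return False
    if 'seq' in o and pkt.get('SEQ') != o['seq']:  # SEQ= appears only with --log-tcp-sequence
        return False
    if 'sameip' in o and pkt['SRC'] != pkt['DST']:
        return False
    if 'psad_dsize' in o:  # assumption: payload = LEN - 20-byte IP header - 20-byte TCP header, no options
        op, n = re.match(r'([<>]?)(\d+)', o['psad_dsize']).groups()
        size = int(pkt['LEN']) - 40
        if not {'>': size > int(n), '<': size < int(n), '': size == int(n)}[op]:
            return False
    return True

def scan(line, rules=SIGNATURES):
    pkt = parse_log(line)  # returns the sids of every signature the iptables log line satisfies
    return [int(s['opts']['sid']) for s in map(parse_rule, rules) if matches(s, pkt)]
```

Because only header fields are consulted, a log line from a kernel LOG rule is enough to fire these signatures; anything needing a payload pattern stays out of reach of psad by design.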