Creating a custom IPS/IDS definition.

Forum|Forum|10 years ago
August 10, 2015
2 replies
7716 views

I'm getting hit a lot by miscreants using the OpenVAS scanner as of late. It eventually triggers one of my IPS/IDS rules and the IP gets banned, but I'd like to do so as soon as it sees a connection with the "OpenVAS" string in it.

For example:

==pcap 1 ascii s==

.......Uf^..P...P...E..P[.@.7.Ag[...Ap.....P.W.....S.............#......GET./cgi-mod/index.cgi.HTTP/1.1..Connection:.Close..Host:.65.112.26.132:80..Pragma:.no-cache..User-Agent:.Mozilla/5.0.[en].(X11,.U;.[style="background-color: #ffff00;"]OpenVAS[/style].7.0.5)..Accept:.image/gif,.image/x-xbitmap,.image/jpeg,.image/pjpeg,.image/png,.*/*..Accept-Language:.en..Accept-Charset:.iso-8859-1,*,utf-8....

==pcap 1 ascii e==

Has someone created a custom definition before. The explanation of the syntax in the Fortigate 5.2 help for this isn't the best.

Here is what I'm thinking:

[align=LEFT]F-SBID( --name "Block.OpenVAS"; --protocol tcp; --service HTTP; --pattern "OpenVAS"; --no_case; --context uri; )[/align][align=LEFT] [/align][align=LEFT]Would this work?[/align]

Best answer by emnoc

You can touch it up but are you looking for the string in the contact header ?

e.g

"F-SBID( --attack_id 7777; --name "/OpenVAS01/"; --protocol tcp; --service HTTP; --tcp_flags A; --pattern "\OpenVAS\"; --no_case; --context header; --flow from_client;)"

Give that a try and monitor for a while.

emnocAnswer

New Member

You can touch it up but are you looking for the string in the contact header ?

e.g

"F-SBID( --attack_id 7777; --name "/OpenVAS01/"; --protocol tcp; --service HTTP; --tcp_flags A; --pattern "\OpenVAS\"; --no_case; --context header; --flow from_client;)"

Give that a try and monitor for a while.

seadaveAuthor

New Member

emnoc wrote:
You can touch it up but are you looking for the string in the contact header ?

e.g

"F-SBID( --attack_id 7777; --name "/OpenVAS01/"; --protocol tcp; --service HTTP; --tcp_flags A; --pattern "\OpenVAS\"; --no_case; --context header; --flow from_client;)"
Give that a try and monitor for a while.

When I try to enter this I get "Index out of range"? I've tried without attack_id (I think one will be automatically assigned), and with and without quotes. Does it not like the escape characters?

To answer your question yes. Based on the pcap I have, part of the client ID or interrogation string will identify itself as a particular version of OpenVAS. I'd like to trigger on any client that passes that text to my firewall and quarantine their IP. I know how to configure the last part, I just need to define the proper signature.

seadaveAuthor

New Member

@emnoc

Thanks so much for taking the time to consider my question. It is appreciated. Will report back what I see. It is interesting. A few months back our MSS reported lots of Zemu based scans. Those have now been surpassed by OpenVAS. There is an IPS for Zemu and I leveraged that quite effectively. Hopefully this will work.

Thanks!

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded