Creating a custom IPS/IDS definition.
I'm getting hit a lot by miscreants using the OpenVAS scanner as of late. It eventually triggers one of my IPS/IDS rules and the IP gets banned, but I'd like to do so as soon as it sees a connection with the "OpenVAS" string in it.
For example:
==pcap 1 ascii s==
.......Uf^..P...P...E..P[.@.7.Ag[...Ap.....P.W.....S.............#......GET./cgi-mod/index.cgi.HTTP/1.1..Connection:.Close..Host:.65.112.26.132:80..Pragma:.no-cache..User-Agent:.Mozilla/5.0.[en].(X11,.U;.OpenVAS.7.0.5)..Accept:.image/gif,.image/x-xbitmap,.image/jpeg,.image/pjpeg,.image/png,.*/*..Accept-Language:.en..Accept-Charset:.iso-8859-1,*,utf-8....
==pcap 1 ascii e==
Has someone created a custom definition before? The explanation of the syntax in the Fortigate 5.2 help for this isn't the best.
Here is what I'm thinking:
F-SBID( --name "Block.OpenVAS"; --protocol tcp; --service HTTP; --pattern "OpenVAS"; --no_case; --context uri; )

Would this work?
You can touch it up but are you looking for the string in the contact header ?
e.g
"F-SBID( --attack_id 7777; --name "/OpenVAS01/"; --protocol tcp; --service HTTP; --tcp_flags A; --pattern "\OpenVAS\"; --no_case; --context header; --flow from_client;)"
Give that a try and monitor for a while.
PCNSE
NSE
StrongSwan
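The difference between the two signatures above comes down to the --context option: in the captured request the string "OpenVAS" sits in the User-Agent header, not in the request URI, so a --context uri signature has nothing to match. The following is an added example, not code from this thread or from Fortinet: a small Python model of the F-SBID option syntax and of which part of an HTTP request each context covers. It rebuilds the request from the pcap as a constructed sample (dots replaced with spaces and CRLFs), shows that the original signature only fires once its context is changed to header, and also shows that this simplified parser rejects the "\OpenVAS\" pattern because of its dangling backslash. Whether FortiOS rejects it for the same reason is an assumption this example does not establish; the cleaned-up HEADER_SIG below is likewise the author's assumption of a well-formed equivalent, not a Fortinet-published signature.

```python
import re
from typing import Dict, Optional

# Constructed sample: the request from the pcap in the post, rebuilt with real
# separators (the dump shows non-printables as dots). Not a real capture.
SAMPLE_REQUEST = (
    "GET /cgi-mod/index.cgi HTTP/1.1\r\n"
    "Connection: Close\r\n"
    "Host: 65.112.26.132:80\r\n"
    "Pragma: no-cache\r\n"
    "User-Agent: Mozilla/5.0 [en] (X11, U; OpenVAS 7.0.5)\r\n"
    "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*\r\n"
    "Accept-Language: en\r\n"
    "Accept-Charset: iso-8859-1,*,utf-8\r\n"
    "\r\n"
)

# Constructed benign request used as a negative control.
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: 65.112.26.132\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0) Firefox/52.0\r\n"
    "\r\n"
)

# The three signatures discussed in the thread (OP_SIG and EMNOC_SIG are quoted
# from the posts; HEADER_SIG is an assumed well-formed variant of EMNOC_SIG).
OP_SIG = ('F-SBID( --name "Block.OpenVAS"; --protocol tcp; --service HTTP; '
          '--pattern "OpenVAS"; --no_case; --context uri; )')
EMNOC_SIG = ('"F-SBID( --attack_id 7777; --name "/OpenVAS01/"; --protocol tcp; '
             '--service HTTP; --tcp_flags A; --pattern "\\OpenVAS\\"; --no_case; '
             '--context header; --flow from_client;)"')
HEADER_SIG = ('F-SBID( --attack_id 7777; --name "OpenVAS01"; --protocol tcp; '
              '--service HTTP; --pattern "OpenVAS"; --no_case; --context header; '
              '--flow from_client; )')

# One option: --key, optionally followed by a quoted value (with backslash
# escapes) or a bare value, terminated by ';'.
OPTION_RE = re.compile(r'--(\w+)(?:\s+("(?:[^"\\]|\\.)*"|[^;]+))?\s*;')


def unquote(raw: str) -> str:
    """Strip surrounding double quotes and resolve backslash escapes."""
    if len(raw) < 2 or not (raw[0] == raw[-1] == '"'):
        return raw
    inner, out, i = raw[1:-1], [], 0
    while i < len(inner):
        if inner[i] == "\\":
            if i + 1 >= len(inner):
                raise ValueError(f"dangling backslash in {raw!r}")
            out.append(inner[i + 1])  # escaped char taken literally
            i += 2
        else:
            out.append(inner[i])
            i += 1
    return "".join(out)


def parse_fsbid(sig: str) -> Dict[str, Optional[str]]:
    """Parse F-SBID( ... ) into {option: value}; flags such as no_case map to None."""
    m = re.fullmatch(r'\s*"?F-SBID\(\s*(.*?)\s*\)"?\s*', sig, re.S)
    if not m:
        raise ValueError("not an F-SBID(...) signature")
    body, opts, pos = m.group(1), {}, 0
    while pos < len(body):
        om = OPTION_RE.match(body, pos)
        if not om:
            raise ValueError(f"cannot parse option at {body[pos:pos + 30]!r}")
        key, raw = om.group(1), om.group(2)
        opts[key] = unquote(raw.strip()) if raw is not None else None
        pos = om.end()
        while pos < len(body) and body[pos].isspace():
            pos += 1
    return opts


def signature_parses(sig: str) -> bool:
    """True if the simplified parser accepts the signature."""
    try:
        parse_fsbid(sig)
        return True
    except ValueError:
        return False


def http_contexts(request: str) -> Dict[str, str]:
    """Split a raw request into the regions a --context option can name."""
    head, _, body = request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _method, uri, _version = lines[0].split(" ", 2)
    host = next((h.split(":", 1)[1].strip() for h in lines[1:]
                 if h.lower().startswith("host:")), "")
    return {"uri": uri, "header": "\r\n".join(lines[1:]), "host": host,
            "body": body, "packet": request}


def matches(sig: str, request: str) -> bool:
    """Apply the signature's --pattern to the region named by --context."""
    opts = parse_fsbid(sig)
    pattern = opts.get("pattern")
    if pattern is None:
        raise ValueError("signature has no --pattern")
    haystack = http_contexts(request)[opts.get("context") or "packet"]
    if "no_case" in opts:
        return pattern.lower() in haystack.lower()
    return pattern in haystack


if __name__ == "__main__":
    print("OP signature (context uri):   ", matches(OP_SIG, SAMPLE_REQUEST))
    print("OP signature (context header):",
          matches(OP_SIG.replace("--context uri", "--context header"), SAMPLE_REQUEST))
    print("emnoc signature parses:       ", signature_parses(EMNOC_SIG))
    print("cleaned header signature:     ", matches(HEADER_SIG, SAMPLE_REQUEST),
          "/ benign:", matches(HEADER_SIG, BENIGN_REQUEST))
```

The model only covers pattern, no_case and context; protocol, service, tcp_flags and flow are parsed but not evaluated, since the sample is a single already-reassembled request. A practitioner testing a real signature should still watch the IPS log for a while, as the answer above says, because a case-insensitive match on a User-Agent substring will also catch anyone who spoofs that header.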
emnoc wrote: You can touch it up but are you looking for the string in the contact header ?
e.g
"F-SBID( --attack_id 7777; --name "/OpenVAS01/"; --protocol tcp; --service HTTP; --tcp_flags A; --pattern "\OpenVAS\"; --no_case; --context header; --flow from_client;)"
Give that a try and monitor for a while.
When I try to enter this, I get "Index out of range". I've tried without attack_id (I think one will be automatically assigned), and with and without quotes. Does it not like the escape characters?
To answer your question, yes. Based on the pcap I have, part of the client ID or interrogation string will identify itself as a particular version of OpenVAS. I'd like to trigger on any client that passes that text to my firewall and quarantine their IP. I know how to configure the last part; I just need to define the proper signature.
@emnoc
Thanks so much for taking the time to consider my question. It is appreciated. Will report back what I see. It is interesting. A few months back our MSS reported lots of Zemu based scans. Those have now been surpassed by OpenVAS. There is an IPS for Zemu and I leveraged that quite effectively. Hopefully this will work.
Thanks!
