Last week a client asked us to demonstrate the IPS functionality of SEP by blocking a web download. The systems are in a test environment and the client did not name anything in particular to block; the popular choice is to block streaming media, so we decided to go with blocking MP3 downloads.
Here is how we used IPS to achieve this.
The important thing is to understand the flow of communication between client and server during the session; this is necessary if custom signatures are to be created. Various pieces of information are sent back and forth between the two systems in TCP packets destined for the appropriate service on the server (port 80 for HTTP, port 21 for the FTP control channel). Within these packets is a payload containing the request itself, and that payload is what the signature inspects.
First we did a packet capture of an MP3 download over both HTTP and FTP, because it is important to know how the request looks on the wire in the first place (I'm just a beginner with respect to IPS signatures).
Packet captures of HTTP and FTP requests for an MP3 file show the commands the clients actually send (there are plenty of free tools for this; Wireshark is one).
Browsers download files with the HTTP GET command and FTP clients with the FTP RETR command.
An FTP client issues a separate RETR for each file even when multiple files are retrieved with MGET, so MGET is covered as well. The file name, including the .mp3 extension, is present in
both requests, and both protocols terminate the request line with [CR][LF] characters. This is sufficient information to create custom signatures that prevent these requests from being transmitted.
The signatures will need several parameters, including a regular expression that identifies the specific command to be blocked. Regular expressions are patterns of characters that are compared against data, in this case the contents of the packet payload, and the
commands we wish to block appear there in clear text.
As we do not know the file name, we need a wildcard to match the unknown number of characters between the command and the extension. We also need to allow for the command not being issued in upper case, and for the file extension being capitalized. With this knowledge, we built the signature syntax as follows:
To apply this rule to TCP packets (what protocol?): rule tcp
The packet must contain the TCP ACK flag (reduces false positives): tcp_flag&ack
The request must originate on the host: saddr=$LOCALHOST
For the FTP rule we need to:
limit it to destination port 21 (the FTP control channel): dest=(21)
give the rule a descriptive name in the logs: msg="MP3 in FTP"
match the ASCII text "RETR <anything>.mp3[CR][LF]" regardless of case. Since regexpcontent matches case-sensitively, each letter is written as a character class covering both cases, the wildcard is .* and [CR][LF] is written as the hex escapes \x0d\x0a:
regexpcontent="[Rr][Ee][Tt][Rr] .*[Mm][Pp]3\x0d\x0a"
The same goes for HTTP:
limit it to destination ports 80 and 443: dest=(80,443). Note that on port 443 the request is inside TLS, so the signature can only ever match plain HTTP on port 80; listing 443 does no harm, but it does not block HTTPS downloads.
give the rule a descriptive name in the logs: msg="MP3 in HTTP"
match the ASCII text "GET <anything>.mp3 <version>[CR][LF]" regardless of case. The HTTP request line continues with the protocol version after the file name (for example GET /song.mp3 HTTP/1.1), which is why this pattern has a second .* before the \x0d\x0a:
regexpcontent="[Gg][Ee][Tt] .*[Mm][Pp]3 .*\x0d\x0a"
So the final content looks like this:
rule tcp, dest=(21), tcp_flag&ack, saddr=$LOCALHOST, msg="MP3 detected", regexpcontent="[Rr][Ee][Tt][Rr] .*[Mm][Pp]3\x0d\x0a"
rule tcp, dest=(80,443), tcp_flag&ack, saddr=$LOCALHOST, msg="MP3 GET in HTTP detected", regexpcontent="[Gg][Ee][Tt] .*[Mm][Pp]3 .*\x0d\x0a"
Neither pattern requires the dot before mp3, and anything at all is accepted between the command and the extension, so a path that merely ends in mp3 will match, while an .mp3 name followed by a query string (which puts a ? rather than a space after the extension) will not.
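To check what these two patterns actually match before loading them into SEPM, here is a small Python script, added here as an example; it is not code from the original post or from Symantec. It expands a command word into the [Xx] classes the signatures use, assembles the rule lines with the page's parameters, and runs both regexes over constructed request payloads (not real captures). The HTTP pattern is the page's own; the FTP pattern is the page's "RETR <anything>.mp3[CR][LF]" written out in the same notation, which the post does not spell out and is therefore an assumption here. The script also assumes SEP's regexpcontent engine treats character classes, .* and \xHH escapes the way Python's re module does.

```python
import re

# regexpcontent values. HTTP_GET_MP3 is exactly the page's signature. FTP_RETR_MP3 is
# the page's "RETR <anything>.mp3[CR][LF]" pattern written in the same notation;
# the post does not spell it out, so that is an assumption of this example.
FTP_RETR_MP3 = rb"[Rr][Ee][Tt][Rr] .*[Mm][Pp]3\x0d\x0a"
HTTP_GET_MP3 = rb"[Gg][Ee][Tt] .*[Mm][Pp]3 .*\x0d\x0a"


def case_insensitive(literal: str) -> str:
    """Expand a command word into the [Xx] character classes the signature uses
    to get a case-insensitive match. Only letters are expanded."""
    return "".join(f"[{c.upper()}{c.lower()}]" if c.isalpha() else c for c in literal)


def sep_rule(ports, msg: str, regex: bytes) -> str:
    """Assemble one SEP custom IPS rule line with the parameters used on the page."""
    return (f"rule tcp, dest=({','.join(str(p) for p in ports)}), tcp_flag&ack, "
            f'saddr=$LOCALHOST, msg="{msg}", regexpcontent="{regex.decode()}"')


def signature_hits(regex: bytes, payload: bytes) -> bool:
    """True if the regexpcontent pattern matches anywhere in the packet payload.
    Assumes SEP's engine handles [Xx], .* and \\xHH like Python's re module."""
    return re.search(regex, payload) is not None


# Constructed request payloads (not real captures), one per case worth checking.
SAMPLE_REQUESTS = {
    "http_mp3":       b"GET /music/track01.mp3 HTTP/1.1\r\nHost: media.example\r\n\r\n",
    "http_mp3_upper": b"GET /music/TRACK01.MP3 HTTP/1.1\r\nHost: media.example\r\n\r\n",
    "http_html":      b"GET /index.html HTTP/1.1\r\nHost: media.example\r\n\r\n",
    # Evasion: a query string follows the extension, so "mp3" is not followed by a space.
    "http_mp3_query": b"GET /music/track01.mp3?dl=1 HTTP/1.1\r\nHost: media.example\r\n\r\n",
    # False positive: no .mp3 file at all, but the path ends in "mp3" before the space.
    "http_dir_mp3":   b"GET /mp3 HTTP/1.1\r\nHost: media.example\r\n\r\n",
    "ftp_retr":       b"RETR track01.mp3\r\n",
    "ftp_retr_lower": b"retr TRACK01.MP3\r\n",
    "ftp_list":       b"LIST\r\n",
}


def evaluate(samples=SAMPLE_REQUESTS):
    """Run both signatures over every sample; returns {name: (ftp_hit, http_hit)}."""
    return {name: (signature_hits(FTP_RETR_MP3, p), signature_hits(HTTP_GET_MP3, p))
            for name, p in samples.items()}


if __name__ == "__main__":
    print(sep_rule([21], "MP3 detected", FTP_RETR_MP3))
    print(sep_rule([80, 443], "MP3 GET in HTTP detected", HTTP_GET_MP3))
    for name, (ftp, http) in evaluate().items():
        print(f"{name:16s} ftp={ftp!s:5s} http={http}")
```

Two results are worth noticing. A request whose extension is followed by a query string (track01.mp3?dl=1) slips past the HTTP pattern because "mp3" is not followed by a space, and a request for a path that merely ends in mp3 (/mp3) is blocked even though no MP3 file is involved, since neither pattern insists on the dot. Both follow from the loose .* and the missing dot in the page's pattern rather than from SEP itself, so they are the first things to tighten if this signature goes beyond a demo.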
Once we have this, it is easy to add it in SEPM under the Intrusion Prevention policies:
1. Click on the Policies button.
2. Under View Policies, click Intrusion Prevention.
3. Click Add Custom Intrusion Prevention Signatures. The Custom Intrusion Prevention Library dialog box appears.
By default an example signature group and signature are listed. To view the signature content, select the signature and click Edit below the Signatures table.
4. Type a name for the custom library and, optionally, a description.
5. At the bottom of the Signature Groups pane (on the left of the dialog box), click Add to add a new signature group.
6. Type a name for the signature group and, optionally, a description.
7. The group you added is listed in the Signature Groups box and is automatically enabled. If you do not want it enabled yet, clear the Enable this Group checkbox.
8. Below the Signatures table, click Add. The Add Signature dialog box is displayed. Fill it in as follows:
Type a Name and, optionally, a Description for the signature.
Indicate the Severity, from 0 (most critical) to 15 (informational only).
Indicate the direction of traffic to be checked for the signature.
9. Type the syntax of the signature in the Content field (the rules above; add one signature for HTTP and one for FTP).
If you want the signature to apply only to particular applications, select the Application tab and specify them there.
10. Select the action, Block or Allow, and whether to write to the packet log. We selected Block and Write to packet log.
Now we need to test whether it is working.
We tried with a browser and the download timed out after a few seconds, with Internet Explorer saying it cannot download the file because the connection with the server was reset.
The same happens with FTP. It does not matter whether the client is command-line or GUI based; every client sends the same RETR command, the command times out and the connection is reset, effectively disconnecting the client.
The event can be viewed in the console in the Firewall Attacks log, and the msg parameter supplied in the signature syntax makes these events easy to identify.
In the test environment this was successful. I was able to achieve it after reading the custom signature help file from the SEP client help menu.
I hope this was informative, and have a good time using all the features of SEP.