UnderGround Forums
 

ITGround >> IDS/IPS


5/31/10 9:50 PM
tycoon

Member Since: 1/1/01
Posts: 7638
 
I need to install some sort of intrusion detection system that will catch an email spam worm called STORM. It has caused our email server's public IP to be blacklisted a couple times in the past week. When we get blacklisted, we cannot send to a few of our dealers who use hotmail.com, aol.com, earthlink.net, etc. accounts. Not until I request a de-listing from the SPAMHAUS blacklist group and wait for the removal do emails flow properly again.

I also cleaned out a couple PCs, one with a fully updated Symantec AV and the other running Microsoft Security Essentials. Both still got infected with a fake "Anti-Spyware" agent that I had to remove manually in the registry and hard drive. It is possible these relate to the STORM virus since the article I read mentioned something about "asam", which I deleted out of their registries to remove the trojan. I also have a Barracuda spam/virus filter that is not catching this Storm Worm.

I went through our ASA's firewall logs and did a packet capture to/from our email server's IP along with our IPSEC tunnels and was unable to track any other possible infected hosts in our multiple LANs across our L2L VPNs.

I have read that Snort now has more complex http/email inspection for the IDS signatures. Does anyone have any experience running Snort or other IDS/IPS like Cisco or Juniper products?

When I contacted SPAMHAUS about the reason for the blacklist, this was the link they provided me below.

https://www.honeynet.org/node/539
6/1/10 10:11 AM
big_slacker

Member Since: 1/1/01
Posts: 14580
I don't know that you need to buy an IPS simply to block one particular worm. Your ASA is capable of http or smtp inspection and can drop specific traffic based on a string.

Looking at the link you gave, if it's true that the command and control connection is via http and always uses the user-agent listed (with the "windoss" typo) then you can block with:

regex STORM "Windoss"
!
class-map type inspect http STORM
 match request header user-agent regex STORM
!
policy-map type inspect http DROP_STORM
 class STORM
  reset log
!
policy-map global_policy
 class inspection_default
  inspect http DROP_STORM
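The same check the ASA policy above performs (match the User-Agent header against the "Windoss" regex, then act per source host) written out as a small offline triage script, as an added example that is not part of big_slacker's post or the thread. The raw HTTP requests are constructed here; only the "Windoss" misspelling comes from the thread, the rest of the agent strings and the internal IPs are made up. This is useful for running over a packet capture or proxy log before committing to a reset-on-match policy, since it shows which hosts would be hit.

```python
import re
from collections import defaultdict

# Constructed sample: raw HTTP requests as captured on a SPAN port or taken from
# a proxy log, paired with the internal source IP the capture tool recorded.
# Only the "Windoss" typo is from the thread; everything else is made up.
# The third request spells the header name in lowercase on purpose: header
# names are case-insensitive, so a parser must not rely on "User-Agent".
SAMPLE_REQUESTS = [
    ("10.1.4.23", "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                  "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windoss NT 5.1)\r\n\r\n"),
    ("10.1.4.57", "GET /news HTTP/1.1\r\nHost: news.example.org\r\n"
                  "User-Agent: Mozilla/5.0 (Windows NT 6.1) Firefox/3.6\r\n\r\n"),
    ("10.1.4.23", "POST /up HTTP/1.1\r\nHost: 198.51.100.7\r\n"
                  "user-agent: Mozilla/4.0 (compatible; Windoss)\r\n\r\n"),
    ("10.1.9.2",  "GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),  # no User-Agent at all
]

# Same pattern as the ASA line `regex STORM "Windoss"`.
STORM_UA = re.compile(r"Windoss")


def parse_headers(raw):
    """Split a raw HTTP request into (request line, {lowercased header name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def ua_matches(raw, pattern=STORM_UA):
    """True when the request carries a User-Agent header that matches `pattern`.

    A request with no User-Agent at all is not a match, which mirrors what a
    header-based inspection rule would do: nothing to match, nothing to reset.
    """
    _, headers = parse_headers(raw)
    ua = headers.get("user-agent")
    return ua is not None and pattern.search(ua) is not None


def suspect_hosts(requests, pattern=STORM_UA):
    """Map each internal source IP to the request lines that matched the pattern.

    This is the list you would want before enabling `reset log`: every host in
    it is either infected or a false positive you need to understand first.
    """
    hits = defaultdict(list)
    for src, raw in requests:
        if ua_matches(raw, pattern):
            hits[src].append(parse_headers(raw)[0])
    return dict(hits)


if __name__ == "__main__":
    for host, reqs in sorted(suspect_hosts(SAMPLE_REQUESTS).items()):
        print(f"{host}: {len(reqs)} request(s) with STORM user-agent -> {reqs}")
```

Run against the constructed sample it reports only 10.1.4.23, with both of that host's requests, and ignores the legitimate "Windows" agent and the request with no agent header at all.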
6/1/10 10:17 AM
big_slacker

Member Since: 1/1/01
Posts: 14581
Now, you can (and should) still have an IPS. I've only used Snort a little and Cisco's clunky IPS quite a bit. You can get an IPS module for your ASA or a standalone appliance with more ports that can watch different areas with different policy. The ASA module is cheaper and easier to set up, the appliance more difficult but more flexible. Both use the same engine/signatures.

Cisco's IPS has a sig for the storm worm but I don't know about this variant. If not you could write a simple sig like the above to block it.

I've used Juniper's IDP and it has similar functionality to the Cisco one, meaning it's a network-based IPS.

Since the end effect of the thing is spam, you might consider an e-mail filtering appliance. This is another "nice to have" or "critical to have" depending on the business. Ironport is good, Ironmail is good, SpamAssassin is open source and works if you're a Linux guy. :D
6/1/10 2:43 PM
Road Warrior Fin

Member Since: 1/1/01
Posts: 26637
You may also wanna throw airopeek on a spanned port and monitor the traffic on the LAN>ISP. Usually boxes throwing out spam are chatty as fuck.
6/1/10 5:09 PM
tycoon

Member Since: 1/1/01
Posts: 7641
Thanks for the input, I will try that config in the ASA and see if it works. The strange thing is when I was sniffing the traffic to our Exchange 2007 server, I noticed port 1224 [VPNZ], which looked odd to me. Since typically you only need certain ports open for email like 25 and 110, I blocked 1224. When I tested it, the Outlook 2007 client couldn't connect to the Exchange server anymore, so I had to take out the ACL for blocking port 1224.

I have used SpamAssassin before, but got the Barracuda to replace it since it worked better when I was evaluating their product:

http://www.barracudanetworks.com/ns/products/spam_overview.php

BTW- How much does the IPS module for the ASA run for? If I got one, I would be putting it into an ASA5520 or maybe even an ASA5505. Is it AIM or NME?
6/1/10 8:05 PM
big_slacker

Edited: 06/01/10 8:05 PM
Member Since: 1/1/01
Posts: 14582
AIP SSM-10, 20 and 40. Same engine, throughput varies by model and the firewall model it's installed in. I think list on the SSM-10 is 6k, 10k for the 20, but you can obviously get them much cheaper. SSM-10 is like 3200 on Amazon.

There is also a module for 5505's called the SSC. I've never used it so can't speak for its effectiveness or throughput.

I ran the SSM-20 in a 5520, full default sigs enabled on a 100mb internet pipe with no issues though.
6/2/10 9:39 AM
gsx_r

Member Since: 9/17/09
Posts: 427
A) Update your Barracuda box and make sure it's doing outgoing scanning.

B) Snort can detect the worm. See http://www.securiteam.com/securitynews/5DP0B0K4KG.html for rules. Snort is easy and free to set up, just span a port from your core switch to the machine.


<rant>
IDS/IPS are COMPLETELY FUCKING USELESS. Unless you take a HUGE HUGE amount of time to really tailor them to your env. More time than 99% of companies are willing to put into it.

Even if you do spend the time the IPS/IDS aren't going to solve your local pc security issues.

Where IDS are useful is having them around as a general "hey machine X might have Y worm" type detector. Just don't rely on it for anything.
</rant>
6/2/10 11:29 AM
big_slacker

Member Since: 1/1/01
Posts: 14583
I don't think IDSs need to take a huge amount of time to tune. I think the problem is expertise. Most network admins are "all in one" types and not solely network security types.

I've done several IPS/MARS installs and tunes for medium (2k-8k nodes) companies. There is a general install/coarse tuning that takes a day or maybe 2. Fine tuning and proper alerting takes the rest of the week, but it's not an 8 hour a day type thing. If you don't have the time/expertise, just hire a consultant to do it. 20 hours or less should do it, should be $2-4k.

After that, yeah someone needs to get the alerts and check up on them. And yes you need to upgrade and tune new sigs. But that is maybe one day out of the month.

For new worms it's critical that you have some kind of anomaly detection (1 host scans 100, 10 hosts scan 5 or more, etc...) turned on.

There is a great article out there about baselining and tuning Snort which is almost a must read.

And as mentioned an IDS/IPS isn't the solution to infected PCs. That is your local domain policy, AV, etc..
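The two anomaly ideas raised in this thread, big_slacker's scan thresholds ("1 host scans 100, 10 hosts scan 5 or more") and Road Warrior Fin's point that a spamming box is chatty on the wire, reduced to fan-out counting over flow records, as an added example that is not part of either post. The flow records are constructed; the thresholds are the ones big_slacker quotes; the assumption that only the mail server (10.1.1.10 here, made up) should be opening outbound port 25 connections is mine and matches the thread's setup where one Exchange server relays all mail.

```python
from collections import defaultdict

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, dst_port), the
# sort of thing you get from a SPAN-port capture or a firewall connection log.
# All addresses and timings here are made up for the example.
FLOWS = [
    # the real mail server doing its job
    (0, "10.1.1.10", "64.12.0.5", 25), (1, "10.1.1.10", "65.55.0.9", 25),
    # a workstation that should never talk SMTP, hitting many mail hosts directly
    *[(t, "10.1.4.23", f"203.0.113.{t}", 25) for t in range(1, 41)],
    # a workstation sweeping the LAN on 445 (the "1 host scans 100" case)
    *[(t, "10.1.4.57", f"10.1.4.{t}", 445) for t in range(1, 120)],
    # ten hosts each touching a few peers on 135 (the "10 hosts scan 5 or more" case)
    *[(t, f"10.1.9.{h}", f"10.1.9.{t + 50}", 135) for h in range(1, 11) for t in range(1, 7)],
    # ordinary browsing, should trigger nothing
    (5, "10.1.4.80", "93.184.216.34", 80), (6, "10.1.4.80", "93.184.216.34", 443),
]


def fan_out(flows, window=300):
    """Count distinct destinations per (src, dport) within `window` seconds of
    that pair's first flow. One fixed window per pair keeps the example short;
    a real detector would slide it."""
    first_seen = {}
    dests = defaultdict(set)
    for ts, src, dst, dport in sorted(flows):
        key = (src, dport)
        first_seen.setdefault(key, ts)
        if ts - first_seen[key] <= window:
            dests[key].add(dst)
    return {key: len(targets) for key, targets in dests.items()}


def single_host_scans(counts, threshold=100):
    """One source reaching `threshold` or more distinct hosts on one port."""
    return sorted((src, dport, n) for (src, dport), n in counts.items() if n >= threshold)


def distributed_scans(counts, per_host=5, min_hosts=10):
    """At least `min_hosts` sources each reaching `per_host` or more hosts on
    the same port: a low-and-slow pattern a per-host threshold alone misses."""
    by_port = defaultdict(set)
    for (src, dport), n in counts.items():
        if n >= per_host:
            by_port[dport].add(src)
    return {port: sorted(hosts) for port, hosts in by_port.items() if len(hosts) >= min_hosts}


def rogue_smtp_senders(counts, mail_servers, min_dests=10):
    """Hosts other than the known mail servers opening outbound SMTP to many
    destinations: the chatty spam box from a flow-record point of view.
    Assumes (as in this thread) that one relay sends all legitimate mail."""
    return sorted(src for (src, dport), n in counts.items()
                  if dport == 25 and src not in mail_servers and n >= min_dests)


if __name__ == "__main__":
    counts = fan_out(FLOWS)
    print("single-host scans:", single_host_scans(counts))
    print("distributed scans:", distributed_scans(counts))
    print("rogue SMTP senders:", rogue_smtp_senders(counts, {"10.1.1.10"}))
```

On the constructed data the three detectors fire on exactly the three planted patterns: 10.1.4.57 on port 445, the ten 10.1.9.x hosts on port 135, and 10.1.4.23 as an SMTP sender that is not the mail server. The thresholds are starting points; tuning them to your own baseline is the "coarse tuning" big_slacker describes.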
