To act on the alerts raised by MISP on our pfSense, we will install the Snort service, which will let us block them.
In the web interface of your pfSense, go to "System" > "Package Manager".

In the "Available Packages" section (1), search for "snort" (2,3).
Click "Install" (4)

Confirm

Once the installation is complete, you should see a green confirmation message appear.

We will now install Snort on the WAN interface; to do so, go to "Services" > "Snort"

Add an interface

Enable it and select WAN

Then save

We want Snort to accept and apply a rules file that we add ourselves. This file is the one our script will write through the MISP API.
To do this, directly on the pfSense machine, we need to modify the package's configuration.

At the end of the file, add include $RULE_PATH/apt41.rules.
This means Snort will load the "apt41.rules" file. Note that this file must therefore always be present: for interfaces that do not need it, an empty file with the same name must be put in place. The configuration could not be done directly on the WAN interface because the configuration file was overwritten on every restart.

When you start the interface, you can then go and look at its corresponding configuration file:

At the end, you will see our new file appear.

To check that our file works properly, we will start by filling it with a single rule.
We put an alert on the SSH port.
For our MISP rules we will use reject instead, in order to block and log the unwanted packets.

We can now start our interface.

If you connect over SSH, you will then see your alert appear in the logs.

To export from MISP to Snort, we use the event/restSearch endpoint of the MISP API.
We call it with a POST request sent by curl from a shell script.
For the documentation of this script, see the documentation section.
Through its POST request, the script retrieves the contents of the APT41 feeds as Snort rules and writes them directly into an apt41.rules file in Snort's WAN interface.
We can test that the script works properly.
We run the script to see whether our file containing the Snort rules is created.

We can now go and check that our file has been filled correctly.
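As an added illustration of the export step (this is example code, not the tutorial's own script), the shell script below POSTs to event/restSearch, rewrites the exported alert rules to reject as the tutorial requires, and only replaces apt41.rules when the export actually contains rules. MISP_URL, MISP_KEY, the APT41 tag name and the Snort rules directory are assumptions to adapt.

```shell
#!/bin/sh
# Added example export script (not the tutorial's own). Placeholders to
# adapt: MISP_URL, MISP_KEY, tag name, hypothetical Snort rules directory.
MISP_URL="${MISP_URL:-https://192.168.2.3}"
MISP_KEY="${MISP_KEY:-REPLACE_WITH_MISP_AUTHKEY}"
RULES_DIR="${RULES_DIR:-/usr/local/etc/snort/snort_WANID_em0/rules}"
RULES_FILE="$RULES_DIR/apt41.rules"

# JSON body for POST /events/restSearch: a Snort export of everything
# carrying the given tag.
build_query() {
    printf '{"returnFormat":"snort","tags":["%s"]}' "$1"
}

# MISP emits "alert" rules; rewrite them to "reject" so Snort, running
# inline, drops and logs the matching packets. Comment lines are untouched.
alerts_to_reject() {
    sed 's/^alert /reject /'
}

# Number of rule lines in a file (0 for a missing or empty file), used as
# the guard before replacing the file Snort includes via $RULE_PATH.
count_rules() {
    n=$(grep -cE '^(reject|alert) ' "$1" 2>/dev/null || true)
    printf '%s\n' "${n:-0}"
}

# Fetch, convert and atomically install the rules; keep the previous file
# when the export is empty (API error, expired key, no matching events).
fetch_rules() {
    tmp=$(mktemp) || return 1
    # --cacert with the MISP CA is preferable to -k outside a lab.
    curl -sS -k -X POST "$MISP_URL/events/restSearch" \
        -H "Authorization: $MISP_KEY" \
        -H "Accept: application/json" \
        -H "Content-Type: application/json" \
        -d "$(build_query "$1")" | alerts_to_reject > "$tmp"
    if [ "$(count_rules "$tmp")" -eq 0 ]; then
        echo "no rules exported, keeping $RULES_FILE" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$RULES_FILE"
}

# Run only when invoked for real (MISP_RUN=1); restart the Snort
# interface afterwards so the new apt41.rules is loaded.
if [ -n "${MISP_RUN:-}" ]; then
    fetch_rules "${1:-APT41}"
fi
```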

We can see that the exported Snort rule file is as follows:
# MISP export of IDS rules - optimized for
#
# These NIDS rules contain some variables that need to exist in your configuration.
# Make sure you have set:
#
# $HOME_NET - Your internal network range
# $EXTERNAL_NET - The network considered as outside
# $SMTP_SERVERS - All your internal SMTP servers
# $HTTP_PORTS - The ports used to contain HTTP traffic (not required with suricata export)
#
reject tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e2 [APT41] Source Email Address: znetdevil@msn.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"znetdevil@msn.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4000011; rev:1; priority:4; reference:url,https://192.168.2.3/events/view/2;)
reject tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e2 [APT41] Source Email Address: zeplinlegal@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"zeplinlegal@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4000021; rev:1; priority:4; reference:url,https://192.168.2.3/events/view/2;)
reject tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e2 [APT41] Source Email Address: zeplincopyright@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"zeplincopyright@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4000031; rev:1; priority:4; reference:url,https://192.168.2.3/events/view/2;)
reject tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e2 [APT41] Source Email Address: zeplin.law@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"zeplin.law@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4000041; rev:1; priority:4; reference:url,https://192.168.2.3/events/view/2;)
reject tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e2 [APT41] Source Email Address: ysummer56@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"ysummer56@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4000051; rev:1; priority:4; reference:url,https://192.168.2.3/events/view/2;)
reject tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e2 [APT41] Source Email Address: wrennieeller564c@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"wrennieeller564c@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4000061; rev:1; priority:4; reference:url,https://192.168.2.3/events/view/2;)
reject tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e2 [APT41] Source Email Address: wljsdd@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"wljsdd@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4000071; rev:1; priority:4; reference:url,https://192.168.2.3/events/view/2;)
reject tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e2 [APT41] Source Email Address: willardstone92@gmail.com"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"willardstone92@gmail.com"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4000081; rev:1; priority:4; reference:url,https://192.168.2.3/events/view/2;)
...
reject udp any any -> any 53 (msg: "MISP e5 [APT41] Hostname: zxerbqr.zyns.com"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; content:"|01||07|zxerbqr|04|zyns|03|com|00|"; fast_pattern; nocase; classtype:trojan-activity; sid:4007131; rev:1; priority:4; reference:url,https://192.168.2.3/events/view/5;)
reject tcp any any -> any 53 (msg: "MISP e5 [APT41] Hostname: zxerbqr.zyns.com"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; content:"|01||07|zxerbqr|04|zyns|03|com|00|"; fast_pattern; nocase; flow:established; classtype:trojan-activity; sid:4007132; rev:1; priority:4; reference:url,https://192.168.2.3/events/view/5;)
reject tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e5 [APT41] Outgoing HTTP Hostname: zxerbqr.zyns.com"; flow:to_server,established; content: "Host|3a| zxerbqr.zyns.com"; nocase; http_header; pcre: "/(^|[^A-Za-z0-9-\.])zxerbqr\.zyns\.com[^A-Za-z0-9-\.]/H"; tag:session,600,seconds; classtype:trojan-activity; sid:4007133; rev:1; priority:4; reference:url,https://192.168.2.3/events/view/5;)
reject udp any any -> any 53 (msg: "MISP e5 [APT41] Hostname: excharge.sexxxy.biz"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; content:"|01||08|excharge|06|sexxxy|03|biz|00|"; fast_pattern; nocase; classtype:trojan-activity; sid:4007141; rev:1; priority:4; reference:url,https://192.168.2.3/events/view/5;)
reject tcp any any -> any 53 (msg: "MISP e5 [APT41] Hostname: excharge.sexxxy.biz"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; content:"|01||08|excharge|06|sexxxy|03|biz|00|"; fast_pattern; nocase; flow:established; classtype:trojan-activity; sid:4007142; rev:1; priority:4; reference:url,https://192.168.2.3/events/view/5;)
reject tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e5 [APT41] Outgoing HTTP Hostname: excharge.sexxxy.biz"; flow:to_server,established; content: "Host|3a| excharge.sexxxy.biz"; nocase; http_header; pcre: "/(^|[^A-Za-z0-9-\.])excharge\.sexxxy\.biz[^A-Za-z0-9-\.]/H"; tag:session,600,seconds; classtype:trojan-activity; sid:4007143; rev:1; priority:4; reference:url,https://192.168.2.3/events/view/5;)
reject udp any any -> any 53 (msg: "MISP e5 [APT41] Hostname: faceb00k.ns01.info"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; content:"|01||08|faceb00k|04|ns01|04|info|00|"; fast_pattern; nocase; classtype:trojan-activity; sid:4007151; rev:1; priority:4; reference:url,https://192.168.2.3/events/view/5;)
reject tcp any any -> any 53 (msg: "MISP e5 [APT41] Hostname: faceb00k.ns01.info"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; content:"|01||08|faceb00k|04|ns01|04|info|00|"; fast_pattern; nocase; flow:established; classtype:trojan-activity; sid:4007152; rev:1; priority:4; reference:url,https://192.168.2.3/events/view/5;)
reject tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e5 [APT41] Outgoing HTTP Hostname: faceb00k.ns01.info"; flow:to_server,established; content: "Host|3a| faceb00k.ns01.info"; nocase; http_header; pcre: "/(^|[^A-Za-z0-9-\.])faceb00k\.ns01\.info[^A-Za-z0-9-\.]/H"; tag:session,600,seconds; classtype:trojan-activity; sid:4007153; rev:1; priority:4; reference:url,https://192.168.2.3/events/view/5;)
reject udp any any -> any 53 (msg: "MISP e5 [APT41] Hostname: firejun.myddns.com"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; content:"|01||07|firejun|06|myddns|03|com|00|"; fast_pattern; nocase; classtype:trojan-activity; sid:4007161; rev:1; priority:4; reference:url,https://192.168.2.3/events/view/5;)
reject tcp any any -> any 53 (msg: "MISP e5 [APT41] Hostname: firejun.myddns.com"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; content:"|01||07|firejun|06|myddns|03|com|00|"; fast_pattern; nocase; flow:established; classtype:trojan-activity; sid:4007162; rev:1; priority:4; reference:url,https://192.168.2.3/events/view/5;)
reject tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e5 [APT41] Outgoing HTTP Hostname: firejun.myddns.com"; flow:to_server,established; content: "Host|3a| firejun.myddns.com"; nocase; http_header; pcre: "/(^|[^A-Za-z0-9-\.])firejun\.myddns\.com[^A-Za-z0-9-\.]/H"; tag:session,600,seconds; classtype:trojan-activity; sid:4007163; rev:1; priority:4; reference:url,https://192.168.2.3/events/view/5;)
reject udp any any -> any 53 (msg: "MISP e5 [APT41] Hostname: pd1.dynamic-dns.net"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; content:"|01||03|pd1|0b|dynamic-dns|03|net|00|"; fast_pattern; nocase; classtype:trojan-activity; sid:4007171; rev:1; priority:4; reference:url,https://192.168.2.3/events/view/5;)
reject tcp any any -> any 53 (msg: "MISP e5 [APT41] Hostname: pd1.dynamic-dns.net"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; content:"|01||03|pd1|0b|dynamic-dns|03|net|00|"; fast_pattern; nocase; flow:established; classtype:trojan-activity; sid:4007172; rev:1; priority:4; reference:url,https://192.168.2.3/events/view/5;)
reject tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e5 [APT41] Outgoing HTTP Hostname: pd1.dynamic-dns.net"; flow:to_server,established; content: "Host|3a| pd1.dynamic-dns.net"; nocase; http_header; pcre: "/(^|[^A-Za-z0-9-\.])pd1\.dynamic\-dns\.net[^A-Za-z0-9-\.]/H"; tag:session,600,seconds; classtype:trojan-activity; sid:4007173; rev:1; priority:4; reference:url,https://192.168.2.3/events/view/5;)
reject udp any any -> any 53 (msg: "MISP e5 [APT41] Hostname: pdbana.dynamic-dns.net"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; content:"|01||06|pdbana|0b|dynamic-dns|03|net|00|"; fast_pattern; nocase; classtype:trojan-activity; sid:4007181; rev:1; priority:4; reference:url,https://192.168.2.3/events/view/5;)
reject tcp any any -> any 53 (msg: "MISP e5 [APT41] Hostname: pdbana.dynamic-dns.net"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; content:"|01||06|pdbana|0b|dynamic-dns|03|net|00|"; fast_pattern; nocase; flow:established; classtype:trojan-activity; sid:4007182; rev:1; priority:4; reference:url,https://192.168.2.3/events/view/5;)
reject tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "MISP e5 [APT41] Outgoing HTTP Hostname: pdbana.dynamic-dns.net"; flow:to_server,established; content: "Host|3a| pdbana.dynamic-dns.net"; nocase; http_header; pcre: "/(^|[^A-Za-z0-9-\.])pdbana\.dynamic\-dns\.net[^A-Za-z0-9-\.]/H"; tag:session,600,seconds; classtype:trojan-activity; sid:4007183; rev:1; priority:4; reference:url,https://192.168.2.3/events/view/5;)
reject tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "MISP e5 [APT41] Source Email Address: hee_chow_ming@yahoo.com.hk"; flow:established,to_server; content:"MAIL FROM|3a|"; nocase; content:"hee_chow_ming@yahoo.com.hk"; fast_pattern; nocase; content:"|0D 0A 0D 0A|"; within:8192; tag:session,600,seconds; classtype:trojan-activity; sid:4007191; rev:1; priority:4; reference:url,https://192.168.2.3/events/view/5;)