In the last post, we talked about how to create some custom Application Control signatures with Fortinet Fortigate firewalls in order to detect a specific behavior to look for possible infected hosts inside our networks.

In this post, I will show you how to detect some tools which could be used to attack our infrastructure by creating custom IPS signatures. We will give three examples and then, you will be capable of creating your own signatures to detect similar tools.

Sqlmap

Sqlmap is "an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database server". Of course, the best way to avoid attackers from getting access to our databases is to develop securely, checking our security by performing regular pentesting projects and using a Web Application Firewall... But we always want to know when we are under attack and to be protected just in case we did a mistake in our security planning.

We are going to create a custom IPS signature to detect Sqlmap by looking at the User-Agent string. Some of these tools have the option of changing the User-Agent in order to try to keep a little bit more unnoticed.  Even knowing that Sqlmap has this option, it worths some of our time to detect attackers that don´t change the default User-Agent of their tools. There are a lot of them out there...

This is the default Sqlmap User-Agent (it depends on the installed version).

  • User-Agent: sqlmap/1.0-dev-nongit-20141210 (http://sqlmap.org)


We just need to add a pattern like that to detect the User-Agent used by Sqlmap.

  • --pattern \"User-Agent|3a 20|sqlmap\"

With this pattern we will match "User-Agent: sqlmapXXXXXXXXXXXXXXX"

Noticed that the characters bellow must be written as:

  • " ->|22|
  • ; -> |3B| or |3b|
  • \ -> |5C| or |5c|
  • | -> |7C| or |7c|
  • : -> |3A| or |3a|
  • space -> |20|

So ":" corresponds to |3a| and " " (space) corresponds to |20| so it should be |3a 20|


You can create the custom signature via CLI with the commands bellow.

config ips custom
    edit "Sqlmap.Web.Vulnerability.Scanner"
        set signature "F-SBID( --name \"Sqlmap.Web.Vulnerability.Scanner\"; --protocol tcp; --service HTTP;  --parsed_type HTTP_GET; --flow from_client; --pattern \"User-Agent|3a 20|sqlmap\"; --context header; )"
        set comment ''
    next
end

Nikto

Nikto "is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software."

Nikto has an User-Agent like that (it depends on the version):

  • User-Agent: Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:Port Check)

As we did in our last post, we will use regular expression in order to try to detect all possible Nikto User-Agents used by diferent versions.

  • --pcre /User-Agent: Mozilla.[0-9]{1}.[0-9]{2}..Nikto/

The final rule is:

config ips custom
    edit "Nikto.Web.Vulnerability.Scanner"
        set signature "F-SBID( --name \"Nikto.Web.Vulnerability.Scanner\"; --protocol tcp; --service HTTP; --parsed_type HTTP_GET; --flow from_client; --pcre /User-Agent: Mozilla.[0-9]{1}.[0-9]{2}..Nikto/; --context header; )"
        set comment ''
    next
end

Skipfish

Skipfish "is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks."

As the previous ones, depending on the installed version, Skipfish has a different User-Agent. Here some examples.

  • User-Agent: "Mozilla/5.0 SF/1.01b"
  • User-Agent: "Mozilla/5.0 SF/2.10b"

By using pcre we will try to detect again all possible versions:

  • --pcre /User-Agent: Mozilla.[0-9]{1}.[0-9]{1}.SF.[0-9]{1}.[0-9]{2}[A-Za-z_]/

config ips custom
    edit "Skipfish.Web.Vulnerability.Scanner"
        set signature "F-SBID( --name \"Skipfish.Web.Vulnerability.Scanner\"; --protocol tcp; --service HTTP; --parsed_type HTTP_GET; --flow from_client; --pcre /User-Agent: Mozilla.[0-9]{1}.[0-9]{1}.SF.[0-9]{1}.[0-9]{2}[A-Za-z_]/; --context header; )"
        set comment ''
    next
end

Testing

We just need to add our custom IPS signatures to our IPS profile and set them to "Block". Then we will see how our IPS is dropping the sessions generated by those tools when they are used against our web servers.