topic Block keywords via Snort Rules in Chinese 中文 https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Block-keywords-via-Snort-Rules/m-p/54300#M504 <P><FONT face="arial,helvetica,sans-serif" size="5">Dear 各位先進,</FONT></P><P><FONT face="arial,helvetica,sans-serif" size="5">&nbsp; &nbsp; 近期某家金融客戶,由 third-party 資安設備偵測到某台 Web server 一直遭到 Hydra Webshell 攻擊, 如下面 report</FONT></P><P><FONT face="arial,helvetica,sans-serif" size="5"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Hydra_report.jpg" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/1316i067036FDA5F8B47C/image-size/large?v=v2&amp;px=999" role="button" title="Hydra_report.jpg" alt="Hydra_report.jpg" /></span></FONT></P><P><FONT face="arial,helvetica,sans-serif" size="5">&nbsp; &nbsp; 這問題我們有開 Ticket , IPS database 更新到最新版本, 也 import 最新的 Snort rules, 並把所有有關 Hydra Signature 都設為 Prevent, 但還是偵測不到這個攻擊</FONT><BR /><BR /><FONT face="arial,helvetica,sans-serif" size="5">&nbsp; &nbsp; 最後我們是用 Snort rules 來阻擋含有 <FONT color="#FF0000">"public/hydra.php?xcmd=cmd.exe"</FONT> 這個關鍵字的流量, 步驟如下:</FONT><BR /><BR /><FONT face="arial,helvetica,sans-serif" size="5">1. 準備 Snort rules </FONT><BR /><BR /><FONT face="arial,helvetica,sans-serif" size="5">Snort rules 檔案請參考附件</FONT><BR /><FONT face="arial,helvetica,sans-serif" size="5">或是將以下語法存成 file-name.rules</FONT><BR /><BR /><FONT face="arial,helvetica,sans-serif" size="5" color="#FF0000">alert tcp any any -&gt; any any (content: "public/hydra.php?xcmd=cmd.exe"; msg: "HYDRA Attack-jacky_test";)</FONT></P><P><FONT size="5">至於語法的說明, 在 Google 大神上都可以查的到,這邊就不加說明</FONT></P><P><BR /><FONT face="arial,helvetica,sans-serif" size="5">2. 將 Snort rule 檔案滙入 Check Point</FONT></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ScreenShot01090.jpg" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/1317i4231A38BD3918501/image-size/large?v=v2&amp;px=999" role="button" title="ScreenShot01090.jpg" alt="ScreenShot01090.jpg" /></span><BR /><BR /><FONT face="arial,helvetica,sans-serif" size="5">詳細的滙入說明可參考松倫大大分享的文章</FONT><BR /><A title="New Exploits for Unsecure SAP Systems, How to import Snort rule" href="https://community.checkpoint.com/t5/Taiwan%E8%AB%96%E5%A3%87/New-Exploits-for-Unsecure-SAP-Systems-How-to-import-Snort-rule/m-p/53095#M498%2Fjump-to%2Ffirst-unread-message" target="_self">https://community.checkpoint.com/t5/Taiwan%E8%AB%96%E5%A3%87/New-Exploits-for-Unsecure-SAP-Systems-How-to-import-Snort-rule/m-p/53095#M498%2Fjump-to%2Ffirst-unread-message</A></P><P><FONT face="arial,helvetica,sans-serif" size="5">若是 R77.30 的版本, 可參考</FONT><BR /><A href="https://sc1.checkpoint.com/documents/R77/CP_R77_IPS_WebAdminGuide/12857.htm" target="_self">https://sc1.checkpoint.com/documents/R77/CP_R77_IPS_WebAdminGuide/12857.htm</A><BR /><BR /><FONT face="arial,helvetica,sans-serif" size="5">3. 滙入完成後, 將滙入的 Snort rules Action 設為Prevent, 並且勾選Capture Packets</FONT></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ScreenShot01091.jpg" style="width: 763px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/1318i621393EA2C44FCF2/image-size/large?v=v2&amp;px=999" role="button" title="ScreenShot01091.jpg" alt="ScreenShot01091.jpg" /></span><BR /><BR /><FONT face="arial,helvetica,sans-serif" size="5">4. Install Threat Prevention policy, 然後產生一些 <FONT color="#FF0000">http://IP/public/hydra.php?xcmd=cmd.exe%20/c%20</FONT> 測試流量</FONT></P><P><FONT face="arial,helvetica,sans-serif" size="5">例如用 pchome 來做測試, 會看到連線被 reset 掉</FONT></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ScreenShot01098.jpg" style="width: 938px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/1319i02D66C57CAA8CAE0/image-size/large?v=v2&amp;px=999" role="button" title="ScreenShot01098.jpg" alt="ScreenShot01098.jpg" /></span></P><P><BR /><FONT face="arial,helvetica,sans-serif" size="5">5. 查看 IPS log 是否有相關 log</FONT><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ScreenShot01093.jpg" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/1320i1D57668E933E116C/image-size/large?v=v2&amp;px=999" role="button" title="ScreenShot01093.jpg" alt="ScreenShot01093.jpg" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ScreenShot01094.jpg" style="width: 801px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/1321iEFAADD2503C19FCD/image-size/large?v=v2&amp;px=999" role="button" title="ScreenShot01094.jpg" alt="ScreenShot01094.jpg" /></span></P><P>&nbsp;</P><P><FONT face="arial,helvetica,sans-serif" size="5">點選 Packet Captures 可看到阻擋的封包內容</FONT></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ScreenShot01097.jpg" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/1322iB17AA64A429379AE/image-size/large?v=v2&amp;px=999" role="button" title="ScreenShot01097.jpg" alt="ScreenShot01097.jpg" /></span><BR /><BR /></P><P><FONT face="arial,helvetica,sans-serif" size="5">所以透過 Snort Rules, 只要簡單修改一些內容, 就可以達到阻檔 keyword 的目的, 很簡單</FONT><BR /><BR /><FONT face="arial,helvetica,sans-serif" size="5">PS. 若是 HTTPS 的流量, 當然是要開 HTTPS Inspection 才看的到囉</FONT></P><P>&nbsp;</P><P><FONT face="arial,helvetica,sans-serif" size="5">Regards,</FONT></P><P><FONT face="arial,helvetica,sans-serif" size="5">Jacky</FONT></P> Fri, 24 May 2019 06:23:43 GMT Jacky_Chen 2019-05-24T06:23:43Z Block keywords via Snort Rules https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Block-keywords-via-Snort-Rules/m-p/54300#M504 <P><FONT face="arial,helvetica,sans-serif" size="5">Dear 各位先進,</FONT></P><P><FONT face="arial,helvetica,sans-serif" size="5">&nbsp; &nbsp; 近期某家金融客戶,由 third-party 資安設備偵測到某台 Web server 一直遭到 Hydra Webshell 攻擊, 如下面 report</FONT></P><P><FONT face="arial,helvetica,sans-serif" size="5"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Hydra_report.jpg" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/1316i067036FDA5F8B47C/image-size/large?v=v2&amp;px=999" role="button" title="Hydra_report.jpg" alt="Hydra_report.jpg" /></span></FONT></P><P><FONT face="arial,helvetica,sans-serif" size="5">&nbsp; &nbsp; 這問題我們有開 Ticket , IPS database 更新到最新版本, 也 import 最新的 Snort rules, 並把所有有關 Hydra Signature 都設為 Prevent, 但還是偵測不到這個攻擊</FONT><BR /><BR /><FONT face="arial,helvetica,sans-serif" size="5">&nbsp; &nbsp; 最後我們是用 Snort rules 來阻擋含有 <FONT color="#FF0000">"public/hydra.php?xcmd=cmd.exe"</FONT> 這個關鍵字的流量, 步驟如下:</FONT><BR /><BR /><FONT face="arial,helvetica,sans-serif" size="5">1. 準備 Snort rules </FONT><BR /><BR /><FONT face="arial,helvetica,sans-serif" size="5">Snort rules 檔案請參考附件</FONT><BR /><FONT face="arial,helvetica,sans-serif" size="5">或是將以下語法存成 file-name.rules</FONT><BR /><BR /><FONT face="arial,helvetica,sans-serif" size="5" color="#FF0000">alert tcp any any -&gt; any any (content: "public/hydra.php?xcmd=cmd.exe"; msg: "HYDRA Attack-jacky_test";)</FONT></P><P><FONT size="5">至於語法的說明, 在 Google 大神上都可以查的到,這邊就不加說明</FONT></P><P><BR /><FONT face="arial,helvetica,sans-serif" size="5">2. 將 Snort rule 檔案滙入 Check Point</FONT></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ScreenShot01090.jpg" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/1317i4231A38BD3918501/image-size/large?v=v2&amp;px=999" role="button" title="ScreenShot01090.jpg" alt="ScreenShot01090.jpg" /></span><BR /><BR /><FONT face="arial,helvetica,sans-serif" size="5">詳細的滙入說明可參考松倫大大分享的文章</FONT><BR /><A title="New Exploits for Unsecure SAP Systems, How to import Snort rule" href="https://community.checkpoint.com/t5/Taiwan%E8%AB%96%E5%A3%87/New-Exploits-for-Unsecure-SAP-Systems-How-to-import-Snort-rule/m-p/53095#M498%2Fjump-to%2Ffirst-unread-message" target="_self">https://community.checkpoint.com/t5/Taiwan%E8%AB%96%E5%A3%87/New-Exploits-for-Unsecure-SAP-Systems-How-to-import-Snort-rule/m-p/53095#M498%2Fjump-to%2Ffirst-unread-message</A></P><P><FONT face="arial,helvetica,sans-serif" size="5">若是 R77.30 的版本, 可參考</FONT><BR /><A href="https://sc1.checkpoint.com/documents/R77/CP_R77_IPS_WebAdminGuide/12857.htm" target="_self">https://sc1.checkpoint.com/documents/R77/CP_R77_IPS_WebAdminGuide/12857.htm</A><BR /><BR /><FONT face="arial,helvetica,sans-serif" size="5">3. 滙入完成後, 將滙入的 Snort rules Action 設為Prevent, 並且勾選Capture Packets</FONT></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ScreenShot01091.jpg" style="width: 763px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/1318i621393EA2C44FCF2/image-size/large?v=v2&amp;px=999" role="button" title="ScreenShot01091.jpg" alt="ScreenShot01091.jpg" /></span><BR /><BR /><FONT face="arial,helvetica,sans-serif" size="5">4. Install Threat Prevention policy, 然後產生一些 <FONT color="#FF0000">http://IP/public/hydra.php?xcmd=cmd.exe%20/c%20</FONT> 測試流量</FONT></P><P><FONT face="arial,helvetica,sans-serif" size="5">例如用 pchome 來做測試, 會看到連線被 reset 掉</FONT></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ScreenShot01098.jpg" style="width: 938px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/1319i02D66C57CAA8CAE0/image-size/large?v=v2&amp;px=999" role="button" title="ScreenShot01098.jpg" alt="ScreenShot01098.jpg" /></span></P><P><BR /><FONT face="arial,helvetica,sans-serif" size="5">5. 查看 IPS log 是否有相關 log</FONT><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ScreenShot01093.jpg" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/1320i1D57668E933E116C/image-size/large?v=v2&amp;px=999" role="button" title="ScreenShot01093.jpg" alt="ScreenShot01093.jpg" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ScreenShot01094.jpg" style="width: 801px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/1321iEFAADD2503C19FCD/image-size/large?v=v2&amp;px=999" role="button" title="ScreenShot01094.jpg" alt="ScreenShot01094.jpg" /></span></P><P>&nbsp;</P><P><FONT face="arial,helvetica,sans-serif" size="5">點選 Packet Captures 可看到阻擋的封包內容</FONT></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ScreenShot01097.jpg" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/1322iB17AA64A429379AE/image-size/large?v=v2&amp;px=999" role="button" title="ScreenShot01097.jpg" alt="ScreenShot01097.jpg" /></span><BR /><BR /></P><P><FONT face="arial,helvetica,sans-serif" size="5">所以透過 Snort Rules, 只要簡單修改一些內容, 就可以達到阻檔 keyword 的目的, 很簡單</FONT><BR /><BR /><FONT face="arial,helvetica,sans-serif" size="5">PS. 若是 HTTPS 的流量, 當然是要開 HTTPS Inspection 才看的到囉</FONT></P><P>&nbsp;</P><P><FONT face="arial,helvetica,sans-serif" size="5">Regards,</FONT></P><P><FONT face="arial,helvetica,sans-serif" size="5">Jacky</FONT></P> Fri, 24 May 2019 06:23:43 GMT https://community.checkpoint.com/t5/Chinese-%E4%B8%AD%E6%96%87/Block-keywords-via-Snort-Rules/m-p/54300#M504 Jacky_Chen 2019-05-24T06:23:43Z