Page 2 of 3 (results 11 to 20 of 22)
  1. #11 Master Untangler (Join Date Jan 2011, Posts 967)

    BTW, there are rules already in Untangle's rule database that do exactly the same thing: trigger on a packet to port 25 with a particular MAIL FROM: string. Like rule 31507 "MALWARE-CNC Win.Trojan.HW32 variant spam attempt" in classtype trojan-activity:
    Code:
    alert tcp $HOME_NET any -> $EXTERNAL_NET 25 ( msg:"MALWARE-CNC Win.Trojan.HW32 variant spam attempt"; flow:to_server, established; content:"MAIL FROM: <Reademal.com>|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,www.virustotal.com/en/file/e69b310dff09830641d4b9682375ce3df503674d23c429bd7847979ea9250b2b/analysis/; classtype:trojan-activity; sid:31507; rev:1; )

  2. #12 Master Untangler (Join Date Jan 2011, Posts 967)

    I'm starting to think the issue is that I'm trying to use two content: conditions, which apparently doesn't work. Every rule I've looked at that looks for more than one string in a packet uses content: for the first match and pcre: for the additional match. Perl regular expressions are Greek to me, but I'll have to figure it out... shouldn't be too hard, as all I'm looking for is a simple character string.

  3. #13 Master Untangler (Join Date Jan 2011, Posts 967)

    Well, it turns out my original rule was right all along; it actually does trigger when it should.

    There's a bug in the Untangle IPS module - rules added via the UI and checked "flag" or "drop" get unchecked every night, presumably during the rule update process. So every day when I come to work on this again or check the logs, I find the rule has been disabled and hasn't been logging - that's why I thought it wasn't working.

    And there appears to be another bug somewhere: when I set my rule to drop and the SMTP client sends the offending "MAIL FROM:" packet, IPS drops it the first time; the SMTP client sends the exact same packet again, and IPS drops it again; the SMTP client sends it a 3rd time, and IPS lets it go right through and the SMTP conversation completes as normal. tcpdump shows the 3 packets are identical; the SMTP client doesn't do anything different the 3rd time, but IPS ignores the 3rd try for reasons unknown.

  4. #14 Untangler jcoffin (Join Date Aug 2008, Location Sunnyvale, CA, Posts 6,871)

    Quote Originally Posted by johnsonx42:
    There's a bug in the Untangle IPS module - rules added via the UI and checked "flag" or "drop" get unchecked every night, presumably during the rule update process. So every day when I come to work on this again or check the logs, I find the rule has been disabled and hasn't been logging - that's why I thought it wasn't working.

    https://jira.untangle.com/browse/NGFW-11230

  5. #15 Master Untangler (Join Date Jan 2011, Posts 967)

    Here's the tcpdump from the Untangle external interface with the domain names and IPs changed:
    Code:
    Mon Jan 08 2018 12:06:29 GMT-0800 (Pacific Standard Time) - Test Started
    tcpdump: listening on eth1.5, link-type EN10MB (Ethernet), capture size 65535 bytes
    
    12:06:36.270927 IP 9.8.7.6.21666 > 1.2.3.4.25: Flags [S], seq 870445152, win 29200, options [mss 1460,sackOK,TS val 3045101743 ecr 0,nop,wscale 7], length 0
    12:06:36.280165 IP 1.2.3.4.25 > 9.8.7.6.21666: Flags [S.], seq 2612692448, ack 870445153, win 28960, options [mss 1460,sackOK,TS val 460588117 ecr 3045101743,nop,wscale 7], length 0
    12:06:36.292121 IP 9.8.7.6.21666 > 1.2.3.4.25: Flags [.], ack 1, win 229, options [nop,nop,TS val 3045101764 ecr 460588117], length 0
    12:06:36.294116 IP 1.2.3.4.25 > 9.8.7.6.21666: Flags [P.], seq 1:132, ack 1, win 227, options [nop,nop,TS val 460588131 ecr 3045101764], length 131: SMTP: 220 mail.mydomain.com Ready
    12:06:36.305532 IP 9.8.7.6.21666 > 1.2.3.4.25: Flags [.], ack 132, win 237, options [nop,nop,TS val 3045101777 ecr 460588131], length 0
    12:06:36.305597 IP 9.8.7.6.21666 > 1.2.3.4.25: Flags [P.], seq 1:27, ack 132, win 237, options [nop,nop,TS val 3045101778 ecr 460588131], length 26: SMTP: EHLO mail.baddomain.com
    12:06:36.306023 IP 1.2.3.4.25 > 9.8.7.6.21666: Flags [.], ack 27, win 227, options [nop,nop,TS val 460588143 ecr 3045101778], length 0
    12:06:36.308096 IP 1.2.3.4.25 > 9.8.7.6.21666: Flags [P.], seq 132:188, ack 27, win 227, options [nop,nop,TS val 460588145 ecr 3045101778], length 56: SMTP: 250-mail.mydomain.com
    12:06:36.322103 IP 9.8.7.6.21666 > 1.2.3.4.25: Flags [P.], seq 27:70, ack 188, win 237, options [nop,nop,TS val 3045101795 ecr 460588145], length 43: SMTP: MAIL FROM:<dave@baddomain.com> SIZE=1982
    12:06:36.519742 IP 1.2.3.4.25 > 9.8.7.6.21666: Flags [P.], seq 132:188, ack 27, win 227, options [nop,nop,TS val 460588357 ecr 3045101778], length 56: SMTP: 250-mail.mydomain.com
    12:06:36.532052 IP 9.8.7.6.21666 > 1.2.3.4.25: Flags [.], ack 188, win 237, options [nop,nop,TS val 3045102004 ecr 460588357,nop,nop,sack 1 {132:188}], length 0
    12:06:36.542421 IP 9.8.7.6.21666 > 1.2.3.4.25: Flags [P.], seq 27:70, ack 188, win 237, options [nop,nop,TS val 3045102015 ecr 460588357], length 43: SMTP: MAIL FROM:<dave@baddomain.com> SIZE=1982
    12:06:36.731725 IP 1.2.3.4.25 > 9.8.7.6.21666: Flags [P.], seq 132:188, ack 27, win 227, options [nop,nop,TS val 460588569 ecr 3045101778], length 56: SMTP: 250-mail.mydomain.com
    12:06:36.743499 IP 9.8.7.6.21666 > 1.2.3.4.25: Flags [.], ack 188, win 237, options [nop,nop,TS val 3045102215 ecr 460588569,nop,nop,sack 1 {132:188}], length 0
    12:06:36.982063 IP 9.8.7.6.21666 > 1.2.3.4.25: Flags [P.], seq 27:70, ack 188, win 237, options [nop,nop,TS val 3045102455 ecr 460588569], length 43: SMTP: MAIL FROM:<dave@baddomain.com> SIZE=1982
    12:06:36.984716 IP 1.2.3.4.25 > 9.8.7.6.21666: Flags [P.], seq 188:196, ack 70, win 227, options [nop,nop,TS val 460588821 ecr 3045102455], length 8: SMTP: 250 Ok
    12:06:36.996914 IP 9.8.7.6.21666 > 1.2.3.4.25: Flags [.], ack 196, win 237, options [nop,nop,TS val 3045102469 ecr 460588821], length 0
    12:06:36.996957 IP 9.8.7.6.21666 > 1.2.3.4.25: Flags [P.], seq 70:140, ack 196, win 237, options [nop,nop,TS val 3045102470 ecr 460588821], length 70: SMTP: RCPT TO:<dave@mydomain.com> ORCPT=rfc822;dave@mydomain.com:0:0
    12:06:37.000238 IP 1.2.3.4.25 > 9.8.7.6.21666: Flags [P.], seq 196:204, ack 140, win 227, options [nop,nop,TS val 460588837 ecr 3045102470], length 8: SMTP: 250 Ok
    12:06:37.012091 IP 9.8.7.6.21666 > 1.2.3.4.25: Flags [P.], seq 140:146, ack 204, win 237, options [nop,nop,TS val 3045102484 ecr 460588837], length 6: SMTP: DATA
    12:06:37.013179 IP 1.2.3.4.25 > 9.8.7.6.21666: Flags [P.], seq 204:250, ack 146, win 227, options [nop,nop,TS val 460588850 ecr 3045102484], length 46: SMTP: 354 Start mail input; end with <CRLF>.<CRLF>
    12:06:37.027088 IP 9.8.7.6.21666 > 1.2.3.4.25: Flags [P.], seq 146:1594, ack 250, win 237, options [nop,nop,TS val 3045102498 ecr 460588850], length 1448: SMTP: Received: from -------------
    12:06:37.027138 IP 9.8.7.6.21666 > 1.2.3.4.25: Flags [P.], seq 1594:1840, ack 250, win 237, options [nop,nop,TS val 3045102498 ecr 460588850], length 246: SMTP:
    12:06:37.027259 IP 1.2.3.4.25 > 9.8.7.6.21666: Flags [.], ack 1840, win 272, options [nop,nop,TS val 460588864 ecr 3045102498], length 0
    12:06:37.038939 IP 9.8.7.6.21666 > 1.2.3.4.25: Flags [P.], seq 1840:2132, ack 250, win 237, options [nop,nop,TS val 3045102511 ecr 460588864], length 292: SMTP: soNormal>Test</p><p class=3DMsoNormal>Test</p><p class=3DMsoNormal><o:p>&nb=
    12:06:37.046958 IP 1.2.3.4.25 > 9.8.7.6.21666: Flags [P.], seq 250:258, ack 2132, win 295, options [nop,nop,TS val 460588884 ecr 3045102511], length 8: SMTP: 250 Ok
    12:06:37.058404 IP 9.8.7.6.21666 > 1.2.3.4.25: Flags [P.], seq 2132:2138, ack 258, win 237, options [nop,nop,TS val 3045102531 ecr 460588884], length 6: SMTP: QUIT
    12:06:37.061062 IP 1.2.3.4.25 > 9.8.7.6.21666: Flags [P.], seq 258:308, ack 2138, win 295, options [nop,nop,TS val 460588898 ecr 3045102531], length 50: SMTP: 221 mail.mydomain.com Closing transmission channel
    12:06:37.061323 IP 1.2.3.4.25 > 9.8.7.6.21666: Flags [F.], seq 308, ack 2138, win 295, options [nop,nop,TS val 460588898 ecr 3045102531], length 0
    12:06:37.072061 IP 9.8.7.6.21666 > 1.2.3.4.25: Flags [F.], seq 2138, ack 308, win 237, options [nop,nop,TS val 3045102545 ecr 460588898], length 0
    12:06:37.072220 IP 1.2.3.4.25 > 9.8.7.6.21666: Flags [.], ack 2139, win 295, options [nop,nop,TS val 460588909 ecr 3045102545], length 0
    12:06:37.073547 IP 9.8.7.6.21666 > 1.2.3.4.25: Flags [.], ack 309, win 237, options [nop,nop,TS val 3045102545 ecr 460588898], length 0
    Mon Jan 08 2018 12:07:00 GMT-0800 (Pacific Standard Time) - Test Completed
    Capturing the same conversation from the internal interface shows just a single "MAIL FROM:" packet arriving after a few hundred ms delay (i.e. the time spent dropping the first two).

    The rule in this test case is:
    Code:
    drop tcp any any -> 1.2.3.4 25 ( msg:"mail from baddomain.com"; classtype:unknown; sid:1999999; content:"FROM:"; depth:10; fast_pattern; content:"@baddomain.com"; depth:30; nocase; )
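As an added example (not code from this thread and not Snort's own matcher), here is a small evaluator for the non-relative content:/depth/nocase semantics the rule above relies on, run against the MAIL FROM and EHLO payloads from the capture; for comparison it also evaluates a rule reduced to a bare content:"baddomain.com", which matches the EHLO line as well. The depth semantics (the whole pattern must fit within the first N payload bytes) are assumed from Snort's documentation.

```python
from typing import Optional

def content_match(payload: bytes, pattern: bytes, depth: Optional[int] = None,
                  offset: int = 0, nocase: bool = False) -> Optional[int]:
    """Emulate a non-relative Snort content: option (assumed semantics, not
    Snort's own code): with depth=N the whole pattern must fall inside
    payload[offset:offset+N]. Returns the match index or None."""
    window = payload[offset:offset + depth] if depth is not None else payload[offset:]
    hay, needle = (window.lower(), pattern.lower()) if nocase else (window, pattern)
    i = hay.find(needle)
    return None if i < 0 else offset + i

def rule_matches(payload: bytes, contents) -> bool:
    """Every content: option here is non-relative, so each one is measured from
    the start of the payload, and all of them must match."""
    return all(content_match(payload, **c) is not None for c in contents)

# The content: options from the sid:1999999 rule in this post.
RULE_1999999 = [
    {"pattern": b"FROM:", "depth": 10},
    {"pattern": b"@baddomain.com", "depth": 30, "nocase": True},
]
# The same rule reduced to one bare content: match, for comparison.
BARE_RULE = [{"pattern": b"baddomain.com"}]

# Payloads as they appear in the capture above (reconstructed here as bytes).
MAIL_FROM = b"MAIL FROM:<dave@baddomain.com> SIZE=1982\r\n"
EHLO = b"EHLO mail.baddomain.com\r\n"

if __name__ == "__main__":
    for name, payload in (("MAIL FROM", MAIL_FROM), ("EHLO", EHLO)):
        print(f"{name}: sid 1999999 -> {rule_matches(payload, RULE_1999999)}, "
              f"bare -> {rule_matches(payload, BARE_RULE)}")
    # "@baddomain.com" ends at byte 29, so depth:30 fits it but depth:20 does not.
    print("depth 20:", content_match(MAIL_FROM, b"@baddomain.com", depth=20))
```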

  6. #16 Master Untangler (Join Date Jan 2011, Posts 967)

    jcoffin, in regard to the bug report you linked, is there currently a way to fix it? I.e., do I need to give my rule a different classtype or sid?

  7. #17 Master Untangler (Join Date Jan 2011, Posts 967)

    For clarity, here are the 3 packets:
    Code:
    12:06:36.322103 IP 9.8.7.6.21666 > 1.2.3.4.25: Flags [P.], seq 27:70, ack 188, win 237, options [nop,nop,TS val 3045101795 ecr 460588145], length 43: SMTP: MAIL FROM:<dave@baddomain.com> SIZE=1982
    12:06:36.542421 IP 9.8.7.6.21666 > 1.2.3.4.25: Flags [P.], seq 27:70, ack 188, win 237, options [nop,nop,TS val 3045102015 ecr 460588357], length 43: SMTP: MAIL FROM:<dave@baddomain.com> SIZE=1982
    12:06:36.982063 IP 9.8.7.6.21666 > 1.2.3.4.25: Flags [P.], seq 27:70, ack 188, win 237, options [nop,nop,TS val 3045102455 ecr 460588569], length 43: SMTP: MAIL FROM:<dave@baddomain.com> SIZE=1982
    IPS drops the first two, and lets the 3rd one go through.

    (and yes, I tested multiple times, it's always the 3rd packet that goes through)

  8. #18 Master Untangler (Join Date Jan 2011, Posts 967)

    There is definitely something very wrong with Untangle's Snort implementation. My testing shows any packet that should be dropped eventually gets through.

    I simplified my rule down to just this: "drop tcp any any -> 1.2.3.4 25 ( msg:"baddomain.com"; classtype:unknown; sid:1999999; content:"baddomain.com"; )"

    So all it does is look at every packet to port 25 and drop any that has "baddomain.com". Obviously, then, I absolutely should not be able to receive any email from baddomain.com... yet:
    Code:
    Tue Jan 09 2018 09:13:43 GMT-0800 (Pacific Standard Time) - Test Started
    tcpdump: listening on eth1.5, link-type EN10MB (Ethernet), capture size 65535 bytes
    
    09:13:51.995281 IP 9.8.7.6.48566 > 1.2.3.4.25: Flags [S], seq 146781195, win 29200, options [mss 1460,sackOK,TS val 3121137465 ecr 0,nop,wscale 7], length 0
    09:13:52.008133 IP 1.2.3.4.25 > 9.8.7.6.48566: Flags [S.], seq 860018312, ack 146781196, win 28960, options [mss 1460,sackOK,TS val 536623845 ecr 3121137465,nop,wscale 7], length 0
    09:13:52.019307 IP 9.8.7.6.48566 > 1.2.3.4.25: Flags [.], ack 1, win 229, options [nop,nop,TS val 3121137493 ecr 536623845], length 0
    09:13:52.099040 IP 1.2.3.4.25 > 9.8.7.6.48566: Flags [P.], seq 1:132, ack 1, win 227, options [nop,nop,TS val 536623936 ecr 3121137493], length 131: SMTP: 220 mail.mydomain.com Ready
    09:13:52.115085 IP 9.8.7.6.48566 > 1.2.3.4.25: Flags [.], ack 132, win 237, options [nop,nop,TS val 3121137585 ecr 536623936], length 0
    09:13:52.115250 IP 9.8.7.6.48566 > 1.2.3.4.25: Flags [P.], seq 1:27, ack 132, win 237, options [nop,nop,TS val 3121137586 ecr 536623936], length 26: SMTP: EHLO mail.baddomain.com
    09:13:52.341660 IP 9.8.7.6.48566 > 1.2.3.4.25: Flags [P.], seq 1:27, ack 132, win 237, options [nop,nop,TS val 3121137814 ecr 536623936], length 26: SMTP: EHLO mail.baddomain.com
    09:13:52.569528 IP 9.8.7.6.48566 > 1.2.3.4.25: Flags [P.], seq 1:27, ack 132, win 237, options [nop,nop,TS val 3121138042 ecr 536623936], length 26: SMTP: EHLO mail.baddomain.com
    09:13:53.023878 IP 9.8.7.6.48566 > 1.2.3.4.25: Flags [P.], seq 1:27, ack 132, win 237, options [nop,nop,TS val 3121138499 ecr 536623936], length 26: SMTP: EHLO mail.baddomain.com
    09:13:53.937312 IP 9.8.7.6.48566 > 1.2.3.4.25: Flags [P.], seq 1:27, ack 132, win 237, options [nop,nop,TS val 3121139412 ecr 536623936], length 26: SMTP: EHLO mail.baddomain.com
    09:13:55.764450 IP 9.8.7.6.48566 > 1.2.3.4.25: Flags [P.], seq 1:27, ack 132, win 237, options [nop,nop,TS val 3121141240 ecr 536623936], length 26: SMTP: EHLO mail.baddomain.com
    09:13:59.421245 IP 9.8.7.6.48566 > 1.2.3.4.25: Flags [P.], seq 1:27, ack 132, win 237, options [nop,nop,TS val 3121144896 ecr 536623936], length 26: SMTP: EHLO mail.baddomain.com
    09:14:06.732317 IP 9.8.7.6.48566 > 1.2.3.4.25: Flags [P.], seq 1:27, ack 132, win 237, options [nop,nop,TS val 3121152208 ecr 536623936], length 26: SMTP: EHLO mail.baddomain.com
    09:14:06.732484 IP 1.2.3.4.25 > 9.8.7.6.48566: Flags [.], ack 27, win 227, options [nop,nop,TS val 536638569 ecr 3121152208], length 0
    09:14:06.734789 IP 1.2.3.4.25 > 9.8.7.6.48566: Flags [P.], seq 132:188, ack 27, win 227, options [nop,nop,TS val 536638572 ecr 3121152208], length 56: SMTP: 250-mail.mydomain.com
    09:14:06.745714 IP 9.8.7.6.48566 > 1.2.3.4.25: Flags [P.], seq 27:70, ack 188, win 237, options [nop,nop,TS val 3121152221 ecr 536638572], length 43: SMTP: MAIL FROM:<dave@baddomain.com> SIZE=1982
    09:14:06.750379 IP 1.2.3.4.25 > 9.8.7.6.48566: Flags [P.], seq 188:196, ack 70, win 227, options [nop,nop,TS val 536638587 ecr 3121152221], length 8: SMTP: 250 Ok
    09:14:06.762331 IP 9.8.7.6.48566 > 1.2.3.4.25: Flags [P.], seq 70:140, ack 196, win 237, options [nop,nop,TS val 3121152237 ecr 536638587], length 70: SMTP: RCPT TO:<dave@mydomain.com>
    09:14:06.766609 IP 1.2.3.4.25 > 9.8.7.6.48566: Flags [P.], seq 196:204, ack 140, win 227, options [nop,nop,TS val 536638603 ecr 3121152237], length 8: SMTP: 250 Ok
    09:14:06.778852 IP 9.8.7.6.48566 > 1.2.3.4.25: Flags [P.], seq 140:146, ack 204, win 237, options [nop,nop,TS val 3121152254 ecr 536638603], length 6: SMTP: DATA
    09:14:06.779919 IP 1.2.3.4.25 > 9.8.7.6.48566: Flags [P.], seq 204:250, ack 146, win 227, options [nop,nop,TS val 536638617 ecr 3121152254], length 46: SMTP: 354 Start mail input; end with <CRLF>.<CRLF>
    09:14:06.790993 IP 9.8.7.6.48566 > 1.2.3.4.25: Flags [P.], seq 146:1840, ack 250, win 237, options [nop,nop,TS val 3121152266 ecr 536638617], length 1694: SMTP: Received: from -----------------
    09:14:06.791213 IP 1.2.3.4.25 > 9.8.7.6.48566: Flags [.], ack 1840, win 272, options [nop,nop,TS val 536638628 ecr 3121152266], length 0
    09:14:06.802893 IP 9.8.7.6.48566 > 1.2.3.4.25: Flags [P.], seq 1840:2132, ack 250, win 237, options [nop,nop,TS val 3121152277 ecr 536638628], length 292: SMTP: soNormal>Test</p><p class=3DMsoNormal>Test</p><p class=3DMsoNormal><o:p>&nb=
    09:14:06.811014 IP 1.2.3.4.25 > 9.8.7.6.48566: Flags [P.], seq 250:258, ack 2132, win 295, options [nop,nop,TS val 536638648 ecr 3121152277], length 8: SMTP: 250 Ok
    09:14:06.822325 IP 9.8.7.6.48566 > 1.2.3.4.25: Flags [P.], seq 2132:2138, ack 258, win 237, options [nop,nop,TS val 3121152297 ecr 536638648], length 6: SMTP: QUIT
    09:14:06.824837 IP 1.2.3.4.25 > 9.8.7.6.48566: Flags [P.], seq 258:308, ack 2138, win 295, options [nop,nop,TS val 536638662 ecr 3121152297], length 50: SMTP: 221 mail.mydomain.com Closing transmission channel
    09:14:06.825105 IP 1.2.3.4.25 > 9.8.7.6.48566: Flags [F.], seq 308, ack 2138, win 295, options [nop,nop,TS val 536638662 ecr 3121152297], length 0
    09:14:06.838851 IP 9.8.7.6.48566 > 1.2.3.4.25: Flags [F.], seq 2138, ack 309, win 237, options [nop,nop,TS val 3121152313 ecr 536638662], length 0
    09:14:06.839044 IP 1.2.3.4.25 > 9.8.7.6.48566: Flags [.], ack 2139, win 295, options [nop,nop,TS val 536638676 ecr 3121152313], length 0
    Tue Jan 09 2018 09:14:14 GMT-0800 (Pacific Standard Time) - Test Completed
    It drops the first 7 EHLO messages, then just quits... it doesn't even bother dropping the next packet that includes baddomain.com. The email comes right in.
    Last edited by johnsonx42; 01-09-2018 at 10:25 AM.
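As an added example (not code from this thread), here is a small checker for exactly the symptom shown in the captures in #15, #17 and #18: a client data segment carrying the string the drop rule keys on that the server finally acknowledges only after it has been sent several times. It parses tcpdump's one-line TCP summary format as printed above; the sample lines are constructed in that format (timestamps and TS values shortened), not the original capture.

```python
import re

# Parser for tcpdump's default one-line TCP summary, as printed in the captures above.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\],"
    r"(?: seq (?P<seq>\d+)(?::(?P<end>\d+))?,)?(?: ack (?P<ack>\d+),)?"
    r".*?length (?P<len>\d+)(?:: SMTP: (?P<smtp>.*))?$"
)

def parse(line):
    """Return the fields of one tcpdump line as a dict, or None if it is not a TCP summary."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "seq", "end", "ack", "len"):
        d[k] = int(d[k]) if d[k] is not None else None
    return d

def find_retransmitted_segments(lines, server_port=25):
    """For each client->server data segment (keyed by its seq range), count how often
    it was sent and record after which send the server's ACK first covered it."""
    segments = {}  # (seq, end) -> record, kept in first-seen order
    for raw in lines:
        p = parse(raw)
        if p is None:
            continue
        if p["dport"] == server_port and p["end"] is not None and p["len"] > 0:
            rec = segments.setdefault((p["seq"], p["end"]), {
                "seq": (p["seq"], p["end"]), "sends": 0,
                "accepted_after": None, "payload": p["smtp"] or ""})
            rec["sends"] += 1
        elif p["sport"] == server_port and p["ack"] is not None:
            for rec in segments.values():
                if rec["accepted_after"] is None and p["ack"] >= rec["seq"][1]:
                    rec["accepted_after"] = rec["sends"]
    return list(segments.values())

def leaked_segments(lines, needle, server_port=25):
    """Segments containing `needle` (what the drop rule matches on) that the server
    nonetheless acknowledged, but only after more than one send: the IPS let a retransmit through."""
    return [r for r in find_retransmitted_segments(lines, server_port)
            if needle.lower() in r["payload"].lower() and (r["accepted_after"] or 0) >= 2]

# Constructed sample in the capture's format (not the original lines): three identical EHLO
# segments before the server ACKs them, then a MAIL FROM accepted on the first try.
SAMPLE = """\
09:13:52.115250 IP 9.8.7.6.48566 > 1.2.3.4.25: Flags [P.], seq 1:27, ack 132, win 237, options [nop,nop,TS val 1 ecr 1], length 26: SMTP: EHLO mail.baddomain.com
09:13:52.341660 IP 9.8.7.6.48566 > 1.2.3.4.25: Flags [P.], seq 1:27, ack 132, win 237, options [nop,nop,TS val 2 ecr 1], length 26: SMTP: EHLO mail.baddomain.com
09:13:52.569528 IP 9.8.7.6.48566 > 1.2.3.4.25: Flags [P.], seq 1:27, ack 132, win 237, options [nop,nop,TS val 3 ecr 1], length 26: SMTP: EHLO mail.baddomain.com
09:13:53.000000 IP 1.2.3.4.25 > 9.8.7.6.48566: Flags [.], ack 27, win 227, options [nop,nop,TS val 4 ecr 3], length 0
09:13:53.010000 IP 9.8.7.6.48566 > 1.2.3.4.25: Flags [P.], seq 27:70, ack 188, win 237, options [nop,nop,TS val 5 ecr 4], length 43: SMTP: MAIL FROM:<dave@baddomain.com> SIZE=1982
09:13:53.020000 IP 1.2.3.4.25 > 9.8.7.6.48566: Flags [P.], seq 188:196, ack 70, win 227, options [nop,nop,TS val 6 ecr 5], length 8: SMTP: 250 Ok
""".splitlines()

if __name__ == "__main__":
    for r in leaked_segments(SAMPLE, "baddomain.com"):
        print(f"seq {r['seq']}: sent {r['sends']}x, accepted after send #{r['accepted_after']}: {r['payload']}")
```

Run it over a full external-interface capture (one line per packet) to list every segment the IPS should have dropped but which the server ended up acknowledging.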

  9. #19 Master Untangler (Join Date Jan 2011, Posts 967)

    Really? Two weeks ago I identified a pretty serious failure in the IDS "Drop" function, with multiple tests and packet captures, which at least one person at Untangle has clearly read, and no one gives a crap? I also mentioned the same issue in another thread, which again at least one person at Untangle has clearly read.

    Yet nobody says they're investigating it, nor asks for any more information, nor even indicates so much as a passing interest. Sad.

  10. #20 Untangle Ninja (Join Date Jan 2009, Posts 1,085)

    This is why I run an IDS behind all my Untangle installs where IDS matters... because I believe that their implementation is only there to serve as a requirement checkbox filler and does not function as a normal admin would expect an IDS to function, like failing to trigger on selected rules that the IDS behind it triggers on.
