Sourcefire Custom IPS Signatures Using Signature Editor

Up until this point we relied on Cisco/Sourcefire to provide us with signatures that will protect our network. But, at some point in our IPS expert career the need will arise to create our own signatures. This time we will create a signature with the “IPS Signature Editor“.

First, let’s recall our topology:


We are protecting the laptop on the left hand side from bad guys coming from dark cloud on the right. We are going to attack  our laptop.

Let’s come up with a scenario: the attack emerged that uses UDP/2015 port as a destination, because there is some vulnerable service listening on that port. Because this service is not so common, up to now there is no signature for it. The attack is carried out by sending the hex string “53 6f 75 72 63 65 66 69  72 65” to the victim. This hex string is actually a text Sourcefire. We need to create the signature that will detect UDP packets with this payload and drop them.

Before we do that, we must come up with a solution that tests our connectivity before we create our signature. There are several applications that can aid this effort, such as PackETH, TcpClientServer, UdpClientServer, … For the sake of this blog, we will use UdpClientServer. This application is used for testing connectivity from some point in our network to another point. We should install this application on our laptop and run int as a server, and also install it on the attacker PC, from which we will carry the attack. The installation is pretty straight forward.

On our laptop, we start it up and set it to act as a server. We select the interface and listening address, as well as port. We then click “Start Server” button:

26-May-2015 2-10-34 PM

Now our server (in this case laptop) is ready. Let’s go now to our test PC and start UdpClientServer. We select the interface we will be using for sending data, the IP address of our target server, or the victim, and the port number:

26-May-2015 2-13-12 PM

In order to try this, on our test PC in the Send edit box we type in our attack string, which is Sourcefire. We then click “Send Text“:

26-May-2015 2-17-33 PM

After we click the “Sent Text“, we go the our victim and check out our Receive field:

26-May-2015 2-19-59 PM

So our test worked. Before we create our IPS rule that will prevent this, we will create an “Access Control Policy” rule that will allow this kind of traffic and we will change this ACP rule in a way that we will attach the IPS policy to it. Our ACP rule should look like this:

26-May-2015 2-24-26 PM

We placed this rule at the top of our access control policy, and make it allow the traffic through. Remember, if we made it block the traffic, we could not attach the IPS policy. After we commit our changes, we try our connection again and check the result on the “Defense Center“:

26-May-2015 2-28-53 PM

We can see the the event is logged and further to the right we can see what policy and what rule matched.

Now we are ready to create our IPS rule…

We can create our IPS rule inside our current policy and apply that policy to our “Access Policy Rule“, like we did with that CWD ~root IPS rule. But, we already know how to do this. Let’s create an “empty” IPS policy and within that policy, we will create our rule.

Let’s go to “Policies->Intrusion->Intrusion Policy” and click “Create Policy“:

27-May-2015 8-57-51 AM

We gave it a name and description and selected that no rules should be active. We want to dedicate this policy only for our custom service. We click “Create and Edit Policy“:

27-May-2015 9-12-03 AM

We can see all zeroes. No rules active in either layer. This is kinda empty policy. It is not actually empty, but rather all rules are disabled.

Now we are going to create our custom IPS rule. Let’s go to “Policy->Intrusion->Rule Editor“. We will focus on “Local Rules” category, because these are the ones we create. We have no custom rules created so far. We click “Create Rule” at the top right:

27-May-2015 9-15-59 AM

The “Create New Rule” dialog needs to be filled in. We type the Message text in, select Classification, Action, Protocol, Direction, “Source IPs“, “Source Port“, “Destination IPs” and “Destination Port“:

27-May-2015 9-21-15 AM

Under the “Detection Options” we select content and click “Add Option“. We can now specify the string we are hunting and other parameter regarding this search. More about this later. For now, in the content field we type sourcefire. Because original scenario stated that the attack string is Sourcefire (with the capital S), we can type exactly Sourcefire (upper case S), or sourcefire (lower case S) with the option “Case Insensitive“:

27-May-2015 9-26-01 AM

We click “Save As New“. We can see that the new rule created with the 1:1000000:1 designations. These are GID:SID:REV, “Generator ID“, “Signature ID” and Revision. For now we need to remember that for custom rules GID is always one, SID begins with one million and the REV is revision number for this rule, beginning with one. If we go back to the “Rule Editor” we can see our newly created rule:

27-May-2015 9-31-08 AM

Let’s navigate back to our “WP CUSTOM POLICYIPS policy, under “Policy Layers->My Changes->Rules“, under Category we select local and we can see our rule:

27-May-2015 9-37-28 AM

We can see that our rule is not enabled. So, we select it, click “Rule State” and select “Drop and Generate Events“:

27-May-2015 9-39-21 AM

Now our rule is active:

27-May-2015 9-40-36 AM

We have a yellow warning sign next to “Policy Information“:

27-May-2015 9-42-16 AM

We click there and then “Commit Changes“. Let’s go back to our policy, and click “Policy Layers“. As we learned so far, our custom rule is placed in the top “User Layers” layer, in this case “My Changes“:

27-May-2015 9-45-24 AM

Finally, we need to attach this IPS policy to our “WP CUSTOM IPS SIGNATURE” within the “WP TEST POLICYaccess control policy” rule:

27-May-2015 9-49-07 AM

We save and apply our “Access Control Policy” changes.

Now it’s time to test our application again. We start UdpClientServer in server mode on our laptop, and start it in client mode on some PC in the outside network. Now if we type in Sourcefire text on the client side and click  “Send Text“, we should not get that text on the server side. This is because our IPS rule detected and prevented this attack. Some other text should go through. Let’s verify that under “Analysis->Connection->Events“:

27-May-2015 9-58-14 AM

We can see that the connection is dropped and the reason is “Intrusion Block“. This can also be viewed by going to “Analysis->Intrusion->Events“:

27-May-2015 10-02-00 AM

Indeed, this is our triggered rule. By clicking the event we can dive deep into it. We can see that the Priority is low, the Impact is three and the “Inline Result” is drop, which is represented with the black down arrow:

27-May-2015 10-03-39 AM

By selecting the event (click the check box) and clicking View, we can investigate even further:

27-May-2015 10-08-18 AM

We can see what signature triggered, when, from where and where to. Also we can see who is the attacker and who is the victim, what policy and what rule triggered this event. Finally we can see the Snort rule as if it were written in text. Yes, Sourcefire does use Snort engine 🙂

At the bottom of this page we can see the whole frame or packet captured from the network. This is the packed which triggered the event. We can use this information to further investigate the issue, or even save the packet in the PCAP format and open it with Wireshark. We can see the string that caused this event to trigger:

27-May-2015 10-13-58 AM

At the end of this blog, I would like to point out to another way to test our rules. It is very nice tool for testing the Snort rules and learn a lot about creating them without using the wizard. Before we wrap this blog up, here is our packet written in PackETH or loaded in PackETH from PCAP file downloaded from our “Defense Center“:

27-May-2015 1-51-29 PM

27-May-2015 1-53-41 PM

28-May-2015 8-12-11 AM

Once we prepare the packet this way, we select the interface to use and click Send:

27-May-2015 1-57-25 PM

If we choose to test our rules with the PackETH (which is far more powerful tool for such testing than UdpClientServer or TcpClientServer), we must use it from a Linux box. Although there is a version for Windows, in my testings it was creating faulty packets which were dropped by the ASA before they even made it to the SFR. We will deal with PackETH and creating Snort rules some other time.

Well, I guess that’s all for now. Stay tuned for more…

Thanks for reading!


This entry was posted in Cisco, FirePOWER, Firewall, IPS, Security, Sourcefire and tagged , , , , . Bookmark the permalink.

6 Responses to Sourcefire Custom IPS Signatures Using Signature Editor

  1. Pingback: Sourcefire Event Filtering, Dynamic States, Alerting and Comments | popravak

  2. xamtomcat says:

    Hi, nice post! but… doing a step backwards I don’t really understand how is this system keeping up to date on the signatures it already has. Is Cisco updating it automatical by pushing notification to the registered users or to the system?

  3. mikgruff says:

    Great post as always. Im a complete linux noob. How would I set up PackETH on a linux box? Also, is this example are you using windows PackETH or linux PackETH?

    • Sasa says:

      I was using Linux version. Windows version does *not* work. For some reason, on my laptop, that is. Installing Packeth on a Linux box is an easy task. On Debian based distros (Debian, Ubuntu, Kali, …) you should do:

      – sudo apt-get update
      – sudo apt-get install packeth

      And run the tool with: packeth or sudo packeth

      For Windows, you may try Colasoft Packet Builder. It’s free and it works.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s