monitoring for sober.y with squid and swatch

Written by jlgaddis on January 5, 2006 – 10:28 pm

Here’s something I just implemented that may be helpful… monitoring for Sober.Y activity using a combination of Squid and swatch.

This occurred to me while reading “A sober New Years update” at the Internet Storm Center, since I had just recently posted an article about Blocking .WMF at the Perimeter. This is somewhat similar.

SANS recommends monitoring (but not blocking) traffic from the following hosts:

  • people.freenet.de
  • scifi.pages.at
  • free.pages.at
  • home.pages.at
  • home.arcor.de

There could be others, but this is what SANS lists. Anyways, on with it…

In my case, I’m running Squid on a Red Hat Enterprise Linux 4. Squid’s access.log is stored in /var/log/squid/access.log. Using swatch, we can easily monitor for attempts to access any of the above hosts (as long as it’s going through the proxy, anyways). I run a transparent proxy for roughly 900 Windows hosts. The “redirection” is done automatically on an HP9304m switch. Any traffic heading outbound on port 80 is sent through the proxy server, and no outbound traffic on port 80 is permitted through the firewall except from the proxy server — this prevents anyone from bypassing the proxy and trying to go direct.

Here’s an example entry from access.log, showing the client at 192.168.0.1 attempting to access a (non-existent) page:

1136517432.277 697 192.168.0.1 TCP_MISS/404 20854 GET http://people.freenet.de/jlgaddistest - DIRECT/62.104.23.40 text/html

See the “people.freenet.de”? That’s what we’re going to trigger on using swatch.

I created a config file for swatch at /root/.swatch. Here’s the contents:

watchfor /people.freenet.de/
    mail addresses=jlgaddis-pager:jlgaddis,subject=SOBER.Y
watchfor /scifi.pages.at/
    mail addresses=jlgaddis-pager:jlgaddis,subject=SOBER.Y
watchfor /free.pages.at/
    mail addresses=jlgaddis-pager:jlgaddis,subject=SOBER.Y
watchfor /home.pages.at/
    mail addresses=jlgaddis-pager:jlgaddis,subject=SOBER.Y
watchfor /home.arcor.de/
    mail addresses=jlgaddis-pager:jlgaddis,subject=SOBER.Y

This tells swatch to look for each of the hosts and defines the action to take when it “sees” one.

“addresses=jlgaddis-pager:jlgaddis” causes swatch to send an e-mail notification to both “jlgaddis-pager” and “jlgaddis”. As you might guess, one goes to my e-mail and the other to my pager. Both will have a subject line of “SOBER.Y” and the body of the e-mail will be the exact line that matches in access.log (like the entry I pasted above).
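As an added example (not part of the original post), here is a small Python script that does the same check on Squid’s native access.log format but keys on the host part of the logged URL rather than on a substring anywhere in the line, and that writes out .swatch rules with the dots escaped so a pattern like /home.arcor.de/ cannot match unrelated text. The sample log lines are constructed apart from the first one, which is the entry shown above; the function and variable names are my own.

```python
import re
from urllib.parse import urlsplit

# Hosts SANS listed for Sober.Y, as given in the post above.
SOBER_HOSTS = {"people.freenet.de", "scifi.pages.at", "free.pages.at",
               "home.pages.at", "home.arcor.de"}

# Squid native access.log layout:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<type>\S+)$")

def parse_line(line):
    """Return the log fields as a dict, or None for a line not in native format."""
    m = SQUID_RE.match(line.strip())
    return m.groupdict() if m else None

def url_host(url):
    """Host part of the logged URL; CONNECT requests log 'host:port' with no scheme."""
    if "://" not in url:
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def find_sober_hits(lines, hosts=SOBER_HOSTS):
    """Entries whose destination host is on the list, as (client, host, url) tuples."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and url_host(rec["url"]) in hosts:
            hits.append((rec["client"], url_host(rec["url"]), rec["url"]))
    return hits

def naive_regex_hits(lines, hosts=SOBER_HOSTS):
    """What an unescaped 'watchfor /host/' rule fires on: the name anywhere in the line."""
    return [line for line in lines if any(re.search(h, line) for h in hosts)]

def swatch_config(hosts=SOBER_HOSTS, addresses="jlgaddis-pager:jlgaddis", subject="SOBER.Y"):
    """Emit .swatch rules with the dots escaped so each pattern matches the literal host."""
    return "\n".join(f"watchfor /{re.escape(h)}/\n    mail addresses={addresses},subject={subject}"
                     for h in sorted(hosts))

# Constructed sample log; the first line is the entry shown in the post.
SAMPLE_LOG = [
    "1136517432.277 697 192.168.0.1 TCP_MISS/404 20854 GET http://people.freenet.de/jlgaddistest - DIRECT/62.104.23.40 text/html",
    "1136517433.001 12 192.168.0.2 TCP_HIT/200 512 GET http://www.example.com/index.html - NONE/- text/html",
    "1136517434.500 30 192.168.0.3 TCP_MISS/200 1024 GET http://www.example.com/?q=home.arcor.de - DIRECT/192.0.2.10 text/html",
    "1136517435.000 5 192.168.0.4 TCP_MISS/200 2048 CONNECT home.arcor.de:443 - DIRECT/192.0.2.11 -",
]
```

On the sample log, find_sober_hits reports only the two requests whose destination host is on the list, while naive_regex_hits also fires on the third line, where the name appears only in a query string.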

This works, and will definitely get my attention if, around midnight, my pager starts going off with these messages.


Comments to “monitoring for sober.y with squid and swatch”

  1. NIF Says:

    Bigger-Better-Faster-More

    Today’s dose of NIF – News, Interesting & Funny … limited blogation weekend starting (+ Open Trackbacks)

  2. Tom Wilson Says:

    BRILLIANT!!!

    ;o)

  3. matt richard Says:

    It’s certainly noble to monitor for infected hosts but why not take the simple next step and block the outgoing requests? Squid has native functionality to implement this using ACLs or alternatively you could use a redirector. There are several existing redirectors like squidguard that would work well or in such a simple case you could even write your own.

    The issue is that you’ll know if one of your hosts is infected but you’ll still be allowing the malicious update to occur. It would seem prudent to take the next step and block the sites you’ve identified.

    I manage a similar setup for about 9k mixed OS hosts and adding filtering for known malicious content generally adds little overhead.

  4. Jeremy Says:

    Personally, I agree with you WRT blocking. SANS made the recommendation not to do blocking, since the administrators of those hosts had been notified and the offending files were already removed from the servers.

    Since it wasn’t really deemed a threat (and, TBH, my pager hasn’t gone off once from this), I didn’t mind just monitoring as opposed to blocking.

    In just about any other case, including the recent WMF vulnerability, I would do whatever I could to block the requests, but I trust SANS and their recommendations.

    This was more of a learning exercise for me, with regards to swatch.

  5. jeremygaddis.com » Monitoring for Blackworm with swatc Says:

    [...] As kind of a follow-up to “Monitoring for Sober.Y with Squid and swatch“, I figured I’d throw up this post about monitoring for Blackworm with swatch. [...]
