If you want to go the Group Policy route, here you go.... If this blows up your computer, your domain, server farm, blender, I'm not responsible... You have to enable the setting for each control inside the GPO to set the kill bit.
; ADM template: sets the IE kill bit (Compatibility Flags bit 0x400 = 1024) for each listed CLSID.
; Enabling a policy writes 1024; disabling it writes 0, which also clears any other
; compatibility flags already set on that CLSID.
CLASS MACHINE
CATEGORY !!VulnFixes
POLICY "MS 972890 Activex component {011B3619-FE63-4814-8A84-15A194CE9CE3}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {0149EEDF-D08F-4142-8D73-D23903D21E90}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0149EEDF-D08F-4142-8D73-D23903D21E90}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {0369B4E5-45B6-11D3-B650-00C04F79498E}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0369B4E5-45B6-11D3-B650-00C04F79498E}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {0369B4E6-45B6-11D3-B650-00C04F79498E}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0369B4E6-45B6-11D3-B650-00C04F79498E}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {055CB2D7-2969-45CD-914B-76890722F112}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{055CB2D7-2969-45CD-914B-76890722F112}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {15D6504A-5494-499C-886C-973C9E53B9F1}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{15D6504A-5494-499C-886C-973C9E53B9F1}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {1BE49F30-0E1B-11D3-9D8E-00C04F72D980}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1BE49F30-0E1B-11D3-9D8E-00C04F72D980}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {1C15D484-911D-11D2-B632-00C04F79498E}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1C15D484-911D-11D2-B632-00C04F79498E}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {1DF7D126-4050-47F0-A7CF-4C4CA9241333}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1DF7D126-4050-47F0-A7CF-4C4CA9241333}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {2C63E4EB-4CEA-41B8-919C-E947EA19A77C}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2C63E4EB-4CEA-41B8-919C-E947EA19A77C}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {334125C0-77E5-11D3-B653-00C04F79498E}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{334125C0-77E5-11D3-B653-00C04F79498E}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {37B0353C-A4C8-11D2-B634-00C04F79498E}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{37B0353C-A4C8-11D2-B634-00C04F79498E}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {37B03543-A4C8-11D2-B634-00C04F79498E}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{37B03543-A4C8-11D2-B634-00C04F79498E}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {37B03544-A4C8-11D2-B634-00C04F79498E}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{37B03544-A4C8-11D2-B634-00C04F79498E}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {418008F3-CF67-4668-9628-10DC52BE1D08}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{418008F3-CF67-4668-9628-10DC52BE1D08}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {4A5869CF-929D-4040-AE03-FCAFC5B9CD42}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4A5869CF-929D-4040-AE03-FCAFC5B9CD42}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {577FAA18-4518-445E-8F70-1473F8CF4BA4}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{577FAA18-4518-445E-8F70-1473F8CF4BA4}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {59DC47A8-116C-11D3-9D8E-00C04F72D980}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{59DC47A8-116C-11D3-9D8E-00C04F72D980}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {7F9CB14D-48E4-43B6-9346-1AEBC39C64D3}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7F9CB14D-48E4-43B6-9346-1AEBC39C64D3}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {823535A0-0318-11D3-9D8E-00C04F72D980}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{823535A0-0318-11D3-9D8E-00C04F72D980}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {8872FF1B-98FA-4D7A-8D93-C9F1055F85BB}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8872FF1B-98FA-4D7A-8D93-C9F1055F85BB}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {8A674B4C-1F63-11D3-B64C-00C04F79498E}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8A674B4C-1F63-11D3-B64C-00C04F79498E}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {8A674B4D-1F63-11D3-B64C-00C04F79498E}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8A674B4D-1F63-11D3-B64C-00C04F79498E}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {9CD64701-BDF3-4D14-8E03-F12983D86664}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9CD64701-BDF3-4D14-8E03-F12983D86664}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {9E77AAC4-35E5-42A1-BDC2-8F3FF399847C}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9E77AAC4-35E5-42A1-BDC2-8F3FF399847C}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {A2E3074E-6C3D-11D3-B653-00C04F79498E}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A2E3074E-6C3D-11D3-B653-00C04F79498E}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {A2E30750-6C3D-11D3-B653-00C04F79498E}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A2E30750-6C3D-11D3-B653-00C04F79498E}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {AD8E510D-217F-409B-8076-29C5E73B98E8}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AD8E510D-217F-409B-8076-29C5E73B98E8}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {B0EDF163-910A-11D2-B632-00C04F79498E}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B0EDF163-910A-11D2-B632-00C04F79498E}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {B64016F3-C9A2-4066-96F0-BD9563314726}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B64016F3-C9A2-4066-96F0-BD9563314726}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {BB530C63-D9DF-4B49-9439-63453962E598}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BB530C63-D9DF-4B49-9439-63453962E598}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {C531D9FD-9685-4028-8B68-6E1232079F1E}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C531D9FD-9685-4028-8B68-6E1232079F1E}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {C5702CCC-9B79-11D3-B654-00C04F79498E}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CCC-9B79-11D3-B654-00C04F79498E}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {C5702CCD-9B79-11D3-B654-00C04F79498E}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CCD-9B79-11D3-B654-00C04F79498E}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {C5702CCE-9B79-11D3-B654-00C04F79498E}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CCE-9B79-11D3-B654-00C04F79498E}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {C5702CCF-9B79-11D3-B654-00C04F79498E}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CCF-9B79-11D3-B654-00C04F79498E}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {C5702CD0-9B79-11D3-B654-00C04F79498E}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CD0-9B79-11D3-B654-00C04F79498E}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {CAAFDD83-CEFC-4E3D-BA03-175F17A24F91}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAAFDD83-CEFC-4E3D-BA03-175F17A24F91}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {D02AAC50-027E-11D3-9D8E-00C04F72D980}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D02AAC50-027E-11D3-9D8E-00C04F72D980}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {F9769A06-7ACA-4E39-9CFB-97BB35F0E77E}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F9769A06-7ACA-4E39-9CFB-97BB35F0E77E}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "MS 972890 Activex component {FA7C375B-66A7-4280-879D-FD459C84BB02}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FA7C375B-66A7-4280-879D-FD459C84BB02}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
END CATEGORY
[strings]
VulnFixes="VulnFixes"
Killit="Set kill bit"
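Before importing a hand-written template like the one above into a GPO it is worth checking it mechanically: every POLICY block should name the same CLSID in its title and its KEYNAME, live under the ActiveX Compatibility key, and set the 0x400 (1024) kill bit in "Compatibility Flags". The script below is an added example, not part of the original post and not a Microsoft tool: it parses the ADM syntax used above, reports blocks that would not actually kill the control they claim to, and emits the equivalent .reg text so the change can be tried on one test host first. The sample template embedded in it is constructed for the demonstration (the second block is deliberately broken); the policy ordering, comment style and names are assumptions.

```python
"""Audit an ADM kill-bit template and emit .reg text for a single-host test.

Added example (not the original template or a Microsoft tool). It parses the
POLICY blocks, checks that every block really sets the ActiveX kill bit
(Compatibility Flags bit 0x400 = 1024) for the CLSID it names, and can emit
the equivalent .reg text for one machine before the GPO is rolled out.
"""
import re

KILL_BIT = 0x400  # "Compatibility Flags" bit that stops IE from loading a control
ACTIVEX_KEY = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed sample: one well-formed block (CLSID taken from the post) and one
# broken block whose KEYNAME CLSID differs and whose value is not the kill bit.
SAMPLE_ADM = r"""
CLASS MACHINE
CATEGORY !!VulnFixes
POLICY "MS 972890 Activex component {011B3619-FE63-4814-8A84-15A194CE9CE3}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY
POLICY "Broken sample {00000000-0000-0000-0000-000000000001}"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY
END CATEGORY
[strings]
VulnFixes="VulnFixes"
Killit="Set kill bit"
"""


def parse_adm(text):
    """Return one dict per POLICY block: name, keyname, valuename, valueon, valueoff."""
    policies, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("POLICY "):
            current = {"name": line[len("POLICY "):].strip('"')}
        elif line == "END POLICY" and current is not None:
            policies.append(current)
            current = None
        elif current is not None:
            key, _, rest = line.partition(" ")
            if key == "KEYNAME":
                current["keyname"] = rest.strip('"')
            elif key == "VALUENAME":
                current["valuename"] = rest.strip('"')
            elif key in ("VALUEON", "VALUEOFF"):
                kind, _, num = rest.partition(" ")
                if kind == "NUMERIC":
                    current[key.lower()] = int(num)
    return policies


def clsid_of(s):
    """First {GUID} found in s, upper-cased, or None."""
    m = CLSID_RE.search(s)
    return m.group(0).upper() if m else None


def audit(policies):
    """Return (clsid, problem) pairs; an empty list means every block kills its CLSID."""
    problems = []
    for p in policies:
        name_clsid, key_clsid = clsid_of(p["name"]), clsid_of(p.get("keyname", ""))
        parent = p.get("keyname", "").rsplit("\\", 1)[0]
        if parent.lower() != ACTIVEX_KEY.lower():
            problems.append((name_clsid, "key is not under ActiveX Compatibility"))
        if key_clsid is None or key_clsid != name_clsid:
            problems.append((name_clsid, "CLSID in policy name does not match KEYNAME"))
        if p.get("valuename") != "Compatibility Flags":
            problems.append((name_clsid, "value is not Compatibility Flags"))
        if not (p.get("valueon", 0) & KILL_BIT):
            problems.append((name_clsid, "VALUEON does not set the 0x400 kill bit"))
    return problems


def to_reg(policies):
    """Equivalent .reg text for the blocks that pass audit (for a single test host)."""
    bad = {c for c, _ in audit(policies)}
    lines = ["Windows Registry Editor Version 5.00", ""]
    for p in policies:
        if clsid_of(p["name"]) in bad:
            continue
        lines.append("[HKEY_LOCAL_MACHINE\\%s]" % p["keyname"])
        lines.append('"%s"=dword:%08x' % (p["valuename"], p["valueon"]))
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    pols = parse_adm(SAMPLE_ADM)
    for clsid, why in audit(pols):
        print("PROBLEM", clsid, why)
    print(to_reg(pols))
```

Run it against the real template by reading the .adm file into `parse_adm` instead of `SAMPLE_ADM`. Note that the audit only checks the "enable" side: disabling a policy in this template writes 0, which clears every compatibility flag on that CLSID, not just the kill bit.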
Tuesday, July 7, 2009
Wednesday, April 8, 2009
Small Update to PcapParser
I have uploaded a new version of PcapParser for all 3 of you who are probably using it ;-). It has small fixes.
1. The last pcap file in the array wasn't being added to the search list when using argus data and the last connection time was > the pcap file timestamp.
2. I set the default linktype to be ethernet in the bpfcompile php extension so that we could match on mac addresses. If you need it to be something else you will have to modify it.
http://doc.emergingthreats.net/pub/Main/PcapParser/pcapp-0.1.tar.bz2
md5sum:e6d71d9a4dd0c5ee7ed033c17150d785
Additionally there was recently a question on the Snort mailing list about automating extraction of sessions etc. I have uploaded the script that I use to automate this. Essentially it tails a Barnyard-generated CSV file and then runs parsep4 based on matched SIDs.
I have uploaded this to the pcap parser page as well, just in case you are looking for a crappy script to do this for you ;-)....
http://doc.emergingthreats.net/pub/Main/PcapParser/sentinal.tar.bz2
md5sum:0be132cd3ac15b184af3e4b39ece4f1a
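Fix 1 above is a classic boundary bug in time-window selection: when capture files are rotated, the newest file has no successor, so its coverage is open-ended and a session whose last packet is newer than that file's timestamp must still select it. The function below is an added example, not PcapParser's own code: it assumes rotated files named <prefix>.<start-epoch> (the naming tcpdump -G and daemonlogger produce), treats each file as covering the span from its own timestamp to the next file's timestamp, and returns the files that overlap a session's first/last-seen times as Argus would report them. The file list and timestamps are constructed for the demonstration.

```python
"""Select the rotated pcap files that can contain a session seen in Argus data.

Added example, not PcapParser's own code. Assumptions: files are named
<prefix>.<start-epoch>; each file covers [its timestamp, next file's timestamp);
the newest file is open-ended. The test case reproduces the edge case from
fix 1 in the post: a session that ends after the newest file's timestamp.
"""
import re

STAMP_RE = re.compile(r"\.(\d{9,10})$")

# Constructed hourly rotation for 5 April 2009 (not real data); deliberately
# unsorted and with one file that carries no timestamp.
SAMPLE_FILES = [
    "/data/pcap/eth0.1238896800",
    "/data/pcap/eth0.1238889600",
    "/data/pcap/README",
    "/data/pcap/eth0.1238893200",
]


def start_time(path):
    """Epoch start time encoded in the file name, or None if it has none."""
    m = STAMP_RE.search(path)
    return int(m.group(1)) if m else None


def pcaps_for_window(files, first_seen, last_seen):
    """Return, oldest first, the files whose coverage overlaps [first_seen, last_seen]."""
    if last_seen < first_seen:
        raise ValueError("last_seen precedes first_seen")
    stamped = sorted((start_time(f), f) for f in files if start_time(f) is not None)
    chosen = []
    for i, (ts, path) in enumerate(stamped):
        # Coverage ends where the next file starts; the newest file has no end,
        # so it is selected whenever the session did not finish before it began.
        next_ts = stamped[i + 1][0] if i + 1 < len(stamped) else None
        starts_before_end = ts <= last_seen
        ends_after_start = next_ts is None or next_ts > first_seen
        if starts_before_end and ends_after_start:
            chosen.append(path)
    return chosen


if __name__ == "__main__":
    # Session starts in the second file and ends 20 minutes after the third began.
    for f in pcaps_for_window(SAMPLE_FILES, 1238895000, 1238898000):
        print(f)
```

The merge step the post describes (mergecap or similar over the returned list) is unchanged; the only thing the selection has to get right is that `next_ts is None` counts as "still open", which is exactly the case the buggy comparison dropped.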
Monday, February 16, 2009
New Version of PCAP Parser

I have updated my PcapParser to support more options and have included a web interface. You can download the latest version here. The web interface uses a php extension that you must install; it verifies bpf syntax that is passed as user input. I'm using PF_RING, so if you are not, look at the README in the bpfcompile subdirectory for instructions. The perl script also now requires Net::Pcap and Mail::Sendmail.
The updated version also has a configuration file that usually lives at /etc/pcapp/pcapp.conf.
All of the options can also be passed as command line options. Anything passed via command line overrides what is in the config file.
The pcap parser will work with or without the web interface. The conf file has to be modified to fit your environment.
If you are using the web interface you must also modify processpcap2_conf.php to supply the directories where your argus and pcap files are stored. These should be the same as pcapdir and argusdir in your pcapp.conf file.
Sample command line usage...
In this example we are going to use all argus files to extract session data about our attacker and then use that to determine which of our pcap files the traffic resides in. The traffic is then merged into a single pcap, and tcpflow, chaosreader, afterglow and honeysnap are run against it. The files are then md5sum'd and the output of these runs is put into a tar.bz file with a web index.
/usr/bin/parsep4.pl -ip="192.168.1.1" -netmask="32" -argusnum=0 -pcapnum=0 -dotcpflow=yes -domd5deep=yes -dochaosreader=yes -doafterglow=yes -dohoneysnap=yes
This is the same as above, although now we are using a bpf to see all tcp traffic that is not on port 80, 443, 20 or 21, and we are only looking through the last argus file, i.e. today's traffic.
/usr/bin/parsep4.pl -bpf="tcp and not port 80 and not port 443 and not port 21 and not port 20" -argusnum=1 -pcapnum=0 -dotcpflow=yes -domd5deep=yes -dochaosreader=yes -doafterglow=yes -dohoneysnap=yes
Sunday, February 1, 2009
PF_RING/IPSET rpms for CentOS5
Matt Jonkman over at emerging threats was nice enough to host a CentOS5 rpm repo for me. I have created a set of i686 kernel rpms that have been patched to include PF_RING and ipset. I did not backport libpcap to the version included with CentOS5, so you will have to recompile your libpcap based tools if you decide to use the pf_ring/libpcap based stuff for the 0.9.7 version in the repo. I also have included rpms for the latest apache etc., so if you drop a file into /etc/yum.repos.d/ I suggest you use the include/exclude options so that you only pull the items that you need/want. There are quite a few other useful tools that have been recompiled to use libpfring.
To use ipset you will have to remove your existing iptables version and replace it with the one in the repo.
link to the repo..
http://www.emergingthreats.net/emergingrepo/
I have also modified the script created by Joshua Gimer for updating the fw rules using ipset which you can download here.
http://doc.emergingthreats.net/pub/Main/EmergingFirewallRules/emerging-ipset-update.pl.txt
Thursday, January 29, 2009
It's better than new AV software from onlineproantispywarescan.com

Ok so I was talking with a consultant today who was visiting my place of employment and he was telling me about all of the troubles that he was having with fake AV software infecting clients. I remembered way back when, I was trying to figure out how to enforce policy with technical controls, i.e. "you are not allowed to download anything off of the internet that is not approved", and came up with this transparent squid config to do so. It is not perfect, but it attempts to stop exe downloads over HTTP based on the following characteristics.
1. File extension
2. File extension inside of content-disposition header
3. mime-type that is sent back in the reply from the server (can be spoofed)
Maybe a fun project to work on would be a mime-sniffer for squid, similar to what IE does, using libmagic. Or maybe hack up what is already in c-icap, as it does mime-sniffing to determine what to send to its AV scanner. I have also hacked up frox to forward requests to squid for ftp downloads and drop the download when we get a denied message from squid. This code needs to be cleaned up and tested more before it is published. Something else interesting to keep an eye on is the SSLBump feature set that is being worked on in squid HEAD. Will we someday get transparent SSL MITM in Squid to filter out unwanted downloads, similar to what vendors like Blue Coat offer?
Anyway let's look at how to do this... The first thing we are going to do is create a custom error page that will be displayed to users if a download is denied for some reason. Yeah, I created it in Open Office; it's late and I'm feeling lazy ;-)... If you wish to use the one I created you can pull it from here. You will need to copy this file to your squid error directory; in my case the file ends up being
/usr/share/squid/errors/English/ERR_BLOCKEXE
Below is the squid.conf file, which you can pull from the emerging threats site as well. It is pretty self explanatory; note that the deny_info page is the one displayed to users when they download something naughty, in this case the ERR_BLOCKEXE file we created. In addition I have found it helpful to generate a simple daily report of the blocked downloads with a cron job.
grep `date +%d/%b/%Y` /var/log/squid/access_log | grep "TCP_DENIED" | grep " 403 " | /bin/mail -s 'daily squid block report' someguy@somesite.com
http_port 3128 transparent
visible_hostname tproxy
#list of trusted domains that we will allow downloads from
acl noscan dstdomain .emergingthreats.net .blackberry.com .macromedia.com .apple.com .windowsupdate.com .hp.com .xerox.com .sw.be .centos.org .microsoft.com .adobe.com .sun.com .nai.com .symantecliveupdate.com .mcafee.com .symantec.com .vmware.com .trendmicro.com
no_cache deny noscan
always_direct allow noscan
#cache junk
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 512 MB
cache_dir ufs /var/spool/squid 2000 16 256
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl manager proto cache_object
#various acl's
acl alldst dst 0.0.0.0/0.0.0.0
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1
acl our_networks src 192.168.2.0/255.255.255.0
acl our_networks src 192.168.1.0/255.255.255.0
#remove accept encoding to prevent gzip stuff along with range requests
header_access Accept-Ranges deny alldst
header_access Accept-Encoding deny alldst
header_replace Accept-Encoding identity
header_replace Accept-Ranges none
#use OpenDNS servers can block adware pr0n etc..
#If you are using a dynamic IP ddclient works very well for
#keeping your account up2date with the latest IP
dns_nameservers 208.67.222.222 208.67.220.220
#techmachines acl
#acl techmachines src 192.168.2.199
#acl techmachines src 192.168.2.200
#we are only redirecting port 80 so only allow port 80 traffic.
acl Safe_ports port 80 # http
http_access deny !Safe_ports
http_access allow manager localhost
http_access deny manager
acl DENY_EXE urlpath_regex -i \.(exe|msi|scr|cab|chm|cpl|hlp|hta|ins|isp|jse|lnk|ocx|reg|sct|vbe|wsc|wsf|pif|sys|shs|zip|rar|tar|7z|torrent)\??$
#domains we always want to block
acl denydomains dstdomain .ssl86.ru .ytgw123.cn .gmail-security.com perlbody.t35.com summertime.1gokurimu.com doradora.atzend.com
http_access deny denydomains
#dst ips we always want to block
acl dstips dst 195.242.161.63 59.106.145.58
http_access deny dstips
#allow trusted domains
http_access allow noscan
http_reply_access allow noscan
#allow your techs or whomever to pull exe's
#http_access allow techmachines
#http_reply_access allow techmachines
#block sites with exe in the uri
deny_info ERR_BLOCKEXE DENY_EXE
http_access deny DENY_EXE
#allow localhost and everything else
http_access allow localhost
http_access allow our_networks
#block exe downloads where the URI does not end in an exe extension but the server still sends one via the Content-Disposition header
#http://www.ietf.org/rfc/rfc2183.txt
#the closing quote is optional so both filename="foo.exe" and filename=foo.exe are caught
acl blocked_contdisp rep_header Content-Disposition -i \.(exe|msi|scr|cab|chm|cpl|hlp|hta|ins|isp|jse|lnk|ocx|reg|sct|vbe|wsc|wsf|pif|sys|shs|zip|rar|tar|7z|torrent)\??"?$
deny_info ERR_BLOCKEXE blocked_contdisp
http_reply_access deny blocked_contdisp
#block exe mime types
acl mime rep_mime_type -i ^application/exe$
acl mime rep_mime_type -i ^application/x-exe$
acl mime rep_mime_type -i ^application/dos-exe$
acl mime rep_mime_type -i ^vms/exe$
acl mime rep_mime_type -i ^application/x-winexe$
acl mime rep_mime_type -i ^application/msdos-windows$
acl mime rep_mime_type -i ^application/x-msdos-program$
acl mime rep_mime_type -i ^application/x-msdownload$
acl mime rep_mime_type -i ^application/x-cab-compressed$
acl mime rep_mime_type -i ^application/x-oleobject$
acl mime rep_mime_type -i ^application/x-cabinet$
acl mime rep_mime_type -i ^application/x-dosexec$
acl mime rep_mime_type -i ^vnd.ms-cab-compressed$
acl mime rep_mime_type -i ^application/x-cabinet-win32-x86$
acl mime rep_mime_type -i ^application/x-pe-win32-x86$
acl mime rep_mime_type -i ^application/x-setupscript$
deny_info ERR_BLOCKEXE mime
http_reply_access deny mime
#allow all other reply
http_reply_access allow all
#get some extra logging info
strip_query_terms off
log_mime_hdrs on
#custom log format for more information
logformat combined %>a %ui %un [%{%d/%b/%Y:%H:%M:%S -0600}tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh %mt
access_log /var/log/squid/access_log combined
error_directory /usr/share/squid/errors/English
coredump_dir /var/spool/squid
#disabled for performance
cache_store_log none
cache_log none
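The three checks the config relies on (extension in the URL path, extension in the Content-Disposition filename, blocked reply MIME type) are easy to reason about offline before trusting the proxy with them. The script below is an added example; it is neither squid's code nor the squid.conf from this post. It re-implements the same three tests in Python with the extension and MIME lists copied from the ACLs above, runs them over constructed request/reply pairs, and reports which check fires. It goes slightly beyond the ACLs in two places that matter for bypasses: it matches the extension against the URL path with the query string removed (the urlpath_regex above anchors on `$`, so `/setup.exe?x=1` would not match it), and it accepts an unquoted Content-Disposition filename. The URLs, headers and filenames are all constructed.

```python
"""Re-implement the post's three download checks so they can be tested offline.

Added example, not squid's code and not the squid.conf from the post. The
extension and MIME lists are copied from the DENY_EXE and mime ACLs; the
sample request/reply pairs are constructed.
"""
import re
from urllib.parse import urlsplit

# Extension list copied from the DENY_EXE acl in the post.
BLOCKED_EXT = (
    "exe|msi|scr|cab|chm|cpl|hlp|hta|ins|isp|jse|lnk|ocx|reg|sct|vbe|wsc|wsf|"
    "pif|sys|shs|zip|rar|tar|7z|torrent"
)
EXT_RE = re.compile(r"\.(%s)$" % BLOCKED_EXT, re.IGNORECASE)
# Filename from Content-Disposition, quoted or not. The post's regex requires a
# closing quote, so a bare filename=setup.exe slips past it; this one does not.
FILENAME_RE = re.compile(r'filename\*?=\s*"?([^";]+)"?', re.IGNORECASE)

# MIME types copied from the `mime` acl in the post.
BLOCKED_MIME = {
    "application/exe", "application/x-exe", "application/dos-exe", "vms/exe",
    "application/x-winexe", "application/msdos-windows",
    "application/x-msdos-program", "application/x-msdownload",
    "application/x-cab-compressed", "application/x-oleobject",
    "application/x-cabinet", "application/x-dosexec", "vnd.ms-cab-compressed",
    "application/x-cabinet-win32-x86", "application/x-pe-win32-x86",
    "application/x-setupscript",
}


def blocked_by_url(url):
    """Check 1: the URL path (query string dropped) ends in a blocked extension."""
    return EXT_RE.search(urlsplit(url).path) is not None


def blocked_by_content_disposition(value):
    """Check 2: the filename in a Content-Disposition header has a blocked extension."""
    m = FILENAME_RE.search(value or "")
    return m is not None and EXT_RE.search(m.group(1).strip()) is not None


def blocked_by_mime(content_type):
    """Check 3: the reply MIME type is on the blocklist (a server can lie here)."""
    media = (content_type or "").split(";", 1)[0].strip().lower()
    return media in BLOCKED_MIME


def decide(url, reply_headers):
    """Name of the first check that fires, in the order squid applies them, or None."""
    if blocked_by_url(url):
        return "url-extension"
    hdrs = {k.lower(): v for k, v in reply_headers.items()}
    if blocked_by_content_disposition(hdrs.get("content-disposition")):
        return "content-disposition"
    if blocked_by_mime(hdrs.get("content-type")):
        return "mime-type"
    return None


# Constructed request/reply pairs (not real traffic).
SAMPLES = [
    ("http://example.test/tools/setup.exe",
     {"Content-Type": "application/octet-stream"}),
    ("http://example.test/get?id=7",
     {"Content-Type": "application/octet-stream",
      "Content-Disposition": 'attachment; filename="update.scr"'}),
    ("http://example.test/get?id=8",
     {"Content-Type": "application/x-msdownload", "Content-Disposition": "inline"}),
    ("http://example.test/readme.txt", {"Content-Type": "text/plain"}),
    ("http://example.test/dl.php?f=1",
     {"Content-Type": "image/gif",
      "Content-Disposition": "attachment; filename=codec.exe"}),
]

if __name__ == "__main__":
    for url, hdrs in SAMPLES:
        print("%-40s %s" % (url, decide(url, hdrs) or "allow"))
```

The last sample is the interesting one: a GIF content type with an unquoted exe filename passes both the MIME check and the post's quoted-only Content-Disposition regex, which is why the optional closing quote matters. None of the three checks inspects the body, so a renamed executable served as text/plain with no Content-Disposition still goes through; that is the gap the libmagic mime-sniffer idea above would close.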
Monday, August 11, 2008
ScreenShot Proggie in Perl
Ever have issues trying to get management to understand log files from your proxy server showing inappropriate user activity? As they say, a picture is worth 1000 words. If you decide to use this little proggie to monitor employee activity, make sure you are within your rights to do so. Also, it is not very stealthy: it just dumps the screenshots to a folder on the local drive or a network share. You need Admin rights to remotely install it, and you need to reboot the machine before it starts working (you can just use the shutdown command in XP). It does write to the Run key, so if you have some sort of AV protection preventing this you will need an alternate way to start it.
First go and download and install the latest version of Active perl 5.8 (5.10 currently does not work)
http://www.activestate.com/store/activeperl/download/
Next we are going to install some deps that we need for taking the screenshots and for converting our perl script to an exe so that the target machine does not need to have perl installed.
ppm install http://www.bribes.org/perl/ppm/PerlMagick.ppd
ppm install http://www.bribes.org/perl/ppm/Parse-Binary.ppd
ppm install http://www.bribes.org/perl/ppm/Win32-EXE.ppd
ppm install http://www.bribes.org/perl/ppm/Module-ScanDeps.ppd
ppm install http://theoryx5.uwinnipeg.ca/ppms/PAR-Dist.ppd
ppm install http://theoryx5.uwinnipeg.ca/ppms/PAR.ppd
ppm install http://theoryx5.uwinnipeg.ca/ppms/PAR-Packer.ppd
ppm install http://theoryx5.uwinnipeg.ca/ppms/Win32-Screenshot.ppd
ppm install Win32::TieRegistry
ppm install File-Copy-Recursive
Make the dir to hold the files that we will transfer to the target system.
mkdir c:\screenshots
Copy the ImageMagick DLLs into the c:\screenshots dir; for some reason pp doesn't package them.
copy C:\Perl\site\lib\auto\Image\Magick\*.dll c:\screenshots
Start the screenshot install build.
-t gives the script the target ip address
-w tells the screenshot proggie where to write the screenshots. Make sure you properly escape things that perl needs escaped, so c:\downloads\ becomes c:\\downloads\\ or file://someserver/somehidenshare/ becomes \\\\someserver\\somehiddenshare\$\\
-i tells the program at what interval to take screen shots. It will not take a screen shot if nobody is logged in or the screen is locked.
-s tells the program what directory to copy over to the remote system. This needs to be the same dir that contains the ImageMagick DLLs. In the example below wearewatching.exe also gets created in this dir.
-d tells the program what the destination directory should be on the remote machine. It doesn't have to be c:\windows\system32\ but it has to be somewhere in the PATH.
-e tells the program what executable name to give the application.
example:
c:\perl\bin\perl f:\\screenshotinstaller3.pl -t 127.0.0.1 -w c:\\downloads\\ -i 60 -s c:\\screenshots\\ -d c:\\windows\\system32\\ -e wearewatching.exe
Once the program is built it will copy the files over to the remote machine and remotely spawn the screenshot process on its first run. The first run will check for the registry key, add it if it is not there, and then exit. You will then have to manually reboot the remote machine.
In this example once the user logs back in it will create a folder with the date below c:\downloads so something like MonAug112008. The program will create a new folder each day and in each folder you will have a new image every 60 seconds while a user is logged in with the format of Domain:username:date.png
Hope somebody else finds it useful ;-).....
Thanx to Matt Jonkman at emerging threats for letting me host this file.
ScreenShotInstaller.zip b1830a24a9bf848bf3bbf6f37611b6d9
Tuesday, March 18, 2008
snort_inline sticky-drop in svn
I have fixed sticky-drop for snort_inline in svn for all 5 of you who are running the latest version out of trunk. As VictorJ says, check it out!!!!!
svn co https://snort-inline.svn.sourceforge.net/svnroot/snort-inline/trunk