    Bloquear Ultrasurf con Snort vía proyecto Blackstring

    3 Posts 2 Posters 1.3k Views
    • javcasta

      Hello

      Following on from this thread/post: https://forum.pfsense.org/index.php?topic=120647.msg667347#msg667347

      How to block Ultrasurf with Snort via the BlackString project

      According to the BlackString project ( https://github.com/maravento/blackstring ), they maintain a file in which, using sniffers (tcpdump, wireshark), they have captured the signatures or patterns of the Ultrasurf anonymizer's connections.

      The blackstring.txt file ( https://github.com/maravento/blackstring/blob/master/blackstring.txt ), updated as of 21/10/16:

      
      # BLACKSTRING
      # Update Ago 19 2015
      #
      # U-release-to-15x
      1603010048010000440301
      160301013c010001380303
      1603010079010000750303
      1603010066010000620301
      16030100410100003d0301
      16030100630100005f0301
      160301007b0100007b0301
      160301017a010001760303
      160301008b010000870301
      1603010089010000830301
      1603010089010000850301
      160301009C010000980301
      160301009f0100009b0301
      1603010186010001820303
      1603010069010000650301
      # U-cloudfront.net
      16030300c3010000bf0303
      # U-S3.amazonaws.com
      1603010082010000760301
      16030100b6010000b20303
      16030300d6010000d20303
      16030100a20100009e0301
      16030100820100007e0301
      # U16x
      16030100810100007d0303
      16030100a00100009c0303
      160301016a010001660303
      16030101700100016c0303
      16030100b7010000b30303
      16030100b9010000b50303
      16030101310100012d0303
      16030101500100014c0303
      726f79616c64657461696c
      
      

      Converting those contents into Snort rules, it would look something like this:

      
      # ultrasurf
      # Each 11-byte pattern is a TLS record header (16 = handshake, 03 0x = version, 2-byte length)
      # followed by a handshake header (01 = ClientHello, 3-byte length, 2-byte client version),
      # so a rule fires on any ClientHello with those exact lengths and versions, not only Ultrasurf's.
      # gid is left at its default (1): generator ids 100-999999 are reserved for preprocessors
      # (119/120 belong to http_inspect), so the gid:120 originally used here is dropped.
      # The rule with sid 5001129 blocked traffic to the server api.v.dropbox.com, so it will be necessary to tune which rules cut other services.
      alert tcp any any -> any any (content:"|16 03 01 00 48 01 00 00 44 03 01|"; msg:"ultrasurf"; sid:5001101; classtype:misc-activity; rev:1;)
      alert tcp any any -> any any (content:"|16 03 01 01 3c 01 00 01 38 03 03|"; msg:"ultrasurf"; sid:5001102; classtype:misc-activity; rev:1;)
      alert tcp any any -> any any (content:"|16 03 01 00 79 01 00 00 75 03 03|"; msg:"ultrasurf"; sid:5001103; classtype:misc-activity; rev:1;)
      alert tcp any any -> any any (content:"|16 03 01 00 66 01 00 00 62 03 01|"; msg:"ultrasurf"; sid:5001105; classtype:misc-activity; rev:1;)
      alert tcp any any -> any any (content:"|16 03 01 00 41 01 00 00 3d 03 01|"; msg:"ultrasurf"; sid:5001106; classtype:misc-activity; rev:1;)
      alert tcp any any -> any any (content:"|16 03 01 00 63 01 00 00 5f 03 01|"; msg:"ultrasurf"; sid:5001107; classtype:misc-activity; rev:1;)
      alert tcp any any -> any any (content:"|16 03 01 00 7b 01 00 00 7b 03 01|"; msg:"ultrasurf"; sid:5001108; classtype:misc-activity; rev:1;)
      alert tcp any any -> any any (content:"|16 03 01 01 7a 01 00 01 76 03 03|"; msg:"ultrasurf"; sid:5001109; classtype:misc-activity; rev:1;)
      alert tcp any any -> any any (content:"|16 03 01 00 8b 01 00 00 87 03 01|"; msg:"ultrasurf"; sid:5001110; classtype:misc-activity; rev:1;)
      alert tcp any any -> any any (content:"|16 03 01 00 89 01 00 00 83 03 01|"; msg:"ultrasurf"; sid:5001111; classtype:misc-activity; rev:1;)
      alert tcp any any -> any any (content:"|16 03 01 00 89 01 00 00 85 03 01|"; msg:"ultrasurf"; sid:5001112; classtype:misc-activity; rev:1;)
      alert tcp any any -> any any (content:"|16 03 01 00 9C 01 00 00 98 03 01|"; msg:"ultrasurf"; sid:5001113; classtype:misc-activity; rev:1;)
      alert tcp any any -> any any (content:"|16 03 01 00 9f 01 00 00 9b 03 01|"; msg:"ultrasurf"; sid:5001114; classtype:misc-activity; rev:1;)
      alert tcp any any -> any any (content:"|16 03 01 01 86 01 00 01 82 03 03|"; msg:"ultrasurf"; sid:5001115; classtype:misc-activity; rev:1;)
      alert tcp any any -> any any (content:"|16 03 01 00 69 01 00 00 65 03 01|"; msg:"ultrasurf"; sid:5001116; classtype:misc-activity; rev:1;)
      alert tcp any any -> any any (content:"|16 03 03 00 c3 01 00 00 bf 03 03|"; msg:"ultrasurf"; sid:5001117; classtype:misc-activity; rev:1;)
      alert tcp any any -> any any (content:"|16 03 01 00 82 01 00 00 76 03 01|"; msg:"ultrasurf"; sid:5001118; classtype:misc-activity; rev:1;)
      alert tcp any any -> any any (content:"|16 03 01 00 b6 01 00 00 b2 03 03|"; msg:"ultrasurf"; sid:5001119; classtype:misc-activity; rev:1;)
      alert tcp any any -> any any (content:"|16 03 03 00 d6 01 00 00 d2 03 03|"; msg:"ultrasurf"; sid:5001120; classtype:misc-activity; rev:1;)
      alert tcp any any -> any any (content:"|16 03 01 00 a2 01 00 00 9e 03 01|"; msg:"ultrasurf"; sid:5001121; classtype:misc-activity; rev:1;)
      alert tcp any any -> any any (content:"|16 03 01 00 82 01 00 00 7e 03 01|"; msg:"ultrasurf"; sid:5001122; classtype:misc-activity; rev:1;)
      alert tcp any any -> any any (content:"|16 03 01 00 81 01 00 00 7d 03 03|"; msg:"ultrasurf"; sid:5001123; classtype:misc-activity; rev:1;)
      # (sid 5001124 repeated the pattern of sid 5001123 and is omitted; blackstring.txt lists it once)
      alert tcp any any -> any any (content:"|16 03 01 00 a0 01 00 00 9c 03 03|"; msg:"ultrasurf"; sid:5001125; classtype:misc-activity; rev:1;)
      alert tcp any any -> any any (content:"|16 03 01 01 6a 01 00 01 66 03 03|"; msg:"ultrasurf"; sid:5001126; classtype:misc-activity; rev:1;)
      alert tcp any any -> any any (content:"|16 03 01 01 70 01 00 01 6c 03 03|"; msg:"ultrasurf"; sid:5001127; classtype:misc-activity; rev:1;)
      alert tcp any any -> any any (content:"|16 03 01 00 b7 01 00 00 b3 03 03|"; msg:"ultrasurf"; sid:5001128; classtype:misc-activity; rev:1;)
      alert tcp any any -> any any (content:"|16 03 01 00 b9 01 00 00 b5 03 03|"; msg:"ultrasurf"; sid:5001129; classtype:misc-activity; rev:1;)
      alert tcp any any -> any any (content:"|16 03 01 01 31 01 00 01 2d 03 03|"; msg:"ultrasurf"; sid:5001130; classtype:misc-activity; rev:1;)
      alert tcp any any -> any any (content:"|16 03 01 01 50 01 00 01 4c 03 03|"; msg:"ultrasurf"; sid:5001131; classtype:misc-activity; rev:1;)
      # 72 6f 79 61 6c 64 65 74 61 69 6c is the ASCII string "royaldetail"
      alert tcp any any -> any any (content:"|72 6f 79 61 6c 64 65 74 61 69 6c|"; msg:"ultrasurf"; sid:5001132; classtype:misc-activity; rev:1;)
      
      

      The rule with sid 5001129 blocked my traffic to the server api.v.dropbox.com, so everyone will have to tune which rules cut other services and choose to remove them if they are not wanted.

      On Debian or another Linux, with iptables, implementing BlackString is quite easy:

      • download the blackstring.txt file and place it in /etc/acl/
      • and run the following script:
      #!/bin/bash
      # Insert a log rule and a drop rule into FORWARD for every BlackString pattern.
      iptables=/sbin/iptables
      route=/etc/acl
      # sed strips the comment lines; every remaining line is a bare hex pattern
      for string in $(sed '/#.*/d' $route/blackstring.txt); do
        # -I inserts at the top of the chain, so insert DROP first and NFLOG second:
        # the log rule then sits above the drop rule and actually sees the packet
        # (inserting them in the opposite order leaves DROP on top and nothing is logged)
        $iptables -I FORWARD -m string --hex-string "|$string|" --algo kmp -j DROP
        $iptables -I FORWARD -m string --hex-string "|$string|" --algo kmp -j NFLOG --nflog-prefix 'Illegal String'
      done
      

      I wouldn't know how to do it for pf or ipfw on pfSense, but via Snort, with the rules above, I think that would be enough.

      Regards

      Javier Castañón
      Communications, support and systems technician.

      My website: https://javcasta.com/

      Scripting/pfSense support https://javcasta.com/soporte/

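The conversion described in the post above (BlackString hex patterns to Snort rules) and the Dropbox false positive it mentions, as an added example that is not code from the BlackString project or from the forum post. It parses the blackstring.txt format, decodes each 11-byte pattern as a TLS record header plus ClientHello handshake header (which is why any ClientHello with the same lengths and versions matches), renders Snort 2 rules without the reserved gid 120 and with `flow`/`depth` anchoring for the ClientHello patterns, and emulates the unanchored string match that iptables `-m string` and a bare `content` perform. The sample pattern list, the sid base and the fake api.v.dropbox.com ClientHello are constructed for the example.

```python
"""Turn BlackString hex patterns into Snort rules and decode what they match.

Added example; not code from the BlackString project or the forum post.
Assumptions: input uses the blackstring.txt layout (hex lines, '#' comments);
the sample text and the fake ClientHello below are constructed.
"""


# Constructed sample in blackstring.txt format (a subset of the post's list,
# with one line deliberately duplicated to exercise the de-duplication).
SAMPLE_BLACKSTRING = """\
# BLACKSTRING
# U-release-to-15x
1603010048010000440301
160301013c010001380303
# U16x
16030100810100007d0303
16030100810100007d0303
726f79616c64657461696c
"""


def parse_patterns(text):
    """Return the unique hex patterns in file order, dropping comments and blanks."""
    seen, patterns = set(), []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if not line:
            continue
        bytes.fromhex(line)  # raises ValueError on a malformed pattern
        if line not in seen:
            seen.add(line)
            patterns.append(line)
    return patterns


def describe(pattern):
    """Say what a pattern is: a TLS ClientHello header, ASCII text, or raw bytes.

    Layout of the 11-byte TLS patterns:
      record:    type(1)=0x16 handshake, version(2), length(2)
      handshake: type(1)=0x01 ClientHello, length(3), client version(2)
    Each pattern therefore pins only lengths and versions, not Ultrasurf itself.
    """
    b = bytes.fromhex(pattern)
    if len(b) == 11 and b[0] == 0x16 and b[5] == 0x01:
        rec_len = int.from_bytes(b[3:5], "big")
        hs_len = int.from_bytes(b[6:9], "big")
        return "TLS ClientHello, record v%d.%d len %d, handshake len %d, client v%d.%d" % (
            b[1], b[2], rec_len, hs_len, b[9], b[10])
    try:
        return "ASCII %r" % b.decode("ascii")
    except UnicodeDecodeError:
        return "raw bytes"


def snort_rule(pattern, sid):
    """Render one Snort 2 text rule.

    gid stays at the default of 1: generator ids 100-999999 are reserved for
    preprocessors (119/120 are http_inspect), so gid:120 is not usable here.
    ClientHello patterns get flow/depth so they match only at offset 0 of the
    client's first payload; the literal string pattern matches anywhere.
    """
    content = " ".join(pattern[i:i + 2] for i in range(0, len(pattern), 2))
    opts = ['msg:"ultrasurf blackstring"']
    if describe(pattern).startswith("TLS ClientHello"):
        opts += ["flow:to_server,established",
                 'content:"|%s|"' % content,
                 "depth:%d" % (len(pattern) // 2)]
    else:
        opts.append('content:"|%s|"' % content)
    opts += ["classtype:misc-activity", "sid:%d" % sid, "rev:1"]
    return "alert tcp any any -> any any (%s;)" % "; ".join(opts)


def build_rules(text, first_sid=5001101):
    """One rule per unique pattern, with consecutive sids starting at first_sid."""
    return [snort_rule(p, first_sid + i) for i, p in enumerate(parse_patterns(text))]


def first_match(payload, patterns):
    """Emulate iptables -m string / an unanchored Snort content: substring search."""
    for p in patterns:
        if bytes.fromhex(p) in payload:
            return p
    return None


# Constructed ClientHello from a non-Ultrasurf client: same record/handshake
# lengths as the second pattern (321 bytes total = 5 + 316), so it is flagged
# even though the SNI is unrelated. This is the Dropbox false positive.
FAKE_HELLO = (bytes.fromhex("160301013c010001380303") + b"\x00" * 32
              + b"\x00\x00" + b"api.v.dropbox.com" + b"\x00" * 259)


if __name__ == "__main__":
    pats = parse_patterns(SAMPLE_BLACKSTRING)
    for rule in build_rules(SAMPLE_BLACKSTRING):
        print(rule)
    for p in pats:
        print(p, "->", describe(p))
    print("false positive on:", first_match(FAKE_HELLO, pats))
```

Running it prints the generated rules, the decoded meaning of each pattern, and shows that the constructed non-Ultrasurf ClientHello still hits the second pattern; `depth` and `flow` cannot remove that class of false positive, because the header bytes are identical, so the rules that collide with legitimate services have to be pruned as the post says.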
      • bellera

        When I started with pfSense I played around a bit with fwbuilder

        http://serverfault.com/questions/228313/how-to-go-from-iptables-to-pf

        http://www.fwbuilder.org/

        I don't know whether it's using a sledgehammer to crack a nut, but it may help to go from iptables to pf.

        • javcasta

          Hello

          Yes, I used fwbuilder (it was very good; I haven't used it in a long time) to convert Cisco ACLs to iptables, or ipfw/wipfw to iptables and vice versa.

          But the problem is that pf (packet filter) does not have the iptables string --hex-string option, so there is no way to convert that iptables rule to pf, except via an IDS/IPS (Snort, Suricata).

          I've read that the pf people don't even plan to implement it (they'll have their reasons):

          http://misc.openbsd.narkive.com/ivQyQYIz/pf-string-march

          Will exist an option "string match" like there is in iptables in the next
          versions of pf?

          But anyway, since pfSense is a full system and not just a firewall, with Snort it works great :)

          Regards

          Javier Castañón
          Communications, support and systems technician.

          My website: https://javcasta.com/

          Scripting/pfSense support https://javcasta.com/soporte/

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.