Why does my Rule not match?



  • Hi all,

    last week a partner asked me to support him in removing Zeus from his client's network. The network is as follows:

    DSL-onAir - [(192.168.1.xxx) WAN] - pfSense - [LAN (192.168.2.xxx)]

    I've created a firewall rule like this:

    Action                    Proto      Source  S-Port    Destination (Alias) D-Port
    Block(& Protocoll)     TCP LAN net *  CC_Sinkhole_IPs 80&443

    But I got another Report from CBL that we contacted a sinkhole IP that is already listed in that firewall alias… From how I understand pfSense firewalling rules, this should already be blocked.

    I hope one of you can gi'me a hint why that rule did not match as expected...

    BTW: No, there isn't a any/any rule in that setup...

    Edit:

    Here's the info I see on CBL:

    
    IP Address 212.xz.xy.xxx is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.
    
    It was last detected at 2013-07-22 09:00 GMT (+/- 30 minutes), approximately 7 hours ago.
    
    It has been relisted following a previous removal at 2013-07-22 05:28 GMT (10 hours, 34 minutes ago)
    
    
    
    This was detected by a TCP/IP connection from 212.xz.xy.xxx on port 51257 going to IP address 82.165.37.26 (the sinkhole) on port 80.
    
    The botnet command and control domain for this connection was "graceinthedarkness11.net".
    
    

    82.165.37.26 and graceinthedarkness11.net are both part of my firewall-alias "CC_Sinkhole_IPs"…

    Greetz
    Mircsicz



  • As no one come's up with an idea here's some more information:

    My Firewall config

    and the aliases

    I hope one of you will be able to gi'me a hint, cause their ext. IP got listed again by http://cbl.abuseat.org/

    Here's what they stated:

    
    IP Address 212.xz.xy.xxx is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.
    
    It was last detected at 2013-07-24 20:00 GMT (+/- 30 minutes), approximately 3 hours, 30 minutes ago.
    
    It has been relisted following a previous removal at 2013-07-23 08:08 GMT (1 days, 15 hours, 24 minutes ago)
    
    This IP is infected with, or is NATting for a machine infected with Win32/Zbot (Microsoft).
    
    This was detected by observing this IP attempting to make contact to a Zeus Command and Control server, with contents unique to Zeus C&C command protocols.
    
    Zbot is known by other names: Wsnpoem (Symantec) and most commonly as Zeus.
    
    Zbot/Zeus is a banking trojan, and specializes in stealing personal information (passwords, account information, etc) from interactions with banking sites through the use of "formgrabs".
    
    This was detected by a TCP/IP connection from 212.xz.xy.xxx on port 55944 going to IP address 82.165.37.26 (the sinkhole) on port 80.
    
    The botnet command and control domain for this connection was "graceinthedarkness11.net".
    
    

    As that machine is running on a ALIX-Board there's only limited log-file space, so all log's are sent to a syslog-server. But neither the IP or Port are mentioned in the log's!!!



  • You could look at Diagnostics->Tables, verify that CC_Sinkhole_IPs is a table, and has the needed IPs in it.
    Maybe there is some issue with having a mix of IP addresses and FQDNs in 1 alias? I just looked on my system (2.1-RC0) and a mixed alias like that is working.


  • Banned

    Well, maybe it just did not resolve due to DNS failure, or whatever. Also, I'd block pretty much every port, not just web ports. You do NOT want any such outgoing traffic to those IPs. Also afraid the alias is vastly incomplete. A maintained ZeUS blocklist in a format usable by pfBlocker is available here: http://list.iblocklist.com/?list=ynkdjqsjyfmilsgbogqf&fileformat=p2p&archiveformat=gz, currently has 217 CC servers.



  • Did you use toggle button adjacent to a tick box to disable/enable rule? If so try rebooting pfsense to see if rule in question starts working.
    I noticed that using a toggle button does not always re-enable the rule.



  • Wow, first no single answer and then three in a row… Awesome, thank you all so much!!!

    @ phil.davis
    Thx Phil, I had a look at Diag > Tables and that one is OK...

    @ doktornotor
    Thx I already had that link: http://www.netsecdb.de/?q=node/3081 I now used it and combined it with your URL...

    @ andriusst
    I did a reboot last night, sadly I had another access to 82.165.37.26 an hour before that!

    I'll let you know what the log's are containing when I check em next on monday.

    Greetz
    Mircsicz



  • According to CBL they again had contact with 82.165.37.26…

    So it seems the rule's didn't work again! And a grep on the exported log's did show that the IP is once more not mentioned in the log's. Which is quite logical if the rule doesn't work...  >:(

    I've rebooted the box again to see if that helps!

    Greetz
    Mircsicz


  • Banned

    A bunch of notes:
    0/ The CBL nonsense blacklist is broken in the first place, as are any blocklists that do collateral listings.
    1/ WTH is "contact"? If I telnet to the IP:80 (say for diagnosing the firewall settings), I'll get on their blocklist? Wonderful concept.  ::)
    2/ Trying to block something on firewall absolutely does not solve the root problem, which are the (allegedly) infected boxes. After one week spent with hunting the ghosts, it'd be about time to scan the machines with AV scanner instead and disinfect/reimage them.

    EDIT: Frankly, I don't trust the guys and their claims about "contacts" at all… Set up some outbound NAT/port forward for the IP (82.165.37.26), set up a webserver, let it log the requests.



  • To your 2nd point:
    they define 'contact' as follows:

    
    This was detected by observing this IP attempting to make contact to a Zeus Command and Control server, with contents unique to Zeus C&C command protocols.
    
    

    So I expect em to wireshark that IP…

    To your 3rd point:
    We used 'desinfec't' from a German computer-mag, it's an ubuntu based live-cd and utilizes up to 5 different scanners... But could not clean all of the machines!

    So the plan is to block&log that traffic and then see which machine is trying to call 'home'! If this would be my network there would be a default image, but there aren't even backups of those client's... I don't wanna share my other judgement about that 'strategy'! I'm only in charge for the firewall....

    Greetz
    mircsicz

    EDIT: I don't get that outbound NAT hint can explain that Little further pls?


  • Banned

    @mircsicz:

    EDIT: I don't get that outbound NAT hint can explain that Little further pls?

    The idea was, instead of trying to block, redirect the traffic to some local webserver and log the requests… instead of relying on CBL folks' claims about something making "contacts". As said, these DNSBL folks are generally the sort of people I plain don't trust.



  • If you have been infected with ZEUS (or anything for that matter), don't attempt to clean it.  Wipe it and do a full reinstall.  Once a machine has been infected in such a way, you can never trust that install again.  Also, if ZEUS has done its job, you need to treat your entire network as if you have lost all your passwords to a thief.  Change them all.  Also, if I were a thief, one of the first things I would do is build myself some access to your systems for when you found my trojan.  Maybe add an account for myself and use SSH or something.  So, your problem could potentially go further than just eliminating the trojan.

    Also, here is a lesson for future infrastructure decisions:

    Zeus targets Microsoft Windows machines. It does not work on Mac OS X or Linux.  (This is the case with almost all malwar)


  • Banned

    @kejianshi:

    If you have been infected with ZEUS (or anything for that matter), don't attempt to clean it.  Wipe it and do a full reinstall.  Once a machine has been infected in such a way, you can never trust that install again.

    That's pretty much valid for any similar compromise. Suggested reading:
    Help: I Got Hacked. Now What Do I Do?
    Help: I Got Hacked. Now What Do I Do? Part II

    The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications). Alternatively, you could of course work on your resume instead, but I don’t want to see you doing that.



  • I agree with the doktornotor.