March 6, 2011

SpiderTrap as an active response

SpiderTrap was created by the Pauldotcom crew to mess with attackers. The original version servers up four random links regardless of the URL requested. This can cause web crawlers and scanners to get stuck in an endless loop and possibly crash. WebLabyrinth is a PHP version of SpiderTrap with a few additional features. It reads in text from a file and makes random words in the text links to random URL’s. Also, WebLabyrinth will randomly return HTTP errors to possibly confuse the scanner. Although the PHP version would work I wanted to run a python web server on the loopback to combine SpiderTrap and OSSEC.

I ported WebLabyrinth’s additional features to python and added them to SpiderTrap. This allows for SpiderTrap to listen on the loopback for connections being directed away from the normal website. To redirect offending IP’s I modified the pf.sh included with OSSEC and added a table for redirection to pf.conf. This setup works on FreeBSD 8.1 running PF*.

This is what the pf.conf looks like:

# ossec firewall tables and rules
table <ossec_fwtable> persist
table <ossec_rdrtable> persist

rdr pass proto tcp from <ossec_rdrtable> to port 80 -> 127.0.0.1 port 8080

block in quick from <ossec_fwtable> to any
block out quick from any to <ossec_fwtable>

By putting the redirection before the standard OSSEC blocking rule web traffic will be redirected but any other traffic will be dropped. To add IP’s triggering web scanning signatures a command and active response needs to be added to OSSEC. To match any web scanning signature a new rule needs to be added to the web_rules.xml. Active response’s don’t seem to have a group match criteria however rules do. By created a new rule that matches all of the web_scan signatures that rule can be references in the active response rule.

<!-- add this rule to web_rules.xml -->
  <rule id="31166" level="10">
    <if_matched_group>web_scan</if_matched_group>
    <description>Signature to trigger web redirect active response</description>
  </rule>

<!-- add these to ossec.conf -->

  <command>
    <name>pf-redirect</name>
    <executable>pf-redirect.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <!-- Firewall Redirect response. Redirect the IP for
       - 600 seconds on the firewall (pf only...).
      -->
    <command>pf-redirect</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
    <rules_id>31166</rules_id>
  </active-response>

*The version of PF included with FreeBSD 8.1 is an older version than the current PF in OpenBSD.