Community discussions

MikroTik App
 
dw5304
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Apr 12, 2011 9:36 pm

content filter by hex

Mon Apr 28, 2014 9:08 pm

I'm trying to create a brute force rule that will automatically block ms sql attacks. I have the content of the packet but cant seem to figure out how to create a hex based rule... it does say "Login Failed" ....

4C 00 6F 00 67 00 69 00 6E 00 20 00 66 00 61 00 69 00 6C 00 65 00 64

how can i take this hex above and create a content filter to match it.
I have already tried to use nth for every 2 packets but it dont seem to work.
any help would be appreciated.
thanks

/ip firewall mangle> print
0 chain=prerouting action=log content=\4C\00\6F\00\67\00\69\00\6E\00\20\00\66\00\61\00\69\00\6C\00\65\00\64 log-prefix="failed"


screenshot of the packet created.
Image
 
dw5304
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Apr 12, 2011 9:36 pm

Re: content filter by hex

Wed May 14, 2014 10:08 pm

bump.
 
DmitriiP
just joined
Posts: 18
Joined: Sat Mar 09, 2013 9:42 pm

Re: content filter by hex

Thu May 15, 2014 1:09 am

try with L7
/ip firewall layer7-protocol add comment="" name=LoginFailed regexp="\\x4C\\x00\\x6F\\x00\\x67\\x00\\x69\\x00\\x6E\\x00\\x20\\x00\\x66\\x00\\x61\\x00\\x69\\x00\\x6C\\x00\\x65\\x00\\x64"
 
dw5304
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Apr 12, 2011 9:36 pm

Re: content filter by hex

Thu May 15, 2014 11:42 pm

when trying to add /ip firewall layer7-protocol add comment="track sql login failures" name=sqlloginfailed regexp="\\x4C\\x00\\x6F\\x00\\x67\\x00\\x69\\x00\\x6E\\x00\\x20\\x00\\x66\\x00\\x61\\x00\\x69\\x00\\x6C\\x00\\x65\\x00\\x64"
i end up with: "failure: null (\x00) in regexp. A null terminates the regexp string!"
 
DmitriiP
just joined
Posts: 18
Joined: Sat Mar 09, 2013 9:42 pm

Re: content filter by hex

Fri May 16, 2014 2:14 am

don't know

try differrent ways:
add /ip firewall layer7-protocol add comment="track sql login failures" name=sqlloginfailed regexp="\\x4C\\0\\x6F\\0\\x67\\0\\x69\\0\\x6E\\0\\x20\\0\\x66\\0\\x61\\0\\x69\\0\\x6C\\0\\x65\\0\\x64"

or

add /ip firewall layer7-protocol add comment="track sql login failures" name=sqlloginfailed regexp="\\x4C\\u0000\\x6F\\u0000\\x67\\u0000\\x69\\u0000\\x6E\\u0000\\x20\\u0000\\x66\\u0000\\x61\\u0000\\x69\\u0000\\x6C\\u0000\\x65\\u0000\\x64"

or

add /ip firewall layer7-protocol add comment="track sql login failures" name=sqlloginfailed regexp="\\x4C[^.]\\x6F[^.]\\x67[^.]\\x69[^.]\\x6E[^.]\\x20[^.]\\x66[^.]\\x61[^.]\\x69[^.]\\x6C[^.]\\x65[^.]\\x64"

or

add /ip firewall layer7-protocol add comment="track sql login failures" name=sqlloginfailed regexp="\\x4C.\\x6F.\\x67.\\x69.\\x6E.\\x20.\\x66.\\x61.\\x69.\\x6C.\\x65.\\x64"
 
dw5304
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Apr 12, 2011 9:36 pm

Re: content filter by hex

Fri May 16, 2014 3:30 am

thanks was able to get the rule in now need to figure out why its seems like its not matching :).
 
dw5304
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Apr 12, 2011 9:36 pm

Re: content filter by hex

Tue Jul 22, 2014 10:25 pm

I haven't been able to get the filter rule to log any results as of yet. with the filter rules above.
Does anyone else have any ideas?
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12438
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: content filter by hex

Tue Jul 22, 2014 10:29 pm

Mmmmmm........

Why complicate simpler things?
/ip firewall layer7-protocol add comment="track sql login failures" name=sqlloginfailed regexp="L.o.g.i.n. .f.a.i.l.e.d."
the dot "." on regexp stay for "any" character.


The problem are another: this errors appear on first 10 packet or first 2KBytes of the connection?

MUST appear on that limit for each connection, or you do not see any matching.
 
dw5304
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Apr 12, 2011 9:36 pm

Re: content filter by hex

Tue Jul 22, 2014 11:12 pm

ah that might do it :(... packet number 13... and also 4.7k
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12438
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: content filter by hex

Tue Jul 22, 2014 11:17 pm

Nice idea, but not working as expected.

I suppose when link fail sql close connection?

Try to count connection bytes.

If is on (for hypotesys) 14/16 packet only on 4.5/5.1KB only, is probvably one brute force attack?

Or better: you do not know what are the IP of calling clients?
Simply permit that IP and tarpit all other connections...
 
dw5304
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Apr 12, 2011 9:36 pm

Re: content filter by hex

Tue Jul 22, 2014 11:26 pm

yes that is correct. as soon as it gets an invalid log in the connection to sql closes.
as to the 14/16 packet only not sure what you mean.
Unfortunately the "allowed" ip's are not known. multiple wan address from multiple companies.
 
peterzaher
just joined
Posts: 1
Joined: Wed Dec 04, 2013 11:28 am

Re: content filter by hex

Mon Dec 15, 2014 3:10 am

Did you solve the problem i have the same and dont know how to fix
 
dw5304
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Apr 12, 2011 9:36 pm

Re: content filter by hex

Wed Dec 17, 2014 11:51 pm

issue has not yet been resolved.

I haven't had much of a chance to go back to this.

Who is online

Users browsing this forum: Google [Bot], GoogleOther [Bot] and 40 guests