The Hunt For HTTP Signatures - ISA 2006 Firewall HTTP Filter
[LEFT][CODE]http://www.carbonwind.net/ISA/HTTPSig/HTTPSig1.htm[/CODE]
[SIZE=3][B]Part 1: Playing With Wireshark[/B][/SIZE]
You've bought an ISA 2006 Firewall and you want to use it to block applications like [URL="http://messenger.yahoo.com/"]Yahoo Messenger[/URL] or [URL="http://get.live.com/messenger/overview"]Windows Live Messenger[/URL], just to name a few.
Currently you cannot afford to invest in an advanced web filtering solution like the ones offered by [URL="http://www.websense.com/"]WebSense[/URL] or [URL="http://www.gfi.com/"]GFI[/URL], so you must block such applications manually (not the nicest job in the world).
You are aware that these applications have a "signature". You must therefore identify this signature and then configure the [URL="http://www.microsoft.com/technet/isa/2004/help/FW_HTTPFilter.mspx?mfr=true"]HTTP filter[/URL] in ISA to block it.
Note that the HTTP signatures you can apply on ISA are matched against the Request URL or against the HTTP Headers or Bodies. Both Request and Response Headers or Bodies can be inspected.
Be careful with the Request or Response body: if you make ISA search "deep" into them (by increasing the maximum number of bytes inspected by ISA), you will suffer a performance degradation.
We will search for signatures within the Request URL or within the HTTP Headers or Bodies.
A great tool for the hunt for signatures is our favourite network protocol analyzer, [URL="http://www.wireshark.org/"]Wireshark[/URL].
For those not used to Wireshark, using it to identify signatures can be intimidating. Therefore let's spend a few minutes playing with Wireshark first.
You can skip this part if you are familiar with Wireshark and jump to [URL="http://www.carbonwind.net/ISA/HTTPSig/HTTPSig2.htm"]Part 2[/URL].
Open Wireshark.
Click "Edit" and then click "Preferences". See [B]Figure1[/B].
[IMG]http://www.carbonwind.net/ISA/HTTPSig/Wireshark_Pref.JPG[/IMG]
[B]Figure1: Wireshark Preferences[/B]
On the "User Interface" click "Capture". See [B]Figure2[/B].
[URL="http://www.carbonwind.net/ISA/HTTPSig/Wireshark_Capt_Pref_Big.JPG"][IMG]http://www.carbonwind.net/ISA/HTTPSig/Wireshark_Capt_Pref.jpg[/IMG][/URL]
[B]Figure2: Wireshark Capture Preferences[/B]
Here you can set the default interface so you do not have to specify every time which interface you want to use for capturing packets. You can also capture packets in promiscuous mode (the adapter will capture all frames, not just frames addressed to that adapter), scroll the live capture, hide the capture info dialog ([B]Figure8[/B] shows the capture info dialog), or decide whether "Update list of packets in real time" is checked or not. If you capture without "Update list of packets in real time" checked, Wireshark should not consume memory as it captures packets. However, Wireshark will consume memory when you stop the capture and it reads it.
On the "User Interface" click "Name Resolution". See [B]Figure3[/B].
[URL="http://www.carbonwind.net/ISA/HTTPSig/Wireshark_Name_Pref_Big.JPG"][IMG]http://www.carbonwind.net/ISA/HTTPSig/Wireshark_Name_Pref.jpg[/IMG][/URL]
[B]Figure3: Wireshark Name Resolution Preferences[/B]
Wireshark is able to perform name resolution. MAC name resolution attempts to provide a more human-readable MAC address. Network name resolution will convert an IP address to the hostname associated with it. Transport name resolution will transform TCP/UDP ports into something more "human readable" (say, TCP Port 80 to HTTP). See [B]Figure4[/B].
[URL="http://www.carbonwind.net/ISA/HTTPSig/Wireshark_NameRes_Big.JPG"][IMG]http://www.carbonwind.net/ISA/HTTPSig/Wireshark_NameRes.jpg[/IMG][/URL]
[B]Figure4: Wireshark Name Resolution[/B]
Enabling network name resolution may slow down Wireshark.
On the Menu click "Capture". See [B]Figure5[/B].
[IMG]http://www.carbonwind.net/ISA/HTTPSig/Wireshark_Capt.JPG[/IMG]
[B]Figure5: Wireshark Capture[/B]
If you click on "Interfaces" you have the chance to select on which interface you want to start the capture. See [B]Figure6[/B].
[URL="http://www.carbonwind.net/ISA/HTTPSig/Wireshark_Capt_Int_Big.JPG"][IMG]http://www.carbonwind.net/ISA/HTTPSig/Wireshark_Capt_Int.jpg[/IMG][/URL]
[B]Figure6: Wireshark Capture Interfaces[/B]
If you click on "Options" you can specify some settings for the capture. See [B]Figure7[/B].
[URL="http://www.carbonwind.net/ISA/HTTPSig/Wireshark_Capt_Opt_Big.JPG"][IMG]http://www.carbonwind.net/ISA/HTTPSig/Wireshark_Capt_Opt.jpg[/IMG][/URL]
[B]Figure7: Wireshark Capture Options[/B]
If you click "Start", Wireshark will begin capturing packets. See [B]Figure8[/B].
[URL="http://www.carbonwind.net/ISA/HTTPSig/Wireshark_Capturing_Big.JPG"][IMG]http://www.carbonwind.net/ISA/HTTPSig/Wireshark_Capturing.jpg[/IMG][/URL]
[B]Figure8: Wireshark Capture Started[/B]
From Wireshark Menu, click "View" and "Time Display Format". From here you can select the time format. For example you may want to see the date and the time of the day when a packet was captured. See [B]Figure9[/B] and [B]Figure10[/B].
[URL="http://www.carbonwind.net/ISA/HTTPSig/Ws_Time_Big.JPG"][IMG]http://www.carbonwind.net/ISA/HTTPSig/Ws_Time.jpg[/IMG][/URL]
[B]Figure9: Wireshark Select Time Format[/B]
[URL="http://www.carbonwind.net/ISA/HTTPSig/Ws_Time_Format_Big.JPG"][IMG]http://www.carbonwind.net/ISA/HTTPSig/Ws_Time_Format.jpg[/IMG][/URL]
[B]Figure10: Wireshark Time Format[/B]
After you have captured some traffic you may want to analyze only certain things. For example, you may be interested in HTTP traffic only (TCP port 80). You can apply a filter by entering an expression into the Filter field. See [B]Figure11[/B].
[URL="http://www.carbonwind.net/ISA/HTTPSig/Wireshark_Filter_Big.JPG"][IMG]http://www.carbonwind.net/ISA/HTTPSig/Wireshark_Filter.jpg[/IMG][/URL]
[B]Figure11: Wireshark Filter[/B]
And then Apply this filter. See [B]Figure12[/B].
[URL="http://www.carbonwind.net/ISA/HTTPSig/Wireshark_Filter2_Big.JPG"][IMG]http://www.carbonwind.net/ISA/HTTPSig/Wireshark_Filter2.jpg[/IMG][/URL]
[B]Figure12: Wireshark "tcp.port eq 80" Filter[/B]
The "eq" expression is equivalent to "==" (equality).
The "and" expression is equivalent to "&&" (logical AND).
The "or" expression is equivalent to "||" (logical OR).
The "not" expression is equivalent to "!" (logical NOT).
You may want to see HTTP and HTTPS traffic only. Note that we do not use the "and" expression here; "or" is used instead, since no single packet can be on both ports. See [B]Figure13[/B].
[URL="http://www.carbonwind.net/ISA/HTTPSig/Wireshark_Filter3_Big.JPG"][IMG]http://www.carbonwind.net/ISA/HTTPSig/Wireshark_Filter3.jpg[/IMG][/URL]
[B]Figure13: Wireshark "tcp.port eq 80 or tcp.port eq 443" Filter[/B]
Since there are probably plenty of HTTP packets, it would be useful to view only the interesting HTTP traffic, like packets destined to TCP Port 80 (HTTP requests). Click the "Expression" button, scroll to "TCP" in the "Field Name" list, and select "tcp.dstport == 80". See [B]Figure14[/B].
[URL="http://www.carbonwind.net/ISA/HTTPSig/Wireshark_Filter4_Big.JPG"][IMG]http://www.carbonwind.net/ISA/HTTPSig/Wireshark_Filter4.jpg[/IMG][/URL]
[B]Figure14: Wireshark Building a TCP filter[/B]
And then apply this expression. See [B]Figure15[/B].
[URL="http://www.carbonwind.net/ISA/HTTPSig/Wireshark_Filter5_Big.JPG"][IMG]http://www.carbonwind.net/ISA/HTTPSig/Wireshark_Filter5.jpg[/IMG][/URL]
[B]Figure15: Wireshark "tcp.dstport == 80" Filter[/B]
You can view only packets destined to TCP Port 80 (HTTP requests) or to TCP Port 443 (HTTPS requests). See [B]Figure16[/B].
[URL="http://www.carbonwind.net/ISA/HTTPSig/Wireshark_Filter6_Big.JPG"][IMG]http://www.carbonwind.net/ISA/HTTPSig/Wireshark_Filter6.jpg[/IMG][/URL]
[B]Figure16: Wireshark "tcp.dstport eq 80 or tcp.dstport eq 443" Filter[/B]
You can also filter TCP traffic based on source port or on TCP flags, for example. Wireshark has plenty of firepower.
You may be interested in cleaning up the capture a little by excluding certain ports, for example. You can do that with the "!" (not) expression. In [B]Figure17[/B] Wireshark will not display packets destined to TCP port 80.
[URL="http://www.carbonwind.net/ISA/HTTPSig/Wireshark_Filter7_Big.JPG"][IMG]http://www.carbonwind.net/ISA/HTTPSig/Wireshark_Filter7.jpg[/IMG][/URL]
[B]Figure17: Wireshark "!tcp.dstport eq 80" Filter[/B]
While it is useful to filter traffic based on ports, in certain situations you need to view only HTTP requests using a particular method, such as "POST". Click the "Expression" button, scroll to "HTTP" in the "Field Name" list, and select "http.request.method == POST". See [B]Figure18[/B].
[URL="http://www.carbonwind.net/ISA/HTTPSig/Wireshark_Filter8_Big.JPG"][IMG]http://www.carbonwind.net/ISA/HTTPSig/Wireshark_Filter8.jpg[/IMG][/URL]
[B]Figure18: Wireshark Building an HTTP filter[/B]
And then apply this expression. See [B]Figure19[/B].
[IMG]http://www.carbonwind.net/ISA/HTTPSig/Wireshark_Filter9.jpg[/IMG]
[B]Figure19: Wireshark "http.request.method == "POST" " Filter[/B]
Or you can include other methods like "GET", to view HTTP requests using either the "POST" or the "GET" method. See [B]Figure20[/B].
[URL="http://www.carbonwind.net/ISA/HTTPSig/Wireshark_Filter10_Big.JPG"][IMG]http://www.carbonwind.net/ISA/HTTPSig/Wireshark_Filter10.jpg[/IMG][/URL]
[B]Figure20: "http.request.method eq "POST" or http.request.method eq "GET" " Filter[/B]
You can also filter on IP-level fields (IP address, IP protocol, IP flags and so on). See [B]Figure21[/B] and [B]Figure22[/B].
[URL="http://www.carbonwind.net/ISA/HTTPSig/WS_IP_Expr_Big.JPG"][IMG]http://www.carbonwind.net/ISA/HTTPSig/WS_IP_Expr.jpg[/IMG][/URL]
[B]Figure21: Wireshark IP Expression[/B]
[IMG]http://www.carbonwind.net/ISA/HTTPSig/WS_IP_Filter.jpg[/IMG]
[B]Figure22: Wireshark "ip.addr == 192.168.10.110" Filter[/B]
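To make the filter semantics from Figures 12 to 22 concrete, here is an added Python model (not part of the original article, and not Wireshark's own filter engine) that parses the small display-filter subset used above and runs it over constructed packet records. It shows why "tcp.port eq 80" also catches server replies while "tcp.dstport == 80" keeps only requests, why "and" would match nothing where the text uses "or", and how "!" negates a whole relation; the PACKETS list and the field names are assumptions for the demonstration.

```python
import re
# Constructed sample packets (not a real capture), reduced to the fields the page's filters use.
PACKETS = [
    {"ip.src": "192.168.10.110", "ip.dst": "10.0.0.5", "tcp.srcport": 3456, "tcp.dstport": 80, "http.request.method": "GET"},
    {"ip.src": "10.0.0.5", "ip.dst": "192.168.10.110", "tcp.srcport": 80, "tcp.dstport": 3456},
    {"ip.src": "192.168.10.110", "ip.dst": "10.0.0.6", "tcp.srcport": 3457, "tcp.dstport": 443},
    {"ip.src": "192.168.10.111", "ip.dst": "10.0.0.5", "tcp.srcport": 3458, "tcp.dstport": 80, "http.request.method": "POST"},
    {"ip.src": "192.168.10.111", "ip.dst": "10.0.0.7", "tcp.srcport": 3459, "tcp.dstport": 25},
]
# Fields Wireshark matches against either endpoint of the packet (source or destination).
ALIASES = {"tcp.port": ("tcp.srcport", "tcp.dstport"), "ip.addr": ("ip.src", "ip.dst")}
TOKEN = re.compile(r'\s*(==|&&|\|\||!|"[^"]*"|[\w.]+)')

def tokenize(expr):
    if TOKEN.sub("", expr).strip():  # anything the token regex cannot consume is a syntax error
        raise ValueError("bad filter syntax: %r" % expr)
    return TOKEN.findall(expr)

def parse(expr):
    """Recursive-descent parser for the display-filter subset used on this page: 'field eq/== value'
    joined by and/&&, or/||, not/! (precedence: not > and > or). Returns a packet predicate."""
    toks = tokenize(expr)
    def binary(ops, operand, combine):  # left-associative chain: operand (op operand)*
        left = operand()
        while toks and toks[0] in ops:
            toks.pop(0)
            left = combine(left, operand())
        return left
    def parse_not():
        if toks and toks[0] in ("not", "!"):
            toks.pop(0)
            inner = parse_not()
            return lambda p: not inner(p)
        return relation()
    def relation():
        if len(toks) < 3 or toks[1] not in ("eq", "=="):
            raise ValueError("expected 'field eq value' at %r" % toks[:3])
        field, _, value = toks.pop(0), toks.pop(0), toks.pop(0).strip('"')
        fields = ALIASES.get(field, (field,))
        return lambda p: any(f in p and str(p[f]) == value for f in fields)
    parse_and = lambda: binary(("and", "&&"), parse_not, lambda l, r: lambda p: l(p) and r(p))
    parse_or = lambda: binary(("or", "||"), parse_and, lambda l, r: lambda p: l(p) or r(p))
    pred = parse_or()
    if toks:
        raise ValueError("unexpected token %r" % toks[0])
    return pred

def matching(expr, packets=PACKETS):
    pred = parse(expr)  # indexes of the packets Wireshark would display for this filter
    return [i for i, p in enumerate(packets) if pred(p)]
```

Packet 1 is the server's reply on source port 80, so it is displayed by "tcp.port eq 80" but dropped by "tcp.dstport == 80"; that distinction is what lets you look at requests only when hunting for a signature.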
Wireshark has plenty of options. If you want to find out more about Wireshark make sure you do not miss its excellent [URL="http://wiki.wireshark.org/FrontPage"]Wiki[/URL].
[/LEFT]