Creating custom SonicWall IPS signatures

I’m going to show how to use Kali Linux and Windows 7 Pro, both running in VMware Workstation, to create a packet capture from which a SonicWall IPS signature that detects a reverse shell can be built. Before writing this article I talked to SonicWall support and asked them whether the IPS signatures already detected netcat reverse shells, and was told that they do not. After creating this article, I discovered during testing that they actually do. We can still use this article as a reference for creating custom IPS signatures in the future, so all is not wasted.

On your Kali VM, open a terminal and enter “ncat -l”. This starts ncat listening for our reverse shell on its default port, 31337. You may specify a different port, for example “ncat -l 4444”.

In Kali, start Wireshark and make a note of the IP address of the interface you are using for your capture. Start the Wireshark capture.

In Windows, download netcat from and unzip it to the directory of your choice. Open a cmd prompt and either cd to the directory where netcat was extracted or give the full path to nc, then run the following command: “nc -e 31337”

On Kali, once the Windows 7 machine connects to our ncat listener you will see a Windows command prompt, with the Windows version number in its banner. Stop the Wireshark capture. In Wireshark, enter a display filter to find the right packet: ip.src== and apply it.

Scroll down through the filtered frames until you see:

Click File > Export Selected Packet, check “Selected packet only”, and save it to your desktop.

I installed the Okteta hex editor in Kali (“apt-get install okteta”). There is a command-line hex editor already installed in Kali, but I didn’t want to take the time to learn a CLI hex editor since I had a deadline to get this done. I’ll take the time to learn hexedit later.

Open Okteta and open the single-frame capture you saved earlier. Highlight the part shown highlighted below; we don’t include the directory path in our signature, since that may vary from host to host. If you include anything beyond “Version 6.1.”, the signature becomes specific to that build of Windows, and you will need to edit the capture in your hex editor and export a copy for EVERY version of Windows that you need to protect.

Click File > Export > Values, delete the space in the Separation field so that the Preview field shows the bytes with no spaces between them, and click the Export to File button.

To add the new signature, you first need to add a new “Match Object”. In the SonicWall web interface, go to Firewall > Match Objects and at the bottom click “Add new match object”. Enter an object name (I used “Windows Reverse Shell”), set Match Object Type to “Custom Object”, Match Type to “Exact Match” and Input Representation to “Hexadecimal”, then paste the hex string you exported from the hex editor earlier, click “Add”, and then click “Ok”.
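The steps from the exported frame to the hex string pasted into the Match Object can be scripted, which is handy when you need one copy of the signature per Windows version. The example below is added here and is not code from the original post or from SonicWall: it builds a single-frame libpcap file in memory that stands in for the frame Wireshark exports (the Windows banner, addresses and ports are constructed sample values), pulls the TCP payload out of it with a minimal Ethernet/IPv4/TCP parser, cuts the payload at the end of “Version 6.1.” so that neither the build number nor the prompt path gets into the signature, and emits the separator-free hex the “Hexadecimal” input expects. A simple byte-pattern check stands in for the appliance’s matcher; how SonicWall scopes an Exact Match against a payload is not modelled, and the Windows 10 banner is a constructed sample used only to show why a second signature would be needed for another version.

```python
"""Derive a SonicWall-style hex match pattern from a captured reverse-shell banner."""
import struct

# Constructed sample of what the first frame from a Windows 7 cmd.exe shell carries.
# The prompt path at the end is exactly the part that must stay out of the signature.
SAMPLE_BANNER = (b"Microsoft Windows [Version 6.1.7601]\r\n"
                 b"Copyright (c) 2009 Microsoft Corporation.  All rights reserved.\r\n\r\n"
                 b"C:\\Users\\lab>")

# Cut-off used in the walkthrough: keep everything up to and including "Version 6.1."
SIGNATURE_PREFIX_END = b"Version 6.1."


def build_pcap(payload: bytes, src_ip="192.0.2.10", dst_ip="192.0.2.20",
               src_port=49152, dst_port=31337) -> bytes:
    """Wrap a TCP payload in Ethernet/IPv4/TCP headers inside a libpcap v2.4 file.
    Addresses are documentation-range placeholders; checksums are left at zero."""
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    eth_hdr = b"\x00\x0c\x29\x00\x00\x01" + b"\x00\x0c\x29\x00\x00\x02" + b"\x08\x00"
    frame = eth_hdr + ip_hdr + tcp_hdr + payload
    # Global header: magic, major 2, minor 4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    rec_hdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))  # ts_sec, ts_usec, incl, orig
    return global_hdr + rec_hdr + frame


def tcp_payload_from_pcap(pcap: bytes) -> bytes:
    """Return the TCP payload of the first Ethernet/IPv4/TCP record in a libpcap file."""
    magic, = struct.unpack("<I", pcap[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    linktype, = struct.unpack(endian + "I", pcap[20:24])
    if linktype != 1:
        raise ValueError("expected an Ethernet capture")
    incl_len, = struct.unpack(endian + "I", pcap[32:36])
    frame = pcap[40:40 + incl_len]
    if frame[12:14] != b"\x08\x00":
        raise ValueError("first frame is not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4            # header length in bytes
    if ip[9] != 6:
        raise ValueError("first frame is not TCP")
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4       # TCP header length in bytes
    return tcp[data_off:]


def signature_bytes(payload: bytes) -> bytes:
    """Cut the payload right after 'Version 6.1.' so the build number and the prompt
    path (which differ per host and user) never become part of the signature."""
    idx = payload.find(SIGNATURE_PREFIX_END)
    if idx < 0:
        raise ValueError("Windows version banner not found in payload")
    return payload[: idx + len(SIGNATURE_PREFIX_END)]


def to_match_object_hex(sig: bytes) -> str:
    """Hex with no separators, the form Okteta's Values export gives with an empty
    Separation field and what the Match Object 'Hexadecimal' input takes."""
    return sig.hex().upper()


def pattern_hits(payload: bytes, match_hex: str) -> bool:
    """Stand-in for the firewall's matcher (assumption: a plain substring check)."""
    return bytes.fromhex(match_hex) in payload


def demo():
    """Run the whole pipeline and check the resulting pattern against two sample banners."""
    match_hex = to_match_object_hex(signature_bytes(tcp_payload_from_pcap(build_pcap(SAMPLE_BANNER))))
    # Constructed Windows 10 banner: the 6.1 signature does not cover it, which is the
    # reason the post asks for one edited capture per Windows version.
    win10 = (b"Microsoft Windows [Version 10.0.19045.3693]\r\n"
             b"(c) Microsoft Corporation. All rights reserved.\r\n\r\nC:\\Users\\lab>")
    return match_hex, pattern_hits(SAMPLE_BANNER, match_hex), pattern_hits(win10, match_hex)


if __name__ == "__main__":
    hex_pattern, hits_win7, hits_win10 = demo()
    print("Match Object hex:", hex_pattern)
    print("matches Windows 7 banner:", hits_win7, "| matches Windows 10 banner:", hits_win10)
```

To use it against a real export, replace `build_pcap(SAMPLE_BANNER)` with the bytes of the single-frame file saved from Wireshark; the parser only handles the classic libpcap format, so save in that format rather than pcapng.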

Create a new app rule:

CVE-2014-6271 Shellshock and Sonicwall IPS Signature gaffe?

If you manage a SonicWall firewall, be aware that for some strange reason SonicWall decided to make the signature for Shellshock a “Low” priority. If you’ve enabled IPS on your SonicWall firewall and don’t have “Prevent All” and “Detect All” checked for low-priority attacks, then you’re not protected. WTH? While the CVE and all reports mark it as high, 10/10, why the hell would SonicWall mark it as low?

If you don’t want to check Prevent and/or Detect for all low-priority signatures, you can still prevent Shellshock by searching for Signature ID 10529 and changing Prevention and Detection to Enable, which I recommend you do like, yesterday.