
Matt Brown Cory Lovelace


Presentation Transcript


  1. Matt Brown Cory Lovelace

  2. Intro to Snort
     • What is Snort?
       • Snort is a lightweight multi-mode packet analysis tool
         • Packet Sniffer
         • Packet Logger
         • Network Intrusion Detection System
     • Where did it come from?
       • Developed out of the evolving need to perform network traffic analysis both in real time and for forensic post-processing

  3. Lightweight IDS
     • What makes Snort “lightweight?”
       • Simple to deploy
       • Cross-platform
       • Small system footprint
       • Easy to configure

  4. Snort stats
     • ~800k source code
     • Portable (Linux, Windows, MacOS X, Solaris, BSD, IRIX, Tru64, HP-UX, etc.)
     • Fast (high probability of detection for a given attack on 100 Mbps networks)
     • Free (GPL/open-source software)

  5. Snort vs. The World!
     • Shares commonalities with both sniffers and NIDS
     • Two programs comparable to Snort
       • tcpdump
       • Network Flight Recorder

  6. vs. tcpdump
     • Both are command-line packet analyzers
     • Snort features packet payload inspection (tcpdump does not)
       • Includes the application layer (HTTP, DNS, SSH, etc.)
     • Snort's output is more user-friendly than tcpdump's

  7. vs. Network Flight Recorder
     • NFR is a more complete network analysis tool
     • Besides being free, Snort can be more quickly adapted to new threats

  8. Sample NFR rule to detect CGI probe
     badweb_schema = library_schema:new( 1, ["time", "int", "ip", "ip", "str"], scope());
     # list of web servers to watch. List IP address of servers or a netmask
     # that matches all. use 0.0.0.0:0.0.0.0 to match any server
     da_web_servers = [ 0.0.0.0:0.0.0.0 ] ;
     query_list = [ "/cgi-bin/nph-test-cgi?", "/cgi-bin/test-cgi?", "/cgi-bin/perl.exe?", "/cgi-bin/phf?" ] ;
     filter bweb tcp ( client, dport: 80 )
     {
       if (! ( tcp.connDst inside da_web_servers) ) return;
       declare $blob inside tcp.connSym;
       if ($blob == null)
         $blob = tcp.blob;
       else
         $blob = cat ( $blob, tcp.blob );
       while (1 == 1) {
         $x = index( $blob, "\n" );
         if ($x < 0) # break loop if no complete line yet
           break;

  9. Snort rules to detect the same probe
     alert tcp any any -> any 80 (msg:"CGI-nph-tst-cgi"; content:"cgi-bin/nph-test-cgi?"; flags: PA;)
     alert tcp any any -> any 80 (msg:"CGI-test-cgi"; content:"cgi-bin/test-cgi?"; flags: PA;)
     alert tcp any any -> any 80 (msg:"CGI-perl.exe"; content:"cgi-bin/perl.exe?"; flags: PA;)
     alert tcp any any -> any 80 (msg:"CGI-phf"; content:"cgi-bin/phf?"; flags: PA;)

  10. Category of IDS
     • Network Intrusion Detection System (NIDS)
       • Listens to and analyses traffic on a network
       • Captures data packets
       • Compares them with a database of signatures
     • Host-based Intrusion Detection System (HIDS)
       • Installed as an agent on a host
       • Listens to and analyses system logs

  11. Snort-based IDS

  12. Multiple Sensor IDS

  13. Single Sensor IDS

  14. Using Snort
     • Three main operational modes
       • Sniffer Mode
       • Packet Logger Mode
       • NIDS Mode
     • Operational modes are configured via command-line switches
     • If no command-line switches are given, Snort automatically tries to go into NIDS mode and looks for the snort.conf configuration file in /etc

  15. Using Snort – Sniffer Mode
     • Works much like tcpdump
     • Decodes packets and dumps them to stdout
     • Berkeley packet filter (BPF) interface available to restrict which network traffic is displayed

  16. What Do The Packet Dumps Look Like?
     =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
     11/09-11:12:02.954779 10.1.1.6:1032 -> 10.1.1.8:23
     TCP TTL:128 TOS:0x0 ID:31237 IpLen:20 DgmLen:59 DF
     ***AP*** Seq: 0x16B6DA Ack: 0x1AF156C2 Win: 0x2217 TcpLen: 20
     FF FC 23 FF FC 27 FF FC 24 FF FA 18 00 41 4E 53 ..#..'..$....ANS
     49 FF F0 I..
     =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
     11/09-11:12:02.956582 10.1.1.8:23 -> 10.1.1.6:1032
     TCP TTL:255 TOS:0x0 ID:49900 IpLen:20 DgmLen:61 DF
     ***AP*** Seq: 0x1AF156C2 Ack: 0x16B6ED Win: 0x2238 TcpLen: 20
     0D 0A 0D 0A 53 75 6E 4F 53 20 35 2E 37 0D 0A 0D ....SunOS 5.7...
     00 0D 0A 0D 00 .....
     =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
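The dump layout above can be parsed mechanically. As an added example (not from the slides), this Python reads records in that layout, derives the payload length from DgmLen - IpLen - TcpLen, and recovers the payload bytes from the hex column; the sample dump is constructed to mirror the two records on the slide.

```python
import re

# Constructed sample laid out like slide 16 (Snort sniffer mode with -v -d); not a live capture.
SAMPLE_DUMP = """\
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
11/09-11:12:02.954779 10.1.1.6:1032 -> 10.1.1.8:23
TCP TTL:128 TOS:0x0 ID:31237 IpLen:20 DgmLen:59 DF
***AP*** Seq: 0x16B6DA Ack: 0x1AF156C2 Win: 0x2217 TcpLen: 20
FF FC 23 FF FC 27 FF FC 24 FF FA 18 00 41 4E 53 ..#..'..$....ANS
49 FF F0 I..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
11/09-11:12:02.956582 10.1.1.8:23 -> 10.1.1.6:1032
TCP TTL:255 TOS:0x0 ID:49900 IpLen:20 DgmLen:61 DF
***AP*** Seq: 0x1AF156C2 Ack: 0x16B6ED Win: 0x2238 TcpLen: 20
0D 0A 0D 0A 53 75 6E 4F 53 20 35 2E 37 0D 0A 0D ....SunOS 5.7...
00 0D 0A 0D 00 .....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""
LINE1 = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")
LINE2 = re.compile(r"^(\w+) TTL:(\d+) TOS:(0x[0-9A-Fa-f]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")
LINE3 = re.compile(r"^(\S{8}) Seq: (0x[0-9A-Fa-f]+) Ack: (0x[0-9A-Fa-f]+) Win: (0x[0-9A-Fa-f]+) TcpLen: (\d+)")
HEXBYTE = re.compile(r"^[0-9A-F]{2}$")

def parse_dump(text):  # split on the =+=+ separators; one dict per packet, with the raw payload bytes
    packets = []
    for record in re.split(r"^=\+=.*$", text, flags=re.M):
        lines = [l for l in record.splitlines() if l.strip()]
        if len(lines) < 3:
            continue                      # the empty chunk before the first separator
        m1, m2, m3 = LINE1.match(lines[0]), LINE2.match(lines[1]), LINE3.match(lines[2])
        if not (m1 and m2 and m3):
            raise ValueError("unrecognised record: " + lines[0])
        pkt = {"ts": m1[1], "src": m1[2], "sport": int(m1[3]), "dst": m1[4], "dport": int(m1[5]),
               "proto": m2[1], "ttl": int(m2[2]), "ip_id": int(m2[4]), "iplen": int(m2[5]),
               "dgmlen": int(m2[6]), "flags": m3[1], "tcplen": int(m3[5])}
        # The payload length is never printed; it follows from the headers: DgmLen - IpLen - TcpLen.
        want = pkt["dgmlen"] - pkt["iplen"] - pkt["tcplen"]
        buf = bytearray()
        for line in lines[3:]:
            for tok in line.split()[:16]:  # at most 16 hex bytes per line, then the ASCII column
                if len(buf) == want or not HEXBYTE.match(tok):
                    break
                buf.append(int(tok, 16))
        if len(buf) != want:
            raise ValueError(f"{pkt['ts']}: expected {want} payload bytes, found {len(buf)}")
        packets.append({**pkt, "payload": bytes(buf)})
    return packets

def ascii_runs(payload, minlen=4):  # printable runs: what the right-hand column lets an analyst read at a glance
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % minlen, payload)]
```

The second record's payload yields the telnet banner "SunOS 5.7", which is exactly the kind of host information a sniffer-mode dump exposes to anyone on the segment.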

  17. Packet Logger Mode
     • Multi-mode packet logging options available
       • Flat ASCII, tcpdump, XML, database, etc.
     • Log all data and post-process to look for anomalous activity

  18. NIDS Mode
     • Wide variety of rules available for the signature engine (~1300 as of June 2001, grown to ~2900 by May 2005)
     • Multiple detection modes available via rules and plug-ins
       • Rules/signature
       • Statistical anomaly
       • Protocol verification

  19. Advanced Snorting
     • Shoring up commercial IDSs
       • Can be used to fill holes in a vendor’s rules, such as when a new threat arises
       • Snort rules were made available the same day the IRDP DDoS attack was announced
     • Multiple detection modes available via rules and plug-ins
       • Rules/signature
       • Statistical anomaly
       • Protocol verification

  20. Detection Engine
     • Rules form “signatures”
     • Wide range of detection capabilities
       • Stealth scans, OS fingerprinting, buffer overflows, back doors, CGI exploits, etc.
     • Rules system is very flexible, and creation of new rules is relatively simple

  21. Signature Basics
     • Connection attempt from a reserved IP address. This is easily identified by checking the source address field in an IP header.
     • Packet with an illegal TCP flag combination. This can be found by comparing the flags set in a TCP header against known good or bad flag combinations.
     • Email containing a particular virus. Snort can compare the subject of each email to the subject associated with the virus-laden email, or it can look for an attachment with a particular name.
     • DNS buffer overflow attempt. One method would be to look for exploit shellcode sequences in the payload (application layer).

  22. Signature Basics cont.
     • Denial of service attack on a POP3 server caused by issuing the same command thousands of times.
       • One signature for this attack would be to keep track of how many times the command is issued and to alert when that number exceeds a certain threshold.
     • File access attack on an FTP server by issuing file and directory commands to it without first logging in.
       • A state-tracking signature could be developed which would monitor FTP traffic for a successful login and would alert if certain commands were issued before the user had authenticated properly.
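As an added example, not from the slides, the two stateful signatures described on this slide written as Python over constructed FTP and POP3 sessions: the FTP tracker remembers which connections have received a 230 reply, and the POP3 tracker counts each client command per connection and alerts once the threshold is crossed. The session lines, connection ids, command set and threshold are assumptions made for the example.

```python
from collections import Counter

# Constructed sessions as (connection id, side, line), "C" = client, "S" = server. Not captured traffic;
# written to exercise the two stateful signatures described on slide 22.
FTP_EVENTS = [
    (1, "S", "220 FTP server ready"), (1, "C", "USER anonymous"), (1, "S", "331 Send password"),
    (1, "C", "PASS guest@example.org"), (1, "S", "230 Login successful"), (1, "C", "CWD /pub"), (1, "C", "LIST"),
    (2, "S", "220 FTP server ready"), (2, "C", "USER anonymous"), (2, "S", "331 Send password"),
    (2, "C", "MKD / "), (2, "C", "CWD /incoming"), (2, "S", "530 Please login with USER and PASS"),
]
POP3_EVENTS = [
    (3, "S", "+OK POP3 ready"), (3, "C", "USER bob"), (3, "C", "PASS secret"), (3, "S", "+OK"),
    (3, "C", "NOOP"), (3, "C", "NOOP"),
] + [(3, "C", "LIST")] * 6 + [(4, "C", "LIST")] * 2

# Assumed set of FTP commands that only make sense after authentication.
FTP_FILE_CMDS = {"CWD", "LIST", "NLST", "RETR", "STOR", "MKD", "RMD", "DELE"}

def verb(line):
    words = line.split()
    return words[0].upper() if words else ""

def ftp_pre_auth_alerts(events):
    """State-tracking signature: file/directory commands on a connection that has not yet received 230."""
    logged_in, alerts = set(), []
    for conn, side, line in events:
        if side == "S" and verb(line) == "230":
            logged_in.add(conn)
        elif side == "C" and verb(line) in FTP_FILE_CMDS and conn not in logged_in:
            alerts.append((conn, line))
    return alerts

def pop3_repeat_alerts(events, threshold=5):
    """Threshold signature: count each client command per connection; alert once when it exceeds threshold."""
    counts, alerts = Counter(), []
    for conn, side, line in events:
        if side != "C":
            continue
        counts[conn, verb(line)] += 1
        if counts[conn, verb(line)] == threshold + 1:   # fire exactly once per (connection, command)
            alerts.append((conn, verb(line), threshold + 1))
    return alerts
```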

  23. Snort Rules

  24. Snort Rules
     • Sample rule to detect SubSeven trojan:
       alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;)
     • Elements before the parentheses comprise the ‘rule header’
     • Elements in the parentheses are the ‘rule options’

  25. Snort Rules
     alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;)
     • alert: action to take; also log, pass, activate, dynamic
     • tcp: protocol; also udp, icmp, ip
     • $EXTERNAL_NET: source address; this is a variable – a specific IP is ok
     • 27374: source port; also any, negation (!21), range (1:1024)
     • ->: direction; best not to change this, although <> is allowed
     • $HOME_NET: destination address; this is also a variable here
     • any: destination port

  26. Snort Rules
     alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;)
     • msg:"BACKDOOR subseven 22"; message to appear in logs
     • flags: A+; TCP flags; the A means ACK, and the + means match all
     • content: "|0d0…0a|"; binary data to check for in the packet; content without | (pipe) characters does a simple content match
     • reference…; where to go to look for background on this rule
     • sid:103; rule identifier
     • classtype: misc-activity; rule type; many others
     • rev:4; rule revision number

  27. Snort Rules
     • bad-traffic.rules exploit.rules scan.rules
     • finger.rules ftp.rules telnet.rules
     • smtp.rules rpc.rules rservices.rules
     • dos.rules ddos.rules dns.rules
     • tftp.rules web-cgi.rules web-coldfusion.rules
     • web-frontpage.rules web-iis.rules web-misc.rules
     • web-attacks.rules sql.rules x11.rules
     • icmp.rules netbios.rules misc.rules
     • backdoor.rules shellcode.rules policy.rules
     • porn.rules info.rules icmp-info.rules
     • virus.rules local.rules attack-responses.rules

  28. Snort Rules
     • Rules which actually caught intrusions
     • alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_cmdshell - program execution"; content: "x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; flags:A+; classtype:attempted-user; sid:687; rev:3;)
       caught compromise of Microsoft SQL Server
     • alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:2;)
       caught Code Red infection
     • alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP \"MKD / \" possible warez site"; flags: A+; content:"MKD / "; nocase; depth: 6; classtype:misc-activity; sid:554; rev:3;)
       caught anonymous ftp server
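As an added example (not from the slides or the Snort project), a minimal Python matcher for the rule syntax broken down on slides 24 to 26, run against the rules quoted on slides 24 and 28: it splits the header from the options, decodes |hex| content, and applies flags, nocase and depth. The $HOME_NET/$EXTERNAL_NET/$HTTP_SERVERS/$SQL_SERVERS values and the packets it is tested against are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network
# Rules quoted from slides 24 and 28 (Snort 1.x syntax); VARS stands in for the snort.conf variables (constructed).
RULES = [
    r'alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;)',
    r'alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_cmdshell - program execution"; content: "x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; flags:A+; classtype:attempted-user; sid:687; rev:3;)',
    r'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:2;)',
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP \"MKD / \" possible warez site"; flags: A+; content:"MKD / "; nocase; depth: 6; classtype:misc-activity; sid:554; rev:3;)',
]
VARS = {"$HOME_NET": "192.168.0.0/16", "$EXTERNAL_NET": "any", "$HTTP_SERVERS": "192.168.1.0/24", "$SQL_SERVERS": "192.168.1.10"}
OPT_RE = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')  # key[:value]; quoted values may contain \"

def content_bytes(spec):  # text outside |pipes| is literal, text inside is hex (slide 26)
    out, in_hex = bytearray(), False
    for part in spec.split("|"):
        out += bytes.fromhex(part) if in_hex else part.encode("latin-1")
        in_hex = not in_hex
    return bytes(out)

def parse_rule(text):  # header fields before the parenthesis, ordered (option, value) pairs inside it (slide 24)
    header, _, body = text.strip().partition("(")
    action, proto, src, sport, _direction, dst, dport = header.split()
    options = [(k, v[1:-1].replace('\\"', '"') if v.startswith('"') else v.strip() or None) for k, v in OPT_RE.findall(body)]
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport, options=options)

def match_port(spec, port):  # any, 80, !21, 1:1024 (slide 25)
    if spec.startswith("!"): return not match_port(spec[1:], port)
    lo, _, hi = spec.partition(":")
    return spec == "any" or int(lo) <= port <= int(hi or lo)

def match_addr(spec, ip):  # $VAR, any, single host or CIDR
    spec = VARS.get(spec, spec)
    return spec == "any" or ip_address(ip) in ip_network(spec, strict=False)

def match_flags(spec, flags):  # "A+": ACK plus anything; "PA": exactly PUSH and ACK
    return set(spec[:-1]) <= flags if spec.endswith("+") else set(spec) == flags

def match_rule(rule, pkt):  # header first, then flags, then every content (nocase/depth modify the preceding content)
    if not all([match_addr(rule["src"], pkt["src"]), match_port(rule["sport"], pkt["sport"]),
                match_addr(rule["dst"], pkt["dst"]), match_port(rule["dport"], pkt["dport"])]): return False
    checks = []  # [pattern, region of the payload that is searched]
    for key, val in rule["options"]:
        if key == "flags" and not match_flags(val, pkt["flags"]): return False
        if key == "content": checks.append([content_bytes(val), pkt["payload"]])
        if key == "nocase": checks[-1] = [checks[-1][0].lower(), checks[-1][1].lower()]
        if key == "depth": checks[-1][1] = checks[-1][1][:int(val)]  # search only the first N payload bytes
    return all(pat in region for pat, region in checks)

def fired_sids(pkt):  # sids of every rule that alerts on one packet dict (src, sport, dst, dport, flags, payload)
    return [dict(r["options"])["sid"] for r in map(parse_rule, RULES) if match_rule(r, pkt)]
```

With depth: 6 the FTP rule fires on a payload that opens with "MKD / " but not on one where the same string appears later in the buffer, which is the difference between matching a command and matching a substring anywhere.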

  29. Case Study
     • Snort tested from a forensic computing perspective
       • evaluates the system in terms of its evidence acquisition (“forensic”) capabilities
       • the legal admissibility of the digital evidence generated
       • privacy implications of intrusion detection systems and network monitoring

  30. Case Study cont.
     • During the study (and indeed when collecting actual forensic data) the following practices were in effect to keep evidence admissible in court
       • minimize handling of the original data set
       • account for any change
       • comply with the rules of evidence

  31. Case Study cont.
     • Evaluated the system in terms of its evidence acquisition (“forensic”) capabilities
       • Longest runtime of 193 hours
       • During this time over 660,000 packets were recorded
       • In a case of serious deployment, large storage space is needed and an effective log rotation system has to be developed to allow quick and timely analysis

  32. Case Study cont.
     • The case study highlighted that the “collect everything” approach is highly desirable but has severe limitations and implications:
       • Clear-text transactions are easily visible and source and destination hosts are easily identifiable. If SNORT was deployed in its usual configuration as a network IDS, it would collect heaps of data that could clearly violate the privacy rights of academics, students and other network and Internet users.

  33. Demo • (>'-')> <('-'<) ^(' - ')^ <('-'<) (>'-')>
