Snort & ACID - PowerPoint PPT Presentation


Presentation Transcript

Snort & ACID

Low cost, highly configurable IDS

by

Patrick Southcott

southcottus@yahoo.com

http://www.patricksouthcott.com

Large topic, General outline:
  • What is snort?
  • Where does an IDS fit in the network?
  • Snort 2.0, Marty and Sourcefire.com
  • Snort system overview
    • config file
    • rules (custom & public)
  • ACID : opensource, web-based, simple alert management.
  • PROS & CONS of snort as an IDS.
  • Building a snort sensor on Redhat9.
What is Snort?

Snort is an application which listens to network traffic and uses rules to determine whether it sees particular types of traffic. It can sniff that traffic, log it, and alert on it.

The System Architecture consists of these main parts:

  • Sniffer
    • “Promiscuous Mode” NIC
  • Preprocessor
    • frag2, stream4, http_decode
  • Detection Engine
    • Using Rules
  • Logging and Alerting plugins
    • log mysql, alert smb

Diagram: Packets on the wire -> Snort Detection Process -> Records in a SQL db

Snort in the larger picture
  • Snort “sensors” can be placed on any network device. Hubs work best.
  • Sensors may log to a central database over secure tunnels or private media.
  • Management console using ACID.
Network Overview

Diagram (labels only): Internet, Router / firewall, DMZ, DMZ hosts, Router / firewall, Private LAN; IDS network with three sensors reporting to the Management Console.

IDS in Perspective
  • Management / Executive
    • low TCO (End-to-end, openness)
    • Wants reports which show ROE
  • System Admin
    • Configures and runs everything. Routers, firewalls, servers.
    • Endless game to keep “up-to-date”.
    • Wants to be “user” of IDS
  • Network Admin / Analyst
    • High quality data
    • Auto-response to new vulnerabilities.
    • Maintains network
    • Event Correlation
    • Broad -> Specific
    • Tune rules
Marty Roesch and Sourcefire
  • Created snort in 1998.
  • Sourcefire sells IDS boxes which they install, configure and support. Different security needs may involve specific tuning to customer’s network.
  • Sourcefire is the major commercial supporter of snort.
  • Gig speeds with multiprocessors and linux
    • same kernel, custom drivers, minimal footprint
  • demo-sensor.sourcefire.com
Snort Usage

Shell output from snort init.:

    $ ./snort -l /home/snort/snort_spool/
    Running in packet logging mode
    Log directory = /snort/snort_spool/
    Initializing Network Interface eth0

            --== Initializing Snort ==--
    Initializing Output Plugins!
    Decoding Ethernet on interface eth0

            --== Initialization Complete ==--

    -*> Snort! <*-
    Version 2.0.0rc4 (Build 70)
    By Martin Roesch (roesch@sourcefire.com, www.snort.org)

  • Run on Console
    $ ./snort -c snort.conf -l /home/snort/snort_spool/
  • Run as Daemon
    $ ./snort -D -c snort.conf -l /home/snort/snort_spool/
    Snort Config File: config daemon

Snort Console Output

    ================================================================
    Snort analyzed 4 out of 4 packets, dropping 0(0.000%) packets

    Breakdown by protocol:          Action Stats:
        TCP: 4      (100.000%)      ALERTS: 0
        UDP: 0      (0.000%)        LOGGED: 4
       ICMP: 0      (0.000%)        PASSED: 0
        ARP: 0      (0.000%)
      EAPOL: 0      (0.000%)
       IPv6: 0      (0.000%)
        IPX: 0      (0.000%)
      OTHER: 0      (0.000%)
    DISCARD: 0      (0.000%)
    ================================================================
    Wireless Stats:
    Breakdown by type:
        Management Packets: 0      (0.000%)
        Control Packets:    0      (0.000%)
        Data Packets:       0      (0.000%)
    ================================================================
    Fragmentation Stats:
    Fragmented IP Packets: 0      (0.000%)
        Fragment Trackers: 0
       Rebuilt IP Packets: 0
       Frag elements used: 0
    Discarded(incomplete): 0
       Discarded(timeout): 0
      Frag2 memory faults: 0
    ...

Snort Configuration File

Variables
  • var HOME_NET
  • var EXTERNAL_NET
  • var FOO_SERVERS

Preprocessor
  • preprocessor frag2
  • preprocessor stream4
  • preprocessor portscan2

Configuration
  • config interface: eth0
  • config set_uid: snort
  • config dump_payload
  • config daemon

Output SQL Database
  • output database: log, mysql, user=snort password=foobar dbname=snort host=localhost

Each bullet is a line in the config file. Variables are used in the files with the snort rules.
Snort Preprocessors
  • Frag2 Preprocessor
    • snort.conf: “preprocessor frag2”
    • packet fragmentation can lead to the IDS missing packets or seeing different ones than the host does. frag2 reassembles fragmented packets before they reach the detection engine.
  • The stream4 Preprocessor
    • snort can keep track of tcp sessions. “stateful”
    • detection of “stealth” scans from software like nmap.
  • Portscan and portscan2 Preprocessors
    • detection of single host access to many ports.
Snort Rules

snort.conf :

    . . .
    include $RULE_PATH/local.rules

local.rules :

    activate tcp any any -> any 23 (activates: 23; msg:"Potential Telnet Login Credentials Logged";)
    dynamic tcp any any -> any 23 (activated_by: 23; count:20;)
    log tcp any any -> any any (msg: "tcp traffic";)
    log udp any any -> any any (msg: "udp traffic";)
    log icmp any any -> any any (msg: "icmp traffic";)

Rules to log all tcp, udp and icmp traffic.

Snort Rules

web-iis.rules :

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
        (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; \
        content:"cmd.exe"; nocase; classtype:web-application-attack; \
        sid:1002; rev:5;)

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
        (msg:"WEB-IIS CodeRed v2 root.exe access"; \
        flow:to_server,established; uricontent:"/root.exe"; \
        nocase; classtype:web-application-attack; \
        reference:url,www.cert.org/advisories/CA-2001-19.html; \
        sid:1256; rev:7;)

Rule syntax:

    # action = pass, log, alert, dynamic, activate
    # protocol = icmp, tcp, ip, udp
    action protocol source -> destination ( optional_rule_body )
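As an added example (not code from the slides or from the Snort project), a small Python parser for the rule syntax summarised above: it joins backslash-continued lines, skips comment lines, checks the action and protocol against the lists given in the comments, and splits the rule body on semicolons outside double quotes so a ";" inside a msg string is kept. The sample rules are constructed from the slide's own web-iis.rules and local.rules entries.

```python
import re

# Constructed sample: two rules from the slides, with backslash continuations and a comment line.
SAMPLE_RULES = r'''
# action = pass, log, alert, dynamic, activate
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; \
    content:"cmd.exe"; nocase; classtype:web-application-attack; \
    sid:1002; rev:5;)
log tcp any any -> any any (msg: "tcp traffic";)
'''
ACTIONS = {"pass", "log", "alert", "dynamic", "activate"}
PROTOCOLS = {"icmp", "tcp", "ip", "udp"}
# header layout: action protocol src src_port direction dst dst_port ( body )
HEADER_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
HEADER_FIELDS = ("action", "protocol", "src", "src_port", "direction", "dst", "dst_port")

def split_options(body: str):
    """Split the body on ';' outside double quotes into (key:value options, bare flags)."""
    opts, flags, cur, in_quote = {}, [], "", False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote          # a ';' inside msg:"..." is not a separator
        if ch == ";" and not in_quote:
            key, sep, val = cur.strip().partition(":")
            if sep:
                opts[key.strip()] = val.strip().strip('"')   # e.g. sid:1002, msg:"..."
            elif key:
                flags.append(key)                            # e.g. nocase
            cur = ""
        else:
            cur += ch
    return opts, flags

def parse_rules(text: str) -> list:
    """Join continuation lines, skip comments, validate and parse each rule into a dict."""
    joined = re.sub(r"\\\s*\n\s*", " ", text)
    rules = []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line}")
        rule = dict(zip(HEADER_FIELDS, m.groups()[:7]))
        if rule["action"] not in ACTIONS or rule["protocol"] not in PROTOCOLS:
            raise ValueError(f"unknown action/protocol in: {line}")
        rule["options"], rule["flags"] = split_options(m.group(8))
        rules.append(rule)
    return rules
```

Rules whose action or protocol is outside the slide's lists are rejected with a ValueError, which is the check you want before a hand-written local.rules is loaded on a sensor.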

Snort Rules
  • attack-responses.rules
  • backdoor.rules
  • bad-traffic.rules
  • chat.rules
  • ddos.rules
  • deleted.rules
  • DMZ.rules
  • dns.rules
  • dos.rules
  • experimental.rules
  • exploit.rules
  • finger.rules
  • ftp.rules
  • icmp-info.rules
  • icmp.rules
  • imap.rules
  • info.rules
  • local.rules
  • misc.rules
  • multimedia.rules
  • mysql.rules
  • netbios.rules
  • nntp.rules
  • oracle.rules
  • other-ids.rules
  • p2p.rules
  • policy.rules
  • pop2.rules
  • pop3.rules
  • porn.rules
  • rpc.rules
  • rservices.rules
  • scan.rules
  • shellcode.rules
  • smtp.rules
  • snmp.rules
  • sql.rules
  • telnet.rules
  • tftp.rules
  • virus.rules
  • web-attacks.rules
  • web-cgi.rules
  • web-client.rules
  • web-coldfusion.rules
  • web-frontpage.rules
  • web-iis.rules
  • web-misc.rules
  • web-php.rules
  • x11.rules
  • Default rules for known bad packets.
ACID to manage Alerts
  • Sort and display alerts based on ip, port, date, unique alerts.
  • Search alerts
  • Display layer 3 and 4 packet data
  • Graphs and statistics for alert frequency.
  • Alert grouping, archiving, managing
Connecting mysql with stunnel
  • Generate foo.pem for tunnel.

    openssl req -new -out stunnel.pem -keyout \
        stunnel.pem -nodes -x509 -days 365

  • stunnel 4 with config ( stunnel.conf), on the database host:

    Cert = /foobar/stunnel.pem
    [mysqls]
    accept = 3307
    connect = 3306

  • stunnel 3.22 from shell prompt, on the sensor (-c is client mode):

    #!/bin/sh
    /usr/local/sbin/stunnel -c -d 3306 -r 10.1.5.1:3307

The server-side instance accepts the tunnel on 3307 and hands off to the local mysql on 3306; the client-side instance listens on the sensor's local 3306 and tunnels to 10.1.5.1:3307, so the sensor's "output database" line can keep host=localhost.
Snort IDS: PROs and CONs

PROs
  • Powerful, specific rules to match packets.
  • No backdoors
  • Weakness quickly found & published.
  • Rules actively published for detection of new worms etc.
  • Open Source software developers know code will be checked. Fewer hacks.

CONs
  • Snort/ACID is only part of a secure network.
  • Does not record the success or failure of a detected intrusion
  • Does nothing to stop an intrusion in progress.
  • False sense of security.
IDS component overview
  • Open Source Network Intrusion Detection System (Snort)
    • snort-2.0.0rc4.tar.gz
    • mysql-4.0.12.tar.gz
  • Analysis Console for Intrusion Databases (ACID)
    • apache_1.3.27.tar.gz
    • php-4.3.1.tar.gz
    • acid-0.9.6b23.tar.gz
Apache & php Setup
  • ./configure --prefix=/home/apache/apache_prefix/ --activate-module=src/modules/php4/libphp4.a
  • make && make install
  • ./configure --prefix=/home/apache/php_prefix --with-mysql --enable-bcmath --with-gd --enable-sockets --with-zlib-dir=/home/apache/php-4.3.1/zlib-1.1.4/ --with-apache=../apache_1.3.27
  • Php needs graphics libs:
    • zlib-1.1.4, libpng-1.2.5, gd-1.8.4, phplot-4.4.6
Snort System Setup
  • mysql-4.0.12
  • ./configure --prefix=/home/snort/snort_prefix --enable-smbalerts --with-mysql
  • make && make check && make install
  • Webmin
    • snort-1.0.wbm
Create snort database & tables
  • echo "CREATE DATABASE snort;" | mysql -u root -p
  • grant INSERT,SELECT on snort.* to snortusr@localhost;
  • mysql -D snort -u root -p < ./contrib/create_mysql
Snort Config Setup
  • output database: log, mysql, user=snortusr password=foobar dbname=snort host=localhost
  • Modify alert rules to personal taste
ACID Setup
  • adodb331.zip in www_root
  • tar zxfp acid-0.9.6b23.tar.gz
    • mv acid /var/www/html
  • edit acid/acid_conf.php
    • $DBlib_path = "/var/www/html/adodb";
    • $alert_dbname = "snort";
  • http://acid.foobar.com/acid/acid_main.php