1 / 24

Snort & ACID

Snort & ACID Low cost, highly configurable IDS by Patrick Southcott southcottus@yahoo.com http://www.patricksouthcott.com What is snort? Where does an IDS fit in the network? Snort 2.0, Marty and Sourcefire.com Snort system overview config file rules (custom & public)

ostinmannual
Download Presentation

Snort & ACID

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Snort & ACID Low cost, highly configurable IDS by Patrick Southcott southcottus@yahoo.com http://www.patricksouthcott.com

  2. What is snort? Where does an IDS fit in the network? Snort 2.0, Marty and Sourcefire.com Snort system overview config file rules (custom & public) ACID : opensource, web-based, simple alert management. PROS & CONS of snort as an IDS. Building a snort sensor on Redhat9. Large topic, General outline:

  3. What is Snort? Snort is an application which listens to network traffic and uses rules to determine if it sees particular types of traffic. It logs, alerts for and listens to network traffic. The System Architecture consists of these main parts: • Sniffer • “Promiscuous Mode” NIC • Preprocessor • frag2, stream4, http_decode • Detection Engine • Using Rules • Logging and Alerting plugins • log mysql, alert smb Packets on the wire Snort Detection Process Records in a SQL db

  4. Snort in the larger picture • Snort “sensors” can be placed on any network device. Hubs work best. • Sensors may log to a central database over secure tunnels or private media. • Management console using ACID.

  5. Network Overview Management Console IDS network sensor sensor sensor DMZ Router / firewall Router / firewall Internet Private LAN DMZ hosts

  6. IDS in Perspective • low TCO (End-to-end, openness) • Wants reports which show ROE • Management / Executive • System Admin • Network Admin / Analyst • Configures and runs everything. Routers, firewalls, servers. • Endless game to keep “up-to-date”. • Wants to be “user” of IDS • High quality data • Auto-response to new vulnerabilities. • Maintains network • Event Correlation • Broad -> Specific • Tune rules

  7. Marty Roesch and Sourcefire • Created snort in 1998. • Sourcefire sells IDS boxes which they install, configure and support. Different security needs may involve specific tuning to customer’s network. • Sourcefire is the major commercial supporter of snort. • Gig speeds with multiprocessors and linux • same kernel, custom drivers, minimal footprint • demo-sensor.sourcefire.com

  8. Snort Usage Shell output from snort init.: $ ./snort –l /home/snort/snort_spool/ Running in packet logging mode Log directory = /snort/snort_spool/ Initializing Network Interface eth0 --== Initializing Snort ==-- Initializing Output Plugins! Decoding Ethernet on interface eth0 --== Initialization Complete ==-- -*> Snort! <*- Version 2.0.0rc4 (Build 70) By Martin Roesch (roesch@sourcefire.com, www.snort.org) $ ./snort –c snort.conf –l /home/snort/snort_spool/ • Run on Console • Run as Daemon $ ./snort –D –c snort.conf –l home/snort/snort_spool/ Snort Config File: config daemon

  9. Snort Console Output ================================================================ Snort analyzed 4 out of 4 packets, dropping 0(0.000%) packets Breakdown by protocol: Action Stats: TCP: 4 (100.000%) ALERTS: 0 UDP: 0 (0.000%) LOGGED: 4 ICMP: 0 (0.000%) PASSED: 0 ARP: 0 (0.000%) EAPOL: 0 (0.000%) IPv6: 0 (0.000%) IPX: 0 (0.000%) OTHER: 0 (0.000%) DISCARD: 0 (0.000%) ================================================================ Wireless Stats: Breakdown by type: Management Packets: 0 (0.000%) Control Packets: 0 (0.000%) Data Packets: 0 (0.000%) ================================================================ Fragmentation Stats: Fragmented IP Packets: 0 (0.000%) Fragment Trackers: 0 Rebuilt IP Packets: 0 Frag elements used: 0 Discarded(incomplete): 0 Discarded(timeout): 0 Frag2 memory faults: 0 ….

  10. Snort Configuration File Variables Preprocessor • preprocessor frag2 • preprocessor stream4 • preprocessor portscan2 • var HOME_NET • var EXTERNAL_NET • var FOO_SERVERS • config interface: eth0 • config set_uid: snort • config dump_payload • config daemon Configuration Each bullet is a line in the config file. Variables are used in the files with the snort rules. Output SQL Database • output database: log, mysql, user=snort password=foobar dbname=snort host=localhost

  11. Snort Preprocessors • Frag2 Preprocessor • snort.conf: “preprocessor frag2” • packet fragmentation can lead to the IDS missing packets or getting different ones than the host gets. This cleans fragmented packets. • The stream4 Preprocessor • snort can keep track of tcp sessions. “stateful” • detection of “stealth” scans from software like nmap. • Portscan and portscan2 Preprocessors • detection of single host access to many ports.

  12. Snort Rules snort.conf : . . . include $RULE_PATH/local.rules local.rules : activate tcp any any -> any 23 (activates: 23; msg:”Potential Telnet Login Credentials Logged”;) dynamic tcp any any -> any 23 (activated_by: 23; count:20;) log tcp any any -> any any (msg: “tcp traffic”;) log udp any any -> any any (msg: “udp traffic”;) log icmp any any -> any any (msg: “icmp traffic”;) Rules to log all tcp, udp and icmp traffic.

  13. Snort Rules web-iis.rules : alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \ (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; \ content:"cmd.exe"; nocase; classtype:web-application-attack; \ sid:1002; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \ (msg:"WEB-IIS CodeRed v2 root.exe access"; \ flow:to_server,established; uricontent:"/root.exe"; \ nocase; classtype:web-application-attack; \ reference:url,www.cert.org/advisories/CA-2001-19.html; \ sid:1256; rev:7;) # action = pass, log, alert, dynamic, activate # protocol = icmp, tcp, ip, udp action protocol source -> destination ( optional_rule_body )

  14. Snort Rules • attack-responses.rules • backdoor.rules • bad-traffic.rules • chat.rules • ddos.rules • deleted.rules • DMZ.rules • dns.rules • dos.rules • experimental.rules • exploit.rules • finger.rules • ftp.rules • icmp-info.rules • icmp.rules • imap.rules • info.rules • local.rules • misc.rules • multimedia.rules • mysql.rules • netbios.rules • nntp.rules • oracle.rules • other-ids.rules • p2p.rules • policy.rules • pop2.rules • pop3.rules • porn.rules • rpc.rules • rservices.rules • scan.rules • shellcode.rules • smtp.rules • snmp.rules • sql.rules • telnet.rules • tftp.rules • virus.rules • web-attacks.rules • web-cgi.rules • web-client.rules • web-coldfusion.rules • web-frontpage.rules • web-iis.rules • web-misc.rules • web-php.rules • x11.rules • Default rules for known bad packets.

  15. ACID to manage Alerts • Sort and display alerts based on ip, port, date, unique alerts. • Search alerts • Display layer 3 and 4 packet data • Graphs and statistics for alert frequency. • Alert grouping, archiving, managing

  16. Connecting mysql with stunnel • Generate foo.pem for tunnel. openssl req -new -out stunnel.pem -keyout \ stunnel.pem -nodes -x509 -days 365 Cert = /foobar/stunnel.pem [mysqls] accept = 3307 connect = 3306 #!/bin/sh /usr/local/sbin/stunnel -c -d 3306 -r 10.1.5.1:3307 • stunnel 4 with config ( stunnel.conf) • stunnel 3.22 from shell prompt.

  17. Snort IDS: PROs and CONs PROs CONs • Snort/ACID is only part of a secure network. • Does not record the success or failure of a detected intrusion • Does nothing to stop an intrusion in progress. • False sense of security. • Powerful, specific rules to match packets. • No backdoors • Weakness quickly found & published. • Rules actively published for detection of new worms etc. • Open Source software developers know code will be checked. Fewer hacks.

  18. Installing snort on RedHat 9

  19. Open Source Network Intrusion Detection System (Snort) snort-2.0.0rc4.tar.gz mysql-4.0.12.tar.gz Analysis Console for Intrusion Databases (ACID) apache_1.3.27.tar.gz php-4.3.1.tar.gz acid-0.9.6b23.tar.gz IDS component overview

  20. Apache & php Setup • ./configure --prefix=/home/apache/apache_prefix/ --activate-module=src/modules/php4/libphp4.a • make && make install • ./configure --prefix=/home/apache/php_prefix --with-mysql --enable-bcmath --with-gd --enable-sockets --with-zlib-dir=/home/apache/php-4.3.1/zlib-1.1.4/ --with-apache=../apache_1.3.27 • Php needs graphics libs: • zlib-1.1.4, libpng-1.2.5, gd-1.8.4, phplot-4.4.6

  21. Snort System Setup • mysql-4.0.12 • ./configure --prefix=/home/snort/snort_prefix --enable-smbalerts --with-mysql • Make && make check && make install; • Webmin • snort-1.0.wbm

  22. Create snort database & tables • CREATE DATABASE snort;" | mysql -u root –p • grant INSERT,SELECT on snort.* to snortusr@localhost; • mysql -D snort -u root -p < ./contrib/create_mysql

  23. Snort Config Setup • output database: log, mysql, user=snortusr password=foobar dbname=snort host=localhost • Modify alert rules to personal taste

  24. ACID Setup • adodb331.zip in www_root • tar zxfp acid-0.9.6b23.tar.gz • mv acid /var/www/html • edit acid/acid_conf.php • $DBlib_path = "/var/www/html/adodb"; • $aler_dbname = "snort“ • http://acid.foobar.com/acid/acid_main.php

More Related