An Introduction to Snort
Richard Bejtlich, TaoSecurity
Houston ISSA Meeting, 11 Apr 02

Outline
- Introduction to Intrusion Detection
- What is Snort?
- Installing Snort
- Snort Rules
- Snort in Action
- Third-Party Enhancements
- Conclusion

About Me
- Bejtlich = “bate-lik”
- Senior engineer for managed network security operations, BATC (2001-)
- Former captain at US Air Force Computer Emergency Response Team (1998-2001)
- Student of intrusion detection, incident response, and digital forensics
- www.taosecurity.com

Introduction to Intrusion Detection
- Network defense or “protection” model: Planning, Prevention, Detection, Response
- Intrusion detection is the process of discovering, analyzing, and reporting unauthorized or damaging network or computer activities

Introduction to Intrusion Detection
- All network and computer activities fall in one of three categories:
  - Normal
  - Abnormal but not malicious
  - Malicious
- Intrusion detection operates in two arenas:
  - What a computer says: network traffic
  - What a computer thinks: computer processes

Introduction to Intrusion Detection
- Network traffic is monitored by network-based intrusion detection systems (NIDS)
- Computer processes are monitored by host-based intrusion detection systems (HIDS)
- So-called “hybrid” systems examine network traffic to or from a host, as well as processes on that host
- NIDS are easier to deploy and manage, but HIDS may give greater visibility to events

What is Snort?
- Snort is a fast, flexible, small-footprint, open-source NIDS developed by the security community and a “benevolent dictator”
- Lead coder: Marty Roesch, now founder of Sourcefire (www.sourcefire.com)
- Initially developed in late 1998 as a sniffer with consistent output, unlike the protocol-dependent output of TCPDump
- Licensed under GPL, but version 2.0 may change to a different license

Installing Snort
- As of 16 Mar 02, version 1.8.4 is available at www.snort.org/dl/ in these forms:
  - UNIX source
  - Solaris, FreeBSD, Windows binary packages
  - Red Hat .rpm
- Requires installation of libpcap first!
  - UNIX: www.tcpdump.org/release/libpcap-0.7.1.tar.gz or newest available source
  - Windows: netgroup-serv.polito.it/winpcap/install/ offers winpcap 2.2 and 2.3 beta (XP requires 2.3)

Installing Snort
On Red Hat Linux 7.2, as root:
- Download and install libpcap
- Download and install these three .rpm:
  - libnet-1.0.2a-1snort.i386.rpm
  - snort-1.8.4-1snort.i386.rpm
  - snort-postgresql+flexresp-1.8.4-1snort.i386.rpm
- Create the /var/log/snort directory
Files installed:
- /etc/snort contains conf and rule files
- /var/log/snort will contain logs
- /usr/sbin/snort is the snort binary

Installing Snort
- For a quick test, execute this command within the /etc/snort directory:
  snort -A console
- From a separate machine, use nmap to generate events for Snort to detect:
  nmap -sP <snort_machine_IP_address>
- You should see an alert like this:
  03/27-15:18:06.911226 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.20 -> 192.168.1.237

Installing Snort
On Windows 2000, as administrator:
- Download and install winpcap
- Download and execute Snort184Win32.exe, and select “typical” installation
- mkdir "c:\Program Files\Sourcefire\Snort\log"
Files installed in c:\Program Files\Sourcefire\Snort:
- snort.conf
- \rules directory contains rules
- snort.exe executable

Installing Snort
- To test, execute this command within the c:\Program Files\Sourcefire\Snort directory:
  snort -A console
  You may need to specify an interface with '-i 2'
- From a separate machine, use nmap to generate events for Snort to detect:
  nmap -sP <snort_machine_IP_address>
- You should see an alert like this:
  03/27-15:18:06.911226 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.20 -> 192.168.1.237

Installing Snort
- While not an element of Snort, Ethereal is the best open source GUI-based packet viewer
- www.ethereal.com offers:
  - Windows: www.ethereal.com/distribution/win32/ethereal-setup-0.9.2.exe
  - UNIX: www.ethereal.com/download.html
  - Red Hat Linux RPMs: ftp.ethereal.com/pub/ethereal/rpms/

Installing Snort
- Also not an element of Snort, tcpdump is a well-established CLI packet capture tool
  - www.tcpdump.org offers UNIX source
  - netgroup-serv.polito.it/windump/install/ offers windump, a Windows port of tcpdump
- windump is helpful because it will help you see the different interfaces available on your sensor
- Next slide shows two available interfaces; note only the second is capable of sniffing:
  snort -A console -i 2

Snort Rules
- Snort rules are extremely flexible and are easy to modify, unlike many commercial NIDS
- Sample rule to detect the SubSeven trojan:
  alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;)
- Elements before the parentheses comprise the ‘rule header’
- Elements in the parentheses are the ‘rule options’

Snort Rules
alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;)
- alert: action to take; also log, pass, activate, dynamic
- tcp: protocol; also udp, icmp, ip
- $EXTERNAL_NET: source address; this is a variable; a specific IP is ok
- 27374: source port; also any, negation (!21), range (1:1024)
- ->: direction; best not to change this, although <> is allowed
- $HOME_NET: destination address; this is also a variable
- any: destination port

Snort Rules
alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;)
- msg:"BACKDOOR subseven 22"; message to appear in logs
- flags: A+; tcp flags; many options, like SA, SA+, !R, SF*
- content: "|0d0…0a|"; binary data to check in the packet; content without | (pipe) characters does a simple text match
- reference…; where to go to look for background on this rule
- sid:103; rule identifier
- classtype: misc-activity; rule type; many others
- rev:4; rule revision number
- Other rule options are possible, like offset, depth, nocase
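
To make the header/option split concrete, here is an added Python parser (not part of the talk, and not Snort's own code) that breaks a Snort 1.x rule into its seven header fields and its option list. It splits on semicolons only outside quoted strings, so an escaped quote inside msg (as in the FTP MKD rule on a later slide) does not break the parse, and it decodes the |..| hex segments of a content value to bytes; backslash escapes inside content are assumed absent and are not interpreted.

```python
SUBSEVEN_RULE = (
    'alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; '
    'flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; '
    'reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;)'
)
HEADER_FIELDS = ("action", "proto", "src", "sport", "direction", "dst", "dport")  # header positions


def split_options(body):
    """Split the option block on ';' while respecting "..." strings and backslash escapes."""
    items, cur, in_quote, escape = [], [], False, False
    for ch in body:
        if ch == ";" and not in_quote and not escape:
            items.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
        if escape:
            escape = False
        elif ch == "\\":
            escape = True
        elif ch == '"':
            in_quote = not in_quote
    if "".join(cur).strip():
        items.append("".join(cur).strip())
    return items


def parse_rule(rule):
    """Return (header dict, [(keyword, value), ...]); keyword-only options get value ''."""
    head, sep, tail = rule.strip().partition("(")
    if not sep or not tail.endswith(")"):
        raise ValueError("rule has no option block")
    parts = head.split()
    if len(parts) != len(HEADER_FIELDS) or parts[4] not in ("->", "<>"):
        raise ValueError("malformed rule header: %r" % head)
    options = []
    for raw in split_options(tail[:-1]):  # drop the closing ')'
        key, _, value = raw.partition(":")
        options.append((key.strip(), value.strip()))
    return dict(zip(HEADER_FIELDS, parts)), options


def content_bytes(value):
    """Decode a content: value; text between | pipes | is hex, the rest is literal bytes."""
    out = bytearray()
    for i, seg in enumerate(value.strip().strip('"').split("|")):
        out += bytes.fromhex(seg) if i % 2 else seg.encode("latin-1")
    return bytes(out)
```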

Snort Rules
Rule files:
bad-traffic.rules exploit.rules scan.rules finger.rules ftp.rules telnet.rules smtp.rules rpc.rules rservices.rules dos.rules ddos.rules dns.rules tftp.rules web-cgi.rules web-coldfusion.rules web-frontpage.rules web-iis.rules web-misc.rules web-attacks.rules sql.rules x11.rules icmp.rules netbios.rules misc.rules backdoor.rules shellcode.rules policy.rules porn.rules info.rules icmp-info.rules virus.rules local.rules attack-responses.rules

Snort Rules
Rules which actually caught intrusions:
- alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_cmdshell - program execution"; content: "x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; flags:A+; classtype:attempted-user; sid:687; rev:3;)
  caught compromise of Microsoft SQL Server
- alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:2;)
  caught Code Red infection
- alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP \"MKD / \" possible warez site"; flags: A+; content:"MKD / "; nocase; depth: 6; classtype:misc-activity; sid:554; rev:3;)
  caught anonymous ftp server

Snort Rules
More rules that caught intrusions:
- alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS multiple decode attempt"; flags:A+; uricontent:"%5c"; uricontent:".."; reference:cve,CAN-2001-0333; classtype:web-application-attack; sid:970; rev:2;)
  caught NIMDA infection
- alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET Bad Login"; content: "Login incorrect"; nocase; flags:A+; classtype:bad-unknown; sid:1251; rev:2;)
  caught telnet username brute-force
- Consider how a rule with “Login incorrect” might trigger on many non-malicious events

Snort in Action
Three operational modes:
- Sniffer: snort -dvae will display payloads, be verbose, display arp traffic, and display link layer data
- Packet logger: snort -b -l /var/log/snort will log binary data to the /var/log/snort directory
- NIDS: snort -b -l /var/log/snort -A full -c /etc/snort/snort.conf will log binary data in the /var/log/snort directory, with full alerts in /var/log/snort/alert, reading the configuration file in /etc/snort

Snort in Action
Three ways to tell Snort how to act:
- snort.conf configures variables, preprocessors, output plugins, and active rule sets
- .rules files define the actual signatures
- Command line options start snort and will override options in the snort.conf file
Snort will run with the default snort.conf, but you will have less ‘chaff’ to sort through if you spend time configuring snort.conf properly
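
As an added illustration of that last point (this is not the snort.conf that ships with Snort 1.8.4), the fragment below shows the default-style variable settings that produce chaff next to tuned equivalents, plus the preprocessor, output and include lines the earlier slides rely on. All addresses are assumed placeholders for a sensor watching 192.168.1.0/24, the network seen in the slides' captures; substitute your own.

```conf
# Default-style settings (commented out here): with every address counted as "home",
# $EXTERNAL_NET matches nothing useful and direction-specific rules fire on all traffic.
# var HOME_NET any
# var EXTERNAL_NET any

# Tuned: name the monitored network (assumed 192.168.1.0/24, as in the slides' captures)
# so the -> direction and $EXTERNAL_NET in rules mean what they say.
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
# Assumed server addresses; rules such as sid 1002 ($HTTP_SERVERS) and sid 687
# ($SQL_SERVERS) then fire only for traffic aimed at hosts that really run those services.
var HTTP_SERVERS [192.168.1.7/32]
var SQL_SERVERS [192.168.1.8/32]
var DNS_SERVERS [192.168.1.1/32]

# Preprocessors: reassemble fragments and TCP streams before content matching.
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 8080

# Portscan detection: flag a source touching 4 ports within 3 seconds
# (the "THRESHOLD 4" seen in the alert file) and ignore your own authorised scanner.
preprocessor portscan: $HOME_NET 4 3 portscan.log
# assumed address of the site's vulnerability scanner
preprocessor portscan-ignorehosts: 192.168.1.250/32

# Output: full alerts plus a binary packet log, matching the NIDS mode command line.
output alert_full: alert
output log_tcpdump: snort.log

# Rule sets: include what your network actually runs; a site with no Telnet or X11
# exposure gains only chaff from those files. Paths are relative to /etc/snort.
include backdoor.rules
include web-iis.rules
include sql.rules
include scan.rules
include local.rules
# include telnet.rules
# include x11.rules
```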

Snort in Action
Snort as NIDS (third mode) captures recon. Contents of /var/log/snort/alert:

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/28-09:48:40.739935 192.168.1.2 -> 192.168.1.3
ICMP TTL:46 TOS:0x0 ID:61443 IpLen:20 DgmLen:28
Type:8 Code:0 ID:10629 Seq:0 ECHO
[Xref => http://www.whitehats.com/info/IDS162]

[**] [1:469:1] spp_portscan: PORTSCAN DETECTED from 192.168.1.2 (THRESHOLD 4 connections exceeded in 0 seconds) [**]
03/28-09:48:41.052635

[**] [100:2:1] spp_portscan: portscan status from 192.168.1.2: 183 connections across 1 hosts: TCP(183), UDP(0) [**]
03/28-09:48:45.007501

Snort in Action
Partial contents of /var/log/snort/portscan.log:

Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:106 SYN ******S*
Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:193 SYN ******S*
Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:138 SYN ******S*
Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:128 SYN ******S*
Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:156 SYN ******S*
Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:35 SYN ******S*
Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:48 SYN ******S*
Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:16 SYN ******S*
Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:173 SYN ******S*
Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:72 SYN ******S*
Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:65 SYN ******S*
Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:36 SYN ******S*
Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:149 SYN ******S*
Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:17 SYN ******S*
Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:218 SYN ******S*
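
To show what those portscan.log lines let an analyst reconstruct, here is an added Python example (not from the talk, and not Snort's own code) that parses the log format above and reimplements the preprocessor's threshold idea: a source that reaches more than N distinct host:port targets within any W-second window is reported as a scanner. The log lines are constructed to match the slide's format, and the year is assumed because the log omits it.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the portscan.log format shown above: five probes from one source
# against five different ports, plus two repeat connections to port 80 from another host.
PORTSCAN_LOG = """\
Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:106 SYN ******S*
Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:193 SYN ******S*
Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:138 SYN ******S*
Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:128 SYN ******S*
Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:156 SYN ******S*
Mar 28 09:48:43 192.168.1.9:33000 -> 192.168.1.3:80 SYN ******S*
Mar 28 09:48:44 192.168.1.9:33001 -> 192.168.1.3:80 SYN ******S*
"""


def parse_line(line, year=2002):
    """Return (timestamp, src_ip, dst_ip, dst_port) for one portscan.log line.
    The log carries no year, so the caller supplies one (assumed 2002 here)."""
    mon, day, clock, src, _arrow, dst = line.split()[:6]
    stamp = datetime.strptime("%d %s %s %s" % (year, mon, day, clock), "%Y %b %d %H:%M:%S")
    src_ip = src.rsplit(":", 1)[0]
    dst_ip, dst_port = dst.rsplit(":", 1)
    return stamp, src_ip, dst_ip, int(dst_port)


def detect_portscans(log_text, threshold=4, window_seconds=3):
    """Map each scanning source to the number of distinct host:port targets it reached
    inside one window; a source qualifies when that number exceeds `threshold`, the
    same idea as spp_portscan's "THRESHOLD n connections exceeded in t seconds"."""
    probes = defaultdict(list)  # src_ip -> [(timestamp, (dst_ip, dst_port)), ...]
    for line in log_text.splitlines():
        if line.strip():
            stamp, src, dst, port = parse_line(line)
            probes[src].append((stamp, (dst, port)))
    scanners = {}
    for src, events in probes.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide a window over each start time
            targets = {tgt for stamp, tgt in events[i:]
                       if (stamp - start).total_seconds() <= window_seconds}
            if len(targets) > threshold:
                scanners[src] = len(targets)
                break
    return scanners
```

Repeat connections to the same host:port count once, which is what keeps the second host in the sample out of the result at the default threshold.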

Snort in Action
- /var/log/snort/snort-0328@0948.log is in binary format; read it with Ethereal or tcpdump
- Sample tcpdump output of this log file:
  09:48:40.739935 192.168.1.2 > 192.168.1.3: icmp: echo request
  09:48:40.743705 192.168.1.2 > 192.168.1.3: icmp: echo request
- As configured, Snort will only log the packets which triggered an alert
- Packets triggering portscans are not logged by default

Third-Party Enhancements
SnortSnarf (www.silicondefense.com/software/snortsnarf/)
- SnortSnarf is a Perl program that takes files of alerts from Snort and produces HTML reports
- Output intended for diagnostic inspection
- Silicon Defense also supplies sensors with commercial support
- Description and screenshot taken from the SnortSnarf web site

Third-Party Enhancements
Analysis Console for Intrusion Databases (ACID), acidlab.sourceforge.net/
- PHP-based analysis engine to search and process a database of security events generated by various IDSes, firewalls, and network monitoring tools
- Query-builder and search interface, packet viewer (decoder), alert management, chart and statistics generation
- Description and screenshots taken from the ACID web site

Third-Party Enhancements
Demarc (www.demarc.com)
- NIDS management console, integrating Snort with the convenience and power of a centralized interface for all network sensors
- Monitor all servers / hosts to make sure network services such as mail or web servers remain accessible at all times
- Monitor system logs for anomalous log entries that may indicate intruders or system malfunctions
- Description and screenshots taken from the Demarc web site

Conclusion
- Snort is a powerful tool, but maximizing its usefulness requires a trained operator
- Becoming proficient with network intrusion detection takes 12 months; “expert” 24-36?
- Snort is considered a superior NIDS when compared to most commercial systems
- Managed network security providers should collect enough information to make decisions without calling clients to ask what happened