Intrusion Detection using Snort, Session E6

Contact Information
Matthew Hicks, CISSP, GCIA
Senior Information Security Analyst
Children's National Medical Center, Washington DC
[email protected]

Source: academy.delmar.edu/Courses/ITSY2430/eBooks/Snort(IntrusionDetectionOverview).pdf (36 slides)


Responsibilities
– Intrusion Detection Analysis
– Security Investigations
– Maintain Security Perimeter: Firewall, IDS, VPN
– Anything and everything else

Agenda
– Quick Survey
– Introduction to Intrusion Detection
– Snort Overview
– Using Snort
– Live Demo


A Quick Survey

How many consider themselves Intrusion Analysts?
– Training
– Reviewing data packets on a regular basis

Does anyone currently support an IDS?
– Review of logs
– Update signatures
– Dedicated staff

Food for Thought
– You would be surprised at the number of organizations that have installed an IDS but do not monitor it
– Staff supporting the IDS are not trained as intrusion analysts
– Some organizations have installed an IDS but do not update it or add signatures
– The result is that the organization claims the IDS is not working and shuts it off
– DO NOT LET THE IDS BECOME OBSOLETE SHELFWARE OR FLOORWARE


What do you think?

From: www.infosecuritymag.com/articles/august01/cover.shtml

“an IDS is like a Christmas puppy,” says Pete Lindstrom, senior security analyst at Hurwitz Group, “at first, it sounds like a great idea but then once you get the thing, you are thinking like, ‘oh my god I have got to care for this and it’s a lot more work than I thought’”

Introduction to Intrusion Detection


Intrusion Detection: Not Just One Piece

Pieces shown on the slide:
– IDS
– Firewall
– Email Filtering
– Virus Scanning
– URL Filtering
– Audit and Monitoring
– Procedures and Policies

The firewall stopped 3100 hits of the SQL Slammer worm on Jan 25th.

You must have the support staff!

Intrusion Analysis Tools
– Ethereal (www.ethereal.com): sniffs the network to show and capture traffic
– Windump or Tcpdump (windump.polito.it, www.tcpdump.org): dumps data packets based on a set of filters and parameters for future analysis
– Snort IDS (www.snort.org)


SQL Slammer Worm: Real Life Story
– The SQL Slammer worm was released on Jan 24th
– The worm began to swamp the Internet, affecting one bank's ATM system and an online reservation system
– My firewall recorded 3100 hits in 5 hours
– My systems were not affected by this worm because I had configured the firewall against unauthorized traffic
– The SQL Server Resolution Service, which operates on UDP port 1434, provides a way for clients to query for the appropriate network endpoints to use for a particular SQL Server instance.

Slammer Worm
– How to tell whether a packet is bad or not?
– How to tell whether an IDS alert is a false positive or not?
– The key here is intrusion analysis: capture and look at the data packet
– We will look at the example of the SQL Slammer worm


SQL Slammer Worm: packet trace (the slide shows the first 0x110 bytes of the 404-byte datagram)

02/04-14:46:04.168266 xxx.xxx.0.210:1115 -> xxx.xxx.72.29:1434
UDP TTL:111 TOS:0x0 ID:16303 IpLen:20 DgmLen:404
Len: 384
0x0000: 00 04 9A D0 DA 24 00 30 94 CB 73 E1 08 00 45 00  .....$.0..s...E.
0x0010: 01 94 3F AF 00 00 6F 11 63 FA 8E B0 00 D2 CF 10  ..?...o.c.......
0x0020: 48 1D 04 5B 05 9A 01 80 8A 40 04 01 01 01 01 01  H..[.....@......
0x0030: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0040: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0050: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0060: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0070: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0080: 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0 42 EB  ..............B.
0x0090: 0E 01 01 01 01 01 01 01 70 AE 42 01 70 AE 42 90  ........p.B.p.B.
0x00A0: 90 90 90 90 90 90 90 68 DC C9 B0 42 B8 01 01 01  .......h...B....
0x00B0: 01 31 C9 B1 18 50 E2 FD 35 01 01 01 05 50 89 E5  .1...P..5....P..
0x00C0: 51 68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E  Qh.dllhel32hkern
0x00D0: 51 68 6F 75 6E 74 68 69 63 6B 43 68 47 65 74 54  QhounthickChGetT
0x00E0: 66 B9 6C 6C 51 68 33 32 2E 64 68 77 73 32 5F 66  f.llQh32.dhws2_f
0x00F0: B9 65 74 51 68 73 6F 63 6B 66 B9 74 6F 51 68 73  .etQhsockf.toQhs
0x0100: 65 6E 64 BE 18 10 AE 42 8D 45 D4 50 FF 16 50 8D  end....B.E.P..P.

Slide callouts at 0x00C0-0x00E0: kernel32.dll and ws2_32.dll (the DLL names are pushed onto the stack in 4-byte chunks, visible in the ASCII column as 'kern', 'el32', '.dll', 'ws2_', '32.d').

SQL Slammer Worm
– Causes SQL Server to stop responding by using a buffer overflow in the Resolution Service: the 04 at the start of the UDP payload (frame offset 0x2A in the previous slide) is the request type byte that reaches the vulnerable code path
– Writes garbage data to the buffer: see the long run of 01 01 01 01 ... in the previous slide
– Accesses kernel32.dll and ws2_32.dll: see the previous slide
– 100% memory resident; no files are written to the hard drive
– Remove the infection by rebooting the server, but it is easily reinfected if not patched
– Must load SQL Server 2000 SP3 (or the earlier MS02-039 hotfix) to protect against this worm; some SQL applications are not certified for SP3


SQL Slammer Worm: Snort Rule

Snort rule to detect the Slammer worm (only the content tests are shown here):

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send";)

– Your challenge is to find the data given in each content option in the previous packet trace. Note that the trace on the slide stops at offset 0x0110 of a 404-byte datagram, so not every pattern is visible in it.

We will discuss Snort rules shortly.
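To make the challenge concrete, here is an added example (not from the slides and not Snort's own code) that walks the Ethernet, IP and UDP headers of the frame exactly as the hex dump gives them, then applies each content option of the rule above to the UDP payload with Snort's depth semantics. The bytes are transcribed from the slide; the first two octets of each address, which the slide masks, are masked again in the output. Because the slide's trace is truncated, one of the four patterns cannot be found in it, and the code reports that rather than pretending otherwise.

```python
"""Decode the Slammer frame from the slide's hex dump and evaluate the
Snort rule's content options against its UDP payload (added example)."""
import struct

# Hex columns of the slide's dump (0x0000-0x010F); ASCII column dropped.
SLIDE_DUMP = """
00 04 9A D0 DA 24 00 30 94 CB 73 E1 08 00 45 00
01 94 3F AF 00 00 6F 11 63 FA 8E B0 00 D2 CF 10
48 1D 04 5B 05 9A 01 80 8A 40 04 01 01 01 01 01
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
01 01 01 01 01 01 01 01 01 01 01 DC C9 B0 42 EB
0E 01 01 01 01 01 01 01 70 AE 42 01 70 AE 42 90
90 90 90 90 90 90 90 68 DC C9 B0 42 B8 01 01 01
01 31 C9 B1 18 50 E2 FD 35 01 01 01 05 50 89 E5
51 68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E
51 68 6F 75 6E 74 68 69 63 6B 43 68 47 65 74 54
66 B9 6C 6C 51 68 33 32 2E 64 68 77 73 32 5F 66
B9 65 74 51 68 73 6F 63 6B 66 B9 74 6F 51 68 73
65 6E 64 BE 18 10 AE 42 8D 45 D4 50 FF 16 50 8D
"""

# The rule's content options in rule order: (pattern, depth).
# depth:1 limits the first search to payload byte 0.
RULE_CONTENTS = [
    (b"\x04", 1),                                  # content:"|04|"; depth:1;
    (bytes.fromhex("81F10301049B81F101"), None),   # content:"|81 F1 03 01 04 9B 81 F1 01|";
    (b"sock", None),                               # content:"sock";
    (b"send", None),                               # content:"send";
]


def parse_hex_dump(text):
    """Turn the two-digit hex tokens of a dump into bytes."""
    return bytes(int(tok, 16) for tok in text.split())


def mask_ip(addr):
    """Mask the first two octets the way the slide's trace does (xxx.xxx.a.b)."""
    return "xxx.xxx." + ".".join(addr.split(".")[2:])


def decode(frame):
    """Walk Ethernet -> IPv4 -> UDP like Snort's packet decoder and return
    the header fields the slide prints plus the UDP payload."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                        # IP header length in bytes
    dgm_len, ip_id = struct.unpack("!HH", ip[2:6])
    ttl, proto = ip[8], ip[9]
    if proto != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:]
    sport, dport, udp_len = struct.unpack("!HHH", udp[:6])
    return {"src": mask_ip(".".join(map(str, ip[12:16]))),
            "dst": mask_ip(".".join(map(str, ip[16:20]))),
            "sport": sport, "dport": dport, "ttl": ttl, "ip_id": ip_id,
            "ip_len": ihl, "dgm_len": dgm_len, "udp_len": udp_len,
            "payload": udp[8:]}


def content_match(payload, pattern, depth=None):
    """Snort 'content' with optional 'depth': offset of the pattern, searching
    only the first `depth` payload bytes when given; -1 when absent."""
    haystack = payload if depth is None else payload[:depth]
    return haystack.find(pattern)


def evaluate_rule(payload):
    """Offset of every content option in the payload (-1 = not found)."""
    return {pat: content_match(payload, pat, depth) for pat, depth in RULE_CONTENTS}


def slammer_report():
    """Decode the slide's frame and test the rule's content options on it."""
    fields = decode(parse_hex_dump(SLIDE_DUMP))
    fields["hits"] = evaluate_rule(fields["payload"])
    fields["all_contents_found"] = all(off >= 0 for off in fields["hits"].values())
    return fields


if __name__ == "__main__":
    r = slammer_report()
    print(f'{r["src"]}:{r["sport"]} -> {r["dst"]}:{r["dport"]} UDP TTL:{r["ttl"]} '
          f'ID:{r["ip_id"]} IpLen:{r["ip_len"]} DgmLen:{r["dgm_len"]} Len:{r["udp_len"]}')
    for pat, off in r["hits"].items():
        print(f"content {pat!r}: " + (f"payload offset {off}" if off >= 0
                                      else "not present in the truncated trace"))
```

The payload begins 42 bytes into the frame (14 Ethernet + 20 IP + 8 UDP), which is where the 04 sits; "sock" and "send" are the pushed halves of the socket and sendto names near the end of the visible bytes, and the |81 F1 ...| pattern lies past the point where the slide's dump stops.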


What Is an IDS?

Basic components
– Traditional software design: Input, Processing, Output
– IDS components: Collection (Input), Analysis (Processing), Reporting (Output)


IDS Data Flowchart (diagram): Collection (1 to n sensors) -> Analysis -> Reporting


Overview of Snort

Snort is . . .
– A lightweight Network Intrusion Detection System (N-IDS): compact, efficient code; light load on the system running it; fast execution
– Flexible: highly configurable, broadly scalable
– Multi-platform (there are performance problems running under Windows)
– Most important of all . . .


Free!

More about Snort
– Winpcap- or libpcap-based packet sniffing: a system-independent interface for packet capture. It provides a portable framework for low-level network monitoring in the form of include files and a library that can be linked against, as is done with the tcpdump package.
– Rules-based detection engine: completely user-programmable and configurable
– Plug-in based extensibility: pre-processor, detection and output plug-ins


Snort Data Flow (diagram)

Packet Stream (sniffing) -> Packet Decoder -> Pre-Processor <Plug-Ins> -> Detection Engine <Plug-Ins> -> Post-Processor & Output Stage <Plug-Ins> -> Alerts/Logs

Snort Packet Decoder (diagram)

A network packet as the decoder sees it: Ethernet | IP header | Protocol header | payload (the worm)

Snort Packet Decoder (2) (diagram)

The same decode applied to packets read back from a tcpdump binary file: Ethernet | IP header | Protocol header | payload (the worm)

Introduction to Snort Usage


In This Section
– Basic invocation using the command line
– Logging & options: directory sort (default), binary dump (tcpdump format), off (no logging)
– Alerts & options: alert types, alert delivery options
– Rules: rule file specification, rule types

Running Snort
Invoking Snort with no arguments just generates the usage/options message. To do something, at least one of the following is required:
– -v: Verbose, dump decoded packets to stdout
– -c <fn>: Use rules file <fn>
– -b: Binary dump of undecoded packets into a file (tcpdump format)


Example: Basic Invocation

> snort -v
Initializing Network Interface ep1

Decoding Ethernet on interface ep1

-*> Snort! <*-

Version 1.6.1-beta1

By Martin Roesch ([email protected], www.clark.net/~roesch)

06/28-16:58:19.877894 204.89.131.233:80 -> MY.NET.150.160:1412

TCP TTL:119 TOS:0x0 ID:13696 DF

******A* Seq: 0x101AEB1 Ack: 0x9A5FA7 Win: 0x2001

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/28-16:58:19.877998 MY.NET.150.160:1412 -> 204.89.131.233:80

TCP TTL:127 TOS:0x1A ID:43538 DF

******A* Seq: 0x9A5FA7 Ack: 0x101B461 Win: 0x1C7C

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/28-16:58:19.878182 209.252.154.64:1899 -> MY.NET.253.114:80

TCP TTL:20 TOS:0x0 ID:16420 DF

*****PA* Seq: 0xB3B219C Ack: 0x30A1394B Win: 0x2176

Example: Getting More Detail

> snort -vd
Initializing Network Interface ep1

Decoding Ethernet on interface ep1

-*> Snort! <*-

Version 1.6.1-beta1

By Martin Roesch ([email protected], www.clark.net/~roesch)

06/28-17:02:33.761442 208.188.32.226:64302 -> MY.NET.70.121:7777

UDP TTL:116 TOS:0x0 ID:45845

Len: 37

29 CA 48 03 01 BC 82 B9 6A DE B4 50 07 CA D6 48 ).H.....j..P...H

04 00 9C CB 8B A1 89 01 1C 11 CA BB 21 ............!

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/28-17:02:33.761503 MY.NET.20.10:39850 -> 216.115.105.60:80

TCP TTL:63 TOS:0x0 ID:62903

**S***** Seq: 0xA2DD19C5 Ack: 0x0 Win: 0x2000

TCP Options => MSS: 1460


Logging

Snort supports three kinds of logging:
1. Directory sort: decodes packets and sorts the results into different directories by IP and port (the default method)
2. Binary dump: stores raw packet data in a binary file
3. Off: logging disabled

Setting the logging directory
– By default, logs go to /var/log/snort (Unix) or /snort/log (Win32)
– Command line option: -l <logdir> redirects logs to directory <logdir>


Logging 1: directory-sorted output, e.g. ./log/131.118.254.130/TCP:1959-119

06/28-17:08:16.561137 131.118.254.130:1959 -> MY.NET.1.6:119

TCP TTL:61 TOS:0x0 ID:32792 DF

*****PA* Seq: 0xA017051A Ack: 0xA5356082 Win: 0x4470

25 5E 45 2B 26 0D 0A 4D 42 41 53 2D 53 45 45 31 %^E+&..MBAS-SEE1

2A 24 4C 51 3D 3B 39 60 37 27 37 2B 29 38 46 43 *$LQ=;9`7'7+)8FC

56 29 38 30 41 3E 2A 46 24 27 56 31 4E 2A 46 44 V)80A>*F$'V1N*FD

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/28-17:08:16.571185 MY.NET.1.6:119 -> 131.118.254.130:1959

TCP TTL:63 TOS:0x0 ID:6910 DF

******A* Seq: 0xA5356082 Ack: 0xA0178846 Win: 0x5B40

00 00 00 00 00 00 ....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/28-17:08:16.651944 MY.NET.1.6:119 -> 131.118.254.130:1959

TCP TTL:63 TOS:0x0 ID:6976 DF

******A* Seq: 0xA5356082 Ack: 0xA019428A Win: 0x5B40

00 00 00 00 00 00 ....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Logging 2: Reading from a binary dump

> snort -v -r ./log/[email protected]

Initializing Network Interface ep0

snaplen = 1514

Entering readback mode..

-*> Snort! <*-

Version 1.6.1-beta1

By Martin Roesch ([email protected], www.clark.net/~roesch)

06/28-17:38:40.456070 61.139.8.125:80 -> MY.NET.20.10:29568

TCP TTL:43 TOS:0x0 ID:28329 DF

******A* Seq: 0xE43A5DAA Ack: 0xC59E5EB8 Win: 0x7D78

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/28-17:38:40.456164 MY.NET.20.10:41771 -> 216.200.16.77:80

TCP TTL:63 TOS:0x0 ID:10919

******A* Seq: 0x55CFD22 Ack: 0x5554AECE Win: 0x2238

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/28-17:38:40.456371 MY.NET.20.10:41771 -> 216.200.16.77:80

TCP TTL:63 TOS:0x0 ID:10920

*****PA* Seq: 0x55CFD22 Ack: 0x5554AECE Win: 0x2238


Logging 3: Disabled
Command line option: -N turns off all logging functions

> snort -v -N

Initializing Network Interface ep1

Decoding Ethernet on interface ep1

-*> Snort! <*-

Version 1.6.1-beta1

By Martin Roesch ([email protected], www.clark.net/~roesch)

06/30-14:05:39.359582 204.117.117.22:1318 -> MY.NET.151.20:1704

UDP TTL:116 TOS:0x0 ID:47822

Len: 789

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/30-14:05:39.359726 MY.NET.20.10:2672 -> 216.111.248.10:80

TCP TTL:63 TOS:0x0 ID:52617

**S***** Seq: 0x7B372741 Ack: 0x0 Win: 0x2000

TCP Options => MSS: 1460

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Alerting

Alerts are “special actions” that Snort can take in response to different packets.

Definition of these actions is in the rules file, but the format and delivery of alerts is specified on the Snort command line.


Snort Alert Types
Command line option: -A <type>, where <type> is one of the following:
– full: full alert (default), full text with details of the packet that triggered the alert
– fast: fast alert, abbreviated alert with packet header information
– none: no alert, disables the alert function

Snort Alert Delivery
– By default all alerts go to a file named "alert" in the logging directory
– Command line option: -s directs alerts to syslog
– Command line option: -M <smb-hosts-file> sends WinPopup messages to the list of workstations contained in the smb-hosts-file


Rules, Filters, and Modules
– Filters: narrow the selection of packets at collection
– Rules: specify processing and response
– Modules: pre- and post-processors

Snort Rules
Rules are the core of Snort's flexibility. They are specified in a rules file.
Actions:
– Alert: generate an alert message and log the packet
– Log: log the packet
– Pass: ignore the packet

Order of evaluation: Alert-Pass-Log
– The -o option changes this to Pass-Alert-Log

Command line option: -c <rules file>


A Word on CIDR Notation
Classless Inter-Domain Routing, used to identify the network Snort is protecting:
– MY.0.0.0/8: class A network MY.x.x.x
– MY.NET.0.0/16: class B network MY.NET.x.x
– MY.NET.WORK.0/24: class C network MY.NET.WORK.x
– MY.NET.WORK.135/32: a specific host (135) on the class C MY.NET.WORK network

Snort Session with Rules

A simple rules file:

var HOME_NET MY.NET.0.0/16
alert tcp any any -> $HOME_NET 21

HOME_NET is the private network you are protecting with the Snort IDS. MY.NET is a placeholder for your own address space: if the internal network is 192.168.1.0/24, HOME_NET would be 192.168.1.0/24 (written MY.NET.1.0/24 in these slides).


Snort Session with Rules (2)
– The first line defines the variable $HOME_NET to be MY.NET.0.0/16
– The second line, alert tcp any any -> $HOME_NET 21, specifies that an alert be generated for every packet that is:
  – a TCP packet
  – from any source IP
  – from any source port
  – to any destination within $HOME_NET
  – to destination port 21
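To see how the rule header, the CIDR address spec and the Alert-Pass-Log order fit together, here is an added example (not Snort's own code) that parses a small rules file in the format above, matches constructed packets against it, and shows why the -o option matters: with the default order an alert rule fires before a pass rule for the same traffic can suppress it. The rules file and packets are made up for the demo, and 192.168.0.0/16 stands in for the slides' MY.NET.0.0/16; only the msg option is read, since the point here is the header.

```python
"""A small model of the Snort 1.x rule header and of rule ordering
(added example, not Snort's own code)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed rules file in the slide's format; 192.168.0.0/16 plays MY.NET.0.0/16.
RULES_FILE = """
var HOME_NET 192.168.0.0/16
var SCANNER 10.1.1.5/32
alert tcp any any -> $HOME_NET 21 (msg:"FTP connection to HOME_NET";)
pass tcp $SCANNER any -> $HOME_NET 21
log tcp any any -> $HOME_NET any
alert udp any any -> $HOME_NET 53 (msg:"DNS to HOME_NET";)
"""

# action proto src sport direction dst dport [(options)]
HEADER_RE = re.compile(
    r"^(alert|log|pass)\s+(tcp|udp|icmp|ip)\s+(\S+)\s+(\S+)\s+(->|<>)\s+"
    r"(\S+)\s+(\S+)\s*(?:\((.*)\))?$")


def addr_matches(spec, ip):
    """'any', a CIDR block (the MY.NET.0.0/16 style) or a /32 host;
    a leading '!' negates the test."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def port_matches(spec, port):
    """'any', one port, or a low:high range with either end open."""
    if spec == "any":
        return True
    if ":" not in spec:
        return int(spec) == port
    lo, hi = spec.split(":")
    return int(lo or 0) <= port <= int(hi or 65535)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    msg: str = ""

    def _one_way(self, src, sport, dst, dport):
        return (addr_matches(self.src, src) and port_matches(self.sport, sport)
                and addr_matches(self.dst, dst) and port_matches(self.dport, dport))

    def matches(self, pkt):
        if self.proto not in ("ip", pkt["proto"]):
            return False
        fwd = self._one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if self.direction == "->":
            return fwd
        return fwd or self._one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])


def parse_rules(text):
    """Read var definitions and rule headers; $VAR references are expanded."""
    variables, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("var "):
            _, name, value = line.split(None, 2)
            variables[name] = value
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError("unparsable rule: " + line)
        action, proto, src, sport, direction, dst, dport, opts = m.groups()
        msg = re.search(r'msg:\s*"([^"]*)"', opts or "")
        expand = lambda s: variables[s[1:]] if s.startswith("$") else s
        rules.append(Rule(action, proto, expand(src), sport, direction,
                          expand(dst), dport, msg.group(1) if msg else ""))
    return rules


DEFAULT_ORDER = ("alert", "pass", "log")   # Snort's default
O_ORDER = ("pass", "alert", "log")         # snort -o


def first_action(rules, pkt, order=DEFAULT_ORDER):
    """Rules are grouped by action; the groups are tried in `order` and the
    first matching rule decides what happens to the packet."""
    for action in order:
        for rule in rules:
            if rule.action == action and rule.matches(pkt):
                return action, rule.msg
    return "none", ""


def demo():
    """The same FTP packet from the whitelisted scanner under both orders."""
    rules = parse_rules(RULES_FILE)
    scanner_ftp = {"proto": "tcp", "src": "10.1.1.5", "sport": 3000,
                   "dst": "192.168.60.11", "dport": 21}
    outsider_ssh = {"proto": "tcp", "src": "203.0.113.9", "sport": 40000,
                    "dst": "192.168.60.11", "dport": 22}
    return {"scanner_ftp_default": first_action(rules, scanner_ftp),
            "scanner_ftp_with_o": first_action(rules, scanner_ftp, O_ORDER),
            "outsider_ssh": first_action(rules, outsider_ssh)}
```

The demo's first result is the trap the slides warn about: a pass rule written to silence a known scanner has no effect under the default order, because the alert group is searched first and the match there ends processing; only with -o does the pass rule win.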

Rules Session Output

Snort command with the -c option:

> snort -l ./log -c ./rules/myrules

Initializing Network Interface ep1

Decoding Ethernet on interface ep1

Initializing Preprocessors!

-------------------------------------------------

Keyword | Preprocessor @

-------------------------------------------------

http_decode : 0xd0d4

minfrag : 0xd2fc

portscan : 0xdfa0

portscan-ignorehosts: 0xea30

defrag : 0x10544

-------------------------------------------------


Rules Session Output (2)

Now we look in the ./log directory:

> ls ./log
209.70.98.152 210.229.79.62 212.170.18.20 213.228.3.197 alert

Note: default-style logging (IP-sorted subdirectories) occurred since we didn't use the -N option.

Rules Session Output (3)

> cat ./log/alert
[**] Snort Alert! [**]
06/30-14:58:42.567915 209.70.98.152:1168 -> MY.NET.60.11:21

TCP TTL:117 TOS:0x0 ID:28726 DF

*****PA* Seq: 0x48B9BE1 Ack: 0xFF900F0 Win: 0x1EC2

[**] Snort Alert! [**]
06/30-14:58:42.675093 209.70.98.152:1168 -> MY.NET.60.11:21

TCP TTL:117 TOS:0x0 ID:29238 DF

*****PA* Seq: 0x48B9C03 Ack: 0xFF90122 Win: 0x1E90

…
[**] Snort Alert! [**]
06/30-14:58:50.565715 213.228.3.197:32575 -> MY.NET.253.105:21

TCP TTL:50 TOS:0x0 ID:37043 DF

*****PA* Seq: 0x85115725 Ack: 0x176C2565 Win: 0x2238

TCP Options => NOP NOP TS: 7979439 31450159

[**] Snort Alert! [**]
06/30-14:58:50.771597 213.228.3.197:32575 -> MY.NET.253.105:21

TCP TTL:50 TOS:0x0 ID:37361 DF

******A* Seq: 0x8511572C Ack: 0x176C257D Win: 0x2238

TCP Options => NOP NOP TS: 7979439 31450160


2nd Snort Session with Rules
A slightly different Snort command, with the options -N, -c and -A fast:

> snort -l ./log -c ./rules/myrules -N -A fast

Initializing Network Interface ep1

Decoding Ethernet on interface ep1

Initializing Preprocessors!

-------------------------------------------------

Keyword | Preprocessor @

-------------------------------------------------

http_decode : 0xd0d4

minfrag : 0xd2fc

portscan : 0xdfa0

portscan-ignorehosts: 0xea30

defrag : 0x10544

-------------------------------------------------

2nd Rules Session Output

Now we look in the ./log directory:

> ls ./log
alert

Note: default logging was suppressed by the -N option, but alerts were still recorded.


2nd Rules Session Output (2)
Note: alerts are in abbreviated form due to the option -A fast.

> cat ./log/alert
06/30-18:03:30.238623 206.136.246.12:3433 -> MY.NET.60.16:21

06/30-18:03:30.352807 206.136.246.12:3433 -> MY.NET.60.16:21

06/30-18:03:30.627864 206.136.246.12:3433 -> MY.NET.60.16:21

06/30-18:03:30.627991 206.136.246.12:3433 -> MY.NET.60.16:21

06/30-18:03:30.761860 206.136.246.12:3433 -> MY.NET.60.16:21

06/30-18:03:31.688452 206.136.246.12:3433 -> MY.NET.60.16:21

06/30-18:03:31.764592 206.136.246.12:3433 -> MY.NET.60.16:21

06/30-18:03:31.842841 206.136.246.12:3433 -> MY.NET.60.16:21

06/30-18:03:32.036428 206.136.246.12:3433 -> MY.NET.60.16:21

06/30-18:03:32.210022 206.136.246.12:3433 -> MY.NET.60.16:21

06/30-18:03:32.373553 206.136.246.12:3433 -> MY.NET.60.16:21

06/30-18:03:32.517695 206.136.246.12:3433 -> MY.NET.60.16:21

06/30-18:03:32.619376 206.136.246.12:3433 -> MY.NET.60.16:21

06/30-18:03:32.694124 206.136.246.12:3433 -> MY.NET.60.16:21

Sample Rules

Here are some illustrative rules.

Note the 'msg' option:
alert tcp 195.11.50.204/32 any -> $HOME_NET any (msg:"GIAC 08-feb-2000";)

Note the 'content' option:
alert udp any any -> $HOME_NET any (msg:"Trin00 password"; content:"[]..Ks";)


Sample Rules (2)

Note the 'flags' option (S12 is SYN with both reserved bits set, the combination the Queso fingerprinting tool sends):
alert tcp any any -> $HOME_NET any (msg:"Possible Queso Fingerprint attempt"; flags: S12;)

All of the above:
alert tcp any any -> $HOME_NET 80 (msg:"IIS Showcode access attempt"; content:"/msads/Samples/SELECTOR/showcode.asp"; flags: PA;)

And there are many, many other options, and combinations of options.

Writing Snort Rulesets

Snort rules are simple and extremely flexible. For a more in-depth treatment of writing rulesets, it is more than worth your while to look at the docs at www.snort.org


Snort with Filters

Snort can accept tcpdump-style filters:
– These filters work at the "front end" of Snort
– Only packets passed by the filters will be processed by the rules
– Example:

snort -v 'tcp[13] & 3 != 0'

Accepts only packets that have either the SYN or the FIN bit set (or both): byte 13 of the TCP header is the flags byte, in which 0x01 is FIN and 0x02 is SYN.
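Both the flags:S12 rule option on the previous slide and the 'tcp[13] & 3 != 0' filter above test the same byte of the TCP header. The added example below (not Snort or libpcap code) builds a few TCP headers and evaluates both forms against them: Snort's 'flags' option with its exact/+/*/! modifiers and ',<bits>' ignore list as the Snort manual describes them, and the 'tcp[N] & M op V' subset of tcpdump filter syntax that the example uses. That the modifier is accepted at either end of the flag list is an assumption of this model; the headers are constructed for the demo.

```python
"""TCP flag tests as Snort's 'flags' option and a tcpdump-style filter see
them (added example, not Snort or libpcap code)."""
import re
import struct

# Bit values of tcp[13]. Snort names the two reserved bits '1' (the MSB)
# and '2'; today they are CWR and ECE.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}


def build_tcp_header(sport, dport, flags):
    """A minimal 20-byte TCP header with the given flags byte (constructed)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def to_bits(letters):
    """'S12' -> 0xC2; '0' -> 0 (no flags at all)."""
    return sum(FLAG_BITS[c] for c in letters if c != "0")


def snort_flags(spec, flag_byte):
    """Evaluate a Snort 'flags:<spec>' option against a flags byte.
    Default: exact match. '+': the listed bits plus any others. '*': any of
    the listed bits. '!': none of the listed bits. ',<bits>' after the list
    names bits to ignore (mask out) before comparing. The modifier is
    accepted before or after the letters (an assumption of this model)."""
    letters, _, ignore = spec.replace(" ", "").partition(",")
    mod = ""
    if letters[0] in "+*!":
        mod, letters = letters[0], letters[1:]
    elif letters[-1] in "+*!":
        mod, letters = letters[-1], letters[:-1]
    want = to_bits(letters)
    have = flag_byte & ~to_bits(ignore) & 0xFF
    if mod == "+":
        return have & want == want
    if mod == "*":
        return have & want != 0
    if mod == "!":
        return have & want == 0
    return have == want


BPF_RE = re.compile(r"^tcp\[(\d+)\]\s*&\s*(\d+)\s*(!=|==|=)\s*(\d+)$")


def bpf_byte_test(filter_expr, tcp_header):
    """Evaluate the 'tcp[N] & M op V' subset of tcpdump filter syntax used on
    the slide (this is not a general BPF compiler)."""
    m = BPF_RE.match(filter_expr.strip())
    if not m:
        raise ValueError("unsupported filter: " + filter_expr)
    offset, mask, op, value = m.groups()
    result = tcp_header[int(offset)] & int(mask)
    return result != int(value) if op == "!=" else result == int(value)


def demo():
    """(flags:S12 match, 'tcp[13] & 3 != 0' match) for a set of probes."""
    hdr = build_tcp_header
    probes = {
        "queso": hdr(1234, 80, to_bits("S12")),   # SYN + both reserved bits
        "syn": hdr(1234, 80, to_bits("S")),
        "syn_ack": hdr(80, 1234, to_bits("SA")),
        "ack": hdr(1234, 80, to_bits("A")),
        "push_ack": hdr(1234, 80, to_bits("PA")),
        "fin_ack": hdr(1234, 80, to_bits("FA")),
    }
    return {name: (snort_flags("S12", h[13]), bpf_byte_test("tcp[13] & 3 != 0", h))
            for name, h in probes.items()}
```

The filter is coarse by design: it lets through every SYN and FIN, because the sensor's filter runs before any rule and exists only to cut the packet stream down. The rule option is the precise test, and its exact-match default is why flags:S12 does not fire on an ordinary SYN or on a SYN/ACK.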

Snort with Filters (2)
– Filters can be put at the end of Snort commands (see previous example)
– Filters can also reside in a file
– Command line option: -F <filter file> reads filters into the Snort process from <filter file>


Snort Plug-Ins

Snort allows you to add new modules and to activate existing ones that come with the distribution:
– Additions are compiled as object code and activated as usual
– Activation takes place in the rules file

A wide variety of modules are available:
– One nifty module searches the packet stream for scanning behavior

Snort Plug-In Types
– Preprocessor: packets are examined/manipulated before being handed to the detection engine
– Detection: perform single, simple tests on a single aspect/field of the packet
– Output: report results from the other plug-ins


Ways to Use Snort
– Real-time traffic analysis: watching the packets go by live (do you have a quiet, peaceful network? How fast can you read?)
– Packet logging: collecting packets in raw form for later analysis; creating logs of decoded packets for later analysis
– Stored log analysis: reading raw packet files for in-depth analysis

What Can Come Out of Snort
– Standard output (decoded packets)
– Binary dump (raw packets)
– Snort default logging scheme
– Text messages going to text files: syslog-based logging, other log files (like alert)
– Notifications: Samba-based pop-up windows, other alerting modules (e.g. paging)
– Responses: auto-responses (e.g. dropping connections)


Do It Yourself

Building a Larger Framework


Very Simple (diagram)
Packet Stream -> (sniffing) tcpdump process, with a filter file -> log file -> report generator

Less Simple (diagram)
Packet Stream -> (sniffing) Snort, with a rules file -> alert file -> report generator, run from cron -> e-mail

Even Less Simple (diagram)
Packet Stream -> (sniffing) Snort, with a rules file -> alert file -> report generator, run from cron -> e-mail, with correlation against other records

Correlation

– Network traffic logs can be used to correlate with data in other records (system logs, authentication logs)
– If inappropriate or illegal activity is suspected, network log correlation can be used to justify closer scrutiny of things like e-mail and network session content
– On hearing the description of "correlation", a Maryland State trooper replied that he called it "probable cause".


Correlation: Examples
– A daily report from system logs identifies any user with more than 10 authentication failures in one day from an external site; the network traffic logs may show other questionable activity from that site
– BlackIce on a desktop NT machine shows a DNS probe from an external site; the network traffic logs show a complete scan of the internal network on port 53
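The two correlation examples above can be run as a script over the alert file and the system log. The added example below (not from the slides) parses '-A fast' lines in the format shown earlier, counts failed logins per source in a syslog-style authentication log, joins the two on source address for any source over the 10-failures-a-day threshold, and separately flags a source that touched many internal hosts on one port, which is the port-53 sweep pattern. The first three alert lines are the slide's own; the remaining alerts, the syslog lines and the "8 hosts on one port" threshold are constructed for the demo.

```python
"""Correlate Snort fast-mode alerts with system authentication logs
(added example, not part of the original slides)."""
import re
from collections import Counter, defaultdict

# First three lines are the slide's '-A fast' output; the rest are constructed:
# one source probing 8 internal hosts on port 53.
FAST_ALERTS = """\
06/30-18:03:30.238623 206.136.246.12:3433 -> MY.NET.60.16:21
06/30-18:03:30.352807 206.136.246.12:3433 -> MY.NET.60.16:21
06/30-18:03:30.627864 206.136.246.12:3433 -> MY.NET.60.16:21
""" + "".join(
    f"06/30-20:15:{i:02d}.000000 198.51.100.7:{40000 + i} -> MY.NET.1.{i + 1}:53\n"
    for i in range(8))

# Constructed syslog lines: 12 failures from the FTP source, 2 from another.
AUTH_LOG = "".join(
    f"Jun 30 17:{40 + i:02d}:05 ftp1 ftpd[2211]: FAILED LOGIN from 206.136.246.12, user=admin\n"
    for i in range(12)) + """\
Jun 30 18:01:44 ftp1 ftpd[2219]: FAILED LOGIN from 203.0.113.9, user=guest
Jun 30 18:02:10 ftp1 ftpd[2220]: FAILED LOGIN from 203.0.113.9, user=guest
"""

ALERT_RE = re.compile(r"^(\d\d/\d\d)-(\d\d:\d\d:\d\d\.\d+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")
FAIL_RE = re.compile(r"FAILED LOGIN from (\d+\.\d+\.\d+\.\d+)")


def parse_fast_alerts(text):
    """'-A fast' lines -> dicts with date, time, src, sport, dst, dport."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            date, time, src, sport, dst, dport = m.groups()
            alerts.append({"date": date, "time": time, "src": src, "sport": int(sport),
                           "dst": dst, "dport": int(dport)})
    return alerts


def auth_failures_by_source(text):
    """Count FAILED LOGIN lines per source address."""
    return Counter(m.group(1) for m in map(FAIL_RE.search, text.splitlines()) if m)


def correlate(alerts, failures, threshold=10):
    """For every source with more than `threshold` failures, attach what the
    network alerts show from the same address (the slide's first example)."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)
    report = {}
    for src, n in failures.items():
        if n > threshold:
            hits = by_src.get(src, [])
            report[src] = {"failures": n, "alerts": len(hits),
                           "dst_ports": sorted({a["dport"] for a in hits}),
                           "targets": sorted({a["dst"] for a in hits})}
    return report


def scan_sources(alerts, min_hosts=8):
    """Sources that touched at least `min_hosts` distinct hosts on one port:
    the 'complete scan of the internal network, port 53' pattern."""
    seen = defaultdict(set)
    for a in alerts:
        seen[(a["src"], a["dport"])].add(a["dst"])
    return {key: sorted(hosts) for key, hosts in seen.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    alerts = parse_fast_alerts(FAST_ALERTS)
    for src, info in correlate(alerts, auth_failures_by_source(AUTH_LOG)).items():
        print(src, info)
    for (src, port), hosts in scan_sources(alerts).items():
        print(f"{src} touched {len(hosts)} hosts on port {port}")
```

The join is deliberately on the bare source address; in practice the daily report would also carry the time window, so that an alert burst and the login failures can be shown to overlap rather than merely share an address.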

Resources


Resources
– All things Snort (Marty Roesch's Snort homepage): http://www.snort.org
– Snort database support: http://www.incident.org/snortdb
– Snort plug-ins: http://spyjurenet.com/linuxrc.org/projects/snort
– Attack signatures database (arachNIDS): http://www.whitehats.com

Resources (2)
– Other Snort tools:
  – Statistics: http://xanadu.rem.cmu.edu/snort
  – Snort report -> HTML converter (SnortSnarf): http://www.silicondefense.com/snortsnarf
– Libpcap packet capture library: ftp.ee.lbl.gov


Demo

http://localhost/acid/index.html