Intrusion Detection using Snort
Session E6
Contact Information
Matthew Hicks, CISSP, GCIA
Senior Information Security Analyst
Children's National Medical Center, Washington
[email protected]
Responsibilities
– Intrusion Detection Analysis
– Security Investigations
– Maintain Security Perimeter
  – Firewall
  – IDS
  – VPN
– Anything and everything else
Agenda
– Quick Survey
– Introduction to Intrusion Detection
– Snort Overview
– Using Snort
– Live Demo
A Quick Survey
– How many consider themselves Intrusion Analysts?
  – Training
  – Reviewing data packets on a regular basis
– Does anyone currently support an IDS?
  – Review of logs
  – Update signatures
  – Dedicated staff
Food for Thought
– You would be surprised at the number of organizations that have installed an IDS but do not monitor it
– Staff supporting the IDS are not trained as Intrusion Analysts
– Some organizations have installed an IDS but do not update it or add signatures
– The result is the organization claims the IDS is not working and will shut it off
– DO NOT LET THE IDS BECOME OBSOLETE, SHELFWARE OR FLOORWARE
What do you think?
From: www.infosecuritymag.com/articles/august01/cover.shtml
“An IDS is like a Christmas puppy,” says Pete Lindstrom, senior security analyst at Hurwitz Group. “At first, it sounds like a great idea, but then once you get the thing, you are thinking like, ‘oh my god, I have got to care for this and it's a lot more work than I thought.’”
Introduction to Intrusion Detection
Intrusion Detection: Not Just One Piece
– IDS
– Firewall
– Email Filtering
– Audit and Monitoring
– Procedures and Policies
– Virus Scanning
– URL Filtering
The firewall stopped 3100 hits of the SQL-Slammer worm on Jan 25th.
You must have the support staff!
Intrusion Analysis Tools
– Ethereal
  – www.ethereal.com
  – Sniffs the network to show and capture traffic
– Windump or Tcpdump
  – windump.polito.it
  – www.tcpdump.org
  – Dumps data packets based on a set of filters and parameters for future analysis
– Snort IDS
  – www.snort.org
SQL Slammer Worm: Real Life Story
– The SQL Slammer worm was released on Jan 24th
– The worm begins to swamp the internet, affecting one bank's ATM system and an online reservation system
– My firewall recorded 3100 hits in 5 hours
– My systems were not affected by this worm because I had configured the firewall against unauthorized traffic
– The SQL Server Resolution Service, which operates on UDP port 1434, provides a way for clients to query for the appropriate network endpoints to use for a particular SQL Server instance.
Slammer Worm
– How to tell whether a packet is bad or not?
– How to tell whether an IDS alert is a false positive or not?
– The key here is Intrusion Analysis: capture and look at the data packet
– We will look at the example of the SQL Slammer Worm
SQL Slammer Worm
02/04-14:46:04.168266 xxx.xxx.0.210:1115 -> xxx.xxx.72.29:1434
UDP TTL:111 TOS:0x0 ID:16303 IpLen:20 DgmLen:404
Len: 384
0x0000: 00 04 9A D0 DA 24 00 30 94 CB 73 E1 08 00 45 00  .....$.0..s...E.
0x0010: 01 94 3F AF 00 00 6F 11 63 FA 8E B0 00 D2 CF 10  ..?...o.c.......
0x0020: 48 1D 04 5B 05 9A 01 80 8A 40 04 01 01 01 01 01  H..[.....@......
0x0030: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0040: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0050: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0060: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0070: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0080: 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0 42 EB  ..............B.
0x0090: 0E 01 01 01 01 01 01 01 70 AE 42 01 70 AE 42 90  ........p.B.p.B.
0x00A0: 90 90 90 90 90 90 90 68 DC C9 B0 42 B8 01 01 01  .......h...B....
0x00B0: 01 31 C9 B1 18 50 E2 FD 35 01 01 01 05 50 89 E5  .1...P..5....P..
0x00C0: 51 68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E  Qh.dllhel32hkern
0x00D0: 51 68 6F 75 6E 74 68 69 63 6B 43 68 47 65 74 54  QhounthickChGetT
0x00E0: 66 B9 6C 6C 51 68 33 32 2E 64 68 77 73 32 5F 66  f.llQh32.dhws2_f
0x00F0: B9 65 74 51 68 73 6F 63 6B 66 B9 74 6F 51 68 73  .etQhsockf.toQhs
0x0100: 65 6E 64 BE 18 10 AE 42 8D 45 D4 50 FF 16 50 8D  end....B.E.P..P.
(Slide callouts pointing into the dump: Kernel32.dll, Ws2_32.dll)
SQL Slammer Worm
– Causes SQL server to stop responding by using a buffer overflow
  – See the 04 in the previous slide
– Writes garbage data to the buffer
  – See the ‘01010101010101010101010’ in the previous slide
– Accesses kernel32.dll and ws2_32.dll
  – See previous slide
– 100% memory resident: no files written to the hard drive
– Remove the infection by rebooting the server, but it is easily reinfected if not patched
– Must load Win2K SP3 to protect against this worm
  – Some SQL applications are not certified for SP3
SQL Slammer Worm
Snort rule to detect the Slammer worm:
  alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send";)
– Your challenge is to find the above data following each content option in the previous packet trace.
We will discuss Snort rules shortly
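The challenge above can be worked through mechanically. What follows is an added example, not code from the presentation: it embeds the slide's own hex dump, strips the Ethernet, IP and UDP headers, and applies each content test of the rule with Snort's depth semantics. The function names are this example's own. Because the slide's dump stops at offset 0x0100, the |81 F1 ...| byte string (which lies later in the 376-byte payload) cannot be found in the visible bytes, while |04| at depth 1, "sock" and "send" can.

```python
import re

# Packet trace copied from the slide's Slammer hex dump (the dump starts at the
# Ethernet header). The slide stops at offset 0x0100, so only the first 272
# bytes of the frame are available here; "Len: 384" on the slide is the UDP
# length field (8-byte header included), so the full payload was 376 bytes.
SLIDE_DUMP = """\
0x0000: 00 04 9A D0 DA 24 00 30 94 CB 73 E1 08 00 45 00  .....$.0..s...E.
0x0010: 01 94 3F AF 00 00 6F 11 63 FA 8E B0 00 D2 CF 10  ..?...o.c.......
0x0020: 48 1D 04 5B 05 9A 01 80 8A 40 04 01 01 01 01 01  H..[.....@......
0x0030: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0040: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0050: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0060: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0070: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0080: 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0 42 EB  ..............B.
0x0090: 0E 01 01 01 01 01 01 01 70 AE 42 01 70 AE 42 90  ........p.B.p.B.
0x00A0: 90 90 90 90 90 90 90 68 DC C9 B0 42 B8 01 01 01  .......h...B....
0x00B0: 01 31 C9 B1 18 50 E2 FD 35 01 01 01 05 50 89 E5  .1...P..5....P..
0x00C0: 51 68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E  Qh.dllhel32hkern
0x00D0: 51 68 6F 75 6E 74 68 69 63 6B 43 68 47 65 74 54  QhounthickChGetT
0x00E0: 66 B9 6C 6C 51 68 33 32 2E 64 68 77 73 32 5F 66  f.llQh32.dhws2_f
0x00F0: B9 65 74 51 68 73 6F 63 6B 66 B9 74 6F 51 68 73  .etQhsockf.toQhs
0x0100: 65 6E 64 BE 18 10 AE 42 8D 45 D4 50 FF 16 50 8D  end....B.E.P..P.
"""

HEX_LINE = re.compile(r"^\s*0x([0-9A-Fa-f]{4}):\s*(.*)$")


def parse_hexdump(text):
    """Turn a Snort/tcpdump style hex dump back into raw bytes.

    Each line is '0xNNNN: <up to 16 hex pairs>  <ascii column>'. Hex pairs are
    consumed until the first token that is not exactly two hex digits, which
    is where the ASCII column starts (no spaces occur in this dump's ASCII).
    """
    frame = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(frame):
            raise ValueError(f"dump jumps to 0x{offset:04X} at byte {len(frame)}")
        for tok in m.group(2).split():
            if len(tok) != 2 or not all(c in "0123456789abcdefABCDEF" for c in tok):
                break
            frame.append(int(tok, 16))
    return bytes(frame)


ETH_HDR, UDP_HDR = 14, 8


def udp_payload(frame):
    """Strip Ethernet, IPv4 (length taken from IHL) and UDP headers; return the UDP data."""
    ihl = (frame[ETH_HDR] & 0x0F) * 4
    if frame[ETH_HDR + 9] != 17:  # IP protocol field must say UDP
        raise ValueError("not a UDP datagram")
    return frame[ETH_HDR + ihl + UDP_HDR:]


def content_matches(payload, pattern, depth=None):
    """Snort 'content' test: the pattern must lie entirely within the first
    `depth` payload bytes (the whole payload when no depth is given)."""
    window = payload if depth is None else payload[:depth]
    return window.find(pattern) != -1


# The content tests of the rule on the slide, in order: |04| with depth:1, the
# |81 F1 ...| byte string, then the literal strings "sock" and "send".
SLAMMER_CONTENTS = (
    (b"\x04", 1),
    (bytes.fromhex("81 F1 03 01 04 9B 81 F1 01"), None),
    (b"sock", None),
    (b"send", None),
)


def check_slammer_rule(payload):
    """Run each content test of the slide's rule and report which ones hit."""
    return {pattern: content_matches(payload, pattern, depth)
            for pattern, depth in SLAMMER_CONTENTS}


def filler_run(payload, start=1, byte=0x01):
    """Length of the run of `byte` values beginning at `start` (the 0x01 padding)."""
    n = 0
    while start + n < len(payload) and payload[start + n] == byte:
        n += 1
    return n


if __name__ == "__main__":
    frame = parse_hexdump(SLIDE_DUMP)
    data = udp_payload(frame)
    print(f"frame bytes shown: {len(frame)}, UDP payload bytes shown: {len(data)}")
    print(f"0x01 filler bytes after the leading 0x04: {filler_run(data)}")
    for pattern, hit in check_slammer_rule(data).items():
        print(f"content {pattern!r}: {'match' if hit else 'no match in the visible bytes'}")
```

Running the script prints which content tests hit. The effect of depth:1 is visible in content_matches: the 0x04 has to be the very first payload byte, which is what keeps the rule cheap to evaluate on every UDP/1434 datagram and is why "send" straddling the 0x00F0/0x0100 line boundary is still found (the search runs over the reassembled bytes, not the dump lines).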
What Is an IDS?
Basic components
Traditional software design:
– Input
– Processing
– Output
IDS components:
– Collection (Input)
– Analysis (Processing)
– Reporting (Output)
IDS Data Flowchart (diagram): 1 to n sensors feed COLLECTION, which feeds ANALYSIS, which feeds REPORTING
Overview of Snort
Snort Is . . .
A lightweight Network Intrusion Detection System (N-IDS)
– Compact, efficient code
– Light load on the system running it
– Fast execution
Flexible:
– Highly configurable
– Broadly scalable
Multi-platform
– There are performance problems running under Windows
Most important of all…..
Free!
More about Snort
– Winpcap or Libpcap-based packet sniffing
  – A system-independent interface for packet capture. It provides a portable framework for low-level network monitoring in the form of include files and a library that can be linked against, as is done with the Tcpdump package.
– Rules-based detection engine
  – Completely user programmable and configurable
– Plug-in based extensibility
  – Pre-processors, detection, output plug-ins
Snort Data Flow (diagram): Packet Stream -> Sniffing -> Packet Decoder -> Pre-Processor <Plug-Ins> -> Detection Engine <Plug-Ins> -> Post-Processor & Output Stage <Plug-Ins> -> Alerts/Logs
Snort Packet Decoder (diagram): a network packet is decoded layer by layer: Ethernet, IP header, Protocol, then the payload (the worm)
Snort Packet Decoder (2) (diagram): the same decoding applied to a packet read back from a tcpdump binary file
Introduction to Snort Usage
In This Section
– Basic invocation using the command line
– Logging & options
  – Directory sort (default)
  – Binary dump (tcpdump format)
  – Off (no logging)
– Alerts & options
  – Alert types
  – Alert delivery options
– Rules
  – Rule file specification
  – Rule types
Running Snort
Invoking Snort with no arguments just generates a usage / options message. To do something, at least one of the following is required:
– -v       Verbose, dump decoded packets to stdout
– -c <fn>  Use rules file <fn>
– -b       Binary dump undecoded packets into a file (tcpdump format)
Example: Basic Invocation
> snort -v
Initializing Network Interface ep1
Decoding Ethernet on interface ep1
-*> Snort! <*-
Version 1.6.1-beta1
By Martin Roesch ([email protected], www.clark.net/~roesch)
06/28-16:58:19.877894 204.89.131.233:80 -> MY.NET.150.160:1412
TCP TTL:119 TOS:0x0 ID:13696 DF
******A* Seq: 0x101AEB1 Ack: 0x9A5FA7 Win: 0x2001
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/28-16:58:19.877998 MY.NET.150.160:1412 -> 204.89.131.233:80
TCP TTL:127 TOS:0x1A ID:43538 DF
******A* Seq: 0x9A5FA7 Ack: 0x101B461 Win: 0x1C7C
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/28-16:58:19.878182 209.252.154.64:1899 -> MY.NET.253.114:80
TCP TTL:20 TOS:0x0 ID:16420 DF
*****PA* Seq: 0xB3B219C Ack: 0x30A1394B Win: 0x2176
Example: Getting More Detail
> snort -vd
Initializing Network Interface ep1
Decoding Ethernet on interface ep1
-*> Snort! <*-
Version 1.6.1-beta1
By Martin Roesch ([email protected], www.clark.net/~roesch)
06/28-17:02:33.761442 208.188.32.226:64302 -> MY.NET.70.121:7777
UDP TTL:116 TOS:0x0 ID:45845
Len: 37
29 CA 48 03 01 BC 82 B9 6A DE B4 50 07 CA D6 48 ).H.....j..P...H
04 00 9C CB 8B A1 89 01 1C 11 CA BB 21 ............!
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/28-17:02:33.761503 MY.NET.20.10:39850 -> 216.115.105.60:80
TCP TTL:63 TOS:0x0 ID:62903
**S***** Seq: 0xA2DD19C5 Ack: 0x0 Win: 0x2000
TCP Options => MSS: 1460
Logging
Snort supports three kinds of logging:
1. Directory sort:
   – Decodes packets and sorts the results into different directories by IP and port
   – Default method
2. Binary dump:
   – Stores raw packet data in a binary file
3. Off:
   – Logging disabled
Setting the logging directory
By default, logs go to the directory:
– /var/log (unix)
– /snort/log (win32)
Command line option: -l <logdir>
– Redirects logs to directory <logdir>
Logging 1: the directory-sorted log file ./log/131.118.254.130/TCP:1959-119 contains:
06/28-17:08:16.561137 131.118.254.130:1959 -> MY.NET.1.6:119
TCP TTL:61 TOS:0x0 ID:32792 DF
*****PA* Seq: 0xA017051A Ack: 0xA5356082 Win: 0x4470
25 5E 45 2B 26 0D 0A 4D 42 41 53 2D 53 45 45 31 %^E+&..MBAS-SEE1
2A 24 4C 51 3D 3B 39 60 37 27 37 2B 29 38 46 43 *$LQ=;9`7'7+)8FC
56 29 38 30 41 3E 2A 46 24 27 56 31 4E 2A 46 44 V)80A>*F$'V1N*FD
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/28-17:08:16.571185 MY.NET.1.6:119 -> 131.118.254.130:1959
TCP TTL:63 TOS:0x0 ID:6910 DF
******A* Seq: 0xA5356082 Ack: 0xA0178846 Win: 0x5B40
00 00 00 00 00 00 ....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/28-17:08:16.651944 MY.NET.1.6:119 -> 131.118.254.130:1959
TCP TTL:63 TOS:0x0 ID:6976 DF
******A* Seq: 0xA5356082 Ack: 0xA019428A Win: 0x5B40
00 00 00 00 00 00 ....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Logging 2: Reading from a binary dump
> snort -v -r ./log/[email protected]
Initializing Network Interface ep0
snaplen = 1514
Entering readback mode..
-*> Snort! <*-
Version 1.6.1-beta1
By Martin Roesch ([email protected], www.clark.net/~roesch)
06/28-17:38:40.456070 61.139.8.125:80 -> MY.NET.20.10:29568
TCP TTL:43 TOS:0x0 ID:28329 DF
******A* Seq: 0xE43A5DAA Ack: 0xC59E5EB8 Win: 0x7D78
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/28-17:38:40.456164 MY.NET.20.10:41771 -> 216.200.16.77:80
TCP TTL:63 TOS:0x0 ID:10919
******A* Seq: 0x55CFD22 Ack: 0x5554AECE Win: 0x2238
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/28-17:38:40.456371 MY.NET.20.10:41771 -> 216.200.16.77:80
TCP TTL:63 TOS:0x0 ID:10920
*****PA* Seq: 0x55CFD22 Ack: 0x5554AECE Win: 0x2238
Logging 3: Disabled
Command line option: -N
– Turns off all logging functions
> snort -v -N
Initializing Network Interface ep1
Decoding Ethernet on interface ep1
-*> Snort! <*-
Version 1.6.1-beta1
By Martin Roesch ([email protected], www.clark.net/~roesch)
06/30-14:05:39.359582 204.117.117.22:1318 -> MY.NET.151.20:1704
UDP TTL:116 TOS:0x0 ID:47822
Len: 789
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/30-14:05:39.359726 MY.NET.20.10:2672 -> 216.111.248.10:80
TCP TTL:63 TOS:0x0 ID:52617
**S***** Seq: 0x7B372741 Ack: 0x0 Win: 0x2000
TCP Options => MSS: 1460
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Alerting
Alerts are “special actions” that Snort can take in response to different packets.
Definition of these actions is in the rules file, but the format and delivery of alerts is specified on the Snort command line.
Snort Alert Types
Command line option: -A <type>, where <type> is one of the following:
– full   Full alert (default): full text with detail of the packet that triggered the alert
– fast   Fast alert: abbreviated alert with packet header information
– none   No alert: disables the alert function
Snort Alert Delivery
By default all alerts go to a file named “alert” in the logging directory
Command line option: -s
– Directs alerts to the syslog
Command line option: -M <smb-hosts-file>
– Sends WinPopup messages to the list of workstations contained in the smb-hosts-file
Rules, Filters, and Modules
Filters– Narrow the selection of packets at collection
Rules– Specify processing and response
Modules– Pre- and Post-Processors
Snort Rules
Rules are the core of Snort's flexibility
Specified in a rules file
Actions:
– Alert: generate alert message and log the packet
– Log: log the packet
– Pass: ignore the packet
Order of evaluation: Alert-Pass-Log
– -o option changes this to Pass-Alert-Log
Command line option: -c <rules file>
A Word on CIDR Notation
Classless Inter-Domain Routing is used to identify the network Snort is protecting:
– MY.0.0.0/8            Class A network MY.x.x.x
– MY.NET.0.0/16         Class B network MY.NET.x.x
– MY.NET.WORK.0/24      Class C network MY.NET.WORK.x
– MY.NET.WORK.135/32    Indicates a specific host (135) on the class C MY.NET.WORK network
Snort Session with Rules
A simple rules file:
  var HOME_NET MY.NET.0.0/16
  alert tcp any any -> $HOME_NET 21
HOME_NET is the private network you are protecting with the Snort IDS.
I.e. internal network = 192.168.1.0, HOME_NET = MY.NET.1.0
Snort Session with Rules (2)
The first line defines the variable $HOME_NET to be MY.NET.0.0/16
The second line, alert tcp any any -> $HOME_NET 21, specifies that an alert be generated for every packet that is:
– A tcp packet
– From any source IP
– From any source port
– To any destination within $HOME_NET
– To destination port 21
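The header of a rule is itself a small matching language: CIDR blocks, $variables, port specs and a direction. As an added example that is not part of the presentation, here is a minimal evaluator for rule headers in Python. HOME_NET is set to 192.168.1.0/24 following the slide's mapping of MY.NET.1.0 onto 192.168.1.0, and defining EXTERNAL_NET as !$HOME_NET is an assumption of this example; the function names are this example's own. Bracketed address lists and the rule options after the parenthesis are not handled.

```python
import ipaddress

# Variables as a Snort rules file would define them (constructed for this
# example; the slide maps MY.NET.1.0 onto 192.168.1.0).
VARIABLES = {
    "HOME_NET": "192.168.1.0/24",
    "EXTERNAL_NET": "!$HOME_NET",
}

# Rules taken from the slides; the Slammer rule is truncated to its header
# and first content test because only the header is evaluated here.
FTP_RULE = "alert tcp any any -> $HOME_NET 21"
SLAMMER_RULE = ('alert udp $EXTERNAL_NET any -> $HOME_NET 1434 '
                '(msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1;)')


def parse_rule_header(rule):
    """Split a rule header into its seven fields; the options after '(' are ignored."""
    fields = rule.split("(", 1)[0].split()
    if len(fields) != 7 or fields[4] not in ("->", "<>"):
        raise ValueError(f"bad rule header: {rule!r}")
    action, proto, src, sport, direction, dst, dport = fields
    return {"action": action, "proto": proto.lower(), "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport}


def address_matches(spec, ip, variables=VARIABLES):
    """Evaluate an address field: any, $VAR (resolved recursively), !spec, or a CIDR block."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not address_matches(spec[1:], ip, variables)
    if spec.startswith("$"):
        return address_matches(variables[spec[1:]], ip, variables)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    """Evaluate a port field: any, a single port, or a low:high range (either end open)."""
    if spec == "any":
        return True
    if ":" in spec:
        low, high = spec.split(":", 1)
        return (int(low) if low else 0) <= port <= (int(high) if high else 65535)
    return port == int(spec)


def rule_header_matches(rule, proto, src_ip, src_port, dst_ip, dst_port, variables=VARIABLES):
    """True when the packet 5-tuple satisfies the rule header (either way round for '<>')."""
    h = parse_rule_header(rule)
    if h["proto"] != proto.lower():
        return False
    forward = (address_matches(h["src"], src_ip, variables) and port_matches(h["sport"], src_port)
               and address_matches(h["dst"], dst_ip, variables) and port_matches(h["dport"], dst_port))
    if forward or h["direction"] == "->":
        return forward
    return (address_matches(h["src"], dst_ip, variables) and port_matches(h["sport"], dst_port)
            and address_matches(h["dst"], src_ip, variables) and port_matches(h["dport"], src_port))


if __name__ == "__main__":
    # Source/destination values here are constructed for the demonstration.
    for pkt in [("tcp", "209.70.98.152", 1168, "192.168.1.11", 21),
                ("udp", "142.176.0.210", 1115, "192.168.1.29", 1434),
                ("udp", "192.168.1.7", 1115, "192.168.1.29", 1434)]:
        print(pkt, "ftp rule:", rule_header_matches(FTP_RULE, *pkt),
              "slammer rule:", rule_header_matches(SLAMMER_RULE, *pkt))
```

The third packet in the demonstration is the reason $EXTERNAL_NET matters: a UDP/1434 datagram whose source is already inside HOME_NET does not satisfy the Slammer rule header, so an infected internal host spraying the same network would be missed by that rule as written, which is something to keep in mind when deciding how to define the variables in your own rules file.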
Rules Session Output
Snort command with -c option:
> snort -l ./log -c ./rules/myrules
Initializing Network Interface ep1
Decoding Ethernet on interface ep1
Initializing Preprocessors!
-------------------------------------------------
Keyword | Preprocessor @
-------------------------------------------------
http_decode : 0xd0d4
minfrag : 0xd2fc
portscan : 0xdfa0
portscan-ignorehosts: 0xea30
defrag : 0x10544
-------------------------------------------------
Rules Session Output
Now we look in the ./log directory:
> ls ./log
209.70.98.152 210.229.79.62 212.170.18.20 213.228.3.197 alert
Note: Default style logging (IP sorted by subdirectory) occurred since we didn't use the -N option
Rules Session Output (7)
> cat ./log/alert
[**] Snort Alert! [**]
06/30-14:58:42.567915 209.70.98.152:1168 -> MY.NET.60.11:21
TCP TTL:117 TOS:0x0 ID:28726 DF
*****PA* Seq: 0x48B9BE1 Ack: 0xFF900F0 Win: 0x1EC2
[**] Snort Alert! [**]
06/30-14:58:42.675093 209.70.98.152:1168 -> MY.NET.60.11:21
TCP TTL:117 TOS:0x0 ID:29238 DF
*****PA* Seq: 0x48B9C03 Ack: 0xFF90122 Win: 0x1E90
…
[**] Snort Alert! [**]
06/30-14:58:50.565715 213.228.3.197:32575 -> MY.NET.253.105:21
TCP TTL:50 TOS:0x0 ID:37043 DF
*****PA* Seq: 0x85115725 Ack: 0x176C2565 Win: 0x2238
TCP Options => NOP NOP TS: 7979439 31450159
[**] Snort Alert! [**]
06/30-14:58:50.771597 213.228.3.197:32575 -> MY.NET.253.105:21
TCP TTL:50 TOS:0x0 ID:37361 DF
******A* Seq: 0x8511572C Ack: 0x176C257D Win: 0x2238
TCP Options => NOP NOP TS: 7979439 31450160
2nd Snort Session with Rules
A slightly different Snort command with options: -N -c -A fast
> snort -l ./log -c ./rules/myrules -N -A fast
Initializing Network Interface ep1
Decoding Ethernet on interface ep1
Initializing Preprocessors!
-------------------------------------------------
Keyword | Preprocessor @
-------------------------------------------------
http_decode : 0xd0d4
minfrag : 0xd2fc
portscan : 0xdfa0
portscan-ignorehosts: 0xea30
defrag : 0x10544
-------------------------------------------------
2nd Rules Session Output
Now we look in the ./log directory:
> ls ./log
alert
Note: Default logging was suppressed by the -N option but alerts were still allowed to be recorded
2nd Rules Session Output (3)
Note: Alerts are in abbreviated form due to the option: -A fast
> cat ./log/alert
06/30-18:03:30.238623 206.136.246.12:3433 -> MY.NET.60.16:21
06/30-18:03:30.352807 206.136.246.12:3433 -> MY.NET.60.16:21
06/30-18:03:30.627864 206.136.246.12:3433 -> MY.NET.60.16:21
06/30-18:03:30.627991 206.136.246.12:3433 -> MY.NET.60.16:21
06/30-18:03:30.761860 206.136.246.12:3433 -> MY.NET.60.16:21
06/30-18:03:31.688452 206.136.246.12:3433 -> MY.NET.60.16:21
06/30-18:03:31.764592 206.136.246.12:3433 -> MY.NET.60.16:21
06/30-18:03:31.842841 206.136.246.12:3433 -> MY.NET.60.16:21
06/30-18:03:32.036428 206.136.246.12:3433 -> MY.NET.60.16:21
06/30-18:03:32.210022 206.136.246.12:3433 -> MY.NET.60.16:21
06/30-18:03:32.373553 206.136.246.12:3433 -> MY.NET.60.16:21
06/30-18:03:32.517695 206.136.246.12:3433 -> MY.NET.60.16:21
06/30-18:03:32.619376 206.136.246.12:3433 -> MY.NET.60.16:21
06/30-18:03:32.694124 206.136.246.12:3433 -> MY.NET.60.16:21
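Both alert formats are simple enough to summarize with a few lines of code, which is the first step of the triage the sessions above illustrate (is one source hammering port 21 across the network?). The following is an added example and not code from the presentation: a parser for the full and fast alert formats shown in the two sessions, with the sample text constructed from the slides' own lines. The optional "[**] msg [**]" inside a fast line is the form Snort uses when the rule carries a msg option; the function names are this example's own.

```python
import re
from collections import Counter

# Sample alert text constructed from the slides: four full-format alerts from
# the first session and three fast-format lines from the second session.
FULL_ALERTS = """\
[**] Snort Alert! [**]
06/30-14:58:42.567915 209.70.98.152:1168 -> MY.NET.60.11:21
TCP TTL:117 TOS:0x0 ID:28726 DF
*****PA* Seq: 0x48B9BE1 Ack: 0xFF900F0 Win: 0x1EC2

[**] Snort Alert! [**]
06/30-14:58:42.675093 209.70.98.152:1168 -> MY.NET.60.11:21
TCP TTL:117 TOS:0x0 ID:29238 DF
*****PA* Seq: 0x48B9C03 Ack: 0xFF90122 Win: 0x1E90

[**] Snort Alert! [**]
06/30-14:58:50.565715 213.228.3.197:32575 -> MY.NET.253.105:21
TCP TTL:50 TOS:0x0 ID:37043 DF
*****PA* Seq: 0x85115725 Ack: 0x176C2565 Win: 0x2238
TCP Options => NOP NOP TS: 7979439 31450159

[**] Snort Alert! [**]
06/30-14:58:50.771597 213.228.3.197:32575 -> MY.NET.253.105:21
TCP TTL:50 TOS:0x0 ID:37361 DF
******A* Seq: 0x8511572C Ack: 0x176C257D Win: 0x2238
TCP Options => NOP NOP TS: 7979439 31450160
"""

FAST_ALERTS = """\
06/30-18:03:30.238623 206.136.246.12:3433 -> MY.NET.60.16:21
06/30-18:03:30.352807 206.136.246.12:3433 -> MY.NET.60.16:21
06/30-18:03:30.627864 206.136.246.12:3433 -> MY.NET.60.16:21
"""

# Packet header line: timestamp, optional inline "[**] msg [**]" (fast format
# with a msg option), then src:port -> dst:port. MY.NET style names are allowed.
HEADER = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?:\[\*\*\]\s*(?P<msg>.*?)\s*\[\*\*\]\s+)?"
    r"(?P<src>[\w.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\w.]+):(?P<dport>\d+)$")


def parse_alerts(text):
    """Parse Snort 'full' or 'fast' alert text into a list of dicts."""
    records, pending_msg = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[**]") and line.endswith("[**]"):
            pending_msg = line[4:-4].strip()   # full format: msg line precedes the header
            continue
        m = HEADER.match(line)
        if not m:
            continue                           # TTL / flags / options detail lines
        rec = m.groupdict()
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
        rec["msg"] = rec["msg"] or pending_msg or "Snort Alert!"
        pending_msg = None
        records.append(rec)
    return records


def summarize(records):
    """Count alerts per (source, destination, dport) and record each source's first/last time."""
    by_flow = Counter((r["src"], r["dst"], r["dport"]) for r in records)
    span = {}
    for r in records:
        first, last = span.get(r["src"], (r["ts"], r["ts"]))
        span[r["src"]] = (min(first, r["ts"]), max(last, r["ts"]))
    return by_flow, span


if __name__ == "__main__":
    for label, text in (("full", FULL_ALERTS), ("fast", FAST_ALERTS)):
        flows, span = summarize(parse_alerts(text))
        print(f"--- {label} format ---")
        for (src, dst, dport), n in flows.most_common():
            print(f"{n:3d}  {src} -> {dst}:{dport}   seen {span[src][0]} .. {span[src][1]}")
```

The grouping key deliberately includes the destination port: a single source reaching many hosts on port 21 reads very differently from many ports on one host, and the per-source time span distinguishes a quick scan from a slow, patient one.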
Sample Rules
Here are some illustrative rules:
Note the ‘msg’ option:
  alert tcp 195.11.50.204/32 any -> $HOME_NET any (msg:"GIAC 08-feb-2000";)
Note the ‘content’ option:
  alert udp any any -> $HOME_NET any (msg:"Trin00 password"; content:"[]..Ks";)
Sample Rules (2)
Note the ‘flags’ option:
  alert tcp any any -> $HOME_NET any (msg:"Possible Queso Fingerprint attempt"; flags: S12;)
All of the above:
  alert tcp any any -> $HOME_NET 80 (msg:"IIS Showcode access attempt"; content:"/msads/Samples/SELECTOR/showcode.asp"; flags: PA;)
And there are many, many other options, and combinations of options
Writing Snort Rulesets
Snort rules are simple and extremely flexible. For a more in-depth treatment of writing rulesets, it is more than worth your while to look at the docs at www.snort.org
Snort with filters
Snort can accept tcpdump-style filters
– These filters work at the “front end” of Snort
– Only packets passed by the filters will be processed by the rules
– Example:
    snort -v 'tcp[13] & 3 != 0'
  Accepts only packets that have either the SYN or the FIN bit set (or both)
Snort with filters (2)
Filters can be put at the end of Snort commands (see previous example)
Filters can also reside in a file
Command line option: -F <filter file>
– Reads filters into the Snort process from <filter file>
Snort Plug-Ins
Snort allows you to add new modules and to activate existing ones that come with the distribution
– Additions are compiled as object code and activated as usual
– Activation takes place in the rules file
A wide variety of modules are available
– One nifty module searches the packet stream for scanning behavior
Snort Plug-In Types
Preprocessor
– Packets are examined/manipulated before being handed to the detection engine
Detection
– Perform single, simple tests on a single aspect/field of the packet
Output
– Report results from the other plug-ins
Ways to use Snort
Real-time traffic analysis
– Watching the packets go by live (do you have a quiet, peaceful network?)
– How fast can you read?
Packet logging
– Collecting packets in raw form for later analysis
– Creating logs of decoded packets for later analysis
Stored log analysis
– Reading raw packet files for in-depth analysis
What Can Come Out of Snort
– Standard output (decoded packets)
– Binary dump (raw packets)
– Snort default logging scheme
– Text messages going to text files
  – Syslog-based logging
  – Other log files (like alert)
– Notifications
  – Samba-based pop-up windows
  – Other alerting modules (e.g. paging)
– Responses
  – Auto-responses (e.g. dropping connections)
Do It Yourself: Building a Larger Framework (diagrams)
– Very Simple: Packet Stream -> tcpdump process (sniffing, driven by a filter file) -> log file -> report generator
– Less Simple: Packet Stream -> SNORT (sniffing, driven by a rules file) -> alert file -> cron -> report generator -> e-mail
– Even Less Simple: the same SNORT -> alert file -> cron -> report generator -> e-mail chain (the slide's diagram shows the same components)
Correlation
Network traffic logs can be used to correlate with data in other records (system logs, authentication logs). If inappropriate or illegal activity is suspected, network log correlation can be used to justify closer scrutiny of things like e-mail and network session content. On hearing the description of “correlation”, a Maryland State trooper replied that he called it “probable cause”.
Correlation: Examples
– Daily report from system logs identifies any user with more than 10 authentication failures in one day from an external site
  – Network traffic logs may show other questionable activity from that site
– BlackIce on a desktop NT shows a DNS probe from an external site
  – Network traffic logs show a complete scan of the internal network, port 53
Resources
– All things Snort (Marty Roesch's Snort homepage): http://www.snort.org
– Snort database support: http://www.incident.org/snortdb
– Snort plug-ins: http://spyjurenet.com/linuxrc.org/projects/snort
– Attack signatures database (arachNIDS): http://www.whitehats.com
Resources (2)
– Other Snort tools:
  – Statistics: http://xanadu.rem.cmu.edu/snort
  – Snort report → HTML converter: http://www.silicondefense.com/snortsnarf
– Libpcap packet capture library: ftp.ee.lbl.gov
Demo
http://localhost/acid/index.html