8/14/2019 Linux World Expo
Harnessing the
Power of Snort
Brian Caswell
Principal Research Engineer, Sourcefire Vulnerability Research Team
Background
What is Snort?
  - Open Source packet analysis tool
  - The most widely deployed Network Intrusion Detection System (NIDS)
  - The de facto standard in intrusion detection and prevention
Who is Brian Caswell?
  - Sourcefire Vulnerability Research Team - Principal Research Engineer
  - Keeping Snort users ahead of the threat
  - Snort Rules Maintainer
  - Author, Snort 2.1 Intrusion Detection: Second Edition
Snort History
Initial release by Marty Roesch in 1998
Original goals of Snort:
  - Traffic analysis tool for a home network
  - Debugger for the service simulators Marty was developing for a honeypot system
  - Learning tool for libpcap
Initial open source release in December 1998
  - Just a sniffer, no rule language
Rules implemented early 1999
1.0 release, June 1999
  - Basic rules language, stateless
Snort History [cont.]
Snort 1.5 released December 1999
  - System was rearchitected to be modular and extensible
  - Same basic architecture still used today!
Snort implemented as a packet analysis pipeline:
  Data Acquisition -> Decode -> Preprocess -> Detect -> Action
Snort Goes Commercial
Sourcefire founded in January 2001
  - Snort 1.7 was the last release before full-time development began
  - Snort 1.7 was pitted head to head against 9 commercial IDS offerings in a Network Computing test and came in 3rd overall!
Snort 1.8 released in mid-2001
  - Contains a high-speed output system, an enterprise-grade IP defragmenter/TCP stream reassembler, etc.
Snort Today
Snort 2.3 available
  - Highly stateful, 3000 detection rules + protocol anomaly detection
  - Recent additions include a new portscan detector, a target-based IP defragmenter, event queuing, gigabit performance capabilities, etc.
12,000-15,000 downloads/week
600k+ rule updates per month
Most Innovative @ RSA 2005
Snort Tomorrow
The future:
  - New extensible data acquisition/decoder architecture
  - New stream reassembler
  - More application layer protocol analysis (SMTP/POP/IMAP, DCERPC, SNMP, Telnet/FTP, etc.)
  - Target-based traffic analysis
Getting Started
Getting Started
Website - http://www.snort.org
The stable release is always available at http://www.snort.org/dl
Installable binary packages and source tarballs are typically available
Also available via CVS: http://www.snort.org/source.html
Building Snort
Get the tarball from snort.org: http://www.snort.org/dl/snort-2.3.0.tar.gz
  (verify its checksum or signature against what snort.org publishes before building)
Make sure libpcap and PCRE are installed, including their headers; configure checks for both
Unpack as usual:
  tar zxvf snort-2.3.0.tar.gz
Build:
  cd snort-2.3.0; ./configure && make && make install
Read the Docs!
Lots of documentation is available for Snort!
  - Look in the doc directory of the tarball
  - Snort manual in PDF format
  - README files cover Snort features and subsystems
  - Man pages available too
Running Snort
Snort Run Modes
Three basic modes of operation:
  - Sniffer
  - Packet logger
  - NIDS
Runtime mode is determined at run-time via command line switches
Sample sniffer-mode output with payload display:
05/22-11:50:11.320761 127.0.0.1:55786 -> 127.0.0.1:631
TCP TTL:64 TOS:0x0 ID:16546 IpLen:20 DgmLen:69 DF
***AP*** Seq: 0xCE6183EE  Ack: 0x89ECD4F2  Win: 0xFFFF  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1481027454 1481027454
50 4F 53 54 20 2F 20 48 54 54 50 2F 31 2E 31 0D  POST / HTTP/1.1.
0A                                               .
NIDS Mode
Sniffer and packet logger modes are covered in the first chapter of the Snort manual
NIDS mode is what most people think of when talking about Snort
Command line switches:
  -c <file>: load NIDS config from <file>
  -A <mode>: specify alert mode (e.g. fast, full)
  -s: send alerts to syslog
Examples:
  snort -c snort.conf
  snort -c snort.conf -d -l ~/pktlog -s      (-d dumps application-layer data, -l sets the log directory)
  snort -c snort.conf -b -A fast             (-b logs packets in binary tcpdump format)
NIDS Mode [cont]
Useful switches:
  -D: daemon mode
  -i <interface>: sniff on network interface <interface>
  -r <file>: read packets from <file>
  -g <group>: set group ID of the Snort process
  -u <user>: set user ID of the Snort process
  -t <dir>: chroot the Snort process to <dir>
  (-u/-g/-t are applied after the capture interface is opened, so the sensor does not keep running as root)
If no command line switches are specified, Snort looks for snort.conf in /etc/snort and the local directory
Default logging directory is /var/log/snort
Snort Rules
Rule Syntax
Snort's rule syntax is simple and straightforward. It is also, unfortunately, quirky.
Full rule docs are in the snort_manual.pdf file!
Rule format
alert tcp $BAD any -> $GOOD any (flags: SF; msg:"SYN-FIN scan";)
|<-------- Rule Header -------->| |<------ Rule Options ------>|
Rule Header
  - static definition
  - has to be in every rule
Rule Options
  - variable definition
  - not always necessary (a rule with no options matches every packet its header describes)
  - 50+ options available
Rule Headers
alert tcp $BAD any -> $GOOD any
  alert   Rule action
  tcp     Protocol
  $BAD    Src. CIDR
  any     Src. Port
  ->      Direction
  $GOOD   Dest. CIDR
  any     Dest. Port
Rule Options
(flags: SF; msg:"SYN-FIN scan";)
  ( ... )   Option start/finish
Option detail, using flags:SF;
  flags     Keyword
  :         Separator
  SF        Argument
  ;         Delimiter
Fun with Snort Rules
Basic detection is fun and easy with Snort rules
To detect a basic string on the network (network grep) you just need the content keyword
Detecting basic strings is easy but can result in false positives
The better method is to define more constraints under which the rule may fire
alert tcp any any -> any any \
  (content:"foo"; msg:"detected foo!";)
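To see how the header, the option grammar and the content keyword from the last three slides fit together, here is a small parser and "network grep" matcher. It is an added example written for this page, not Snort's own rule parser: it handles only what the slides show (a header of seven fields with -> or <> direction, backslash-continued lines, quoted arguments, the |xx| hex escape in content, and the nocase modifier) and does not expand $variables or evaluate any other option.

```python
"""Minimal parser for Snort's rule header/option syntax plus a 'content' matcher.

Added example, not Snort's own code. It mirrors the header layout (action,
protocol, src CIDR, src port, direction, dst CIDR, dst port), the
keyword:argument; option grammar and the |xx| hex escape that content uses.
Only content/nocase are evaluated; other options are parsed but ignored.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    src_port: str
    direction: str
    dst: str
    dst_port: str
    options: list = field(default_factory=list)  # ordered (keyword, argument) pairs


_HEADER = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*(\((.*)\))?\s*$", re.S)


def parse_rule(text: str) -> Rule:
    """Split a rule (backslash-newline continuations allowed) into 7 header fields + options."""
    text = text.replace("\\\n", " ").strip()
    m = _HEADER.match(text)
    if not m:
        raise ValueError("malformed rule header: %r" % text)
    rule = Rule(*m.groups()[:7])
    rule.options = _parse_options(m.group(9) or "")
    return rule


def _parse_options(body: str) -> list:
    """';' delimits options, except inside "quotes" or when escaped with a backslash."""
    opts, buf, quoted, i = [], "", False, 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):      # keep escape pairs (\; \" \\) intact for now
            buf += body[i:i + 2]
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        if c == ";" and not quoted:
            opts.append(_split_option(buf))
            buf = ""
        else:
            buf += c
        i += 1
    if buf.strip():
        opts.append(_split_option(buf))
    return opts


def _split_option(opt: str):
    key, _, arg = opt.strip().partition(":")     # ':' is the keyword/argument separator
    return key.strip(), arg.strip()


def content_bytes(arg: str) -> bytes:
    """Decode a content argument: strip quotes, expand |41 42| hex runs, unescape \\; \\" \\\\."""
    arg = arg.strip()
    if arg.startswith('"') and arg.endswith('"'):
        arg = arg[1:-1]
    out = bytearray()
    for i, chunk in enumerate(arg.split("|")):
        if i % 2:                                 # odd chunks sit between | | and are hex
            out += bytes.fromhex(chunk)
        else:
            out += (chunk.encode("latin-1")
                    .replace(b"\\\\", b"\\").replace(b'\\"', b'"').replace(b"\\;", b";"))
    return bytes(out)


def content_matches(rule: Rule, payload: bytes) -> bool:
    """True if every content option occurs in the payload; nocase applies to the content before it."""
    opts = rule.options
    for idx, (key, arg) in enumerate(opts):
        if key != "content":
            continue
        needle, hay = content_bytes(arg), payload
        if idx + 1 < len(opts) and opts[idx + 1][0] == "nocase":
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True
```

content_matches is exactly the "network grep" the slide describes: a plain substring search over the payload, so "foo" inside "foobar", in either direction, in any session state, fires the rule. That is the false-positive problem the next slides address with flow and flowbits.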
Getting Stateful with Snort Rules
Two options are available for Snort rules:
  - flow: check TCP session state and direction
  - flowbits: set/test/clear application state information
The stream4 preprocessor must be running for the flow keyword to work
The flow preprocessor must be running to enable flowbits
This rule will only fire for TCP sessions that are in the ESTABLISHED state and for traffic headed to the server:
alert tcp any any -> any any \
  (flow: established, to_server; \
   content:"foo"; msg:"detected foo";)
Stateful Snort Rules
There is another type of state that can be used: cross-rule state
Uses the new flowbits keyword to set/test/clear bits in Snort rules
We can track application protocol state with Snort!
Example: the first rule records, without alerting, that the client has entered SMTP DATA mode; the second rule only fires while that bit is not set, so an "EXPN" appearing inside a message body is ignored
alert tcp any any -> $SMTP 25 \
  (pcre:"/^DATA\n/i"; \
   flowbits: set,smtp.client.mode.data; \
   flowbits: noalert;)
alert tcp any any -> $SMTP 25 \
  (msg:"SMTP expn decode"; flow: established, to_server; \
   flowbits: isnotset,smtp.client.mode.data; ...
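The effect of cross-rule state is easiest to see by running the two rules above against a whole SMTP session. The model below is an added example, not Snort's detection engine: rules are plain dictionaries, the session is assumed to be already ESTABLISHED (stream4/flow would track that), and the SMTP exchange is constructed. One rule is my addition and is marked as such: the slide elides the rest of its rule set, and without a rule that clears the bit on the end-of-data "." line the client would never return to command mode.

```python
"""Toy model of Snort's flow/flowbits state across rules (added example, not Snort code).

Each 'packet' is (direction, payload). A single session's flowbits live in one set,
just as Snort keys them per flow. The rule that clears the bit on the '.' line is
an assumed addition; the other two follow the slide.
"""
import re

TO_SERVER, TO_CLIENT = "to_server", "to_client"

RULES = [
    # slide rule 1: client sends DATA -> enter body mode, do not alert
    dict(msg=None, flow=TO_SERVER, pcre=r"^DATA\r?\n",
         flowbits=("set", "smtp.client.mode.data"), noalert=True),
    # assumed addition: a lone '.' line ends the body and returns to command mode
    dict(msg=None, flow=TO_SERVER, pcre=r"^\.\r?\n",
         flowbits=("unset", "smtp.client.mode.data"), noalert=True),
    # slide rule 2: EXPN only matters while the client is NOT in DATA mode
    dict(msg="SMTP expn decode", flow=TO_SERVER, content=b"EXPN", nocase=True,
         flowbits=("isnotset", "smtp.client.mode.data")),
]

# the same detection without state, for comparison (plain network grep)
NAIVE_RULES = [dict(msg="SMTP expn decode", flow=TO_SERVER, content=b"EXPN", nocase=True)]

# constructed client/server exchange; the body mentions EXPN, then a real EXPN follows
SESSION = [
    (TO_CLIENT, b"220 mail.example.test ESMTP\r\n"),
    (TO_SERVER, b"EHLO client.example.test\r\n"),
    (TO_SERVER, b"MAIL FROM:<a@example.test>\r\n"),
    (TO_SERVER, b"RCPT TO:<b@example.test>\r\n"),
    (TO_SERVER, b"DATA\r\n"),
    (TO_CLIENT, b"354 End data with <CR><LF>.<CR><LF>\r\n"),
    (TO_SERVER, b"Subject: notes\r\n\r\nthe EXPN command lists members of a list\r\n"),
    (TO_SERVER, b".\r\n"),
    (TO_SERVER, b"EXPN root\r\n"),
]


def rule_matches(rule, direction, payload, bits):
    """Evaluate flow direction, content (with nocase), pcre (^ = start of payload) and flowbits tests."""
    if rule.get("flow") and rule["flow"] != direction:
        return False
    if "content" in rule:
        needle, hay = rule["content"], payload
        if rule.get("nocase"):
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    if "pcre" in rule and not re.search(rule["pcre"].encode(), payload, re.I):
        return False
    op, name = rule.get("flowbits", (None, None))
    if op == "isset" and name not in bits:
        return False
    if op == "isnotset" and name in bits:
        return False
    return True


def run(rules, packets):
    """Evaluate every rule against every packet in order; return the alert messages raised."""
    bits, alerts = set(), []
    for direction, payload in packets:
        for rule in rules:
            if not rule_matches(rule, direction, payload, bits):
                continue
            op, name = rule.get("flowbits", (None, None))
            if op == "set":
                bits.add(name)
            elif op == "unset":
                bits.discard(name)
            if not rule.get("noalert"):
                alerts.append(rule["msg"])
    return alerts
```

With state, only the EXPN sent as a command alerts; the stateless rule also fires on the word inside the message body. Note that flowbits are only as good as the rules that clear them: forget the end-of-data rule and every later command in the session is suppressed.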
Regular Expressions
Snort supports PCRE - powerful regular expression payload analysis
Use with care: maintainability and performance issues
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 \
  (msg:"VIRUS OUTBOUND bad file attachment"; \
   flow:to_server,established; \
   content:"Content-Disposition|3A|"; nocase; \
   pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[stw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]/iR"; \
   classtype:suspicious-filename-detect; \
   sid:721; rev:7;)
Managing Output
Snort Output
Two basic types:
  - Alerts are for real-time notification
  - Logs are for forensics
Several alert/log output types are available
  Alert: syslog, text, database, unified
  Log: text, pcap, database, unified, CSV
Performance is a big deal in the output subsystem
  Low performance = dropped packets, and a dropped packet is a missed attack
Snort's unified format was designed specifically for high-performance output
Pcap format is for cross-platform analysis
Unified Output
Unified output is set up for high performance and flexibility
Unified format can be converted to any of the other formats (DB, pcap, XML, etc.)
Barnyard is used to process unified files: http://www.snort.org/dl/barnyard/barnyard-0.2.0.tar.gz
Input/output plugins
  Input: alert, log, stream (flow data)
  Output: DB, CSV, syslog, pcap, SGUIL, text, XML
Output Futures
Unified/Barnyard are the future of Snort output generation
Performance is the number one concern of the sensor process
Unified2 coming soon; Barnyard will change to suit
Most complex post-processing should move into Barnyard
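The design the last two slides describe (the sensor appends fixed-layout binary records, a separate process converts them) is easiest to see with a reader for the Unified2 stream that the slide says is coming. This is an added example, not Barnyard or Snort code: on disk Unified2 is a sequence of (type, length) headers each followed by a network-byte-order record, and the field layouts used here are the UNIFIED2_IDS_EVENT (type 7) and UNIFIED2_PACKET (type 2) records from Snort's unified2 documentation. The sample stream is constructed with those same layouts.

```python
"""Reader for a Unified2 record stream (added example; not Barnyard or Snort code)."""
import struct
from ipaddress import IPv4Address

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

# type 7: 11 x u32, 2 x u16, 4 x u8 = 52 bytes, network byte order
_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")
_EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                 "signature_id", "generator_id", "signature_revision",
                 "classification_id", "priority_id", "ip_source", "ip_destination",
                 "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked")
# type 2: 7 x u32 followed by packet_length bytes of captured frame
_PACKET = struct.Struct("!IIIIIII")
_PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                  "packet_microsecond", "linktype", "packet_length")


def iter_records(data: bytes):
    """Yield (type, body) per record; stop cleanly at a partial record rather than mis-parsing it."""
    off = 0
    while off + 8 <= len(data):
        rtype, length = struct.unpack_from("!II", data, off)
        off += 8
        if off + length > len(data):
            break            # the sensor may still be writing this record; a tailing reader retries later
        yield rtype, data[off:off + length]
        off += length


def decode(rtype: int, body: bytes) -> dict:
    """Turn one record body into a dict; unknown types are passed through raw."""
    if rtype == UNIFIED2_IDS_EVENT:
        rec = dict(zip(_EVENT_FIELDS, _EVENT.unpack(body[:_EVENT.size])))
        rec["ip_source"] = str(IPv4Address(rec["ip_source"]))
        rec["ip_destination"] = str(IPv4Address(rec["ip_destination"]))
        return rec
    if rtype == UNIFIED2_PACKET:
        rec = dict(zip(_PACKET_FIELDS, _PACKET.unpack(body[:_PACKET.size])))
        rec["packet_data"] = body[_PACKET.size:_PACKET.size + rec["packet_length"]]
        return rec
    return {"unknown_type": rtype, "raw": body}


def read_events(data: bytes) -> list:
    """Pair each IDS event with the packet records that follow it (same event_id)."""
    events = []
    for rtype, body in iter_records(data):
        rec = decode(rtype, body)
        if rtype == UNIFIED2_IDS_EVENT:
            rec["packets"] = []
            events.append(rec)
        elif rtype == UNIFIED2_PACKET and events and events[-1]["event_id"] == rec["event_id"]:
            events[-1]["packets"].append(rec["packet_data"])
    return events


def _record(rtype: int, body: bytes) -> bytes:
    return struct.pack("!II", rtype, len(body)) + body


# constructed sample: one event for sid 721 rev 7 (the attachment rule) plus its packet
SAMPLE_PACKET = b"\x45\x00\x00\x28" + b"\x00" * 36     # 40 placeholder bytes standing in for a frame
SAMPLE = (
    _record(UNIFIED2_IDS_EVENT, _EVENT.pack(
        1, 42, 1116769811, 320761, 721, 1, 7, 2, 2,
        int(IPv4Address("192.168.1.10")), int(IPv4Address("10.0.0.25")),
        4321, 25, 6, 0, 0, 0))
    + _record(UNIFIED2_PACKET,
              _PACKET.pack(1, 42, 1116769811, 1116769811, 320761, 1, len(SAMPLE_PACKET)) + SAMPLE_PACKET)
)
```

Everything that costs time (address formatting, joining events to packets, writing to a database) happens in the reader, not in the sensor, which is the point of the slides: the sensor only does a sequential append of fixed-size records. The truncation check in iter_records matters in practice because the sensor and the reader share a live file.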
Current & Future Developments
New portscan detector
  - Uses rate-based and backscatter methods to detect portscans
New IP defragmenter (frag3)
  - Target-based, very hard to evade or confuse, high performance
New TCP stream reassembler (stream5)
  - Target-based, high performance
New data acquisition frontend
  - Modular, extensible
New decoder architecture
  - Modular, extensible, easier to add protocols to Snort
Additional layer-7 preprocessing
  - Better protocol anomaly detection, more protocols normalized, enables new protocol-specific detection keywords
Target-based detection engine
Questions & Answers
"Sourcefire, framing the future of IT security" - Information Security Magazine, The Influence List
www.sourcefire.com
800 917 4134