
Snort Intro and Overview – FedVTE Online Training Portal

Table of Contents

First the Basics . . . ........................................................................................................................... 2

SNORT Intrusion Detection System ................................................................................................ 3

SNORT Intrusion Detection System -1 ............................................................................................ 4

SNORT Intrusion Detection System -2 ............................................................................................ 5

SNORT Background -1 ..................................................................................................................... 6

SNORT Background -2 ..................................................................................................................... 8

SNORT Installation and Configuration -1 ...................................................................................... 10

Installing and Configuring SNORT ................................................................................................. 12

Installing SNORT in Windows ........................................................................................................ 13

SNORT Functionality ..................................................................................................................... 14

SNORT Rules .................................................................................................................................. 15

Advanced SNORT Rules -1 ............................................................................................................. 17

Advanced SNORT Rules -2 ............................................................................................................. 18

Advanced SNORT Rules -3 ............................................................................................................. 19

Advanced SNORT Rules -4 ............................................................................................................. 20

Advanced SNORT Rules -5 ............................................................................................................. 21

SNORT Intrusion Prevention System -1 ........................................................................................ 22

SNORT Intrusion Prevention System -2 ........................................................................................ 23

SNORT Usage................................................................................................................................. 25

Notices .......................................................................................................................................... 26

Page 1 of 26

First the Basics…

Protocol Analyzer/Network Sniffer

Packet Logger

Intrusion Detection System
• Host-based (HIDS)
• Network-based (NIDS)

Intrusion Prevention System
• Host-based (HIPS)
• Network-based (NIPS)

Wireshark – Protocol Analyzer
WinDump – Network Analyzer

**003 There are protocol analyzers, packet sniffers, packet loggers out there. They all basically capture traffic. What sets an IDS apart from these is it actually does some type of analysis on the traffic that it does see. There are host-based intrusion detection systems that sit on individual systems and protect those individual systems. There are also network-based IDSs, which protect groups of computers, networks, subnets. You'll also hear the term intrusion prevention system, and that's the idea that when it generates an alert, it's going to actively try to prevent that attack from happening, either by closing the connection, sending a reset. It's going to take some type of active measure in order to kill the attack that it's seeing.

SNORT Intrusion Detection System

**004 So let's talk about Snort.


SNORT Intrusion Detection System -1

Free and open source
• www.snort.org

Free updates
• SNORT is constantly being updated

Free signatures
• Official Rules
• Community Rules

Paid for signatures
• Bleeding Edge

Can log the data it collects to files or databases
• We will be using MySQL in the lab.

ACID/BASE is a GUI front-end
• Gives ready access to the alerts and information SNORT installation is collecting

**005 Snort is free and open source. It's available from Snort.org. It's constantly being updated. It's been a fairly well-supported program for quite a while. There are several different types of signatures available for it, both free and paid for, that we'll talk about in a little bit. It does actually log the data that it does collect into a database. In the case of the virtual machines that you have, it's all being logged to MySQL, so you do have access to the underlying data if you really want to look at it. Again, I think it's one of those eye-gouging things. Use a frontend for it; it's a lot easier to interpret the data. So use a program like ACID/BASE in order to view what Snort is actually telling you, or what it's actually seeing.

SNORT Intrusion Detection System -2

Can be used for a multitude of tasks
• Sniffer
  — # snort -v
• Packet Logger
  — # snort -l <logdir>
• Network Intrusion Detection System
  — # snort -A <mode> or # snort -c [{path}/config-file]
• Host Intrusion Detection System
  — # snort -p -A <mode>
  — -p takes snort out of Promiscuous Mode

Promiscuous Mode – Tells the network interface card to pass all packets it sees on the wire to the network driver versus only passing those packets addressed for the host system.

**006 You can run Snort as a sniffer if you wanted, as a packet logger. You can run it as an IDS, and you can even run it as an IPS. It depends entirely on how you've configured Snort, how you've compiled the source, whether you've compiled certain options in there in order for it to do certain things. I think default, out of the box, when you install it, it comes in IDS mode. So if you want to put it into intrusion prevention mode, you actually have to recompile it and set some specific flags in there.


SNORT Background -1

SNORT monitors traffic seen by the box's network card in promiscuous mode.

SNORT compares this traffic to a set of static rules (signatures).

Any matches to the signatures produce an alert.

These alerts can be displayed through SYSLOG or through several other front-ends (like BASE).

Alerts can be stored in a database for later analysis.

An operator can view these alerts and take appropriate action.

Note the one-way paths here – for security purposes…
• BUT – these could all be on the same box if we wanted… (and we do for this workshop).

[Diagram: Network → SNORT (1.1.1.1) sniffs traffic and sends alerts → MySQL (1.1.1.2) stores alerts → BASE (1.1.1.3), where the operator views alerts.]

**007 Just some background on Snort and how this would generally work. Well, you have some network out here, and you've got your Snort installation here. Let's just say it's sitting on 1.1.1.1. Well, in the most generic form, Snort is going to sit there and it's going to look at traffic, either passing through it, if it's in inline mode-- we'll talk about that-- or it's going to sit there and look at traffic coming in off of a spanning port, off of a switch, or something like that. So the point is, Snort is sitting here and it's looking at the traffic that's coming in, and it's going to compare it to its signature set that it has. Then what it's going to do is if any of the traffic that it sees matches a signature, it's going to generate an alert, and it's going to fire that alert off to some database, which could be running on a separate host. In this diagram that we've got on the screen, it's running on a separate host. From there, how do you actually interact with this data? Well, you've got a third host out there where-- this is the operator console. This is the frontend that's interfacing with the database. So in this big chain here, you've got three separate hosts: one running Snort, one running a database, and one running a frontend to actually look at the data that Snort's creating for you. Now, what you can do, of course, is collapse all this down onto one host and you can run Snort plus the database plus the GUI all on one system if you want to.

SNORT Background -2

The key to SNORT is its rules.
• Two kinds
  — Official Rulesets
    o Paying users get them as they are released
    o Registered users get them "shortly" after release
    o Unregistered users get them with SNORT releases
  — Community Rules
    o Publicly Available

Rules are text based files that contain a signature (what to alert on) and an action (how to alert).


**008 The key to Snort really is its rules. The real power to Snort comes from its ability to look at traffic and say, "Is this malicious, or is it not malicious?" What defines that is the rule set that it has. Snort has two different kinds of rule sets. There's the official rule set that comes from Sourcefire. If you are just a-- you've downloaded it, Snort, but you haven't registered, you get whatever rule set came with that package without any updates. If you want updates, you have to register and provide them your name and email address and you get updates that are 30 days old. So they'll release a signature set; 30 days after that they'll make it available to their registered but not paying users. If you want to pay for it, then you'll get the rules as they're released by-- at least officially released-- by Sourcefire. So you can get that. There's also community rules that are out there, both pay and free rules. But since it's an open source program and the rule set for it is not proprietary, it's just text, anybody can write a rule for it. And so there are several community sites that you can go to to either pay for the signatures or just use what the community has come up with.


SNORT Installation and Configuration -1

Can be installed inline or standard, active or passive
• Inline – traffic must flow through the SNORT box to reach the network
• Standard – SNORT sniffs traffic on the network
• Active – SNORT will attempt to block (RST) connections that result in an alert
• Passive – SNORT will alert only

We have configured SNORT in inline and passive mode.

SNORT is pre-installed for your lab, but it is pretty easy to do.
• apt-get install snort-mysql

**009 And we'll talk about the rules in a slide here, in a few slides. So, Snort can be installed in inline mode or standard mode, and either active or passive. Inline means that it is sitting in the network and traffic has to pass through it to get to somewhere else. What this implies is that you've got potentially a single point of failure in your network. If the Snort box goes down, then no traffic passes through that. If it's inline mode, you probably have this at your gateway or something like that, and so it's monitoring all the traffic coming into the network and all the traffic leaving the network. That's what inline mode is.


Standard mode is where you're hanging Snort off of a switch, like off of a span port or mirror port or something like that. So you can do it in standard mode. Active mode is where Snort is in intrusion prevention mode and you can actually control or try to terminate connections that may be deemed malicious. And then passive mode, where Snort is just listening. And so it'll generate alerts, but it's not going to actively try to reset connections or anything like that. So on the virtual machine, and what we have in the labs, it's configured in inline mode and mostly passive, although there's-- actually in the lab we have it in active mode. So it's inline mode, in active mode, is what you'll see in the lab. And if you wanted to install Snort, at least the basic version of it where it's mostly preconfigured for you, that's the line that you would use in Ubuntu or something to install it.


Installing and Configuring SNORT

To build SNORT from source code
• Create a SNORT directory in /usr/local/src
• Download SNORT from snort.org into the new directory
• Then

$ tar xvzf snort-2.9.x.tar.gz
$ cd snort-2.9.x
$ ./configure
$ make
# make install

• … the SNORT binary will be placed in /usr/local/bin

The two main dependencies you will need to have installed before building are libpcap and pcre (Perl Compatible Regular Expressions).

**010 If you want to build it from source code, it's a little bit more trying. But again, if you want to set specific options, like putting it in active mode or enabling active response, you have to compile it. These are the commands that you would use, at least on Ubuntu, to compile it and build a program that you can use.


Installing SNORT in Windows

Download the .exe installation package from: http://www.snort.org/downloads/

Run the installation package

The main dependency for Windows is to have WinPcap installed.
• If you already have Wireshark installed, you should be alright: http://winpcap.org

**011 If you're running Snort on Windows, which you can do, because there's a port for it for Windows, you just download the installation package and run it. You have to have WinPcap installed, but that's usually not a big deal. It's another executable you have to go and download and run. But it is possible to run Snort on Windows, although here we'll be running it in Ubuntu.


SNORT Functionality

At a very basic level, SNORT will log any alerts to the MySQL database – you can check the ‘events’ table to see what alerts have been generated.

Admittedly, this is NOT a good way for an operator to monitor intrusions – BUT, it lets YOU develop your own front-end if you do not like one of the available ones.

Enter BASE – a web front-end to the MySQL database for displaying the alerts. More on this later.

**012 So, as I mentioned before, the basic functionality of Snort is that it's going to look at the traffic flowing through it or being passed to it, and it's going to compare the traffic to the signatures that it has, and any alerts or any matches will generate alerts, and those will get dumped into the database. There's a specific table in the database called Events, and this is where all of the raw Snort alerts get generated and are stored. Then it's up to your frontend program, or whatever operator console you'll have, to interpret that, to read it out of the database and present it to you such that you could actually do something with it-- you could see it and you could do something with it. So one of those frontends is called BASE and it's a program. All it does is read the MySQL database that Snort is pushing alerts into, and it displays those alerts to you.

SNORT Rules

A rule in SNORT is nothing more than a text representation of what to alert on and what to do if it alerts.

Sample (simple!) rule

alert tcp any any -> $HOME_NET any (flags:S; msg:"SYN packet";)

Syntax
• Function protocol IP port -> IP port (content screen; msg:"Alert message";)
• Content screen can be anything – flags, packet content, length, fragmentation, pretty much any packet attribute
• Alert message – message that is displayed to the operator
• You can also put in references (bugtraq, cve, etc.) and classifications

**013 Here's what a sample Snort rule looks like. And the general form of this is you have some type of function-- that could be Alert, Reject. You have some type of protocol. You have the source IP address and port. You have the destination IP address and port. And then you have some type of content screening. These are the actual patterns that Snort is going to look for. And then you might have some type of alert message or references that follow in this as well. So if you look at the example here, what is this rule actually saying? Well, it says Alert. What is that going to do? Snort is going to say, "Hey, I saw this." It's not going to take any action; it's not going to reject it; it's not going to drop it on the floor. It's just going to say, "Alert." The next keyword up there is TCP. So now you know that the Snort rule is looking for TCP traffic from any-- any any means any IP address, any port. And then destination HOME_NET. So this is a variable, a shell script variable in Linux, that says, "My home network is whatever my internal network is." So with this rule, what it would say is, "I'm looking for any TCP traffic from any IP address to the network that I'm protecting. And if that TCP packet has the S flag"-- in this case the SYN flag-- "set, generate an alert that says 'I've seen a SYN packet.'" Easy question: Is this a good rule to have on your Snort sensor? Student: No. Chris Evans: Why not? Student: Noise. Chris Evans: Noise, right. You're self-generating noise here. So probably not a good idea. But this is a good rule that you can use to test your Snort installation to make sure that it's actually working and pushing data into your SQL database, and that your frontend is actually displaying that to you.

Advanced SNORT Rules -1

Alert on any TCP traffic from the outside, any port, to the inside on port 80.

alert tcp $EXTERNAL_NET any -> any 80 (msg:"SQL Injection -Possible OR 1=1 Stuff"; flow:to_server,established; pcre:"/\w*(\%27)|'(\s|\+)*((\%6F)|o|(\%4F))((\%72)|r|(\%52))/i"; classtype:web-application-attack; sid:9002; rev:1;)

**014 So here's more of an advanced rule. This is an example of a rule that's set up to look for SQL injection attacks. So here, again, we have the Alert keyword. It's looking for TCP traffic. In this case, we have an external net defined, which, in this case, it's anything outside our protected network. So from any IP address outside our network on any port, to any IP address-- presumably this would be on the inside-- but to any IP address on port 80. So again, we're looking for traffic coming into our network on port 80. You can see what our alert message is there, which is SQL injection.

Advanced SNORT Rules -2

The alert that will be generated and appear in your sensor logs or front-end system.

msg:"SQL Injection -Possible OR 1=1 Stuff";

**015 We're looking for-- the apostrophe 1=1 stuff going on here.


Advanced SNORT Rules -3

Specifically, look for traffic going to the server that is part of an established session.

flow:to_server,established;

**016 We're looking for established sessions going to our server. So now you've identified as part of this rule directional capability. So now this rule is looking for traffic coming to our server that's already part of an established session. So we're not going to alert on the half-open connections that might have this in it, even though I don't know why that would be the case, but maybe. So we've actually fine-tuned our rule here to say that the session has to be open and established and headed to the server for us to alert on it.


Advanced SNORT Rules -4

This is a PCRE – Perl Compatible Regular Expression – looking for the string ' OR and its variants.

• Beginning of the "word", then the apostrophe, then whitespace, then letter "o", then letter "r"

pcre:"/\w*(\%27)|'(\s|\+)*((\%6F)|o|(\%4F))((\%72)|r|(\%52))/i";

**017 And this is the real meat of the rule here. This is a Perl-compatible regular expression. And if you speak regular expression, what you'll see here is this is looking for the apostrophe, space, OR, and the various variations of that-- lowercase, uppercase, the hex. You can see the various hex code representations of it there, like %6F or %4F.


Advanced SNORT Rules -5

Alert classification, rule identification number and revision for documentation purposes

classtype:web-application-attack; sid:9002; rev:1;

**018 And then you can have a-- you have an opportunity to classify the alert. So you can group alerts by certain classes, assign it an identification number and then maybe a revision number if you want to do it for documentation purposes.
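As an added illustration (not code from the course or from Snort itself), here is a small Python reader that splits a rule into its header fields and option list and replays the pcre option of the rule above against constructed HTTP request lines; it ignores flow state, Snort variables and all non-pcre options, and the request lines, helper names and the D'Orsay false-positive case are my own assumptions.

```python
import re

# Header layout: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.DOTALL,
)

# The two rules shown on the slides, copied verbatim.
SYN_RULE = r'alert tcp any any -> $HOME_NET any (flags:S; msg:"SYN packet";)'
SQLI_RULE = (
    r'alert tcp $EXTERNAL_NET any -> any 80 '
    r'(msg:"SQL Injection -Possible OR 1=1 Stuff"; flow:to_server,established; '
    r"""pcre:"/\w*(\%27)|'(\s|\+)*((\%6F)|o|(\%4F))((\%72)|r|(\%52))/i"; """
    r'classtype:web-application-attack; sid:9002; rev:1;)'
)


def split_options(body):
    """Split 'key:value; key:value;' on semicolons outside double quotes.
    Options without a value (e.g. nocase) get an empty string."""
    opts, buf, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            opts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        opts.append(tail)
    return [tuple(o.split(":", 1)) if ":" in o else (o, "") for o in opts]


def parse_rule(text):
    """Return (header dict, [(option, value), ...]) for one rule."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    header = {k: v for k, v in m.groupdict().items() if k != "opts"}
    return header, split_options(m.group("opts"))


def compile_pcre(value):
    """Turn a pcre:"/pattern/mods" value into a Python regex. Only the
    Perl modifiers i, s and m are mapped; Snort's buffer selectors
    (U, R, B, ...) are not modelled here."""
    body = value.strip().strip('"')
    last = body.rfind("/")
    pattern, mods = body[1:last], body[last + 1:]
    flags = 0
    for mod, flag in (("i", re.IGNORECASE), ("s", re.DOTALL), ("m", re.MULTILINE)):
        if mod in mods:
            flags |= flag
    return re.compile(pattern, flags)


def pcre_hits(rule_text, payloads):
    """Map each payload name to True when any pcre option of the rule
    matches it (flow:, variables and other options are not evaluated)."""
    _, options = parse_rule(rule_text)
    regexes = [compile_pcre(v) for k, v in options if k == "pcre"]
    return {name: any(r.search(p) for r in regexes)
            for name, p in payloads.items()}


# Constructed request lines: two injection attempts, two benign requests,
# and one benign surname (D'Orsay) that the expression still flags.
SAMPLE_REQUESTS = {
    "plain_sqli": "GET /login?user=admin' OR 1=1-- HTTP/1.1",
    "urlencoded": "GET /login?user=admin%27+OR+1%3D1 HTTP/1.1",
    "benign": "GET /index.html HTTP/1.1",
    "apostrophe": "GET /search?q=O'Reilly HTTP/1.1",
    "false_positive": "GET /search?q=D'Orsay HTTP/1.1",
}

if __name__ == "__main__":
    header, _ = parse_rule(SQLI_RULE)
    print("%(action)s %(proto)s %(src)s:%(sport)s -> %(dst)s:%(dport)s" % header)
    for name, hit in pcre_hits(SQLI_RULE, SAMPLE_REQUESTS).items():
        print("%-15s %s" % (name, "ALERT" if hit else "-"))
```

The false-positive row is the point the narration makes about noise: an apostrophe followed by "or" inside an ordinary name fires the same rule, which is why the classtype, sid and rev matter when you tune it.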


SNORT Intrusion Prevention System -1

Must compile SNORT with the following options.

$ ./configure --enable-active-response --enable-flexresp3
$ make
# make install

Depending on how you have SNORT respond, you may need the libnet library in order for SNORT to craft a response packet.

**019 Understand that there's a lot of power that you can-- a lot of things that you can do with Snort rules. If you're going to put Snort in intrusion prevention mode, you have to compile it with these specific flags. So, Enable Active Response, Enable Flexible Response 3. If you're going to put it in active mode, you have to compile it with these, or you have to grab a version that's already been compiled with these options. If it doesn't have these options, it doesn't matter what you tell Snort in the rule set-- you might tell it to reject or drop or whatever-- it does not matter; Snort won't do it without these options preconfigured in it.


SNORT Intrusion Prevention System -2

Different methods to make prevention rules
• Add respond to an ALERT rule
  — resp:<resp_keyword>[, resp_keyword,…]
  — Resp_keywords: rst_snd, rst_rcv, rst_all, icmp_net, icmp_host, icmp_port, icmp_all
• For HTTP alert rules you can add react
  — react:<react_keyword>[, react_keyword,…]
    o block – Blocks access to the session
    o warn – Sends browser warning to user
    o proxy – Indicates proxy port number to send
    o msg – Sends the alert message with the warning
• Change ALERT to REJECT in a particular rule
  — A TCP RST will be sent

**020 So if you want to generate an alert but you want it to take a specific action, like drop packets on the floor or send a reset or something like that, you can change the response to one of these keywords here, and that will tell Snort what to do, how to respond to a particular traffic stream if it sees it. So, "Should I send a reset?" "Should I send a reset to both sides of the connections? To one or the other?" "Should I send ICMP Network Not Reachable? Should I send those messages?" You can really fine-tune how Snort responds to what it deems as a malicious connection.


At the basic level, you can just put Drop in there. Or, sorry, Reject. So instead of the Alert keyword in the rule, you specify Reject, and what that will do, Snort will just send a reset out to whoever the source of that alert. There are a couple different options there if you're using HTTP rules, so things that are checking for port 80 or port 443 traffic. You can set a reaction keyword here, either blocking access to the session, warning, indicating proxy numbers or something like that, or just send a message to the user that says, "Hey, this is not-- something odd is going on here. You might want to contact your administrator." So it gives you a lot of flexibility to do this, in how you actually respond to those alerts.
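The three rewrites on this slide, as an added Python example (not Snort's code or the course's): it takes an alert rule and produces the resp:, react: or reject variant, validates the keywords against the list above, only allows react: on HTTP rules, and bumps rev: so the edit is documented. The set of ports treated as HTTP and the helper names are my assumptions.

```python
import re

# Response keywords listed on the slide; anything else is refused.
RESP_KEYWORDS = {"rst_snd", "rst_rcv", "rst_all",
                 "icmp_net", "icmp_host", "icmp_port", "icmp_all"}
REACT_KEYWORDS = {"block", "warn", "proxy", "msg"}
# Assumption for this example: destination ports that make a rule an HTTP rule.
HTTP_PORTS = {"80", "443", "$HTTP_PORTS"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+\w+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+(?P<dport>\S+)\s*\(")
REV_RE = re.compile(r"rev:\s*(\d+)\s*;")


def _add_option(rule, option):
    """Append one 'key:value;' option just before the closing parenthesis."""
    body = rule[: rule.rindex(")")].rstrip()
    if not body.endswith(";"):
        body += ";"
    return body + " " + option + ")"


def _bump_rev(rule):
    """An edited rule is a new revision: increment rev:, or add rev:1."""
    if REV_RE.search(rule):
        return REV_RE.sub(lambda m: "rev:%d;" % (int(m.group(1)) + 1), rule)
    return _add_option(rule, "rev:1;")


def to_prevention_rule(rule, method, keywords=()):
    """Rewrite an alert rule with one of the three methods on the slide:
    'resp' (add resp:), 'react' (add react:, HTTP rules only) or 'reject'
    (swap the action so Snort sends a TCP RST)."""
    rule = rule.strip()
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a Snort rule: %r" % rule)
    if m.group("action") != "alert":
        raise ValueError("only alert rules are converted here")
    if method == "reject":
        new = "reject" + rule[len("alert"):]
    elif method in ("resp", "react"):
        allowed = RESP_KEYWORDS if method == "resp" else REACT_KEYWORDS
        # 'proxy' carries a port number on the slide, so only the first word is checked.
        bad = [k for k in keywords if k.split()[0] not in allowed]
        if not keywords or bad:
            raise ValueError("%s: needs keywords from %s, got %r" % (method, sorted(allowed), bad))
        if method == "react" and m.group("dport") not in HTTP_PORTS:
            raise ValueError("react: is only meaningful on HTTP rules")
        new = _add_option(rule, "%s:%s;" % (method, ",".join(keywords)))
    else:
        raise ValueError("unknown method %r" % method)
    return _bump_rev(new)


# Rules from the slides, used as input.
SYN_RULE = r'alert tcp any any -> $HOME_NET any (flags:S; msg:"SYN packet";)'
SQLI_RULE = (
    r'alert tcp $EXTERNAL_NET any -> any 80 '
    r'(msg:"SQL Injection -Possible OR 1=1 Stuff"; flow:to_server,established; '
    r"""pcre:"/\w*(\%27)|'(\s|\+)*((\%6F)|o|(\%4F))((\%72)|r|(\%52))/i"; """
    r'classtype:web-application-attack; sid:9002; rev:1;)'
)

if __name__ == "__main__":
    print(to_prevention_rule(SQLI_RULE, "reject"))
    print(to_prevention_rule(SQLI_RULE, "resp", ["rst_all"]))
    print(to_prevention_rule(SQLI_RULE, "react", ["block", "msg"]))
```

None of these rewrites has any effect unless the sensor was built with --enable-active-response and --enable-flexresp3, as the previous slide says.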


SNORT Usage

Runs when you start Ubuntu

If not
# /etc/init.d/snort start

Or
# sudo snort -c /etc/snort/snort.conf -i <iface> <opts>

Use the '-k none' option to allow SNORT to interpret packets with invalid checksums.

**021 Usually Snort will start when you run Ubuntu. If it doesn't, there's the command that will start it for you, either through the init script or from the command line.


Notices

Copyright 2013 Carnegie Mellon University

This material has been approved for public release and unlimited distribution except as restricted below. This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study. Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. Government purposes, the SEI recommends attendance to ensure proper understanding.

NO WARRANTY. THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT® is a registered mark of Carnegie Mellon University.
