8/3/2019 Snort Lecture10
1/27
9/29/201
There once was some value in distinguishing civilian, criminal, terrorist and nation-state sponsored hackers, but that time is past
Does the motivation of your attacker really matter in preparing your defense and response measures?
A better term for the present day is adversary
The people and organizations dedicated to penetrating your defenses and achieving unauthorized access to your information assets and their supporting infrastructure
ID Lecture 10
Some digerati want to rehabilitate the term hacker to return to its original meaning
Language doesn't work like that
Don't call yourself a hacker unless you want the bad press that goes with the term in modern culture
Many more people call themselves 1337 than are
And yeah, I do know about the hat colors
snort
Snort is included in Back|Track 5
It is also available as the Shadow IDS at http://www.whitehats.ca/main/index.html
INTRUSION DETECTION AND PREVENTION
ID Lecture 10
Modified from slides accompanying Chapter 6 of Penetration Testing: Security Analysis by EC-Council
Additional original content Richard Austin
Situational Awareness
Being aware of what is happening around you
In an Internet-connected enterprise with millions of packets crossing the perimeter per second, this can be extremely challenging
Intrusion detection and prevention are ways of improving situational awareness
IDS vs IPS
(comparison figure; only the panel labels IDS and IPS survived)
Organization
IDS/IPS can be a simple, monolithic system or a distributed set of sensors feeding a central analysis and correlation engine
Critical to any design is placing the sensors so that they have appropriate visibility of the traffic to be monitored
Sensor Placement
(network diagram) What would a sensor at each arrow be able to observe?
Types of traffic
Volume of traffic
Visibility
IDS/IPS should have visibility to the traffic
SPAN
TAP
Consider the volume of traffic before choosing a technology
SPAN aggregates multiple ports onto a single monitor port
What might be the problem with mirroring 4 gigabit Ethernet ports onto a single monitor port?
TAP
A tap produces two monitor streams
Inbound
Outbound
These streams may need to be recombined for analysis
Taps are write-blocked and cannot generate traffic, so they are problematic for IPS systems
TAP Notes
A server running an IDS behind a tap must be multi-homed
Two NICs for the monitor ports (inbound and outbound)
One NIC to allow transmission of alerts/logs/etc
Technologies
Signature based (e.g., SNORT)
Pattern-matches traffic against known bad traffic
Weaknesses
Malicious traffic may morph
New XOR encoder
Traffic must be known before a signature can be written
Anomaly based (e.g., BRO)
Compares traffic to normal baseline
Success Factors
In order to effectively use an IDS, the right infrastructure must be in place to deal with the information generated
Problem
False positives
Detecting malicious network traffic is difficult and for that reason rulesets tend toward the paranoid
This leads to the situation where normal traffic may be labeled as suspicious
telnet is a disallowed protocol within the DMZ
A hapless web server administrator uses telnet to connect to a server while troubleshooting a problem
Triage, event correlation, etc are critical stepsin any incident detection strategy
ID&R
An IDS can be a useful component of an incident detection methodology
There must be an incident response plan to spell out the actions to be taken when an incident is detected
From NIST 800-61
Metrics
Security programs must be measured in order to evaluate their effectiveness
George Jetson has deployed a SNORT sensor on the external leg of Spacely Sprockets' bastion router and is planning to report the number, rate, etc, of IDS alerts as a metric for his network security program
How would you assess the effectiveness of his strategy?
SNORT
Signature-based IDS/IPS
SNORT itself is Open Source BUT the SourceFire Vulnerability Research Team (VRT) rulesets are subscription-based
There are also community rules which are contributed under the GPL
Objectives
Understand Snort's modes of operation
Configure Snort
Use plug-ins and preprocessors
Understand how Snort works
Write Snort rules
Use the IDS Policy Manager
Introduction to Snort
Snort
Widely used, open-source, network-based intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks
Performs protocol analysis and content matching to detect a variety of attacks and probes such as: buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and more
Modes of Operation
Snort can be configured to run in the following modes:
Packet Sniffer
Packet Logger
Network Intrusion Detection System
Inline
Allows SNORT to function as an IPS by dropping suspicious traffic
What are some concerns you might have with this solution?
Features of Snort
Features of Snort:
Protocol analysis
Content searching/matching
Real-time alerting capability
Can read a Tcpdump trace and run it against a rule set
Flexible rules language
Snort can be configured to watch a network for a particular type of attack profile
It can alert the incident response team as soon as the attack takes place
Configuring Snort
Snort is configured using the text file snort.conf
The include keyword allows other rules files to be included within the rules file
Variables
Used to define parameters for detection, specifically those of the local network or specific servers or ports for inclusion or exclusion in the rules
Snort Preprocessors
Offer additional detection capabilities
Port scan: TCP connection that attempts to send to more than P ports in T seconds, or UDP packets sent to more than P ports in T seconds
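The port scan test above ("more than P ports in T seconds") can be written as a per-source sliding-window counter. The Python below is an added illustration, not Snort's portscan preprocessor code; the P and T values, the addresses and the event list are all constructed for the example. It also shows why P and T must be tuned: the slow source in the sample never has more than P distinct ports inside one window and so is never reported.

```python
from collections import defaultdict, deque

# Constructed thresholds: alert when one source reaches more than P distinct
# ports on one destination within T seconds (the lecture's P and T).
P_PORTS = 5
T_SECONDS = 3.0

class PortscanDetector:
    """Sliding-window form of the lecture's 'more than P ports in T seconds' test."""

    def __init__(self, p_ports=P_PORTS, t_seconds=T_SECONDS):
        self.p_ports, self.t_seconds = p_ports, t_seconds
        self.window = defaultdict(deque)   # (src, dst) -> deque of (ts, dport)
        self.alerted = set()               # pairs already reported, to avoid repeats

    def observe(self, ts, src, dst, dport):
        """Feed one connection attempt (TCP SYN or UDP datagram); return an alert or None."""
        key = (src, dst)
        q = self.window[key]
        q.append((ts, dport))
        while q and ts - q[0][0] > self.t_seconds:   # drop events outside the window
            q.popleft()
        distinct = {port for _, port in q}
        if len(distinct) > self.p_ports and key not in self.alerted:
            self.alerted.add(key)
            return f"portscan {src} -> {dst}: {len(distinct)} ports in {self.t_seconds:g}s"
        return None

# Constructed events (ts, src, dst, dport): a fast scanner, a slow scanner and an admin.
SAMPLE_EVENTS = (
    [(0.2 * i, "192.0.2.10", "10.1.1.5", p) for i, p in enumerate((21, 22, 23, 25, 80, 110, 143))]
    + [(1.0 * i, "198.51.100.7", "10.1.1.5", p) for i, p in enumerate(range(1, 9))]
    + [(0.5 + i, "10.1.1.20", "10.1.1.5", 22) for i in range(6)]
    + [(4.0, "10.1.1.20", "10.1.1.5", 80)]
)

def run(events):
    """Replay events in time order through one detector; return the alerts raised."""
    det = PortscanDetector()
    alerts = []
    for ts, src, dst, dport in sorted(events):
        msg = det.observe(ts, src, dst, dport)
        if msg:
            alerts.append(msg)
    return alerts
```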
Configuring Snort
Table 6-3 These are the different directives that can be used with the config command
Configuring Snort
Output Plug-ins
Allow Snort to be much more flexible in the formatting and presentation of output to its users
Snort has nine output plug-ins:
alert_syslog
alert_fast
alert_full
alert_unixsock
log_tcpdump
database
csv
unified
log_null
How Snort Works
Initializing Snort
Starting Up
Parsing the Configuration File
Decoding
Execution begins at the ProcessPacket() function when a new packet is received
Preprocessing
ProcessPacket() function tests to see the mode in which Snort is running
Detection
Detection phase begins in the Detect() function
Content Matching
Snort uses a series of string matching and parsing functions
Contained in the src/mstring.c and src/mstring.h files in the Snort source tree
Detection engine slightly changes the way Snort works by having the first phase be a setwise pattern match
Some detection options, such as pcre (Perl Compatible Regular Expressions) and byte test, perform detection in the payload section of the packet, rather than using the setwise pattern-matching engine
The Stream4 Preprocessor
stream4 module
Provides TCP stream reassembly and stateful analysis capabilities to Snort
Gives large-scale users the ability to track many simultaneous TCP streams
Set to handle 8,192 simultaneous TCP connections in its default configuration
Stream4 contains two configurable modules:
Global Stream4 preprocessor
Stream4 reassemble preprocessor
Inline Functionality
Implemented utilizing the iptables or ipfw firewall option to provide the functionality for a new set of rule types: drop, reject, and sdrop
Inline Initialization
inline_flag variable is used to toggle the use of inline functionality in Snort
Inline Detection
To receive packets from ipqueue or ipfw, calls to the IpqLoop() and IpfwLoop() functions are added to the SnortMain() function
Writing Snort Rules
Snort uses a simple, lightweight rules description language that is both flexible and powerful
The Rule Header (fields)
Rule action
Protocol
IP address
Port information
Directional operator
Rule Options
Specify exactly what to match and what to display after a successful match
Simple Example
alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any (flags: SF; msg: "SYN-FIN scan";)
Composed of a rule header and rule options
Rule header:
Action is Alert
On any TCP traffic not from 10.1.1.0/24 to 10.1.1.0/24
Assuming our internal network is 10.1.1.0/24, the header says any external address trying to open a TCP connection
Rule options:
If the SYN and FIN flags are set, the alert message "SYN-FIN scan" is associated with the alert
Example from Network Intrusion Detection, 3ed by Northcutt and Novak
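To make the header/option split concrete, here is an added Python example (not from the lecture, the textbook, or Snort itself) that parses a rule of this shape and evaluates it against constructed packet summaries. It covers only the subset the SYN-FIN rule uses: a single or "any" port, an IP/CIDR address spec with optional "!" negation, the "->" direction and exact flags matching; the packet dicts are an assumption of this example, not a Snort structure.

```python
import re
from ipaddress import ip_address, ip_network

# The lecture's SYN-FIN scan rule (Northcutt & Novak); Snort syntax needs the msg quoted.
RULE = 'alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any (flags: SF; msg: "SYN-FIN scan";)'

# Header = action proto src sport direction dst dport, then the options in parentheses.
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

def parse_rule(text):
    """Split a rule into header fields and an option dict (msg quotes stripped)."""
    m = HEADER_RE.match(text.strip())
    if m is None:
        raise ValueError("not a Snort rule: " + text)
    header = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    opts = {}
    for item in m.group("opts").split(";"):
        if item.strip():
            key, _, val = item.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    return header, opts

def addr_matches(spec, addr):
    """'any', or an IP/CIDR, optionally negated with a leading '!' (as in !10.1.1.0/24)."""
    if spec == "any":
        return True
    inside = ip_address(addr) in ip_network(spec.lstrip("!"), strict=False)
    return inside != spec.startswith("!")

def port_matches(spec, port):
    """'any' or one port number, optionally negated; a subset of Snort's port syntax."""
    if spec == "any":
        return True
    return (int(spec.lstrip("!")) == port) != spec.startswith("!")

def rule_fires(rule_text, pkt):
    """Return the rule's msg when a constructed packet summary matches, else None.
    pkt keys: proto, src, sport, dst, dport, flags (the set TCP flags, e.g. "SF")."""
    header, opts = parse_rule(rule_text)
    if header["proto"] != pkt["proto"] or header["dir"] != "->":   # only '->' rules handled
        return None
    if not (addr_matches(header["src"], pkt["src"]) and port_matches(header["sport"], pkt["sport"])
            and addr_matches(header["dst"], pkt["dst"]) and port_matches(header["dport"], pkt["dport"])):
        return None
    # flags without a modifier means exactly these TCP flags must be set and no others
    if "flags" in opts and set(opts["flags"]) != set(pkt["flags"]):
        return None
    return opts.get("msg")
```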
Adding Rules to SNORT
Write your rule using any text editor and save it (convention is somedescriptivename.rules) in the rules subdirectory
Then in the snort.conf file, add your rule file to the list SNORT will load
Writing Snort Rules
Figure 6-2 These are all available Snort rule options.
Writing Snort Rules
Writing Good Snort Rules
Develop effective content-matching strings
Catch the vulnerability, not the exploit!!!
Catch the oddities of the protocol in the rule
Optimize the rules
Snort Tools
IDS Policy Manager
Written to manage Snort IDS sensors in a distributed environment
Snort Rules Subscription
Sourcefire, the company behind Snort, uses a registration and subscription model for distribution of new rules
Honeynet Security Console
Analysis tool to view events on a personal network or honeynet
Snort Tools
Figure 6-3 IDS Policy Manager configures Snort with a graphical user interface.
SIM/SIEM
A large organization may have many sources of security-relevant information that contribute to maintaining overall situational awareness
SIM/SIEM solutions aggregate this information under a single umbrella and allow a dashboard-like display of activity
Process
SIM/SIEM
Figure 6-4 Honeynet Security Console
Sguil
http://sguil.sourceforge.net/
Using SNORT
The easiest way to try SNORT out is to use the BackTrack 5 DVD as SNORT is already installed
snort -A console -c /etc/conf/snort.conf
This will run SNORT on the first network interface and direct the alert messages to the console
Lots of output (nmap scan)
BRO
Alarms
Sample Policy
BRO Incident
We will not have class next week
Lab and Exam
The Lab
Your challenge is:
Identify the appropriate locations for SPAN ports/network tap(s) and IDS sensor(s)
Write a SNORT rule to detect connection attempts to the netcat port and generate an alert
Specify what actions are to be taken when an alert occurs
The Exam
Exam I will be done at home
I will post it on the website
It must be submitted in hardcopy on 10/11
Word processor output (I'm not going to struggle with your handwriting)
Minimum 12 point font
Make sure your name appears on each page
Print out and sign the academic honesty statement and submit it as the first page of your exam paper
Summary
Snort is a powerful intrusion detection system (IDS) and traffic analyzer
A Snort configuration file has four major components:
Variables
Preprocessors
Output plug-ins
Rules
A Snort rule contains a rule header and rule options
Users can write their own Snort rules either manually or with the assistance of tools
The Exam
Since it is a take-home exam, it is of course open book
DO NOT cut-and-paste from Google!!!
If you use content from a source in your answer, cite the source just like you would in any academic writing
Be succinct! Don't write three pages to say what can be said in half-a-page!!!
If you go off into left field, don't expect me to follow you in hopes that you eventually answer the question!