Snort Lecture10


  • 8/3/2019 Snort Lecture10


    9/29/201

There once was some value in distinguishing civilian, criminal, terrorist and nation-state sponsored hackers, but that time is past.

Does the motivation of your attacker really matter in preparing your defense and response measures?

A better term for the present day is adversary: the people and organizations dedicated to penetrating your defenses and achieving unauthorized access to your information assets and their supporting infrastructure.

    ID Lecture 10

Some digerati want to rehabilitate the term hacker to return to its original meaning.

Language doesn't work like that. Don't call yourself a hacker unless you want the bad press that goes with the term in modern culture. Many more people call themselves 1337 than are. And yeah, I do know about the hat colors.

Snort

Snort is included in Back|Track 5. It is also available as the Shadow IDS at http://www.whitehats.ca/main/index.html

INTRUSION DETECTION AND PREVENTION

ID Lecture 10

Modified from slides accompanying Chapter 6 of Penetration Testing: Security Analysis by EC-Council. Additional original content: Richard Austin.

Situational Awareness

Being aware of what is happening around you. In an Internet-connected enterprise with millions of packets crossing the perimeter per second, this can be extremely challenging. Intrusion detection and prevention are ways of improving situational awareness.

IDS vs IPS

IDS | IPS

Organization

IDS/IPS can be a simple, monolithic system or a distributed set of sensors feeding a central analysis and correlation engine. Critical to any design is placing the sensors so that they have appropriate visibility of the traffic to be monitored.

Sensor Placement

What would a sensor at each arrow be able to observe? Types of traffic; volume of traffic.

Visibility

IDS/IPS should have visibility to the traffic: SPAN or TAP. Consider the volume of traffic before choosing a technology.

SPAN aggregates multiple ports onto a single monitor port.

What might be the problem with mirroring 4 gigabit Ethernet ports onto a single monitor port?

TAP

A tap produces two monitor streams, inbound and outbound. These streams may need to be recombined for analysis.

Taps are write-blocked and cannot generate traffic, so they are problematic for IPS systems.

TAP Notes

A server running an IDS behind a tap must be multi-homed:

Two NICs for the monitor ports (inbound and outbound)
One NIC to allow transmission of alerts/logs/etc.

Technologies

Signature based (e.g., SNORT): pattern-matches traffic against known bad traffic. Weaknesses:

Malicious traffic may morph (new XOR encoder)
Traffic must be known before a signature can be written

Anomaly based (e.g., BRO): compares traffic to a normal baseline.

Success Factors

In order to effectively use an IDS, the right infrastructure must be in place to deal with the information generated.

Problem

False positives. Detecting malicious network traffic is difficult, and for that reason rulesets tend toward the paranoid. This leads to the situation where normal traffic may be labeled as suspicious:

telnet is a disallowed protocol within the DMZ
A hapless web server administrator uses telnet to connect to a server while troubleshooting a problem

Triage, event correlation, etc. are critical steps in any incident detection strategy.

ID&R

An IDS can be a useful component of an incident detection methodology. There must be an incident response plan to spell out the actions to be taken when an incident is detected.

From NIST 800-61

Metrics

Security programs must be measured in order to evaluate their effectiveness. George Jetson has deployed a SNORT sensor on the external leg of Spacely Sprockets' bastion router and is planning to report the number, rate, etc. of IDS alerts as a metric for his network security program.

How would you assess the effectiveness of his strategy?

SNORT

Signature-based IDS/IPS. SNORT itself is Open Source, BUT the SourceFire Vulnerability Research Team (VRT) rulesets are subscription-based.

There are also community rules which are contributed under the GPL.

Objectives

Understand Snort's modes of operation
Configure Snort
Use plug-ins and preprocessors
Understand how Snort works
Write Snort rules
Use the IDS Policy Manager

Introduction to Snort

Snort: widely used, open-source, network-based intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks. Performs protocol analysis and content matching to detect a variety of attacks and probes such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and more.

Modes of Operation

Snort can be configured to run in the following modes:

Packet Sniffer
Packet Logger
Network Intrusion Detection System
Inline

Inline mode allows SNORT to function as an IPS by dropping suspicious traffic. What are some concerns you might have with this solution?

Features of Snort

Protocol analysis
Content searching/matching
Real-time alerting capability
Can read a Tcpdump trace and run it against a rule set
Flexible rules language

Snort can be configured to watch a network for a particular type of attack profile. It can alert the incident response team as soon as the attack takes place.

Configuring Snort

Snort is configured using the text file snort.conf. The include keyword allows other rules files to be included within the rules file.

Variables: used to define parameters for detection, specifically those of the local network or specific servers or ports, for inclusion or exclusion in the rules.

Snort Preprocessors: offer additional detection capabilities. Port scan: a TCP connection that attempts to send to more than P ports in T seconds, or UDP packets sent to more than P ports in T seconds.
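The port scan preprocessor described above is a threshold over a sliding time window. The Python below is an added teaching example written for this page, not Snort's own preprocessor code: per source address it keeps the distinct destination targets seen in the last T seconds and raises one alert once more than P have been seen. The connection records are constructed sample data; the defaults P=5 and T=60 are illustrative values chosen here, not Snort's defaults; and targets are counted as (destination address, port) pairs, which is a choice of this example.

```python
"""Sliding-window port scan detector modelled on the preprocessor rule the
slide quotes: one source touching more than P distinct destination ports
within T seconds.  Added teaching example, not Snort's own preprocessor."""

from collections import defaultdict, deque

# Constructed connection attempts (src_ip, dst_ip, dst_port, time_in_seconds);
# illustrative sample data, not captured traffic.
SAMPLE_EVENTS = [
    ("203.0.113.7", "10.1.1.20", 22, 100.0),     # fast sweep of six ports
    ("203.0.113.7", "10.1.1.20", 23, 100.5),
    ("203.0.113.7", "10.1.1.20", 25, 101.0),
    ("203.0.113.7", "10.1.1.20", 80, 101.5),
    ("203.0.113.7", "10.1.1.20", 110, 102.0),
    ("203.0.113.7", "10.1.1.20", 443, 102.5),    # 6th distinct port: exceeds P=5
    ("10.1.1.55", "10.1.1.20", 80, 100.0),       # ordinary client, two ports
    ("10.1.1.55", "10.1.1.20", 80, 130.0),
    ("10.1.1.55", "10.1.1.20", 443, 150.0),
    ("198.51.100.9", "10.1.1.20", 21, 0.0),      # slow probe, one port every 70 s
    ("198.51.100.9", "10.1.1.20", 22, 70.0),
    ("198.51.100.9", "10.1.1.20", 23, 140.0),
    ("198.51.100.9", "10.1.1.20", 25, 210.0),
    ("198.51.100.9", "10.1.1.20", 80, 280.0),
    ("198.51.100.9", "10.1.1.20", 110, 350.0),
]


class PortScanDetector:
    """Per source address, remember the (dst_ip, dst_port) targets seen in the
    last window_seconds and alert once more than port_threshold are distinct."""

    def __init__(self, port_threshold, window_seconds):
        self.port_threshold = port_threshold
        self.window_seconds = window_seconds
        self._history = defaultdict(deque)   # src_ip -> deque of (ts, (dst_ip, dst_port))

    def observe(self, src_ip, dst_ip, dst_port, ts):
        """Feed one connection attempt (in time order); return an alert dict or None."""
        hist = self._history[src_ip]
        while hist and ts - hist[0][0] > self.window_seconds:   # drop events outside the window
            hist.popleft()
        hist.append((ts, (dst_ip, dst_port)))
        distinct = {target for _, target in hist}
        if len(distinct) <= self.port_threshold:
            return None
        alert = {"src": src_ip, "targets": sorted(distinct),
                 "window_start": hist[0][0], "window_end": ts}
        hist.clear()   # one alert per scan rather than one per further packet
        return alert


def scan_for_portscans(events, port_threshold=5, window_seconds=60):
    """Run the detector over the events in time order and collect the alerts."""
    detector = PortScanDetector(port_threshold, window_seconds)
    alerts = []
    for src_ip, dst_ip, dst_port, ts in sorted(events, key=lambda e: e[3]):
        alert = detector.observe(src_ip, dst_ip, dst_port, ts)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan_for_portscans(SAMPLE_EVENTS):
        ports = [port for _, port in a["targets"]]
        print(f"PORTSCAN from {a['src']}: {len(ports)} ports in "
              f"{a['window_end'] - a['window_start']:.1f}s -> {ports}")
```

With the defaults only the fast sweep alerts; the slow probe spreads its ports further apart than T and is missed, while widening T to 400 seconds catches it. That is the tuning trade-off behind P and T: a wide window catches slow scans but lets an ordinary client that talks to many services accumulate toward the threshold.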


Configuring Snort

Table 6-3 These are the different directives that can be used with the config command.

Configuring Snort: Output Plug-ins

Allow Snort to be much more flexible in the formatting and presentation of output to its users. Snort has nine output plug-ins:

alert_syslog
alert_fast
alert_full
alert_unixsock
log_tcpdump
database
csv
unified
log_null
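As an added illustration of the alert_fast plug-in's one-line output and of the false-positive problem raised earlier (the web server administrator whose troubleshooting telnet session trips a DMZ policy rule), the Python below is an example written for this page, not Snort's code. It parses constructed alert lines laid out the way alert_fast prints them (timestamp, [**] [gid:sid:rev] msg [**], optional classification and priority, protocol, source -> destination), groups alerts by signature and source, and marks the group that matches a hypothetical documented exception so an analyst reviews it separately from the rest. The sids, addresses and the change-ticket reference are all made up, and the exact field spacing of real alert_fast output may differ from the sample.

```python
"""Parse alert lines laid out like Snort's one-line alert_fast output and
triage them: count by signature and source, and mark groups that match a
documented, approved exception so likely false positives are reviewed
separately from the rest.  Added example, not Snort's own code; the alert
lines are constructed and the exception list is hypothetical."""

import re
from collections import Counter

# Constructed sample alerts (not captured data).  Each line follows the
# "timestamp [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {proto} src -> dst"
# shape of alert_fast; exact spacing in real output may differ.
SAMPLE_ALERTS = """\
09/29-10:15:02.113201  [**] [1:1000001:2] POLICY telnet to DMZ host [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.1.1.55:40312 -> 10.1.2.20:23
09/29-10:15:09.550012  [**] [1:1000001:2] POLICY telnet to DMZ host [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.1.1.55:40318 -> 10.1.2.20:23
09/29-10:16:44.002210  [**] [1:1000001:2] POLICY telnet to DMZ host [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 203.0.113.7:51000 -> 10.1.2.20:23
09/29-10:17:01.778003  [**] [1:1000002:1] SCAN SYN-FIN [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51002 -> 10.1.2.20:80
09/29-10:17:05.000000  [**] [1:1000003:1] ICMP echo request [**] [Priority: 3] {ICMP} 10.1.1.55 -> 10.1.2.20
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Hypothetical documented exception, keyed by (sid, source address): the web
# server admin's workstation may use telnet into the DMZ during an open change.
APPROVED_EXCEPTIONS = {(1000001, "10.1.1.55"): "change ticket CHG-0042 (constructed)"}


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not in the expected shape."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        fields[key] = int(fields[key]) if fields[key] is not None else None
    return fields


def triage(text, exceptions=APPROVED_EXCEPTIONS):
    """Group alerts by (sid, src), most frequent first, and assign a disposition.
    Returns (groups, unparsed_line_count)."""
    counts = Counter()
    first_msg = {}
    unparsed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = parse_alert(line)
        if alert is None:
            unparsed += 1
            continue
        key = (alert["sid"], alert["src"])
        counts[key] += 1
        first_msg.setdefault(key, alert["msg"])
    groups = []
    for (sid, src), n in counts.most_common():
        if (sid, src) in exceptions:
            disposition = "approved exception: " + exceptions[(sid, src)]
        else:
            disposition = "investigate"
        groups.append({"sid": sid, "src": src, "count": n,
                       "msg": first_msg[(sid, src)], "disposition": disposition})
    return groups, unparsed


if __name__ == "__main__":
    groups, bad = triage(SAMPLE_ALERTS)
    for g in groups:
        print(f"sid {g['sid']} from {g['src']}: {g['count']}x {g['msg']!r} -> {g['disposition']}")
    print(f"{bad} unparsed line(s)")
```

The point of keying the exception on both signature and source is that the same telnet rule firing from an address that is not the documented workstation (the 203.0.113.7 group here) still lands in the investigate bucket; the exception suppresses a known situation, not the rule.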


How Snort Works

Initializing Snort: starting up; parsing the configuration file.

Decoding: execution begins at the ProcessPacket() function when a new packet is received.

Preprocessing: the ProcessPacket() function tests to see the mode in which Snort is running.

Detection: the detection phase begins in the Detect() function.

Content Matching

Snort uses a series of string matching and parsing functions, contained in the src/mstring.c and src/mstring.h files in the Snort source tree.

The detection engine slightly changes the way Snort works by having the first phase be a setwise pattern match. Some detection options, such as pcre (Perl Compatible Regular Expressions) and byte_test, perform detection in the payload section of the packet rather than using the setwise pattern-matching engine.

The Stream4 Preprocessor

The stream4 module provides TCP stream reassembly and stateful analysis capabilities to Snort. It gives large-scale users the ability to track many simultaneous TCP streams, and is set to handle 8,192 simultaneous TCP connections in its default configuration.

Stream4 contains two configurable modules:

Global Stream4 preprocessor
Stream4 reassemble preprocessor

Inline Functionality

Implemented utilizing the iptables or ipfw firewall option to provide the functionality for a new set of rule types: drop, reject, and sdrop.

Inline Initialization: the inline_flag variable is used to toggle the use of inline functionality in Snort.

Inline Detection: to receive packets from ipqueue or ipfw, calls to the IpqLoop() and IpfwLoop() functions are added to the SnortMain() function.

Writing Snort Rules

Snort uses a simple, lightweight rules description language that is both flexible and powerful.

The Rule Header (fields):

Rule action
Protocol
IP address
Port information
Directional operator

Rule Options: specify exactly what to match and what to display after a successful match.

Simple Example

alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any (flags: SF; msg: "SYN-FIN scan";)

Composed of a rule header and rule options.

Rule header: the action is alert, on any TCP traffic not from 10.1.1.0/24 going to 10.1.1.0/24. Assuming our internal network is 10.1.1.0/24, the header says any external address trying to open a TCP connection.

Rule options: if the SYN and FIN flags are set, the alert message "SYN-FIN scan" is associated with the alert.

Example from Network Intrusion Detection, 3ed by Northcutt and Novak
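To make the header/option split concrete, here is an added Python example (not Snort's parser and not from the Northcutt and Novak text) that parses the rule above into its header fields and option list and evaluates it against constructed packets. It implements only what this slide needs: the -> operator, ! negation, CIDR addresses, single ports and lo:hi ranges, the flags option with exact-match semantics, and a simplified $VARIABLE expansion standing in for snort.conf var lines. The packets and the HOME_NET value used in the usage are constructed.

```python
"""Parse a Snort rule into header fields and options and evaluate the header
and the flags option against constructed packets.  Added teaching example of
the structure the slides describe; it handles only a small subset of Snort's
rule language (the -> operator, !negation, CIDR, port ranges, flags and msg)
and is not Snort's own parser."""

import ipaddress
import re

# The slide's example rule (Northcutt and Novak), quoted here as input.
SYN_FIN_RULE = 'alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any (flags: SF; msg: "SYN-FIN scan";)'

HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# TCP flag letters as the flags option names them (the +, * and ! modifiers are not handled).
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def parse_rule(text, variables=None):
    """Return {'header': {...}, 'options': [(name, value), ...]} for one rule.
    `variables` maps names to values for $NAME expansion, a simplified stand-in
    for snort.conf var lines.  Options are split on ';', so a value containing
    ';' is outside what this toy parser supports."""
    for name, value in (variables or {}).items():
        text = text.replace("$" + name, value)
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a rule header: " + text)
    header = m.groupdict()
    options = []
    for item in header.pop("opts").split(";"):
        if item.strip():
            name, _, value = item.partition(":")
            options.append((name.strip(), value.strip().strip('"')))
    return {"header": header, "options": options}


def _addr_matches(spec, ip):
    """'any', a host or CIDR, optionally negated with a leading '!'."""
    if spec == "any":
        return True
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != spec.startswith("!")


def _port_matches(spec, port):
    """'any', a single port or a 'lo:hi' range, optionally negated."""
    if spec == "any":
        return True
    body = spec.lstrip("!")
    if ":" in body:
        lo, _, hi = body.partition(":")
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = port == int(body)
    return hit != spec.startswith("!")


def _flags_match(spec, tcp_flags):
    """A bare flags value such as 'SF' means exactly those bits and no others."""
    want = 0
    for letter in spec:
        want |= FLAG_BITS[letter]
    return tcp_flags == want


def rule_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport and, for TCP, a flags bitmask."""
    h = rule["header"]
    if h["proto"] != "ip" and h["proto"] != pkt["proto"]:
        return False
    if not (_addr_matches(h["src"], pkt["src"]) and _port_matches(h["sport"], pkt["sport"])
            and _addr_matches(h["dst"], pkt["dst"]) and _port_matches(h["dport"], pkt["dport"])):
        return False
    # Only the flags option is evaluated here; content, pcre etc. need payload inspection.
    for name, value in rule["options"]:
        if name == "flags" and not _flags_match(value, pkt.get("flags", 0)):
            return False
    return True


def alerts_for(rule, packets):
    """(src, dst, msg) for every packet the rule fires on."""
    msg = dict(rule["options"]).get("msg", "")
    return [(p["src"], p["dst"], msg) for p in packets if rule_matches(rule, p)]


# Constructed packets: an external SYN-FIN probe (should alert), the same probe
# from an internal host (excluded by the '!' source) and a plain external SYN.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "203.0.113.7", "sport": 40000, "dst": "10.1.1.20", "dport": 80, "flags": 0x03},
    {"proto": "tcp", "src": "10.1.1.5", "sport": 40001, "dst": "10.1.1.20", "dport": 80, "flags": 0x03},
    {"proto": "tcp", "src": "203.0.113.7", "sport": 40002, "dst": "10.1.1.20", "dport": 80, "flags": 0x02},
]

if __name__ == "__main__":
    rule = parse_rule(SYN_FIN_RULE)
    for src, dst, msg in alerts_for(rule, SAMPLE_PACKETS):
        print(f"ALERT {msg}: {src} -> {dst}")
```

Only the first constructed packet fires: the second has the right flags but an internal source, which the ! on the source address excludes, and the third comes from outside but carries a lone SYN, which a bare flags:SF does not match. Running the same parser on a rule written with $HOME_NET shows how the variable substitution the configuration slide mentions turns into the literal address the header is matched against.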


Adding Rules to SNORT

Write your rule using any text editor and save it (the convention is somedescriptivename.rules) in the rules subdirectory. Then, in the snort.conf file, add your rule file to the list SNORT will load.

Writing Snort Rules

Figure 6-2 These are all available Snort rule options.

Writing Snort Rules

Writing Good Snort Rules:

Develop effective content-matching strings
Catch the vulnerability, not the exploit!!!
Catch the oddities of the protocol in the rule
Optimize the rules

Snort Tools

IDS Policy Manager: written to manage Snort IDS sensors in a distributed environment.

Snort Rules Subscription: Sourcefire, the company behind Snort, uses a registration and subscription model for distribution of new rules.

Honeynet Security Console: analysis tool to view events on a personal network or honeynet.

Snort Tools

Figure 6-3 IDS Policy Manager configures Snort with a graphical user interface.

SIM/SIEM

A large organization may have many sources of security-relevant information that contribute to maintaining overall situational awareness.

SIM/SIEM solutions aggregate this information under a single umbrella and allow a dashboard-like display of activity.

Process

SIM/SIEM

Figure 6-4 Honeynet Security Console

Sguil

http://sguil.sourceforge.net/

Using SNORT

The easiest way to try SNORT out is to use the BackTrack 5 DVD, as SNORT is already installed:

snort -A console -c /etc/conf/snort.conf

This will run SNORT on the first network interface and direct the alert messages to the console.

Lots of output (nmap scan)

BRO

Alarms

Sample Policy

BRO Incident

We will not have class next week

Lab and Exam

The Lab

Your challenge is:

Identify the appropriate locations for SPAN ports/network tap(s) and IDS sensor(s)
Write a SNORT rule to detect connection attempts to the netcat port and generate an alert
Specify what actions are to be taken when an alert occurs

The Exam

Exam I will be done at home. I will post it on the website. It must be submitted in hardcopy on 10/11.

Word processor output (I'm not going to struggle with your handwriting)
Minimum 12 point font
Make sure your name appears on each page
Print out and sign the academic honesty statement and submit it as the first page of your exam paper

Summary

Snort is a powerful intrusion detection system (IDS) and traffic analyzer. A Snort configuration file has four major components:

Variables
Preprocessors
Output plug-ins
Rules

A Snort rule contains a rule header and rule options. Users can write their own Snort rules either manually or with the assistance of tools.

The Exam

Since it is a take-home exam, it is of course open book. DO NOT cut-and-paste from Google!!!

If you use content from a source in your answer, cite the source just like you would in any academic writing.

Be succinct! Don't write three pages to say what can be said in half a page!!!

If you go off into left field, don't expect me to follow you in hopes that you eventually answer the question!