Passive Host Auditing
Using Snort And Other Free Tools
by John Ives aka. jives
The Importance Of Auditing
Identify assets to better protect
Inventory of what you have and where it is on your network
The State Of Auditing Today
Relies primarily on active network scanning
Makes heavy usage of client agents
Difficult to impossible in chaotic decentralized environments
What Is Passive Auditing
Uses packets on the network to answer the question about the hosts
Does not affect end system logging
Uses black hat scans for white hat purposes
Aids policy enforcement
Ultimately it's using event correlation to profile a host.
What Can Be Monitored Passively
OS
OS updates
Antivirus/firewall/spyware updates
Network services (e.g. telnet, ftp, http, etc.)
Open Ports
Service versions
Network Application Versions
Policies
What are its Downsides?
Getting started can be labor intensive.
It requires a lot of data to build an accurate picture
It requires a commitment of time and money
It can be bypassed, but most end users won’t
It actually benefits from an ugly network!
Example Rule
(AV/Firewall update)
Symantec LiveUpdate
---------------------------------------------------------------------------
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
  (msg:"PHA - user-agent Symantec liveupdate"; \
  flow:to_server,established; \
  content:"|0d0a|User-Agent: Symantec LiveUpdate"; nocase; \
  content:"|0d0a|Host: liveupdate.symantecliveupdate.com"; nocase; \
  threshold: type limit, track by_src, count 1, seconds 1800; )
Example packets
(AV/Firewall update)
Symantec LiveUpdate
---------------------------------------------------------------------------
IP: 10.10.29.25 -> 38.113.220.7 hlen=20 TOS=00 dgramlen=283 id=946B
    MF/DF=0/1 frag=0 TTL=126 proto=TCP cksum=CC44
TCP: port 1694 -> 80 seq=3152470340 ack=3992596721
    hlen=20 (data=243) UAPRSF=011000 wnd=65535 cksum=74B4 urg=0
DATA: GET /symantec$20antivirus$20corporate$20client$20nt_9.0_english_livetri.zip HTTP/1.0.
      Accept: */*.
      Cache-Control: max-age=0.
      User-Agent: Symantec LiveUpdate.
      Host: liveupdate.symantecliveupdate.com.
      ----------:----------.
      Pragma: no-cache.
      .
Example Rule
(OS Update)
Windows updating for KB896358 (MS05-026)
---------------------------------------------------------------------------
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
  (msg:"PHA - Windows Update download KB896358 MS05-026"; \
  content:"GET |2F|"; depth:5; nocase; \
  content:"kb896358"; nocase; \
  content:".exe HTTP|2F|1.1|0d0a|"; nocase;)
Example packets
(OS Update)
Windows ME updating for KB896358 (MS05-026)
---------------------------------------------------------------------------
IP: 10.11.19.24 -> 207.46.249.25 hlen=20 TOS=00 dgramlen=282 id=2498
    MF/DF=0/1 frag=0 TTL=125 proto=TCP cksum=EE37
TCP: port 1493 -> 80 seq=0370010218 ack=2679330397
    hlen=20 (data=242) UAPRSF=011000 wnd=17520 cksum=8456 urg=0
DATA: GET /msdownload/update/v3-19990518/cabpool/WindowsME-KB896358-ENU_7e9ddccce2504c0ee808dffaf52c841.EXE HTTP/1.1.
      Accept: */*.
      Range: bytes=0-16384.
      User-Agent: Progressive Download.
      Host: download.windowsupdate.com.
      Cache-Control: no-cache.
Example Rule
(Anti-Spyware Detection)
Microsoft Windows Malicious Software Removal Tool
---------------------------------------------------------------------------
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
  (msg:"PHA - Windows Spyware Tool KB890830"; \
  content:"GET |2F|"; depth:5; nocase; \
  content:"kb890830"; nocase; \
  content:".exe HTTP|2F|1.1|0d0a|"; nocase; \
  content:"|0d0a|User-Agent: Microsoft BITS"; nocase;)
Example packets
(Spyware Detection)
Microsoft Windows Malicious Software Removal Tool
---------------------------------------------------------------------------
IP: 10.11.60.7 -> 65.59.184.62 hlen=20 TOS=00 dgramlen=326 id=0611
    MF/DF=0/1 frag=0 TTL=125 proto=TCP cksum=4CFC
TCP: port 1078 -> 80 seq=0643000275 ack=3277861441
    hlen=20 (data=286) UAPRSF=011000 wnd=65535 cksum=0FBC urg=0
DATA: GET /msdownload/update/v3-19990518/cabpool/windows-kb890830-v1.5-delta-enu_21d25af37346306a6b2dee41479b947829a529db.exe HTTP/1.1.
      Accept: */*.
      Accept-Encoding: identity.
      Range: bytes=0-5622.
      User-Agent: Microsoft BITS/6.6.
      Host: au.download.windowsupdate.com.
      Connection: Keep-Alive.
Example Rule
(OS Update Check-In)
RedHat looking for updates via up2date
---------------------------------------------------------------------------
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
  (msg:"PHA - RedHat Update Up2Date check-in"; flow:to_server,established; \
  content:"GET |2F|"; depth:5; nocase; \
  content:"header.info HTTP/1.1|0d0a|"; nocase; \
  content:"|0d0a|User-agent: Up2date/"; nocase;)
Example packets
(OS Update Check-In)
RedHat updating via up2date
---------------------------------------------------------------------------
IP: 10.11.26.94 -> 209.132.176.221 hlen=20 TOS=00 dgramlen=263 id=1C11
    MF/DF=0/1 frag=0 TTL=61 proto=TCP cksum=B667
TCP: port 36102 -> 80 seq=0480187150 ack=3321205591
    hlen=32 (data=211) UAPRSF=011000 wnd=1460 cksum=F466 urg=0
DATA: GET /pub/fedora/linux/core/3/i386/os/headers/header.info HTTP/1.1.
      Host: download.fedora.redhat.com.
      Accept-Encoding: identity.
      If-Modified-Since: Wed, 03 Nov 2004 23:16:42 GMT.
      User-Agent: RHN-Applet/2.1.16.
Example Rule
(another OS update)
RedHat updating via up2date
---------------------------------------------------------------------------
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
  (msg:"PHA - RedHat Update Up2Date check-in"; flow:to_server,established; \
  content:"GET |2F|"; depth:5; nocase; \
  content:".rpm HTTP/1.1|0d0a|"; nocase; \
  content:"|0d0a|User-agent: Up2date/"; nocase;)
Example packets
(another OS update)
RedHat updating via up2date
---------------------------------------------------------------------------
IP: 10.11.26.94 -> 209.132.176.221 hlen=20 TOS=00 dgramlen=263 id=1C11
    MF/DF=0/1 frag=0 TTL=61 proto=TCP cksum=B667
TCP: port 36102 -> 80 seq=0480187150 ack=3321205591
    hlen=32 (data=211) UAPRSF=011000 wnd=1460 cksum=F466 urg=0
DATA: GET /pub/fedora/linux/core/updates/4/i386//kernel-2.6.12-1.1398_FC4.i686.rpm HTTP/1.1
      Accept-Encoding: identity
      Host: download.fedora.redhat.com
      Connection: close
      User-agent: Up2date 4.4.23-4/Yum
Misc. Example Rules
Syn Packets for p0f
---------------------------------------------------------------------------
alert tcp $HOME_NET any -> any any (msg:"PHA syn packet capture for p0f"; \
  flags:S; threshold: type limit, track by_src, count 1, seconds 1800; )
---------------------------------------------------------------------------
IIS 5.1 on Windows XP
---------------------------------------------------------------------------
alert tcp $HOME_NET 80 -> $EXTERNAL_NET any \
  (msg:"PHA - IIS 5.1 running on Windows XP"; flow: from_server; \
  content:"|0D 0A|Server: Microsoft-IIS/5.1|0D 0A|"; nocase; \
  threshold: type limit, track by_src, count 1, seconds 1800;)
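The rules above and the "event correlation to profile a host" idea from the What Is Passive Auditing slide, as an added example in Python (not the author's scripts or rules): the rule contents become substring signatures with Snort-like nocase and depth handling, hits are correlated per source IP into a host inventory, and the threshold keyword's limit behaviour is mirrored so each (host, tag) pair is recorded once per 1800 seconds. The request text, IPs and timestamps are constructed, modelled on the captures above with the real filename hash replaced.

```python
from collections import defaultdict

def content_match(request, needle, depth=None):
    """Snort-style content match with nocase; depth limits the search to the first N bytes."""
    return needle.lower() in (request if depth is None else request[:depth]).lower()
# The deck's rules reduced to (tag, [(needle, depth), ...]); every needle must match.
SIGNATURES = [
    ("av:Symantec LiveUpdate", [("\r\nUser-Agent: Symantec LiveUpdate", None),
                                ("\r\nHost: liveupdate.symantecliveupdate.com", None)]),
    ("os:Windows Update KB896358", [("GET /", 5), ("kb896358", None), (".exe HTTP/1.1\r\n", None)]),
    ("antispyware:MSRT KB890830", [("GET /", 5), ("kb890830", None), (".exe HTTP/1.1\r\n", None),
                                   ("\r\nUser-Agent: Microsoft BITS", None)]),
    ("os:RedHat up2date check-in", [("GET /", 5), ("header.info HTTP/1.1\r\n", None),
                                    ("\r\nUser-agent: Up2date/", None)]),
]
def match_signatures(request):
    return [tag for tag, needles in SIGNATURES
            if all(content_match(request, n, d) for n, d in needles)]

class HostProfiler:
    """Correlates hits per source IP. Each (host, tag) is recorded once per limit_seconds,
    like 'threshold: type limit, track by_src, count 1, seconds 1800' in the deck's rules."""
    def __init__(self, limit_seconds=1800):
        self.limit = limit_seconds
        self.profile = defaultdict(dict)   # src ip -> {tag: time last recorded}
        self.events = []                   # (time, src ip, tag) rows worth storing

    def observe(self, ts, src_ip, request):
        for tag in match_signatures(request):
            last = self.profile[src_ip].get(tag)
            if last is not None and ts - last < self.limit:
                continue                   # still inside the limit window: suppressed
            self.profile[src_ip][tag] = ts
            self.events.append((ts, src_ip, tag))
# Constructed requests modelled on the deck's captures (the real filename hash is replaced).
LIVEUPDATE = ("GET /symantec%20antivirus%20corporate%20client%20nt_9.0_english_livetri.zip HTTP/1.0\r\n"
              "User-Agent: Symantec LiveUpdate\r\nHost: liveupdate.symantecliveupdate.com\r\n\r\n")
SAMPLE = [
    (1000, "10.10.29.25", LIVEUPDATE),
    (1600, "10.10.29.25", LIVEUPDATE),   # 600 s later: same host, same tag, suppressed
    (3000, "10.11.19.24", "GET /msdownload/update/v3-19990518/cabpool/WindowsME-KB896358-ENU_HASH.EXE HTTP/1.1\r\n\r\n"),
    (3100, "10.11.26.94", "GET /pub/fedora/linux/core/3/i386/os/headers/header.info HTTP/1.1\r\n"
                          "Host: download.fedora.redhat.com\r\nUser-agent: Up2date/4.4.23\r\n\r\n"),
]
def build_profile(samples=SAMPLE):
    profiler = HostProfiler()
    for ts, ip, request in samples:
        profiler.observe(ts, ip, request)
    return profiler
```

The p0f SYN rule and the IIS Server-header rule would feed the same profile from other directions (OS fingerprint, server software); only the client-side HTTP rules are modelled here.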
Tools
Snort
p0f
tcpdump
tcpshow and/or ngrep
Bro IDS
Custom Scripts
Database
Thank You
Thank you for coming today
If you are interested in getting more information or
volunteering to help out, you can email me at
jives@passiveaudit.org
Updated scripts, rules, etc. will be available at
http://www.passiveaudit.org