An Introduction to Snort

Richard Bejtlich

TaoSecurity

Houston ISSA Meeting 11 Apr 02

Outline

Introduction to Intrusion Detection

What is Snort?

Installing Snort

Snort Rules

Snort in Action

Third-Party Enhancements

Conclusion

About Me

Bejtlich = “bate-lik”

Senior engineer for managed network security operations, BATC (2001- )

Former captain at US Air Force Computer Emergency Response Team (1998-2001)

Student of intrusion detection, incident response, and digital forensics

www.taosecurity.com


Introduction to Intrusion Detection


Network defense or “protection” model


Planning


Prevention


Detection


Response


Intrusion detection is the process of
discovering, analyzing, and reporting
unauthorized or damaging network or
computer activities

Introduction to Intrusion Detection


All network and computer activities fall in one
of three categories:


Normal


Abnormal but not malicious


Malicious


Intrusion detection operates in two arenas:


What a computer says: network traffic


What a computer thinks: computer processes

Introduction to Intrusion Detection

Network traffic is monitored by network-based intrusion detection systems (NIDS)

Computer processes are monitored by host-based intrusion detection systems (HIDS)

So-called “hybrid” systems examine network traffic to or from a host, as well as processes on that host

NIDS are easier to deploy and manage, but HIDS may give greater visibility into events

What is Snort?

Snort is a fast, flexible, small-footprint, open-source NIDS developed by the security community and a “benevolent dictator”

Lead coder: Marty Roesch, now founder of Sourcefire (www.sourcefire.com)

Initially developed in late 1998 as a sniffer with consistent output, unlike the protocol-dependent output of tcpdump

Licensed under the GPL, but version 2.0 may change to a different license

Installing Snort

As of 16 Mar 02, version 1.8.4 is available at www.snort.org/dl/ in these forms:

    UNIX source

    Solaris, FreeBSD, Windows binary packages

    Red Hat .rpm

Requires installation of libpcap first!

    UNIX: www.tcpdump.org/release/libpcap-0.7.1.tar.gz or the newest available source

    Windows: netgroup-serv.polito.it/winpcap/install/ offers winpcap 2.2 and 2.3 beta (XP requires 2.3)

Installing Snort

On Red Hat Linux 7.2, as root:

    Download and install libpcap

    Download and install these three .rpm:

        libnet-1.0.2a-1snort.i386.rpm

        snort-1.8.4-1snort.i386.rpm

        snort-postgresql+flexresp-1.8.4-1snort.i386.rpm

    Create the /var/log/snort directory

Files installed:

    /etc/snort contains the conf and rule files

    /var/log/snort will contain the logs

    /usr/sbin/snort is the snort binary

Installing Snort

For a quick test, execute this command within the /etc/snort directory:

    snort -A console

From a separate machine, use nmap to generate events for Snort to detect:

    nmap -sP <snort_machine_IP_address>

You should see an alert like this:

    03/27-15:18:06.911226 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.20 -> 192.168.1.237

Installing Snort

On Windows 2000, as administrator:

    Download and install winpcap

    Download and execute Snort184Win32.exe, and select the “typical” installation

    mkdir “c:\Program Files\Sourcefire\Snort\log”

Files installed in c:\Program Files\Sourcefire\Snort:

    snort.conf

    \rules directory contains the rules

    snort.exe executable


Installing Snort

To test, execute this command within the c:\Program Files\Sourcefire\Snort directory:

    snort -A console

You may need to specify an interface with ‘-i 2’

From a separate machine, use nmap to generate events for Snort to detect:

    nmap -sP <snort_machine_IP_address>

You should see an alert like this:

    03/27-15:18:06.911226 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.20 -> 192.168.1.237

Installing Snort

While not an element of Snort, Ethereal is the best open-source GUI-based packet viewer

www.ethereal.com offers:

    Windows: www.ethereal.com/distribution/win32/ethereal-setup-0.9.2.exe

    UNIX: www.ethereal.com/download.html

    Red Hat Linux RPMs: ftp.ethereal.com/pub/ethereal/rpms/

Installing Snort

Also not an element of Snort, tcpdump is a well-established CLI packet capture tool

www.tcpdump.org offers UNIX source

netgroup-serv.polito.it/windump/install/ offers windump, a Windows port of tcpdump

windump is helpful because it will help you see the different interfaces available on your sensor (windump -D lists them with their index numbers)

The next slide showed two available interfaces; note that only the second is capable of sniffing, hence:

    snort -A console -i 2

Snort Rules

Snort rules are extremely flexible and easy to modify, unlike many commercial NIDS

Sample rule to detect the SubSeven trojan:

    alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content:"|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;)

Elements before the parentheses comprise the ‘rule header’

Elements in parentheses are the ‘rule options’

Snort Rules

    alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content:"|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;)

alert: action to take; also log, pass, activate, dynamic

tcp: protocol; also udp, icmp, ip

$EXTERNAL_NET: source address; this is a variable (defined with var in snort.conf); a specific IP is OK

27374: source port; also any, negation (!21), range (1:1024)

->: direction; best not to change this, although <> (bidirectional) is allowed

$HOME_NET: destination address; this is also a variable here

any: destination port

Snort Rules

    alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content:"|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;)

msg:"BACKDOOR subseven 22"; message to appear in the logs

flags: A+; TCP flags; A+ means ACK set plus any others; many options, like SA, SA+, !R, SF*

content:"|0d0...0a|"; binary data to check for in the packet payload (bytes between | pipe | characters are hex); content without pipe characters does a simple text match

reference...; where to go to look for background on this rule

sid:103; rule identifier

classtype:misc-activity; rule type; many others

rev:4; rule revision number

Other rule options are possible, like offset, depth, nocase

Snort Rules

Rule files included by the default snort.conf:

    bad-traffic.rules
    exploit.rules
    scan.rules
    finger.rules
    ftp.rules
    telnet.rules
    smtp.rules
    rpc.rules
    rservices.rules
    dos.rules
    ddos.rules
    dns.rules
    tftp.rules
    web-cgi.rules
    web-coldfusion.rules
    web-frontpage.rules
    web-iis.rules
    web-misc.rules
    web-attacks.rules
    sql.rules
    x11.rules
    icmp.rules
    netbios.rules
    misc.rules
    backdoor.rules
    shellcode.rules
    policy.rules
    porn.rules
    info.rules
    icmp-info.rules
    virus.rules
    local.rules
    attack-responses.rules

Snort Rules

Rules which actually caught intrusions:

    alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_cmdshell - program execution"; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; flags:A+; classtype:attempted-user; sid:687; rev:3;)

    caught compromise of a Microsoft SQL Server (the content is "xp_cmdshell" in the 16-bit little-endian encoding the SQL Server wire protocol uses, hence the |00| after every letter)

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:2;)

    caught a Code Red infection

    alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP \"MKD / \" possible warez site"; flags: A+; content:"MKD / "; nocase; depth: 6; classtype:misc-activity; sid:554; rev:3;)

    caught an abused anonymous ftp server (depth: 6 restricts the match to the first six bytes of the payload, i.e. the command itself)

Snort Rules

More rules that caught intrusions:

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS multiple decode attempt"; flags:A+; uricontent:"%5c"; uricontent:".."; reference:cve,CAN-2001-0333; classtype:web-application-attack; sid:970; rev:2;)

    caught a NIMDA infection

    alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET Bad Login"; content: "Login incorrect"; nocase; flags:A+; classtype:bad-unknown; sid:1251; rev:2;)

    caught a telnet username brute-force

Consider how a rule with “Login incorrect” might trigger on many non-malicious events: every mistyped password on a monitored telnet server produces the same alert, so it is the count and rate per client, not the single hit, that separates a typo from a brute-force
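To make the rule anatomy from the earlier slides and the rules above concrete, here is an added example; it is not Snort's rule engine and not code from the talk. It parses a rule into header fields and ordered options, decodes |hex| content into bytes, and applies the port and content/nocase/offset/depth checks to constructed payloads, covering the SubSeven rule from the anatomy slides and the xp_cmdshell and MKD rules above. Assumptions: address variables ($HOME_NET etc.) and TCP flags are not evaluated, depth is counted from offset, and the payloads are made up for the demonstration.

```python
import re

# Rules copied from the slides (Snort 1.8 syntax). Everything else in this block is an added
# illustration: it evaluates ports and content options only, not addresses or TCP flags.
SUBSEVEN_RULE = ('alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; '
                 'flags: A+; content:"|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; '
                 'reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;)')
XP_CMDSHELL_RULE = ('alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_cmdshell - program '
                    'execution"; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; '
                    'flags:A+; classtype:attempted-user; sid:687; rev:3;)')
MKD_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP \\"MKD / \\" possible warez site"; '
            'flags: A+; content:"MKD / "; nocase; depth: 6; classtype:misc-activity; sid:554; rev:3;)')

HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$', re.S)
HEX_RE = re.compile(r'\|([0-9a-fA-F\s]+)\|')

def parse_port(spec):
    """'any', '27374', '!21', '1:1024' -> (negated, low, high)."""
    negated = spec.startswith('!')
    spec = spec.lstrip('!')
    if spec == 'any':
        return (negated, 0, 65535)
    if ':' in spec:
        lo, hi = spec.split(':', 1)
        return (negated, int(lo) if lo else 0, int(hi) if hi else 65535)
    return (negated, int(spec), int(spec))

def port_matches(port_spec, port):
    negated, lo, hi = port_spec
    return (lo <= port <= hi) != negated

def split_options(body):
    """Split 'k:v; k:v;' on semicolons outside double quotes, honouring \\" escapes (see the MKD msg)."""
    options, current, quoted, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if quoted and ch == '\\' and i + 1 < len(body):
            current.append(body[i + 1]); i += 2; continue
        if ch == '"':
            quoted = not quoted
        elif ch == ';' and not quoted:
            options.append(''.join(current).strip()); current = []; i += 1; continue
        current.append(ch); i += 1
    if ''.join(current).strip():
        options.append(''.join(current).strip())
    return options

def parse_rule(text):
    """Rule header -> fields; rule options -> ordered (keyword, value) pairs (reference may repeat)."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError('not a Snort rule: ' + text[:40])
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = []
    for opt in split_options(body):
        key, _, value = opt.partition(':')
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        options.append((key.strip(), value))
    return {'action': action, 'proto': proto, 'src': src, 'sport': parse_port(sport),
            'direction': direction, 'dst': dst, 'dport': parse_port(dport), 'options': options}

def decode_content(value):
    """Snort content string -> bytes: text outside |..| is literal, |0d 0a| sections are hex."""
    out, pos = bytearray(), 0
    for m in HEX_RE.finditer(value):
        out += value[pos:m.start()].encode('latin-1')
        out += bytes.fromhex(m.group(1).replace(' ', ''))
        pos = m.end()
    out += value[pos:].encode('latin-1')
    return bytes(out)

def content_matchers(rule):
    """Each content: keyword collects the nocase/offset/depth modifiers that follow it."""
    matchers = []
    for key, value in rule['options']:
        if key == 'content':
            matchers.append({'pattern': decode_content(value), 'nocase': False, 'offset': 0, 'depth': 0})
        elif key in ('nocase', 'offset', 'depth') and matchers:
            matchers[-1][key] = True if key == 'nocase' else int(value)
    return matchers

def payload_matches(rule, payload):
    """Every content pattern must occur in its window; depth is counted from offset (an assumption)."""
    for m in content_matchers(rule):
        window = payload[m['offset']:]
        if m['depth']:
            window = window[:m['depth']]
        pattern = m['pattern']
        if m['nocase']:
            window, pattern = window.lower(), pattern.lower()
        if pattern not in window:
            return False
    return True

def rule_fires(rule, src_port, dst_port, payload):
    """Port checks plus content checks; $HOME_NET-style variables and flags are left to a real sensor."""
    return (port_matches(rule['sport'], src_port) and port_matches(rule['dport'], dst_port)
            and payload_matches(rule, payload))

if __name__ == '__main__':
    # Constructed payloads: a SubSeven banner, an MS-SQL query in UTF-16LE, two FTP command streams.
    print(rule_fires(parse_rule(SUBSEVEN_RULE), 27374, 4321, b'\r\n[RPL]002\r\nconnected.'))
    print(rule_fires(parse_rule(XP_CMDSHELL_RULE), 3456, 1433, 'EXEC master..XP_CMDSHELL "dir"'.encode('utf-16-le')))
    print(rule_fires(parse_rule(MKD_RULE), 3457, 21, b'MKD / warez\r\n'))    # MKD inside the 6-byte depth
    print(rule_fires(parse_rule(MKD_RULE), 3457, 21, b'PWD\r\nMKD / x\r\n'))  # MKD beyond it: no alert
```

The last two calls show what depth: 6 buys the FTP rule: "MKD / " sent as the first command matches, the same string later in the same segment does not, which is how the rule avoids firing on directory names that merely contain the text.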

Snort in Action

Three operational modes:

    Sniffer: snort -dvae will display payloads (-d), be verbose (-v), display ARP traffic (-a), and display link-layer data (-e)

    Packet logger: snort -b -l /var/log/snort will log packets in binary (tcpdump) format to the /var/log/snort directory

    NIDS: snort -b -l /var/log/snort -A full -c /etc/snort/snort.conf will log binary data in the /var/log/snort directory, with full alerts in /var/log/snort/alert, reading the configuration file in /etc/snort

Snort in Action

Three ways to tell Snort how to act:

    snort.conf configures variables, preprocessors, output plugins, and active rule sets

    .rules files define the actual signatures

    Command-line options start Snort and override the corresponding settings in the snort.conf file

Snort will run with the default snort.conf, but you will have less ‘chaff’ to sort through if you spend time configuring snort.conf properly (at minimum, set HOME_NET so the $HOME_NET rules match your own addresses)

Snort in Action

Snort as NIDS (third mode) captures recon

Contents of /var/log/snort/alert:

    [**] [1:469:1] ICMP PING NMAP [**]
    [Classification: Attempted Information Leak] [Priority: 2]
    03/28-09:48:40.739935 192.168.1.2 -> 192.168.1.3
    ICMP TTL:46 TOS:0x0 ID:61443 IpLen:20 DgmLen:28
    Type:8  Code:0  ID:10629   Seq:0  ECHO
    [Xref => http://www.whitehats.com/info/IDS162]

    [**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 192.168.1.2 (THRESHOLD 4 connections exceeded in 0 seconds) [**]
    03/28-09:48:41.052635

    [**] [100:2:1] spp_portscan: portscan status from 192.168.1.2: 183 connections across 1 hosts: TCP(183), UDP(0) [**]
    03/28-09:48:45.007501

Note the generator ID: rule alerts carry generator 1 and the rule's sid, while preprocessor alerts such as spp_portscan carry their own generator (100) and event numbers
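The alert file has a regular shape: one blank-line-separated record per alert, a [**] header carrying generator:sid:rev and the message, a classification/priority line, and a timestamp/address line. As an added example (not from the talk, and not SnortSnarf or ACID code), the Python below parses that format into records and then runs a per-address sliding-window count over them, which is the post-processing the “Login incorrect” caveat on the rules slide calls for. The sample alert text is constructed: the NMAP record is copied from the slide, the TELNET Bad Login records are invented, and Snort's year-less timestamps are read as 2002 by assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/snort/alert as written by -A full. The NMAP record is the one on
# the slide; the TELNET Bad Login records (sid 1251) are made up: one for a client that mistyped a
# password (10.0.0.20) and six in ten seconds for a client guessing passwords (10.0.0.50).
NMAP_RECORD = """\
[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/28-09:48:40.739935 192.168.1.2 -> 192.168.1.3
ICMP TTL:46 TOS:0x0 ID:61443 IpLen:20 DgmLen:28
Type:8  Code:0  ID:10629   Seq:0  ECHO
[Xref => http://www.whitehats.com/info/IDS162]
"""

def telnet_bad_login(timestamp, client_ip, client_port):
    """One TELNET Bad Login record; the server is the source because the rule watches $HOME_NET 23 -> $EXTERNAL_NET."""
    return (f"[**] [1:1251:2] TELNET Bad Login [**]\n"
            f"[Classification: Potentially Bad Traffic] [Priority: 2]\n"
            f"{timestamp} 192.168.1.3:23 -> {client_ip}:{client_port}\n"
            f"TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF\n"
            f"***AP*** Seq: 0x1  Ack: 0x1  Win: 0x16D0  TcpLen: 32\n")

SAMPLE_ALERT_FILE = "\n".join(
    [NMAP_RECORD, telnet_bad_login("03/28-10:02:11.100000", "10.0.0.20", 40001)]
    + [telnet_bad_login(f"03/28-10:05:{s:02d}.000000", "10.0.0.50", 41000 + s) for s in range(0, 12, 2)])

HEADER_RE = re.compile(r'^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$')
CLASS_RE = re.compile(r'^\[Classification: (.*?)\] \[Priority: (\d+)\]$')
ADDR_RE = re.compile(r'^(\d\d/\d\d)-(\d\d:\d\d:\d\d\.\d+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$')

def parse_alert_file(text, year=2002):
    """Split the alert file into blank-line-separated records and extract the fields a console would
    index: generator:sid:rev, message, classification, priority, time, addresses, ports.
    Snort writes no year, so the caller supplies one (2002 here, the year of the slides)."""
    alerts = []
    for block in re.split(r'\n\s*\n', text.strip()):
        lines = block.splitlines()
        head = HEADER_RE.match(lines[0])
        if not head:
            continue
        rec = {'gid': int(head.group(1)), 'sid': int(head.group(2)), 'rev': int(head.group(3)),
               'msg': head.group(4), 'classification': None, 'priority': None,
               'time': None, 'src': None, 'sport': None, 'dst': None, 'dport': None}
        for line in lines[1:]:
            cls = CLASS_RE.match(line)
            if cls:
                rec['classification'], rec['priority'] = cls.group(1), int(cls.group(2))
            addr = ADDR_RE.match(line)
            if addr:
                rec['time'] = datetime.strptime(f"{year}/{addr.group(1)}-{addr.group(2)}", '%Y/%m/%d-%H:%M:%S.%f')
                rec['src'], rec['dst'] = addr.group(3), addr.group(5)
                rec['sport'] = int(addr.group(4)) if addr.group(4) else None   # ICMP alerts carry no ports
                rec['dport'] = int(addr.group(6)) if addr.group(6) else None
        alerts.append(rec)
    return alerts

def repeat_offenders(alerts, sid, key, window_seconds, threshold):
    """Addresses (field `key`, 'src' or 'dst') for which rule `sid` fired at least `threshold` times
    inside some `window_seconds` span. One 'Login incorrect' is a typo; many per minute is a
    brute force, a distinction a single content rule cannot draw on its own."""
    times_by_addr = defaultdict(list)
    for a in alerts:
        if a['sid'] == sid and a['time'] is not None:
            times_by_addr[a[key]].append(a['time'])
    offenders = set()
    for addr, times in times_by_addr.items():
        times.sort()
        start = 0
        for end in range(len(times)):            # sliding window over the sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                offenders.add(addr)
                break
    return offenders

if __name__ == '__main__':
    alerts = parse_alert_file(SAMPLE_ALERT_FILE)
    for a in alerts:
        print(f"[{a['gid']}:{a['sid']}:{a['rev']}] {a['time']} {a['src']} -> {a['dst']} {a['msg']}")
    print(repeat_offenders(alerts, 1251, 'dst', window_seconds=60, threshold=5))
```

For the telnet rule the client is the destination of the alert (the server sends "Login incorrect"), so the grouping key is 'dst'; for inbound rules such as ICMP PING NMAP it would be 'src'. The spp_portscan records on the slide have a different layout (no address line) and are skipped by this parser.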


Snort in Action

Partial contents of /var/log/snort/portscan.log:

    Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:106 SYN ******S*
    Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:193 SYN ******S*
    Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:138 SYN ******S*
    Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:128 SYN ******S*
    Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:156 SYN ******S*
    Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:35 SYN ******S*
    Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:48 SYN ******S*
    Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:16 SYN ******S*
    Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:173 SYN ******S*
    Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:72 SYN ******S*
    Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:65 SYN ******S*
    Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:36 SYN ******S*
    Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:149 SYN ******S*
    Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:17 SYN ******S*
    Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:218 SYN ******S*

Snort in Action

/var/log/snort/snort-0328@0948.log is in binary (libpcap) format; read it with Ethereal or tcpdump (tcpdump -r <file>)

Sample tcpdump output of this log file:

    09:48:40.739935 192.168.1.2 > 192.168.1.3: icmp: echo request
    09:48:40.743705 192.168.1.2 > 192.168.1.3: icmp: echo request

As configured, Snort will only log the packets which triggered an alert

Packets triggering portscans are not logged by default
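The binary log is a libpcap (tcpdump-format) file, which is why Ethereal and tcpdump can read it. As an added example (not tcpdump's, Ethereal's or Snort's code), the Python below parses that format directly and produces tcpdump-style lines like the two above. It builds its own two echo-request frames as constructed sample data so that it runs offline, verifies the IP header checksum rather than trusting the bytes, and rejects a file with a foreign magic number or a truncated record. The timestamps are interpreted as UTC, an assumption made so the output matches the slide regardless of the local time zone.

```python
import socket
import struct
from datetime import datetime, timezone

# Minimal reader for the libpcap format Snort's -b option writes, plus a builder used only to
# construct sample data offline. Added illustration, not tcpdump's or Ethereal's code.
PCAP_MAGIC = 0xA1B2C3D4        # little-endian file with microsecond timestamps
LINKTYPE_ETHERNET = 1
ICMP_TYPES = {0: 'echo reply', 3: 'unreachable', 8: 'echo request', 11: 'time exceeded'}

def checksum(data):
    """RFC 1071 one's-complement checksum, used for both IP and ICMP headers."""
    if len(data) % 2:
        data += b'\x00'
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return (~total) & 0xffff

def icmp_echo_frame(src_ip, dst_ip, ip_id, icmp_id, seq, ttl=46):
    """Ethernet + IPv4 + ICMP echo request; the 28-byte datagram matches DgmLen:28 in the slide's alert."""
    eth = bytes.fromhex('001122334455') + bytes.fromhex('66778899aabb') + b'\x08\x00'
    icmp = struct.pack('!BBHHH', 8, 0, 0, icmp_id, seq)
    icmp = icmp[:2] + struct.pack('!H', checksum(icmp)) + icmp[4:]
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(icmp), ip_id, 0, ttl, 1, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack('!H', checksum(ip)) + ip[12:]
    return eth + ip + icmp

def build_pcap(packets, snaplen=1514):
    """Serialise (seconds, microseconds, frame) tuples into a pcap file image."""
    out = struct.pack('<IHHiIII', PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for sec, usec, frame in packets:
        out += struct.pack('<IIII', sec, usec, len(frame), len(frame)) + frame
    return out

def read_pcap(blob):
    """Yield (seconds, microseconds, frame) from a pcap image, refusing foreign magic and truncated records."""
    magic, _major, _minor, _tz, _sig, _snap, linktype = struct.unpack('<IHHiIII', blob[:24])
    if magic != PCAP_MAGIC:
        raise ValueError('unsupported pcap magic 0x%08x (big-endian or nanosecond file?)' % magic)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError('only Ethernet link type handled here, got %d' % linktype)
    pos = 24
    while pos + 16 <= len(blob):
        sec, usec, caplen, _origlen = struct.unpack('<IIII', blob[pos:pos + 16])
        pos += 16
        frame = blob[pos:pos + caplen]
        if len(frame) < caplen:
            raise ValueError('truncated packet record at offset %d' % pos)
        pos += caplen
        yield sec, usec, frame

def summarize_frame(sec, usec, frame):
    """tcpdump-style one-liner for IPv4 frames; flags a bad IP header checksum instead of trusting the bytes."""
    ts = datetime.fromtimestamp(sec, timezone.utc).strftime('%H:%M:%S') + '.%06d' % usec
    if len(frame) < 34 or frame[12:14] != b'\x08\x00':
        return f'{ts} non-IPv4 frame, {len(frame)} bytes'
    ihl = (frame[14] & 0x0f) * 4
    bad = '' if checksum(frame[14:14 + ihl]) == 0 else ' (bad ip cksum)'
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    if proto == 1 and len(frame) >= 14 + ihl + 8:
        icmp_type = frame[14 + ihl]
        return f'{ts} {src} > {dst}: icmp: {ICMP_TYPES.get(icmp_type, "type %d" % icmp_type)}{bad}'
    return f'{ts} {src} > {dst}: ip proto {proto}{bad}'

def summarize_pcap(blob):
    return [summarize_frame(sec, usec, frame) for sec, usec, frame in read_pcap(blob)]

# Constructed data: the two echo requests from the slide's tcpdump output (timestamps taken as UTC).
T0 = int(datetime(2002, 3, 28, 9, 48, 40, tzinfo=timezone.utc).timestamp())
SAMPLE_PCAP = build_pcap([
    (T0, 739935, icmp_echo_frame('192.168.1.2', '192.168.1.3', 61443, 10629, 0)),
    (T0, 743705, icmp_echo_frame('192.168.1.2', '192.168.1.3', 61444, 10629, 1)),
])

if __name__ == '__main__':
    for line in summarize_pcap(SAMPLE_PCAP):
        print(line)
```

Because a -b log holds only the packets that raised alerts, a reader like this is enough to answer "what did the sensor actually see" for each alert; pointing read_pcap at a real snort-MMDD@HHMM.log works as long as the sensor's link type is Ethernet, which is the only one decoded here.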

Third-Party Enhancements

SnortSnarf

    www.silicondefense.com/software/snortsnarf/

    SnortSnarf is a Perl program that takes files of alerts from Snort and produces HTML reports

    Output intended for diagnostic inspection

    Silicon Defense also supplies sensors with commercial support

    Description and screenshot taken from the SnortSnarf web site

Third-Party Enhancements

Analysis Console for Intrusion Databases (ACID)

    acidlab.sourceforge.net/

    PHP-based analysis engine to search and process a database of security events generated by various IDSes, firewalls, and network monitoring tools

    Query-builder and search interface, packet viewer (decoder), alert management, chart and statistics generation

    Description and screenshots taken from the ACID web site

Demarc

    www.demarc.com

    NIDS management console, integrating Snort with the convenience and power of a centralized interface for all network sensors

    Monitors all servers / hosts to make sure network services such as mail or web servers remain accessible at all times

    Monitors system logs for anomalous log entries that may indicate intruders or system malfunctions

    Description and screenshots taken from the Demarc web site

Conclusion

Snort is a powerful tool, but maximizing its usefulness requires a trained operator

Becoming proficient with network intrusion detection takes 12 months; “expert” 24-36?

Snort is considered a superior NIDS when compared to most commercial systems

Managed network security providers should collect enough information to make decisions without calling clients to ask what happened