Professional Documents
Culture Documents
Topics
Intro to Snort Using Snort Snort Architecture Thi d P t Enhancements Third-Party E h t
Intro to Snort
What is Snort?
Snort is a multi-mode packet analysis tool
Sniffer Packet Logger Forensic Data Analysis tool N t Network k Intrusion I t i Detection D t ti System S t
Snort Design
Packet sniffing lightweight network intrusion detection system y Libpcap-based sniffing interface Rules-based Rules based detection engine Plug-in system allows endless flexibility
Detection Engine
Rules form signatures Modular detection elements are combined to form these signatures Wide range g of detection capabilities p
Stealth scans, OS fingerprinting, buffer overflows, back doors, CGI exploits, etc.
Rules system is very flexible, and creation of new rules is relatively simple
Using Snort
Three main operational modes
Sniffer Mode P k t Logger Packet L M Mode d NIDS Mode (Forensic Data Analysis Mode)
NIDS Mode
Wide variety of rules available for signature engine (~1300 as of June 2001, grow to 2900 at May 2005 2005, now over 20 20,000 000 rules) ~2900 Multiple detection modes available via rules and plug-ins plug ins
Rules/signature Statistical anomaly Protocol verification
Snort Rules
Snort Rules
bad-traffic.rules exploit.rules scan.rules finger rules finger.rules ftp rules ftp.rules telnet rules telnet.rules smtp.rules rpc.rules rservices.rules dos.rules ddos.rules dns.rules tftp.rules web-cgi.rules web-coldfusion.rules web-frontpage.rules web-iis.rules web-misc.rules web-attacks.rulessql.rules b tt k l l l x11.rules 11 l icmp.rules netbios.rules misc.rules backdoor.rules shellcode.rules policy.rules porn.rules info.rules icmp-info.rules virus.rules local.rules attack-responses.rules
Snort Rules
Snort rules are extremely flexible and are easy to modify Sample rule to detect SubSeven trojan:
alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;)
Elements before p parentheses comprise p rule header Elements in p parentheses are rule options p
Snort Rules
alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0 5b52504 5d3030320d0 |" reference:arachnids,485; "|0d0a5b52504c5d3030320d0a|"; f h id 485 reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;)
alert action to take; also log, pass, activate, dynamic tcp pp protocol; ; also udp, p, icmp, p, ip p $EXTERNAL_NET source address; this is a variable specific IP is ok 27374 source port; also any, negation (!21), range (1:1024) -> direction; best not to change this this, although <> is allowed $HOME_NET destination address; this is also a variable here any destination port
Snort Architecture
Data Flow
Snort
S iffi Sniffing Packet Decoder Preprocessor (Plug-ins) Detection Engine (Plug-ins) Output Stage (Plug-ins) Data Flow F
Alerts/Logs
Alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: SF; msg: SYN-FIN SYN FIN Scan Scan;) ;) Alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: S12; msg: Queso Scan;) Alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: F; msg: FIN Scan;)
Option Node
(fl (flags: SF SF; msg: SYN SYN-FIN FIN Scan;) S ) (flags: S12; msg: Queso Scan;) (flags: F; msg: FIN Scan;)
Conclusion
Snort is a powerful tool, but maximizing its usefulness f l requires i at trained i d operator t Becoming proficient with network intrusion d t ti t detection takes k 12 months; th expert t 24 24-36? 36? Managed network security providers should collect ll t enough hi information f ti t to make k d decisions i i without calling clients to ask what happened
Background Policy
Successful intrusion detection depends on policy and management as much as technology
Security Policy (defining what is acceptable and d what h ti is b being i d defended) f d d) i is th the fi first t step Notification
Who, how fast?
Response p Coordination
Detection
Perform single, simple tests on a single aspect/field of the packet
Output O t t
Report results from the other plug-ins
Third-Party y Enhancements
SnortSnarf
http://www.snort.org/dl/contrib/data_analysis/ snortsnarf/ t f/ SnortSnarf is a Perl program to take files of alerts from the Snort to produce HTML reports Output intended for diagnostic inspection Used to have commercial support from SiliconDefense
www www.demarc.com demarc com NIDS management console, integrating Snort with the convenience and power of a centralized interface for all network sensors Commercialized by Applied Watch for
Enterprise Open Source Security Management
Snort (IDS) Snort-Inline (IPS) Labrea Tarpit p ( (Sticky y Honeypot) yp ) ClamAV (Antivirus) Nessus (Vulnerability Management)
Demarc
Quiz
Now suppose a new worm break out. The feature of the worm is: It targets the TCP 8008 or UDP port 4004 It contains the signature 03 0E FE CC A0 follow by PASS : RECV within the 20 bytes of the first one. The worm is coming from outside of our network (129.105.100.0/24). Add rules for snort to detect this worm. Do not alert if some machines hi i inside id our network t kt to send d th the worm like traffic out. Write rules for this worm, to alert the network administrator with message Worm Worm Ditty! Ditty!