Modified slides from Martin Roesch Sourcefire Inc.

Topics
• • • • Intro to Snort Using Snort Snort Architecture Thi d P t Enhancements Third-Party E h t

Intro to Snort
• What is Snort?
– Snort is a multi-mode packet analysis tool
• • • • Sniffer Packet Logger Forensic Data Analysis tool N t Network k Intrusion I t i Detection D t ti System S t

• Where did it come from?
– Developed out of the evolving need to perform network traffic analysis in both real-time and for forensic post processing

HP-UX. Tru64. Solaris. BSD. IRIX.Snort “Metrics” Metrics • Portable (Linux. etc) • Fast (High probability of detection for a given attack on 100Mbps networks) • Configurable (Easy rules language. many reporting/logging options • Free (GPL/Open Source Software) . MacOS X. Windows.

Snort Design • Packet sniffing “lightweight” network intrusion detection system y • Libpcap-based sniffing interface • Rules-based Rules based detection engine • Plug-in system allows endless flexibility .

buffer overflows. • Rules system is very flexible. and creation of new rules is relatively simple . etc. OS fingerprinting. CGI exploits. back doors.Detection Engine • Rules form “signatures” • Modular detection elements are combined to form these signatures • Wide range g of detection capabilities p – Stealth scans.

Using Snort • Three main operational modes – – – – Sniffer Mode P k t Logger Packet L M Mode d NIDS Mode (Forensic Data Analysis Mode) • Operational modes are configured via command line switches – Snort automatically tries to go into NIDS mode if no command line switches are given. looks for g file in /etc snort.conf configuration .

Using Snort – Sniffer Mode • Works much like tcpdump • Decodes packets and dumps them to stdout • BPF filtering interface available to shape displayed network traffic .

Packet Logger Mode • Gee. it sure would be nice if I could save those packets to disk… • Multi-mode packet logging options available – Flat ASCII. etc available • L Log all ll data d t and d post-process t t look to l k for f anomalous activity . database. XML. tcpdump.

NIDS Mode • Wide variety of rules available for signature engine (~1300 as of June 2001.000 000 rules) ~2900 • Multiple detection modes available via rules and plug-ins plug ins – Rules/signature – Statistical anomaly – Protocol verification . grow to 2900 at May 2005 2005. now over 20 20.

Snort Rules .

rules b tt k l l l x11.rules attack-responses.Snort Rules • • • • • • • • • • • bad-traffic.rules dos.rules dns.rules web-frontpage.rulessql.rules web-misc.rules smtp.rules tftp.rules ftp rules ftp.rules ddos.rules exploit.rules misc.rules shellcode.rules scan.rules local.rules web-attacks.rules .rules web-coldfusion.rules web-cgi.rules netbios.rules rpc.rules backdoor.rules telnet rules telnet.rules porn.rules policy.rules info.rules web-iis.rules virus.rules icmp-info.rules rservices.rules 11 l icmp.rules finger rules finger.

) • Elements before p parentheses comprise p ‘rule header’ • Elements in p parentheses are ‘rule options’ p .Snort Rules • Snort rules are extremely flexible and are easy to modify • Sample rule to detect SubSeven trojan: alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22".org/subseven/.hackfix.www. content: "|0d0a5b52504c5d3030320d0a|". classtype:misc-activity. flags: A+. rev:4.485. reference:arachnids. sid:103. reference:url.

icmp. this is a variable – specific IP is ok 27374 source port. also udp. activate. dynamic tcp pp protocol. p.www.) • • • • • • • alert action to take.org/subseven/. this is also a variable here any destination port . rev:4. sid:103. . flags: A+. p. negation (!21).Snort Rules alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22". f h id 485 reference:url. content: "|0d0 5b52504 5d3030320d0 |" reference:arachnids. ip p $EXTERNAL_NET source address.hackfix. classtype:misc-activity.485. "|0d0a5b52504c5d3030320d0a|". pass. although <> is allowed $HOME_NET destination address. range (1:1024) -> direction. best not to change this this. also log. also any.

Snort Architecture .

Data Flow Snort S iffi Sniffing Packet Decoder Preprocessor (Plug-ins) Detection Engine (Plug-ins) Output Stage (Plug-ins) Data Flow F Pac cket Stre eam Alerts/Logs .

1.) .) .2.1 any -> 2.1 any -> 2.2.) Alert tcp 1.1.) Alert tcp 1.1.2.1.2. msg: “FIN Scan”. msg: “SYN-FIN SYN FIN Scan Scan”.2 any (flags: F.1 any -> 2.1.Detection Engine: Rules Rule Header Rule Options Alert tcp 1.2. msg: “Queso Scan”.2.1.2 any (flags: S12.2 any (flags: SF.

1. msg: “FIN Scan”.2. msg: “SYN “SYN-FIN FIN Scan”.) S ”) (flags: S12.) .) (flags: F.2 any Option Node (fl (flags: SF SF.1 any -> 2.2.Detection Engine: Internal Representation Rule Node Alert tcp 1.1. msg: “Queso Scan”.

Detection Engine: Fully Populated Rule N d Node Option p Node Option O ti Node Option Node Rule N d Node Option p Node Option O ti Node Rule N d Node Option p Node Option O ti Node Option Node Rule N d Node Option p Node Rule N d Node Option p Node Option O ti Node .

th “ “expert” t” 24 24-36? 36? • Managed network security providers should collect ll t enough hi information f ti t to make k d decisions i i without calling clients to ask what happened .Conclusion • Snort is a powerful tool. but maximizing its usefulness f l requires i at trained i d operator t • Becoming proficient with network intrusion d t ti t detection takes k 12 months.

how fast? – Response p Coordination .Background – Policy • Successful intrusion detection depends on policy and management as much as technology – Security Policy (defining what is acceptable and d what h ti is b being i d defended) f d d) i is th the fi first t step – Notification • Who.

Plug Ins Plug-Ins • Preprocessor – Packets are examined/manipulated before being handed to the detection engine • Detection – Perform single. simple tests on a single aspect/field of the packet • Output O t t – Report results from the other plug-ins .

Third-Party y Enhancements .

org/dl/contrib/data_analysis/ snortsnarf/ t f/ • SnortSnarf is a Perl program to take files of alerts from the Snort to produce HTML reports • Output intended for diagnostic inspection • Used to have commercial support from SiliconDefense .snort.SnortSnarf • http://www.

.

• www www.demarc.com demarc com • NIDS management console. integrating Snort with the convenience and power of a centralized interface for all network sensors • Commercialized by Applied Watch for Enterprise Open Source Security Management – Snort® (IDS) – Snort-Inline (IPS) – Labrea Tarpit p ( (Sticky y Honeypot) yp ) – ClamAV (Antivirus) – Nessus (Vulnerability Management) Demarc .

.

.

.What Do The Packet Dumps Look Like? =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 11/09-11:12:02.1.'.6:1032 TCP TTL:255 TOS:0x0 ID:49900 IpLen:20 DgmLen:61 DF ***AP*** Seq: 0x1AF156C2 Ack: 0x16B6ED Win: 0x2238 TcpLen: 20 0D 0A 0D 0A 53 75 6E 4F 53 20 35 2E 37 0D 0A 0D .1..1. 00 0D 0A 0D 00 .SunOS 5...$.1.ANS 49 FF F0 I..6:1032 -> 10..8:23 TCP TTL:128 TOS:0x0 ID:31237 IpLen:20 DgmLen:59 DF ***AP*** AP Seq: 0x16B6DA Ack: 0x1AF156C2 Win: 0x2217 TcpLen: 20 FF FC 23 FF FC 27 FF FC 24 FF FA 18 00 41 4E 53 ..1..7. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ .1. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 11/09-11:12:02.1.1.....954779 10..956582 10..8:23 -> 10...#.

to alert the network administrator with message “Worm Worm Ditty!” Ditty! .0/24).Quiz Now suppose a new worm break out. Add rules for snort to detect this worm. Do not alert if some machines hi i inside id our network t kt to send d th the worm like traffic out.100. Write rules for this worm. • The worm is coming from outside of our network (129. The feature of the worm is: • It targets the TCP 8008 or UDP port 4004 • It contains the signature “03 0E FE CC A0” follow by “PASS : RECV” within the 20 bytes of the first one.105.

Sign up to vote on this title
UsefulNot useful