Transcript Snort & ACID - DMC Cisco Networking Academy

Snort & ACID
Low cost, highly configurable IDS
by
Patrick Southcott
[email protected]
http://www.patricksouthcott.com
Large topic, General outline:
1. What is snort?
2. Where does an IDS fit
in the network?
3. Snort 2.0, Marty and
Sourcefire.com
4. Snort system overview
– config file
– rules (custom & public)
5. ACID : opensource,
web-based, simple
alert management.
6. PROS & CONS of
snort as an IDS.
7. Building a snort
sensor on Redhat9.
What is Snort?
Snort is an application which listens to network traffic and
uses rules to determine if it sees particular types of traffic.
It logs, alerts for and listens to network traffic.
The System Architecture consists of these main parts:
• Sniffer
• “Promiscuous Mode” NIC
Packets on the wire
• Preprocessor
• frag2, stream4, http_decode
• Detection Engine
Snort Detection Process
• Using Rules
• Logging and Alerting plugins
• log mysql, alert smb
Records in a SQL db
Snort in the larger picture
• Snort “sensors” can be placed on any
network device. Hubs work best.
• Sensors may log to a central database over
secure tunnels or private media.
• Management console using ACID.
Network Overview
Management
Console
IDS network
sensor
sensor
Internet
Router /
firewall
DMZ
sensor
Router /
firewall
Private LAN
DMZ hosts
IDS in Perspective
• Management / Executive
• low TCO (End-to-end, openness)
• Wants reports which show ROE
• System Admin
•
•
•
•
•
Configures and runs everything. Routers, firewalls, servers.
Endless game to keep “up-to-date”.
Wants to be “user” of IDS
High quality data
Auto-response to new vulnerabilities.
• Network Admin / Analyst
•
•
•
•
Maintains network
Event Correlation
Broad -> Specific
Tune rules
Marty Roesch and Sourcefire
• Created snort in 1998.
• Sourcefire sells IDS boxes which they install,
configure and support. Different security needs
may involve specific tuning to customer’s
network.
• Sourcefire is the major commercial supporter of
snort.
• Gig speeds with multiprocessors and linux
– same kernel, custom drivers, minimal footprint
• demo-sensor.sourcefire.com
Snort Usage
• Run on Console
$ ./snort –c snort.conf
Shell output from snort init.:
$ ./snort –l /home/snort/snort_spool/
Running in packet logging mode
Log directory = /snort/snort_spool/
–l /home/snort/snort_spool/
Initializing Network Interface eth0
--== Initializing Snort ==--
• Run as Daemon
Initializing Output Plugins!
Decoding Ethernet on interface eth0
$ ./snort –D –c snort.conf
--== Initialization Complete ==--
–l home/snort/snort_spool/
-*> Snort! <*Version 2.0.0rc4 (Build 70)
Snort Config File:
config daemon
By Martin Roesch ([email protected],
www.snort.org)
Snort Console Output
================================================================
Snort analyzed 4 out of 4 packets, dropping 0(0.000%) packets
Breakdown by protocol:
Action Stats:
TCP: 4
(100.000%)
ALERTS: 0
UDP: 0
(0.000%)
LOGGED: 4
ICMP: 0
(0.000%)
PASSED: 0
ARP: 0
(0.000%)
EAPOL: 0
(0.000%)
IPv6: 0
(0.000%)
IPX: 0
(0.000%)
OTHER: 0
(0.000%)
DISCARD: 0
(0.000%)
================================================================
Wireless Stats:
Breakdown by type:
Management Packets: 0
(0.000%)
Control Packets:
0
(0.000%)
Data Packets:
0
(0.000%)
================================================================
Fragmentation Stats:
Fragmented IP Packets: 0
(0.000%)
Fragment Trackers: 0
Rebuilt IP Packets: 0
Frag elements used: 0
Discarded(incomplete): 0
Discarded(timeout): 0
Frag2 memory faults: 0
….
Snort Configuration File
Variables
• var HOME_NET
• var EXTERNAL_NET
• var FOO_SERVERS
Configuration
•
•
•
•
config
config
config
config
interface: eth0
set_uid: snort
dump_payload
daemon
Preprocessor
• preprocessor frag2
• preprocessor stream4
• preprocessor portscan2
Each bullet is a line in the config
file. Variables are used in the files
with the snort rules.
Output SQL Database
• output database: log, mysql, user=snort
password=foobar dbname=snort host=localhost
Snort Preprocessors
• Frag2 Preprocessor
– snort.conf: “preprocessor frag2”
– packet fragmentation can lead to the IDS missing packets or getting
different ones than the host gets. This cleans fragmented packets.
• The stream4 Preprocessor
– snort can keep track of tcp sessions. “stateful”
– detection of “stealth” scans from software like nmap.
• Portscan and portscan2 Preprocessors
– detection of single host access to many ports.
Snort Rules
snort.conf :
. . .
include $RULE_PATH/local.rules
local.rules :
activate tcp any any -> any 23 (activates: 23;
msg:”Potential Telnet Login Credentials Logged”;)
dynamic tcp any any -> any 23 (activated_by: 23;
count:20;)
Rules to log all tcp, udp and icmp traffic.
log tcp any any -> any any (msg: “tcp traffic”;)
log udp any any -> any any (msg: “udp traffic”;)
log icmp any any -> any any (msg: “icmp traffic”;)
web-iis.rules :
Snort Rules
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
\
(msg:"WEB-IIS cmd.exe access"; flow:to_server,established;
\
content:"cmd.exe"; nocase; classtype:web-application-attack; \
sid:1002; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-IIS CodeRed v2 root.exe access";
flow:to_server,established; uricontent:"/root.exe";
nocase; classtype:web-application-attack;
reference:url,www.cert.org/advisories/CA-2001-19.html;
sid:1256; rev:7;)
\
\
\
\
\
# action = pass, log, alert, dynamic, activate
# protocol = icmp, tcp, ip, udp
action protocol source -> destination ( optional_rule_body )
Snort Rules
• Default rules for known bad packets.
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
attack-responses.rules
backdoor.rules
bad-traffic.rules
chat.rules
ddos.rules
deleted.rules
DMZ.rules
dns.rules
dos.rules
experimental.rules
exploit.rules
finger.rules
ftp.rules
icmp-info.rules
icmp.rules
imap.rules
info.rules
local.rules
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
misc.rules
multimedia.rules
mysql.rules
netbios.rules
nntp.rules
oracle.rules
other-ids.rules
p2p.rules
policy.rules
pop2.rules
pop3.rules
porn.rules
rpc.rules
rservices.rules
scan.rules
shellcode.rules
smtp.rules
snmp.rules
•
•
•
•
•
•
•
•
•
•
•
•
•
sql.rules
telnet.rules
tftp.rules
virus.rules
web-attacks.rules
web-cgi.rules
web-client.rules
web-coldfusion.rules
web-frontpage.rules
web-iis.rules
web-misc.rules
web-php.rules
x11.rules
ACID to manage Alerts
• Sort and display alerts based on ip, port,
date, unique alerts.
• Search alerts
• Display layer 3 and 4 packet data
• Graphs and statistics for alert frequency.
• Alert grouping, archiving, managing
Connecting mysql with stunnel
• Generate foo.pem for tunnel.
openssl req -new -out stunnel.pem -keyout \
stunnel.pem -nodes -x509 -days 365
• stunnel 4 with config ( stunnel.conf)
Cert = /foobar/stunnel.pem
[mysqls]
accept = 3307
connect = 3306
• stunnel 3.22 from shell prompt.
#!/bin/sh
/usr/local/sbin/stunnel -c -d 3306 -r 10.1.5.1:3307
Snort IDS: PROs and CONs
PROs
• Powerful, specific rules
to match packets.
• No backdoors
• Weakness quickly found &
published.
• Rules actively published for
detection of new worms etc.
• Open Source software
developers know code will
be checked. Fewer hacks.
CONs
• Snort/ACID is only
part of a secure
network.
• Does not record the
success or failure of a
detected intrusion
• Does nothing to stop an
intrusion in progress.
• False sense of security.
Installing snort on RedHat 9
IDS component overview
• Open Source Network
Intrusion Detection
System (Snort)
– snort-2.0.0rc4.tar.gz
– mysql-4.0.12.tar.gz
• Analysis Console for
Intrusion Databases
(ACID)
– apache_1.3.27.tar.gz
– php-4.3.1.tar.gz
– acid-0.9.6b23.tar.gz
Apache & php Setup
• ./configure --prefix=/home/apache/apache_prefix/ -activate-module=src/modules/php4/libphp4.a
• make && make install
• ./configure --prefix=/home/apache/php_prefix --withmysql --enable-bcmath --with-gd --enable-sockets --withzlib-dir=/home/apache/php-4.3.1/zlib-1.1.4/ --withapache=../apache_1.3.27
• Php needs graphics libs:
– zlib-1.1.4, libpng-1.2.5, gd-1.8.4, phplot-4.4.6
Snort System Setup
• mysql-4.0.12
• ./configure --prefix=/home/snort/snort_prefix
--enable-smbalerts --with-mysql
• Make && make check && make install;
• Webmin
– snort-1.0.wbm
Create snort database & tables
• CREATE DATABASE snort;" | mysql -u
root –p
• grant INSERT,SELECT on snort.* to
snortusr@localhost;
• mysql -D snort -u root -p <
./contrib/create_mysql
Snort Config Setup
• output database: log, mysql, user=snortusr
password=foobar dbname=snort
host=localhost
• Modify alert rules to personal taste
ACID Setup
• adodb331.zip in www_root
• tar zxfp acid-0.9.6b23.tar.gz
– mv acid /var/www/html
• edit acid/acid_conf.php
– $DBlib_path = "/var/www/html/adodb";
– $aler_dbname = "snort“
• http://acid.foobar.com/acid/acid_main.php