An Introduction to Snort
Richard Bejtlich
TaoSecurity
Houston ISSA Meeting 11 Apr 02

Outline

- Introduction to Intrusion Detection
- What is Snort?
- Installing Snort
- Snort Rules
- Snort in Action
- Third-Party Enhancements
- Conclusion

About Me

- Bejtlich = "bate-lik"
- Senior engineer for managed network security operations, BATC (2001-)
- Former captain at US Air Force Computer Emergency Response Team (1998-2001)
- Student of intrusion detection, incident response, and digital forensics
- www.taosecurity.com

Introduction to Intrusion Detection

- Network defense or "protection" model
  - Planning
  - Prevention
  - Detection
  - Response
- Intrusion detection is the process of discovering, analyzing, and reporting unauthorized or damaging network or computer activities

Introduction to Intrusion Detection

- All network and computer activities fall into one of three categories:
  - Normal
  - Abnormal but not malicious
  - Malicious
- Intrusion detection operates in two arenas:
  - What a computer says: network traffic
  - What a computer thinks: computer processes

Introduction to Intrusion Detection

- Network traffic is monitored by network-based intrusion detection systems (NIDS)
- Computer processes are monitored by host-based intrusion detection systems (HIDS)
- So-called "hybrid" systems examine network traffic to or from a host, as well as processes on that host
- NIDS are easier to deploy and manage, but HIDS may give greater visibility into events

What is Snort?

- Snort is a fast, flexible, small-footprint, open-source NIDS developed by the security community and a "benevolent dictator"
- Lead coder: Marty Roesch, now founder of Sourcefire (www.sourcefire.com)
- Initially developed in late 1998 as a sniffer with consistent output, unlike the protocol-dependent output of TCPDump
- Licensed under the GPL, but version 2.0 may change to a different license

Installing Snort

- As of 16 Mar 02, version 1.8.4 is available at www.snort.org/dl/ in these forms:
  - UNIX source
  - Solaris, FreeBSD, Windows binary packages
  - Red Hat .rpm
- Requires installation of libpcap first!
  - UNIX: www.tcpdump.org/release/libpcap-0.7.1.tar.gz or the newest available source
  - Windows: netgroup-serv.polito.it/winpcap/install/ offers winpcap 2.2 and 2.3 beta (XP requires 2.3)

Installing Snort

- On Red Hat Linux 7.2, as root:
  - Download and install libpcap
  - Download and install these three .rpm:
    - libnet-1.0.2a-1snort.i386.rpm
    - snort-1.8.4-1snort.i386.rpm
    - snort-postgresql+flexresp-1.8.4-1snort.i386.rpm
  - Create the /var/log/snort directory
- Files installed:
  - /etc/snort contains conf and rule files
  - /var/log/snort will contain logs
  - /usr/sbin/snort is the snort binary

Installing Snort

- For a quick test, execute this command within the /etc/snort directory:

    snort -A console

- From a separate machine, use nmap to generate events for Snort to detect:

    nmap -sP <snort_machine_IP_address>

- You should see an alert like this:

    03/27-15:18:06.911226 [**] [1:469:1] ICMP PING NMAP [**]
    [Classification: Attempted Information Leak] [Priority: 2]
    {ICMP} 192.168.1.20 -> 192.168.1.237

Installing Snort

- On Windows 2000, as administrator:
  - Download and install winpcap
  - Download and execute Snort184Win32.exe, and select "typical" installation
  - mkdir "c:\Program Files\Sourcefire\Snort\log"
- Files installed in c:\Program Files\Sourcefire\Snort:
  - snort.conf
  - \rules directory contains rules
  - snort.exe executable

Installing Snort

- To test, execute this command within the c:\Program Files\Sourcefire\Snort directory:

    snort -A console

  You may need to specify an interface with '-i 2'
- From a separate machine, use nmap to generate events for Snort to detect:

    nmap -sP <snort_machine_IP_address>

- You should see an alert like this:

    03/27-15:18:06.911226 [**] [1:469:1] ICMP PING NMAP [**]
    [Classification: Attempted Information Leak] [Priority: 2]
    {ICMP} 192.168.1.20 -> 192.168.1.237

Installing Snort

- While not an element of Snort, Ethereal is the best open source GUI-based packet viewer
- www.ethereal.com offers:
  - Windows: www.ethereal.com/distribution/win32/ethereal-setup-0.9.2.exe
  - UNIX: www.ethereal.com/download.html
  - Red Hat Linux RPMs: ftp.ethereal.com/pub/ethereal/rpms/

Installing Snort

- Also not an element of Snort, tcpdump is a well-established CLI packet capture tool
  - www.tcpdump.org offers UNIX source
  - netgroup-serv.polito.it/windump/install/ offers windump, a Windows port of tcpdump
    - windump is helpful because it will help you see the different interfaces available on your sensor
    - Next slide shows two available interfaces; note only the second is capable of sniffing

    snort -A console -i 2

Snort Rules

- Snort rules are extremely flexible and are easy to modify, unlike many commercial NIDS
- Sample rule to detect the SubSeven trojan:

    alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;)

- Elements before the parentheses comprise the 'rule header'
- Elements in the parentheses are the 'rule options'

Snort Rules

    alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;)

Rule header, field by field:

- alert -- action to take; also log, pass, activate, dynamic
- tcp -- protocol; also udp, icmp, ip
- $EXTERNAL_NET -- source address; this is a variable, but a specific IP is OK
- 27374 -- source port; also any, negation (!21), range (1:1024)
- -> -- direction; best not to change this, although <> is allowed
- $HOME_NET -- destination address; this is also a variable here
- any -- destination port

Snort Rules

    alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;)

Rule options, one by one:

- msg:"BACKDOOR subseven 22"; -- message to appear in logs
- flags: A+; -- tcp flags; many options, like SA, SA+, !R, SF*
- content: "|0d0...0a|"; -- binary data to check for in the packet; content without | (pipe) characters does a simple text match
- reference:...; -- where to go to look for background on this rule
- sid:103; -- rule identifier
- classtype: misc-activity; -- rule type; many others
- rev:4; -- rule revision number
- Other rule options are possible, like offset, depth, nocase

Snort Rules

- bad-traffic.rules
- finger.rules
- smtp.rules
- dos.rules
- tftp.rules
- web-frontpage.rules
- web-attacks.rules
- icmp.rules
- backdoor.rules
- porn.rules
- virus.rules
- exploit.rules
- ftp.rules
- rpc.rules
- ddos.rules
- web-cgi.rules
- web-iis.rules
- sql.rules
- netbios.rules
- shellcode.rules
- info.rules
- local.rules
- scan.rules
- telnet.rules
- rservices.rules
- dns.rules
- web-coldfusion.rules
- web-misc.rules
- x11.rules
- misc.rules
- policy.rules
- icmp-info.rules
- attack-responses.rules

Snort Rules

- Rules which actually caught intrusions:

    alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_cmdshell - program execution"; content: "x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; flags:A+; classtype:attempted-user; sid:687; rev:3;)

  caught compromise of Microsoft SQL Server

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:2;)

  caught Code Red infection

    alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP \"MKD / \" possible warez site"; flags: A+; content:"MKD / "; nocase; depth: 6; classtype:misc-activity; sid:554; rev:3;)

  caught anonymous ftp server

Snort Rules

- More rules that caught intrusions:

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS multiple decode attempt"; flags:A+; uricontent:"%5c"; uricontent:".."; reference:cve,CAN-2001-0333; classtype:web-application-attack; sid:970; rev:2;)

  caught NIMDA infection

    alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET Bad Login"; content: "Login incorrect"; nocase; flags:A+; classtype:bad-unknown; sid:1251; rev:2;)

  caught telnet username brute-force

- Consider how a rule with "Login incorrect" might trigger on many non-malicious events

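The Python parser below is an added example, not code from this talk or from the Snort project. It reads a rule the way the two header/option breakdown slides do: it splits the seven-field header from the option list, decodes content between | pipes | into bytes, and applies content, nocase, depth and offset to a payload. It serves both the rule-anatomy slides and the caught-intrusion rules above; the three rules are quoted from the slides, the payloads are constructed. The flags option and the address/port fields are parsed but not evaluated, because those need packet headers rather than the payload.

```python
"""Parse Snort rules and run their content checks against a payload.

Added example; not from the talk or from Snort. It covers only the syntax on
these slides (seven-field header; msg, content, uricontent, nocase, depth,
offset, flags, sid, rev, classtype). Snort itself does far more, so treat
this as an aid to reading rules, not as the engine.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    action: str      # alert, log, pass, activate, dynamic
    proto: str       # tcp, udp, icmp, ip
    src: str         # source address or a variable such as $EXTERNAL_NET
    sport: str       # source port: number, any, !21, 1:1024
    direction: str   # -> or <>
    dst: str
    dport: str
    options: list = field(default_factory=list)   # (name, value) pairs in rule order

    def opt(self, name, default=None):
        for key, value in self.options:
            if key == name:
                return value
        return default


def split_options(body):
    """Split the text inside the parentheses on ';', honouring quotes and \\" escapes."""
    opts, cur, quoted, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if quoted and ch == "\\" and i + 1 < len(body):
            cur.append(body[i + 1])          # keep the escaped character, drop the backslash
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            opts.append("".join(cur).strip())
            cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    tail = "".join(cur).strip()
    return opts + [tail] if tail else opts


def parse_rule(text):
    """Split a one-line rule into header fields and an ordered option list."""
    header, _, body = text.strip().partition("(")
    fields = header.split()
    if len(fields) != 7:
        raise ValueError("rule header must have 7 fields, got %r" % header)
    options = []
    for opt in split_options(body.rstrip().rstrip(")")):
        name, sep, value = opt.partition(":")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        options.append((name.strip(), value if sep else None))   # bare modifiers (nocase) -> None
    return Rule(*fields, options=options)


def decode_content(text):
    """Content string to bytes: text between | pipes | is hex, the rest is literal."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def payload_matches(rule, payload):
    """Check each content/uricontent option, with the nocase/depth/offset modifiers
    that follow it, against the payload. A rule with no content options passes."""
    opts, i = rule.options, 0
    while i < len(opts):
        name, value = opts[i]
        i += 1
        if name not in ("content", "uricontent"):
            continue
        needle, nocase, depth, offset = decode_content(value), False, None, 0
        while i < len(opts) and opts[i][0] in ("nocase", "depth", "offset"):
            mod, arg = opts[i]
            nocase = nocase or mod == "nocase"
            depth = int(arg) if mod == "depth" else depth
            offset = int(arg) if mod == "offset" else offset
            i += 1
        # depth bounds the search window from offset, so the pattern must fit inside it
        window = payload[offset:] if depth is None else payload[offset:offset + depth]
        if nocase:
            window, needle = window.lower(), needle.lower()
        if needle not in window:
            return False
    return True


# Rules quoted from the slides; the payloads passed to them are constructed.
SUBSEVEN = ('alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; '
            'flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; '
            'reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;)')
FTP_MKD = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP \\"MKD / \\" possible '
           'warez site"; flags: A+; content:"MKD / "; nocase; depth: 6; classtype:misc-activity; '
           'sid:554; rev:3;)')
TELNET = ('alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET Bad Login"; '
          'content: "Login incorrect"; nocase; flags:A+; classtype:bad-unknown; sid:1251; rev:2;)')

if __name__ == "__main__":
    for text, payload in [(SUBSEVEN, b"\r\n[RPL]002\r\n"), (FTP_MKD, b"mkd / incoming\r\n"),
                          (FTP_MKD, b"   MKD / incoming\r\n"), (TELNET, b"\r\nLogin incorrect\r\nlogin: ")]:
        rule = parse_rule(text)
        print(rule.opt("sid"), rule.opt("msg"), payload_matches(rule, payload))
```

The SubSeven content decodes to the bytes \r\n[RPL]002\r\n. With depth: 6 the FTP rule matches only when "MKD / " opens the payload, so an MKD buried later in a command stream is ignored. The telnet rule fires on any "Login incorrect" string, which is why one user mistyping a password produces the same alert as a brute-force run, the point of the last bullet above.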
Snort in Action

- Three operational modes:
  - Sniffer: snort -dvae will display payloads, be verbose, display ARP traffic, and display link-layer data
  - Packet logger: snort -b -l /var/log/snort will log binary data to the /var/log/snort directory
  - NIDS: snort -b -l /var/log/snort -A full -c /etc/snort/snort.conf will log binary data in the /var/log/snort directory, with full alerts in /var/log/snort/alert, reading the configuration file in /etc/snort

Snort in Action

- Three ways to tell Snort how to act:
  - snort.conf configures variables, preprocessors, output plugins, and active rule sets
  - .rules files define the actual signatures
  - Command line options start snort and will override options in the snort.conf file
- Snort will run with the default snort.conf, but you will have less 'chaff' to sort through if you spend time configuring snort.conf properly

Snort in Action

- Snort as NIDS (third mode) captures recon
- Contents of /var/log/snort/alert:

    [**] [1:469:1] ICMP PING NMAP [**]
    [Classification: Attempted Information Leak] [Priority: 2]
    03/28-09:48:40.739935 192.168.1.2 -> 192.168.1.3
    ICMP TTL:46 TOS:0x0 ID:61443 IpLen:20 DgmLen:28
    Type:8 Code:0 ID:10629 Seq:0 ECHO
    [Xref => http://www.whitehats.com/info/IDS162]

    [**] [1:469:1] spp_portscan: PORTSCAN DETECTED from 192.168.1.2 (THRESHOLD 4 connections exceeded in 0 seconds) [**]
    03/28-09:48:41.052635

    [**] [100:2:1] spp_portscan: portscan status from 192.168.1.2: 183 connections across 1 hosts: TCP(183), UDP(0) [**]
    03/28-09:48:45.007501

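An added example (not from the talk or from Snort) that parses the two alert layouts seen on these slides, the multi-line records that -A full writes to /var/log/snort/alert and the one-line -A console format from the install test, into one dict per event and counts events per source. The sample text is constructed to mirror the slide's records. The spp_portscan records carry no address line, so the parser pulls the scanner's address out of the message.

```python
"""Parse Snort -A full and -A console alert output into structured events.

Added example; not code from the talk or from Snort. The sample text below
is constructed to mirror the records shown on the slide.
"""
import re
from collections import Counter

ALERT_FILE = """\
[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/28-09:48:40.739935 192.168.1.2 -> 192.168.1.3
ICMP TTL:46 TOS:0x0 ID:61443 IpLen:20 DgmLen:28
Type:8  Code:0  ID:10629   Seq:0  ECHO
[Xref => http://www.whitehats.com/info/IDS162]

[**] [1:469:1] spp_portscan: PORTSCAN DETECTED from 192.168.1.2 (THRESHOLD 4 connections exceeded in 0 seconds) [**]
03/28-09:48:41.052635

[**] [100:2:1] spp_portscan: portscan status from 192.168.1.2: 183 connections across 1 hosts: TCP(183), UDP(0) [**]
03/28-09:48:45.007501
"""

CONSOLE_LINE = ("03/27-15:18:06.911226 [**] [1:469:1] ICMP PING NMAP [**] "
                "[Classification: Attempted Information Leak] [Priority: 2] "
                "{ICMP} 192.168.1.20 -> 192.168.1.237")

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*) \[\*\*\]$")
CLASS = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]$")
STAMP = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)(?: (\S+) -> (\S+))?$")
PROTO = re.compile(r"^([A-Z]+) TTL:\d+ ")
XREF = re.compile(r"^\[Xref => (.*)\]$")
IPV4 = re.compile(r"from (\d+\.\d+\.\d+\.\d+)")
CONSOLE = re.compile(
    r"^(\S+) \[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]"
    r"(?: \[Classification: (.*?)\])?(?: \[Priority: (\d+)\])? \{(\w+)\} (\S+) -> (\S+)$")


def _event(gid, sid, rev, msg):
    return {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
            "classification": None, "priority": None, "timestamp": None,
            "src": None, "dst": None, "proto": None, "xref": []}


def parse_full_alerts(text):
    """One dict per blank-line-separated record of -A full output; other blocks are skipped."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER.match(lines[0])
        if not head:
            continue
        ev = _event(*head.groups())
        for line in lines[1:]:
            c, s, p, x = CLASS.match(line), STAMP.match(line), PROTO.match(line), XREF.match(line)
            if c:
                ev["classification"], ev["priority"] = c.group(1), int(c.group(2))
            elif s:
                ev["timestamp"], ev["src"], ev["dst"] = s.groups()
            elif p:
                ev["proto"] = p.group(1)
            elif x:
                ev["xref"].append(x.group(1))
        # preprocessor records (spp_portscan) name the scanner only inside the message
        if ev["src"] is None:
            found = IPV4.search(ev["msg"])
            ev["src"] = found.group(1) if found else None
        events.append(ev)
    return events


def parse_console_line(line):
    """Parse one line of -A console output into the same dict shape, or None."""
    m = CONSOLE.match(line)
    if not m:
        return None
    ts, gid, sid, rev, msg, cls, prio, proto, src, dst = m.groups()
    ev = _event(gid, sid, rev, msg)
    ev.update(timestamp=ts, classification=cls, priority=int(prio) if prio else None,
              proto=proto, src=src, dst=dst)
    return ev


def top_sources(events):
    """Events per source address, the first pivot an analyst reaches for."""
    return Counter(ev["src"] for ev in events if ev["src"])


if __name__ == "__main__":
    events = parse_full_alerts(ALERT_FILE)
    for ev in events:
        print(ev["timestamp"], ev["gid"], ev["sid"], ev["src"], ev["msg"][:40])
    print(top_sources(events))
    print(parse_console_line(CONSOLE_LINE)["dst"])
```

Both parsers leave the generator id, signature id and revision as separate integers, so the [1:469:1] ping alert and the [100:2:1] portscan status record can be told apart and the sid looked up in the rule file that raised it.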
Snort in Action

- Partial contents of /var/log/snort/portscan.log:

    Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:106 SYN ******S*
    Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:193 SYN ******S*
    Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:138 SYN ******S*
    Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:128 SYN ******S*
    Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:156 SYN ******S*
    Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:35 SYN ******S*
    Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:48 SYN ******S*
    Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:16 SYN ******S*
    Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:173 SYN ******S*
    Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:72 SYN ******S*
    Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:65 SYN ******S*
    Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:36 SYN ******S*
    Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:149 SYN ******S*
    Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:17 SYN ******S*
    Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:218 SYN ******S*

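An added example, not from the talk or from Snort, that parses portscan.log lines in the format above and re-creates the threshold check behind the PORTSCAN DETECTED alert on the previous slide: one alert per source once it touches a set number of distinct destination ports within a time window. The log lines are constructed (the slide's scan plus two other hosts), the year is assumed because the log carries none, and the 3-second default window is my assumption rather than a value from the slides.

```python
"""Re-create the spp_portscan threshold test over portscan.log lines.

Added example; not code from the talk or from Snort. The log lines are
constructed to mirror the slide's format. The 3-second window is an
assumption; the threshold of 4 is the value the slide's alert reports.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: the scan from the slide, a host making ordinary web and
# mail connections, and a host that spaces its probes ten seconds apart.
PORTSCAN_LOG = """\
Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:106 SYN ******S*
Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:193 SYN ******S*
Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:138 SYN ******S*
Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:128 SYN ******S*
Mar 28 09:48:41 192.168.1.2:45061 -> 192.168.1.3:156 SYN ******S*
Mar 28 09:48:50 192.168.1.50:1031 -> 192.168.1.3:80 SYN ******S*
Mar 28 09:49:20 192.168.1.50:1032 -> 192.168.1.3:25 SYN ******S*
Mar 28 09:49:30 192.168.1.9:2000 -> 192.168.1.3:21 SYN ******S*
Mar 28 09:49:40 192.168.1.9:2001 -> 192.168.1.3:22 SYN ******S*
Mar 28 09:49:50 192.168.1.9:2002 -> 192.168.1.3:23 SYN ******S*
Mar 28 09:50:00 192.168.1.9:2003 -> 192.168.1.3:25 SYN ******S*
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+):(\d+) -> (\S+):(\d+) (\S+) (\S+)$")


def parse_portscan_log(text, year=2002):
    """portscan.log has no year field; the caller supplies one so timestamps compare."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        stamp, src, sport, dst, dport, scan_type, flags = m.groups()
        records.append({
            "time": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
            "scan_type": scan_type, "flags": flags})
    return records


def detect_portscans(records, threshold=4, window_seconds=3):
    """Sliding-window count of distinct (dst, dport) per source; one alert per source."""
    recent = defaultdict(deque)      # src -> deque of (time, (dst, dport)) inside the window
    alerted, alerts = set(), []
    for rec in sorted(records, key=lambda r: r["time"]):
        dq = recent[rec["src"]]
        dq.append((rec["time"], (rec["dst"], rec["dport"])))
        while (rec["time"] - dq[0][0]).total_seconds() > window_seconds:
            dq.popleft()             # drop connections older than the window
        distinct = {target for _, target in dq}
        if len(distinct) >= threshold and rec["src"] not in alerted:
            alerted.add(rec["src"])
            elapsed = int((rec["time"] - dq[0][0]).total_seconds())
            alerts.append({
                "src": rec["src"], "count": len(distinct), "elapsed": elapsed,
                "msg": f"spp_portscan: PORTSCAN DETECTED from {rec['src']} "
                       f"(THRESHOLD {threshold} connections exceeded in {elapsed} seconds)"})
    return alerts


def ports_per_source(records):
    """Distinct destination ports touched by each source over the whole log."""
    seen = defaultdict(set)
    for rec in records:
        seen[rec["src"]].add(rec["dport"])
    return {src: len(ports) for src, ports in seen.items()}


if __name__ == "__main__":
    recs = parse_portscan_log(PORTSCAN_LOG)
    for alert in detect_portscans(recs):
        print(alert["msg"])
    print(ports_per_source(recs))
```

With the default parameters only 192.168.1.2 is reported, at 0 seconds as on the slide. The host probing one port every ten seconds stays under the threshold until the window is widened to 60 seconds, which is why the preprocessor's window and port count deserve tuning against the traffic a sensor actually sees instead of being left at defaults.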
Snort in Action

- /var/log/snort/snort-0328@0948.log is in binary format; read it with Ethereal or tcpdump
- Sample tcpdump output of this log file:

    09:48:40.739935 192.168.1.2 > 192.168.1.3: icmp: echo request
    09:48:40.743705 192.168.1.2 > 192.168.1.3: icmp: echo request

- As configured, Snort will only log the packets which triggered an alert
- Packets triggering portscans are not logged by default

Third-Party Enhancements

- SnortSnarf
  - www.silicondefense.com/software/snortsnarf/
  - SnortSnarf is a Perl program to take files of alerts from Snort to produce HTML reports
  - Output intended for diagnostic inspection
  - Silicon Defense also supplies sensors with commercial support

Description and screenshot taken from the SnortSnarf web site

Third-Party Enhancements

- Analysis Console for Intrusion Databases (ACID)
  - acidlab.sourceforge.net/
  - PHP-based analysis engine to search and process a database of security events generated by various IDSes, firewalls, and network monitoring tools
  - Query-builder and search interface, packet viewer (decoder), alert management, chart and statistics generation

Description and screenshots taken from the ACID web site

Third-Party Enhancements

- Demarc
  - www.demarc.com
  - NIDS management console, integrating Snort with the convenience and power of a centralized interface for all network sensors
  - Monitor all servers / hosts to make sure network services such as mail or web servers remain accessible at all times
  - Monitor system logs for anomalous log entries that may indicate intruders or system malfunctions

Description and screenshots taken from the Demarc web site

Conclusion

- Snort is a powerful tool, but maximizing its usefulness requires a trained operator
- Becoming proficient with network intrusion detection takes 12 months; "expert" 24-36?
- Snort is considered a superior NIDS when compared to most commercial systems
- Managed network security providers should collect enough information to make decisions without calling clients to ask what happened