EC Council CHFI Certification: Course CF220


Penetration Testing: Security Analysis and Advanced Tools
Snort
Introduction to Snort Analysis
• Snort
– Widely used, open-source, network-based
intrusion detection system capable of performing
real-time traffic analysis and packet logging on IP
networks
– Performs protocol analysis and content matching
to detect a variety of attacks and probes such as:
buffer overflows, stealth port scans, CGI attacks,
SMB probes, OS fingerprinting attempts, and more
Modes of Operation
• Snort can be configured to run in the following
modes:
– Packet Sniffer
– Packet Logger
– Network Intrusion Detection System
– Inline
Features of Snort
• Features of Snort:
– Protocol analysis
– Content searching/matching
– Real-time alerting capability
– Can read a Tcpdump trace and run it against a rule set
– Flexible rules language
• Snort can be configured to watch a network for a
particular type of attack profile
– It can alert the incident response team as soon as the
attack takes place
Configuring Snort
• Snort is configured using the text file snort.conf
– include keyword allows other rules files to be included
within the rules file
• Variables
– Used to define parameters for detection, specifically those
of the local network or specific servers or ports for
inclusion or exclusion in the rules
• Snort Preprocessors
– Offer additional detection capabilities
– Port scan: flags a source that attempts TCP connections to more
than P ports in T seconds, or that sends UDP packets to more than
P ports in T seconds
Configuring Snort (cont’d.)
These are the different directives that can be used with the config command
Configuring Snort (cont’d.)
• Output Plug-ins
– Allow Snort to be much more flexible in the
formatting and presentation of output to its users
– Snort has nine output plug-ins:
• alert_syslog
• alert_fast
• alert_full
• alert_unixsock
• log_tcpdump
• database
• csv
• unified
• log_null
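As an added example (not from the course slides or the Snort project), the fragment below shows how the pieces described above fit together in a Snort 2.x-era snort.conf: variables, the include keyword, the stream4 and portscan preprocessors, and two output plug-ins. The network ranges, file paths, and the "5 ports in 7 seconds" scan threshold are constructed placeholders to be replaced with site values.

```snort
# snort.conf fragment (added example; addresses, paths and thresholds are constructed)

# Variables: define the local network and servers once, then reuse them in rules
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var HTTP_SERVERS 192.168.1.10
var HTTP_PORTS 80
var RULE_PATH /etc/snort/rules

# config directive: where alerts and packet logs are written
config logdir: /var/log/snort

# Preprocessors
# stream4: TCP stream reassembly and stateful tracking (8,192 sessions by default)
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble: both, ports default
# portscan: <monitored network> <P ports> <T seconds> <log file>
# -> alert when one source touches more than 5 ports within 7 seconds
preprocessor portscan: $HOME_NET 5 7 /var/log/snort/portscan.log

# Output plug-ins: short alerts to syslog, full packets in tcpdump format
output alert_syslog: LOG_AUTH LOG_ALERT
output log_tcpdump: snort.log

# include: pull the rules files in; $RULE_PATH expands to the variable above
include $RULE_PATH/local.rules
```

Snort checks a configuration without starting detection with `snort -c /etc/snort/snort.conf -T`, which is the quickest way to confirm that every variable referenced by a rules file has been defined.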
How Snort Works
• Initializing Snort
– Starting Up
– Parsing the Configuration File
• Decoding
– Execution begins at the ProcessPacket() function when
a new packet is received
• Preprocessing
– ProcessPacket() function tests to see the mode in
which Snort is running
• Detection
– Detection phase begins in the Detect() function
Content Matching
• Snort uses a series of string matching and parsing
functions
– Contained in the src/mstring.c and src/mstring.h files
in the Snort source tree
• Detection engine slightly changes the way Snort
works by having the first phase be a setwise
pattern match
• Some detection options, such as pcre and byte_test,
perform detection in the payload section of the packet
rather than using the setwise pattern-matching engine
The Stream4 Preprocessor
• stream4 module
– Provides TCP stream reassembly and stateful analysis
capabilities to Snort
– Gives large-scale users the ability to track many
simultaneous TCP streams
– Set to handle 8,192 simultaneous TCP connections in
its default configuration
• Stream4 contains two configurable modules:
– Global Stream4 preprocessor
– Stream4 reassemble preprocessor
Inline Functionality
• Implemented utilizing the iptables or ipfw firewall
option to provide the functionality for a new set
of rule types: drop, reject, and sdrop
• Inline Initialization
– inline_flag variable is used to toggle the use of inline
functionality in Snort
• Inline Detection
– To receive packets from ipqueue or ipfw, calls to the
IpqLoop() and IpfwLoop() functions are added to the
SnortMain() function
Writing Snort Rules
• Snort uses a simple, lightweight rules description
language that is both flexible and powerful
• The Rule Header (fields)
– Rule action
– Protocol
– IP address
– Port information
– Directional operator
• Rule Options
– Specify exactly what to match and what to display
after a successful match
Writing Snort Rules (cont’d.)
These are all available Snort rule options.
Writing Snort Rules (cont’d.)
• Writing Good Snort Rules
– Develop effective content-matching strings
– Catch the vulnerability, not the exploit
– Catch the oddities of the protocol in the rule
– Optimize the rules
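To put the header fields, the option section, and the "catch the vulnerability, not the exploit" guideline together, here is an added example rules file; it is not from the course or the official Snort ruleset. The $HTTP_SERVERS, $HTTP_PORTS, $EXTERNAL_NET and $HOME_NET variables are assumed to be defined in snort.conf, the 256-byte header limit and the DNS answer-count threshold of 100 are constructed values, and the sid numbers come from the 1000000+ range reserved for local rules.

```snort
# local.rules (added example; thresholds, variables and sids are assumptions)
#
# Header:  action  protocol  src IP  src port  direction  dst IP  dst port
# Options in parentheses say what to match and what to report on a hit.

# Catches any request whose Host: header runs for 256 bytes without a CRLF.
# That is the condition an oversized-header bug needs, whichever exploit
# string is used, so the rule targets the weakness rather than one payload.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL HTTP Host header longer than 256 bytes"; flow:to_server,established; content:"Host|3A|"; nocase; isdataat:256,relative; content:!"|0D 0A|"; within:256; classtype:attempted-admin; sid:1000001; rev:1;)

# Same match as an inline rule: with the inline build behind iptables/ipfw
# queueing, the drop action discards the packet instead of only alerting.
drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL HTTP Host header longer than 256 bytes (dropped)"; flow:to_server,established; content:"Host|3A|"; nocase; isdataat:256,relative; content:!"|0D 0A|"; within:256; classtype:attempted-admin; sid:1000002; rev:1;)

# Protocol oddity, checked with byte_test instead of a content string:
# bytes 6-7 of a DNS header are ANCOUNT; a reply claiming more than 100
# answers (constructed threshold) is worth a look on a resolver network.
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"LOCAL DNS reply with unusually high answer count"; byte_test:2,>,100,6; classtype:bad-unknown; sid:1000003; rev:1;)
```

Each option pair is terminated by a semicolon, the content keyword is what the setwise matcher uses to pre-filter packets, and the relative modifiers (isdataat, within) anchor the later checks to the position of the first content match; the byte_test rule has no content string, so it is evaluated directly against the payload as the slides describe.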
Snort Tools
• IDS Policy Manager
– Written to manage Snort IDS sensors in a distributed
environment
• Snort Rules Subscription
– Sourcefire, the company behind Snort, uses a
registration and subscription model for distribution of
new rules
• Honeynet Security Console
– Analysis tool to view events on a personal network or
honeynet
Snort Tools (cont’d.)
IDS Policy Manager configures Snort with a graphical user interface.
Snort Tools (cont’d.)
Honeynet Security Console displays and analyzes events from
several IDS programs.
Summary
• Snort is a powerful intrusion detection system (IDS)
and traffic analyzer
• A Snort configuration file has four major components:
– Variables
– Preprocessors
– Output plug-ins
– Rules
• A Snort rule contains a rule header and rule options
• Users can write their own Snort rules either manually
or with the assistance of tools
Summary (cont’d.)
• A three-homed firewall DMZ handles the traffic
between the internal network and firewall, as
well as the traffic between the firewall and DMZ
• A site survey can be conducted to determine the
proper number of access points needed based on
the expected number of users and the specific
environment for a WLAN
• Authentication may not be desired if a network is
publicly accessible
• An access point is a layer-2 device that serves as
an interface between the wireless network and
the wired network