Linux World Expo

Harnessing the Power of Snort
Brian Caswell, Principal Research Engineer, Sourcefire Vulnerability Research Team

Background

- What is Snort?
  - Open source packet analysis tool
  - The most widely deployed Network Intrusion Detection System (NIDS)
  - The de facto standard in intrusion detection and prevention
- Who is Brian Caswell?
  - Sourcefire Vulnerability Research Team, Principal Research Engineer: keeping Snort users ahead of the threat
  - Snort rules maintainer
  - Author, Snort 2.1 Intrusion Detection: Second Edition

Snort History

- Initial release by Marty Roesch in 1998
- Original goals of Snort:
  - Traffic analysis tool for a home network
  - Debugger for service simulators Marty was developing for a honeypot system
  - Learning tool for libpcap
- Initial open source release in December 1998
  - Just a sniffer, no rule language
- Rules implemented early 1999
- 1.0 release, June 1999
  - Basic rules language, stateless

Snort History [cont.]

- Snort 1.5 released December 1999
- System was rearchitected to be modular and extensible
  - Same basic architecture still used today!
- Snort implemented as a packet analysis pipeline:

    Data Acquisition -> Decode -> Preprocess -> Detect -> Action

Snort Goes Commercial

- Sourcefire founded in January 2001
- Snort 1.7 last release before "full time" development begins
- Snort 1.7 is pitted head to head against 9 commercial IDS offerings in a Network Computing test, comes in 3rd overall!
- Snort 1.8 released in mid-2001, contains high speed output system, enterprise grade IP defragmenter/TCP stream reassembler, etc.

Snort Today

- Snort 2.3 available
- Highly stateful, 3000 detection rules + protocol anomaly detection
- Recent additions include:
  - New portscan detector
  - Target-based IP defragmenter
  - Event queuing
  - Gigabit performance capabilities, etc.
- 12-15000 downloads/week
- 600k+ rule updates per month
- "Most Innovative" @ RSA 2005

Snort Tomorrow

- The future:
  - New extensible data acquisition/decoder architecture
  - New stream reassembler
  - More application layer protocol analysis (SMTP/POP/IMAP, DCERPC, SNMP, Telnet/FTP, etc.)
  - Target-based traffic analysis...

Getting Started

- Website: http://www.snort.org
- Stable release is always available at http://www.snort.org/dl
  - Installable binary packages and source tarballs are typically available
- Also available via CVS: http://www.snort.org/source.html

Building Snort

- Get the tarball from snort.org: http://www.snort.org/dl/snort-2.3.0.tar.gz
- Make sure libpcap and PCRE are installed
- Unpack as usual:

    tar zxvf snort-2.3.0.tar.gz

- Build:

    cd snort-2.3.0; ./configure && make && make install

Read the Docs!

- Lots of documentation is available for Snort!
- Look in the 'doc' directory of the tarball
  - Snort manual in PDF format
  - README files cover Snort features and subsystems
- Man pages available too

Running Snort

Snort Run Modes

- Three basic modes of operation:
  - Sniffer
  - Packet logger
  - NIDS
- The mode is selected at run-time via command line switches

Sample sniffer mode output:

    05/22-11:50:11.320761 127.0.0.1:55786 -> 127.0.0.1:631
    TCP TTL:64 TOS:0x0 ID:16546 IpLen:20 DgmLen:69 DF
    ***AP*** Seq: 0xCE6183EE  Ack: 0x89ECD4F2  Win: 0xFFFF  TcpLen: 32
    TCP Options (3) => NOP NOP TS: 1481027454 1481027454
    50 4F 53 54 20 2F 20 48 54 54 50 2F 31 2E 31 0D  POST / HTTP/1.1.
    0A                                               .

NIDS Mode

- Sniffer and packet logger modes are covered in the first chapter of the Snort manual
- NIDS mode is what most people think of when talking about Snort
- Command line switches:
  - -c <file>: load NIDS config from <file>
  - -A <mode>: specify alert <mode>
  - -s: generate alerts to syslog
- Examples:

    snort -c snort.conf
    snort -c snort.conf -d -l ~/pktlog -s
    snort -c snort.conf -b -A fast

NIDS Mode [cont.]

- Useful switches:
  - -D: daemon mode
  - -i <interface>: sniff on network interface <interface>
  - -r <file>: read packets from <file>
  - -g <group>: set group ID of Snort process
  - -u <user>: set user ID of Snort process
  - -t <dir>: chroot Snort process to <dir>
- If no command line switches are specified, Snort looks for snort.conf in /etc/snort and the local directory
- Default logging directory is /var/log/snort

Snort Rules

Rule Syntax

- Snort's rule syntax is simple and straightforward
- It is also, unfortunately, quirky
- Full rule docs in the snort_manual.pdf file!

Rule Format

    alert tcp $BAD any -> $GOOD any (flags: SF; msg: "SYN-FIN scan";)
    |-------- Rule Header --------| |-------- Rule Options ---------|

- Rule Header: static definition, has to be in every rule
- Rule Options: variable definition, not always necessary, 50+ options available

Rule Headers

    alert tcp $BAD any -> $GOOD any

    alert   Rule action
    tcp     Protocol
    $BAD    Src. CIDR
    any     Src. Port
    ->      Direction
    $GOOD   Dest. CIDR
    any     Dest. Port

Rule Options

    (flags: SF; msg: "SYN-FIN scan";)

    ( ... )   Option start/finish
    flags     Keyword
    :         Separator
    SF        Argument
    ;         Delimiter
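To make the header/option split concrete, here is an added example (not from the slides or from Snort itself): a small parser that pulls the seven header fields out of a rule and splits each option into keyword and argument. It models only the structure shown above; real Snort rules also allow bracketed IP/port lists, escaped quotes and line continuations.

```python
"""Added example: minimal parser for the Snort rule structure on the slides.
Header = 7 whitespace-separated fields; options = ';'-delimited keyword:argument
pairs inside parentheses. Not Snort's own parser (no IP lists, no escaped quotes)."""
import re

HEADER_FIELDS = ("action", "proto", "src_cidr", "src_port",
                 "direction", "dst_cidr", "dst_port")

# One option runs up to the next ';' that is not inside double quotes,
# so msg:"a;b" is kept whole.
OPTION_RE = re.compile(r'(?:[^;"]|"[^"]*")+')

def parse_rule(rule):
    """Return {'header': {field: value}, 'options': [(keyword, arg or None)]}."""
    rule = rule.strip()
    paren = rule.find("(")
    header_text = rule if paren < 0 else rule[:paren]
    fields = header_text.split()
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError(f"expected {len(HEADER_FIELDS)} header fields, "
                         f"got {len(fields)}: {header_text!r}")
    header = dict(zip(HEADER_FIELDS, fields))
    if header["direction"] not in ("->", "<>"):      # Snort's two direction operators
        raise ValueError(f"bad direction operator {header['direction']!r}")
    options = []
    if paren >= 0:
        if not rule.endswith(")"):
            raise ValueError("rule options must be closed with ')'")
        for opt in OPTION_RE.findall(rule[paren + 1:-1]):
            opt = opt.strip()
            if not opt:
                continue
            keyword, sep, arg = opt.partition(":")   # ':' is the separator
            arg = arg.strip()
            if len(arg) >= 2 and arg[0] == arg[-1] == '"':
                arg = arg[1:-1]                       # drop quotes around msg/content
            options.append((keyword.strip(), arg if sep else None))  # e.g. nocase -> None
    return {"header": header, "options": options}

if __name__ == "__main__":
    print(parse_rule('alert tcp $BAD any -> $GOOD any '
                     '(flags: SF; msg: "SYN-FIN scan";)'))
```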

Fun with Snort Rules

- Basic detection is fun and easy with Snort rules
- To detect a basic string on the network (network grep) you just need the content keyword:

    alert tcp any any -> any any \
        (content: "foo"; msg: "detected foo!";)

- Detecting basic strings is easy but can result in false positives
- Better method is to define more constraints under which the rule may fire

Getting Stateful with Snort Rules

- Two options available for Snort rules:
  - flow: check TCP session state and direction
  - flowbits: set/test/clear application state info
- Stream4 preprocessor must be running for the flow keyword to work
- Flow preprocessor must be running to enable flowbits

    alert tcp any any -> any any \
        (flow: established, to_server; \
         content: "foo"; msg: "detected foo";)

- This rule will only fire for TCP sessions that are in the ESTABLISHED state and for traffic headed to the server

Stateful Snort Rules

- There is another type of state that can be used: cross-rule state
- Uses the new "flowbits" keyword to set/test/clear bits in Snort rules
- We can track application protocol state with Snort!
- Example:

    alert tcp any any -> $SMTP 25 \
        (pcre: "/^DATA\n/i"; \
         flowbits: set,smtp.client.mode.data; \
         flowbits: noalert;)
    alert tcp any any -> $SMTP 25 \
        (msg:"SMTP expn decode"; \
         flow: established, to_server; \
         flowbits: isnotset,smtp.client.mode.data; \
         ...
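The following is an added example (not Snort's code) that simulates how the two rules above share state through flowbits: rule 1 sets smtp.client.mode.data when the client enters DATA and raises no alert itself, and rule 2 only alerts while that bit is not set. The slide elides rule 2's remaining options, so its content match (the EXPN command) is an assumption here; "flow: established, to_server" is modelled by feeding only client-to-server payloads.

```python
"""Added example: toy flowbits evaluator for the SMTP rules on the slide.
Rule 2's EXPN content is assumed (the slide elides it). The DATA regex adds
\\r? so CRLF-terminated SMTP lines match; the slide's pcre is /^DATA\\n/i."""
import re

# Each rule: name, payload regex, flowbits operations, whether it alerts.
# 'flowbits: noalert' on rule 1 is modelled as alerts=False.
RULES = [
    ("smtp data mode",   re.compile(rb"^DATA\r?\n", re.I),
     [("set", "smtp.client.mode.data")], False),
    ("SMTP expn decode", re.compile(rb"^EXPN ", re.I),           # assumed content
     [("isnotset", "smtp.client.mode.data")], True),
]

def apply_rule(flowbits, rule, payload):
    """Evaluate one rule against one client->server payload of a flow.

    flowbits is the per-session set of bit names (kept by Snort's flow
    preprocessor). Returns the rule name if it alerts, else None."""
    name, pattern, ops, alerts = rule
    if not pattern.search(payload):
        return None
    # Test operations (isset / isnotset) must pass before anything else happens.
    for op, bit in ops:
        if op == "isset" and bit not in flowbits:
            return None
        if op == "isnotset" and bit in flowbits:
            return None
    # Then state-changing operations (set / unset) take effect.
    for op, bit in ops:
        if op == "set":
            flowbits.add(bit)
        elif op == "unset":
            flowbits.discard(bit)
    return name if alerts else None

def run_session(client_payloads):
    """Run every client->server payload of one TCP session through RULES
    (in list order, a simplification) and return the alert names raised."""
    flowbits = set()
    alerts = []
    for payload in client_payloads:
        for rule in RULES:
            fired = apply_rule(flowbits, rule, payload)
            if fired:
                alerts.append(fired)
    return alerts

if __name__ == "__main__":
    # EXPN before DATA alerts; the same string inside the message body does not.
    print(run_session([b"EXPN root\r\n", b"DATA\r\n", b"EXPN root\r\n"]))
```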

Regular Expressions

- Snort supports PCRE: powerful regular expression payload analysis
- Use with care
  - Maintainability, performance issues

    alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND bad file attachment"; \
        flow:to_server,established; \
        content:"Content-Disposition|3A|"; nocase; \
        pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[stw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]/iR"; \
        classtype:suspicious-filename-detect; \
        sid:721; rev:7;)
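As an added example (not part of the slides or of Snort), the code below shows how the rule above is evaluated: the cheap content match for "Content-Disposition:" runs first, and the PCRE, because of its R modifier, is searched only from the end of that match. The filename regex is copied from the rule; the harness around it and the sample headers are constructed here.

```python
"""Added example: evaluate sid 721's content -> relative pcre chain in Python.
The regex is the rule's own; attachment_alert() and the sample inputs are ours."""
import re

# content:"Content-Disposition|3A|"; nocase;   (|3A| is the hex byte for ':')
CONTENT = b"content-disposition:"

# pcre:"/.../iR" from the rule. The (?=[...]) lookahead rejects most extensions
# after one character, so the long alternation is rarely tried in full.
FILENAME_RE = re.compile(
    rb"filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])"
    rb"(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|"
    rb"jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|"
    rb"v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[stw]|bat|ini|lnk|nws|ocx)"
    rb"[\x27\x22\n\r\s]",
    re.I,                          # the /i modifier
)

def attachment_alert(payload):
    """Return the flagged extension (lowercase) or None.

    Mirrors Snort's evaluation order: if the content match fails the pcre is
    never run; if it succeeds, 'R' makes the pcre search start at the end of
    the content match rather than at the start of the payload."""
    pos = payload.lower().find(CONTENT)      # nocase content match
    if pos < 0:
        return None
    start = pos + len(CONTENT)               # 'R': relative to previous match
    m = FILENAME_RE.search(payload, start)
    return m.group(1).decode().lower() if m else None

if __name__ == "__main__":
    # Constructed sample headers, one flagged and one benign.
    for hdr in (b'Content-Disposition: attachment; filename="report.exe"\r\n',
                b'Content-Disposition: attachment; filename="report.pdf"\r\n'):
        print(hdr.strip(), "->", attachment_alert(hdr))
```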

Managing Output

Snort Output

- Two basic types:
  - Alerts are for real-time notification
  - Logs are for forensics
- Several alert/log output types available:
  - Alert: syslog, text, database, unified
  - Log: text, pcap, database, unified, CSV
- Performance is a big deal in the output subsystem
  - Low performance = dropped packets
- Snort's unified format was designed specifically for high-performance output
- Pcap format is for cross-platform analysis

Unified Output

- Unified output is set up for high performance and flexibility
- Unified format can be converted to any of the other formats (DB, pcap, XML, etc.)
- Barnyard is used to process unified files
  - http://www.snort.org/dl/barnyard/barnyard-0.2.0.tar.gz
- Input/output plugins:
  - Input: alert, log, stream (flow data)
  - Output: DB, CSV, syslog, pcap, SGUIL, text, XML

Output Futures

- Unified/Barnyard are the future of Snort output generation
- Performance is the number one concern of the sensor process
- Unified2 coming soon, Barnyard will change to suit
- Most complex post-processing should move into Barnyard

Current & Future Developments

- New portscan detector
  - Uses rate-based and backscatter methods to detect portscans
- New IP defragmenter (frag3)
  - Target-based, very hard to evade or confuse, high performance
- New TCP stream reassembler (stream5)
  - Target-based, high performance
- New data acquisition frontend
  - Modular, extensible
- New decoder architecture
  - Modular, extensible, easier to add protocols to Snort
- Additional layer-7 preprocessing
  - Better protocol anomaly detection, more protocols normalized, enable new protocol-specific detection keywords
- Target-based detection engine...

"Sourcefire, framing the future of IT security"
Information Security Magazine, The Influence List

Questions & Answers
www.sourcefire.com
800 917 4134
