Harnessing the Power of Snort
Brian Caswell, Principal Research Engineer, Sourcefire Vulnerability Research Team
Background
What is Snort?
Open Source packet analysis tool
The most widely deployed Network Intrusion Detection System (NIDS)
The de facto standard in intrusion detection and prevention
Who is Brian Caswell?
Sourcefire Vulnerability Research Team - Principal Research Engineer; keeping Snort users ahead of the threat
Snort Rules Maintainer
Author, Snort 2.1 Intrusion Detection: Second Edition
Snort History
Initial release by Marty Roesch in 1998
Original goals of Snort:
Traffic analysis tool for home network
Debugger for service simulators Marty was developing for a honeypot system
Learning tool for libpcap
Initial open source release in December 1998: just a sniffer, no rule language
Rules implemented early 1999
1.0 release, June 1999: basic rules language, stateless
Snort History [cont.]
Snort 1.5 released December 1999
System was rearchitected to be modular and extensible
Same basic architecture still used today!
Snort implemented as a packet analysis pipeline:
Data Acquisition -> Decode -> Preprocess -> Detect -> Action
Snort Goes Commercial
Sourcefire founded in January 2001
Snort 1.7 last release before "full time" development begins
Snort 1.7 is pitted head to head against 9 commercial IDS offerings in a Network Computing test, comes in 3rd overall!
Snort 1.8 released in mid-2001, contains high speed output system, enterprise grade IP defragmenter/TCP Stream Reassembler, etc.
Snort Today
Snort 2.3 available
Highly stateful, 3000 detection rules + protocol anomaly detection
Recent additions include: new portscan detector, target-based IP defragmenter, event queuing, gigabit performance capabilities, etc.
12-15000 downloads/week
600k+ rule updates per month
"Most Innovative" @ RSA 2005
Snort Tomorrow
The future:
New extensible data acquisition/decoder architecture
New stream reassembler
More application layer protocol analysis (SMTP/POP/IMAP, DCERPC, SNMP, Telnet/FTP, etc.)
Target-based traffic analysis…
Getting Started
Getting Started
Website - http://www.snort.org
Stable release is always available at http://www.snort.org/dl
Installable binary packages and source tarballs are typically available
Also available via CVS: http://www.snort.org/source.html
Building Snort
Get the tarball from snort.org: http://www.snort.org/dl/snort-2.3.0.tar.gz
Make sure libpcap and PCRE are installed
Unpack as usual:
tar zxvf snort-2.3.0.tar.gz
Build:
cd snort-2.3.0; ./configure && make && make install
Read the Docs!
Lots of documentation is available for Snort!
Look in the ‘doc’ directory of the tarball
Snort manual in PDF format
README files cover Snort features and subsystems
Man pages available too
Running Snort
Snort Run Modes
Three basic modes of operation: sniffer, packet logger, NIDS
Runtime mode is determined at run-time via command line switches
Example packet output:
05/22-11:50:11.320761 127.0.0.1:55786 -> 127.0.0.1:631
TCP TTL:64 TOS:0x0 ID:16546 IpLen:20 DgmLen:69 DF
***AP*** Seq: 0xCE6183EE  Ack: 0x89ECD4F2  Win: 0xFFFF  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1481027454 1481027454
50 4F 53 54 20 2F 20 48 54 54 50 2F 31 2E 31 0D  POST / HTTP/1.1.
0A                                               .
NIDS Mode
Sniffer and packet logger modes are covered in the first chapter of the Snort manual
NIDS Mode is what most people think of when talking about Snort
Command line switches:
-c <file>: load NIDS config from <file>
-A <mode>: specify alert <mode>
-s: generate alerts to syslog
Examples:
snort -c snort.conf
snort -c snort.conf -d -l ~/pktlog -s
snort -c snort.conf -b -A fast
NIDS Mode [cont.]
Useful switches:
-D: daemon mode
-i <interface>: sniff on network interface <interface>
-r <pcap file>: read packets from <pcap file>
-g <group>: set group ID of Snort process
-u <user>: set user ID of Snort process
-t <dir>: chroot Snort process to <dir>
If no command line switches are specified, Snort looks for snort.conf in /etc/snort and in the local directory
Default logging directory is /var/log/snort
Snort Rules
Rule Syntax
Snort’s rule syntax is simple and straightforward
It is also, unfortunately, quirky
Full rule docs in the snort_manual.pdf file!
Rule format
alert tcp $BAD any -> $GOOD any (flags: SF; msg: "SYN-FIN scan";)
Everything before the parentheses is the Rule Header; the parenthesised part is the Rule Options
Rule Header - static definition - has to be in every rule
Rule Options - variable definition - not always necessary - 50+ options available
Rule Headers
alert tcp $BAD any -> $GOOD any
alert = Rule action
tcp = Protocol
$BAD = Src. CIDR
any = Src. Port
-> = Direction
$GOOD = Dest. CIDR
any = Dest. Port
Rule Options
(flags: SF; msg: "SYN-FIN scan";)
( and ) = Option start/finish
Option detail, flags: SF; :
flags = Keyword
: = Separator
SF = Argument
; = Delimiter
Fun with Snort Rules
Basic detection is fun and easy with Snort rules
To detect a basic string on the network (network grep) you just need the content keyword:
alert tcp any any -> any any \
    (content: "foo"; msg: "detected foo!";)
Detecting basic strings is easy but can result in false positives
Better method is to define more constraints under which the rule may fire
Getting Stateful with Snort Rules
Two options available for Snort rules:
flow: check TCP session state, direction
flowbits: set/test/clear application state info
Stream4 preprocessor must be running for the flow keyword to work
Flow preprocessor must be running to enable flowbits
alert tcp any any -> any any \
    (flow: established, to_server; \
    content: "foo"; msg: "detected foo";)
This rule will only fire for TCP sessions that are in the ESTABLISHED state and for traffic headed to the server
Stateful Snort Rules
There is another type of state that can be used: cross-rule state
Uses the new "flowbits" keyword to set/test/clear bits in Snort rules
We can track application protocol state with Snort!
Example:
alert tcp any any -> $SMTP 25 \
    (pcre: "/^DATA\n/i"; \
    flowbits: set,smtp.client.mode.data; flowbits: noalert;)
alert tcp any any -> $SMTP 25 \
    (msg:"SMTP expn decode"; flow: established, to_server; \
    flowbits: isnotset,smtp.client.mode.data; ...
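The rule format from the earlier slides (header fields plus keyword/argument options) and the flow/flowbits behaviour described on the last two slides, as an added example that is not part of the deck and not Snort's own code: a toy Python parser that splits a rule into its header and options, and a minimal evaluator that keeps one flowbits set per session so a bit set by one rule can gate another. The $SMTP value, the packets, and the content:"expn" completion of the truncated second rule are constructed for the example; only flow, flowbits (set/isset/isnotset/noalert), content/nocase and pcre (i flag only) are evaluated, and other keywords are ignored. The s2 session also shows a caveat a rule writer should test for: the deck's /^DATA\n/ expects a bare LF, so a client that sends CRLF never sets the bit.

```python
"""Toy Snort rule parser and flowbits evaluator (added example, not Snort's own code)."""
import re

# Header: action proto src sport direction dst dport, then the parenthesised options
HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)
# One option: keyword[: argument]; the argument may be double-quoted
OPTION_RE = re.compile(r'\s*(\w+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*?))?\s*;')
VARS = {"$SMTP": "10.0.0.25"}  # constructed stand-in for a snort.conf "var SMTP ..." line

def parse_rule(text):
    """Split a rule into header fields and an ordered list of (keyword, argument)."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule header: " + text)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = [(k, a.strip().strip('"')) for k, a in OPTION_RE.findall(opts)]
    return {"action": action, "proto": proto.lower(), "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}

def header_match(rule, pkt):
    # Toy header test: variables, "any" and exact values only; "<>" is treated like "->"
    src, dst = VARS.get(rule["src"], rule["src"]), VARS.get(rule["dst"], rule["dst"])
    return (rule["proto"] == pkt["proto"] and src in ("any", pkt["src"])
            and dst in ("any", pkt["dst"]) and rule["sport"] in ("any", str(pkt["sport"]))
            and rule["dport"] in ("any", str(pkt["dport"])))

def pcre_match(arg, payload):
    # pcre:"/pattern/flags" evaluated with Python's re; only the i flag is honoured
    body, _, flags = arg.rpartition("/")
    return re.search(body[1:], payload, re.I if "i" in flags else 0) is not None

def options_match(rule, pkt, bits):
    """True when every test option passes (bits = this session's flowbits); unknown keywords are ignored."""
    opts = rule["options"]
    for i, (key, arg) in enumerate(opts):
        if key == "content":  # case-sensitive unless the next option is nocase
            nocase = i + 1 < len(opts) and opts[i + 1][0] == "nocase"
            hay, needle = (pkt["payload"].lower(), arg.lower()) if nocase else (pkt["payload"], arg)
            if needle not in hay:
                return False
        elif key == "flow":
            wanted = {f.strip() for f in arg.split(",")}
            if ("established" in wanted and not pkt["established"]) or (
                    "to_server" in wanted and not pkt["to_server"]):
                return False
        elif key == "flowbits":
            op, _, name = (s.strip() for s in arg.partition(","))
            if (op == "isset" and name not in bits) or (op == "isnotset" and name in bits):
                return False
        elif key == "pcre" and not pcre_match(arg, pkt["payload"]):
            return False
    return True

def run(rules, packets):
    """Feed packets through the rules; return [(session, msg)] for every alert raised."""
    state, alerts = {}, []
    for pkt in packets:
        bits = state.setdefault(pkt["session"], set())  # cross-rule state lives per session
        for rule in rules:
            if not (header_match(rule, pkt) and options_match(rule, pkt, bits)):
                continue
            alert = True
            for key, arg in rule["options"]:  # side effects apply only once the rule matched
                if key == "flowbits" and arg.startswith("set,"):
                    bits.add(arg.partition(",")[2].strip())
                elif key == "flowbits" and arg == "noalert":
                    alert = False
            if alert:
                alerts.append((pkt["session"], dict(rule["options"]).get("msg", "")))
    return alerts

RULES = [parse_rule(r) for r in (
    r'alert tcp any any -> any any (flow: established, to_server; content: "foo"; msg: "detected foo";)',
    r'alert tcp any any -> $SMTP 25 (pcre: "/^DATA\n/i"; flowbits: set,smtp.client.mode.data; flowbits: noalert;)',
    # the deck truncates this rule; content:"expn" is a constructed completion
    r'alert tcp any any -> $SMTP 25 (msg: "SMTP expn decode"; flow: established, to_server; '
    r'flowbits: isnotset,smtp.client.mode.data; content: "expn"; nocase;)',
)]

def packet(session, payload, dst="10.0.0.25", dport=25, established=True, to_server=True):
    # Constructed packet record carrying only the fields this toy needs
    return {"session": session, "proto": "tcp", "src": "192.0.2.10", "sport": 4444, "dst": dst,
            "dport": dport, "payload": payload, "established": established, "to_server": to_server}

PACKETS = [  # constructed traffic, one record per packet
    packet("s1", "EXPN root\r\n"),   # before DATA: "SMTP expn decode" fires
    packet("s1", "DATA\n"),          # sets smtp.client.mode.data; noalert keeps it quiet
    packet("s1", "expn root\r\n"),   # inside the message body: isnotset blocks the alert
    packet("s2", "DATA\r\n"),        # CRLF, so the deck's /^DATA\n/ never sets the bit...
    packet("s2", "EXPN root\r\n"),   # ...and body text still alerts (a real-world caveat)
    packet("s3", "foo", dst="198.51.100.7", dport=80, established=False),  # flow test fails
    packet("s3", "foo", dst="198.51.100.7", dport=80),  # "detected foo"
]
```

Calling run(RULES, PACKETS) yields one "SMTP expn decode" alert for s1, one for s2 (the CRLF session, where the bit was never set) and one "detected foo" for s3; the rules are evaluated in list order for each packet, which is a simplification of Snort's detection engine, but the point of the flowbits bookkeeping is the same: state set by a silent rule changes what a later rule in the same session does.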
Regular Expressions
Snort supports PCRE - powerful regular expression payload analysis
Use with care: maintainability, performance issues
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND bad file attachment"; \
    flow:to_server,established; \
    content:"Content-Disposition|3A|"; nocase; \
    pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[stw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]/iR"; \
    classtype:suspicious-filename-detect; \
    sid:721; rev:7;)
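To see what that pcre actually accepts, here is an added Python example (not Snort code and not from the deck) that transcribes the pattern for Python's re, emulates the R modifier by searching only from the end of the Content-Disposition content match, and runs it over constructed MIME header fragments. The samples and the bad_extension/scan helpers are assumptions for the example.

```python
"""Exercise the attachment-name pcre from the rule above (added example, not Snort's own code)."""
import re

# The deck's pattern transcribed for Python's re; Snort's /i becomes IGNORECASE
BAD_ATTACHMENT = re.compile(
    r"filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])"
    r"(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?"
    r"|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)"
    r"|w(m[dfsz]|p[dmsz]|s[cfh])|xl[stw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]",
    re.IGNORECASE)
ANCHOR = "content-disposition:"  # the rule's content match (|3A| is ':'), nocase


def bad_extension(payload):
    """Emulate content + pcre with the R modifier: the regex is searched only from
    the end of the content match. Returns the matched extension, or None."""
    pos = payload.lower().find(ANCHOR)
    if pos < 0:
        return None  # content never matched, so Snort would not even run the pcre
    m = BAD_ATTACHMENT.search(payload, pos + len(ANCHOR))
    return m.group(1).lower() if m else None


# Constructed MIME header fragments, as they would appear in an outbound message
SAMPLES = {
    "exe": 'Content-Disposition: attachment; filename="invoice.exe"\r\n',
    "pdf": 'Content-Disposition: attachment; filename="report.pdf"\r\n',
    "double": 'Content-Disposition: attachment; filename="photo.jpg.scr"\r\n',
    "masked": 'Content-Disposition: attachment; filename="safe.exe.txt"\r\n',
    "upper": 'CONTENT-DISPOSITION: ATTACHMENT; FILENAME=VIRUS.BAT\r\n',
    "name-only": 'Content-Type: application/octet-stream; name="invoice.exe"\r\n',
    "no-delim": 'Content-Disposition: attachment; filename=x.exe',
}


def scan(samples):
    """Map each sample label to the extension that would trigger sid 721, or None."""
    return {label: bad_extension(text) for label, text in samples.items()}
```

scan(SAMPLES) reports exe, scr and bat for the first, third and fifth samples and None for the rest, which makes the rule's coverage explicit: the lazy .*? lets a second extension such as .jpg.scr match, the trailing delimiter class means an extension that is followed by another dot or by the end of the buffer does not, and because the pcre is only run after the Content-Disposition content match, a filename carried only in a Content-Type name= parameter is never inspected. These are the maintainability and performance trade-offs the slide warns about: the cheap content match gates the expensive regex, at the cost of cases the regex alone would have caught.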
Managing Output
Snort Output
Two basic types:
Alerts are for real-time notification
Logs are for forensics
Several alert/log output types available:
Alert: syslog, text, database, unified
Log: text, pcap, database, unified, CSV
Performance is a big deal in the output subsystem: low performance = dropped packets
Snort’s unified format was designed specifically for high-performance output
Pcap format is for cross-platform analysis
Unified Output
Unified output is set up for high performance and flexibility
Unified format can be converted to any of the other formats (DB, pcap, XML, etc.)
Barnyard is used to process unified files: http://www.snort.org/dl/barnyard/barnyard-0.2.0.tar.gz
Input/output plugins:
Input: alert, log, stream (flow data)
Output: DB, CSV, syslog, pcap, SGUIL, text, XML
Output Futures
Unified/Barnyard are the future of Snort output generation
Performance is the number one concern of the sensor process
Unified2 coming soon, Barnyard will change to suit
Most complex post-processing should move into Barnyard
Current & Future Developments
New portscan detector
Uses rate-based and backscatter methods to detect portscans
New IP defragmenter (frag3)
Target-based, very hard to evade or confuse, high performance
New TCP Stream Reassembler (stream5)
Target-based, high performance
New data acquisition frontend
Modular, extensible
New decoder architecture
Modular, extensible, easier to add protocols to Snort
Additional layer-7 preprocessing
Better protocol anomaly detection, more protocols normalized, enable new protocol-specific detection keywords
Target-based detection engine…
“Sourcefire, framing the future of IT security” Information Security Magazine, The Influence List
Questions & Answers
www.sourcefire.com
800 917 4134