Intrusion Detection
Snort
● Get snort
● Installation
● Configure
● Setup logs
● Rules
● Start
Get snort source
● http://www.snort.org/
● Source tar.gz
– http://www.snort.org/dl/current/snort-2.8.2.3.tar.gz
● RPMs – Red Hat Package Manager
– yum install snort
● apt-get – Debian package manager
– apt-get install snort
Install: make from source
● Source based installation
● Move the tar.gz file to /usr/local/src/ or /usr/src/redhat/SOURCES
● tar -zxvf snort-2.4.3.tar.gz
– Unpacks the source in snort-2.4.3
● Build the app
– cd snort-2.4.3
– ./configure
– make
– make install
Documentation
● Included documentation in the distribution:
AUTHORS BUGS CREDITS faq.pdf faq.tex INSTALL Makefile Makefile.am Makefile.in NEWS PROBLEMS
README README.alert_order README.asn1 README.csv README.database README.event_queue
README.FLEXRESP README.flow README.flowbits README.flow-portscan README.frag3 README.http_inspect
README.INLINE README.PLUGINS README.sfportscan README.thresholding README.UNSOCK README.WIN32
README.wireless RULES.todo snort_manual.pdf snort_manual.tex snort_schema_v106.pdf TODO USAGE WISHLIST
● man snort
● More documentation on the snort website
Configure
● Create the directory: mkdir /etc/snort, cd /etc/snort
● Get the snort rules
– http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_pr/snortrules-pr-2.4.tar.gz
● Unpack the rule set
– tar -zxvf snortrules-pr-2.4.tar.gz
● Edit /etc/snort/rules/snort.conf
● mkdir /var/log/snort
● Snort has to know where everything is
snort.conf (default value, then the value set for this network)
var HOME_NET any              var HOME_NET 192.168.50.0/24
var EXTERNAL_NET any          var EXTERNAL_NET !$HOME_NET
var SMTP $HOME_NET
var HTTP_SERVICES $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
var RULE_PATH /etc/snort/rules
Modes of operation
● Sniffer mode
● On screen packet sniffer
● Packet logger mode
● Logs in text format or tcpdump format
● Direct the logging to a remote host
● Logs every packet
● NIDS mode
● Uses snort.conf
● Logs only the packets that satisfy a rule
Sniffer mode
● snort -v -i eth0
– Shows only the headers on the screen
02/16-12:59:45.856485 127.0.0.1 -> 127.0.0.1
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:13104 Seq:256 ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/16-12:59:45.856519 127.0.0.1 -> 127.0.0.1
ICMP TTL:64 TOS:0x0 ID:50341 IpLen:20 DgmLen:84
Type:0 Code:0 ID:13104 Seq:256 ECHO REPLY
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Sniffer mode
● snort -vd -i eth0
– Shows headers and packet contents on the screen
02/16-13:07:28.498178 127.0.0.1 -> 127.0.0.1
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:15408 Seq:256 ECHO
90 FD 4F 3E E7 99 07 00 08 09 0A 0B 0C 0D 0E 0F  ..O>............
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/16-13:07:28.498206 127.0.0.1 -> 127.0.0.1
ICMP TTL:64 TOS:0x0 ID:50342 IpLen:20 DgmLen:84
Type:0 Code:0 ID:15408 Seq:256 ECHO REPLY
90 FD 4F 3E E7 99 07 00 08 09 0A 0B 0C 0D 0E 0F  ..O>............
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Logger mode
● snort -d -l ./log -i eth0
● Logs packets to current_dir/log/eth0
● Log file must exist
● Logged as ASCII
● -e also records the data link layer info
● snort -de -l ./log -b -i eth0
● Logs complete packets in binary format, i.e. tcpdump format
NIDS Mode
● Runs snort as an intrusion detector
● Not every packet is recorded, only those matching a rule
● snort -de -l /var/log/snort -i eth0 -c snort.conf
● Uses the rules in snort.conf
● tcpdump format
● Sends log files to /var/log/snort
Rules
● The basis for logging or not logging a packet
● Can be more than one line long (now supported)
● Each line to be continued must be terminated with a ' \', that is "space backslash"
● Generic syntax
rule_header (rule_options)
● Rule header
● Action, addresses, ports, masks
● Rule options
● Messages, what to look for, where to look
Simple Rule
● Snort rule example
alert tcp any any -> 192.168.1.0/24 111 \
(content:"|00 01 86 a5|"; msg: "mountd access";)
– content: what to match in the packet
– msg: log message heading
● Header fields, left to right: Action, Protocol, Source IP/mask, Source Port, Dest IP/mask, Dest Port
Key Words
● Include
include /etc/snort/rules/ping.rules
● Variables
var HOME_NET 192.16.13.0/24
var RULE_PATH /etc/snort/rules
include $RULE_PATH/ping.rules
● Config
config reference: bugtraq http://www.securityfocus.com/bid
Rule Actions/Types (Field 1)
● Alert, log, pass
● Alert – generates an alert message and then logs the packet
● Log – logs the packet
● Pass – ignores the packet
● Activate, dynamic
● Activate – sends an alert and then turns on a dynamic rule
● Dynamic – idle until activated and then acts as a log rule
● User defined rule types
Protocols (Field 2)
● To date: tcp, udp, icmp, ip
● The distant future: arp, igrp, gre, ospf, rip, etc.
Addresses (Fields 3 & 5)
● Usual dotted decimal notation with mask indicated
– 192.16.13.0/24
● Dereferenced variable
– $HOME_NET
● Keyword any
● List
– [192.16.13.0/24,10.1.1.0/24]
● Negation
– !192.16.13.1
Ports (Fields 4 & 6)
● Numerical, “any”
● 80, 21, 23, etc.
● 100:1024 - ports 100 through 1024
● :600 - ports 0 through 600
● 500: - ports greater than or equal to 500
● Typical address/port fields
!192.16.13.0/24 any -> 192.16.13.0/24 111
Rule Options
Key words:
– msg: prints a message in the log
– ttl: test the IP header's TTL value
– tos: test the TOS field
– id: test the IP header's ID field
– fragbits: test the fragmentation bits
– dsize: test the packet's payload size
– flags: test TCP flags
– seq: test the sequence number for a specific value
– ack: test the ack bit for set or clear
– itype: test ICMP type
– sid: snort rule id
– rev: rule revision number
– ip_proto: IP header's protocol number
– reference: external attack reference
Options: Examples
● msg
– Puts a message in the log record to identify the snort rule
msg: "SYN packet malformed";
● ttl
– Tests for a specific ttl value
ttl: "127";
● dsize
– Tests for a specific size of the packet, >, <, <>
dsize: "400<>500";
Options: Examples cont'd
● fragbits
– Tests for configuration of the IP datagram frag bits
RB, MF, DF (reserved bit, more frags bit, do not frag bit)
modifiers: + all have to match
* any have to match
! match if bits are not set
fragbits: R+;
● content
– Tests for specific content within the packet payload
Binary data enclosed by "| ... |"
ASCII data enclosed by " ... "
! tests that the content does not contain the string
content: "|90CB C0FF FFFF|/bin/sh";
content: !"GET";
Options: Examples cont'd
● offset
– Dictates the starting position of the content search
offset: 3;
● depth
– Dictates the maximum depth of the content search
depth: 22;
● nocase
– Content search is not case sensitive
nocase;
Options: Examples cont'd
● flags
– Tests TCP flags for a match
F, S, R, P, A, U, 2, 1, 0
1 & 2 are the reserved bits in the flag octet
0 means no flag is set
modifiers: + all have to match
* any have to match
! match if bits are not set
flags: SF;
Options: Examples cont'd
● ip_proto
– Checks the IP Protocol field; permissible values are listed in /etc/protocols
ip_proto: 6;
# /etc/protocols:
# $Id: protocols,v 1.3 2001/07/07 07:07:15 nalin Exp $
#
# Internet (IP) protocols
#
# from: @(#)protocols 5.1 (Berkeley) 4/17/89
#
# Updated for NetBSD based on RFC 1340, Assigned Numbers (July 1992).
#
# See also http://www.iana.org/assignments/protocol-numbers
ip       0  IP           # internet protocol, pseudo protocol number
#hopopt  0  HOPOPT       # hop-by-hop options for ipv6
icmp     1  ICMP         # internet control message protocol
igmp     2  IGMP         # internet group management protocol
ggp      3  GGP          # gateway-gateway protocol
ipencap  4  IP-ENCAP     # IP encapsulated in IP (officially ``IP'')
st       5  ST           # ST datagram mode
tcp      6  TCP          # transmission control protocol
cbt      7  CBT          # CBT, Tony Ballardie <[email protected]>
egp      8  EGP          # exterior gateway protocol
igp      9  IGP          # any private interior gateway (Cisco: for IGRP)
bbn-rcc  10 BBN-RCC-MON  # BBN RCC Monitoring
nvp      11 NVP-II       # Network Voice Protocol
pup      12 PUP          # PARC universal packet protocol
argus    13 ARGUS        # ARGUS
emcon    14 EMCON        # EMCON
xnet     15 XNET         # Cross Net Debugger
chaos    16 CHAOS        # Chaos
udp      17 UDP          # user datagram protocol
mux      18 MUX          # Multiplexing protocol
dcn      19 DCN-MEAS     # DCN Measurement Subsystems
hmp      20 HMP          # host monitoring protocol
prm      21 PRM          # packet radio measurement protocol
Options: Examples cont'd
● classtype
– Categorizes snort detects into attack classes
classtype: <class name>;
Listed in classification.config
classtype: misc-attack;
Options: Examples cont'd
● itype
– Checks the value of the ICMP type field
itype: 0;
● icode
– Checks the value of the ICMP code field
icode: 8;
Options: Examples cont'd
● reference
– References to external attack identification systems
Bugtraq, CVE, arachNIDS, McAfee, url
reference: <id-system>,<id>;
reference: arachNIDS,IDS287; reference: bugtraq,1387;
Options: Examples cont'd
● flow
– Used with TCP stream reassembly, applies to certain directions
– Applies to either client or server
to_client – triggers on server responses
to_server – triggers on client requests
from_client – triggers on client requests
from_server – triggers on server responses
established – triggers only on established TCP connections
flow: from_server;
Rule Example
alert tcp any any -> any 7070 \
(msg: "IDS411/dos-realaudio"; \
flags: AP; content: "|fff4 fffd 06|"; \
reference: arachNIDS,IDS411;)
Rule Example
alert udp any any -> any 1434 \
(msg: "MS-SQL Worm propagation attempt"; \
content: "|04|"; depth:1; \
content:"|81 f1 03 01 04 9b 81 f1 01|"; \
content:"sock"; \
content:"send"; \
reference:bugtraq,5310; \
reference:bugtraq,5311; \
reference:url,il.nai.com/vil/content/v_99992.htm; \
classtype:misc-attack; sid:2003; rev:2;)
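To make the rule syntax from the preceding slides concrete, here is an added example (not from the slides or the Snort project): a small Python evaluator for the subset covered above, the header fields (CIDR masks, [a,b] lists, $HOME_NET-style variables, any, ! negation, port ranges like 100:1024, :600, 500:) and the content option with its |hex| notation, ! negation and offset/depth modifiers; flags, dsize and the other options are parsed but ignored. check_mssql_sample runs the MS-SQL worm rule from the last slide against a constructed packet; VARS and all packet values are constructed for this example.

```python
import ipaddress, itertools
VARS = {"HOME_NET": "192.168.1.0/24"}  # constructed stand-in for the snort.conf var lines

def port_ok(spec, port):  # any, 111, 100:1024, :600, 500:
    lo, sep, hi = spec.partition(":")
    return spec == "any" or (int(lo or 0) <= port <= int(hi or 65535) if sep else port == int(lo))

def addr_ok(spec, ip):  # CIDR, $VAR, any, [a,b] list, optional leading '!'
    if spec.startswith("!"):
        return not addr_ok(spec[1:], ip)
    if spec.startswith("$"):
        return addr_ok(VARS[spec[1:]], ip)
    if spec.startswith("["):
        return any(addr_ok(s, ip) for s in spec[1:-1].split(","))
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def decode_content(s):  # text outside |...| is ASCII, text between pipes is hex bytes
    return b"".join(bytes.fromhex(c) if i % 2 else c.encode()
                    for i, c in enumerate(s.strip('"').split("|")))

def parse_rule(text):  # rule_header (rule_options), '\'-continued lines joined first
    head, _, body = text.replace("\\\n", " ").partition("(")
    action, proto, src, sport, _, dst, dport = head.split()
    opts = [(k.strip(), v.strip()) for k, _, v in
            (o.strip().partition(":") for o in body.strip().rstrip(")").split(";")) if k.strip()]
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport, opts=opts)

def rule_matches(rule, pkt):  # pkt: dict with proto, src, sport, dst, dport, payload (bytes)
    if rule["proto"] != pkt["proto"] or not all(f(rule[k], pkt[k]) for f, k in
            ((addr_ok, "src"), (port_ok, "sport"), (addr_ok, "dst"), (port_ok, "dport"))):
        return False
    opts, data = rule["opts"], pkt["payload"]
    for i, (key, val) in enumerate(opts):
        if key != "content":
            continue  # msg, sid, rev, classtype, reference etc. do not affect the match
        # offset/depth keywords up to the next content keyword modify this content
        mods = dict(itertools.takewhile(lambda m: m[0] != "content", opts[i + 1:]))
        window = data[int(mods.get("offset", 0)):]
        window = window[:int(mods["depth"])] if "depth" in mods else window
        needle = decode_content(val.lstrip("!"))
        if (needle in window) == val.startswith("!"):  # '!' means the bytes must be absent
            return False
    return True

def check_mssql_sample():  # constructed UDP packet the MS-SQL worm rule above should fire on
    rule = parse_rule('alert udp any any -> any 1434 (msg:"MS-SQL Worm propagation attempt"; '
                      'content:"|04|"; depth:1; content:"|81 f1 03 01 04 9b 81 f1 01|"; '
                      'content:"sock"; content:"send"; classtype:misc-attack; sid:2003; rev:2;)')
    pkt = dict(proto="udp", src="10.0.0.5", sport=40000, dst="192.168.1.10", dport=1434,
               payload=b"\x04" + b"A" * 96 + bytes.fromhex("81f10301049b81f101") + b"sock send")
    return rule_matches(rule, pkt)
```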
Final Lab
Setup and configure snort.
Select a rule set. Be sure to include scanning rules.
Start snort in NIDS mode.
With your firewall up and down, scan your system using a ping scan, an Xmas tree scan and an OS scan.
Check your syslog, your snort logs and the nmap output (e.g. for an ICMP ping scan, what nmap returns).
1. With shields up, what got through and what did snort think was happening?
2. With shields down, what got through and what did snort think was happening?
3. What did nmap think it saw in each case?
Hand in:
1. Firewall policies
2. Firewall script with comments, especially how each policy is enforced
3. snort.conf
4. Discussion from the experiments above.