Intrusion Detection snort

Upload: keaton-coffey

Post on 01-Jan-2016


Page 1: Intrusion Detection

Intrusion Detection

snort

Page 2: Intrusion Detection

Snort

● Get snort

● Installation

● Configure

● Setup logs

● Rules

● Start

Page 3: Intrusion Detection

Get snort source

● http://www.snort.org/

● tar.gz

● Source

– http://www.snort.org/dl/current/snort-2.8.2.3.tar.gz

● Rpm's – Redhat Package Manager

● yum install snort

● Apt-get – Debian package manager

● apt-get install snort

Page 4: Intrusion Detection

Install: make from source

● Source based installation

● Move the tar.gz file to
– /usr/local/src/ or
– /usr/src/redhat/SOURCES

● tar -zxvf snort-2.4.3.tar.gz
– Unpacks the source in snort-2.4.3

● Build the app
– cd snort-2.4.3
– ./configure
– make
– make install

Page 5: Intrusion Detection

Documentation

● Included documentation in the distribution: AUTHORS BUGS CREDITS faq.pdf faq.tex INSTALL Makefile Makefile.am Makefile.in NEWS PROBLEMS README README.alert_order README.asn1 README.csv README.database README.event_queue README.FLEXRESP README.flow README.flowbits README.flow-portscan README.frag3 README.http_inspect README.INLINE README.PLUGINS README.sfportscan README.thresholding README.UNSOCK README.WIN32 README.wireless RULES.todo snort_manual.pdf snort_manual.tex snort_schema_v106.pdf TODO USAGE WISHLIST

● man snort

● More documentation on the snort website

Page 6: Intrusion Detection

Configure

● Create the directory: mkdir /etc/snort; cd /etc/snort

● Get the snort rules
– http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_pr/snortrules-pr-2.4.tar.gz

● Unpack the rule set
– tar -zxvf snortrules-pr-2.4.tar.gz

● Edit /etc/snort/rules/snort.conf
– mkdir /var/log/snort

● Snort has to know where everything is

Page 7: Intrusion Detection

snort.conf

var HOME_NET any
var HOME_NET 192.168.50.0/24

var EXTERNAL_NET any
var EXTERNAL_NET !$HOME_NET

var SMTP $HOME_NET
var HTTP_SERVICES $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
var RULE_PATH /etc/snort/rules

Page 8: Intrusion Detection

Modes of operation

● Sniffer mode
– On-screen packet sniffer

● Packet logger mode
– Logs in text format or tcpdump format
– Direct the logging to a remote host
– Logs every packet

● NIDS mode
– Uses snort.conf
– Logs only the packets that satisfy a rule

Page 9: Intrusion Detection

Sniffer mode

● snort -v -i eth0
– Shows only the headers on the screen

02/16-12:59:45.856485 127.0.0.1 -> 127.0.0.1
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:13104 Seq:256 ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/16-12:59:45.856519 127.0.0.1 -> 127.0.0.1
ICMP TTL:64 TOS:0x0 ID:50341 IpLen:20 DgmLen:84
Type:0 Code:0 ID:13104 Seq:256 ECHO REPLY
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Page 10: Intrusion Detection

Sniffer mode

● snort -vd -i eth0
– Shows headers and packet contents on the screen

02/16-13:07:28.498178 127.0.0.1 -> 127.0.0.1
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:15408 Seq:256 ECHO
90 FD 4F 3E E7 99 07 00 08 09 0A 0B 0C 0D 0E 0F  ..O>............
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/16-13:07:28.498206 127.0.0.1 -> 127.0.0.1
ICMP TTL:64 TOS:0x0 ID:50342 IpLen:20 DgmLen:84
Type:0 Code:0 ID:15408 Seq:256 ECHO REPLY
90 FD 4F 3E E7 99 07 00 08 09 0A 0B 0C 0D 0E 0F  ..O>............
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Page 11: Intrusion Detection

Logger mode

● snort -d -l ./log -i eth0
– Logs packets to current_dir/log/eth0
– The log directory (./log) must already exist
– Logged as ASCII

● -e also records the data link layer info

● snort -de -l ./log -b -i eth0
– Logs complete packets in binary format, i.e. tcpdump format

Page 12: Intrusion Detection

NIDS Mode

● Runs snort as an intrusion detector
– Not every packet is recorded
– Only those packets matching a rule

● snort -de -l /var/log/snort -i eth0 -c snort.conf
– Uses the rules in snort.conf
– Logs in tcpdump format
– Sends log files to /var/log/snort

Page 13: Intrusion Detection

Rules

● The basis for logging or not logging a packet

● Can be more than one line long (now)

● Each line to be continued must be terminated with ' \', that is "space backslash"

● Generic syntax

rule_header (rule_options)

● Rule header
– Action, addresses, ports, masks

● Rule options
– Messages, what to look for, where to look

Page 14: Intrusion Detection

Simple Rule

● Snort rule example

alert tcp any any -> 192.168.1.0/24 111 \
(content:"|00 01 86 a5|"; msg:"mountd access";)

– content: what to match in the packet
– msg: log message heading

Header fields, left to right: action (alert), protocol (tcp), source IP and mask (any), source port (any), destination IP and mask (192.168.1.0/24), destination port (111)

Page 15: Intrusion Detection

Key Words

● Include
include /etc/snort/rules/ping.rules

● Variables
var HOME_NET 192.16.13.0/24
var RULE_PATH /etc/snort/rules
include $RULE_PATH/ping.rules

● Config
config reference: bugtraq http://www.securityfocus.com/bid

/home/courses/Comp_Sec_II/Lectures/6.IDS/06/IDS.2.odp:

Slide 15

Page 16: Intrusion Detection

Rule Actions/Types (Field 1)

● Alert, log, pass

● Alert – generates an alert message and then logs the packet

● Log – logs the packet

● Pass – ignores the packet

● Activate, dynamic

● Activate – sends an alert and then turns on a dynamic rule

● Dynamic – idle until activated and then acts as a log rule

● User defined rule types


Page 17: Intrusion Detection

Protocols (Field 2)

● tcp, udp, icmp, ip (to date)

● arp, igrp, gre, ospf, rip, etc. (the distant future)

Page 18: Intrusion Detection

Addresses (Fields 3 & 5)

● Usual dotted decimal notation with mask indicated
– 192.16.13.0/24

● Dereferenced variable
– $HOME_NET

● Keyword any

● List [192.16.13.0/24,10.1.1.0/24]

● Negation !192.16.13.1

Page 19: Intrusion Detection

Ports (Fields 4 & 6)

● Numerical, “any”

● 80, 21, 23, etc.

● 100:1024 - ports 100 through 1024

● :600 - ports 0 through 600

● 500: - ports greater than or equal to 500

● Typical address/port fields

!192.16.13.0/24 any -> 192.16.13.0/24 111

Page 20: Intrusion Detection

Rule Options

Key words:
- msg: prints a message in the log
- ttl: test the IP header's TTL value
- tos: test the TOS field
- id: test the IP header's ID field
- fragbits: test the fragmentation bits
- dsize: test the packet's payload size
- flags: test TCP flags
- seq: test the sequence number for a specific value
- ack: test the ack bit for set or clear
- itype: test ICMP type
- sid: snort rule ID
- rev: rule revision number
- ip_proto: IP header's protocol number
- reference: external attack reference

Page 21: Intrusion Detection

Options

Examples


● msg

– Puts a message in the log record to identify the snort rule

msg:"SYN packet malformed";

● ttl

– Tests for a specific ttl value

ttl:127;

● dsize

– Tests the packet payload size; supports >, < and a <> range

dsize:400<>500;

Page 22: Intrusion Detection

Options

Examples cont'd

● fragbits
– Tests the configuration of the IP datagram fragmentation bits

RB, MF, DF (reserved bit, more-fragments bit, don't-fragment bit), written R, M, D in the option

modifiers: + all have to match
           * any one of them has to match
           ! match if the bits are not set

fragbits: R+;

Page 23: Intrusion Detection

Options

Examples cont'd

● content
– Tests for specific content within the packet payload

Binary data enclosed by "| ... |"

ASCII data enclosed by " ... "

! tests that the payload does not contain the string

content:"|90CB C0FF FFFF|/bin/sh";

content:!"GET";

Page 24: Intrusion Detection

Options

Examples cont'd


● offset

– Dictates the starting position of the content search

offset: 3;

● depth

– Dictates the maximum depth of the content search

depth: 22;

● nocase

– Content search is not case sensitive

nocase;

Page 25: Intrusion Detection

Options

Examples cont'd

● flags
– Tests the TCP flags for a match

F, S, R, P, A, U, 2, 1, 0

1 & 2 are the reserved bits in the flag octet

0 no flag is set

modifiers: + all have to match
           * any one of them has to match
           ! match if the bits are not set

flags:SF;

Page 26: Intrusion Detection

Options

Examples cont'd

● ip_proto
– Checks the IP protocol field; permissible values are listed in /etc/protocols

ip_proto:6;

Page 27: Intrusion Detection

# /etc/protocols:
# $Id: protocols,v 1.3 2001/07/07 07:07:15 nalin Exp $
#
# Internet (IP) protocols
#
# from: @(#)protocols 5.1 (Berkeley) 4/17/89
#
# Updated for NetBSD based on RFC 1340, Assigned Numbers (July 1992).
#
# See also http://www.iana.org/assignments/protocol-numbers

ip       0  IP           # internet protocol, pseudo protocol number
#hopopt  0  HOPOPT       # hop-by-hop options for ipv6
icmp     1  ICMP         # internet control message protocol
igmp     2  IGMP         # internet group management protocol
ggp      3  GGP          # gateway-gateway protocol
ipencap  4  IP-ENCAP     # IP encapsulated in IP (officially ``IP'')
st       5  ST           # ST datagram mode
tcp      6  TCP          # transmission control protocol
cbt      7  CBT          # CBT, Tony Ballardie <[email protected]>
egp      8  EGP          # exterior gateway protocol
igp      9  IGP          # any private interior gateway (Cisco: for IGRP)
bbn-rcc 10  BBN-RCC-MON  # BBN RCC Monitoring
nvp     11  NVP-II       # Network Voice Protocol
pup     12  PUP          # PARC universal packet protocol
argus   13  ARGUS        # ARGUS
emcon   14  EMCON        # EMCON
xnet    15  XNET         # Cross Net Debugger
chaos   16  CHAOS        # Chaos
udp     17  UDP          # user datagram protocol
mux     18  MUX          # Multiplexing protocol
dcn     19  DCN-MEAS     # DCN Measurement Subsystems
hmp     20  HMP          # host monitoring protocol
prm     21  PRM          # packet radio measurement protocol

Page 28: Intrusion Detection

Options

Examples cont'd

● classtype
– Categorizes snort detects into attack classes

classtype:<class name>;

Class names are listed in classification.config

classtype: misc-attack;

Page 29: Intrusion Detection

Options

Examples cont'd


● itype

– Checks the value of the ICMP type field

itype: 0;

● icode

– Checks the value of the ICMP code field

icode: 8;

Page 30: Intrusion Detection

Options

Examples cont'd


● reference

– References to external attack identification systems

Bugtraq, CVE, Arachnids, McAfee, url

reference:<id-system>,<id>;

reference: arachNIDS,IDS287; reference: bugtraq,1387;

Page 31: Intrusion Detection

Options

Examples cont'd


● flow

– Used with TCP stream reassembly, applies to certain directions

– Applies to either client or server

to_client - triggers on server responses

to_server – triggers on client requests

from_client – triggers on client requests

from_server – triggers on server responses

established – triggers only on established TCP connections

flow: from_server;

Page 32: Intrusion Detection

Rule Example

alert tcp any any -> any 7070 \
(msg:"IDS411/dos-realaudio"; \
flags:AP; content:"|fff4 fffd 06|"; \
reference:arachNIDS,IDS411;)

Page 33: Intrusion Detection

Rule Example

alert udp any any -> any 1434 \
(msg:"MS-SQL Worm propagation attempt"; \
content:"|04|"; depth:1; \
content:"|81 f1 03 01 04 9b 81 f1 01|"; \
content:"sock"; \
content:"send"; \
reference:bugtraq,5310; \
reference:bugtraq,5311; \
reference:url,il.nai.com/vil/content/v_99992.htm; \
classtype:misc-attack; sid:2003; rev:2;)
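An added example, not part of the lecture deck: a small evaluator for the rule grammar the header-field slides describe (action, protocol, source/destination address with $variables, lists and ! negation, port ranges of the forms lo:hi, :hi and lo:), the content option's |hex| and ASCII forms from the content slide, and the " \" line continuation, applied to a constructed rule and constructed packet fields. RULE_TEXT, VARS and all function names are assumptions, and only the content option is evaluated among the rule options.

```python
import ipaddress
import re
# Constructed example rule in the slides' format, continued with " \" (not from the deck).
RULE_TEXT = ('alert tcp !$HOME_NET any -> $HOME_NET 111 \\\n'
             '(content:"|00 01 86 a5|"; msg:"mountd access";)')
VARS = {'HOME_NET': '192.168.1.0/24'}   # assumed snort.conf variable
HEADER = re.compile(r'(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$', re.S)
OPTION = re.compile(r'\s*(\w+)\s*(?::\s*((?:"[^"]*"|[^;])*))?;')

def parse_rule(text):
    """Fold ' \\' line continuations, then split the 7 header fields and the options."""
    m = HEADER.match(re.sub(r'\s*\\\n\s*', ' ', text).strip())
    if not m:
        raise ValueError('not a Snort rule')
    rule = dict(zip(('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport'), m.groups()))
    rule['options'] = [(k, v.strip()) for k, v in OPTION.findall(m.group(8))]
    return rule

def port_matches(spec, port):
    """Port field: any, N, lo:hi, :hi, lo:, optionally negated with a leading !."""
    if spec == 'any':
        return True
    neg, spec = spec.startswith('!'), spec.lstrip('!')
    lo, sep, hi = spec.partition(':')
    hi = hi if sep else lo
    return ((int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)) != neg

def addr_matches(spec, ip, variables=VARS):
    """Address field: any, $VAR, CIDR, [list,...], optionally negated with a leading !."""
    neg, spec = spec.startswith('!'), spec.lstrip('!')
    if spec.startswith('$'):                     # dereference, e.g. EXTERNAL_NET = !$HOME_NET
        return addr_matches(variables[spec[1:]], ip, variables) != neg
    nets = [ipaddress.ip_network(n, strict=False)            # 'any' is the whole IPv4 space
            for n in spec.replace('any', '0.0.0.0/0').strip('[]').split(',')]
    return any(ipaddress.ip_address(ip) in n for n in nets) != neg

def content_bytes(value):
    """Decode a content value: |..| segments are hex bytes, the rest is ASCII."""
    return b''.join(bytes.fromhex(s) if i % 2 else s.encode()
                    for i, s in enumerate(value.strip('"').split('|')))

def rule_matches(rule, proto, src, sport, dst, dport, payload):
    """Check the header fields, then every content option (a leading ! negates it)."""
    if not (rule['proto'] == proto and addr_matches(rule['src'], src) and port_matches(rule['sport'], sport)
            and addr_matches(rule['dst'], dst) and port_matches(rule['dport'], dport)):
        return False
    for key, val in rule['options']:
        if key == 'content' and (content_bytes(val.lstrip('!')) in payload) == val.startswith('!'):
            return False
    return True
```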

Page 34: Intrusion Detection

Final Lab

Setup and configure snort.

Select a rule set. Be sure to include scanning rules.

Start snort in NIDS mode.

With your firewall up and with it down, scan your system using a ping scan, an Xmas tree scan and an OS scan.

Check your syslog, your snort logs and the nmap output (e.g. for an ICMP ping scan, what nmap returns):

1. With shields up, what got through and what did snort think was happening?

2. With shields down, what got through and what did snort think was happening?

3. What did nmap think it saw in each case?

Hand in:

1. Firewall policies

2. Firewall script with comments, especially how each policy is enforced

3. snort.conf

4. Discussion from the experiments above.