Snort - capturing and dissecting network traffic
Ulisses Araujo Costa
25 March 2009
Ulisses Araujo Costa   Snort - capturing and dissecting network traffic
Outline
1 NIDS
2 Snort
3 Objective
4 tshark
  Statistics
NIDS - Network Intrusion Detection System
A system for detecting intrusions on a network
It tries to detect malicious activity (DoS and DDoS attacks, port scans, cracking attempts)
How it works
Analysis of every packet
It tries to find suspicious patterns
Example - port scanners
If a large number of TCP connection requests to a large number of different ports arrive within a short period of time, then the NIDS concludes that we may be the target of a port scan.
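The port-scan heuristic stated above, written out as an added example (this is not code from the original slides): a small Python detector that flags a source once it has reached more than a threshold of distinct destination ports on one host within a sliding time window. The connection records, the 2-second window and the 20-port threshold are all constructed for the illustration.

```python
from collections import defaultdict, deque


def build_sample_events():
    """Constructed connection-attempt records (timestamp_s, src_ip, dst_ip, dst_port).
    They are NOT taken from the capture in the slides:
      - 10.0.0.5 probes ports 1..30 on the host within about 1.5 s (a fast scan),
      - 10.0.0.7 probes 25 ports but only one every 3 s (slower than the window),
      - 10.0.0.9 opens many ordinary connections to ports 80 and 443."""
    events = []
    events += [(100.0 + 0.05 * i, "10.0.0.5", "192.168.74.242", i + 1) for i in range(30)]
    events += [(200.0 + 3.0 * i, "10.0.0.7", "192.168.74.242", 1000 + i) for i in range(25)]
    events += [(300.0 + 0.2 * i, "10.0.0.9", "192.168.74.242", 80 if i % 2 else 443) for i in range(40)]
    return events


def detect_port_scans(events, window_s=2.0, port_threshold=20):
    """Flag a (source, destination) pair once it has touched more than
    `port_threshold` distinct destination ports within any `window_s` seconds.

    Returns a list of (src_ip, dst_ip, window_start_ts, distinct_ports), one alert
    per pair, raised the first time the threshold is exceeded."""
    recent = defaultdict(deque)   # (src, dst) -> deque of (ts, port) still inside the window
    alerted = set()
    alerts = []
    for ts, src, dst, port in sorted(events):   # process in time order
        key = (src, dst)
        window = recent[key]
        window.append((ts, port))
        # Drop attempts that have fallen out of the sliding window.
        while window and ts - window[0][0] > window_s:
            window.popleft()
        distinct_ports = {p for _, p in window}
        if len(distinct_ports) > port_threshold and key not in alerted:
            alerted.add(key)
            alerts.append((src, dst, window[0][0], len(distinct_ports)))
    return alerts


if __name__ == "__main__":
    for src, dst, start, n in detect_port_scans(build_sample_events()):
        print(f"possible port scan: {src} -> {dst}, {n} distinct ports from t={start:.2f}s")
```

Only the fast source is flagged; the one probing a port every 3 seconds stays below the window, which is the trade-off built into any time-window heuristic and the reason window and threshold have to be tuned to the network being watched.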
Definition
SNORT® is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. With millions of downloads to date, Snort is the most widely deployed intrusion detection and prevention technology worldwide and has become the de facto standard for the industry.
Passive mode
Active mode ≠ firewall
Approach
Use Snort in passive mode to capture all the traffic it can see.
root@pig:# snort -u snort -g snort -D -d -l /var/log/snort -c /etc/snort/snort.debian.conf -S -i eth0
Writes the log in binary (tcpdump format)
Once we have the file...
Implement filters according to given rules
Aggregate packets according to rules (where Snort does not reach)
Problem - parsing
Parsing the tcpdump format
Example - SSH packet
Implementation in Haskell
-- Wrap the raw bytes in an InPacket (an array indexed from 0 to length - 1)
getPacket :: [Word8] -> InPacket
getPacket bytes = toInPack $ listArray (0, Prelude.length bytes - 1) $ bytes

-- Ethernet | IP | TCP | X
-- Parse the headers layer by layer; Nothing if the bytes are not Ethernet/IPv4/TCP
getPacketTCP :: [Word8] -> Maybe (NE.Packet (NI4.Packet (NT.Packet InPacket)))
getPacketTCP bytes = doParse $ getPacket bytes
Problem
There are no parsers written for the application layer :S
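An added example of the parsing problem just described, in Python rather than the author's Haskell (it is not code from the slides): a minimal reader for the classic pcap/tcpdump format that Snort writes, which decodes the Ethernet, IPv4 and TCP headers and hands back the raw TCP payload, exactly the point where the missing application-layer parsers would have to start. The two-frame capture is constructed inside the block (addresses and client port are the ones in the slides' tshark output; the SSH banner text is made up and checksums are left at zero), and `ssh_banner` is the only application-layer step shown.

```python
import struct
from dataclasses import dataclass

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


@dataclass
class TcpSegment:
    ts: float          # capture timestamp in seconds
    src: str
    dst: str
    sport: int
    dport: int
    flags: int         # the 9 TCP flag bits
    payload: bytes     # raw application-layer data, not dissected


def parse_pcap(data):
    """Parse a classic pcap byte string (the tcpdump format Snort -l writes) and
    return the TCP segments found in it. Non-IPv4 / non-TCP frames are skipped."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":      # magic 0xa1b2c3d4 written by a little-endian host
        end = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":    # same magic, big-endian writer
        end = ">"
    else:
        raise ValueError("not a classic pcap file (unknown magic)")
    _magic, _vmaj, _vmin, _tz, _sigfigs, _snaplen, linktype = struct.unpack(end + "IHHiIII", data[:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this reader only handles Ethernet captures")
    segments = []
    off = 24
    while off + 16 <= len(data):             # record header: ts_sec, ts_usec, incl_len, orig_len
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        seg = decode_tcp(frame, ts_sec + ts_usec / 1e6)
        if seg is not None:
            segments.append(seg)
    return segments


def decode_tcp(frame, ts):
    """Ethernet II -> IPv4 -> TCP; returns a TcpSegment, or None if the frame is something else."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP or ihl < 20 or len(ip) < total_len:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]                  # total_len also strips any Ethernet padding
    if len(tcp) < 20:
        return None
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    return TcpSegment(ts, src, dst, sport, dport, off_flags & 0x1FF, bytes(tcp[data_off:]))


def ssh_banner(seg):
    """The smallest application-layer step: the SSH identification line
    (RFC 4253, section 4.2) if the payload starts with one, else None."""
    if seg.payload.startswith(b"SSH-") and b"\r\n" in seg.payload:
        return seg.payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return None


def build_sample_pcap():
    """Constructed two-frame capture (not the capture from the talk): a client SYN to
    port 22 and the server's first data segment carrying a made-up SSH banner."""
    def frame(src, dst, sport, dport, flags, payload):
        tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 65535, 0, 0)
        ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp_hdr) + len(payload), 1, 0x4000,
                             64, IPPROTO_TCP, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        eth_hdr = bytes(range(6)) + bytes(range(6, 12)) + struct.pack("!H", ETHERTYPE_IPV4)
        return eth_hdr + ip_hdr + tcp_hdr + payload

    frames = [
        (6079.816, frame("193.136.19.96", "192.168.74.242", 51919, 22, 0x002, b"")),                    # SYN
        (6079.817, frame("192.168.74.242", "193.136.19.96", 22, 51919, 0x018, b"SSH-2.0-example\r\n")),  # PSH+ACK
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, f in frames:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for seg in parse_pcap(build_sample_pcap()):
        print(f"{seg.ts:.6f} {seg.src}:{seg.sport} -> {seg.dst}:{seg.dport} flags=0x{seg.flags:03x} "
              f"payload={len(seg.payload)}B banner={ssh_banner(seg)}")
```

The IP total length, not the captured length, bounds the TCP slice, so trailing Ethernet padding on short frames never ends up in the payload; everything above the TCP header is returned untouched, which is where the slides' "no application-layer parsers" complaint begins.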
Examples
Show all communications with the IP 192.168.74.242
root@pig:# tshark -R "ip.addr == 192.168.74.242" -r snort.log
...
7750 6079.816123 193.136.19.96 -> 192.168.74.242 SSHv2 Client: Key Exchange Init
7751 6079.816151 192.168.74.242 -> 193.136.19.96 TCP ssh > 51919 [ACK] Seq=37 Ack=825 Win=7424 Len=0 TSV=131877388 TSER=1789588
7752 6079.816528 192.168.74.242 -> 193.136.19.96 SSHv2 Server: Key Exchange Init
7753 6079.817450 193.136.19.96 -> 192.168.74.242 TCP 51919 > ssh [ACK] Seq=825 Ack=741 Win=7264 Len=0 TSV=1789588 TSER=131877389
7754 6079.817649 193.136.19.96 -> 192.168.74.242 SSHv2 Client: Diffie-Hellman GEX Request
7755 6079.820784 192.168.74.242 -> 193.136.19.96 SSHv2 Server: Diffie-Hellman Key Exchange Reply
7756 6079.829495 193.136.19.96 -> 192.168.74.242 SSHv2 Client: Diffie-Hellman GEX Init
7757 6079.857490 192.168.74.242 -> 193.136.19.96 SSHv2 Server: Diffie-Hellman GEX Reply
7758 6079.884000 193.136.19.96 -> 192.168.74.242 SSHv2 Client: New Keys
7759 6079.922576 192.168.74.242 -> 193.136.19.96 TCP ssh > 51919 [ACK] Seq=1613 Ack=1009 Win=8960 Len=0 TSV=131877415 TSER=1789605
...
Examples
Show a triple with: (time, HTTP status code, HTTP content length), separated by ',' and in double quotes.
root@pig:# tshark -r snort.log -R http.response -T fields -E header=y -E separator=',' -E quote=d -e frame.time_relative -e http.response.code -e http.content_length
...
"128.341166000","200","165504"
"128.580181000","200","75332"
"128.711618000","200","1202"
"149.575548000","206","1"
"149.719938000","304",
"149.882290000","404","338"
"150.026474000","404","341"
"150.026686000","404","342"
"150.170295000","304",
"150.313576000","304",
"150.456650000","304",
...
Examples
Show a 4-tuple with: (time, source IP, destination IP, TCP segment length).
root@pig:# tshark -r snort.log -R "tcp.len>0" -T fields -e frame.time_relative -e ip.src -e ip.dst -e tcp.len
...
551.751252000 193.136.19.96 192.168.74.242 48
551.751377000 192.168.74.242 193.136.19.96 144
551.961545000 193.136.19.96 192.168.74.242 48
551.961715000 192.168.74.242 193.136.19.96 208
552.682260000 193.136.19.96 192.168.74.242 48
552.683955000 192.168.74.242 193.136.19.96 1448
552.683961000 192.168.74.242 193.136.19.96 1448
552.683967000 192.168.74.242 193.136.19.96 512
555.156301000 193.136.19.96 192.168.74.242 48
555.158474000 192.168.74.242 193.136.19.96 1448
555.158481000 192.168.74.242 193.136.19.96 1400
556.021205000 193.136.19.96 192.168.74.242 48
556.021405000 192.168.74.242 193.136.19.96 160
558.874202000 193.136.19.96 192.168.74.242 48
558.876027000 192.168.74.242 193.136.19.96 1448
...
Examples
Show a triple with: (source IP, destination IP, destination TCP port).
root@pig:# tshark -r snort.log -T fields -e ip.src -e ip.dst -e tcp.dstport
...
192.168.74.242 193.136.19.96 37602
192.168.74.242 193.136.19.96 37602
193.136.19.96 192.168.74.242 22
192.168.74.242 193.136.19.96 37602
193.136.19.96 192.168.74.242 22
193.136.19.96 192.168.74.242 22
192.168.74.242 193.136.19.96 37602
192.168.74.242 193.136.19.96 37602
192.168.74.242 193.136.19.96 37602
193.136.19.96 192.168.74.242 22
193.136.19.96 192.168.74.242 22
193.136.19.96 192.168.74.242 22
193.136.19.96 192.168.74.242 22
192.168.74.242 193.136.19.96 37602
192.168.74.242 193.136.19.96 37602
...
Statistics
Protocol hierarchy
root@pig:# tshark -r snort.log -q -z io,phs
frame                                    frames:7780 bytes:1111485
  eth                                    frames:7780 bytes:1111485
    ip                                   frames:3992 bytes:848025
      tcp                                frames:3908 bytes:830990
        ssh                              frames:2153 bytes:456686
        http                             frames:55 bytes:19029
          http                           frames:5 bytes:3559
            http                         frames:3 bytes:2781
              http                       frames:2 bytes:2234
                http                     frames:2 bytes:2234
          data-text-lines                frames:10 bytes:5356
        tcp.segments                     frames:3 bytes:1117
          http                           frames:3 bytes:1117
            media                        frames:3 bytes:1117
      udp                                frames:84 bytes:17035
        nbdgm                            frames:50 bytes:12525
          smb                            frames:50 bytes:12525
            mailslot                     frames:50 bytes:12525
              browser                    frames:50 bytes:12525
        dns                              frames:34 bytes:4510
    llc                                  frames:3142 bytes:224934
      stp                                frames:3040 bytes:182400
      cdp                                frames:102 bytes:42534
    loop                                 frames:608 bytes:36480
      data                               frames:608 bytes:36480
    arp                                  frames:38 bytes:2046
Statistics - Conversations
Usage: -z conv,<type>,<filter>
The type can be: eth, tr, fc, fddi, ip, ipx, tcp, udp
Filters are used to restrict the statistics
root@pig:# tshark -r snort.log -q -z conv,ip,tcp.port==80
================================================================================
IPv4 Conversations
Filter:tcp.port==80
                                      |      <-       | |      ->       | |     Total     |
                                      | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
193.136.19.148 <-> 192.168.74.242        141   13091       202  259651       343  272742
192.168.74.242 <-> 128.31.0.36            22    6858        28    4784        50   11642
================================================================================
Statistics - IO
Usage: -z io,stat,<interval>,<filter>,...,<filter>
root@pig:# tshark -r snort.log -q -z io,stat,300,'not (tcp.port=22)'
===================================================================
IO Statistics
Interval: 300.000 secs
Column #0:
                    |   Column #0
Time                |frames|  bytes
000.000-300.000        2161   543979
300.000-600.000        1671   264877
600.000-900.000         508    46224
900.000-1200.000        185    12885
1200.000-1500.000       201    14607
1500.000-1800.000       187    13386
1800.000-2100.000       189    13887
2100.000-2400.000       187    13386
2400.000-2700.000       189    13887
2700.000-3000.000       187    13386
3000.000-3300.000       185    12885
3300.000-3600.000       189    13887
3600.000-3900.000       210    15546
3900.000-4200.000       189    13887
4200.000-4500.000       187    13386
4500.000-4800.000       185    12885
4800.000-5100.000       189    13887
===================================================================
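The conversation and IO aggregations above can also be recomputed from `tshark -T fields` output whenever a statistic needs a rule tshark does not offer, which is the "aggregate packets according to rules" item from the Objective section. As an added example that is not part of the original slides, the Python script below reads the 4-tuple output shown earlier (frame.time_relative, ip.src, ip.dst, tcp.len; the sample lines are the ones from the slides) and builds per-pair conversation counters and per-interval IO buckets, with an optional predicate standing in for the display filter. It sums tcp.len, so its byte counts are TCP payload bytes, not the whole-frame bytes that tshark's own tables report.

```python
from collections import defaultdict

# Output of `tshark -r snort.log -R "tcp.len>0" -T fields -e frame.time_relative -e ip.src -e ip.dst -e tcp.len`
# as printed in the slides (tab-separated, tshark's default field separator).
SAMPLE_FIELDS = """\
551.751252000\t193.136.19.96\t192.168.74.242\t48
551.751377000\t192.168.74.242\t193.136.19.96\t144
551.961545000\t193.136.19.96\t192.168.74.242\t48
551.961715000\t192.168.74.242\t193.136.19.96\t208
552.682260000\t193.136.19.96\t192.168.74.242\t48
552.683955000\t192.168.74.242\t193.136.19.96\t1448
552.683961000\t192.168.74.242\t193.136.19.96\t1448
552.683967000\t192.168.74.242\t193.136.19.96\t512
555.156301000\t193.136.19.96\t192.168.74.242\t48
555.158474000\t192.168.74.242\t193.136.19.96\t1448
555.158481000\t192.168.74.242\t193.136.19.96\t1400
556.021205000\t193.136.19.96\t192.168.74.242\t48
556.021405000\t192.168.74.242\t193.136.19.96\t160
558.874202000\t193.136.19.96\t192.168.74.242\t48
558.876027000\t192.168.74.242\t193.136.19.96\t1448
"""


def parse_fields(text):
    """One (time_s, src, dst, tcp_len) tuple per non-empty line."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, length = line.split("\t")
        rows.append((float(t), src, dst, int(length)))
    return rows


def conversations(rows):
    """Per unordered IP pair {A, B} (A < B as strings): [frames, payload bytes] in each
    direction, the same shape as `-z conv,ip` (which counts whole-frame bytes instead)."""
    stats = {}
    for _t, src, dst, n in rows:
        a, b = sorted((src, dst))
        pair = stats.setdefault((a, b), {"a_to_b": [0, 0], "b_to_a": [0, 0]})
        direction = pair["a_to_b"] if src == a else pair["b_to_a"]
        direction[0] += 1      # frames
        direction[1] += n      # tcp.len bytes
    return stats


def io_stat(rows, interval, pred=None):
    """(frames, payload bytes) per `interval`-second bucket, like `-z io,stat,<int>,<filter>`;
    `pred` plays the part of the display filter (None keeps every row)."""
    buckets = defaultdict(lambda: [0, 0])
    for row in rows:
        if pred is not None and not pred(row):
            continue
        k = int(row[0] // interval)
        buckets[k][0] += 1
        buckets[k][1] += row[3]
    return {(k * interval, (k + 1) * interval): tuple(v) for k, v in sorted(buckets.items())}


if __name__ == "__main__":
    rows = parse_fields(SAMPLE_FIELDS)
    for (a, b), d in conversations(rows).items():
        print(f"{a} <-> {b}: {a}->{b} {d['a_to_b']}  {b}->{a} {d['b_to_a']}")
    for (start, end), (frames, nbytes) in io_stat(rows, 2.0).items():
        print(f"{start:8.1f}-{end:8.1f}  frames={frames:3d}  payload_bytes={nbytes}")
```

Any Python predicate can take the place of the filter, so the same two functions cover rules tshark cannot express directly, for instance "only segments larger than 1000 bytes", while tshark still does the dissection.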
The End
?