Snort & Nmap

Mike O’Connor, Eric Tallman, Matt Yasiejko

Posted 06-Jan-2016 (34 slides)


Page 1: Snort & Nmap

Snort & Nmap

Mike O’Connor

Eric Tallman

Matt Yasiejko

Page 2: Snort & Nmap

Overview

Snort: What is it? What does it do? Features

Nmap: What is it? What does it do? Features

Page 3: Snort & Nmap

What is Snort?

IDS; can also be configured to be an IPS

Software solution to IDS/IPS

To be an IPS, the sniffing machine needs 2 interfaces

Network based: switch – port mirroring; hub – sniff all

Page 4: Snort & Nmap

Snort

Network intrusion detection system

Real-time traffic analysis

Packet logging

Detects OS fingerprinting attempts

Protocol implementation details

Page 5: Snort & Nmap

Components in Snort

External packet-capture library

Packet decoder – translates protocol elements into an internal data structure

Preprocessors – examine/manipulate packets for the detection engine

Detection engine – tests single elements of packets

Output plugins – generate alerts

Page 6: Snort & Nmap
Page 7: Snort & Nmap

1. Capturing traffic (libpcap/WinPcap)

Sniffs the line and gets raw packets off the network

Raw packets are needed to detect various attacks

Can only process one packet at a time

We use WinPcap (Windows Packet Capturing): captures packets traveling across a network

Page 8: Snort & Nmap

2. Packet decoder

Series of decoders that each decode specific protocol elements

Data structure is filled up with decoded packet data

Data structures are passed to the preprocessors and the detection engine

Page 9: Snort & Nmap

3a. Preprocessors

Two types:

Examine packets – used for non-signature based attacks

Modify packets in preparation for the detection engine – normalize traffic

Packets cycle through all preprocessors: keeps attackers from hiding other traffic; multiple violations may be seen this way

Page 10: Snort & Nmap

3b. Preprocessors

Fragmentation – malicious traffic; modify packet headers (DoS – Ping of Death)

Stateful inspections – SYN-ACK (connection not complete)

Stateless connections – IP protocol checks, beyond TCP

Page 11: Snort & Nmap

4. Detection engine

Uses a decision tree. E.g. if the packet is TCP, the packet is passed to the portion that deals with TCP

The first signature that matches is applied, then the next packet is analyzed

Priority is very important: high-level attacks must be prioritized currently

Page 12: Snort & Nmap

5. Output plugins

Dumps alert data to a file/resource

Unified format – one of many options; fastest possible

Alert file – attack summary, IPs, protocol used, etc. listed

Packet file – actual packet info

Database, file dumps, external applications

Page 13: Snort & Nmap

snort_inline turns Snort into an IPS

Set up rules to drop packets

Set up alerts to log attacks

Set up rules to cut the connection (TCP reset, for example)

drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";)

Page 14: Snort & Nmap

General rule structure

_action _protocol _ip1 _direction _ip2 (options)

Page 15: Snort & Nmap

_action options

_action _protocol _ip1 _direction _ip2 (options)

alert - generate an alert using the selected alert method, and then log the packet

log - log the packet

pass - ignore the packet

activate - alert and then turn on another dynamic rule

dynamic - remain idle until activated by an activate rule, then act as a log rule

Page 16: Snort & Nmap

_protocol options

_action _protocol _ip1 _direction _ip2 (options)

TCP, IP, UDP, ICMP (ARP, IGRP, GRE, OSPF, RIP, IPX)

Page 17: Snort & Nmap

_ip options

_action _protocol _ip1 _direction _ip2 (options)

IP address/netmask, port, ! to negate

any, individual IP

alert tcp any any -> 192.168.1.0/24 111

(labelled on the slide: IP address, netmask, port)

Page 18: Snort & Nmap

_direction options

_action _protocol _ip1 _direction _ip2 (options)

-> is from source to destination

<> is from source to destination and destination to source

Page 19: Snort & Nmap

Rule options

_action _protocol _ip1 _direction _ip2 (options)

alert tcp any any -> $HOME_NET 31337 (msg: "BLEEDING-EDGE ATTACK RESPONSE Potential root shell connection detected!"; flow: established,to_server; tag: session, 20, packets; classtype: bad-unknown; sid: 2001545; rev:2; )

Page 20: Snort & Nmap

Rule structure for wireless

<action> wifi <mac> <direction> <mac> (<rule options>)

Page 21: Snort & Nmap

<MAC address> rule options

# Single MAC Address
00:DE:AD:BE:EF:00

# MAC Address List
[00:DE:AD:BE:EF:00, 00:DE:AD:C0:DE:00, ....]
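The following is an added example, not code from the slides or from the Snort project: a small Python parser for the rule header structure given on pages 14–21 (the IP form and the wireless `wifi` form), plus a first-match evaluator that applies rules the way page 11 describes the detection engine (first matching rule wins, so load order is priority). The sample rules are the two from the slides with a constructed `pass` rule placed in front of them; the `$HOME_NET` value, the packet dictionary layout and all function names are assumptions.

```python
"""Added example, not from the slides or the Snort project: parse the rule header from
pages 14-21 (action protocol ip1 direction ip2 (options); action wifi mac direction mac
(options) for wireless) and apply rules first-match, as the page 11 detection engine does."""
import ipaddress
import re

ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip", "wifi"}
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
OPTION_RE = re.compile(r'([A-Za-z_]+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')  # key:value; pairs, quotes kept whole

def _check_address(spec, proto):
    """'any', a $VARIABLE, IP or IP/netmask, a MAC for wifi rules, or a [list]; leading '!' negates."""
    spec = spec.lstrip("!")
    if spec == "any" or spec.startswith("$"):
        return
    if spec.startswith("[") and spec.endswith("]"):
        for item in spec[1:-1].split(","):
            _check_address(item, proto)
    elif proto == "wifi":
        if not MAC_RE.match(spec):
            raise ValueError(f"bad MAC address: {spec}")
    else:
        ipaddress.ip_network(spec, strict=False)  # raises ValueError on junk

def _check_port(spec):
    spec = spec.lstrip("!")
    if spec != "any" and not spec.startswith("$"):
        for p in spec.split(":"):  # "80" or a "lo:hi" range
            if p and not 0 <= int(p) <= 65535:
                raise ValueError(f"port out of range: {spec}")

def parse_rule(text):
    """Split one rule into header fields plus an options dict; raise ValueError on bad syntax."""
    cut = text.find("(")
    header, opts = (text, "") if cut < 0 else (text[:cut], text[cut:])
    header = re.sub(r"\[[^\]]*\]", lambda m: m.group(0).replace(" ", ""), header)  # "[a, b]" -> "[a,b]"
    f = header.split()
    if len(f) < 2 or f[0] not in ACTIONS or f[1] not in PROTOCOLS:
        raise ValueError(f"bad action/protocol: {header}")
    if f[1] == "wifi" and len(f) == 5:            # action wifi mac direction mac
        action, proto, src, direction, dst = f
        sport = dport = "any"
    elif f[1] != "wifi" and len(f) == 7:          # action proto ip port direction ip port
        action, proto, src, sport, direction, dst, dport = f
    else:
        raise ValueError(f"wrong number of header fields: {header}")
    if direction not in ("->", "<>"):
        raise ValueError(f"bad direction: {direction}")
    _check_address(src, proto), _check_address(dst, proto), _check_port(sport), _check_port(dport)
    options = {k: v.strip().strip('"') for k, v in OPTION_RE.findall(opts)}
    return dict(action=action, proto=proto, src=src, sport=sport, direction=direction,
                dst=dst, dport=dport, options=options)

def is_valid_rule(text):
    try:
        parse_rule(text)
        return True
    except ValueError:
        return False

def _addr_ok(spec, ip, variables):
    negate, spec = spec.startswith("!"), spec.lstrip("!")
    spec = variables.get(spec, spec)              # e.g. $HOME_NET -> 192.168.1.0/24
    if spec.startswith("["):
        return any(_addr_ok(s, ip, variables) for s in spec[1:-1].split(",")) != negate
    return (spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)) != negate

def _port_ok(spec, port, variables):
    negate, spec = spec.startswith("!"), spec.lstrip("!")
    lo, _, hi = variables.get(spec, spec).partition(":")
    return (lo == "any" or int(lo or 0) <= port <= int(hi or lo)) != negate

def first_match(rules, pkt, variables=None):
    """Page 11 behaviour: the first rule whose header matches is applied and the packet is done,
    so the order rules are loaded in is their priority. pkt = {proto, src, sport, dst, dport}."""
    variables = variables or {}
    def side(a_spec, p_spec, ip, port):
        return _addr_ok(a_spec, ip, variables) and _port_ok(p_spec, port, variables)
    for r in rules:
        if r["proto"] not in ("ip", pkt["proto"]):
            continue
        fwd = side(r["src"], r["sport"], pkt["src"], pkt["sport"]) and side(r["dst"], r["dport"], pkt["dst"], pkt["dport"])
        rev = r["direction"] == "<>" and side(r["src"], r["sport"], pkt["dst"], pkt["dport"]) and side(r["dst"], r["dport"], pkt["src"], pkt["sport"])
        if fwd or rev:
            return r
    return None

# Constructed sample: the two rules from the slides, preceded by a pass rule for one trusted host
VARS = {"$HOME_NET": "192.168.1.0/24"}
RULES = [parse_rule(r) for r in (
    'pass tcp 192.168.1.10 any -> any 80 (msg:"trusted host";)',
    'drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";)',
    'alert tcp any any -> $HOME_NET 31337 (msg:"BLEEDING-EDGE ATTACK RESPONSE Potential root shell '
    'connection detected!"; flow:established,to_server; tag:session,20,packets; '
    'classtype:bad-unknown; sid:2001545; rev:2;)',
)]
```

Calling `first_match(RULES, pkt, VARS)` with a packet from 10.0.0.5 to port 80 returns the `drop` rule, while the same packet from 192.168.1.10 returns the `pass` rule because it sits earlier in the list; swapping the first two rules would silently change the outcome, which is the priority point the detection-engine slide makes. The parser only checks the header and splits the options; it does not evaluate option keywords such as `flow` or `tag`.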

Page 22: Snort & Nmap

Logs

Using syslog logs

Sawmill – web interface to analyze traffic

Logs need to be converted to plaintext to be processed:

Windump -r _log_ -tt > _txtFile_

Page 23: Snort & Nmap

Snort status

DB connection is problematic for the FreeBSD version

Snort currently captures traffic and creates logs based on rules

Lab3 is now the sniffer box (WinPcap and Snort)

Plugged into physical port FA0/23, receiving all switch traffic

Page 24: Snort & Nmap

NMAP

Page 25: Snort & Nmap

Nmap

Network Mapper

Discovers services available on different hosts in a network

Command line and GUI versions

Nmap and nmapfe packages in FreeBSD

Page 26: Snort & Nmap

Features

Enumerates ports on target machines

Identifies services running on those ports

OS fingerprinting

Page 27: Snort & Nmap

Typical uses

List services available on a machine

Run a network security audit of machines

Identify computers that may be exploited

Audit individual machine security

Page 28: Snort & Nmap

nmapfe

Page 29: Snort & Nmap

Just the beginning…

Nmap is one tool in an arsenal for black hat hackers

Prelude to exploitation tools

Metasploit - used for the actual exploitation attempt

Page 30: Snort & Nmap

Nmap command

nmap -s~~ -P~~ -O -p 1-1024 134.198.161.*

-s~~ – Scan Type

-P~~ – Ping Type

-O – OS detection

-p 1-1024 – Port range

134.198.161.* – IP range/address

Page 31: Snort & Nmap

Enumerate ports / services

“Well-known” or “Interesting” ports

- 1-1024

- 65,535 total TCP & UDP ports

Output columns: Port/Protocol, State, Service Name

Page 32: Snort & Nmap

Types of scans

http://www.secguru.com/nmap_cheatsheet

-sS (TCP SYN scan) – half open scan; stealthy. SYN/ACK – listening; RST – non-listener

-sT (TCP connect scan) – uses system call to make connection; easily logged

-sU (UDP scans) – sends empty UDP header to targeted ports; code returned indicates port state

-sN; -sF; -sX (TCP Null, FIN, and Xmas scans) – if SYN, RST, ACK bits not set (TCP RFC), any incoming segment not containing RST causes a closed port to respond with an RST; no response if port is open
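Seen from the Snort side, each scan type on this slide leaves a recognisable trace. The following is an added example, not code from the slides or from either tool: a Python detector over constructed TCP segment records that names Null, FIN and Xmas probes by their flag bits, flags a half-open SYN sweep (many distinct ports receive a bare SYN from one source and none is ever completed with an ACK) and counts full handshakes, which is why the connect scan is "easily logged". The record layout, thresholds, window size and function names are assumptions.

```python
"""Added example, not from the slides: a detector for the scan patterns on page 32, written
from the IDS side. Records are constructed TCP segments as a sensor would see them:
{"ts": seconds, "src": ip, "dst": ip, "dport": port, "flags": TCP flag bits}."""
from collections import defaultdict

# TCP flag bits in header order (FIN is the lowest bit)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_probe(flags):
    """Name the probe a lone segment looks like. Null, FIN and Xmas segments never occur in a
    legitimate connection, so even one is worth reporting; a bare SYN is only suspicious in bulk."""
    if flags == 0:
        return "null-scan"                 # -sN: no flags set
    if flags == FIN:
        return "fin-scan"                  # -sF: FIN only
    if flags == FIN | PSH | URG:
        return "xmas-scan"                 # -sX: FIN, PSH and URG "lit up"
    if flags == SYN:
        return "syn"                       # start of a handshake (normal or -sS)
    return None


def half_open_targets(pkts, window):
    """Return (half_open, completed): the largest number of distinct (dst, port) pairs that
    received a bare SYN from this source within `window` seconds and never got an ACK from it
    (a half-open -sS scan answers SYN/ACK with RST, so the handshake is never completed),
    and the number of pairs the source did complete with an ACK."""
    first_syn, completed = {}, set()
    for p in pkts:
        key = (p["dst"], p["dport"])
        if p["flags"] == SYN:
            first_syn.setdefault(key, p["ts"])
        elif p["flags"] & ACK:
            completed.add(key)
    times = sorted(t for key, t in first_syn.items() if key not in completed)
    best = start = 0
    for i, t in enumerate(times):           # sliding window over first-SYN timestamps
        while t - times[start] > window:
            start += 1
        best = max(best, i - start + 1)
    return best, len(completed)


def scan_report(records, threshold=10, window=60.0):
    """Return {src: sorted [(kind, count), ...]} for every source that looks like a scanner."""
    by_src = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_src[r["src"]].append(r)
    report = {}
    for src, pkts in by_src.items():
        odd = defaultdict(set)
        for p in pkts:
            kind = classify_probe(p["flags"])
            if kind and kind != "syn":
                odd[kind].add((p["dst"], p["dport"]))
        findings = [(kind, len(targets)) for kind, targets in odd.items()]
        half_open, completed = half_open_targets(pkts, window)
        if half_open >= threshold:
            findings.append(("syn-scan", half_open))      # -sS: many half-open ports
        if completed >= threshold:
            findings.append(("connect-scan", completed))  # -sT: full handshakes, easily logged
        if findings:
            report[src] = sorted(findings)
    return report


# Constructed sample traffic (not real captures)
SAMPLE = (
    # 10.0.0.7: bare SYN to 20 ports on one host, no completing ACK -> half-open sweep
    [{"ts": i, "src": "10.0.0.7", "dst": "192.168.1.20", "dport": 1 + i, "flags": SYN} for i in range(20)]
    # 10.0.0.8: two ordinary connections, each SYN followed by the client's ACK
    + [{"ts": 5, "src": "10.0.0.8", "dst": "192.168.1.20", "dport": 80, "flags": SYN},
       {"ts": 5.1, "src": "10.0.0.8", "dst": "192.168.1.20", "dport": 80, "flags": ACK},
       {"ts": 9, "src": "10.0.0.8", "dst": "192.168.1.20", "dport": 443, "flags": SYN},
       {"ts": 9.1, "src": "10.0.0.8", "dst": "192.168.1.20", "dport": 443, "flags": ACK}]
    # 10.0.0.9: one Null, one FIN and one Xmas segment to the same port
    + [{"ts": 30, "src": "10.0.0.9", "dst": "192.168.1.20", "dport": 111, "flags": 0},
       {"ts": 31, "src": "10.0.0.9", "dst": "192.168.1.20", "dport": 111, "flags": FIN},
       {"ts": 32, "src": "10.0.0.9", "dst": "192.168.1.20", "dport": 111, "flags": FIN | PSH | URG}]
)

if __name__ == "__main__":
    for src, findings in scan_report(SAMPLE).items():
        print(src, findings)
```

On the sample, 10.0.0.7 is reported for a 20-port half-open sweep, 10.0.0.9 for one probe of each odd flag combination, and 10.0.0.8 is not reported at all because both of its SYNs were followed by a completing ACK. The threshold exists because a single bare SYN is how every real connection starts; the Null/FIN/Xmas kinds need no threshold because no standard TCP stack emits them.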

Page 33: Snort & Nmap

OS detection

Uses TCP/IP fingerprinting: the OS's particular implementation of the protocol indicates the target host OS

Checked against a DB of known signatures

Why hide the OS? Black hat hackers might try OS-specific exploits if the OS is known

Page 34: Snort & Nmap

http://www.csee.umbc.edu/~krishna/cs491n/snort_manual.pdf