Post on 19-Dec-2015
Snort
Roy
INSA Lab.
Outline
• What is “Snort”?
• Working modes
• How to write Snort rules?
• Snort plug-ins
• It’s show time
What is “Snort”?
• An open source network IDS
• Powerful
  • Stand-alone real-time traffic analysis
  • Packet logging on IP networks
  • Detects a variety of attacks and probes
  • Protocol analysis, content searching/matching
  • Logs to a nicely organized, human-readable directory structure
• Flexible
  • Rules language to describe traffic
  • Detection engine utilizes a modular plug-in architecture
Snort Working Modes
• Sniffer mode
  • Like tcpdump or CommView
• Packet logger mode
• NIDS mode
Snort Rules
• Rules are similar to packet-filter expressions
• Snort has 5 rule actions
  • alert - generate an alert using the selected alert method, and then log the packet
  • log - log the packet
  • pass - ignore the packet
  • activate - alert and then turn on another dynamic rule
  • dynamic - remain idle until activated by an activate rule, then act as a log rule
Rule application order
• Advanced Snort rules
  • http://www.snort.org/docs/snort_manual/node14.html
• Snort rules database
  • http://www.snort.org/snort-db/
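An added example to make the five actions concrete (written for this page; it is not Snort's engine, and the rules are illustrative dicts rather than real Snort syntax). It models alert, log, pass and the activate/dynamic pair, where the dynamic rule carries the equivalent of Snort's activated_by and count keywords, and it lets the action order be varied: Snort 2.x evaluates alert rules, then pass, then log by default, and pass, then alert, then log with the -o switch, so the same pass rule suppresses the FTP alert in one order and not in the other. In this model a dynamic rule starts logging with the packet after the one that activated it. The ports, payloads and messages are constructed.

```python
"""Model of the five Snort 2.x rule actions, added for this page (not Snort's
engine). Rules are plain dicts, not Snort syntax: 'action', 'dport',
'content' (substring of the payload, None = any payload), 'msg', plus
'activates' on an activate rule and 'activated_by'/'count' on the dynamic
rule it switches on (mirroring Snort's activates:, activated_by: and count:
keywords). Actions are evaluated per packet in a configurable order."""

# Snort 2.x evaluates Alert, then Pass, then Log by default and Pass, Alert,
# Log with the -o switch. Where activate/dynamic sit in that order is this
# model's choice: a dynamic rule starts logging with the packet after the
# one that activated it.
ORDER_DEFAULT = ('dynamic', 'activate', 'alert', 'pass', 'log')
ORDER_PASS_FIRST = ('dynamic', 'activate', 'pass', 'alert', 'log')

RULES = [
    {'action': 'activate', 'dport': 143, 'content': b'/bin/sh',
     'msg': 'IMAP shell string', 'activates': 1},
    {'action': 'dynamic', 'dport': 143, 'content': None,
     'msg': 'IMAP follow-up capture', 'activated_by': 1, 'count': 2},
    {'action': 'alert', 'dport': 21, 'content': b'root', 'msg': 'FTP root login'},
    {'action': 'pass', 'dport': 21, 'content': b'scanner', 'msg': 'trusted scanner'},
    {'action': 'log', 'dport': 21, 'content': None, 'msg': 'all FTP'},
]

# Constructed packet stream: (destination port, payload).
PACKETS = [
    (21, b'USER scanner-root\r\n'),    # trusted scanner that also says "root"
    (143, b'a001 LOGIN bob x\r\n'),
    (143, b'a002 FETCH /bin/sh\r\n'),  # trips the activate rule
    (143, b'a003 NOOP\r\n'),           # logged by the dynamic rule (1 of 2)
    (143, b'a004 NOOP\r\n'),           # logged by the dynamic rule (2 of 2)
    (143, b'a005 NOOP\r\n'),           # count exhausted: not logged
    (21, b'USER root\r\n'),            # alerted and logged in either order
]


def header_matches(rule, packet):
    dport, payload = packet
    return rule['dport'] == dport and (rule['content'] is None
                                       or rule['content'] in payload)


def run(rules, packets, order=ORDER_DEFAULT):
    """Return (alerts, logs) as lists of (packet index, msg). A pass hit
    ends evaluation of that packet: actions later in `order` never see it."""
    remaining = {}          # activation id -> dynamic-rule packets still to log
    alerts, logs = [], []
    for i, packet in enumerate(packets):
        for action in order:
            matched = [r for r in rules
                       if r['action'] == action and header_matches(r, packet)]
            if action == 'pass' and matched:
                break
            for rule in matched:
                if action == 'alert':
                    alerts.append((i, rule['msg']))
                elif action == 'log':
                    logs.append((i, rule['msg']))
                elif action == 'activate':
                    alerts.append((i, rule['msg']))
                    for dyn in rules:    # arm every dynamic rule this one activates
                        if (dyn['action'] == 'dynamic'
                                and dyn['activated_by'] == rule['activates']):
                            remaining[rule['activates']] = dyn['count']
                elif action == 'dynamic' and remaining.get(rule['activated_by'], 0):
                    logs.append((i, rule['msg']))
                    remaining[rule['activated_by']] -= 1
    return alerts, logs


if __name__ == '__main__':
    for name, order in (('default', ORDER_DEFAULT), ('-o', ORDER_PASS_FIRST)):
        alerts, logs = run(RULES, PACKETS, order)
        print(name, 'alerts:', alerts, 'logs:', logs)
```

With the default order the first packet still raises the "FTP root login" alert even though the pass rule matches it; the pass only stops it from being logged. With the -o order the pass rule is seen first and the packet produces nothing at all. That is the practical reason to know which order a sensor runs before relying on pass rules to whitelist a scanner.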
How to Write Snort Rules ?
• Simple Snort rule
  • alert tcp any any -> any any (content:"|00 01 86 a5|"; msg:"mountd access";)
  • The bytes between the pipes are hex: 0x000186a5 is RPC program number 100005, mountd
• Anatomy of the rule, left to right:
  • Rule action: alert, log, pass, etc.
  • Protocol: tcp, udp, icmp, etc.
  • Source IP address
  • Source port number
  • Direction operator: ->, <>
  • Destination IP address
  • Destination port number
  • Rule options, in parentheses: content, msg, etc.
Detail of rule
Writing good rules
• Content matching
• Catch the vulnerability, not the exploit
  • An attacker can change the exploit slightly and slip past a rule that matches one exploit string
• Catch the oddities of the protocol in the rule
  • Naive: match the literal string "user root"
    alert tcp any any -> any 21 (content:"user root";)
  • Better: the FTP server also accepts "USER root", "user<tab>root" and extra spaces, so match the command with a regex
    alert tcp any any -> any 21 (flow:to_server,established; content:"root"; pcre:"/user\s+root/i";)
  • The cheap content:"root" match acts as a filter, so the costlier pcre only runs on packets that contain "root"
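An added example covering both the rule anatomy above and the two FTP rules on this slide (written for this page, not Snort's code): a tiny parser for the header and option list, plus a matcher that evaluates content (including the |..| hex escapes the mountd rule uses) and pcre (Python's re stands in for PCRE) over constructed FTP login lines. flow: is parsed but not evaluated, since every sample line is client-to-server data, and a msg: has been added to each rule for reporting. Running it shows the naive content:"user root" rule firing on one spelling only while the pcre rule also catches the upper-case and tab-separated variants.

```python
"""Tiny Snort-rule parser and matcher, added for this page (not Snort's code).

Handles the rule header, the ';'-separated option list, content: with
|xx xx| hex escapes, and pcre: ('/pattern/flags', evaluated with Python re
as a stand-in for PCRE). flow: is parsed but ignored here because every
sample payload below is already client-to-server data.
"""
import re
from dataclasses import dataclass

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')

# Rules from the slides; msg: added for reporting. The naive FTP rule is
# written with the correct header field count (src sport -> dst dport).
MOUNTD_RULE = 'alert tcp any any -> any any (content:"|00 01 86 a5|"; msg:"mountd access";)'
NAIVE_RULE = 'alert tcp any any -> any 21 (content:"user root"; msg:"naive";)'
GOOD_RULE = ('alert tcp any any -> any 21 (flow:to_server,established; '
             'content:"root"; pcre:"/user\\s+root/i"; msg:"good";)')

# Constructed FTP client lines (not captured traffic). Real clients usually
# send the verb in upper case, and servers tolerate tabs and extra spaces.
SAMPLE_LOGINS = [b"user root\r\n", b"USER root\r\n", b"user\troot\r\n",
                 b"user   root\r\n", b"USER admin\r\n"]


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: list  # (name, value) pairs in the order written


def _split_option(chunk):
    name, _, value = chunk.strip().partition(':')
    return name.strip(), value.strip().strip('"')


def parse_rule(text):
    """Split 'action proto src sport dir dst dport (opt; opt; ...)'."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("malformed rule: " + text)
    options, buf, in_quote = [], '', False
    for ch in m['opts']:              # a ';' inside quotes does not end an option
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            if buf.strip():
                options.append(_split_option(buf))
            buf = ''
        else:
            buf += ch
    if buf.strip():
        options.append(_split_option(buf))
    return Rule(m['action'], m['proto'], m['src'], m['sport'],
                m['dir'], m['dst'], m['dport'], options)


def decode_content(value):
    """Snort content string -> bytes: text is literal, |xx xx| is hex."""
    out = b''
    for i, piece in enumerate(value.split('|')):
        out += bytes.fromhex(piece) if i % 2 else piece.encode('latin-1')
    return out


def compile_pcre(value):
    """'/pattern/flags' -> compiled bytes regex; supports the i, s, m flags."""
    end = value.rfind(value[0])
    pattern, flags = value[1:end], value[end + 1:]
    re_flags = 0
    for f in flags:
        re_flags |= {'i': re.IGNORECASE, 's': re.DOTALL, 'm': re.MULTILINE}[f]
    return re.compile(pattern.encode('latin-1'), re_flags)


def rule_matches(rule, dport, payload):
    """True when the port matches and every content/pcre option is satisfied."""
    if rule.dport != 'any' and rule.dport != str(dport):
        return False
    for name, value in rule.options:
        if name == 'content' and decode_content(value) not in payload:
            return False              # content is case-sensitive unless nocase
        if name == 'pcre' and not compile_pcre(value).search(payload):
            return False
    return True


def hits(rule_text, payloads=SAMPLE_LOGINS, dport=21):
    """Return the payloads the rule would alert on, in input order."""
    rule = parse_rule(rule_text)
    return [p for p in payloads if rule_matches(rule, dport, p)]


if __name__ == '__main__':
    for text in (NAIVE_RULE, GOOD_RULE):
        print(parse_rule(text).options[-1][1], '->', hits(text))
```

The matcher deliberately checks options in the order written, so content:"root" is tested before the pcre, the same cheap-filter-first idea the slide recommends.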
Snort Plug-ins
• Preprocessors
  • Operate on packets after they have been received and decoded by Snort, before the rules are matched
  • Ex. http_decode, portscan, frag2, stream4
• Output modules
  • Any rule type you define can be specified to use a particular kind of output plug-in
  • Ex. alert_fast, alert_syslog, database, xml
Snort Working Architecture
(Diagram: packets enter Snort, pass through the preprocessors, are matched against the rules, and the resulting action (alert, log, pass, activate) is handed to an output module.)
Show time
• Test environment
• Download and install the package
• Case 1. Nmap port scan
• Case 2. MSN chat messages
Environment
(Network diagram; the Internet uplink is shown, and the hosts are as follows.)

Host       OS            IP               Net mask         Gateway
victim3    Windows 2000  192.168.1.103    255.255.255.0    192.168.1.1
victim1    Linux         192.168.1.101    255.255.255.0    192.168.1.1
(gateway)  -             192.168.1.1      255.255.255.0    -
Snort      Linux         140.123.113.60   255.255.255.0    140.123.113.250
Cat        Windows 2003  140.123.113.77   255.255.255.0    140.123.113.250
Mike       Windows 2003  140.123.113.87   255.255.255.0    140.123.113.250
Before install
• Requires
  • libpcre: http://www.pcre.org/
  • libpcap: http://sourceforge.net/projects/libpcap/
Snort Go!!Go!!Go!!
• Download snort-2.1.3.tar.gz from http://www.snort.org/
• Install the package
Start Snort!!
• Edit snort.conf
• Wait some minutes
• View the results
  • Nice directory structure and file names
Case 1. Nmap scan
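An added example for Case 1 (written for this page; a simplified model, not the portscan preprocessor's algorithm): connection records are grouped by source and destination, and a source that reaches at least PORT_THRESHOLD distinct ports on one host inside a WINDOW_SECONDS sliding window is reported, which is the footprint an Nmap connect or SYN scan leaves. The threshold and window are assumed values, and the records are constructed using the hosts from the test environment, with Cat scanning victim1 while Mike browses victim3 and touches three ports on victim1 slowly enough to stay under the threshold.

```python
"""Simplified port-scan detector, added for this page (not the Snort
portscan preprocessor's algorithm): a (src, dst) pair that reaches at least
PORT_THRESHOLD distinct destination ports inside a WINDOW_SECONDS sliding
window is reported, the footprint an Nmap connect or SYN scan leaves."""
from collections import defaultdict, deque

PORT_THRESHOLD = 5      # assumed: distinct ports that count as a scan
WINDOW_SECONDS = 3.0    # assumed: sliding window length

# Constructed connection records (timestamp, src, dst, dst port), using the
# hosts from the test environment; not captured traffic.
SAMPLE_FLOWS = [
    # Mike browsing victim3's web server: many connections, one port (benign)
    (5.0, '140.123.113.87', '192.168.1.103', 80),
    (6.0, '140.123.113.87', '192.168.1.103', 80),
    (7.5, '140.123.113.87', '192.168.1.103', 80),
    (9.0, '140.123.113.87', '192.168.1.103', 80),
    (11.0, '140.123.113.87', '192.168.1.103', 80),
    # Mike using three services on victim1 over 40 s: too slow to trip the window
    (0.0, '140.123.113.87', '192.168.1.101', 22),
    (20.0, '140.123.113.87', '192.168.1.101', 80),
    (40.0, '140.123.113.87', '192.168.1.101', 443),
    # Cat running nmap against victim1: ten ports in under half a second
    (10.00, '140.123.113.77', '192.168.1.101', 21),
    (10.05, '140.123.113.77', '192.168.1.101', 22),
    (10.10, '140.123.113.77', '192.168.1.101', 23),
    (10.15, '140.123.113.77', '192.168.1.101', 25),
    (10.20, '140.123.113.77', '192.168.1.101', 53),
    (10.25, '140.123.113.77', '192.168.1.101', 80),
    (10.30, '140.123.113.77', '192.168.1.101', 110),
    (10.35, '140.123.113.77', '192.168.1.101', 139),
    (10.40, '140.123.113.77', '192.168.1.101', 443),
    (10.45, '140.123.113.77', '192.168.1.101', 445),
]


def detect_scans(flows, threshold=PORT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {(src, dst): (first_ts, detect_ts, ports)} for each pair that
    crosses the threshold; ports are the distinct ports seen in the window
    at the moment of detection, and each pair is reported once."""
    recent = defaultdict(deque)   # (src, dst) -> (ts, port) events inside the window
    alerts = {}
    for ts, src, dst, dport in sorted(flows):
        key = (src, dst)
        events = recent[key]
        events.append((ts, dport))
        while ts - events[0][0] > window:     # slide the window forward
            events.popleft()
        ports = {p for _, p in events}
        if len(ports) >= threshold and key not in alerts:
            alerts[key] = (events[0][0], ts, sorted(ports))
    return alerts


if __name__ == '__main__':
    for (src, dst), (first, last, ports) in detect_scans(SAMPLE_FLOWS).items():
        print(f"portscan: {src} -> {dst} hit {len(ports)} ports in "
              f"{last - first:.2f}s: {ports}")
```

The window is the weak point of this kind of detection: widen it enough and Mike's slow three-port visit is reported too, narrow it and a scanner that paces itself (nmap -T0 or -T1) stays under the threshold. Snort's preprocessor takes the same trade-off through its own sensitivity settings.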
Case 2. MSN chat messages
• Snort doesn't include MSN rules by default
• Snort rules database
  • http://www.snort.org/snort-db/
  • Search it by keyword
• Copy and paste to create new rules
• Add the new rule file to snort.conf
  • include $RULE_PATH/msn.rules
• Just execute “snort”
Enjoy the result
Conclusions
• Good rules maximize detection efficiency and speed
Reference
• Writing rules: http://www.snort.org/docs/snort_manual/node14.html
• Rule database: http://www.snort.org/snort-db/