Penetration Testing and Security Analysis
Module 8
Snort Analysis
Copyright by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Module Objective
Snort Overview
Modes of operation
Configuring Snort
Plug-ins and Pre-processors
Workings of Snort
Writing Snort Rule
Rule Headers
Rule Options
Tool: IDS Policy Manager
Snort Overview
Snort, an Open Source network-based intrusion detection sensor, is the most widely installed NIDS in the world.
Snort Overview (contd)
Linux.
Open/Free/NetBSD.
Solaris, SunOS 4.1.X.
HP-UX.
AIX.
IRIX.
Tru64.
Mac OSX.
Win32.
Modes of Operation
Features of Snort
Configuring Snort
Variables
Pre-processors
Output plug-ins
Rules
Snort: Variables
Variables are used to define parameters for detection, specifically those of your local network and/or specific servers or ports for inclusion or exclusion in rules.
Snort: Pre-processors
Pre-processors are used to implement advanced features, control deltas for specific checks, and/or implement specific plug-ins (i.e., anomaly detection).
preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } \
    oversize_dir_length 500
Snort: Output Plug-ins
Snort: Rules
Rules are the means by which Snort detects suspicious behavior and compromise attempts.
include $RULE_PATH/ftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/netbios.rules
Snort: Rules (contd)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"passwd"; reference:arachnids,213; classtype:suspicious-filename-detect; sid:356; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 27374 (msg:"MISC ramen worm"; flow:to_server,established; content:"GET "; depth:8; nocase; reference:arachnids,461; classtype:bad-unknown; sid:514; rev:4;)
How Snort Operates
Initialization
Decoding
Preprocessing
Detection
Initializing Snort
The SnortMain() function begins by associating a set of handlers for the signals Snort receives:
It does this using the signal() function.
When SnortMain() finishes, the return value from this function is returned to the shell.
Signal Handlers
Snort calls the ParseRuleFile() function to parse the selected configuration file:
This function reads in the configuration file line-by-line and passes it to the
ParseRule() function for testing.
The ParseRule() function tests the start of the rule to determine what type of
rule has been passed.
ParsePreprocessor():
ParseOutputPlugin():
If the line in the configuration file being parsed describes an output plug-in, this function is called to set up the appropriate data structures.
Decoding
Execution begins at the ProcessPacket() function when a new packet is received.
The definition of the ProcessPacket() function is shown in the following example:
At a basic level, each of these decoders parses its appropriate header data,
validating certain fields before setting the packet pointer to the next header and
passing the pointer to the next decoder.
Possible Decoders
Decoder             Description
DecodeIptablesPkt   This decoder is used to decode Iptables packets in Inline mode. It is basically a wrapper around the DecodeIP() function.
DecodeIpfwPkt       This decoder is used to decode packets from the Internet Protocol Firewall (IPFW) firewall; at the moment, this function is also a wrapper around the DecodeIP() function.
DecodeEthPkt        This decoder checks the ether_type field of the Ethernet header, and calls the appropriate packet decoders to break the packet down further.
DecodeIEEE80211Pkt  This decoder examines 802.11 Wireless Local Area Network (WLAN) packets.
DecodeFDDIPkt       This decoder is used to decode Fiber Distributed Data Interface (FDDI) packets.
DecodePppPkt        This decoder is used to decode Point-to-Point Protocol (PPP) traffic. It does this using RFC 1661 standards.
DecodeChdlcPkt      This decoder is used to decode High-Level Data Link Control (HDLC) encapsulated packets. It tests the size of the packet and the various HDLC fields before passing to the DecodeIP() function.
Pre-processing
The ProcessPacket() function tests the mode in which Snort is running.
If Snort is running in:
Detection
This function verifies the existence of the packet and IP header before passing
the packet to the fpEvalPacket() function for further testing.
Content Matching
To accomplish the complex pattern matching used in Snort rules, the Snort team has implemented a series of string matching and parsing functions.
Content-Matching
Functions
Function                                              Description
int mSearch(char *, int, char *, int, int *, int *);  The mSearch() function is also used to test for the occurrence of a substring within another string.
The Stream4 Pre-processor
Inline Functionality
In order for Snort to implement inline functionality via the iptables firewall, a
kernel module called the ipqueue module must be installed and functional:
The ipqueue module allows packets to be scheduled before being dropped or accepted.
The following commands can be used to queue all of the network traffic that the
IDS sensor can see:
Writing Snort Rules
Snort uses a simple, lightweight rules description language that is flexible and
quite powerful.
Snort rules are divided into two logical sections, the rule header and the rule
options.
The rule header contains the rule's action, protocol, source and destination IP
addresses and netmasks, and the source and destination port information.
The rule option section contains alert messages and information on which parts of
the packet should be inspected to determine if the rule action should be taken.
Snort Rule Header
The fields of the rule header are:
Rule Action
Protocol
IP Address
Port Number
Directional Operator
Snort Rule Header: Actions
Default Snort Rule Actions
Pass      The packet is ignored.
Alert     An alert is generated and the packet is logged.
Log       The packet is simply logged; no alert is generated.
Dynamic   A rule with dynamic actions remains dormant until triggered by an activate rule. If not triggered, it acts as a log rule.
Activate  An activate rule alerts and then turns on a dynamic rule.
Snort Inline Rule Actions
Drop The packet is not allowed to pass through to the destination host.
Reject The packet will be dropped by iptables and Snort will log it. A TCP
reset will be returned if the protocol is TCP, and an ICMP port
unreachable packet will be sent if it is UDP.
Sdrop The sdrop action silently drops the packet without logging it.
Snort Rule Header: Other Fields
IP Address Negation Rule
The next portion of the rule header deals with the IP address and port information for a given
rule.
The keyword any may be used to define any address. Snort does not have a mechanism to
provide host name lookup for the IP address fields in the rules file.
The addresses are formed by a straight numeric IP address and a CIDR block.
For example, the address/CIDR combination 192.168.1.0/24 would signify the block of
addresses from 192.168.1.1 to 192.168.1.255.
The negation operator tells Snort to match any IP address except the one indicated by the
listed IP address.
IP Address Filters
You may also specify lists of IP addresses.
Port Numbers
Port numbers may be specified in a number of ways, including any ports, static
port definitions, ranges, and by negation.
The direction operator indicates the orientation, or direction, of the traffic to which the rule
applies.
The IP address and port numbers on the left side of the direction operator are considered to be
the traffic coming from the source host, and the address and port information on the right
side of the operator is the destination host.
This tells Snort to consider the address/port pairs in either the source or destination
orientation.
This is handy for recording/analyzing both sides of a conversation, such as telnet or POP3
sessions.
The rule options allow the user to specify exactly what they want to match
and what they want to display after a successful match.
They form a semicolon (;) delimited list directly after the rule header and
are enclosed in parentheses ().
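The header fields, $-variables, CIDR blocks, negation, port ranges and the two direction operators described on the preceding slides, as an added Python example (not Snort's own code and not from the module): it parses a rule header, expands variables from a constructed table, and tests whether a packet 5-tuple fits. The rule texts are the module's own examples; the HOME_NET/EXTERNAL_NET values and the packet tuples are assumptions made here.

```python
import ipaddress
import re

# Constructed stand-ins for the var lines of snort.conf (assumed values).
VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?:\((?P<opts>.*)\))?\s*$")

def expand(token):
    """Resolve $VAR references and leading '!'; two negations cancel."""
    neg = False
    while True:
        if token.startswith("!"):
            neg, token = not neg, token[1:]
        elif token.startswith("$"):
            token = VARS[token[1:]]
        else:
            return neg, token

def address_matches(spec, ip):
    """spec: 'any', an IP or CIDR block, or a [a,b,...] list, optionally negated."""
    neg, spec = expand(spec)
    if spec == "any":
        return not neg
    nets = [ipaddress.ip_network(s.strip(), strict=False)
            for s in spec.strip("[]").split(",")]
    return any(ipaddress.ip_address(ip) in n for n in nets) != neg

def port_matches(spec, port):
    """spec: 'any', a static port, or a range 'lo:hi' (either end open), optionally negated."""
    neg, spec = expand(spec)
    if spec == "any":
        return not neg
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo or 0) <= port <= int(hi or 65535)) != neg
    return (port == int(spec)) != neg

def parse_header(rule):
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule: " + rule)
    return m.groupdict()   # action, proto, src, sport, dir, dst, dport, opts

def header_matches(rule, proto, sip, sport, dip, dport):
    """True if the 5-tuple fits the header; '<>' accepts either orientation."""
    h = parse_header(rule)
    if h["proto"] != proto:
        return False
    def fits(a, ap, b, bp):
        return (address_matches(h["src"], a) and port_matches(h["sport"], ap)
                and address_matches(h["dst"], b) and port_matches(h["dport"], bp))
    return fits(sip, sport, dip, dport) or (h["dir"] == "<>" and fits(dip, dport, sip, sport))
```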
Activate/Dynamic Rules
Activate rules are just like alerts, but also direct Snort to add a rule when a specific
network event occurs.
Dynamic rules are similar to log rules. They are dynamically enabled when the
activate rule id is triggered.
The msg rule option tells the logging and alerting engine the message to
print along with a packet dump or to an alert.
The reference Keyword
rev denotes the revision of Snort rules.
The classtype Keyword
The classtype keyword categorizes alerts into attack classes.
The user can specify what priority each type of rule classification has.
The config file uses the following syntax: config classification: <class name>,<class description>,<default priority>
alert tcp any any -> any 25 (msg:"SMTP expn root"; flags:A+; \
    content:"expn root"; nocase; classtype:attempted-recon;)
Snort Default Classifications
Payload Detection Rule Options: content
It allows the user to set rules that search for specific content in the packet payload
and trigger response based on that data.
If the packet's payload contains the content that matches the argument data
string, the test is successful and the remaining rule option tests are performed.
Payload Detection Rule Options: content (contd)
Bytecode represents binary data as hexadecimal numbers and is a good shorthand
method for describing complex binary data.
If the rule is preceded by a !, the alert will be triggered on packets that do not
contain this content.
Modifier Keywords
Example: nocase:
The nocase keyword allows the rule writer to specify that the Snort should look for
the specific pattern, ignoring case.
alert tcp any any -> any 21 (msg:"FTP ROOT"; content:"USER root"; nocase;)
The offset/depth Keywords
The offset keyword allows the rule writer to specify where to start
searching for a pattern within a packet.
The uricontent Keyword
The uricontent parameter in the Snort rule language searches the NORMALIZED request
URI field.
This means that if you are writing rules that include things that are normalized, such as %2f
or directory traversals, these rules will not alert.
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+ver
Will get normalized into:
/winnt/system32/cmd.exe?/c+ver
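The normalization described above, as an added Python example (not from the module and not Snort's http_inspect code): it percent-decodes the request path, folds the overlong %c0%af encoding to '/', resolves directory traversal, and shows why a uricontent pattern written in raw encoded form can never match. It assumes the query string is carried through untouched and that '..' above the root is simply dropped.

```python
from urllib.parse import unquote_to_bytes

def percent_decode(path):
    """Decode %XX escapes, then fold overlong two-byte UTF-8 sequences (lead byte
    0xC0/0xC1) down to the ASCII byte they encode, so %c0%af becomes '/'."""
    raw = unquote_to_bytes(path)
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return out.decode("latin-1")

def normalize_uri(uri):
    """Decode the path and resolve '.', '..' and empty segments; the query
    string (after '?') is carried through untouched (a simplification here)."""
    path, sep, query = uri.partition("?")
    stack = []
    for seg in percent_decode(path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()   # '..' above the root is dropped, not preserved
            continue
        stack.append(seg)
    return "/" + "/".join(stack) + sep + query

def uricontent_matches(pattern, uri, nocase=False):
    """Like uricontent: the pattern is tested against the NORMALIZED URI, so a
    pattern written in raw encoded form (e.g. '..%c0%af') can never match."""
    norm = normalize_uri(uri)
    return (pattern.lower() in norm.lower()) if nocase else (pattern in norm)
```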
The fragoffset Keyword
The ttl Keyword
This option keyword was intended for use in the detection of traceroute
attempts.
ttl:<3;
The id Keyword
The flags Keyword
The flags keyword is used to check if specific TCP flag bits are present.
This example checks whether the SYN and the FIN bits are set, ignoring
reserved bit 1 and reserved bit 2:
alert tcp any any -> any any (flags:SF,12;)
The itype Keyword: icmp id
This is useful because some covert channel programs use static ICMP
fields when they communicate.
Writing Good Snort Rules
Content matching
Catch the vulnerability, not the exploit
Catch the oddities of the protocol in the rule
Optimizing rules
Sample Rule to Catch Metasploit Buffer Overflow Exploit
Rule:
content:"|00 00 00 00|"; offset:4; depth:4;
content:"|00 01 87 88|"; offset:12; depth:4;
content:"|00 00 00 01 00 00 00 01|"; offset:16; depth:8;
byte_test:4,>,200,36;
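The sample rule above, together with the content, bytecode, nocase, offset/depth and ! negation options described on the earlier slides, as an added Python example (not from the module and not Snort's detection engine): it parses a rule option list and evaluates it against a payload, skipping keywords such as msg or sid that do not inspect the payload. The 40-byte RPC-like buffer returned by build_sample_payload() is constructed here to line up with the rule's offsets; byte_test is read big-endian and unsigned, with the offset counted from the start of the payload.

```python
import re
# Option list of the module's sample rule (header omitted, as on the slide).
SAMPLE_OPTIONS = (
    'content:"|00 00 00 00|"; offset:4; depth:4; '
    'content:"|00 01 87 88|"; offset:12; depth:4; '
    'content:"|00 00 00 01 00 00 00 01|"; offset:16; depth:8; '
    'byte_test:4,>,200,36;')
OPT_RE = re.compile(r'(\w+)(?:\s*:\s*((?:"[^"]*"|[^;])*))?\s*;')
OPS = {">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}

def parse_options(text):
    """Split 'kw:arg; kw2; ...' into (keyword, argument) pairs; quotes may hold ';'."""
    return [(k, (v or "").strip()) for k, v in OPT_RE.findall(text)]

def parse_content(arg):
    """content argument -> (negated, bytes); |..| runs are hex bytecode."""
    neg = arg.startswith("!")
    out = bytearray()
    for i, part in enumerate(arg.lstrip("!").strip().strip('"').split("|")):
        out.extend(bytes.fromhex(part) if i % 2 else part.encode("latin-1"))
    return neg, bytes(out)

def byte_test(payload, arg):
    """byte_test:<bytes>,<op>,<value>,<offset>; big-endian unsigned from payload start."""
    n, op, value, off = [s.strip() for s in arg.split(",")][:4]
    n, value, off = int(n), int(value), int(off)
    if off + n > len(payload):
        return False
    return OPS[op](int.from_bytes(payload[off:off + n], "big"), value)

def rule_options_match(options, payload):
    """Evaluate content (with offset/depth/nocase and '!') and byte_test; all must pass."""
    opts, i = parse_options(options), 0
    while i < len(opts):
        kw, arg = opts[i]
        i += 1
        if kw == "content":
            neg, needle = parse_content(arg)
            offset, depth, nocase = 0, None, False
            while i < len(opts) and opts[i][0] in ("offset", "depth", "nocase"):
                mk, mv = opts[i]
                offset = int(mv) if mk == "offset" else offset
                depth = int(mv) if mk == "depth" else depth
                nocase = nocase or mk == "nocase"
                i += 1
            hay = payload[offset:len(payload) if depth is None else offset + depth]
            if nocase: hay, needle = hay.lower(), needle.lower()
            if (needle in hay) == neg:   # found when negated, or missing when not
                return False
        elif kw == "byte_test" and not byte_test(payload, arg):
            return False
    return True

def build_sample_payload(length_field):
    return (bytes.fromhex("12345678 00000000 00000002 00018788 00000001 00000001")
            + bytes(12) + length_field.to_bytes(4, "big"))  # constructed RPC-like buffer
```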
Tool for Writing Snort Rules: IDS Policy Manager
IDS Policy Manager
Subscribe to Snort Rules
Sourcefire, the company behind Snort, changed its rule licensing.
Enterprise customers are charged $499 per sensor per year for one to five sensors, or $399
per sensor per year for six or more sensors.
Those who do not wish to pay for Sourcefire VRT rules can register, but they will have to wait
30 days to access the latest rules.
Honeynet Security Console Tool
It also allows you to correlate events from each of these data types to have a full grasp of the attackers' actions.
Key Features
Intuitive interface to view all event logs on your personal network or honeynet
Integrated IP tools
Honeynet Security Console: Screenshots (contd)
Summary
Variables
Preprocessors
Output Plugins
Rules
We have discussed writing Snort rules, the rule header, and the various rule
options.