
Snort Rule




  1. Snort Rule Wireless/Mobile network LAB 박준석

  2. Snort Rules
  • Snort Rule
    • simple, lightweight, flexible, powerful
  • What rules describe
    • well-known, common attack attempts
    • violations of the security policy set by the administrator
    • situations in which the administrator considers network packets anomalous
  • Guiding Principle
    • a rule must be written on a single line
    • a rule consists of two parts (rule header, rule option)
    • Rule header : rule's action, protocol, source and destination IP addresses and CIDR (Classless Inter-Domain Routing) block, and the source and destination ports information
    • Rule option : alert messages, parts of the packet you should inspect

  3. Snort Rules (cont..)
  • Include
    • allows other rule files to be included
    • Format: include: <include file path/name>
    • Ex) include /etc/snort/ping-lib
  • Variable
    • variables may be defined
    • Format: var: <name> <value>
    • simple substitution
    • Example
      var MY_NET [192.168.1.0/24,10.1.1.0/24]
      alert tcp any any -> $MY_NET any (flags:S; msg:"SYN packet";)

  4. Snort Rules (cont..)
  • Variable (cont..)
    • Variable modification
      • $var : define meta variable
      • $(var) : replace with the contents of variable "var"
      • $(var:-default) : replace with the contents of the variable "var", or with "default" if "var" is undefined
      • $(var:?message) : replace with the contents of variable "var", or print out the error message "message" and exit
    • Example
      var MY_NET $(MY_NET:-192.168.1.0/24)
      log tcp any any -> $(MY_NET:?MY_NET is undefined!) 23
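The var directive and the four substitution forms on slides 3 and 4, implemented as a small rule preprocessor. This is an added example, not Snort's own code; it assumes a list of rule lines is processed in order, and leaves an undefined plain `$var` reference as written (the slides do not say what Snort does in that case).

```python
import re

# Constructed implementation of the var directive and the $var, $(var),
# $(var:-default) and $(var:?message) substitution forms from the slides.
# Not Snort's own code; it handles a list of rule lines in order.
VAR_RE = re.compile(r"\$\((\w+)(?::([-?])(.*?))?\)|\$(\w+)")

class UndefinedVariable(Exception):
    """$(var:?message) on an undefined var: Snort prints the message and exits."""

def expand(line, variables):
    """Substitute every variable reference in one rule line."""
    def repl(m):
        name = m.group(1) or m.group(4)          # $(var...) form or plain $var form
        op, arg = m.group(2), m.group(3)
        if name in variables:
            return variables[name]
        if op == "-":                            # $(var:-default)
            return arg
        if op == "?":                            # $(var:?message)
            raise UndefinedVariable(f"{name}: {arg}")
        return m.group(0)                        # assumption: undefined $var is left as written
    return VAR_RE.sub(repl, line)

def process(lines):
    """Apply 'var <name> <value>' lines and expand the rest; returns (variables, rules)."""
    variables, rules = {}, []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("var "):
            _, name, value = line.split(None, 2)
            variables[name] = expand(value, variables)   # lets "var X $(X:-default)" work
        else:
            rules.append(expand(line, variables))
    return variables, rules
```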

  5. Snort Rules (cont..)
  • Example
    alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg: "mountd access";)
  • Header : Who, Where and What
    • Rule Action : alert
    • Protocol : TCP
    • Incoming Source : any IP and port
    • Target : IP 192.168.1.0, C class (192.168.1.1~192.168.1.255), port 111
  • Option : Alert, Packet Inspection Information
    • Find this content : |00 01 86 a5|
    • Alert Message : "mountd access"

  6. Basics in Writing : Rule Action
  alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg: "mountd access";)
  • Here we are!
  • Rule Action
    • alert : generate an alert using the selected alert method, then log the packet
    • log : log the packet
    • pass : ignore the packet
    • activate : alert, then turn on another dynamic rule
    • dynamic : remain idle until activated by another rule, then act as a log rule

  7. Basics in Writing : Protocol
  alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg: "external mountd access";)
  • Here we are!
  • Protocol
    • Currently available protocols
      • TCP
      • UDP
      • ICMP
    • In the future
      • ARP, IGRP, GRE, OSPF, RIP, and IPX

  8. Basics in Writing : IP address and Port
  alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg: "mountd access";)
  • Here we are!
  • IP address and PORT
    • Format: IP address + CIDR <space> Port number
    • IP address definition
      • any : matches any address
      • hostname lookup is not supported

  9. Basics in Writing : IP address and Port
  • CIDR
    • specifies the netmask applied to the IP address in the rule
    • /24 indicates a Class C network
    • /16 a Class B network
    • /32 a specific machine address
  • Example
    • 192.168.1.0/24 : from 192.168.1.1 to 192.168.1.255

  10. Basics in Writing : IP address and Port
  • Some operators
    • ! negation operator
    • : range operator
  • Example
    • alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111 (content: "|00 01 86 a5|"; msg: "external mountd access";)
      • on any traffic that originates outside of the local network
    • log tcp any any -> 192.168.1.0/24 !6000:6010
      • log everything except the X Windows ports
    • log tcp any :1024 -> 192.168.1.0/24 500:
      • log TCP traffic from privileged ports less than or equal to 1024 going to ports greater than or equal to 500

  11. Basics in Writing : Direction Operator
  alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg: "mountd access";)
  • Here we are!
  • Indication of orientation
    • indicates the traffic that the rule applies to
    • -> from source to destination
    • <> bi-directional
      • useful for recording / analyzing both sides of a conversation
      • ex> POP3, Telnet

  12. Basics in Writing : Rule Options
  alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg: "mountd access";)
  • Here we are!
  • Special characters
    • Format: (Keyword : Argument; Keyword : Argument... ;)
    • ; rule separation
    • : argument of keyword
    • | binary data

  13. Basics in Writing : Rule Options
  • Available Keyword
    • msg
      • prints a message in alerts and packet logs
      • ex) msg: "<message text>";
    • logto
      • log the packet to a user specified filename instead of the standard output file
      • ex) logto: "filename";
    • ttl
      • test the IP header's TTL field value
      • ex) ttl: <number>;
    • tos
      • test the IP header's TOS field value
      • ex) tos: <number>;
    • id
      • test the IP header's fragment ID field for a specific value
      • ex) id: <number>;
    • ipoption
      • watch the IP option fields for specific codes
    • fragbits
      • test the fragmentation bits of the IP header
      • ex) alert tcp !$HOME_NET any -> $HOME_NET any (fragbits: R+; msg: "Reserved bit set!";)
    • dsize
      • test the packet's payload size against a value
    • flags
      • test the TCP flags for certain values

  14. Basics in Writing : Rule Options
  • Keyword (cont..)
    • seq
      • test the TCP sequence number field for a specific value
    • ack
      • test the TCP acknowledgement field for a specific value
    • itype
      • test the ICMP type field against a specific value
    • icode
      • test the ICMP code field against a specific value
    • icmp_id
      • test the ICMP ECHO ID field against a specific value
    • icmp_seq
      • test the ICMP ECHO sequence number against a specific value
    • content
      • search for a pattern in the packet's payload
      • ex) alert tcp any any -> 192.168.1.0/24 143 (content: "|90C8 C0FF FFFF|/bin/sh"; msg: "IMAP buffer overflow!";)
    • content-list
      • search for a set of patterns in the packet's payload

  15. Basics in Writing : Rule Options
  • Keyword (cont..)
    • nocase
      • match the preceding content string with case insensitivity
    • session
      • dumps the application layer information for a given session
    • rpc
      • watch RPC services for specific application/procedure calls
    • resp
      • active response (knock down connections, etc)
    • react
      • active response (block web sites)
    • reference
      • external attack reference ids
    • sid
      • Snort rule id
    • rev
      • rule revision number
    • classtype
      • rule classification identifier
    • priority
      • rule severity identifier

  16. Basics in Writing : Rule Options
  • Keyword (cont..)
    • uricontent
      • search for a pattern in the URI portion of a packet
    • tag
      • advanced logging actions for rules
    • ip_proto
      • IP header's protocol value
    • sameip
      • determines if the source IP equals the destination IP
    • stateless
      • valid regardless of stream state
    • regex
      • wildcard pattern matching
    • offset
      • modifier for the content option, sets the offset to begin attempting a pattern match
    • depth
      • modifier for the content option, sets the maximum search depth for a pattern match attempt
      • ex) alert tcp any any -> 192.168.1.0/24 80 (content: "cgi-bin/phf"; offset: 3; depth: 22; msg: "CGI-PHF access";)
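The rule layout covered on slides 5 to 16 (header fields, `!` negation, `:` port ranges, `->`/`<>` direction, `keyword: argument;` options and `|..|` hex bytes in content) parsed into a structure a checker could work with. This is an added example, not Snort's own parser; it covers only the syntax shown on the slides and assumes addresses are literal IPs or CIDR blocks rather than `$` variables.

```python
import ipaddress
import re
# Constructed parser for the rule layout the slides describe: a header
# (action proto src sport direction dst dport) plus "keyword: argument;"
# options in parentheses, with |..| marking hex bytes. Not Snort's own code.
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|activate|dynamic)\s+(?P<proto>tcp|udp|icmp)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"\s*(?:\((?P<opts>.*)\))?\s*$")
HEX_RE = re.compile(r"\|([0-9A-Fa-f\s]+)\|")

def parse_ports(spec):
    """'any', one port, or a ':' range, optionally '!'-negated -> (negated, low, high)."""
    negated, spec = spec.startswith("!"), spec.lstrip("!")
    if spec == "any":
        return (negated, 0, 65535)
    low, sep, high = spec.partition(":")
    if not sep:
        return (negated, int(low), int(low))
    return (negated, int(low or 0), int(high or 65535))  # ':1024' and '500:' forms

def parse_addr(spec):
    """'any', an IP, or a CIDR block, optionally '!'-negated -> (negated, network)."""
    negated, spec = spec.startswith("!"), spec.lstrip("!")
    net = ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)
    return (negated, net)

def decode_content(arg):
    """Turn '|90C8 C0FF FFFF|/bin/sh' into the bytes the content keyword matches."""
    arg = arg.strip().strip('"')
    out, pos = b"", 0
    for m in HEX_RE.finditer(arg):
        out += arg[pos:m.start()].encode("latin-1") + bytes.fromhex(m.group(1))
        pos = m.end()
    return out + arg[pos:].encode("latin-1")

def parse_rule(text):
    """Split one rule into header fields and an options dict (';' inside an argument unsupported)."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("malformed rule header: " + text)
    rule = {k: m.group(k) for k in ("action", "proto", "dir")}
    rule["src"], rule["dst"] = parse_addr(m.group("src")), parse_addr(m.group("dst"))
    rule["sport"], rule["dport"] = parse_ports(m.group("sport")), parse_ports(m.group("dport"))
    rule["options"] = {}
    for item in filter(None, (s.strip() for s in (m.group("opts") or "").split(";"))):
        key, _, arg = (p.strip() for p in item.partition(":"))
        rule["options"][key] = decode_content(arg) if key == "content" else arg.strip('"')
    return rule
```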

  17. Reference
  • Snort
    • http://www.snort.org/docs/writing_rules/chap2.html#sample%20snort%20rule
  • Cert
    • http://www.cert.org/security-improvement/implementations/i042.14.html
