Penetration Testing Security Analysis and Advanced Tools: Snort
Introduction to Snort Analysis • Snort • Widely used, open-source, network-based intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks • Performs protocol analysis and content matching to detect a variety of attacks and probes such as: buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and more
Modes of Operation • Snort can be configured to run in the following modes: • Packet Sniffer • Packet Logger • Network Intrusion Detection System • Inline
Features of Snort • Features of Snort: • Protocol analysis • Content searching/matching • Real-time alerting capability • Can read a Tcpdump trace and run it against a rule set • Flexible rules language • Snort can be configured to watch a network for a particular type of attack profile • It can alert the incident response team as soon as the attack takes place
Configuring Snort • Snort is configured using the text file snort.conf • The include keyword pulls other rules files into the configuration • Variables • Define parameters for detection, in particular the local network, specific servers, or ports to include in or exclude from the rules (for example $HOME_NET and $EXTERNAL_NET) • Snort Preprocessors • Offer additional detection capabilities that run before the rules engine • Port scan detection: a source that attempts TCP connections to more than P ports within T seconds, or sends UDP packets to more than P ports within T seconds, is reported as a scanner
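The port-scan threshold described above, "more than P ports in T seconds", is easy to state but worth seeing as running logic, including the case it misses. The block below is an added example written for this page, not Snort's preprocessor code: it keeps a sliding T-second window of destination ports per (source, protocol) over constructed packet records, and alerts once the distinct-port count exceeds P. The packet tuples, the function name detect_portscans and the defaults P=4, T=3 s are all assumptions of the example.

```python
"""Added example (not Snort's code): the preprocessor-style port-scan threshold,
more than P distinct destination ports from one source within T seconds,
applied to constructed packet records."""
from collections import defaultdict, deque

# Constructed sample traffic: (timestamp_s, src_ip, dst_ip, dst_port, proto).
SAMPLE_PACKETS = [
    # Fast TCP scan from 10.0.0.5: five distinct ports in under two seconds.
    (0.0, "10.0.0.5", "192.168.1.10", 22, "tcp"),
    (0.4, "10.0.0.5", "192.168.1.10", 80, "tcp"),
    (0.9, "10.0.0.5", "192.168.1.10", 443, "tcp"),
    (1.3, "10.0.0.5", "192.168.1.10", 8080, "tcp"),
    (1.7, "10.0.0.5", "192.168.1.10", 3306, "tcp"),
    (2.0, "10.0.0.5", "192.168.1.10", 80, "tcp"),      # repeat port, not new
    # Fast UDP scan from 10.0.0.8: five distinct ports within the window.
    (3.0, "10.0.0.8", "192.168.1.10", 53, "udp"),
    (3.2, "10.0.0.8", "192.168.1.10", 67, "udp"),
    (3.4, "10.0.0.8", "192.168.1.10", 69, "udp"),
    (3.6, "10.0.0.8", "192.168.1.10", 123, "udp"),
    (3.8, "10.0.0.8", "192.168.1.10", 161, "udp"),
    # Ordinary client 10.0.0.9: two ports, far apart in time.
    (0.5, "10.0.0.9", "192.168.1.10", 80, "tcp"),
    (30.0, "10.0.0.9", "192.168.1.10", 443, "tcp"),
    # Slow TCP scan from 10.0.0.7: one port every 5 s, so never more than
    # P ports inside any 3 s window. This is the classic evasion of a
    # fixed P/T threshold and is only caught when T is raised.
    (10.0, "10.0.0.7", "192.168.1.10", 21, "tcp"),
    (15.0, "10.0.0.7", "192.168.1.10", 23, "tcp"),
    (20.0, "10.0.0.7", "192.168.1.10", 25, "tcp"),
    (25.0, "10.0.0.7", "192.168.1.10", 110, "tcp"),
    (30.0, "10.0.0.7", "192.168.1.10", 143, "tcp"),
]


def detect_portscans(packets, ports_p=4, seconds_t=3.0):
    """Return one alert per (src, proto) whose distinct destination ports within
    any seconds_t-long window exceed ports_p.

    Each alert is a dict with src, proto, the time the threshold was crossed,
    and the sorted list of ports seen in that window. Packets are processed in
    timestamp order, as a sensor would see them on the wire.
    """
    windows = defaultdict(deque)   # (src, proto) -> deque of (ts, dst_port)
    alerted = set()                # alert once per scanner, not once per packet
    alerts = []
    for ts, src, _dst, dport, proto in sorted(packets, key=lambda p: p[0]):
        key = (src, proto)
        win = windows[key]
        win.append((ts, dport))
        # Evict entries that have fallen out of the T-second window.
        while win and ts - win[0][0] > seconds_t:
            win.popleft()
        distinct = {port for _, port in win}
        if len(distinct) > ports_p and key not in alerted:
            alerted.add(key)
            alerts.append({"src": src, "proto": proto, "time": ts,
                           "ports": sorted(distinct)})
    return alerts


if __name__ == "__main__":
    for alert in detect_portscans(SAMPLE_PACKETS):
        print(f"portscan from {alert['src']} ({alert['proto']}) at t={alert['time']}s "
              f"ports={alert['ports']}")
```

With the defaults only the two fast scanners are reported; the slow scanner from 10.0.0.7 stays under the threshold until T is widened to 30 s, which is the trade-off a practitioner tunes: a larger T catches slower scans but also counts more legitimate multi-port clients.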
Configuring Snort (cont’d.) These are the different directives that can be used with the config command
Configuring Snort (cont’d.) • Output Plug-ins • Allow Snort to be much more flexible in the formatting and presentation of output to its users • Snort has nine output plug-ins: • alert_syslog • alert_fast • alert_full • alert_unixsock • log_tcpdump • database • csv • unified • log_null
How Snort Works • Initializing Snort • Starting Up • Parsing the Configuration File • Decoding • Execution begins at the ProcessPacket() function when a new packet is received • Preprocessing • ProcessPacket() function tests to see the mode in which Snort is running • Detection • Detection phase begins in the Detect() function
Content Matching • Snort uses a series of string matching and parsing functions • Contained in the src/mstring.c and src/mstring.h files in the Snort source tree • The detection engine's first phase is a setwise (multi-pattern) match of the packet payload against the content strings of all applicable rules; only rules whose content string was found are evaluated in full • Some detection options, such as pcre and byte_test, are evaluated directly against the payload of each candidate rule rather than by the setwise pattern-matching engine
The Stream4 Preprocessor • stream4 module • Provides TCP stream reassembly and stateful analysis capabilities to Snort, so that content split across several segments, or delivered out of order, can still be matched • Gives large-scale users the ability to track many simultaneous TCP streams • Set to handle 8,192 simultaneous TCP connections in its default configuration • Stream4 contains two configurable modules: • Global Stream4 preprocessor • Stream4 reassemble preprocessor
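Why reassembly matters is clearest with a request whose interesting string is split across segments. The block below is an added example for this page, not stream4's implementation: it reorders constructed TCP segments by sequence number, discards a retransmitted duplicate, stops at a hole, and then shows that a per-packet content match misses "/cgi-bin/" while the reassembled stream finds it. The segment tuples, the initial sequence number 1001 and the function names are assumptions of the example.

```python
"""Added example (not Snort's stream4 code): TCP stream reassembly and the
content match that only succeeds once segments are put back together."""

# Constructed segments of one TCP stream: (sequence_number, payload).
# Delivered out of order, with one retransmitted duplicate. No single segment
# contains the string "/cgi-bin/" although the stream as a whole does.
ISN = 1001
SAMPLE_SEGMENTS = [
    (1001, b"GET /cg"),
    (1013, b"/test.sh HTTP/1.0\r\n"),
    (1008, b"i-bin"),
    (1008, b"i-bin"),                      # retransmission of the same bytes
]


def reassemble(segments, isn):
    """Concatenate payloads in sequence order starting at isn.

    Bytes already delivered (retransmissions, overlapping segments) are
    dropped. If a hole is found, return what was assembled so far and
    gap=True; a real reassembler would hold later data until the gap fills.
    """
    expected = isn
    out = bytearray()
    for seq, payload in sorted(segments):
        if seq > expected:
            return bytes(out), True        # missing segment before this one
        overlap = expected - seq           # bytes of this segment already seen
        if overlap >= len(payload):
            continue                       # pure retransmission, nothing new
        out += payload[overlap:]
        expected = seq + len(payload)
    return bytes(out), False


def match_per_packet(segments, needle):
    """Content match the way a stateless engine sees it: one segment at a time."""
    return any(needle in payload for _, payload in segments)


def match_reassembled(segments, isn, needle):
    """Content match against the reassembled stream."""
    data, _gap = reassemble(segments, isn)
    return needle in data


if __name__ == "__main__":
    needle = b"/cgi-bin/"
    print("per-packet :", match_per_packet(SAMPLE_SEGMENTS, needle))       # False
    print("reassembled:", match_reassembled(SAMPLE_SEGMENTS, ISN, needle))  # True
    print(reassemble(SAMPLE_SEGMENTS, ISN))
```

The same splitting trick is what an attacker uses to slip a signature past a sensor that inspects packets individually, which is why the reassembly preprocessor sits in front of the detection engine.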
Inline Functionality • Implemented on top of the iptables (ip_queue) or ipfw firewall hooks to support a new set of rule types: drop, reject, and sdrop • Inline Initialization • The inline_flag variable toggles the use of inline functionality in Snort • Inline Detection • To receive packets from ip_queue or ipfw, calls to the IpqLoop() and IpfwLoop() functions are added to the SnortMain() function
Writing Snort Rules • Snort uses a simple, lightweight rules description language that is both flexible and powerful • The Rule Header (fields) • Rule action (e.g., alert, log, pass) • Protocol • Source and destination IP addresses • Source and destination port information • Directional operator (-> or <>) • Rule Options (in parentheses after the header) • Specify exactly what to match and what to display after a successful match
Writing Snort Rules (cont’d.) These are all available Snort rule options.
Writing Snort Rules (cont’d.) • Writing Good Snort Rules • Develop effective content-matching strings • Catch the vulnerability, not the exploit • Catch the oddities of the protocol in the rule • Optimize the rules
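To make the header/options split and the "catch the protocol oddity" advice concrete, the block below parses one Snort-style rule and evaluates it against constructed packets. It is an added example for this page, not Snort's rules engine: the rule text, the $HOME_NET value, the sample packets and every function name are assumptions. It handles the header fields, $-variables with ! negation, port ranges, content with |hex| sections and the nocase modifier, and pcre with the /.../i flag; flow and the metadata options (msg, sid, rev) are parsed but carry no payload test here, since connection state is not modelled.

```python
"""Added example (not Snort's code): parse a Snort-style rule into header and
options, then evaluate it against constructed packets."""
import ipaddress
import re

# Constructed variable definitions; $EXTERNAL_NET is treated as !$HOME_NET.
VARS = {"HOME_NET": "192.168.1.0/24"}

# Constructed rule (not from a real Snort rule set). The content string finds
# the CGI path anywhere; the pcre then requires it on the request line, which is
# the protocol oddity that separates a real request from a Referer header.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
    '(msg:"WEB-CGI test.sh access"; flow:to_server,established; '
    'content:"/cgi-bin/test.sh"; nocase; '
    r'pcre:"/^GET\s+\/cgi-bin\/test\.sh/i"; sid:1000001; rev:1;)'
)

SAMPLE_PACKETS = [
    # Matches: external client to a HOME_NET web server, mixed-case path.
    {"proto": "tcp", "src": "203.0.113.7", "sport": 51515,
     "dst": "192.168.1.10", "dport": 80,
     "payload": b"GET /CGI-BIN/Test.sh?x=1 HTTP/1.0\r\nHost: www\r\n\r\n"},
    # Header fails: same request, but the source is inside HOME_NET.
    {"proto": "tcp", "src": "192.168.1.50", "sport": 4000,
     "dst": "192.168.1.10", "dport": 80,
     "payload": b"GET /cgi-bin/test.sh HTTP/1.0\r\n\r\n"},
    # content passes (string is in the Referer) but pcre fails: not a request for it.
    {"proto": "tcp", "src": "203.0.113.7", "sport": 51516,
     "dst": "192.168.1.10", "dport": 80,
     "payload": b"GET /index.html HTTP/1.0\r\nReferer: http://x/cgi-bin/test.sh\r\n\r\n"},
]


def split_options(text):
    """Split 'key:value; key; ...' on ';' outside double quotes into (key, value) pairs."""
    opts, buf, quoted = [], "", False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            if buf.strip():
                key, _, val = buf.strip().partition(":")
                opts.append((key.strip(), val.strip().strip('"')))
            buf = ""
        else:
            buf += ch
    return opts


def parse_rule(rule):
    """Split the rule into its seven header fields and its option list."""
    head, _, rest = rule.partition("(")
    fields = head.split()
    if len(fields) != 7 or not rest.rstrip().endswith(")"):
        raise ValueError("malformed rule: expected 7 header fields and (options)")
    action, proto, src, sport, direction, dst, dport = fields
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport,
            "options": split_options(rest.rstrip()[:-1])}


def ip_matches(spec, ip):
    if spec.startswith("!"):
        return not ip_matches(spec[1:], ip)
    if spec == "any":
        return True
    if spec == "$EXTERNAL_NET":              # example convention: outside HOME_NET
        return not ip_matches("$HOME_NET", ip)
    if spec.startswith("$"):
        spec = VARS[spec[1:]]
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")          # "80", "1024:", ":1023", "20:21"
    lo_n = int(lo) if lo else 0
    hi_n = int(hi) if hi else 65535
    return lo_n <= port <= hi_n if sep else port == lo_n


def header_matches(rule, pkt):
    if rule["proto"] != pkt["proto"]:
        return False

    def one_way(sip, sp, dip, dp):
        return (ip_matches(rule["src"], sip) and port_matches(rule["sport"], sp)
                and ip_matches(rule["dst"], dip) and port_matches(rule["dport"], dp))

    forward = one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if rule["dir"] == "<>":
        return forward or one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    return forward


def decode_content(val):
    """Snort content strings mix literal text with |hex bytes| sections."""
    parts = val.split("|")
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode() for i, p in enumerate(parts))


def payload_matches(options, payload):
    """Evaluate content (with a following nocase modifier) and pcre in order."""
    for i, (key, val) in enumerate(options):
        if key == "content":
            needle = decode_content(val)
            nocase = i + 1 < len(options) and options[i + 1][0] == "nocase"
            if (needle.lower() if nocase else needle) not in (payload.lower() if nocase else payload):
                return False
        elif key == "pcre":
            body, _, flags = val.rpartition("/")     # "/regex/flags" -> regex, flags
            if not re.search(body.lstrip("/").encode(), payload,
                             re.IGNORECASE if "i" in flags else 0):
                return False
    return True


def evaluate(rule_text, packets):
    """Return one True/False per packet for the given rule."""
    rule = parse_rule(rule_text)
    return [header_matches(rule, p) and payload_matches(rule["options"], p["payload"])
            for p in packets]


if __name__ == "__main__":
    print(evaluate(SAMPLE_RULE, SAMPLE_PACKETS))   # [True, False, False]
```

The third packet is the point of the "catch the oddities of the protocol" advice: a bare content match fires on the Referer header, while anchoring the pcre to the request line keeps the rule on the behaviour that actually reaches the CGI script.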
Snort Tools • IDS Policy Manager • Written to manage Snort IDS sensors in a distributed environment • Snort Rules Subscription • Sourcefire, the company behind Snort, uses a registration and subscription model for distribution of new rules • Honeynet Security Console • Analysis tool to view events on a personal network or honeynet
Snort Tools (cont’d.) IDS Policy Manager configures Snort with a graphical user interface.
Snort Tools (cont’d.) Honeynet Security Console displays and analyzes events from several IDS programs.
Summary • Snort is a powerful intrusion detection system (IDS) and traffic analyzer • A Snort configuration file has four major components: • Variables • Preprocessors • Output plug-ins • Rules • A Snort rule contains a rule header and rule options • Users can write their own Snort rules either manually or with the assistance of tools
Summary (cont’d.) • A three-homed firewall DMZ places the internal network, the DMZ, and the external network on separate firewall interfaces, so traffic between the internal network and the DMZ, like traffic to and from the outside, must pass through the firewall • A site survey can be conducted to determine the proper number of access points needed based on the expected number of users and the specific environment for a WLAN • Authentication may not be desired if a network is publicly accessible • An access point is a layer-2 device that serves as an interface between the wireless network and the wired network