1 / 25

Network Intrusion Detection System – A case study through snort By Dijiang Huang

Network Intrusion Detection System – A case study through snort By Dijiang Huang. Intro to Snort. What is Snort? Snort is a multi-mode packet analysis tool Sniffer Packet Logger Forensic Data Analysis tool Network Intrusion Detection System. Snort Features.

everly
Download Presentation

Network Intrusion Detection System – A case study through snort By Dijiang Huang

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Network Intrusion Detection System – A case study through snort By Dijiang Huang

  2. Intro to Snort • What is Snort? • Snort is a multi-mode packet analysis tool • Sniffer • Packet Logger • Forensic Data Analysis tool • Network Intrusion Detection System

  3. Snort Features • Used to be compact. Now, the source is about 4.3mb version 2.8.3.2. • Portable (Linux, Windows, MacOS X, Solaris, BSD, IRIX, Tru64, HP-UX, etc) • Fast (High probability of detection for a given attack on Gigabit networks) • Configurable (Easy rules language, many reporting/logging options) • Free (GPL/Open Source Software)

  4. Snort Design • Packet sniffing “lightweight” network intrusion detection system • Libpcap-based sniffing interface • Rules-based detection engine • Plug-in system allows endless flexibility

  5. Detection Engine • Rules form “signatures” • Modular detection elements are combined to form these signatures • Wide range of detection capabilities • Stealth scans, OS fingerprinting, buffer overflows, back doors, CGI exploits, etc. • Rules system is very flexible, and creation of new rules is relatively simple

  6. Snort Architecture

  7. Architecture of Network IDS Policy script Alerts/notifications Policy Script Interpreter Event control Event stream Event Engine tcpdump filters Filtered packet stream libpcap Packet stream Network

  8. Data Flow Packet Stream Snort Sniffing Packet Decoder Data Flow Preprocessor (Plug-ins) Detection Engine (Plug-ins) Output Stage (Plug-ins) Alerts/Logs

  9. Detection Engine: Rules Rule Header Rule Options Alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: SF; msg: “SYN-FIN Scan”;) Alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: S12; msg: “Queso Scan”;) Alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: F; msg: “FIN Scan”;)

  10. Detection Engine: Internal Representation Rule Node Alert tcp 1.1.1.1 any -> 2.2.2.2 any Option Node (flags: SF; msg: “SYN-FIN Scan”;) (flags: S12; msg: “Queso Scan”;) (flags: F; msg: “FIN Scan”;)

  11. Detection Engine: Fully Populated Rule Node Rule Node Rule Node Rule Node Rule Node Option Node Option Node Option Node Option Node Option Node Option Node Option Node Option Node Option Node Option Node Option Node

  12. Snort Modes

  13. Using Snort • Three main operational modes • sniffer mode: snort will read the network traffic and print them to the screen. • packet logger mode: snort will record the network traffic on a file • IDS mode: network traffic matching security rules will be recorded • IPS mode: also known as snort-inline (IPS = Intrusion prevention system) • Operational modes are configured via command line switches • Snort automatically tries to go into NIDS mode if no command line switches are given, looks for snort.conf configuration file

  14. Using Snort – Sniffer Mode • Works much like tcpdump, decodes packets and dumps them to stdout. • If you just want to print out the TCP/IP packet headers to the screen (i.e. sniffer mode), try this: ./snort -v This command will run Snort and just show the IP and TCP/UDP/ICMP headers, nothing else. • If you want to see the application data in transit, try the following: ./snort -vd This instructs Snort to display the packet data as well as the headers. • If you want an even more descriptive display, showing the data link layer headers, do this: ./snort -vde As an aside, these switches may be divided up or smashed together in any combination. The last command could also be typed out as: ./snort -d -v -e and it would do the same thing.

  15. What Do The Packet Dumps Look Like? =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 11/09-11:12:02.954779 10.1.1.6:1032 -> 10.1.1.8:23 TCP TTL:128 TOS:0x0 ID:31237 IpLen:20 DgmLen:59 DF ***AP*** Seq: 0x16B6DA Ack: 0x1AF156C2 Win: 0x2217 TcpLen: 20 FF FC 23 FF FC 27 FF FC 24 FF FA 18 00 41 4E 53 ..#..'..$....ANS 49 FF F0 I.. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 11/09-11:12:02.956582 10.1.1.8:23 -> 10.1.1.6:1032 TCP TTL:255 TOS:0x0 ID:49900 IpLen:20 DgmLen:61 DF ***AP*** Seq: 0x1AF156C2 Ack: 0x16B6ED Win: 0x2238 TcpLen: 20 0D 0A 0D 0A 53 75 6E 4F 53 20 3 5 2E 37 0D 0A 0D ....SunOS 5.7... 00 0D 0A 0D 00 ..... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

  16. Packet Logger Mode • It sure would be nice if I could save those packets to disk… • You need to specify a logging directory and Snort will automatically know to go into packet logger mode: ./snort -dev -l ./log This assumes you have a directory named log in the current directory. • In order to log relative to the home network, you need to tell Snort which network is the home network: ./snort -dev -l ./log -h 192.168.1.0/24 This rule tells Snort that you want to print out the data link and TCP/IP headers as well as application data into the directory ./log, and you want to log the packets relative to the 192.168.1.0 class C network. • If you're on a high speed network or you want to log the packets into a more compact form for later analysis, you should consider logging in binary mode. Binary mode logs the packets in tcpdump format to a single binary file in the logging directory: ./snort -l ./log -b • If you wanted to run a binary log file through Snort in sniffer mode to dump the packets to the screen, you can try something like this: ./snort -dv -r packet.log • If you only wanted to see the ICMP packets from the log file, simply specify a BPF filter at the command line and Snort will only see the ICMP packets in the file: ./snort -dvr packet.log icmp

  17. NIDS Mode • Uses all phases of Snort + plug-ins to analyze traffic for both misuse detection and anomalous activity • To enable Network Intrusion Detection System (NIDS) mode so that you don't record every single packet sent down the wire, try this: ./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf where snort.conf is the name of your rules file. This will apply the rules configured in the snort.conf file to each packet to decide if an action based upon the rule type in the file should be taken. If you don't specify an output directory for the program, it will default to /var/log/snort. • -v is for long term, it can be left off the command line for the sake of speed. It's also not necessary to record the data link headers for most applications, so you can usually omit the -e switch, too. ./snort -d -h 192.168.1.0/24 -l ./log -c snort.conf This will configure Snort to run in its most basic NIDS form, logging packets that trigger rules specified in the snort.conf in plain ASCII to disk using a hierarchical directory structure (just like packet logger mode).

  18. IPS Mode (or Inline Mode) • Snort 2.3.0 RC1 integrated the intrusion prevention system (IPS) capability. Snort Inline obtains packets from iptables instead of libpcap and then uses new rule types to help iptables pass or drop packets based on Snort rules. • In order for Snort Inline to work properly, you must download and compile the iptables code to include ``make install-devel'' (http://www.iptables.org). This will install the libipq library that allows Snort Inline to interface with iptables. Also, you must build and install LibNet, which is available from http://www.packetfactory.net.

  19. Snort Rules Illustration

  20. Snort Rules • Snort rules are extremely flexible and are easy to modify, unlike many commercial NIDS • Sample rule to detect SubSeven trojan: alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;) • Elements before parentheses comprise ‘rule header’ • Elements in parentheses are ‘rule options’

  21. Snort Rules alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;) • alert action to take; also log, pass, activate, dynamic • tcp protocol; also udp, icmp, ip • $EXTERNAL_NET source address; this is a variable – specific IP is ok • 27374 source port; also any, negation (!21), range (1:1024) • -> direction; <>is allowed for either “from the first IP/Port to the second IP/Port” or from the first IP/Port to the second IP/Port. • $HOME_NET destination address; this is also a variable here • any destination port

  22. Snort Rules alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;) • msg:”BACKDOOR subseven 22”; message to appear in logs • flags: A+; tcp flags; many options, like SA, SA+, !R, SF* • content: “|0d0…0a|”;binary data to check in packet; content without | (pipe) characters do simple content matches • reference…;where to go to look for background on this rule • sid:103;rule identifier • classtype: misc-activity;rule type; many others • rev:4;rule revision number • other rule options possible, like offset, depth, nocase

  23. Snort Rules • bad-traffic.rules exploit.rules scan.rules • finger.rules ftp.rules telnet.rules • smtp.rules rpc.rules rservices.rules • dos.rules ddos.rules dns.rules • tftp.rules web-cgi.rules web-coldfusion.rules • web-frontpage.rules web-iis.rules web-misc.rules • web-attacks.rules sql.rules x11.rules • icmp.rules netbios.rules misc.rules • backdoor.rules shellcode.rules policy.rules • porn.rules info.rules icmp-info.rules • virus.rules local.rules attack-responses.rules

  24. Snort Rules • Rules which actually caught intrusions • alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_cmdshell - program execution"; content: "x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; flags:A+; classtype:attempted-user; sid:687; rev:3;)caught compromise of Microsoft SQL Server • alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:2;) caught Code Red infection • alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP \"MKD / \" possible warez site"; flags: A+; content:"MKD / "; nocase; depth: 6; classtype:misc-activity; sid:554; rev:3;) caught anonymous ftp server

  25. Conclusion • Snort is a powerful tool, but maximizing its usefulness requires a trained operator • Becoming proficient with network intrusion detection takes 12 months; “expert” 24-36? • Snort is considered a superior NIDS when compared to most commercial systems • Managed network security providers should collect enough information to make decisions without calling clients to ask what happened

More Related