Snort Rules (How to keep your insanity?)
Why Snort Rules?
• The best way I know to learn is to do it
• And, most importantly: without rules, Snort will never detect someone trying to hack your machine. Brace yourselves!
Good News, Bad News
• Good News: There are tons of pre-written Snort rules
• Bad News: There just might be a time when you need to write one yourself
What do you need?
• A machine to do your development on
• Never test new rules on a production server
• A client machine to connect to the machine Snort is running on
• EnGarde Secure Community 3.0.18 or above with Snort installed
• Some insanity
Syntax: The Real Deal of the Rules
• The syntax may look a little strange at first. To make it simple:
• A Snort rule has two parts:
• Rule Header
• Rule Options
Snort Rule Parts
• The header contains: the action, the protocol, source and destination IP addresses, and source and destination ports
• The rule options contain: the alert message, and information on which parts of the packet should be inspected to decide whether the rule action should be taken
Snort Rules
• Can be very simple
• Can be very complex
• You need to know the syntax to write the rules. Here is a rule for you in plain English: “If a burglar approaches my back door or my front door, my flood lights will light up and my burglar sensor will notify the police department”
Let’s look at this rule closely: “If a burglar approaches my back door or my front door, my flood lights will light up and my burglar sensor will notify the police department”
• Describes a state and an action to perform if the state is “true”
• But what is the problem?
• How, and under what conditions, will the system know that the person is a burglar and not my mail carrier?
What now?
• We have to understand the rules
• Then we have to describe these variables so the system can recognize the real danger
• Let’s look at a slightly more scientific rule (hardly!): “If a packet containing the string “/cmd.exe” approaches a Web server in the DMZ, alert the security staff and capture that packet for analysis”
• The question is: is this specific enough? (again, hardly!)
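To make the header/options split concrete, and to answer the “is this specific enough?” question for the /cmd.exe rule, here is an added example that is not part of the original slides. It writes the plain-English rule twice in Snort 2.x syntax (a naive version and one narrowed to the DMZ web servers), splits each rule into its header fields and its options, and lists what the naive one leaves unconstrained. Assumptions: Snort 2.x syntax (content modifiers such as http_uri follow the content they apply to), the standard snort.conf variables $EXTERNAL_NET, $HTTP_SERVERS and $HTTP_PORTS, and sid values that are arbitrary local ids; both rule strings are constructed for this example.

```python
"""Added example, not from the slides: split a Snort 2.x rule into its
header and options, then flag the ways a rule is under-specified.

Assumptions: Snort 2.x rule syntax; $EXTERNAL_NET, $HTTP_SERVERS and
$HTTP_PORTS are the usual snort.conf variables; the two rules below are
constructed for this example and their sid values are arbitrary local ids.
"""
from dataclasses import dataclass

# Header fields, in the order they appear before the opening parenthesis.
HEADER_FIELDS = ("action", "protocol", "src_ip", "src_port",
                 "direction", "dst_ip", "dst_port")

# The plain-English rule written naively: any host, any port, no flow
# direction, content matched anywhere in the raw payload (constructed).
NAIVE_RULE = ('alert tcp any any -> any any '
              '(msg:"cmd.exe anywhere"; content:"/cmd.exe"; sid:1000001; rev:1;)')

# The same idea narrowed to client requests headed for the DMZ web servers,
# with the string matched in the normalised URI buffer (constructed).
SPECIFIC_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEB-ATTACKS cmd.exe in URI"; flow:to_server,established; '
    'content:"/cmd.exe"; nocase; http_uri; '
    'classtype:web-application-attack; sid:1000002; rev:1;)')


@dataclass
class SnortRule:
    header: dict    # field name -> token, e.g. "dst_ip" -> "$HTTP_SERVERS"
    options: list   # (keyword, value or None) pairs, in rule order


def _split_options(body):
    """Split the text inside the parentheses on ';', but not inside quotes."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:                 # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def parse_rule(text):
    """Return a SnortRule for one single-line rule; raise ValueError if malformed."""
    text = text.strip()
    open_idx = text.find("(")
    if open_idx < 0 or not text.endswith(")"):
        raise ValueError("rule needs a parenthesised options section")
    tokens = text[:open_idx].split()
    if len(tokens) != len(HEADER_FIELDS):
        raise ValueError("header must have exactly %d fields" % len(HEADER_FIELDS))
    header = dict(zip(HEADER_FIELDS, tokens))
    if header["direction"] not in ("->", "<>"):
        raise ValueError("direction must be -> or <>")
    options = []
    for item in _split_options(text[open_idx + 1:-1]):
        key, sep, value = item.partition(":")      # "nocase" has no value
        options.append((key.strip(), value.strip() if sep else None))
    return SnortRule(header, options)


def option(rule, keyword):
    """Value of the first option with this keyword (None for flags or if absent)."""
    for key, value in rule.options:
        if key == keyword:
            return value
    return None


def has_option(rule, keyword):
    return any(key == keyword for key, _ in rule.options)


# Snort 2.x content modifiers that tie a match to a normalised HTTP buffer.
HTTP_BUFFERS = {"http_uri", "http_raw_uri", "http_header", "http_client_body",
                "http_cookie", "http_method"}


def specificity_issues(rule):
    """List the reasons a rule would fire far more often than intended."""
    issues = []
    if rule.header["dst_ip"] == "any":
        issues.append("destination IP is 'any'; name the DMZ web servers")
    if rule.header["dst_port"] == "any":
        issues.append("destination port is 'any'; restrict to the HTTP ports")
    if not has_option(rule, "flow"):
        issues.append("no flow option; rule also matches replies and unestablished packets")
    if has_option(rule, "content") and not any(has_option(rule, b) for b in HTTP_BUFFERS):
        issues.append("content is matched in the raw payload, not a normalised HTTP buffer")
    return issues


if __name__ == "__main__":
    for label, text in (("naive", NAIVE_RULE), ("specific", SPECIFIC_RULE)):
        rule = parse_rule(text)
        print(label, rule.header, specificity_issues(rule), sep="\n  ")
```

The header tokens are split on whitespace, so IP lists and port ranges work as long as they are written without spaces, as Snort requires. The same issue list is a reasonable first checklist for any rule you write yourself: name the hosts, name the ports, state the flow direction, and match in the buffer where the string actually belongs.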
Do not worry
• Yes, it is important to understand rules
• Yes, you can add or delete words to make a rule almost perfect
• All you need is time and experience, which are earned by trying and retrying
• Once you can tell detected events apart as false positives or true positives, touchdown!
Here are some facts for success
• Understand and know your system
• Customize your rules accordingly
• Minimize false positives
Where do we get those pre-written rules, for the love of God?
• Currently there are 9,500 rules in the four primary rule repositories
• These are:
• The original Snort.org GPL rule set
• The VRT (Vulnerability Response Team) rule set, maintained by Sourcefire
• The Bleeding Edge Threats rule set
• The Community rule set
• Let’s get to know these rule sets
Snort.org GPL (General Public License)
• Believe it or not, maintained by volunteers until the formation of Sourcefire
• Since then maintained by a corps of full-time researchers
• Well documented
• It is free
• This is a must for any Snort installation
The Sourcefire VRT (Vulnerability Research Team)
• Full-time staff
• Very experienced IDS researchers
• Available only to paid subscribers
• Tested extensively for high quality
Community Rule Set
• Maintained and distributed by Sourcefire
• The rules are only lightly tested
• Validate each one before putting it into your IDS
Bleeding Edge Threats
• The major non-Sourcefire rule set
• Started around 2003 under the Berkeley Software Distribution (BSD) license
• Founded by Matt Jonkman
• Rules are generally of high quality, but some are only good in certain situations
Mailing lists to check about rules
• http://lists.sourceforge.net/lists/listinfo/snort-sigs
• http://lists.bleedingedgethreats.com/mailman/listinfo/bleeding-sigs
• These are excellent places to ask questions about false positives and to learn more advanced techniques
Some real-life situations
• A suspected employee is on Yahoo at all times, spending too much time on the Internet
• Maybe you allow them to reach their home email accounts from work, but you should be able to watch
• Is he sending information about the company, by email or through instant messaging?
• You may log all of that information and those conversations
Snort is software; you need…
• Humans to follow up on every event and judge whether it requires action
• Snort events are clues or leads, not facts
• When an employee from accounting downloads porn, a rule is triggered (we need music here to make it more dramatic)
• Do I go and confront the 300-pound guy?
• Do I call security?
No, you don’t, or noooo, you didn’t!
• Investigate first!
• Poor Bob’s system may have been infected with spyware that pulls porn ads (yeah right!)
• Is poor Bob even sitting in front of the computer?
• Is the content really pornographic?