220 likes | 652 Views
Snort. Roy. INSA Lab. Outline. What is “ Snort ” ? Working modes How to write snort rules ? Snort plug-ins It ’ s show time. What is “ Snort ” ? . An open source network IDS Powerful Stand-alone real-time traffic analysis Packet logging on IP networks
E N D
Snort Roy INSA Lab.
Outline • What is “Snort”? • Working modes • How to write snort rules ? • Snort plug-ins • It’s show time
What is “Snort”? • An open source network IDS • Powerful • Stand-alone real-time traffic analysis • Packet logging on IP networks • Detect a variety of attacks and probes • Protocol analysis, content searching/matching • Log to a nicely organized, human-readable directory structure • Flexible • Rules language to describe traffic • Detection engine utilizes a modular plug-in architecture
Snort Working Modes • Sniffer mode • Tcpdump, Commview • Packet logger mode • NIDS mode
Snort Rules • Rules are similar as packet-filter expressions • Snort has 4 rule actions • activate - alert and then turn on another dynamic rule • dynamic - remain idle until activated by an activate rule , then act as a log rule • alert - generate an alert using the selected alert method, and then log the packet • pass - ignore the packet • log - log the packet Rule application order
How to Write Snort Rules ? • Simple Snort Rule • alert tcp any any -> any any (content:”|00 01 86 a5|”; msg:”mountd access”;) • Advance Snort Rule • http://www.snort.org/docs/snort_manual/node14.html • Snort Rules Database http://www.snort.org/snort-db/ Rule Actions : alert, log, pass…etc Detial of rule Protocol: tcp udp icmp…etc Direction Operator: ->, <> destination port number destination ip address Source ip address Source port number
Writing good rules 3C • Content matching • Catch the vulnerability, not the exploit • attacker changes the exploit slightly • Catch the oddities of the protocol in the rule • user root • alert tcp any any -> any any 21 (content:"user root";) • user root; user<tab>root • alert tcp any any -> any 21 (flow:to_server,established; content:"root"; pcre:"/user\s+root/i";)
Snort Plug-ins • Preprocessors • Operate on packets after they’ve been received and decoded by snort before match rules. • Ex. http_decode, port scan, frag2, stream4 • Output modules • Any rule types you define can be specified to use a particular kind of output plug-in • Ex. Alert_fast, alert_syslog, database, xml
Snort Working Architecture Snort Output module Rule Log Pass Alert Preprocessor Active
Show time • Test environment • Download and install package • Case1.Nmap port scan • Case2.MSN chat messages
Before…Install • Require libpcre • http://www.pcre.org/ libpcap • http://sourceforge.net/projects/libpcap/
Snort Go!!Go!!Go!! • Download • snort-2.1.3.tar.gz • http://www.snort.org/ • Install package
Start Snort !! Edit snort.conf Wait some minutes
View the results • Nice directory structure and file name
Case2.MSN chat message • Copy and past to create new rules • Add new rule file to snort.conf • include $RULE_PATH/msn.rules • Just execute “Snort” • Snort doesn’t include msn rules by default • Snort rule database • http://www.snort.org/snort-db/ • Using key word to search
Conclusions • Good rules get maximize efficiency and speed
Reference • Writing rules • http://www.snort.org/docs/snort_manual/node14.html • Rule database • http://www.snort.org/snort-db/