1 / 66

All about NIDS & SNORT

All about NIDS & SNORT. Outline. Introduction to Intrusion Detection What is Snort? Installing Snort Snort Rules Snort in Action Third-Party Enhancements Conclusion. Introduction to Intrusion Detection. Network defense or “protection” model Planning Prevention Detection Response

kemal
Download Presentation

All about NIDS & SNORT

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. All about NIDS & SNORT

  2. Outline • Introduction to Intrusion Detection • What is Snort? • Installing Snort • Snort Rules • Snort in Action • Third-Party Enhancements • Conclusion

  3. Introduction to Intrusion Detection • Network defense or “protection” model • Planning • Prevention • Detection • Response • Intrusion detection is the process of discovering, analyzing, and reporting unauthorized or damaging network or computer activities

  4. Introduction to Intrusion Detection • All network and computer activities fall in one of three categories: • Normal • Abnormal but not malicious • Malicious • Intrusion detection operates in two arenas: • What a computer says: network traffic • What a computer thinks: computer processes

  5. Introduction to Intrusion Detection • Network traffic is monitored by network-based intrusion detection systems (NIDS) • Computer processes are monitored by host-based intrusion detection systems (HIDS) • So-called “hybrid” systems examine network traffic to or from a host, as well as processes on that host • NIDS are easier to deploy and manage, but HIDS may give greater visibility to events

  6. Intrusion Detection Basics • Intrusions have “signatures” • Examples • Directory Traversal Vulnerability • Solaris Sadmind/IIS worm (2001) • Allowed HTTP GET requests to change to root directory with “../../”. • Allowed to copy cmd.exe into the Scripts directory. • Gained control usually at admin level GET/ scripts/../../winnt/system32/cmd.exe /c+ copy+\wint\system32\CMD.exe+root.exe

  7. Intrusion Detection Basics • Code Red Worm 2001 • Exploited vulnerability in IIS 4.0 and 5.0 • Buffer overflow vulnerability • Footprint: /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbcd3%7801%u9090%u6805%ucbd3%u7801

  8. Intrusion Detection Basics • Most known attacks have an attack signature. • Sequence of bytes that characterize an attack packet almost for sure. • Intrusion Detection System can look for footprints, drop the packet, and raise an alert.

  9. Intrusion Detection Basics • IDS  Firewall • Firewall needs to process all packets. • Filtering capacity at firewall limited by need to deliver packets in timely manner. • IDS can take its time. • IDS does not drop packets, but sends alerts and logs.

  10. Intrusion Detection Basics • Intrusion Detection System can be deployed • Network IDS (behind the firewall and internal router.) • Host based IDS (at all hosts) • Distributed IDS (throughout the local network at strategic locations)

  11. Packet Sniffing NIDS • Load up a good rules set and let it run! • www.whitehats.com • Automatically generates alerts and logs full packet data • Alternative alerting/actions can be handled by something like Swatch • email alerts, active response, etc

  12. Snort • A packet sniffer: capture and display packets from the network with different levels of detail on the console • Packet logger: log data in text file • Honeypot monitor: deceiving hostile parties • NIDS: network intrusion detection system

  13. What is Snort? • Snort is a fast, flexible, small-footprint, open-source NIDS developed by the security community and a “benevolent dictator” • Lead coder: Marty Roesch, now founder of Sourcefire (www.sourcefire.com) • Initially developed in late 1998 as a sniffer with consistent output, unlike protocol-dependent output of TCPDump • Licensed under GPL, but version 2.0 may change to a different license

  14. What is snort? • NIDS: A network intrusion detection system (NIDS) is an intrusion detection system that tries to detect malicious activity such as denial of service attacks, port scans or even attempts to crack into computers by monitoring network traffic. • Snort: an open source network intrusion prevention and detection system. It uses a rule-based language combining signature, protocol and anomaly inspection methods • Snort: the mostwidely deployed intrusion detection and prevention technology and it has become the de facto standard technology worldwide in the industry.

  15. Introducing Snort • Snort is: • Small (~1.2M source distribution) • Portable (Linux, Solaris, *BSD, IRIX, HP-UX, WIN32) • Fast (High probability of detection for a given attack on “average” networks) • Configurable (Easy rules language, many reporting/logging options) • Free (GPL/Open Source Software) • Current version 1.8.1 as of Aug 2001

  16. Other Fun Stuff • Snort is a packet sniffer, can be used to analyze traffic in real-time • Motivated people can write rules to pick up all sorts of naughty things • SQL/ODBC, ActiveX, Java/JavaScript, Macro Viruses

  17. Typical locations for snort

  18. Snort architecture From: Nalneesh Gaur, Snort: Planning IDS for your enterprise, http://www.linuxjournal.com/article/4668, 2001.

  19. Snort components From: Rafeeq Ur Rehman, Intrusion Detection Systems with Snort: Advanced IDS Techniques with Snort, Apache, MySQL, PHP, and ACID.

  20. Logical components of snort • Packet Decoder: takes packets from different types of network interfaces (Ethernet, SLIP,PPP…), prepare packets for processing • Preprocessor: (1) prepare data for detection engine; (2) detect anomalies in packet headers; (3) packet defragmentation;(4) decode HTTP URI; (5) reassemble TCP streams. • Detection Engine: the most important part, applies rules to packets • Logging and Alerting System • Output Modules: process alerts and logs and generate final output.

  21. TCP/IP layer Snort work on network (IP) layer, transport (TCP/UDP) layer protocol, and application layer Physical layer

  22. Detection Engine • ※Things need to be done for detection engine: • The IP header of the packet • The transport layer header. TCP, UDP, ICMP etc. • The application layer level header. Header of DNS, FTP, SNMP, SMTP • Packet payload ※Requirement • Time critical • Fast ※How to do these? Apply rules to the packets using a Boyer-Moore string matching algorithm

  23. Detection engine • Number of rules • Traffic load on the network • Speed of network and machine • Efficiency of detection algorithm

  24. Rule Header Features • IP addresses • negation, CIDR blocks • TCP/UDP ports • negation, ranges, greater than/less than • uni/bi-directional port/address consideration

  25. IP TTL IP ID Fragment size TCP Flags TCP Ack number TCP Seq number Payload size Content Content offset Content depth Session recording ICMP type ICMP code Alternate log files Rule Option Features

  26. Snort Rules • TCP: TCP protocol, for example SMTP, HTTP, FTP • UDP: For example DNS traffic • ICMP: For example ping, traceroute. • IP: For example IPSec, IGMP

  27. Snort Rules • Content: Content checked by the Boyer Moore pattern matching algorithm. • Flow: Link to the detection plug-ins.

  28. Rules • In a single line • Rules are created by known intrusion signatures. • Usually place in snort.conf configuration file. rule header rule options

  29. Rule examples destination ip address Apply to all ip packets Destination port Source ip address Source port # Rule options Alert will be generated if criteria met Rule header

  30. Detection engine order to scan the rules • Snort does not evaluate the rules in the order that they appear in the Snort rules file. In default, the order is: • Alert rules • Pass rules • Log rules

  31. Snort Rules • Rules contains the rule header and the rule option. alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any (flags: SF; msg: “SYN-FIN scan) Alerts to traffic from outside the 10.1.1.x subnet to the 10.1.1.x subnet with the Syn and the Fin flags set.

  32. Snort Rules • Rule Header Fields • Action Field • Alert • Log • Pass (no longer look at package) • Activate (turns on other rules) • Dynamic (needs to be turned on by another rule)

  33. Snort Rules • Rule Header Fields • Protocol Field • TCP • UDP • ICMP • IP • Others (ARP, RARP, GRE, …) to come

  34. Snort Rules • Rule Header Fields • Source and Destination IP Address Field • Format: Address/netmask or any or • Address x.x.x.x • Netmask = bits of network mask • For example • 24.0.0.0/8 Class A • 24.3.0.0/16 Class b • 192.185.67.0/24 Class C • 192.185.67.188 host address • Special keywords: • any • ! (negation) • $HOME_NET (variable defined elsewhere)

  35. Snort Rules • Rule Header Fields • Source and Destination Port Field • Static port: 111 • All ports: any • Range: 110:3000 • Negation: !80 • Less than or equal :1023 • Greater than or equal :1024

  36. Snort Rules • Rule Header Fields • Direction Indicator (optional) • -> • Source information specified to the left of arrow, destination information specified to the right of the arrow

  37. Snort Rules • Rule Options • Separated by parentheses alert tcp !$HOME_NET any -> $HOME_NET any (flags: SF; \ msg: “Syn-Fin” scan”;)

  38. Snort Rules • Rule Options • Msg Option • Allows user to assign an appropriate message to the output of a triggered rule. • Alert or log entries only give the packet, not the rule that was triggered.

  39. Snort Rules • Rule Options • Msg Option alert udp any any -> 129.210.18.0 / 24 31337 \ (msg: “Back Orifice”;) Rule: Log: [**] Back Orifice [**] 05/10-08:44:26.398345 192.120.81.5:60256 -> 129.210.18.34:31337 UDP TTL:41 TOS:0x0 ID:49951 Len: 8

  40. Snort Rules • Rule Options • Logto Option • Specifies filename to which to log the activity. • Allows to separate the annoyances from the truly dangerous. alert udp any any -> 129.210.18.0 / 24 31335 \ (msg: “trinoo port”; logto “DDoS”)

  41. Snort Rules • Rule Options • TTL option • Allows to use the time to live field in packet • Format: ttl: number alert udp any any -> 129.210.18.0 / 24 33000;34000 \ (msg: “Unix traceroute”; ttl: 1;)

  42. Snort Rules • Rule Options • ID option • 16-bit value found in the IP header of each datagram. alert udp any any -> 129.210.18.0 / 24 33000;34000 \ (msg: “Suspicious IP Identification”; ID: 0;)

  43. Snort Rules • Rule Options • Dsize option • Size of payload alert icmp any any -> 129.210.18.0 / 24 any \ (msg: “Large ICMP payload”; dsize: >1024;)

  44. Snort Rules • Rule Options • Sequence Option • Value of tcp sequence number • Ack option • Value of ack number in tcp alert tcp any any -> any any \ (msg: “Possible Shaft DDoS”; seq: 0x28374839;) alert tcp any any -> any any \ (msg: “nmap tcp ping”; flags: A; ack: 0;)

  45. Snort Rules • Rule Options • Itype and Icode Options • Select ICMP message type and operations code alert icmp 1.1.1.0/24 any -> 129.210.18.0 / 24 any \ (msg: “port unreachable”; itype: 3; icode: 3;)

  46. Snort Rules • Rule Options • Flags option alert tcp any any -> any any \ (msg: “null scan”; flags: 0;)

  47. Snort Rules • Rule Options • Content Option alert udp $EXTERNAL_NET any -> $HOME_NET 53 \ (msg: “Exploit bind tsig Overflow attempt”; \ content: “|00 FA 00 FF|”; content: “/bin/sh”;)

  48. Snort Rules • Rule Options • Offset option • Specifies offset of content • Depth option • Specifies how far into packet to search for content • Nocase option • Makes content searches case insensitive • Regex Option • Allows wildcards in content searches

  49. Snort Rules • Rule Options • Session Options • Allows to capture TCP session. • Rest Option • Allows an automatic active response • Tag Option • Allows to dynamically capture additional packages after a rule triggers.

  50. Challenges with snort • Misuse detection – avoid known intrusions • Rules database is larger and larger • It continues to grow • snort version 2.3.2, there are 2,600 rules • 80% of them are signatures • Snort spends 80% work time to do string match • Anomaly detection – identify new attacks • Probability of detection is low

More Related