Lecture10:SnortIntroductiontoComputerSecurityBackground–PolicySuccessfulintrusiondetectiondependsonpolicyandmanagementasmuchastechnologySecurityPolicy(definingwhatisacceptableandwhatisbeingdefended)isthefirststepNotificationWho,howfast?ResponseCoordinationIntrotoSnortWhatisSnort?Snortisamulti-modepacketanalysistoolSnifferPacketLoggerForensicDataAnalysistoolNetworkIntrusionDetectionSystemWherediditcomefrom?Developedoutoftheevolvingneedtoperformnetworktrafficanalysisinbothreal-timeandforforensicpostprocessingSnort“Metrics”Small(~800ksourcedownload)Portable(Linux,Windows,MacOSX,Solaris,BSD,IRIX,Tru64,HP-UX,etc)Fast(Highprobabilityofdetectionforagivenattackon100Mbpsnetworks)Configurable(Easyruleslanguage,manyreporting/loggingoptionsFree(GPL/OpenSourceSoftware)SnortDesignPacketsniffing“l(fā)ightweight”networkintrusiondetectionsystemLibpcap-basedsniffinginterfaceRules-baseddetectionenginePlug-insystemallowsendlessflexibilityDetectionEngineRulesform“signatures”ModulardetectionelementsarecombinedtoformthesesignaturesWiderangeofdetectioncapabilitiesStealthscans,OSfingerprinting,bufferoverflows,backdoors,CGIexploits,etc.Rulessystemisveryflexible,andcreationofnewrulesisrelativelysimplePlug-InsPreprocessorPacketsareexamined/manipulatedbeforebeinghandedtothedetectionengineDetectionPerformsingle,simpletestsonasingleaspect/fieldofthepacketOutputReportresultsfromtheotherplug-insUsingSnortThreemainoperationalmodesSnifferModePacketLoggerModeNIDSMode(ForensicDataAnalysisMode)OperationalmodesareconfiguredviacommandlineswitchesSnortautomaticallytriestogointoNIDSmodeifnocommandlineswitchesaregiven,looksforsnort.confconfigurationfilein/etcUsingSnort–SnifferModeWorksmuchliketcpdumpDecodespacketsanddumpsthemtostdoutBPFfilteringinterfaceavailabletoshapedisplayednetworktrafficWhatDoThePacketDumpsLookLike?=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+11/09-11:12:02.954779:1032->:23TCPTTL:128TOS:0x0ID:31237IpLen:20DgmLen:59DF***AP***Seq:0x16B6DAAck:0x1AF156C2Win:0x2217TcpLen:20FFFC23FFFC27FFFC24FFFA1800414E53..#..'..$ANS49FFF0I..=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+11/09-11:12:02.956582:23->:1032TCPTTL:255TOS:0x0ID:49900IpLen:20DgmLen:61DF***AP***Seq:0x1AF156C2Ack:0x16B6EDWin:0x2238TcpLen:200D0A0D0A53756E4F5320352E370D0A0DSunOS5.7...000D0A0D00=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+PacketLoggerModeGee,itsurewouldbeniceifIcouldsavethosepacketstodisk…Multi-modepacketloggingoptionsavailableFlatASCII,tcpdump,XML,database,etcavailableLogalldataandpost-processtolookforanomalousactivityNIDSModeWidevarietyofrulesavailableforsignatureengine(~1300asofJune2001,growto~2900atMay2005)Multipledetectionmodesavailableviarulesandplug-insRules/signatureStatisticalanomalyProtocolverificationSnortRulesSnortRulesSnortrulesareextremelyflexibleandareeasytomodify,unlikemanycommercialNIDSSampleruletodetectSubSeventrojan:alerttcp$EXTERNAL_NET27374->$HOME_NETany(msg:"BACKDOORsubseven22";flags:A+;content:"|0d0a5b52504c5d3030320d0a|";reference:arachnids,485;/subseven/;sid:103;classtype:misc-activity;rev:4;)Elementsbeforeparenthesescomprise‘ruleheader’Elementsinparenthesesare‘ruleoptions’SnortRulesalerttcp$EXTERNAL_NET27374->$HOME_NETany(msg:"BACKDOORsubseven22";flags:A+;content:"|0d0a5b52504c5d3030320d0a|";reference:arachnids,485;/subseven/;sid:103;classtype:misc-activity;rev:4;)alertactiontotake;alsolog,pass,activate,dynamictcpprotocol;alsoudp,icmp,ip$EXTERNAL_NETsourceaddress;thisisavariable–specificIPisok27374sourceport;alsoany,negation(!21),range(1:1024)->direction;bestnottochangethis,although<>isallowed$HOME_NETdestinationaddress;thisisalsoavariablehereanydestinationportSnortRulesalerttcp$EXTERNAL_NET27374->$HOME_NETany(msg:"BACKDOORsubseven22";flags:A+;content:"|0d0a5b52504c5d3030320d0a|";reference:arachnids,485;/subseven/;sid:103;classtype:misc-activity;rev:4;)msg:”BACKDOORsubseven22”;messagetoappearinlogsflags:A+;tcpflags;manyoptions,likeSA,SA+,!R,SF*content:“|0d0…0a|”;binarydatatocheckinpacket;contentwithout|(pipe)charactersdosimplecontentmatchesreference…;wheretogotolookforbackgroundonthisrulesid:103;ruleidentifierclasstype:misc-activity;ruletype;manyothersrev:4;rulerevisionnumberotherruleoptionspossible,likeoffset,depth,nocaseSnortRulesbad-traffic.rules exploit.rules scan.rulesfinger.rules ftp.rules telnet.rulessmtp.rules rpc.rules rservices.rulesdos.rules ddos.rules dns.rulestftp.rules web-cgi.rules web-coldfusion.rulesweb-frontpage.rules web-iis.rules web-misc.rulesweb-attacks.rules sql.rules x11.rulesicmp.rules netbios.rules misc.rulesbackdoor.rules shellcode.rules policy.rulesporn.rules info.rules icmp-info.rulesvirus.rules local.rules attack-responses.rulesSnortRulesRuleswhichactuallycaughtintrusionsalerttcp$EXTERNAL_NETany->$SQL_SERVERS1433(msg:"MS-SQLxp_cmdshell-programexecution";content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|";nocase;flags:A+;classtype:attempted-user;sid:687;rev:3;)caughtcompromiseofMicrosoftSQLServeralerttcp$EXTERNAL_NETany->$HTTP_SERVERS80(msg:"WEB-IIScmd.exeaccess";flags:A+;content:"cmd.exe";nocase;classtype:web-application-attack;sid:1002;rev:2;)caughtCodeRedinfectionalerttcp$EXTERNAL_NETany->$HOME_NET21(msg:"INFOFTP\"MKD/\"possiblewarezsite";flags:A+;content:"MKD/";nocase;depth:6;classtype:misc-activity;sid:554;rev:3;)caughtanonymousftpserverSnortArchitectureDataFlowPacketDecoderPreprocessor(Plug-ins)DetectionEngine(Plug-ins)OutputStage(Plug-ins)PacketStreamSniffingSnortDataFlowAlerts/LogsRuleHeaderAlerttcpany->anyRuleOptions(flags:SF;msg:“SYN-FINScan”;)Alerttcpany->anyAlerttcpany->any(flags