Snort - Lightweight Intrusion Detection for Networks - PowerPoint PPT Presentation
Transcript and Presenter's Notes
1
Snort - Lightweight Intrusion Detection for Networks
YOUNG Wo Sang, Program Committee, PISA
ws.young_at_pisa.org.hk
2
Introducing Snort
  • Snort is
      • Small (1.2M source distribution)
      • Portable (Linux, Solaris, BSD, IRIX, HP-UX, WIN32)
      • Fast (high probability of detection for a given attack on average networks)
      • Configurable (easy rules language, many reporting/logging options)
      • Free (GPL/Open Source Software)
  • Current version 1.8.1 as of Aug 2001

3
Snort Design
  • Packet sniffing network intrusion detection system
  • Libpcap-based sniffing interface
  • Rules-based detection engine
  • Multiple output options
      • decoded logs, tcpdump formatted logs
      • real-time alerting to syslog, file, database, XML

4
Detection Engine
  • Rules form signatures
  • Modular detection elements are combined to form these signatures
  • Anomalous activity detection is possible
      • stealth scans, OS fingerprinting, invalid ICMP codes, etc.
  • Rules system is very flexible, and creation of new rules is relatively simple

5
Rules Format
alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any (flags: SF; msg: "SYN-FIN Scan";)
  • Two sections to a rule
      • rule header
          alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any
      • rule options
          (flags: SF; msg: "SYN-FIN Scan";)
  • Rule headers and options can be strung together in any combination

6
Rule Header Features
  • IP addresses
      • negation, CIDR blocks
  • TCP/UDP ports
      • negation, ranges, greater than/less than
  • uni/bi-directional port/address consideration

7
Rule Option Features
  • IP TTL
  • IP ID
  • Fragment size
  • TCP Flags
  • TCP Ack number
  • TCP Seq number
  • Payload size
  • Content
  • Content offset
  • Content depth
  • Session recording
  • ICMP type
  • ICMP code
  • Alternate log files

8
Uses for Snort
  • Packet Sniffing NIDS
  • Honeypot Monitor
  • Scan Detection/Traps
  • Other Fun Stuff

9
Packet Sniffing NIDS
  • Load up a good rules set and let it run!
      • www.whitehats.com
  • Automatically generates alerts and logs full packet data
  • Alternative alerting/actions can be handled by something like Swatch
      • email alerts, active response, etc.

10
Honeypot Monitor
  • Honeypots are deception systems that perform intrusion detection by inclusion
  • Gets rid of all the false alarms!
  • Use Snort's filtering capability to log all the traffic going to the honeypot
  • Post-process the data with a good ruleset

11
Scan Detection/Traps
  • Snort has no formal port scan detection mechanism
  • Set up rules to log traffic to known closed ports / unused addresses
  • Poor man's honeypot/port scan detector

alert tcp any any -> 10.1.1.0/24 100:600 (flags: S; msg: "TRAP!";)
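To show how the header and option sections from slides 5 to 7 are split up, and how the SYN-FIN scan rule and the TRAP! rule above fire on traffic, here is an added example (toy code written for this page, not Snort's own engine) that parses those two rules and evaluates them against constructed packets. The packet records and their addresses are made up; bidirectional "<>" matching and port ranges are included to cover the header features listed on slide 6.

```python
# Added example, not Snort's own code: toy parser/matcher for the Snort 1.x rule
# syntax on these slides (negated CIDR, port ranges, '->'/'<>', flags/msg options).
import ipaddress

def parse_rule(text):
    """Split 'action proto src sport dir dst dport (opt: val; ...)'."""
    head, _, opts = text.partition("(")
    action, proto, src, sport, direction, dst, dport = head.split()
    pairs = (o.split(":", 1) for o in opts.rstrip(")").split(";") if ":" in o)
    options = {k.strip(): v.strip().strip('"') for k, v in pairs}
    return dict(action=action, proto=proto, src=src, sport=sport,
                dir=direction, dst=dst, dport=dport, opts=options)

def addr_matches(spec, ip):  # 'any', a CIDR block, or a '!'-negated CIDR block
    if spec == "any":
        return True
    inside = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return inside != spec.startswith("!")

def port_matches(spec, port):  # 'any', 'N', 'lo:hi', ':hi', 'lo:', optionally '!'-negated
    if spec == "any":
        return True
    lo, sep, hi = spec.lstrip("!").partition(":")
    hi = hi if sep else lo  # a bare 'N' is the range N:N
    inside = (not lo or int(lo) <= port) and (not hi or port <= int(hi))
    return inside != spec.startswith("!")

def rule_matches(rule, pkt):
    """Header match ('->' one way, '<>' either way) plus an exact TCP-flags test."""
    def one_way(src, sport, dst, dport):
        return (addr_matches(rule["src"], src) and port_matches(rule["sport"], sport)
                and addr_matches(rule["dst"], dst) and port_matches(rule["dport"], dport))
    header_ok = rule["proto"] == pkt["proto"] and (
        one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        or (rule["dir"] == "<>" and one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])))
    want = rule["opts"].get("flags")  # 'SF' = exactly SYN and FIN set, nothing else
    return header_ok and (want is None or set(want) == set(pkt["flags"]))

RULES = [parse_rule(r) for r in (
    'alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any (flags: SF; msg: "SYN-FIN Scan";)',
    'alert tcp any any -> 10.1.1.0/24 100:600 (flags: S; msg: "TRAP!";)')]

PACKETS = [  # constructed sample packets, not captured traffic
    dict(proto="tcp", src="192.0.2.7", sport=4321, dst="10.1.1.5", dport=80, flags="SF"),
    dict(proto="tcp", src="10.1.1.9", sport=4321, dst="10.1.1.5", dport=22, flags="SF"),
    dict(proto="tcp", src="192.0.2.7", sport=4321, dst="10.1.1.5", dport=500, flags="S"),
    dict(proto="tcp", src="192.0.2.7", sport=4321, dst="10.1.1.5", dport=80, flags="SA")]

def alerts(rules=RULES, packets=PACKETS):
    """(packet index, msg) for every rule that fires; -> [(0, 'SYN-FIN Scan'), (2, 'TRAP!')]"""
    return [(i, r["opts"]["msg"]) for i, p in enumerate(packets) for r in rules if rule_matches(r, p)]
```

The second packet comes from inside 10.1.1.0/24, so the negated source block keeps the SYN-FIN rule quiet, and only the packet aimed at a port within 100:600 with a bare SYN trips the trap rule.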
12
Other Fun Stuff
  • Snort is a packet sniffer, can be used to analyze traffic in real-time
  • Motivated people can write rules to pick up all sorts of naughty things
      • SQL/ODBC, ActiveX, Java/JavaScript, macro viruses

13
Other Fun Stuff (Cont.)
  • SHADOW sensor replacement
      • SHADOW is a free NIDS based on tcpdump
      • Snort can use the SHADOW BPF rule set, plus its own!
  • Gains
      • real-time alerting, payload analysis, rules simplicity, post-processing, etc.

14
Snort Internal
  • Plugin architecture
      • stream4: detects stealth portscans
      • Write detection modules and add them to the rule set
  • Hooks for preprocessors
      • IP defrag, TCP stream reassembly, statistics, etc.
  • Hooks for backend/output
      • database, SNMP, tunnels, etc.

15
Snort Addon
  • Guardian 1.2.0, by Anthony Stevens and Ernie Lim (http://home.golden.net/~elim/).
    Guardian is a stand-alone Perl script which watches the output of snort, and
    will add rules to IPChains on the fly as snort detects and reports an attack.
  • snort-panel, by Xato (http://www.xato.net/files.htm). A very useful
    Windows-based utility for managing, controlling, and monitoring the win32
    port of Snort.
  • snortnet, by Fyodor (http://snortnet.scorpions.net/). This code is an output
    plugin that allows you to log Snort alerts to a remote machine. Requires
    libiap-0.1.tar.gz.
  • Spade 01172001.1, by Silicon Defense (http://www.silicondefense.com/spice/).
    SPADE stands for the Statistical Packet Anomaly Detection Engine. It is a
    Snort preprocessor plugin which sends alerts of anomalous packets through
    standard Snort reporting mechanisms. Please consider this to be experimental,
    though it has worked well for us.
  • ACID 0.9.6b9, by CERT (http://acidlab.sourceforge.net/). ACID is a PHP-based
    analysis engine to search and process a database of security incidents
    generated by Snort. Requires PHP and MySQL.
  • more

16
FIN
  • Get Snort from <http://www.snort.org/downloads.html>
  • Writing Snort rules: <http://www.snort.org/docs/writing_rules/>