Snort Intrusion Detection System

1
SnortIntrusion Detection System

• www.snort.org

2
Outline

• What is snort?
• What can it do?
• How is it installed?
• How is it configured?
• How is it used?

3
History

• First released in 1998 by Martin Roesch
• Originally intended to be a lightweight intrusion
  detection technology.
• Has evolved ...
• 3 Million downloads
• 225k active users.

4
Capabilities

• Four modes of operation
• Packet Sniffer mode
• Packet Logger mode
• Network Intrusion Detection Mode
• Network Intrusion Prevention

cs490ns - cotter
4
5
Capabilities

• Packet Sniffer mode
• Read packets (based on rules) and display on
  console
• ./snort -dev
• Packet Logger
• Log all packets into a local log, organized into
  directories by IP address
• ./snort dev l ./log
• ./snort dev l ./log h 192.168.1.0/24

6
Capabilities

• NIDS Mode
• Scan packets for a given combination of
  parameters
• Output options ASCII / binary (tcpdump format)
• ./snort d l ./log h 192.168.1.0/24 c
  snort.conf

7
Snort Rule

• alert tcp any any -gt Home 80 (flagsS msgPort
  80 SYN)
• Action Field
• alert, log, pass, activate, dynamic
• Protocol Field
• tcp, udp, icmp, ip
• Source / Destination address and port
• direction indicator
• Rule Options
• msg, logto, id, dsize, seq, ack, flags, content,
  session

8
Example Rules

• alert tcp any any -gt 192.168.5.0/24 21 \
• (msg attempted anonymous ftp access \
• content anonymous offset 5)
• alert tcp any any -gt any any (msg Null Scan \
• flags 0)
• log tcp any any ltgt 192.168.5.0/24 21 \
• (session printable)
• alert udp any any -gt 192.168.5.0/24 31337 \
• (msg Back Orifice)

9
Rule Types

• Alert Rules
• Pass Rules
• Log Rules
• Safe Order Alert, Pass, Log
• Efficient Order Pass, Alert, Log

10
Installing Snort

• Locating the IDS relative to network
• Place Snort outside of firewall
• Place Snort just inside firewall
• Place Snort on critical systems (host based)
• Install software
• Download source or binaries from snort.org
• Windows / Linux
• Compile and/or install.
• /etc/snort (configuration files)
• /usr/sbin (executable program)
• /var/log/snort (typical log file directory)

11
/etc/snort/snort.conf

• Serves as a default configuration
• (once home network has been identified)
• Data Types
• include (similar to programming includes)
• include reference.config
• preprocessor (functional modules)
• preprocessor frag3
• var (variables)
• var HOME_NET 192.168.1.0/24
• config (configure various options)
• config disable_tcpopt_obsolete_alerts

12
snort.conf setup

• 1) Set the variables for your network
• 2) Configure dynamic loaded libraries
• 3) Configure preprocessors
• 4) Configure output plugins
• 5) Add any runtime config directives
• 6) Customize your rule set

13
snort.conf setup

• Set the variables for your network
• var HOME_NET 10.1.1.0/24,192.168.1.0/24
• var EXTERNAL_NET any
• var DNS_SERVERS HOME_NET
• var HTTP_SERVERS HOME_NET
• var HTTP_PORTS 80
• var ORACLE_PORTS 1521
• var RULE_PATH /etc/snort/rules

14
snort.conf setup

• Configure dynamic loaded libraries
• Located in /usr/lib/snort-2.x.x_dynamicpreprocesso
  r
• libsf_dcerpc_preproc.so
• libsf_dcerpc_preproc.so.0
• libsf_dns_preproc.so
• libsf_dns_preproc.so.0
• libsf_ftptelnet_preproc.so
• libsf_ftptelnet_preproc.so.0

15
snort.conf setup

• Configure preprocessors
• preprocessor flow stats_interval 0 hash 2
• preprocessor frag3_global max_frags 65536
• preprocessor frag3_engine policy first
  detect_anomalies
• preprocessor stream4 disable_evasion_alerts
• preprocessor rpc_decode 111 32771
• preprocessor bo

16
snort.conf setup

• Configure output plugins
• output alert_syslog LOG_AUTH LOG_ALERT
• output database log, mssql, dbnamesnort
  \usersnort passwordtest
• output alert_unified filename snort.alert, limit
  128
• ruletype suspicious type log output
  log_tcpdump suspicious.log
• suspicious tcp HOME_NET any -gt HOME_NET 6667 \
  (msg"Internal IRC Server")

17
snort.conf setup

• Add any runtime config directives
• config ignore_ports tcp 21 66676671 1356
• config ignore_ports udp 117 53
• config disable_decode_alerts
• config disable_tcpopt_obsolete_alerts

18
snort.conf setup

• Customize your rule set
• include RULE_PATH/local.rules
• include RULE_PATH/bad-traffic.rules
• include RULE_PATH/exploit.rules
• include RULE_PATH/scan.rules
• include RULE_PATH/finger.rules
• include RULE_PATH/ftp.rules
• (More than 50 sets of rules defined)

19
bad-traffic rules

• 12 rules in test rule set
• alert tcp EXTERNAL_NET any ltgt HOME_NET 0
  (msg"BAD-TRAFFIC tcp port 0 traffic"
  flowstateless classtypemisc-activity sid524
  rev8)
• Capture any incoming traffic to port 0 of any LAN
  HOME_NET machine.
• More information given in signature file 524.txt

20
Signature 524.txt

• Rule
• --
• Sid 524
• --
• Summary
• This event is generated when TCP traffic to port
  0 is detected. This should not be seen in normal
  TCP communications.
• --
• Impact
• Possible reconnaisance. This may be an attempt to
  verify the existance of a host or hosts at a
  particular address or address range.
• --
• Detailed Information
• TCP traffic to port 0 is not valid under normal
  circumstances.
• an indicator of unauthorized network use,
  reconnaisance activity or system compromise.
  These rules may also generate an event due to
  improperly configured network devices.
• --
• Affected Systems
• Any
• --

• Attack Scenarios
• The attacker could send packets to a host with a
  destination port of 0. The attacker might also be
  using hping to verify the existance of a host as
  a prelude to an attack.
• --
• Ease of Attack
• Simple
• --
• False Positives
• None Known
• --
• False Negatives
• None Known
• --
• Corrective Action
• Disallow TCP traffic to port 0.
• --
• Contributors
• Original rule writer unknown
• Sourcefire Vulnerability Research Team
• Nigel Houghton nigel.houghton_at_sourcefire.com

21
Certified Rules for Snort

• http//www.snort.org/pub-bin/downloads.cgi
• Subscription User Rules
• Available immediately upon release
• Registered User Rules
• Same rules, but released with a 30 day delay
• Unregistered User Rules
• Single set of rules for each snort release
  (mostly for testing purposes).

22
Typical Installations

• Used in any of the configurations discussed in
  IDS lecture
• Installation may be configured with several Snort
  sensors
• outside network
• monitoring traffic just inside firewall
• monitoring key servers

23
Inline Mode

• Configure Snort to receive packets from iptables
  rather than libpcap.
• Separate capability that must be explicitly
  installed.
• Adds 3 new rule types
• Drop iptables drops packet and snort logs
• Reject iptables rejects packet and snort logs
• Sdrop iptables will drop packet. No logging.

24
Inline Mode

• Start iptables
• iptables A OUTPUT p tcp dport j QUEUE
• Traffic is routed to QUEUE, where it can be
  captured by snort_inline
• Start Snort
• snort_inline QDc ../etc/drop.conf l
  /var/log/snort
• -Q get packets from iptables
• -D run in daemon mode
• -c specify configuration file
• -l specify log file

25
Complex installations

• Use Snort to monitor traffic and log suspicious
  or dangerous traffic.
• Store information in binary format
• Much faster than ascii storage.
• Store information to a database
• mysql, postgresql, oracle, MS sql, ODBC
• Much easier to process / analyze data
• Use data analysis front-ends to examine logs
• Barnyard (www.snort.org)
• BASE (Basic Analysis and Security Engine)

26
Summary

• Snort is a powerful tool for monitoring network
  traffic for anomalies that might indicate network
  intrusion
• Can be used in several different configurations
• Well supported
• Code Base
• Rules Sets