A Snort Sampler or A Little Taste of Snort or A Stimulus Response Experiment Exploring Intrusion Det - PowerPoint PPT Presentation

About This Presentation

Description:

A traceroute for an ip address inside the local network will be executed from ... alert ip $HOME_NET any - $HOME_NET any (msg:'jim traceroute'; ttl: 3; ... – PowerPoint PPT presentation

Slides: 20
Provided by: JtD9
Transcript and Presenter's Notes


1
A Snort Sampler or A Little Taste of Snort or A Stimulus / Response Experiment
Exploring Intrusion Detection Systems using Snort.
Baby Back Ribs
2
Baby Back Ribs
  • CMS 463 Networks II
  • James Dyke

http://www.snort.org/
3
Snort Modes
  • Sniffer
  • Intrusion Detection
  • Intrusion Prevention

4
Sniffer
  • snort -v
  • Print out IP and TCP/UDP/ICMP packet headers to
    screen
  • snort -vd
  • Print out application data
  • snort -vd -l filename
  • Log to a file

5
IDS Intrusion Detection System
  • Doesn't record every single packet on the wire
  • Uses a rules file to screen packets
  • Sends information to log files or to a database
  • snort -c snort.conf

6
Intrusion Prevention
  • Inline IDS
  • Works with iptables, a Unix-based firewall
  • iptables will pass or drop packets based on Snort
    rules

7
Snort Rules
  • Rule Format
  • Action Protocol Source_address Port ->
    Destination_address Port (rule:value;
    rule:value;)

8
Snort Rules
  • Addresses use CIDR
  • Classless Inter-Domain Routing
  • address/mask bits
  • 10.0.0.0/24
  • equivalent to
  • 10.0.0.0 with 255.255.255.0 mask

9
Snort Rule Examples
  • log udp 10.0.0.8/32 3000 -> 10.0.0.0/24 53
  • log UDP traffic from a specific address/port
  • to any machine on our network on port 53 (DNS)

Rule Format: Action Protocol Source_address Port -> Destination_address Port (rule:value; rule:value;)
10
Snort Rule Examples
  • alert tcp any any -> 10.0.0.0/24 any
    (ipopts:lsrr;)
  • alert on any TCP traffic using loose source
    routing
  • in the IP options flags

Rule Format: Action Protocol Source_address Port -> Destination_address Port (rule:value; rule:value;)
11
Snort Rule Examples
  • Can use variables:
  • var MY_NET 10.0.0.0/24
  • And a negation operator: !$MY_NET
  • alert udp !$MY_NET any -> $MY_NET 53
  • Different from
  • alert udp any any -> $MY_NET 53

12
Payload Detection Rules
  • content, nocase, rawbytes
  • depth, offset, distance
  • within, uricontent, isdataat
  • pcre, byte_test, byte_jump

13
Payload Detection Example
  • alert tcp any any -> 10.0.0.0/24 21 (msg:"FTP
    ROOT"; content:"user root"; nocase;)
  • look for an attempt to FTP
  • with the user name root

14
Non-Payload Detection Rules
  • fragoffset, ttl, tos
  • id, ipopts, fragbits
  • dsize, flags, flow
  • flowbits, seq, ack
  • window, itype, icode
  • icmp_id, icmp_seq, rpc
  • ip_proto, sameip

15
Example TCP flag bits
  • F: FIN (LSB in TCP Flags byte)
  • S: SYN
  • R: RST
  • P: PSH
  • A: ACK
  • U: URG
  • 1: Reserved bit 1 (MSB in TCP Flags byte)
  • 2: Reserved bit 2
  • 0: No TCP Flags Set
  • alert tcp any any -> any any (flags:SF;)

16
Stimulus / Response
  • A traceroute to an IP address inside the local
    network will be executed from within the local
    network.
  • An FTP login to the Snort computer using the user
    name root will be attempted.
  • A port scan will be performed using SuperScan4, a
    Windows-based port scanner, from a computer
    within the local network.

17
Rule Test Set
  • alert ip $HOME_NET any -> $HOME_NET any (msg:"jim
    traceroute"; ttl:<3;)
  • alert tcp any any -> $HOME_NET any (msg:"jim
    ftp root"; content:"root";)
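The rule header and option syntax from slides 7 through 15, and the test set on slide 17, exercised by a small matcher. This is an added example, not code from the presentation or from Snort itself; it implements only the keywords the slides use (CIDR addresses, $variables, ! negation, ttl, content with nocase, flags) against constructed packet dicts, and the msg strings on the last two rules are added here.

```python
import ipaddress
import re

VARS = {"HOME_NET": "10.0.0.0/24", "MY_NET": "10.0.0.0/24"}  # constructed, stands in for "var MY_NET 10.0.0.0/24"

def addr_matches(spec, ip):  # address field: any, a CIDR block, $VAR, or the ! negation of one
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    if spec == "any":
        return True
    if spec.startswith("$"):
        spec = VARS[spec[1:]]
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def parse_rule(text):  # 'action proto src sport -> dst dport (key:val; key;)'
    header, _, body = text.partition("(")
    action, proto, src, sport, _, dst, dport = header.split()
    opts = [(k, v.strip().strip('"')) for k, v in re.findall(r'(\w+)(?::([^;]*))?;', body)]
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport, opts=opts)

def rule_matches(rule, pkt):  # header first, then the keywords the slides use: ttl, content/nocase, flags
    if (rule["proto"] not in ("ip", pkt["proto"]) or not addr_matches(rule["src"], pkt["src"])
            or not addr_matches(rule["dst"], pkt["dst"])):
        return False
    for spec, port in ((rule["sport"], pkt["sport"]), (rule["dport"], pkt["dport"])):
        if spec != "any" and int(spec) != port:
            return False
    for i, (key, val) in enumerate(rule["opts"]):
        if key == "ttl":  # ttl:<3, ttl:>3 or ttl:3
            op, n = re.match(r"([<>]?)(\d+)", val).groups()
            ok = {"<": pkt["ttl"] < int(n), ">": pkt["ttl"] > int(n), "": pkt["ttl"] == int(n)}[op]
        elif key == "content":  # a following nocase modifies this content (one content per rule here)
            nocase = ("nocase", "") in rule["opts"][i + 1:]
            hay = pkt.get("payload", "")
            ok = val.lower() in hay.lower() if nocase else val in hay
        elif key == "flags":  # flags:SF means exactly SYN and FIN set, nothing else
            ok = set(val) == set(pkt.get("flags", ""))
        else:  # msg and nocase carry no match condition of their own
            continue
        if not ok:
            return False
    return True

# Rules taken from the slides; the msg strings on the last two are added here for readable output.
RULES = [parse_rule(r) for r in (
    'alert ip $HOME_NET any -> $HOME_NET any (msg:"jim traceroute"; ttl:<3;)',
    'alert tcp any any -> $HOME_NET any (msg:"jim ftp root"; content:"root";)',
    'alert tcp any any -> 10.0.0.0/24 21 (msg:"FTP ROOT"; content:"user root"; nocase;)',
    'alert tcp any any -> any any (msg:"syn fin"; flags:SF;)',
    'alert udp !$MY_NET any -> $MY_NET 53 (msg:"outside dns";)')]

def alerts_for(pkt):  # msg of every rule a constructed packet dict triggers, in rule order
    return [dict(r["opts"])["msg"] for r in RULES if rule_matches(r, pkt)]
```

A low-TTL UDP probe from inside 10.0.0.0/24 fires only "jim traceroute", while an FTP login carrying "USER root" fires both root rules, which is the stimulus/response result slide 16 sets out to produce.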

18
Snort Preprocessor Modules
  • Use the sfPortscan preprocessor to detect
    port scan attempts.
  • Looks at multiple packets from a single IP address
    probing for open ports.

19
Snort Test Configuration
  • Snort running on 10.0.0.20
  • MySQL database
  • Apache web server
  • At 10.0.0.20 on port 80
  • BASE (Basic Analysis and Security Engine)
  • Database analysis server
  • http://10.0.0.20/base
  • SuperScan Windows network scanner