Snort – network intrusion detection system 2008 Lab seminars June 2, 2008 Laziz Yunusov Advanced Networking Technology Lab. (YU-ANTL) Dept. of Information.


Snort – network intrusion detection system. 2008 Lab seminars, June 2, 2008. Laziz Yunusov, Advanced Networking Technology Lab. (YU-ANTL), Dept. of Information & Comm. Eng, Graduate School, Yeungnam University, KOREA

Advanced Networking Tech. Lab. Yeungnam University (YU-ANTL), Laziz Yunusov

Outline
 Introduction
 Classifications of IDSs
 Snort architecture
  – Packet decoder
  – Preprocessors
  – Rules
 Examples
 Snort logging and alerting
 Snort add-ons

Introduction
 Intrusion detection systems are used to detect several types of malicious behavior that can compromise the security and trust of a computer system:
  – network attacks against vulnerable services
  – data-driven attacks on applications
  – host-based attacks: privilege escalation, unauthorized logins, access to sensitive files
  – malware (viruses, Trojan horses, and worms)

Classifications of IDSs
 Two general types
  – Anomaly detection: flags "abnormal" behavior, i.e. behavior that departs from a baseline of normal activity. Abnormal is not necessarily undesirable, so the false positive rate is high.
  – Signature detection: flags activity that closely matches previously defined bad behavior. The signature set has to be constantly updated, and it is slow to catch new malicious behavior for which no signature exists yet.
 Taxonomy by intrusion detection principle
  – Self-training: trains on "normal" behavior
  – Programmed: the user must know the difference between normal and abnormal
  – Signature-inspired: a combination of anomaly and signature methods
 Real time vs. non-real time

Snort
 Snort is
  – the most widely deployed network intrusion detection system (NIDS)
  – the de facto standard in open-source intrusion detection and prevention
 Performs real-time traffic analysis, logging, and alerting
 Supports two kinds of IDS/IPS functionality:
  – protocol normalization and anomaly analysis of traffic (done by the preprocessors)
  – signature-based analysis of traffic (done by the detection engine against the rule set)
 Snort can be run in one of several modes:
  – Sniffer mode: Snort reads packets off the network and displays them on the console
  – Packet logger mode: simply logs packets to disk
  – Network intrusion detection system (NIDS) mode: Snort grabs traffic from the network using libpcap, analyzes it for matches against a defined rule set and generates alerts as appropriate
  – Inline mode: obtains packets from the iptables queue interface instead of libpcap, and signals iptables to drop or pass each packet using the inline-specific rule actions (drop, reject, sdrop)

Snort
 Features of Snort
  – Snort is open source, covered under the GPL; rules are readily editable and freely available
  – Highly stateful: 3000+ detection rules plus protocol anomaly detection
  – Development proceeds under the GPL and has made Snort a robust IDS solution
  – A good way to get started with IDS for a minimal investment of time and money
  – The Snort community is very active: signature updates are often made available within hours of a new exploit
  – Several commercial vendors use Snort as the basis for commercial IDS solutions (or to supplement a third-party IDS); Snort is considered an enterprise-grade IDS
  – Can be extended using add-ons

A basic Snort architecture
 Sensor(s): run the Snort IDS, detect events, forward alerts
 Server: MySQL, Apache, syslog; receives and stores the alerts
 Console: web browser; displays the alerts

Snort (sensor) technical details
 Packet flow inside a sensor: libpcap (capture) -> packet decoder -> preprocessors -> detection engine -> output plugins

Snort (sensor) – packet decode
 libpcap
  – External packet capture library (UNIX; the Windows port is WinPcap)
  – Captures raw packets (required for Snort processing)
 Packet decoder(s)
  – A series of packet decoders decode specific protocol elements of each packet, working up the OSI model (link, network, transport layer)
  – As packets are decoded, the decoded packet data is stored in a Snort data structure for analysis
 Preprocessor(s)
  – Perform two kinds of function:
    – examine suspicious packets (non-signature detection, e.g. port scans, fragment anomalies)
    – manipulate packets to prepare them for detection engine inspection (normalization and reassembly, so that signature matching sees what the end host will see)
  – Packets are passed through every enabled preprocessor
    – ensures a thorough packet inspection process
    – guards against attacks designed to circumvent the IDS (fragmentation-, encoding- and stream-based evasion)

Snort preprocessors
 Preprocessors shipped with Snort 2.x include Frag2, Stream4, HTTP Inspect, RPC_Decode, Telnet_Decode, ARPspoof, ASN1_Decode, Flow, SfPortscan and Performance Monitor
 Key preprocessors
  – Frag2 (IP fragment reassembly)
    – timeout = number of seconds to keep inactive fragments in the state table (default = 60, recommended = 65)
    – detect_state_problems = enables detection of overlapping fragments
    – ttl_limit = maximum delta in TTL values that fragments with the same fragment ID may have (default = 7, recommended = 8)
  – Stream4 (TCP stream reassembly and state tracking)
    – detect_scans = detects normal TCP connect scans and stealthy scans (e.g. half-open and SYN-FIN scans)
    – timeout = number of seconds to keep an inactive stream in the state table (default = 30, recommended = 35)
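The two frag2 checks just listed are easier to reason about with data in hand. The following Python sketch is an added example written for this page, not code from the slides or from Snort: it keeps a fragment state table per IP ID, flags overlapping byte ranges (what detect_state_problems looks for) and TTL deltas above ttl_limit, and then reassembles the same fragments under two different overlap policies. Offsets are plain byte offsets rather than IP's 8-byte units, the Fragment/Frag2Lite names are this example's own, and the fragments in demo() are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Fragment:
    frag_id: int     # IP identification value shared by every piece of one datagram
    offset: int      # byte offset of this piece's payload (real IP counts in 8-byte units)
    ttl: int
    data: bytes

@dataclass
class FragState:
    frags: list = field(default_factory=list)
    problems: list = field(default_factory=list)

class Frag2Lite:
    """Toy stand-in for frag2: tracks fragments per ID, flags overlaps and TTL deltas."""

    def __init__(self, ttl_limit=8, detect_state_problems=True):
        self.ttl_limit = ttl_limit
        self.detect_state_problems = detect_state_problems
        self.table = {}                    # frag_id -> FragState (the fragment state table)

    def add(self, f):
        st = self.table.setdefault(f.frag_id, FragState())
        if self.detect_state_problems:
            for g in st.frags:
                f_end, g_end = f.offset + len(f.data), g.offset + len(g.data)
                if f.offset < g_end and g.offset < f_end:            # byte ranges intersect
                    st.problems.append(("overlap", g.offset, f.offset))
                if abs(f.ttl - g.ttl) > self.ttl_limit:               # pieces unlikely to share a path
                    st.problems.append(("ttl_delta", g.ttl, f.ttl))
        st.frags.append(f)
        return st

    def reassemble(self, frag_id, favour="first"):
        """Rebuild the payload. 'first' keeps the earliest data for a contested byte,
        'last' keeps the latest; real stacks differ, and that difference is the evasion."""
        frags = self.table[frag_id].frags
        if favour == "first":
            frags = list(reversed(frags))  # write newest first so older data overwrites it
        buf = {}
        for f in frags:
            for i, b in enumerate(f.data):
                buf[f.offset + i] = b
        return bytes(buf[k] for k in sorted(buf))

def demo():
    """Constructed traffic: one overlapping-fragment evasion and one low-TTL insertion."""
    eng = Frag2Lite(ttl_limit=8)
    eng.add(Fragment(1, 0, 64, b"GET /ind"))
    eng.add(Fragment(1, 8, 64, b"ex.html\n"))
    eng.add(Fragment(1, 8, 64, b"cmd.exe\n"))   # resent range with different bytes
    eng.add(Fragment(2, 0, 64, b"innocent"))
    eng.add(Fragment(2, 8, 2, b" payload"))     # TTL 2: seen by the IDS, expires before the host
    return eng

if __name__ == "__main__":
    e = demo()
    for fid, st in e.table.items():
        print(fid, st.problems, e.reassemble(fid, "first"), e.reassemble(fid, "last"))
```

Datagram 1 reassembles to "GET /index.html" under the favour-first policy and to "GET /indcmd.exe" under favour-last; an IDS that picks one while the target host picks the other inspects the wrong request, which is why frag2 raises an alert on the overlap itself rather than silently choosing. Datagram 2 shows the TTL variant: the low-TTL piece reaches the sensor but never the host, so the delta is the only hint the sensor has.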

Snort preprocessors (2)
 HTTP Inspect
  – iis_unicode_map = Unicode code point map (lists the code pages to use when decoding Unicode in URIs)
  – double_encode = detects double-encoding attacks (a percent-encoded percent sign hiding a second layer of encoding)
 ARPspoof
  – host <IP> <MAC>: the list of hosts to be monitored must be specified in snort.conf; an ARP reply that pairs a listed IP with a different MAC raises an alert
 SfPortscan
  – sense_level = sensitivity level for portscans (low, medium, high; tune as appropriate)
  – scan_type = types of scan to detect (all, portscan, portsweep)
  – Note that the flow preprocessor is required for SfPortscan

Snort detection engine
 The detection engine performs several functions
  – Rule parsing: rules are loaded into internal data structures that guide packet inspection
  – Signature detection: attack signatures are constructed by parsing Snort rules
 Rules are divided into two sections
  – Rule header: information that governs application of the signature (action, protocol, IP addresses, ports, direction)
  – Rule options: contain the attack signature, priority level, and attack information
 Each packet is tested against increasingly specific criteria (header fields first, then the options) until there is a match or the packet passes

Snort rules
 Snort's rule syntax is simple and straightforward
 Full rule documentation is available in the Snort users manual (PDF)
 Rule format
  – Rule header: static definition; has to be in every rule
  – Rule options: variable definition; not always necessary; 50+ options available
 Example: alert tcp $BAD any -> $GOOD any (flags: SF; msg: "SYN-FIN scan";)
  – rule header: alert tcp $BAD any -> $GOOD any
  – rule options: (flags: SF; msg: "SYN-FIN scan";)

Snort rules
 Most basic rule example: alert tcp any any -> any any (msg:"Sample alert";)
 The header contains the following fields
  – Action (alert, log, pass; inline mode adds drop, reject, sdrop)
  – Protocol (ip, tcp, udp, icmp)
  – Source IP and port
  – Direction operator ("->", or "<>" for either direction)
  – Destination IP and port
 Example: alert tcp $EXTERNAL_NET any -> /24 80 (msg:"Sample alert";)
 Source or destination IP addresses can be
  – variables ($HOME_NET)
  – individual IP addresses
  – CIDR blocks
  – lists of the above, enclosed in square brackets and separated by commas ("[ , ]")
  – any of the above negated with a leading "!"
 Ports can be
  – individual ports
  – port ranges ("80:85", ":1024", "1025:")

Snort rules
 Rule options (the body) are usually the complex part
  – begin and end with "(" and ")"
  – a series of rule options (keywords, with optional parameters) separated by ";"
 Five types of options
  – Metadata
  – Payload detection
  – Non-payload detection
  – Post-detection
  – Thresholding and suppression
 Metadata options provide Snort with information about the rule itself or pass information on to the analyst. Examples:
  – "msg" specifies the human-readable alert message
  – "reference" includes a URL (or a CVE or Bugtraq ID) for more information
  – "classtype" and "priority" give some idea of the type of attack and the severity of the event
  – "sid" and "rev" uniquely identify the rule and its revision; any edit to a rule should bump rev so that alerts can be traced to the exact rule text that fired

Snort rules
 Other rule options: some apply to protocol headers, others to packet payload data
  – byte_test: tests a byte field against a specific value (with an operator)
  – byte_jump: reads a length field from the payload and moves the detection pointer by that amount, for variable-length protocol fields
  – fragoffset: compares the IP fragment offset field against a decimal value
  – ttl: checks the IP TTL value
  – ipopts: checks for the presence of specific IP options (e.g. nop, sec, rr)
  – dsize: tests the payload size of the packet
  – flags: tests for the presence of specific TCP flags
  – flow: used in conjunction with TCP stream reassembly; applies the rule only to a given direction (to_server, to_client) and state (established) of the flow
  – seq: checks for a specific TCP sequence number
  – ip_proto: checks the IP protocol number field

Payload detection options
 Look inside the packet payload, not the packet headers: the key point of an IDS!
 There are many options to fit many needs, but the basics are
  – "content" looks for a string of bytes
  – "nocase" modifies the preceding content, making the match case-insensitive
  – "offset" skips a certain number of bytes from the start of the payload before searching
  – "pcre" allows the use of Perl-compatible regular expressions (support must be compiled in)

Payload example
 alert tcp $EXTERNAL_NET any -> /24 80 (msg:"Sample alert"; content:"http|3a|//"; nocase; offset:12; classtype:web-application-activity; reference:url, ; sid: ; rev:1;)
 Looks for the case-insensitive string "http://" in all traffic matched by the rule header
 Skips the first 12 bytes of each packet before starting the search, for efficiency
 Note the inclusion of the hex ASCII code for ":" (|3a|). The "|3a|" notation is good for non-printable data, and for ":", which is not written literally in a content match

Payload example 2
 alert tcp $EXTERNAL_NET any -> /24 80 (msg:"Sample alert"; pcre:"/GET.*\.htm/i"; classtype:web-application-activity; reference:url, ; sid: ; rev:1;)
 Alerts on all GET requests for an HTML page (.htm or .html both work)
  – the "i" option to pcre asks for case-insensitive matching
 A simple content match could be used, but sometimes
  – content is not flexible enough to match the data
  – a single PCRE may be clearer than a bunch of individual content matches
 Real-world rules are usually more complex, for example:
 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS MDAC Content-Type overflow attempt"; flow:to_server,established; uricontent:"/msadcs.dll"; nocase; content:"Content-Type|3A|"; nocase; isdataat:50,relative; content:!"|0A|"; within:50; pcre:"/^POST\s/smi"; reference:bugtraq,…; reference:cve,…; reference:url,…; classtype:web-application-attack; sid:1970; rev:9;)
  – flow restricts the rule to client-to-server traffic on an established session
  – uricontent and the first content locate /msadcs.dll and the Content-Type header
  – isdataat:50,relative followed by the negated content:!"|0A|"; within:50 asserts that at least 50 bytes follow the header name with no line feed among them, i.e. an over-long header value
  – the pcre confirms the request is a POST; together these describe the overflow attempt without matching any one fixed string
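To make the header and option semantics above concrete, here is an added Python rule matcher (example code written for this page, not part of Snort) that parses rules in the syntax shown, resolves $EXTERNAL_NET, $HOME_NET and $HTTP_PORTS from a constructed variable table, and evaluates content with nocase/offset/within, negated content, isdataat, pcre and flags against hand-built packets. The addresses, ports, payloads and sids (1000001 to 1000004, in the local range) are all constructed; the third rule reuses the structure of the MDAC rule above under a local sid. Stream reassembly, the flow option, the "<>" direction operator and URI normalization are deliberately not modelled.

```python
import ipaddress
import re

def decode_content(s):
    # expand Snort's |hex| escapes: 'http|3a|//' -> b'http://'
    return re.sub(r"\|([0-9A-Fa-f ]+)\|", lambda m: bytes.fromhex(m.group(1)).decode("latin-1"), s).encode("latin-1")

def parse_rule(text):
    # header fields are positional; nocase/offset/within bind to the content option just before them
    header, body = text.split("(", 1)
    action, proto, src, sport, direction, dst, dport = header.split()
    checks = []                                      # [keyword, value, modifiers]; no ';' inside values assumed
    for raw in filter(None, (r.strip() for r in body.rsplit(")", 1)[0].split(";"))):
        key, _, val = raw.partition(":")
        val = val.strip()
        val = "!" + val[1:].strip('"') if val.startswith('!"') else val.strip('"')
        if key.strip() in ("nocase", "offset", "within"):
            checks[-1][2][key.strip()] = val
        else:
            checks.append([key.strip(), val, {}])
    return dict(action=action, proto=proto, src=src, sport=sport, direction=direction, dst=dst, dport=dport, checks=checks)

def addr_ok(spec, ip, vars_):
    spec = vars_.get(spec, spec)                     # $HOME_NET and friends
    if spec.startswith("["):                         # list form: [10.0.0.0/8,192.168.1.1]
        return any(addr_ok(p.strip(), ip, vars_) for p in spec[1:-1].split(","))
    if spec == "any":
        return True
    negate = spec.startswith("!")
    return (ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)) != negate

def port_ok(spec, port, vars_):
    spec = vars_.get(spec, spec)
    if spec == "any":
        return True
    if ":" in spec:                                  # ranges: 80:85, :1024, 1025:
        lo, hi = spec.split(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return port == int(spec)

def header_ok(rule, pkt, vars_):                     # '->' only; the '<>' operator is not modelled
    return (rule["proto"] in ("ip", pkt["proto"])
            and addr_ok(rule["src"], pkt["src"], vars_) and port_ok(rule["sport"], pkt["sport"], vars_)
            and addr_ok(rule["dst"], pkt["dst"], vars_) and port_ok(rule["dport"], pkt["dport"], vars_))

def content_ok(payload, spec, mods, cursor):
    # offset is absolute; within searches only the N bytes after the previous content match ended
    negate, needle = spec.startswith("!"), decode_content(spec.lstrip("!"))
    start = cursor if "within" in mods else int(mods.get("offset", 0))
    window = payload[start:start + int(mods["within"])] if "within" in mods else payload[start:]
    idx = window.lower().find(needle.lower()) if "nocase" in mods else window.find(needle)
    return (negate, cursor) if idx < 0 else (not negate, start + idx + len(needle))

def match_rule(rule, pkt, vars_):
    if not header_ok(rule, pkt, vars_):
        return False
    payload, cursor = pkt["payload"], 0
    for key, val, mods in rule["checks"]:
        ok = True                                    # msg, sid, rev, classtype, reference: metadata only
        if key in ("content", "uricontent"):         # uricontent: URI not normalized here
            ok, cursor = content_ok(payload, val, mods, cursor)
        elif key == "pcre":                          # "/regex/flags"; i, s and m honoured
            body, _, fl = val.rpartition("/")
            flags = (re.I if "i" in fl else 0) | (re.S if "s" in fl else 0) | (re.M if "m" in fl else 0)
            ok = re.search(body[1:].encode(), payload, flags) is not None
        elif key == "flags":                         # SF = exactly S and F set; S+ = S plus anything
            want, have = set(val.rstrip("+")), set(pkt.get("flags", ""))
            ok = want <= have if val.endswith("+") else want == have
        elif key == "isdataat":                      # isdataat:N[,relative]: at least N more bytes
            n, _, rel = val.partition(",")
            ok = len(payload) >= (cursor if rel.strip() == "relative" else 0) + int(n)
        if not ok:
            return False
    return True

VARS = {"$EXTERNAL_NET": "!192.168.1.0/24", "$HOME_NET": "192.168.1.0/24", "$HTTP_PORTS": "80:85"}
RULES = [parse_rule(r) for r in (                    # constructed rules; sids in the local 1000000+ range
    r'alert tcp $EXTERNAL_NET any -> 192.168.1.0/24 80 (msg:"Sample alert"; content:"http|3a|//"; nocase; offset:12; sid:1000001; rev:1;)',
    r'alert tcp $EXTERNAL_NET any -> 192.168.1.0/24 80 (msg:"GET for html"; pcre:"/GET.*\.htm/i"; sid:1000002; rev:1;)',
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Content-Type overflow attempt"; uricontent:"/msadcs.dll"; nocase; content:"Content-Type|3A|"; nocase; isdataat:50,relative; content:!"|0A|"; within:50; pcre:"/^POST\s/smi"; sid:1000003; rev:1;)',
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SYN-FIN scan"; flags:SF; sid:1000004; rev:1;)',
)]

def tcp_packet(payload, src="10.9.8.7", dport=80, flags="PA"):   # constructed packet, no stream state
    return dict(proto="tcp", src=src, sport=40000, dst="192.168.1.10", dport=dport, flags=flags, payload=payload)

PACKETS = {
    "html_get": tcp_packet(b"GET /index.html HTTP/1.1\r\nReferer: HTTP://evil.example/\r\n\r\n"),
    "mdac_overflow": tcp_packet(b"POST /msadcs.dll HTTP/1.0\r\nContent-Type: " + b"A" * 60 + b"\r\n\r\n"),
    "mdac_benign": tcp_packet(b"POST /msadcs.dll HTTP/1.0\r\nContent-Type: text/plain\r\n\r\n"),
    "synfin": tcp_packet(b"", dport=22, flags="SF"),
    "internal": tcp_packet(b"GET /index.html HTTP/1.1\r\n\r\n", src="192.168.1.5"),
}

def alerts_for(pkt):
    # sids of every rule the packet triggers, in rule-file order
    return [next(v for k, v, _ in r["checks"] if k == "sid") for r in RULES if match_rule(r, pkt, VARS)]
```

Running alerts_for over PACKETS gives the expected split: the GET with an external Referer fires both web rules, the over-long Content-Type fires only the overflow rule while the short one fires nothing (isdataat fails before the negated content is even checked), the empty SYN-FIN segment fires only the flags rule, and the same GET from an internal address fires nothing because the negated $EXTERNAL_NET variable excludes it at the header stage.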

Snort logging and alerting
 Technically, alerting and logging are functionally distinct in Snort
  – Alerting: the alerting facility produces a short alert that summarizes an event
  – Logging: the logging facility logs full packet data for later analysis
  – Output plug-ins control how this data ultimately gets recorded
 Snort standard alert output
  [**] [116:56:1] (snort_decoder): T/TCP Detected [**]
  – Generator ID = first number (116). Indicates which Snort component generated the alert (1 is the rules engine; other values are preprocessors and decoders)
  – Snort (signature) ID = second number (56). Indicates which signature triggered the alert
    – for preprocessor SIDs, see /etc/snort/gen-msg.map
    – for detection engine (rule-based) SIDs, look up the sid in the rule files (on Linux typically under /etc/snort/rules)
  – Revision ID = third number (1). Indicates the revision of the particular rule, if it has been updated
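An added example (not from the slides) of turning these alert lines into something a triage pass can use, in Python: the GID:SID:REV triple is split out, GID 1 is attributed to the rules engine and anything else to a preprocessor or decoder, and names are resolved from a gen-msg.map excerpt and a rule line. The map excerpt, the rule and the alert lines are constructed sample data in the formats described above, and the function names are this example's own.

```python
import re
from collections import Counter

ALERT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")

def load_gen_msg_map(text):
    # gen-msg.map lines are 'gid || sid || message'; they name preprocessor and decoder alerts
    table = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            gid, sid, msg = (p.strip() for p in line.split("||", 2))
            table[(int(gid), int(sid))] = msg
    return table

def load_rule_msgs(text):
    # rules carry their own sid and msg; rule alerts always use generator 1
    table = {}
    for line in text.splitlines():
        sid, msg = re.search(r"\bsid:\s*(\d+)", line), re.search(r'msg:\s*"([^"]*)"', line)
        if sid and msg:
            table[(1, int(sid.group(1)))] = msg.group(1)
    return table

def parse_alert(line, names):
    m = ALERT_RE.search(line)
    if not m:
        return None                                   # not a standard alert line
    gid, sid, rev = (int(x) for x in m.group(1, 2, 3))
    return {"gid": gid, "sid": sid, "rev": rev, "msg": m.group(4),
            "source": "rule" if gid == 1 else "preprocessor",
            "name": names.get((gid, sid), "<unknown>")}

def summarize(lines, names):
    # count alerts per (source, gid, sid) so the noisy generators stand out
    counts = Counter()
    for a in filter(None, (parse_alert(l, names) for l in lines)):
        counts[(a["source"], a["gid"], a["sid"])] += 1
    return counts

GEN_MSG_MAP = """# constructed excerpt in gen-msg.map format
116 || 56 || (snort_decoder) T/TCP Detected
122 || 1 || (portscan) TCP Portscan
"""
LOCAL_RULES = 'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SYN-FIN scan"; flags:SF; sid:1000004; rev:1;)'
NAMES = {**load_gen_msg_map(GEN_MSG_MAP), **load_rule_msgs(LOCAL_RULES)}

SAMPLE_ALERTS = [   # constructed alert lines in the format shown on the slide
    "[**] [116:56:1] (snort_decoder): T/TCP Detected [**]",
    "[**] [116:56:1] (snort_decoder): T/TCP Detected [**]",
    "[**] [1:1000004:1] SYN-FIN scan [**]",
    "[**] [122:1:0] (portscan) TCP Portscan [**]",
    "Nov 12 10:00:00 sensor snort: unrelated line",
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_ALERTS, NAMES).most_common():
        print(n, key, NAMES.get(key[1:], "<unknown>"))
```

Keeping the generator ID in the grouping key matters: a preprocessor alert and a rule alert can share a numeric SID, so counting by SID alone merges unrelated events.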

Snort add-ons
 Barnyard
  – Barnyard allows logging/alerting operations to be offloaded from Snort
  – Uses data generated by Snort's unified output plug-in (Barnyard is a unified log reader)
  – Improves the performance of Snort
    – unified output logging is comparatively fast (binary records written to a spool file)
    – offloads performance-intensive logging operations from Snort (e.g. database logging)
    – this frees Snort to focus on packet inspection
  – Critical for large-volume, high-bandwidth environments (e.g. 1000 Mbps), where a slow output plug-in would otherwise stall the sensor and drop packets

Snort add-ons (2)
 Analysis Console for Intrusion Databases (ACID)
  – PHP-based analysis engine to search and process a database of security events (generated by a variety of systems and devices)
  – Requires PHP, Apache, MySQL
  – Features include:
    – query builder and search interface
    – packet decoder
    – alert management (ability to logically group alerts, and to manage false positives and negatives)
    – chart and statistics generation (by sensor, signature, protocol, IP, classification)
 Basic Analysis and Security Engine (BASE)
  – Web front end derived from the ACID code base, and its successor
 SnortSnarf
  – Perl program that takes Snort alerts and produces an HTML breakdown

Thank you for your kind attention!