Martin Roesch Sourcefire Inc.

Slides:



Advertisements
Similar presentations
Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Advertisements

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
Snort: Overview Chris Copeland What is an Intrusion Detection System (IDS)? An intrusion detection system is any system which can identify a network.
Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.
Snort: A Network Intrusion Detection Software Matt Gustafson Becky Smith CS691 Semester Project Spring 2003.
Snort - Open Source Network Intrusion Detection System Survey.
Snort Roy INSA Lab.. Outline What is “ Snort ” ? Working modes How to write snort rules ? Snort plug-ins It ’ s show time.
Intrusion Detection Systems and Practices
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Martin Roesch Sourcefire Inc.
Modified slides from Martin Roesch Sourcefire Inc.
Lan Nguyen Mounika Namburu 1.  DDoS Defense Research  A2D2 Design ◦ Subnet Flooding Detection using Snort ◦ Class -Based Queuing ◦ Multi-level Rate.
Modified slides from Martin Roesch Sourcefire Inc.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Modified slides from Martin Roesch Sourcefire Inc.
Information Networking Security and Assurance Lab National Chung Cheng University Snort.
Martin Roesch Sourcefire Inc.. Topics Background –What is Snort? Using Snort Snort Architecture The Future of Snort and Snort 2.0.
Intrusion Detection - Arun Hodigere. Intrusion and Intrusion Detection Intrusion : Attempting to break into or misuse your system. Intruders may be from.
CIS 193A – Lesson12 Monitoring Tools. CIS 193A – Lesson12 Focus Question What are the common ways of specifying network packets used in tcpdump, wireshark,
INTRUSION DETECTION SYSTEM
Network Intrusion Detection Systems Slides by: MM Clements A Adekunle The University of Greenwich.
Network Forensics Networking Basics Collecting Network-Based Evidence (NBE) Collection of Packets using Tools Windows Intrusion UNIX Intrusion.
USENIX LISA ‘99 Conference © Copyright 1999, Martin Roesch Snort - Lightweight Intrusion Detection for Networks Martin Roesch.
Intrusion Detection System [Snort]
The open source network intrusion detection system. Secure System Administration & Certification Ravindra Pendyala.
1 Intrusion Detection Systems. 2 Intrusion Detection Intrusion is any use or attempted use of a system that exceeds authentication limits Intrusions are.
Intrusion Protection Mark Shtern. Protection systems Firewalls Intrusion detection and protection systems Honeypots System Auditing.
Penetration Testing Security Analysis and Advanced Tools: Snort.
Distributed IDS The implementation of a Distributed Intrusion Detection System over a medium scale open network where the focus is availability of services.
Intrusion Detection: Snort. Basics: History Snort was developed in 1998 by Martin Roesch. It was intended to be an open-source technology, and remains.
IDS Intrusion Detection Systems CERT definition: A combination of hardware and software that monitors and collects system and network information and analyzes.
SNORT An Open Source Network Intrusion Prevention and Detection System. (NIPS and NIDS)
Intrusion Prevention System. Module Objectives By the end of this module, participants will be able to: Use the FortiGate Intrusion Prevention System.
COEN 252: Computer Forensics Network Analysis and Intrusion Detection with Snort.
A Virtual Honeypot Framework Author: Niels Provos Published in: CITI Report 03-1 Presenter: Tao Li.
SNORT Feed the Pig Vicki Insixiengmay Jon Krieger.
Distributed IDS The implementation of a Distributed Intrusion Detection System over a medium scale open network where the focus is availability of services.
What is a “Network Intrusion Detection System (NIDS)"?
CSCI 530 Lab Intrusion Detection Systems IDS. A collection of techniques and methodologies used to monitor suspicious activities both at the network and.
Snort & Nmap Mike O’Connor Eric Tallman Matt Yasiejko.
Cs490ns - cotter1 Snort Intrusion Detection System
Intrusion Detection System (Snort & Barnyard) : Security and Privacy on the Internet Instructor: Dr. A. K. Aggarwal Presented By: Vic Ho & Kashif.
Copyright 2001 Martin Roesch, All Rights Reserved Martin Roesch Sourcefire Inc.
Linux Networking and Security
Computer Network Forensics Lecture 6 – Intrusion Detection © Joe Cleetus Concurrent Engineering Research Center, Lane Dept of Computer Science and Engineering,
An Intrusion Detection System to Monitor Traffic Through the CS Department Christy Jackson, Rick Rossano, & Meredith Whibley April 24, 2000.
Snort Intrusion Detection. What is Snort Packet Analysis Tool Most widely deployed NIDS Initial release by Marty Roesch in 1998 Current version
An overview.
Intrusion Intrusion Detection Systems with Snort Hailun Yan 564-project.
COEN 252: Computer Forensics Network Analysis and Intrusion Detection with Snort.
Snort - Lightweight Intrusion Detection for Networks YOUNG Wo Sang Program Committee, PISA
I NTRUSION P REVENTION S YSTEM (IPS). O UTLINE Introduction Objectives IPS’s Detection methods Classifications IPS vs. IDS IPS vs. Firewall.
Network Intrusion Detection System (NIDS)
IDS Intrusion Detection Systems CERT definition: A combination of hardware and software that monitors and collects system and network information and analyzes.
An Introduction To Gateway Intrusion Detection Systems Hogwash GIDS Jed Haile Nitro Data Systems.
Some Great Open Source Intrusion Detection Systems (IDSs)
25/09/ Firewall, IDS & IPS basics. Summary Firewalls Intrusion detection system Intrusion prevention system.
CompTIA Security+ Study Guide (SY0-401)
IDS Intrusion Detection Systems
Snort – IDS / IPS.
Principles of Computer Security
SNORT.
James Logan CS526 Dr. Chow April 29, 2009
CompTIA Security+ Study Guide (SY0-401)
Intrusion Detection Systems (IDS)
Modified slides from Martin Roesch Sourcefire Inc.
Intrusion Detection system
Snort Based Intrusion Detection System
Presentation transcript:

Martin Roesch Sourcefire Inc. Copyright 2001 Martin Roesch, All Rights Reserved

Copyright 2001 Martin Roesch, All Rights Reserved Topics Background What is Snort? Using Snort Snort Architecture The Future of Snort and Snort 2.0 Copyright 2001 Martin Roesch, All Rights Reserved

Background – Intrusion Detection Intrusion Detection defined: “the problem of identifying individuals who are using a computer system without authorization” Attempts to break in also have to be identified Intrusion detection is NOT intrusion prevention! Copyright 2001 Martin Roesch, All Rights Reserved

Copyright 2001 Martin Roesch, All Rights Reserved Background – Policy Successful intrusion detection depends on policy and management as much as technology Security Policy (defining what is acceptable and what is being defended) is the first step Notification Who, how fast? Response Coordination Copyright 2001 Martin Roesch, All Rights Reserved

Copyright 2001 Martin Roesch, All Rights Reserved Intro to Snort What is Snort? Snort is a multi-mode packet analysis tool Sniffer Packet Logger Forensic Data Analysis tool Network Intrusion Detection System Where did it come from? Developed out of my evolving need to perform network traffic analysis in both real-time and for forensic post processing Copyright 2001 Martin Roesch, All Rights Reserved

Copyright 2001 Martin Roesch, All Rights Reserved Snort “Metrics” Small (~800k source download) Portable (Linux, Windows, MacOS X, Solaris, BSD, IRIX, Tru64, HP-UX, etc) Fast (High probability of detection for a given attack on 100Mbps networks) Configurable (Easy rules language, many reporting/logging options Free (GPL/Open Source Software) Copyright 2001 Martin Roesch, All Rights Reserved

Copyright 2001 Martin Roesch, All Rights Reserved Snort Design Packet sniffing “lightweight” network intrusion detection system Libpcap-based sniffing interface Rules-based detection engine Plug-in system allows endless flexibility Copyright 2001 Martin Roesch, All Rights Reserved

Copyright 2001 Martin Roesch, All Rights Reserved Detection Engine Rules form “signatures” Modular detection elements are combined to form these signatures Wide range of detection capabilities Stealth scans, OS fingerprinting, buffer overflows, back doors, CGI exploits, etc. Rules system is very flexible, and creation of new rules is relatively simple Copyright 2001 Martin Roesch, All Rights Reserved

Copyright 2001 Martin Roesch, All Rights Reserved Plug-Ins Preprocessor Packets are examined/manipulated before being handed to the detection engine Detection Perform single, simple tests on a single aspect/field of the packet Output Report results from the other plug-ins Copyright 2001 Martin Roesch, All Rights Reserved

Copyright 2001 Martin Roesch, All Rights Reserved Uses for Snort Standard packet sniffing NIDS Policy Enforcement Honeypot monitor Scan detection/traps Copyright 2001 Martin Roesch, All Rights Reserved

IDS Implementation Map Honeypot (Deception System) Generic Server (Host-Based ID) (Snort 2.0) Internet Firewall (Perimeter Logs) Filtering Router (Perimeter Logs) Statistical IDS (Snort) Network IDS (Snort) Copyright 2001 Martin Roesch, All Rights Reserved

Copyright 2001 Martin Roesch, All Rights Reserved Using Snort Three main operational modes Sniffer Mode Packet Logger Mode NIDS Mode (Forensic Data Analysis Mode) Operational modes are configured via command line switches Snort automatically tries to go into NIDS mode if no command line switches are given, looks for snort.conf configuration file in /etc Copyright 2001 Martin Roesch, All Rights Reserved

Using Snort – Sniffer Mode Works much like tcpdump Decodes packets and dumps them to stdout BPF filtering interface available to shape displayed network traffic Copyright 2001 Martin Roesch, All Rights Reserved

What Do The Packet Dumps Look Like? =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 11/09-11:12:02.954779 10.1.1.6:1032 -> 10.1.1.8:23 TCP TTL:128 TOS:0x0 ID:31237 IpLen:20 DgmLen:59 DF ***AP*** Seq: 0x16B6DA Ack: 0x1AF156C2 Win: 0x2217 TcpLen: 20 FF FC 23 FF FC 27 FF FC 24 FF FA 18 00 41 4E 53 ..#..'..$....ANS 49 FF F0 I.. 11/09-11:12:02.956582 10.1.1.8:23 -> 10.1.1.6:1032 TCP TTL:255 TOS:0x0 ID:49900 IpLen:20 DgmLen:61 DF ***AP*** Seq: 0x1AF156C2 Ack: 0x16B6ED Win: 0x2238 TcpLen: 20 0D 0A 0D 0A 53 75 6E 4F 53 20 35 2E 37 0D 0A 0D ....SunOS 5.7... 00 0D 0A 0D 00 ..... Copyright 2001 Martin Roesch, All Rights Reserved

How is it different from tcpdump? 11:16:35.648944 10.1.1.8.23 > 10.1.1.6.1033: P 16:34(18) ack 16 win 8760 (DF) (ttl 255, id 49913) 4500 003a c2f9 4000 ff06 a2b4 0a01 0108 0a01 0106 0017 0409 1cf9 e7f6 001a e050 5018 2238 31c6 0000 fffe 1fff fe23 fffe 27ff fe24 fffa 11:16:35.649457 10.1.1.6.1033 > 10.1.1.8.23: P 16:19(3) ack 34 win 8727 (DF) (ttl 128, id 57861) 4500 002b e205 4000 8006 02b8 0a01 0106 0a01 0108 0409 0017 001a e050 1cf9 e808 5018 2217 6f19 0000 fffc 1f20 2020 Copyright 2001 Martin Roesch, All Rights Reserved

Copyright 2001 Martin Roesch, All Rights Reserved Packet Logger Mode Gee, it sure would be nice if I could save those packets to disk… Multi-mode packet logging options available Flat ASCII, tcpdump, XML, database, etc available Log all data and post-process to look for anomalous activity Copyright 2001 Martin Roesch, All Rights Reserved

Copyright 2001 Martin Roesch, All Rights Reserved NIDS Mode Uses all phases of Snort + plug-ins to analyze traffic for both misuse detection and anomalous activity Can perform portscan detection, IP defragmentation, TCP stream reassembly, application layer analysis and normalization, etc Copyright 2001 Martin Roesch, All Rights Reserved

Copyright 2001 Martin Roesch, All Rights Reserved NIDS Mode… Various output options available Database (MySQL, PostgreSQL, Oracle, unixODBC, etc) XML (snml DTD from CMU/CERT) Tcpdump binary format Unified (Snort specific) format ASCII, syslog, WinPopup (SMB) Etc. Copyright 2001 Martin Roesch, All Rights Reserved

Copyright 2001 Martin Roesch, All Rights Reserved NIDS Mode… Wide variety of rules available for signature engine (~1300 as of June 2001) Multiple detection modes available via rules and plug-ins Rules/signature Statistical anomaly Protocol verification Copyright 2001 Martin Roesch, All Rights Reserved

Copyright 2001 Martin Roesch, All Rights Reserved Snort Architecture Copyright 2001 Martin Roesch, All Rights Reserved

Copyright 2001 Martin Roesch, All Rights Reserved Snort 1.x Data Flow Packet Stream Snort Sniffing Packet Decoder Data Flow Preprocessor (Plug-ins) Detection Engine (Plug-ins) Output Stage (Plug-ins) Alerts/Logs Copyright 2001 Martin Roesch, All Rights Reserved

Copyright 2001 Martin Roesch, All Rights Reserved Snort 1.x Architecture Snort’s existing architecture for the 1.x series of code is a study in organic software development Snort’s evolution Sniffer->packet logger->NIDS Speed by subsystem Decode = very fast Detection engine = fast Output/preprocessor modules = implementation dependent Copyright 2001 Martin Roesch, All Rights Reserved

Snort 1.x Detection Engine Implemented as a 3-dimensional linked list Dimensions 1 & 2 contain data nodes to be tested against current packet Dimension 3 contains linked lists of function pointers to test the node’s data against the packet Entire engine is walked recursively Very fast, very robust “First exit” detection strategy First detect causes engine to perform rule action & then go on to next packet Copyright 2001 Martin Roesch, All Rights Reserved

Detection Engine: Rules Rule Header Rule Options Alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: SF; msg: “SYN-FIN Scan”;) Alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: S12; msg: “Queso Scan”;) Alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: F; msg: “FIN Scan”;) Copyright 2001 Martin Roesch, All Rights Reserved

Detection Engine: Internal Representation Rule Node Alert tcp 1.1.1.1 any -> 2.2.2.2 any Option Node (flags: SF; msg: “SYN-FIN Scan”;) (flags: S12; msg: “Queso Scan”;) (flags: F; msg: “FIN Scan”;) Copyright 2001 Martin Roesch, All Rights Reserved

Detection Engine: Fully Populated Rule Node Rule Node Rule Node Rule Node Rule Node Option Node Option Node Option Node Option Node Option Node Option Node Option Node Option Node Option Node Option Node Option Node Copyright 2001 Martin Roesch, All Rights Reserved

Snort 1.x Performance and Flexibility Development process lead to very high speed decoding and stateless intrusion detection How fast is it? Configuration dependent, but 100Mbps is not too difficult for Snort to manage Flexibility made Snort the platform of choice for a number of applications in the R&D space Govt and University researchers frequently use Snort as a rapid prototyping platform for new ideas in intrusion detection Copyright 2001 Martin Roesch, All Rights Reserved

Copyright 2001 Martin Roesch, All Rights Reserved Snort 1.x Limitations Snort is an IP-centric program Packet analysis IP defragmentation and TCP stream reassembly are via the preprocessor interface Internal data structures don’t scale well for addition of new protocols NOTE: Adding new protocol support is not hard, just a little clunky Application layer is not decoded by packet decoder Left for pattern analysis in detection engine Copyright 2001 Martin Roesch, All Rights Reserved

Copyright 2001 Martin Roesch, All Rights Reserved Snort 1.x Limitations Detection Engine & Preprocessors Revelation: Not everyone is as concerned with performance as I am! Not all preprocessors are created equal Adding additional protocol support to detection engine is not well modularized Adding “IP” rules support took about 7 lines of code, but knowing which 7 required me to do it Rules description language is limited at the protocol level Easy to describe IP/TCP/UDP/ICMP/IGMP/Etc, hard to describe HTTP, RPC, SMTP, etc Copyright 2001 Martin Roesch, All Rights Reserved

Copyright 2001 Martin Roesch, All Rights Reserved Snort 1.x Limitations Output People have a really nasty tendency to write slow output plug-ins! Variable output formats mean performance is highly variable based on the selected output modes No way to control Snort’s performance effectively, leading to negative reviews and user e-mail “Snort’s eating 90% of the CPU!?!” Copyright 2001 Martin Roesch, All Rights Reserved

Copyright 2001 Martin Roesch, All Rights Reserved Snort 2.0 Architecture Basic goals Faster More extensible Better protocol support Better able to analyze the full gestalt of network intrusion activity Copyright 2001 Martin Roesch, All Rights Reserved

Copyright 2001 Martin Roesch, All Rights Reserved Snort 2.0 Plug-Ins More of them for more flexibility Data acquisition Traffic decoders Full protocol analysis and verification Multi-path traffic flows, packet and stream Multi-format rules input DB, XML, etc Pluggable detection engines Standard NIDS, Target-based IDS, Statistical IDS, Host-based IDS Copyright 2001 Martin Roesch, All Rights Reserved

Copyright 2001 Martin Roesch, All Rights Reserved Snort 2.0 Improvements Improved detection & pattern matching capabilities Aho-Corasick/Boyer-Moore implementation from Silicon Defense LANL/RADIANT Team work on set-wise Boyer-Moore-Horspool algorithm ~500% in pattern matching performance improvement reported in research work! Copyright 2001 Martin Roesch, All Rights Reserved

Copyright 2001 Martin Roesch, All Rights Reserved Snort 2.0 Improvements Spooling output stage Write Snort alert/log data to spool files, have a secondary process (‘barnyard’) read the spools and reformat for final output Output plug-ins attach to barnyard instead of being directly linked to Snort main code Deterministic performance measurements and focused performance improvement will be possible through this method Copyright 2001 Martin Roesch, All Rights Reserved

Snort 2.0 Detection Engine Far more self-optimizing than 1.x Rules will be “treed” to a greater extent Most tests will be performed only once More rules can be loaded with less impact on the overall performance of the program Speed and structure of engine will allow “last-exit” detection strategy to be used Copyright 2001 Martin Roesch, All Rights Reserved

Snort 2.0 Detection Engine Comparison – V 1.x alert tcp Sip: 1.1.1.1 Dip: 2.2.2.2 Dp: 80 (flags: A+; content: “”foo”;) (flags: A+; content: “bar”;) (flags: A+; content: “baz”;) Copyright 2001 Martin Roesch, All Rights Reserved

Snort 2.0 Detection Engine Comparison – V 2.0 alert tcp Sip: 1.1.1.1 Dip: 10.1.1.0/24 content: “”foo”; Dip: 2.2.2.2 Dp: 80 Flags: A+; content: “bar”; content: “baz”; Copyright 2001 Martin Roesch, All Rights Reserved

Copyright 2001 Martin Roesch, All Rights Reserved Acquisition Plugins Libpcap allows us to be very cross platform but is also a bottleneck Acquisition plugins allow arbitrary data input sources Interesting applications Netfilter/divert socket input stream Gateway IDS… Host-based IDS… High speed platform specific acquistion capability Copyright 2001 Martin Roesch, All Rights Reserved

Copyright 2001 Martin Roesch, All Rights Reserved Decoder Plugins Arbitrary protocol support in Snort Snort is currently limited to… Ethernet, FDDI, T/R, SLIP, PPP, ISDN, Raw IP, ARP TCP, UDP, ICMP With plug-ins, new decoders can be painlessly dropped into Snort, automatically making Snort “aware” of that protocol and capable of performing traffic analysis on it Additional support for “unknown” protocols will have to be added to the detection engine Copyright 2001 Martin Roesch, All Rights Reserved

Pluggable Detection Engines Current signature based engine isn’t necessarily the only way to do NID The current primary detection engine in Snort is really just a very involved preprocessor Other possibilities Snort + Netfilter (or Divert Sockets) = Gateway IDS (or “packet scrubber”) Snort + NMAP = Target-based IDS Snort + SAS = Statistical Anomaly IDS (ok, just kidding) Copyright 2001 Martin Roesch, All Rights Reserved

Copyright 2001 Martin Roesch, All Rights Reserved Learning More www.snort.org Writing Snort Rules www.snort.org/snort_rules.html FAQ, USAGE file, README file, man page Snort mailing lists Books Intrusion Detection: An Analysts Handbook by Northcutt Intrusion Signatures and Analysis by Northcutt The Practical Intrusion Detection Handbook by Paul Proctor Copyright 2001 Martin Roesch, All Rights Reserved

Copyright 2001 Martin Roesch, All Rights Reserved FIN Martin Roesch roesch@sourcefire.com Get Snort www.snort.org Win32 version www.datanerds.net/~mike Get Snort Rules www.whitehats.com Commercial Snort Tech Support and Info www.silicondefense.com Commercial Snort Network Security Appliances www.sourcefire.com Security Info www.securityfocus.com packetstorm.securify.com www.linuxsecurity.com www.technotronic.com Many more Copyright 2001 Martin Roesch, All Rights Reserved

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.