Snort & ACID Low cost, highly configurable IDS by Patrick Southcott

Large topic, General outline: 1.What is snort? 2.Where does an IDS fit in the network? 3.Snort 2.0, Marty and Sourcefire.com 4.Snort system overview –config file –rules (custom & public) 5.ACID : opensource, web-based, simple alert management. 6.PROS & CONS of snort as an IDS. 7.Building a snort sensor on Redhat9.

What is Snort? Snort is an application which listens to network traffic and uses rules to determine if it sees particular types of traffic. It logs, alerts for and listens to network traffic. The System Architecture consists of these main parts: Sniffer Promiscuous Mode NIC Preprocessor frag2, stream4, http_decode Detection Engine Using Rules Logging and Alerting plugins log mysql, alert smb Packets on the wire Snort Detection Process Records in a SQL db

Snort in the larger picture Snort sensors can be placed on any network device. Hubs work best. Sensors may log to a central database over secure tunnels or private media. Management console using ACID.

Network Overview sensor DMZ hosts Internet Router / firewall DMZ sensor Router / firewall Private LAN IDS network Management Console

IDS in Perspective Management / Executive System Admin Network Admin / Analyst low TCO (End-to-end, openness) Wants reports which show ROE Configures and runs everything. Routers, firewalls, servers. Endless game to keep up-to-date. Wants to be user of IDS High quality data Auto-response to new vulnerabilities. Maintains network Event Correlation Broad -> Specific Tune rules

Marty Roesch and Sourcefire Created snort in Sourcefire sells IDS boxes which they install, configure and support. Different security needs may involve specific tuning to customers network. Sourcefire is the major commercial supporter of snort. Gig speeds with multiprocessors and linux –same kernel, custom drivers, minimal footprint demo-sensor.sourcefire.com

Snort Usage Run on Console Run as Daemon $./snort –c snort.conf –l /home/snort/snort_spool/ $./snort –D –c snort.conf –l home/snort/snort_spool/ Snort Config File: config daemon $./snort –l /home/snort/snort_spool/ Running in packet logging mode Log directory = /snort/snort_spool/ Initializing Network Interface eth0 --== Initializing Snort ==-- Initializing Output Plugins! Decoding Ethernet on interface eth0 --== Initialization Complete ==-- -*> Snort! <*- Version 2.0.0rc4 (Build 70) By Martin Roesch Shell output from snort init.:

Snort Console Output ================================================================ Snort analyzed 4 out of 4 packets, dropping 0(0.000%) packets Breakdown by protocol: Action Stats: TCP: 4 ( %) ALERTS: 0 UDP: 0 (0.000%) LOGGED: 4 ICMP: 0 (0.000%) PASSED: 0 ARP: 0 (0.000%) EAPOL: 0 (0.000%) IPv6: 0 (0.000%) IPX: 0 (0.000%) OTHER: 0 (0.000%) DISCARD: 0 (0.000%) ================================================================ Wireless Stats: Breakdown by type: Management Packets: 0 (0.000%) Control Packets: 0 (0.000%) Data Packets: 0 (0.000%) ================================================================ Fragmentation Stats: Fragmented IP Packets: 0 (0.000%) Fragment Trackers: 0 Rebuilt IP Packets: 0 Frag elements used: 0 Discarded(incomplete): 0 Discarded(timeout): 0 Frag2 memory faults: 0 ….

Snort Configuration File var HOME_NET var EXTERNAL_NET var FOO_SERVERS config interface: eth0 config set_uid: snort config dump_payload config daemon preprocessor frag2 preprocessor stream4 preprocessor portscan2 output database: log, mysql, user=snort password=foobar dbname=snort host=localhost Variables Configuration Preprocessor Output SQL Database Each bullet is a line in the config file. Variables are used in the files with the snort rules.

Snort Preprocessors Frag2 Preprocessor –snort.conf: preprocessor frag2 –packet fragmentation can lead to the IDS missing packets or getting different ones than the host gets. This cleans fragmented packets. The stream4 Preprocessor –snort can keep track of tcp sessions. stateful –detection of stealth scans from software like nmap. Portscan and portscan2 Preprocessors –detection of single host access to many ports.

Snort Rules... include $RULE_PATH/local.rules local.rules : snort.conf : Rules to log all tcp, udp and icmp traffic. activate tcp any any -> any 23 (activates: 23; msg:Potential Telnet Login Credentials Logged;) dynamic tcp any any -> any 23 (activated_by: 23; count:20;) log tcp any any -> any any (msg: tcp traffic;) log udp any any -> any any (msg: udp traffic;) log icmp any any -> any any (msg: icmp traffic;)

Snort Rules web-iis.rules : alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \ (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; \ content:"cmd.exe"; nocase; classtype:web-application-attack; \ sid:1002; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \ (msg:"WEB-IIS CodeRed v2 root.exe access"; \ flow:to_server,established; uricontent:"/root.exe";\ nocase; classtype:web-application-attack; \ reference:url, \ sid:1256; rev:7;) # action = pass, log, alert, dynamic, activate # protocol = icmp, tcp, ip, udp action protocol source -> destination ( optional_rule_body )

Snort Rules Default rules for known bad packets. attack-responses.rules backdoor.rules bad-traffic.rules chat.rules ddos.rules deleted.rules DMZ.rules dns.rules dos.rules experimental.rules exploit.rules finger.rules ftp.rules icmp-info.rules icmp.rules imap.rules info.rules local.rules misc.rules multimedia.rules mysql.rules netbios.rules nntp.rules oracle.rules other-ids.rules p2p.rules policy.rules pop2.rules pop3.rules porn.rules rpc.rules rservices.rules scan.rules shellcode.rules smtp.rules snmp.rules sql.rules telnet.rules tftp.rules virus.rules web-attacks.rules web-cgi.rules web-client.rules web-coldfusion.rules web-frontpage.rules web-iis.rules web-misc.rules web-php.rules x11.rules

ACID to manage Alerts Sort and display alerts based on ip, port, date, unique alerts. Search alerts Display layer 3 and 4 packet data Graphs and statistics for alert frequency. Alert grouping, archiving, managing

Connecting mysql with stunnel Generate foo.pem for tunnel. openssl req -new -out stunnel.pem -keyout \ stunnel.pem -nodes -x509 -days 365 Cert = /foobar/stunnel.pem [mysqls] accept = 3307 connect = 3306 #!/bin/sh /usr/local/sbin/stunnel -c -d r :3307 stunnel 4 with config ( stunnel.conf) stunnel 3.22 from shell prompt.

Snort IDS: PROs and CONs Powerful, specific rules to match packets. No backdoors Weakness quickly found & published. Rules actively published for detection of new worms etc. Open Source software developers know code will be checked. Fewer hacks. Snort/ACID is only part of a secure network. Does not record the success or failure of a detected intrusion Does nothing to stop an intrusion in progress. False sense of security. PROsCONs

Installing snort on RedHat 9

IDS component overview Open Source Network Intrusion Detection System (Snort) –snort-2.0.0rc4.tar.gz –mysql tar.gz Analysis Console for Intrusion Databases (ACID) –apache_ tar.gz –php tar.gz –acid-0.9.6b23.tar.gz

Apache & php Setup./configure --prefix=/home/apache/apache_prefix/ -- activate-module=src/modules/php4/libphp4.a make && make install./configure --prefix=/home/apache/php_prefix --with- mysql --enable-bcmath --with-gd --enable-sockets --with- zlib-dir=/home/apache/php-4.3.1/zlib-1.1.4/ --with- apache=../apache_ Php needs graphics libs: – zlib-1.1.4, libpng-1.2.5, gd-1.8.4, phplot-4.4.6

Snort System Setup mysql /configure --prefix=/home/snort/snort_prefix --enable-smbalerts --with-mysql Make && make check && make install; Webmin –snort-1.0.wbm

Create snort database & tables CREATE DATABASE snort;" | mysql -u root –p grant INSERT,SELECT on snort.* to mysql -D snort -u root -p <./contrib/create_mysql

Snort Config Setup output database: log, mysql, user=snortusr password=foobar dbname=snort host=localhost Modify alert rules to personal taste

ACID Setup adodb331.zip in www_root tar zxfp acid-0.9.6b23.tar.gz –mv acid /var/www/html edit acid/acid_conf.php –$DBlib_path = "/var/www/html/adodb"; –$aler_dbname = "snort