Snort Rule - Wireless/Mobile network LAB, 박준석

Snort Rules

- Snort rules are simple, lightweight, flexible and powerful.
- What rules describe:
  - well-known, common attack attempts
  - violations of the security policy set by the administrator
  - network packets that the administrator considers anomalous
- Guiding principles:
  - A rule is written on a single line (later Snort releases also accept a trailing backslash to continue a rule on the next line, as some examples on the later slides do).
  - A rule consists of two parts: the rule header and the rule options.
  - Rule header: the rule's action, protocol, source and destination IP addresses with their CIDR (Classless Inter-Domain Routing) blocks, and the source and destination ports.
  - Rule options: the alert message and which parts of the packet to inspect.

Snort Rules (cont..)

- Include: allows other rule files to be included
  - Format: include <file path/name>
  - Ex) include /etc/snort/ping-lib
- Variable: variables may be defined
  - Format: var <name> <value>
  - Simple substitution: $name is replaced by the value wherever it appears in a rule
  - Example:
    var MY_NET [192.168.1.0/24,10.1.1.0/24]
    alert tcp any any -> $MY_NET any (flags: S; msg: "SYN packet";)

Snort Rules (cont..)

- Variable (cont..): variable modifiers
  - $var             define a meta variable
  - $(var)           replace with the contents of variable "var"
  - $(var:-default)  replace with the contents of "var", or with "default" if "var" is undefined
  - $(var:?message)  replace with the contents of "var", or print the error message "message" and exit
  - Example:
    var MY_NET $(MY_NET:-192.168.1.0/24)
    log tcp any any -> $(MY_NET:?MY_NET is undefined!) 23
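The substitution rules above are easiest to see by running them over a small rules file. The following Python is an added example, not Snort's own code and not part of the lab slides: it implements the four forms listed on this slide ($var, $(var), $(var:-default), $(var:?message)), processes var definitions in file order the way Snort does, and turns the "print a message and exit" case into an exception so a caller can report the offending line. The rules-file fragment it reads is constructed here; its RFC 1918 networks are chosen for the example.

```python
import re

# Added example of Snort's variable substitution (not Snort's code). The four forms are the
# ones listed on the slide: $var, $(var), $(var:-default), $(var:?message).
_VAR_RE = re.compile(r"\$(?:\((\w+)(?::([-?])(.*?))?\)|(\w+))")


class UndefinedVariable(Exception):
    """Snort prints the message and exits; here we raise so the caller can report the line."""


def expand(text, variables):
    """Substitute every variable reference in one line of a rules file."""
    def repl(m):
        name = m.group(1) or m.group(4)
        op, arg = m.group(2), m.group(3)
        if name in variables:
            return variables[name]
        if op == "-":            # $(var:-default): fall back to the default
            return arg
        if op == "?":            # $(var:?message): fail with the user's message
            raise UndefinedVariable(arg)
        raise UndefinedVariable(f"{name} is undefined")   # bare $var or $(var) with no fallback
    return _VAR_RE.sub(repl, text)


def load_rules(lines):
    """Process 'var NAME VALUE' definitions in order and expand the remaining rule lines."""
    variables, rules = {}, []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("var "):
            parts = line.split(None, 2)
            if len(parts) != 3:
                raise ValueError(f"bad var definition: {line}")
            variables[parts[1]] = expand(parts[2], variables)   # a value may refer to earlier vars
        else:
            rules.append(expand(line, variables))
    return variables, rules


# Constructed rules-file fragment for the demo; the RFC 1918 networks are chosen here, not
# taken from the lab. The second var line leaves MY_NET unchanged because it is already set.
SAMPLE_RULES = """\
var MY_NET [192.168.1.0/24,10.1.1.0/24]
alert tcp any any -> $MY_NET any (flags: S; msg: "SYN packet";)
var MY_NET $(MY_NET:-172.16.0.0/16)
log tcp any any -> $(MY_NET:?MY_NET is undefined!) 23
"""

if __name__ == "__main__":
    defined, expanded = load_rules(SAMPLE_RULES.splitlines())
    print(defined)
    for rule in expanded:
        print(rule)
```

Deleting the first var line from the sample and re-running shows the difference between the two modifiers: the :- form silently falls back to 172.16.0.0/16 for the second definition, while the :? form on the log rule stops processing with "MY_NET is undefined!".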

Snort Rules (cont..)

- Example
  alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg: "mountd access";)
  - Rule header (who, where and what): action alert; protocol TCP; source any IP address and any port; direction -> (incoming); target 192.168.1.0/24, the class-C-sized block 192.168.1.0 to 192.168.1.255, port 111
  - Rule options (alert and packet-inspection information): content gives the bytes to find in the payload (|00 01 86 a5| is 100005, the RPC program number of mountd, written in hex); msg gives the alert message

Basics in Writing : Rule Action

- Rule action (the first field of the header)
  - alert: generate an alert using the selected alert method, then log the packet
  - log: log the packet
  - pass: ignore the packet
  - activate: alert, then turn on another dynamic rule
  - dynamic: stay idle until activated by an activate rule, then act as a log rule
  - Note: pass rules do not automatically win. By default Snort applies alert rules first, then pass, then log, so a pass rule meant to silence a noisy alert only works when the rule order is changed (the -o switch in Snort 1.x/2.x gives pass -> alert -> log).
  alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg: "mountd access";)

Basics in Writing : Protocol

- Protocol (the second field of the header)
  - Currently available protocols: TCP, UDP, ICMP
  - In the future: ARP, IGRP, GRE, OSPF, RIP and IPX (later Snort releases added a generic ip protocol, used together with the ip_proto option below, rather than these)
  alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg: "mountd access";)

Basics in Writing : IP address and Port

- IP address and port (fields 3-4 and 6-7 of the header)
  - Format: IP address/CIDR  port number
  - IP address definition:
    - any: matches any address
    - there is no hostname lookup; addresses must be written numerically
  alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg: "mountd access";)

Basics in Writing : IP address and Port

- CIDR: the netmask applied to the IP address in the rule
  - /24 indicates a class-C-sized network
  - /16 a class-B-sized network
  - /32 a single machine address
  - Example: 192.168.1.0/24 covers 192.168.1.0 to 192.168.1.255

Basics in Writing : IP address and Port

- Operators
  - ! negation operator
  - : range operator (for ports)
  - Examples:
    alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111 (content: "|00 01 86 a5|"; msg: "external mountd access";)
      alert on any traffic to port 111 that originates outside the local network
    log tcp any any -> 192.168.1.0/24 !6000:6010
      log everything except the X Window ports
    log tcp any :1024 -> 192.168.1.0/24 500:
      log TCP traffic from privileged ports (less than or equal to 1024) going to ports greater than or equal to 500

Basics in Writing : Direction Operator

- Direction operator: indicates the orientation of the traffic the rule applies to
  - -> from source to destination
  - <> bidirectional; useful for recording and analyzing both sides of a conversation, e.g. POP3, Telnet
  - There is no <- operator; write the header the other way round instead.
  alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg: "mountd access";)

Basics in Writing : Rule Options

- Special characters
  - Format: (keyword: argument; keyword: argument; ... ;)
  - ; separates one option from the next
  - : separates a keyword from its argument
  - | delimits binary data, written as hex bytes inside a content string
  alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg: "mountd access";)

Basics in Writing : Rule Options

- Available keywords
  - msg: prints a message in alerts and packet logs. ex) msg: "<message text>";
  - logto: log the packet to a user-specified filename instead of the standard output file. ex) logto: "filename";
  - ttl: test the IP header's TTL field value. ex) ttl: <number>;
  - tos: test the IP header's TOS field value. ex) tos: <number>;
  - id: test the IP header's identification (fragment ID) field for a specific value. ex) id: <number>;
  - ipoption: watch the IP option fields for specific codes
  - fragbits: test the fragmentation bits of the IP header
    ex) alert tcp !$HOME_NET any -> $HOME_NET any (fragbits: R+; \
          msg: "Reserved bit set!";)
  - dsize: test the packet's payload size against a value
  - flags: test the TCP flags for certain values

Basics in Writing : Rule Options

- Keywords (cont..)
  - seq: test the TCP sequence number field for a specific value
  - ack: test the TCP acknowledgement field for a specific value
  - itype: test the ICMP type field against a specific value
  - icode: test the ICMP code field against a specific value
  - icmp_id: test the ICMP ECHO ID field against a specific value
  - icmp_seq: test the ICMP ECHO sequence number against a specific value
  - content: search for a pattern in the packet's payload; hex bytes between | | and literal text may be mixed
    ex) alert tcp any any -> 192.168.1.0/24 143 (content:"|90C8 C0FF FFFF|/bin/sh"; \
          msg: "IMAP buffer overflow!";)
  - content-list: search for a set of patterns in the packet's payload

Basics in Writing : Rule Options

- Keywords (cont..)
  - nocase: match the preceding content string case-insensitively
  - session: dump the application-layer information for a given session
  - rpc: watch RPC services for specific application/procedure calls
  - resp: active response (knock down connections, etc.)
  - react: active response (block web sites)
    Caveat: resp and react make a passive sensor inject traffic. Anyone who can trigger the rule with spoofed packets can make the sensor reset other people's connections, so use them only on rules that cannot be provoked by unauthenticated input.
  - reference: external attack reference IDs
  - sid: Snort rule ID
  - rev: rule revision number
  - classtype: rule classification identifier
  - priority: rule severity identifier

Basics in Writing : Rule Options

- Keywords (cont..)
  - uricontent: search for a pattern in the URI portion of a packet
  - tag: advanced logging actions for rules
  - ip_proto: test the IP header's protocol value
  - sameip: true if the source IP equals the destination IP
  - stateless: valid regardless of stream state
  - regex: wildcard pattern matching
  - offset: modifier for the content option; sets the offset at which to begin the pattern match
  - depth: modifier for the content option; sets the maximum search depth for the pattern match attempt, counted from the offset
    ex) alert tcp any any -> 192.168.1.0/24 80 (content: "cgi-bin/phf"; \
          offset: 3; depth: 22; msg: "CGI-PHF access";)
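Everything from the Rule Action slide through the offset/depth modifiers can be exercised end to end with a small parser and matcher. The Python below is an added example, not Snort's own code: it parses the slides' example rules (the seven header fields, ! negation, port ranges, the -> and <> direction operators, semicolon-separated options, hex content strings, and the offset/depth/nocase modifiers) and evaluates them against packet summaries constructed for the demonstration. It assumes variables such as $HOME_NET have already been substituted and that address lists contain no spaces; the 192.168.1.0/24 target comes from the slides, the source addresses and payloads are made up here.

```python
# Added example: parser/matcher for the Snort 1.x rule syntax on these slides (not Snort's code).
# Assumes $VARIABLES are already expanded and address lists have no spaces: [a/24,b/24].
import ipaddress
import re
from collections import namedtuple

ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp"}

# Rule header: action proto src sport (->|<>) dst dport, optionally followed by (options)
HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*(?:\((.*)\))?\s*$")

Rule = namedtuple("Rule", "action proto src sport direction dst dport options")
# Constructed packet summary standing in for a live capture (payload defaults to empty).
Packet = namedtuple("Packet", "proto src sport dst dport payload", defaults=[b""])


def parse_addr(spec):
    """'any', a.b.c.d[/len] or [net,net]; a leading '!' negates. No hostname lookup."""
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        return negated, [ipaddress.ip_network("0.0.0.0/0")]
    return negated, [ipaddress.ip_network(n, strict=False) for n in spec.strip("[]").split(",")]


def parse_ports(spec):
    """'any', N, N:M, 'N:' (>= N) or ':M' (<= M); a leading '!' negates. -> (negated, lo, hi)"""
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        return negated, 0, 65535
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return negated, int(lo) if lo else 0, int(hi) if hi else 65535
    return negated, int(spec), int(spec)


def parse_options(body):
    """Split 'keyword: argument; ...' on semicolons that are outside double quotes."""
    opts, buf, quoted = [], "", False
    for ch in (body or "") + ";":          # trailing ';' flushes an unterminated last option
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            if buf.strip():
                key, _, arg = buf.strip().partition(":")
                opts.append((key.strip(), arg.strip()))
            buf = ""
        else:
            buf += ch
    return opts


def decode_content(arg):
    """'text|00 01|text': segments between '|' are hex bytes, everything else is literal."""
    out = bytearray()
    for i, part in enumerate(arg.strip().strip('"').split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("expected: action proto src sport -> dst dport (options)")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    if action not in ACTIONS:
        raise ValueError(f"unknown rule action: {action}")
    if proto not in PROTOCOLS:
        raise ValueError(f"unsupported protocol: {proto}")
    return Rule(action, proto, parse_addr(src), parse_ports(sport), direction,
                parse_addr(dst), parse_ports(dport), parse_options(body))


def _addr_ok(spec, ip):
    negated, nets = spec
    return any(ipaddress.ip_address(ip) in n for n in nets) != negated


def _port_ok(spec, port):
    negated, lo, hi = spec
    return (lo <= port <= hi) != negated


def _endpoints_ok(rule, s_ip, s_port, d_ip, d_port):
    return (_addr_ok(rule.src, s_ip) and _port_ok(rule.sport, s_port)
            and _addr_ok(rule.dst, d_ip) and _port_ok(rule.dport, d_port))


def _content_ok(options, payload):
    """Every content keyword, with the offset/depth/nocase modifiers after it, must hit."""
    checks = []  # each entry: [pattern, offset, depth, nocase]
    for key, arg in options:
        if key == "content":
            checks.append([decode_content(arg), 0, None, False])
        elif key in ("offset", "depth") and checks:
            checks[-1][1 if key == "offset" else 2] = int(arg)
        elif key == "nocase" and checks:
            checks[-1][3] = True
    for pat, offset, depth, nocase in checks:
        hay = payload.lower() if nocase else payload
        pat = pat.lower() if nocase else pat
        end = None if depth is None else offset + depth   # pattern must lie in [offset, offset+depth)
        if hay.find(pat, offset, end) < 0:
            return False
    return True


def matches(rule, pkt):
    """True when the header matches (either way round for '<>') and all content checks hit."""
    if pkt.proto != rule.proto:
        return False
    ok = _endpoints_ok(rule, pkt.src, pkt.sport, pkt.dst, pkt.dport)
    if rule.direction == "<>":
        ok = ok or _endpoints_ok(rule, pkt.dst, pkt.dport, pkt.src, pkt.sport)
    return ok and _content_ok(rule.options, pkt.payload)
```

Feeding it the mountd rule and a TCP segment to 192.168.1.10:111 whose payload contains 00 01 86 a5 returns True; the same payload to a host outside the /24, over UDP, or to a port outside the range returns False, which is the header/option split the slides describe. The CGI-PHF rule shows why depth matters: "cgi-bin/phf" at byte 5 of a request is found, but the same string buried past byte 25 is not, because depth: 22 limits the search window that starts at offset: 3.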
