Penetration Testing Security Analysis and Advanced Tools: Snort

Introduction to Snort Analysis Snort – Widely used, open-source, network-based intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks – Performs protocol analysis and content matching to detect a variety of attacks and probes such as: buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and more

Modes of Operation Snort can be configured to run in the following modes: – Packet Sniffer – Packet Logger – Network Intrusion Detection System – Inline

Features of Snort Features of Snort: – Protocol analysis – Content searching/matching – Real-time alerting capability – Can read a Tcpdump trace and run it against a rule set – Flexible rules language Snort can be configured to watch a network for a particular type of attack profile – It can alert the incident response team as soon as the attack takes place

Configuring Snort Snort is configured using the text file snort.conf – include keyword allows other rules files to be included within the rules file Variables – Used to define parameters for detection, specifically those of the local network or specific servers or ports for inclusion or exclusion in the rules Snort Preprocessors – Offer additional detection capabilities – Port scan: TCP connection that attempts to send to more than P ports in T seconds or as UDP packets sent to more than P ports in T seconds

Configuring Snort (cont’d.) These are the different directives that can be used with the config command

Configuring Snort (cont’d.) Output Plug-ins – Allow Snort to be much more flexible in the formatting and presentation of output to its users – Snort has nine output plug-ins: alert_syslog alert_fast alert_full alert_unixsock log_tcpdump database csv unified log_null

How Snort Works Initializing Snort – Starting Up – Parsing the Configuration File Decoding – Execution begins at the ProcessPacket() function when a new packet is received Preprocessing – ProcessPacket() function tests to see the mode in which Snort is running Detection – Detection phase begins in the Detect() function

Content Matching Snort uses a series of string matching and parsing functions – Contained in the src/mstring.c and src/mstring.h files in the Snort source tree Detection engine slightly changes the way Snort works by having the first phase be a setwise pattern match Some detection options, such as pcre and byte test, perform detection in the payload section of the packet, rather than using the setwise pattern- matching engine

The Stream4 Preprocessor stream4 module – Provides TCP stream reassembly and stateful analysis capabilities to Snort – Gives large-scale users the ability to track many simultaneous TCP streams – Set to handle 8,192 simultaneous TCP connections in its default configuration Stream4 contains two configurable modules: – Global Stream4 preprocessor – Stream4 reassemble preprocessor

Inline Functionality Implemented utilizing the iptables or ipfw firewall option to provide the functionality for a new set of rule types: drop, reject, and sdrop Inline Initialization – inline_flag variable is used to toggle the use of inline functionality in Snort Inline Detection – To receive packets from ipqueue or ipfw, calls to the IpqLoop() and IpfwLoop() functions are added to the SnortMain() function

Writing Snort Rules Snort uses a simple, lightweight rules description language that is both flexible and powerful The Rule Header (fields) – Rule action – Protocol – IP address – Port information – Directional operator Rule Options – Specify exactly what to match and what to display after a successful match

Writing Snort Rules (cont’d.) These are all available Snort rule options.

Writing Snort Rules (cont’d.) Writing Good Snort Rules – Develop effective content-matching strings – Catch the vulnerability, not the exploit – Catch the oddities of the protocol in the rule – Optimize the rules

Snort Tools IDS Policy Manager – Written to manage Snort IDS sensors in a distributed environment Snort Rules Subscription – Sourcefire, the company behind Snort, uses a registration and subscription model for distribution of new rules Honeynet Security Console – Analysis tool to view events on a personal network or honeynet

Snort Tools (cont’d.) IDS Policy Manager configures Snort with a graphical user interface.

Snort Tools (cont’d.) Honeynet Security Console displays and analyzes events from several IDS programs.

Summary Snort is a powerful intrusion detection system (IDS) and traffic analyzer A Snort configuration file has four major components: – Variables – Preprocessors – Output plug-ins – Rules A Snort rule contains a rule header and rule options Users can write their own Snort rules either manually or with the assistance of tools

Summary (cont’d.) A three-homed firewall DMZ handles the traffic between the internal network and firewall, as well as the traffic between the firewall and DMZ A site survey can be conducted to determine the proper number of access points needed based on the expected number of users and the specific environment for a WLAN Authentication may not be desired if a network is publicly accessible An access point is a layer-2 device that serves as an interface between the wireless network and the wired network