Snort Based Intrusion Detection System
Part 1
Some terms related to security
• IDS
• NIDS
• HIDS
• Signatures
• Alerts
• Logs
• False alarms
• Sensor
Introduction to Intrusion Detection
Network defense or “protection” model: Planning, Prevention, Detection, Response
Intrusion detection is the process of discovering, analyzing, and reporting unauthorized or damaging network or computer activities.
Introduction to Intrusion Detection
All network and computer activities fall in one of three categories:
• Normal
• Abnormal but not malicious
• Malicious
Intrusion detection operates in two arenas:
• What a computer says: network traffic
• What a computer thinks: computer processes
Introduction to Intrusion Detection
• Network traffic is monitored by network-based intrusion detection systems (NIDS)
• Computer processes are monitored by host-based intrusion detection systems (HIDS)
• So-called “hybrid” systems examine network traffic to or from a host, as well as processes on that host
• NIDS are easier to deploy and manage, but HIDS may give greater visibility into events
What is Snort?
Snort is a fast, flexible, small-footprint, open-source NIDS developed by the security community and a “benevolent dictator”.
• Lead coder: Marty Roesch, now founder of Sourcefire
• Initially developed in late 1998 as a sniffer with consistent output, unlike the protocol-dependent output of tcpdump
• Sourcefire has been owned by Cisco since 2013
• In 2009, Snort entered InfoWorld's Open Source Hall of Fame as one of the "greatest open source software of all time"
Typical locations for snort
Block Diagram Of Complete IDS
Multiple Snort sensors in the enterprise logging to a centralized database server
Modes of Snort
• Sniffer mode: simply reads the packets off the network and displays them for you in a continuous stream on the console (screen)
• Packet Logger mode: logs the packets to disk
• Network Intrusion Detection System (NIDS) mode: the most complex and configurable mode, which allows Snort to analyze network traffic for matches against a user-defined rule set and perform several actions based upon what it sees
• Honeypot monitor: used to deceive hostile parties
Sniffer Mode
• Works much like tcpdump
• Decodes packets and dumps them to stdout
• BPF filtering interface available to shape the displayed network traffic
What Do The Packet Dumps Look Like?
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
11/09-11:12: :1032 -> :23
TCP TTL:128 TOS:0x0 ID:31237 IpLen:20 DgmLen:59 DF
***AP*** Seq: 0x16B6DA Ack: 0x1AF156C2 Win: 0x2217 TcpLen: 20
FF FC 23 FF FC 27 FF FC 24 FF FA E #..'..$....ANS
49 FF F I..
11/09-11:12: :23 -> :1032
TCP TTL:255 TOS:0x0 ID:49900 IpLen:20 DgmLen:61 DF
***AP*** Seq: 0x1AF156C2 Ack: 0x16B6ED Win: 0x2238 TcpLen: 20
0D 0A 0D 0A E 4F E 37 0D 0A 0D ....SunOS
00 0D 0A 0D
Packet Logger Mode
• Saves packets to disk
• Multi-mode packet logging options available: flat ASCII, tcpdump, XML, database, etc.
• Log all data and post-process it to look for anomalous activity
NIDS Mode
• Wide variety of rules available for the signature engine
• Multiple detection modes available via rules and plug-ins: rules/signature, statistical anomaly, protocol verification
• Uses all phases of Snort plus plug-ins to analyze traffic for both misuse detection and anomalous activity
• Can perform portscan detection, IP defragmentation, TCP stream reassembly, application layer analysis and normalization, etc.
Components of Snort
• Packet Decoder
• Preprocessors
• Detection Engine
• Logging and Alerting System
• Output Modules
Data Flow
Packet Stream -> Sniffing -> Packet Decoder -> Preprocessor (Plug-ins) -> Detection Engine (Plug-ins) -> Output Stage (Plug-ins) -> Alerts/Logs
Packet Decoder
The packet decoder takes packets from different types of network interfaces and prepares them to be preprocessed or to be sent to the detection engine. The interfaces may be Ethernet, SLIP, PPP and so on.
Preprocessor
• Components or plug-ins that can be used with Snort to arrange or modify data packets before the detection engine does some operation to find out if the packet is being used by an intruder
• Important for any IDS to prepare data packets to be analyzed against rules in the detection engine
• Also used for packet defragmentation
The Detection Engine The detection engine is the most important part of Snort. Its responsibility is to detect if any intrusion activity exists in a packet. The detection engine employs Snort rules for this purpose. The rules are read into internal data structures or chains where they are matched against all packets. If a packet matches any rule, appropriate action is taken; otherwise the packet is dropped
Detection Engine
• The time-critical part of Snort
• The load on the detection engine depends upon the following factors: the number of rules, the power of the machine on which Snort is running, the speed of the internal bus used in the Snort machine, and the load on the network
• The detection engine can dissect a packet and apply rules to different parts of the packet
Rules
A rule is written on a single line and has two parts: the rule header and the rule options.
Rules are created from known intrusion signatures and are usually placed in the snort.conf configuration file.
Snort Rule
The basic format of a rule is as follows:
function protocol source_ip/mask source_port -> destination_ip/mask destination_port options
Let's look at a simple rule:
log tcp any any -> /24 23
This rule says to log TCP traffic coming from any IP address and any source port to this network where the destination port is 23 (telnet).
Rule example
Rule header: action (an alert will be generated if the criteria are met), protocol (apply to all IP packets), source IP address, source port, direction, destination IP address, destination port
Rule options: the part in parentheses
Snort Rules
Snort rules are extremely flexible and are easy to modify, unlike many commercial NIDS.
Sample rule to detect the SubSeven trojan:
alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d d0a|"; reference:arachnids,485; reference:url, sid:103; classtype:misc-activity; rev:4;)
Elements before the parentheses comprise the ‘rule header’; elements in parentheses are the ‘rule options’.
Snort Rules
alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d d0a|"; reference:arachnids,485; reference:url, sid:103; classtype:misc-activity; rev:4;)
• alert: action to take; also log, pass, activate, dynamic
• tcp: protocol; also udp, icmp, ip
• $EXTERNAL_NET: source address; this is a variable – a specific IP is OK
• 27374: source port; also any, negation (!21), range (1:1024)
• ->: direction; best not to change this, although <> is allowed
• $HOME_NET: destination address; this is also a variable here
• any: destination port
Why is “pass” needed? Like a firewall, you may have some specific traffic you want to allow.
Activate/dynamic rule pairs give Snort a powerful capability. You can have one rule activate another when its action is performed, for a set number of packets. This is very useful if you want to set Snort up to perform follow-on recording when a specific rule goes off. Activate rules act just like alert rules, except they have a *required* option field: activates. Dynamic rules act just like log rules, but they have a different option field: activated_by. Dynamic rules have a second required field as well, count. Activate rules are just like alerts but also tell Snort to add a rule when a specific network event occurs. Dynamic rules are just like log rules except they are dynamically enabled when the activate rule id goes off.
Snort Rules
alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d d0a|"; reference:arachnids,485; reference:url, sid:103; classtype:misc-activity; rev:4;)
• msg:"BACKDOOR subseven 22"; message to appear in logs
• flags: A+; TCP flags; many options, like SA, SA+, !R, SF*
• content: "|0d0…0a|"; binary data to check for in the packet; content without | (pipe) characters does simple content matches
• reference…; where to go to look for background on this rule
• sid:103; rule identifier
• classtype: misc-activity; rule type; many others
• rev:4; rule revision number
Other rule options are possible, like offset, depth, nocase.
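To make the header/options split, the |hex| content notation, the port specifiers and the flags modifiers from the last few slides concrete, here is an added example (not code from the slides or from the Snort project) that parses a rule line and tests it against constructed packets. The rule it uses is the WEB-IIS cmd.exe rule quoted later in this deck; the packets, the `rule_matches` helper and its simplifications (addresses are not checked, and the `!` flags negation is not modelled) are assumptions made for this illustration.

```python
# Added example (not from the slides): parse a Snort rule line into its header and
# options, decode |hex| content, and test the rule against constructed packets.
import re

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|activate|dynamic)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)$"
)


def parse_options(text):
    """Split 'key:value; key; ...' into (key, value) pairs. A ';' inside a quoted
    msg:"..." must not end the option, so quotes are tracked."""
    opts, buf, quoted = [], "", False
    for ch in text + ";":            # a final ';' flushes the last option
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            key, _, val = buf.strip().partition(":")
            if key:
                opts.append((key.strip(), val.strip().strip('"')))
            buf = ""
        else:
            buf += ch
    return opts


def parse_rule(rule):
    """Return (header dict, option list) for one single-line rule."""
    head, sep, rest = rule.strip().partition("(")
    if not sep or not rest.endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    m = HEADER_RE.match(head.strip())
    if not m:
        raise ValueError("unrecognised rule header: %r" % head)
    return m.groupdict(), parse_options(rest[:-1])


def decode_content(value):
    """content: text between | pipes | is hex; the rest is literal ASCII."""
    out = bytearray()
    for i, chunk in enumerate(value.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)


def port_matches(spec, port):
    """Port spec: any, a number, a range lo:hi, or a negated spec such as !21."""
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return port == int(spec)


def flags_match(spec, pkt_flags):
    """flags option: 'SF' = exactly these bits, 'A+' = these bits plus any others,
    'SF*' = any of these bits. The '!' negation is not modelled here."""
    mode = spec[-1] if spec[-1] in "+*" else ""
    want = set(spec.rstrip("+*"))
    if mode == "+":
        return want <= pkt_flags
    if mode == "*":
        return bool(want & pkt_flags)
    return want == pkt_flags


def rule_matches(rule, pkt):
    """pkt is a constructed dict: proto, sport, dport, flags (set of letters), payload
    (bytes). Addresses are not modelled: $VARIABLES and 'any' are treated as matching."""
    hdr, opts = parse_rule(rule)
    if hdr["proto"] != pkt["proto"]:
        return False
    if not (port_matches(hdr["sport"], pkt["sport"]) and port_matches(hdr["dport"], pkt["dport"])):
        return False
    nocase = any(k == "nocase" for k, _ in opts)
    payload = pkt["payload"].lower() if nocase else pkt["payload"]
    for key, val in opts:
        if key == "flags" and not flags_match(val, pkt["flags"]):
            return False
        if key == "content":
            needle = decode_content(val)
            if (needle.lower() if nocase else needle) not in payload:
                return False
    return True


# The WEB-IIS rule from the slides, and two constructed packets to test it with.
CMD_RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; '
            'flags: A+; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:2;)')
SUSPICIOUS = {"proto": "tcp", "sport": 40123, "dport": 80, "flags": {"A", "P"},
              "payload": b"GET /scripts/CMD.EXE HTTP/1.0\r\n\r\n"}      # constructed
BENIGN = dict(SUSPICIOUS, payload=b"GET /index.html HTTP/1.0\r\n\r\n")   # constructed

if __name__ == "__main__":
    hdr, opts = parse_rule(CMD_RULE)
    print(hdr["action"], hdr["proto"], hdr["dport"], dict(opts)["sid"])
    print(rule_matches(CMD_RULE, SUSPICIOUS), rule_matches(CMD_RULE, BENIGN))
```

Note that `nocase` applies to every `content` in the rule here, which is enough for the single-content rules on these slides; in real Snort it modifies only the `content` it follows.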
Snort Rules
Rule files shipped with Snort: bad-traffic.rules, exploit.rules, scan.rules, finger.rules, ftp.rules, telnet.rules, smtp.rules, rpc.rules, rservices.rules, dos.rules, ddos.rules, dns.rules, tftp.rules, web-cgi.rules, web-coldfusion.rules, web-frontpage.rules, web-iis.rules, web-misc.rules, web-attacks.rules, sql.rules, x11.rules, icmp.rules, netbios.rules, misc.rules, backdoor.rules, shellcode.rules, policy.rules, porn.rules, info.rules, icmp-info.rules, virus.rules, local.rules, attack-responses.rules
Snort Rules
Rules which actually caught intrusions:
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_cmdshell - program execution"; content: "x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; flags:A+; classtype:attempted-user; sid:687; rev:3;)
Caught a compromise of Microsoft SQL Server.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:2;)
Caught a Code Red infection.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP \"MKD / \" possible warez site"; flags: A+; content:"MKD / "; nocase; depth: 6; classtype:misc-activity; sid:554; rev:3;)
Caught an anonymous FTP server.
Logging and Alerting System
• Depending upon what the detection engine finds inside a packet, the packet may be used to log the activity or to generate an alert
• All of the log files are stored under the /var/log/snort folder by default
Detection Engine: Rules
Rule header followed by rule options:
Alert tcp any -> any (flags: SF; msg: "SYN-FIN Scan";)
Alert tcp any -> any (flags: S12; msg: "Queso Scan";)
Alert tcp any -> any (flags: F; msg: "FIN Scan";)
Queso scan, a tool similar to NMAP,
Detection Engine: Internal Representation
Rule Node: Alert tcp any -> any
Option Nodes chained under it:
• (flags: SF; msg: "SYN-FIN Scan";)
• (flags: S12; msg: "Queso Scan";)
• (flags: F; msg: "FIN Scan";)
Detection Engine: Fully Populated
(Figure: five Rule Nodes, each with its own chain of Option Nodes; eleven Option Nodes in total.)
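The internal representation on the last two slides, as an added example that is not part of the original deck or of Snort itself: rules with an identical header collapse into one rule node, and their option parts hang off it as a chain of option nodes that is walked in order. The three scan rules are the slides' own, written out with explicit `any` ports; the fourth (telnet) rule, the packets and the exact-flags matching helper are assumptions for this illustration.

```python
# Added example (not from the slides): build the rule-node / option-node structure the
# detection engine uses, then walk it for constructed packets.

# The three rules from the slides, written with explicit 'any' ports, plus one
# constructed rule with a different header so that a second rule node appears.
RULES = [
    'alert tcp any any -> any any (flags: SF; msg: "SYN-FIN Scan";)',
    'alert tcp any any -> any any (flags: S12; msg: "Queso Scan";)',
    'alert tcp any any -> any any (flags: F; msg: "FIN Scan";)',
    'log tcp any any -> any 23 (flags: S; msg: "telnet connection attempt";)',  # constructed
]


def build_rule_tree(rules):
    """One rule node per distinct header (the dict key), holding a chain of option
    nodes (a list of option dicts) in the order the rules were read."""
    tree = {}
    for rule in rules:
        head, _, rest = rule.strip().partition("(")
        header = " ".join(head.split())          # normalise whitespace so equal headers collide
        options = {}
        for item in rest.rstrip(")").split(";"):
            key, _, val = item.strip().partition(":")
            if key:
                options[key.strip()] = val.strip().strip('"')
        tree.setdefault(header, []).append(options)
    return tree


def header_matches(header, pkt):
    """Only protocol and ports are checked; addresses are all 'any' in these rules."""
    _action, proto, _src, sport, _dir, _dst, dport = header.split()
    return (proto == pkt["proto"]
            and (sport == "any" or int(sport) == pkt["sport"])
            and (dport == "any" or int(dport) == pkt["dport"]))


def detect(tree, pkt):
    """Walk the rule nodes; under a matching header, test the option nodes in order and
    return (action, msg) of the first whose flags equal the packet's flag set exactly.
    Flags are letters as Snort writes them: F S R P A U, plus '1' and '2' for the reserved bits."""
    for header, option_nodes in tree.items():
        if not header_matches(header, pkt):
            continue
        for opts in option_nodes:
            if set(opts.get("flags", "")) == pkt["flags"]:
                return header.split()[0], opts["msg"]
    return None


TREE = build_rule_tree(RULES)

if __name__ == "__main__":
    print(len(TREE), "rule nodes")
    for flags in ({"S", "F"}, {"S", "1", "2"}, {"F"}, {"S"}):
        pkt = {"proto": "tcp", "sport": 40321, "dport": 23, "flags": flags}   # constructed
        print(sorted(flags), detect(TREE, pkt))
```

Because the header is tested once per rule node rather than once per rule, a packet that fails the header check skips all three scan signatures at once; that is the point of the two-level structure.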
Output Modules
Output modules or plug-ins can do different operations depending on how we want to save the output generated by the logging and alerting system of Snort.
Output Modules (continued)
Depending on the configuration, output modules can do things like the following:
• Simply logging to the /var/log/snort/alerts file or some other file
• Sending SNMP traps
• Sending messages to the syslog facility
• Logging to a database like MySQL or Oracle
• Generating eXtensible Markup Language (XML) output
• Modifying configuration on routers and firewalls
• Sending Server Message Block (SMB) messages to Microsoft Windows-based machines
Challenges with snort
Misuse detection – avoid known intrusions:
• The rules database is larger and larger and continues to grow: in snort version 2.3.2 there are 2,600 rules (present version 2.9.8)
• 80% of them are signatures
• Snort spends 80% of its work time doing string matching
Anomaly detection – identify new attacks:
• Probability of detection is low
How to protect IDS itself
• Do not run any service on your IDS sensor itself
• New threats are discovered and patches are released by vendors
• Configure the IDS machine so that it does not respond to ping (ICMP Echo type) packets
• You should use the IDS only for the purpose of intrusion detection
Snort in special cases
• Snort on a stealth interface: listens to the incoming traffic but does not send any data packets out
• Snort on an interface with no IP address: when the Snort host doesn’t have an IP address itself, nobody can access it
Supported Platforms
• Linux
• OpenBSD
• FreeBSD
• NetBSD
• Solaris (both Sparc and i386)
• HP-UX
• AIX
• IRIX
• MacOS
• Windows
Oinkcode
Oinkcodes are unique keys associated with your user account. The oinkcode acts as an API key for downloading rule packages with the URLs listed below. You can find your oinkcode in your user account settings page once you have logged in.
We will need to become a registered member on the Snort website.
This is needed in order to download and use the Sourcefire VRT Certified Rules. Snort will not be able to use updated rules without registering (and Oinkmaster will not work).
After you have created an account, log in to the Snort website and get a personalized Oinkcode (to be used by Oinkmaster).
Download the Sourcefire VRT Certified Rules (registered-user release) – be sure to grab the rules for the version of Snort you are installing (in our case it is 2861).
Right-click on the snortrules-snapshot-2861.tar.gz file that we downloaded and choose “Extract Here”
Right-click on the newly extracted file (snortrules-snapshot-2861.tar) and choose “Extract files...” Change the Path to C:\Snort and check “Overwrite without prompt”
Open a Command Prompt and run c:\snort\bin\snort -W (be sure to use a capital “W”).
While still leaving the Snort command prompt window open, launch a second command prompt window. From the new window, run the command ping google.com. If it hasn't occurred already, this ping command will trigger a Snort alert.
You can now close both command prompt windows, as we have verified that Snort is installed and alerting correctly in verbose mode.
To test that our configuration file is correct, open a new command prompt window and type:
c:\snort\bin\snort -iX -s -l c:\snort\log\ -c c:\snort\etc\snort.conf -T
(replace X with your Device Interface number). If you have correctly entered all information, you should receive a graceful exit such as the screen shot below. If you receive a fatal error, you should first verify that you have typed all modifications correctly into the snort.conf file and then search through the file for entries matching your fatal error message.
Now run c:\snort\bin\snort -v -iX (X is your Device Interface number found from running the previous line). After a couple of seconds you will see “Not Using PCAP_FRAMES”. Snort is now running and will alert you if a rule is triggered. If a rule is triggered, the command prompt window will rapidly scroll text.
Snort Files
Snort files can be categorized as follows:
• The Snort binary file, which is the actual executable.
• The Snort configuration file, which is typically snort.conf.
• Other Snort configuration files like classification.config and reference.config.
• Rule files.
• Log files.
Location of Snort Files
• The Snort binary file is usually installed in the /usr/sbin directory
• The main configuration file snort.conf is installed in the /etc/snort directory. However, we can save this file in any directory because we have to specify the path to this file on the command line when starting Snort
• Other configuration files like classification.config and reference.config are usually stored in the same location as the snort.conf file
• Rule files are referenced in the snort.conf file
• The location of Snort log files can be set with the help of the snort.conf file or using command line options. Typically the log files are stored in the /var/log/snort directory. If the log directory does not exist, we have to create it manually
Snort Command Line Options
• -A: sets the alert mode
• -b: used to log packets in tcpdump format
• -c: specifies the location of the snort.conf file
• -D: enables Snort to run in the background
• -i: starts Snort so that it listens on a particular network interface
• -l: sets the directory where Snort logs messages
• -M: takes a text file as argument; the text file contains a list of Microsoft Windows hosts to which you want to send SMB pop-up windows
• -T: useful for testing and reporting on the Snort configuration
Snort Installation on Linux
Snort can be easily installed from an RPM package using only one command:
rpm -i <snort_file_name.rpm>
Installing from source code is a more complex process and requires the following steps:
Steps for installing using source code
• Download source code file from
• Unpack the tar file using the “tar zxvf <filename.tar.gz>” command.
• Run the configure script. A typical command line is something like “configure --prefix=/opt/snort --with-mysql --with-snmp --with-openssl”.
• Run the make command.
• Run the “make install” command.
• Create a directory /var/log/snort.
• Create a directory /opt/snort/etc.
• Create a directory /opt/snort/rules.
• Copy snort.conf to the /opt/snort/etc directory.
• Copy the classification.config file to the /opt/snort/etc directory.
• Copy the reference.config file to the /opt/snort/etc directory.
• Copy all rule files to the /opt/snort/rules directory.
• Create a startup script snortd and copy it to the /etc/init.d directory. Create its links in the /etc/rcX directories, where X is a run level number, so that Snort starts at boot time.
• If you are using MySQL with Snort, it should be started before starting Snort.
Sniffer Mode
First, let's start with the basics. If you just want to print out the TCP/IP packet headers to the screen (i.e. sniffer mode), try this:
./snort -v
This command will run Snort and just show the IP and TCP/UDP/ICMP headers, nothing else. If you want to see the application data in transit, try the following:
./snort -vd
This instructs Snort to display the packet data as well as the headers. If you want an even more descriptive display, showing the data link layer headers, do this:
./snort -vde
(As an aside, these switches may be divided up or smashed together in any combination. The last command could also be typed out as:
./snort -d -v -e
and it would do the same thing.)
Analysis Analyze the information displayed on screen when we run Snort in the packet capture mode.
Analysis Continued
11/20-15:56: :22 -> :2474
TCP TTL:64 TOS:0x10 ID:57044 IpLen:20 DgmLen:184 DF
***AP*** Seq: 0xF5683D7A Ack: 0x9DAEEE9C Win: 0x6330 TcpLen: 20
• Date and time the packet was captured.
• Source IP address is
• Source port number is 22.
• Destination IP address is
• Destination port is
• Transport layer protocol used in this packet is TCP.
• Time To Live or TTL value in the IP header part is 64.
• Type of Service or TOS value is 0x10.
• Packet ID is
• Length of IP header is 20.
• IP payload is 184 bytes long.
• Don’t Fragment or DF bit is set in the IP header.
• Two TCP flags, A and P, are on.
• TCP sequence number is 0xF5683D7A.
• Acknowledgement number in the TCP header is 0x9DAEEE9C.
• TCP Window field is 0x6330.
• TCP header length is 20.
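The field-by-field reading above can be automated. The following is an added example, not code from the slides or from Snort: it parses the three header lines Snort prints for a TCP packet in sniffer mode into named fields. The addresses and the timestamp in the sample record are constructed (RFC 5737 documentation ranges) because the slide's copy lost them; TTL, TOS, ID, lengths, flags and sequence numbers are the slide's values. One caveat worth knowing when reading these dumps: DgmLen is the IP total length including the IP header, so the application payload of this packet is DgmLen minus the IP and TCP header lengths, 184 - 20 - 20 = 144 bytes.

```python
# Added example (not from the slides): parse the three header lines Snort prints for a
# TCP packet in sniffer mode into named fields. Addresses and timestamp are constructed
# (RFC 5737 documentation ranges); the remaining values are the slide's.
import re

SAMPLE = """\
11/20-15:56:12.345678 192.0.2.10:22 -> 198.51.100.7:2474
TCP TTL:64 TOS:0x10 ID:57044 IpLen:20 DgmLen:184 DF
***AP*** Seq: 0xF5683D7A  Ack: 0x9DAEEE9C  Win: 0x6330  TcpLen: 20
"""

ADDR_LINE = re.compile(
    r"^(?P<timestamp>\d\d/\d\d-\d\d:\d\d:\d\d(?:\.\d+)?)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")
IP_LINE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP)\s+TTL:(?P<ttl>\d+)\s+TOS:(?P<tos>0x[0-9A-Fa-f]+)\s+ID:(?P<id>\d+)"
    r"\s+IpLen:(?P<iplen>\d+)\s+DgmLen:(?P<dgmlen>\d+)(?P<df>\s+DF)?")
TCP_LINE = re.compile(
    r"^(?P<flagfield>[12UAPRSF*]{8})\s+Seq:\s*(?P<seq>0x[0-9A-Fa-f]+)\s+Ack:\s*(?P<ack>0x[0-9A-Fa-f]+)"
    r"\s+Win:\s*(?P<win>0x[0-9A-Fa-f]+)\s+TcpLen:\s*(?P<tcplen>\d+)")


def parse_record(text):
    """Return a dict of the decoded header fields; raises ValueError on an unexpected layout."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 2:
        raise ValueError("need at least the address line and the IP line")
    a, ip = ADDR_LINE.match(lines[0]), IP_LINE.match(lines[1])
    if not a or not ip:
        raise ValueError("unrecognised packet header: %r" % lines[:2])
    rec = {
        "timestamp": a["timestamp"], "src": a["src"], "sport": int(a["sport"]),
        "dst": a["dst"], "dport": int(a["dport"]), "proto": ip["proto"],
        "ttl": int(ip["ttl"]), "tos": int(ip["tos"], 16), "id": int(ip["id"]),
        "iplen": int(ip["iplen"]), "dgmlen": int(ip["dgmlen"]), "df": ip["df"] is not None,
    }
    if rec["proto"] == "TCP" and len(lines) > 2:
        t = TCP_LINE.match(lines[2])
        if not t:
            raise ValueError("unrecognised TCP line: %r" % lines[2])
        # Snort prints the flag field as positions 1 2 U A P R S F, with '*' for a clear bit.
        rec["flags"] = {c for c in t["flagfield"] if c != "*"}
        rec.update(seq=int(t["seq"], 16), ack=int(t["ack"], 16), win=int(t["win"], 16),
                   tcplen=int(t["tcplen"]))
        # DgmLen is the IP total length (header included), so the application payload
        # is what remains after the IP and TCP headers.
        rec["payload_len"] = rec["dgmlen"] - rec["iplen"] - rec["tcplen"]
    return rec


if __name__ == "__main__":
    for key, value in parse_record(SAMPLE).items():
        print("%-12s %s" % (key, value))
```

The same three regular expressions can be run over a saved sniffer-mode log to pull out, for instance, every record whose flag set is exactly {S, F}, which is the condition the SYN-FIN scan rule later in the deck looks for.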
Reading Pcaps Instead of having Snort listen on an interface, you can give it a packet capture to read. Snort will read and analyze the packets as if they came off the wire. This can be useful for testing and debugging Snort.
NIDS Mode
To enable Network Intrusion Detection System (NIDS) mode so that you don't record every single packet sent down the wire, try this:
./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf
where snort.conf is the name of your Snort configuration file. This will apply the rules configured in the snort.conf file to each packet to decide if an action based upon the rule type in the file should be taken. If you don't specify an output directory for the program, it will default to /var/log/snort.
One thing to note about the last command line is that if Snort is going to be used in a long-term way as an IDS, the -v switch should be left off the command line for the sake of speed. The screen is a slow place to write data to, and packets can be dropped while writing to the display. It's also not necessary to record the data link headers for most applications, so you can usually omit the -e switch, too.
./snort -d -h 192.168.1.0/24 -l ./log -c snort.conf
This will configure Snort to run in its most basic NIDS form, logging packets that trigger rules specified in snort.conf in plain ASCII to disk using a hierarchical directory structure (just like packet logger mode).
Alert Modes in NIDS Mode
• Fast mode
• Full mode
• Unix socket mode
• No alert mode
• Sending alerts to syslog
• Sending alerts to SNMP
• Sending alerts to Windows
Fast Mode
The fast alert mode logs the alert with the following information:
• Timestamp
• Alert message (configurable through rules)
• Source and destination IP addresses
• Source and destination ports
The following command starts Snort in fast alert mode:
/opt/snort/bin/snort -c /opt/snort/etc/snort.conf -q -A fast
This alert mode causes less overhead.
Full Mode
This is the default alert mode. It prints the alert message in addition to the packet header. We can start Snort with full alerting enabled with the following command:
/opt/snort/bin/snort -c /opt/snort/etc/snort.conf -q -A full
The additional information contains TTL, TOS, length of IP header, total length of IP packet, ICMP type field, etc.
Packet Logger Mode
Specify a logging directory and Snort will automatically know to go into packet logger mode:
./snort -dev -l ./log
When Snort runs in this mode, it collects every packet it sees and places it in a directory hierarchy based upon the IP address of one of the hosts in the datagram. With a plain -l switch, Snort sometimes uses the address of the remote computer as the directory in which it places packets and sometimes it uses the local host address. In order to log relative to the home network, tell Snort which network is the home network:
./snort -dev -l ./log -h 192.168.1.0/24
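To show what "logging relative to the home network" decides in practice, here is an added example that is not from the slides or from Snort: given the -h network, the per-host directory is named after whichever endpoint is outside that network, so a session's packets land in one place regardless of direction. The tie-break for traffic between two non-home hosts (use the source address) and the `TCP:<sport>-<dport>` file name are assumptions made for this illustration, not a statement of Snort's exact on-disk layout.

```python
# Added example (not from the slides): model the directory choice the packet logger
# makes once it knows the home network (-h). The both-hosts-external tie-break and
# the per-session file name are assumptions for this illustration.
import ipaddress
import posixpath


def log_directory(src, dst, home_net, log_root="./log"):
    """Directory under log_root named after the host that is NOT in the home network.
    If neither host is in the home network, the source address is used (assumption)."""
    net = ipaddress.ip_network(home_net, strict=False)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in net and d not in net:
        remote = d
    elif d in net and s not in net:
        remote = s
    else:
        remote = s
    return posixpath.join(log_root, str(remote))


def log_path(src, sport, dst, dport, home_net, proto="TCP", log_root="./log"):
    """log_directory plus a per-session file named by protocol and ports (assumed form)."""
    return posixpath.join(log_directory(src, dst, home_net, log_root),
                          "%s:%d-%d" % (proto, sport, dport))


if __name__ == "__main__":
    # Constructed session between a home host and an external host, seen in both directions.
    print(log_path("192.168.1.5", 40000, "203.0.113.9", 22, "192.168.1.0/24"))
    print(log_path("203.0.113.9", 22, "192.168.1.5", 40000, "192.168.1.0/24"))
```

Both print lines resolve to the same `./log/203.0.113.9` directory, which is the property the -h option is there to give you; without it, the slide notes, the choice of host can vary from packet to packet.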