
Passive Host Auditing Using Snort And Other Free Tools by John Ives aka. jives.


1 Passive Host Auditing Using Snort And Other Free Tools by John Ives aka. jives

2 The Importance Of Auditing
- Identify assets to better protect
- Inventory of what you have and where it is on your network

3 The State Of Auditing Today
- Relies primarily on active network scanning
- Makes heavy use of client agents
- Difficult to impossible in chaotic, decentralized environments

4 What Is Passive Auditing
- Uses the packets already on the network to answer questions about the hosts
- Does not affect end-system logging
- Uses black hat scans for white hat purposes
- Aids policy enforcement
- Ultimately, it is using event correlation to profile a host.

5 What Can Be Monitored Passively
- OS
- OS updates
- Antivirus/firewall/spyware updates
- Network services (e.g. telnet, ftp, http, etc.)
- Open ports
- Service versions
- Network application versions
- Policies

6 What Are Its Downsides?
- Getting started can be labor intensive.
- It requires a lot of data to build an accurate picture.
- It requires a commitment of time and money.
- It can be bypassed, but most end users won't.
- It actually benefits from an ugly network!

7 Example Rule (AV/Firewall update)
Symantec LiveUpdate
---------------------------------------------------------------------------
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
    (msg:"PHA - user-agent Symantec liveupdate"; \
    flow:to_server,established; \
    content:"|0d0a|User-Agent\: Symantec LiveUpdate"; nocase; \
    content:"|0d0a|Host\: liveupdate.symantecliveupdate.com"; nocase; \
    threshold: type limit, track by_src, count 1, seconds 1800; )

8 Example packets (AV/Firewall update)
Symantec LiveUpdate
---------------------------------------------------------------------------
IP:   10.10.29.25 -> 38.113.220.7 hlen=20 TOS=00 dgramlen=283 id=946B MF/DF=0/1 frag=0 TTL=126 proto=TCP cksum=CC44
TCP:  port 1694 -> 80 seq=3152470340 ack=3992596721 hlen=20 (data=243) UAPRSF=011000 wnd=65535 cksum=74B4 urg=0
DATA: GET /symantec$20antivirus$20corporate$20client$20nt_9.0_english_livetri.zip HTTP/1.0.
      Accept: */*.
      Cache-Control: max-age=0.
      User-Agent: Symantec LiveUpdate.
      Host: liveupdate.symantecliveupdate.com.
      ----------: ----------.
      Pragma: no-cache..

9 Example Rule (OS Update)
Windows updating for KB896358 (MS05-026)
---------------------------------------------------------------------------
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
    (msg:"PHA - Windows Update download KB896358 MS05-026"; \
    content:"GET |2F|"; depth:5; nocase; \
    content:"kb896358"; nocase; \
    content:".exe HTTP|2F|1.1|0d0a|"; nocase;)

10 Example packets (OS Update)
Windows ME updating for KB896358 (MS05-026)
---------------------------------------------------------------------------
IP:   10.11.19.24 -> 207.46.249.25 hlen=20 TOS=00 dgramlen=282 id=2498 MF/DF=0/1 frag=0 TTL=125 proto=TCP cksum=EE37
TCP:  port 1493 -> 80 seq=0370010218 ack=2679330397 hlen=20 (data=242) UAPRSF=011000 wnd=17520 cksum=8456 urg=0
DATA: GET /msdownload/update/v3-19990518/cabpool/WindowsME-KB896358-ENU_7e9ddccce2504c0ee808dffaf52c841.EXE HTTP/1.1.
      Accept: */*.
      Range: bytes=0-16384.
      User-Agent: Progressive Download.
      Host: download.windowsupdate.com.
      Cache-Control: no-cache.

11 Example Rule (Anti-Spyware Detection)
Microsoft Windows Malicious Software Removal Tool
---------------------------------------------------------------------------
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
    (msg:"PHA - Windows Spyware Tool KB890830"; \
    content:"GET |2F|"; depth:5; nocase; \
    content:"kb890830"; nocase; \
    content:".exe HTTP|2F|1.1|0d0a|"; nocase; \
    content:"|0d0a|User-Agent: Microsoft BITS"; nocase;)

12 Example packets (Spyware Detection)
Microsoft Windows Malicious Software Removal Tool
---------------------------------------------------------------------------
IP:   10.11.60.7 -> 65.59.184.62 hlen=20 TOS=00 dgramlen=326 id=0611 MF/DF=0/1 frag=0 TTL=125 proto=TCP cksum=4CFC
TCP:  port 1078 -> 80 seq=0643000275 ack=3277861441 hlen=20 (data=286) UAPRSF=011000 wnd=65535 cksum=0FBC urg=0
DATA: GET /msdownload/update/v3-19990518/cabpool/windows-kb890830-v1.5-delta-enu_21d25af37346306a6b2dee41479b947829a529db.exe HTTP/1.1.
      Accept: */*.
      Accept-Encoding: identity.
      Range: bytes=0-5622.
      User-Agent: Microsoft BITS/6.6.
      Host: au.download.windowsupdate.com.
      Connection: Keep-Alive.

13 Example Rule (OS Update Check-In)
RedHat looking for updates via up2date
---------------------------------------------------------------------------
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
    (msg:"PHA - RedHat Update Up2Date check-in"; flow:to_server,established; \
    content:"GET |2F|"; depth:5; nocase; \
    content:"header.info HTTP/1.1|0d0a|"; nocase; \
    content:"|0d0a|User\-agent\: Up2date\/"; nocase;)

14 Example packets (OS Update Check-In)
RedHat updating via up2date
---------------------------------------------------------------------------
IP:   10.11.26.94 -> 209.132.176.221 hlen=20 TOS=00 dgramlen=263 id=1C11 MF/DF=0/1 frag=0 TTL=61 proto=TCP cksum=B667
TCP:  port 36102 -> 80 seq=0480187150 ack=3321205591 hlen=32 (data=211) UAPRSF=011000 wnd=1460 cksum=F466 urg=0
DATA: GET /pub/fedora/linux/core/3/i386/os/headers/header.info HTTP/1.1.
      Host: download.fedora.redhat.com.
      Accept-Encoding: identity.
      If-Modified-Since: Wed, 03 Nov 2004 23:16:42 GMT.
      User-Agent: RHN-Applet/2.1.16.

15 Example Rule (another OS update)
RedHat updating via up2date
---------------------------------------------------------------------------
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
    (msg:"PHA - RedHat Update Up2Date check-in"; flow:to_server,established; \
    content:"GET |2F|"; depth:5; nocase; \
    content:".rpm HTTP/1.1|0d0a|"; nocase; \
    content:"|0d0a|User\-agent\: Up2date\/"; nocase;)

16 Example packets (another OS update)
RedHat updating via up2date
---------------------------------------------------------------------------
IP:   10.11.26.94 -> 209.132.176.221 hlen=20 TOS=00 dgramlen=263 id=1C11 MF/DF=0/1 frag=0 TTL=61 proto=TCP cksum=B667
TCP:  port 36102 -> 80 seq=0480187150 ack=3321205591 hlen=32 (data=211) UAPRSF=011000 wnd=1460 cksum=F466 urg=0
DATA: GET /pub/fedora/linux/core/updates/4/i386//kernel-2.6.12-1.1398_FC4.i686.rpm HTTP/1.1
      Accept-Encoding: identity
      Host: download.fedora.redhat.com
      Connection: close
      User-agent: Up2date 4.4.23-4/Yum

17 Misc. Example Rules
Syn Packets for p0f
---------------------------------------------------------------------------
alert tcp $HOME_NET any -> any any (msg:"PHA syn packet capture for p0f"; \
    flags:s; threshold: type limit, track by_src, count 1, seconds 1800; )
---------------------------------------------------------------------------
IIS 5.1 on Windows XP
---------------------------------------------------------------------------
alert tcp $HOME_NET 80 -> $EXTERNAL_NET any \
    (msg:"PHA - IIS 5.1 running on Windows XP"; flow: from_server; \
    content:"|0D 0A|Server\: Microsoft-IIS/5.1|0D 0A|"; nocase; \
    threshold: type limit, track by_src, count 1, seconds 1800;)

18 Tools
- Snort
- p0f
- tcpdump
- tcpshow and/or ngrep
- Bro IDS
- Custom Scripts
- Database
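The correlation step that slide 4 describes and slide 18 leaves to "custom scripts", as an added Python example that is not part of the talk: the signature table re-expresses the page's rules as chained regexes, observations are folded into one inventory record per source address, and the result is checked against a policy (hosts never seen fetching AV updates). Attribute names, the sample requests and the simplified URL paths are constructed here; the patterns drop the slides' trailing `/` after `Up2date` so the sample request modelled on slide 16 matches.

```python
import re
from collections import defaultdict

# One entry per slide rule: attribute to record, its value, and the patterns that must ALL match.
SIGNATURES = {
    "av_updater": ("Symantec LiveUpdate", [
        r"\r\nUser-Agent: Symantec LiveUpdate",
        r"\r\nHost: liveupdate\.symantecliveupdate\.com"]),
    "os_patch": ("KB896358 / MS05-026", [
        r"^GET /", r"kb896358", r"\.exe HTTP/1\.1\r\n"]),
    "antispyware": ("MSRT KB890830", [
        r"^GET /", r"kb890830", r"\.exe HTTP/1\.1\r\n",
        r"\r\nUser-Agent: Microsoft BITS"]),
    "os_updater": ("RedHat up2date", [
        r"^GET /", r"\.rpm HTTP/1\.1\r\n", r"\r\nUser-agent: Up2date"]),
}

def classify(payload):
    """Return (attribute, value) pairs for every signature whose patterns all match."""
    return [(attr, value) for attr, (value, patterns) in SIGNATURES.items()
            if all(re.search(p, payload, re.IGNORECASE) for p in patterns)]

def profile_hosts(observations):
    """Fold (src_ip, request) pairs into {src_ip: {attribute: value}}."""
    profiles = defaultdict(dict)
    for src, payload in observations:
        profiles[src]  # register the host even when nothing matches
        for attr, value in classify(payload):
            profiles[src][attr] = value
    return dict(profiles)

def missing(profiles, attribute):
    """Policy check: hosts never observed doing the given activity."""
    return sorted(ip for ip, attrs in profiles.items() if attribute not in attrs)

# Constructed sample requests modelled on the slide packet dumps (CRLF-terminated headers).
OBSERVATIONS = [
    ("10.10.29.25", "GET /client_livetri.zip HTTP/1.0\r\nAccept: */*\r\n"
     "User-Agent: Symantec LiveUpdate\r\nHost: liveupdate.symantecliveupdate.com\r\n\r\n"),
    ("10.11.19.24", "GET /msdownload/update/cabpool/WindowsME-KB896358-ENU.EXE HTTP/1.1\r\n"
     "User-Agent: Progressive Download\r\nHost: download.windowsupdate.com\r\n\r\n"),
    ("10.11.60.7", "GET /msdownload/update/cabpool/windows-kb890830-v1.5-delta-enu.exe HTTP/1.1\r\n"
     "User-Agent: Microsoft BITS/6.6\r\nHost: au.download.windowsupdate.com\r\n\r\n"),
    ("10.11.26.94", "GET /pub/fedora/linux/core/updates/4/i386/kernel-2.6.12-1.1398_FC4.i686.rpm HTTP/1.1\r\n"
     "Host: download.fedora.redhat.com\r\nUser-agent: Up2date 4.4.23-4/Yum\r\n\r\n"),
]

if __name__ == "__main__":
    hosts = profile_hosts(OBSERVATIONS)
    print(hosts, "\nno AV update traffic seen from:", missing(hosts, "av_updater"))
```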

19 Thank You
Thank you for coming today. If you are interested in getting more information or volunteering to help out, you can email me at jives@passiveaudit.org. Updated scripts, rules, etc. will be available at http://www.passiveaudit.org

