Advanced IDS / Kung Fu IDS, Brian Caswell & Jeff Nathan. Presentation transcript:

1 Advanced IDS, Brian Caswell & Jeff Nathan

2 Kung Fu IDS, Brian Caswell (bmc@snort.org), Jeff Nathan (jeff@snort.org)

3 The life of a packet through Snort's detection engine

4 Overview of protocol decoding and protocol anomaly detection
- Static decoders
- Normalization of data

5 Recent detection improvements
- Advanced content options (distance, within, byte_test and byte_jump)
- All-purpose state engine (conversation)
- Improved message passing between components


7 Distance
    content:"SITE"; nocase; content:"EXEC"; distance:0; nocase;
distance:0 starts the search for the second content at the end of the previous match, so "EXEC" must follow "SITE".

8 Within
    content:"Content-type\: video/x-ms-asf"; content:"|0a|"; within:2;
within:2 requires the line feed to be found inside the 2 bytes that follow the previous match.

9 Byte jump
    byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4;
Each byte_jump reads 4 bytes at offset 4 from the current position, treats them as a length, and moves the cursor past the bytes read plus that length (rounded up to a 4-byte boundary by align). Two jumps skip two variable-length fields before the program number 0x000186A5 is checked.

10 Byte test
    byte_test:1,>,7,1;
Reads 1 byte at offset 1 of the payload and succeeds when its value is greater than 7.
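As an added illustration (not code from the slides or from Snort), the Python below emulates the semantics of distance, within, byte_test and byte_jump with align, and traces the slide's two-byte_jump chain over a constructed ONC RPC GETPORT call. It assumes, as Snort's portmap rules do, that earlier content matches leave the cursor just past the RPC procedure field; the portmapper and GETPORT checks, the AUTH_UNIX credential body and all function names are my own.

```python
import struct
def find_content(data, pattern, cursor, distance=0, within=None):
    """content;distance;within: search from cursor+distance; with within, the whole
    pattern must sit inside the next `within` bytes. Returns the cursor past the match."""
    start = cursor + distance
    end = len(data) if within is None else start + within
    pos = data.find(pattern, start, end)   # find() only reports a full match inside [start, end)
    return None if pos < 0 else pos + len(pattern)

def byte_test(data, nbytes, op, value, offset, cursor=0, relative=False):
    """byte_test:<nbytes>,<op>,<value>,<offset>[,relative] on big-endian bytes."""
    base = cursor if relative else 0
    chunk = data[base + offset:base + offset + nbytes]
    if len(chunk) < nbytes:
        return False
    n = int.from_bytes(chunk, "big")
    return {">": n > value, "<": n < value, "=": n == value}[op]

def byte_jump(data, nbytes, offset, cursor, align=False):
    """byte_jump:<nbytes>,<offset>,relative[,align]: read a big-endian length at cursor+offset
    and move past the bytes read plus that length; align rounds the length up to 4 bytes."""
    chunk = data[cursor + offset:cursor + offset + nbytes]
    if len(chunk) < nbytes:
        return None
    jump = int.from_bytes(chunk, "big")
    if align and jump % 4:
        jump += 4 - jump % 4
    return cursor + offset + nbytes + jump

def portmap_getport_for(data, program):
    """The slide's chain: from just past the RPC procedure field, two byte_jumps skip the
    variable-length credentials and verifier (flavor, length, body), then check the program."""
    cur = find_content(data, b"\x00\x01\x86\xa0", 12, within=4)  # portmapper (100000) at offset 12
    if cur is not None:                                            # skip version; procedure 3 = GETPORT
        cur = find_content(data, b"\x00\x00\x00\x03", cur, distance=4, within=4)
    for _ in range(2):                                             # credentials, then verifier
        if cur is None:
            return False
        cur = byte_jump(data, 4, 4, cur, align=True)
    return cur is not None and find_content(data, program, cur, within=4) is not None

def make_getport_call(program, cred_body):
    """Constructed RPC call: header, AUTH_UNIX credentials padded to XDR's 4-byte boundary,
    null verifier, then the GETPORT arguments (program, version, protocol, port)."""
    hdr = struct.pack(">6I", 1, 0, 2, 100000, 2, 3)   # xid, CALL, RPC v2, portmapper, v2, GETPORT
    cred = struct.pack(">II", 1, len(cred_body)) + cred_body + b"\x00" * ((-len(cred_body)) % 4)
    return hdr + cred + struct.pack(">II", 0, 0) + program + struct.pack(">3I", 1, 17, 0)

MOUNTD = b"\x00\x01\x86\xa5"                   # 100005, the program number on the slide
SAMPLE = make_getport_call(MOUNTD, b"A" * 21)  # 21-byte body, so 3 pad bytes exercise align
```

With the 21-byte credential body the first jump lands on offset 56 only because align rounds 21 up to 24; without align the second jump would read the length from the middle of the padding.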

11 Advantages and disadvantages of static preprocessors
Advantages
- Relatively fast
- State-based implementations
Disadvantages
- Users are not programmers
- Requires recompilation of the entire system
- Requires specific knowledge of the protocol (in addition to Snort)

12 The promise of advanced rules
- A quicker development cycle for discrete protocol anomaly detection
- Only requires knowledge of Snort's rule language and the protocol itself
- NO NEED TO LEARN C

13 Where existing advanced rules and preprocessors fall short
- New preprocessors can require significant development time
- Preprocessors rely on Snort's pattern matching for detection of normalized data
- No advanced constructs (loops, regex, and data munging)
- Not all vulnerabilities can be covered with advanced rules and existing preprocessors

14

15 A new solution: sp_perl
Two new detection keywords:
- "perlre" provides real regular expressions
- "perl" provides runtime evaluation of virtually any perl code

16 sp_perl, are we nuts?
- Extensibility through perl
- No additional CPU cost for non-perl rules
- Rapid updates to Snort's detection capabilities without re-implementing N-CODE
(And since you asked, we are nuts, but not because we added perl to Snort)

17 OK, so we're nuts. How does this actually work?
- Create an embedded perl interpreter
- Parse all the rules and store the perl data for later
- When a perl rule option is triggered:
  – Convert the payload, IPs, and ports to perl scalars
  – Pass the perl scalars to perl
  – Evaluate packet data and persistent data
- On exit, destroy the runtime interpreter

18 Embedded perl
    PerlInterpreter *my_perl = perl_alloc();   /* allocate the interpreter */
    perl_construct(my_perl);                    /* initialise it */
    perl_parse(my_perl, NULL, 2, perl_cmdline_opts, NULL);  /* parse the perl program given by the argv-style options */
    perl_run(my_perl);                          /* run it */
    perl_destruct(my_perl);                     /* tear down */
    perl_free(my_perl);                         /* release the memory */

19 OK, but how does that work inside of Snort?
SetupPerlKungFoo()
- Verifies the file with our perl functions is there
- Registers our keywords as valid detection options
- Allocates a runtime perl interpreter
- Initializes the perl stack for our runtime interpreter
- Parses our perl file to get our functions into the runtime environment
- Stores the persistent data specific to sp_perl in the OptTreeNode(s)

20 sp_perl, what the ugly C does
- Calls perl_regex with the pattern, the type of test (perl vs. perlre), and the IP addresses and ports
- Pushes the arguments onto a local copy of the perl stack, then replaces the global perl stack with our stack
- Calls the appropriate perl function using the new global perl stack
- Pops the return code from the perl stack and converts it to an integer
- Returns the next test on the OptTreeNode on success, otherwise 0

21 Example Rules

22 IMAP LSUB Buffer Overflow, CAN-2000-0284
    11/11-10:45:41.482210 172.16.2.130:33012 -> 10.2.2.250:143
    ***AP*** Seq: 0x6F578C60 Ack: 0xFE6E84A1 Win: 0x16D0 TcpLen: 32
    31 20 4C 53 55 42 20 22 22 20 7B 31 30 36 34 7D  1 LSUB "" {1064}
    0D 0A                                            ..

    11/11-10:45:41.482699 10.2.2.250:143 -> 172.16.2.130:33012
    ***AP*** Seq: 0xFE6E84A1 Ack: 0x6F578C72 Win: 0x7BFC TcpLen: 32
    TCP Options (3) => NOP NOP TS: 26213694 338288987
    2B 20 52 65 61 64 79 20 66 6F 72 20 61 72 67 75  + Ready for argu
    6D 65 6E 74 0D 0A                                ment..

    11/11-10:45:41.483459 172.16.2.130:33012 -> 10.2.2.250:143
    ***AP*** Seq: 0x6F578C72 Ack: 0xFE6E84B7 Win: 0x16D0 TcpLen: 32
    90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................

23 IMAP LSUB Buffer Overflow, continued
Our content: 1 LSUB "" {1064}\r\nSHELLCODEHERE
So how do we detect this?
- Regex
- Regex and some math

24 IMAP LSUB Buffer Overflow, regex
Content: 1 LSUB "" {1064}\r\nSHELLCODEHERE
Regex: ^\d+\s+LSUB\s+""\s+{\d{4,}}

25 IMAP LSUB Buffer Overflow, regex and some math
Content: 1 LSUB "" {1064}\r\nSHELLCODEHERE
Regex: ^\d+\s+LSUB\s+""\s+{(\d+)}
Math: $1 > 1000

26 IMAP LSUB Buffer Overflow, the rules
    alert ip any any -> any any (perlre:/^\d+\s+LSUB\s+""\s+{\d{4,}}/;)
    alert ip any any -> any any (perl:"$content =~ /\d+\s+LSUB\s+""\s+{(\d+)}/\; && $1 > 1000";)

27 IMAP LSUB Buffer Overflow, the optimized rules
    alert tcp any any -> any 143 (flow:to_server,established; content:"LSUB"; nocase; perlre:/^\d+\s+LSUB\s+""\s+{\d{4,}}/;)
    alert tcp any any -> any 143 (flow:to_server,established; content:"LSUB"; nocase; perl:"$content =~ /\d+\s+LSUB\s+""\s+{(\d+)}/\; && $1 > 1000";)
The cheap flow and content checks run first, so the perl code is only evaluated on client-to-server IMAP traffic that actually contains "LSUB".

28 FTP Port Bounce, CVE-1999-0017
    12/31--5:00:00.007051 10.1.1.254:3161 -> 10.1.1.113:21
    ***AP*** Seq: 0x4FE9C1C4 Ack: 0x1E001761 Win: 0x7D78 TcpLen: 32
    70 6F 72 74 20 31 37 32 2C 31 36 2C 30 2C 33 32  port 172,16,0,32
    2C 31 32 2C 37 32 0A                             ,12,72.

29 FTP Port Bounce, continued
Our content: port 172,16,0,32,12,72\n
So how do we detect this?
- Regex and some perl

30 FTP Port Bounce, regex and some perl
Content: port 172,16,0,32,12,72
Regex: $content =~ /port\s+(\d+),(\d+),(\d+),(\d+)/
The Perl: $srcip ne $1.'.'.$2.'.'.$3.'.'.$4

31 FTP Port Bounce, the rules
    alert ip any any -> any any (perl:"$content =~ /port\s+(\d+),(\d+),(\d+),(\d+)/i && $srcip ne $1.'.'.$2.'.'.$3.'.'.$4";)

32 FTP Port Bounce, the optimized rules
    alert tcp any any -> any 21 (flow:to_server,established; content:"port"; nocase; perl:"$content =~ /port\s+(\d+),(\d+),(\d+),(\d+)/i && $srcip ne $1.'.'.$2.'.'.$3.'.'.$4";)

33 HTTP Unknown Version
    04/06-20:04:12.457297 10.200.1.100:33599 -> 66.35.250.150:80
    TCP TTL:64 TOS:0x0 ID:58321 IpLen:20 DgmLen:56 DF
    ***AP*** Seq: 0xDD594D3E Ack: 0xAEE Win: 0x1490 TcpLen: 20
    47 45 54 20 2F 20 48 54 54 50 2F 30 2E 32 0A 0A  GET / HTTP/0.2..

34 HTTP Unknown Version, continued
Our content: GET / HTTP/0.2\n\n
So how do we detect this?
- Regex
- Regex and some perl

35 HTTP Unknown Version, regex
Content: GET / HTTP/0.2\n\n
Regex: \s+HTTP/(0\.9|1\.1|1\.0)[\r]\n

36 HTTP Unknown Version, regex and some perl
Content: GET / HTTP/0.2\n\n
Regex: \s+HTTP/([^\n]*)\n
Perl: $1 ne '1.1' && $1 ne '1.0' && $1 ne '0.9'

37 HTTP Unknown Version, building the rules
    alert ip any any -> any any (perlre:\s+HTTP/(0\.9|1\.1|1\.0)[\r]{0,1}\n;)
    alert ip any any -> any any (perl:"$content =~ m! HTTP/(.{3})! && $1 ne '1.1' && $1 ne '1.0' && $1 ne '0.9'";)

38 HTTP Unknown Version, the optimized rules
    alert tcp any any -> any 80 (flow:to_server,established; content:"HTTP"; perlre:\s+HTTP/(0\.9|1\.1|1\.0)[\r]{0,1}\n;)
    alert tcp any any -> any 80 (flow:to_server,established; content:"HTTP"; perl:"$content =~ m! HTTP/(.{3})! && $1 ne '1.1' && $1 ne '1.0' && $1 ne '0.9'";)
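The three detection checks from slides 23 to 38 (IMAP LSUB regex and math, FTP PORT bounce, HTTP unknown version), re-expressed in Python's re module as an added example rather than the presenters' sp_perl code. It goes beyond the slides by also decoding the two port octets of the PORT command and by stripping a trailing CR before comparing the HTTP version; the function names and sample payloads are constructed here from the slide dumps.

```python
import re

# Slides 24-25: capture the literal-length octet count that follows LSUB ""
LSUB_RE = re.compile(r'^\d+\s+LSUB\s+""\s+\{(\d+)\}')

def imap_lsub_overflow(content, limit=1000):
    """'Regex and some math': alert when the announced literal length exceeds the limit
    (the slide's capture announces 1064 octets before the shellcode)."""
    m = LSUB_RE.match(content)
    return bool(m) and int(m.group(1)) > limit

# Slide 30's pattern, extended with the two port octets (h1,h2,h3,h4,p1,p2)
PORT_RE = re.compile(r'port\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)', re.IGNORECASE)

def ftp_port_bounce(srcip, content):
    """'Regex and some perl': a PORT command naming an address other than the client's
    own source IP is a bounce attempt. Returns the (ip, port) the client asked the
    server to connect to when it differs from srcip, else None."""
    m = PORT_RE.search(content)
    if not m:
        return None
    ip = ".".join(m.group(i) for i in range(1, 5))
    port = int(m.group(5)) * 256 + int(m.group(6))   # FTP splits the port into two octets
    return (ip, port) if ip != srcip else None

# Slide 36: capture whatever follows HTTP/ on the request line
VERSION_RE = re.compile(r'\s+HTTP/([^\n]*)\n')
KNOWN_VERSIONS = {"0.9", "1.0", "1.1"}

def http_unknown_version(content):
    """Alert unless the captured version is one of the known ones. [^\n]* also swallows a
    CR from a CRLF request line, so it is stripped before the comparison."""
    m = VERSION_RE.search(content)
    return bool(m) and m.group(1).rstrip("\r") not in KNOWN_VERSIONS
```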

39 Even more advanced foo
So, you want one or two specific rules to email you when they fire. Add this to snort.pl:
    sub insane {
        my ($srcip, $content) = @_;
        use Net::SMTP;
        my $server = "mail.server.com";
        my $email  = "perlfoo\@snort.org";
        my $smtp = Net::SMTP->new($server) || die "Can't connect to mail server";
        $smtp->mail($email);     # envelope sender
        $smtp->to($email);       # envelope recipient
        $smtp->data();
        $smtp->datasend("To: $email\nFrom: $email\n");
        $smtp->datasend("Subject: perl alert - srcip = $srcip\n\n$content\n");
        $smtp->dataend();
        $smtp->quit();
    }
Then use it in your rule: insane($srcip,$content)

40 Future Work
- Cache any perl-specific data in the Packet struct
- Figure out how to pass the struct, and pass *p directly, with pack/unpack foo in perl
- Instead of raw perl, use swig
- Buy flak jackets to save us from the rest of the Snort developers

41 Jed Rules
