Presentation on theme: "Snort & ACID Low cost, highly configurable IDS by Patrick Southcott"— Presentation transcript:
Snort & ACID Low cost, highly configurable IDS by Patrick Southcott firstname.lastname@example.org http://www.patricksouthcott.com
Large topic, General outline: 1.What is snort? 2.Where does an IDS fit in the network? 3.Snort 2.0, Marty and Sourcefire.com 4.Snort system overview –config file –rules (custom & public) 5.ACID : opensource, web-based, simple alert management. 6.PROS & CONS of snort as an IDS. 7.Building a snort sensor on Redhat9.
What is Snort? Snort is an application which listens to network traffic and uses rules to determine if it sees particular types of traffic. It logs, alerts for and listens to network traffic. The System Architecture consists of these main parts: Sniffer Promiscuous Mode NIC Preprocessor frag2, stream4, http_decode Detection Engine Using Rules Logging and Alerting plugins log mysql, alert smb Packets on the wire Snort Detection Process Records in a SQL db
Snort in the larger picture Snort sensors can be placed on any network device. Hubs work best. Sensors may log to a central database over secure tunnels or private media. Management console using ACID.
IDS in Perspective Management / Executive System Admin Network Admin / Analyst low TCO (End-to-end, openness) Wants reports which show ROE Configures and runs everything. Routers, firewalls, servers. Endless game to keep up-to-date. Wants to be user of IDS High quality data Auto-response to new vulnerabilities. Maintains network Event Correlation Broad -> Specific Tune rules
Marty Roesch and Sourcefire Created snort in 1998. Sourcefire sells IDS boxes which they install, configure and support. Different security needs may involve specific tuning to customers network. Sourcefire is the major commercial supporter of snort. Gig speeds with multiprocessors and linux –same kernel, custom drivers, minimal footprint demo-sensor.sourcefire.com
Snort Usage Run on Console Run as Daemon $./snort –c snort.conf –l /home/snort/snort_spool/ $./snort –D –c snort.conf –l home/snort/snort_spool/ Snort Config File: config daemon $./snort –l /home/snort/snort_spool/ Running in packet logging mode Log directory = /snort/snort_spool/ Initializing Network Interface eth0 --== Initializing Snort ==-- Initializing Output Plugins! Decoding Ethernet on interface eth0 --== Initialization Complete ==-- -*> Snort! <*- Version 2.0.0rc4 (Build 70) By Martin Roesch (email@example.com, www.snort.org) Shell output from snort init.:
Snort Console Output ================================================================ Snort analyzed 4 out of 4 packets, dropping 0(0.000%) packets Breakdown by protocol: Action Stats: TCP: 4 (100.000%) ALERTS: 0 UDP: 0 (0.000%) LOGGED: 4 ICMP: 0 (0.000%) PASSED: 0 ARP: 0 (0.000%) EAPOL: 0 (0.000%) IPv6: 0 (0.000%) IPX: 0 (0.000%) OTHER: 0 (0.000%) DISCARD: 0 (0.000%) ================================================================ Wireless Stats: Breakdown by type: Management Packets: 0 (0.000%) Control Packets: 0 (0.000%) Data Packets: 0 (0.000%) ================================================================ Fragmentation Stats: Fragmented IP Packets: 0 (0.000%) Fragment Trackers: 0 Rebuilt IP Packets: 0 Frag elements used: 0 Discarded(incomplete): 0 Discarded(timeout): 0 Frag2 memory faults: 0 ….
Snort Configuration File var HOME_NET var EXTERNAL_NET var FOO_SERVERS config interface: eth0 config set_uid: snort config dump_payload config daemon preprocessor frag2 preprocessor stream4 preprocessor portscan2 output database: log, mysql, user=snort password=foobar dbname=snort host=localhost Variables Configuration Preprocessor Output SQL Database Each bullet is a line in the config file. Variables are used in the files with the snort rules.
Snort Preprocessors Frag2 Preprocessor –snort.conf: preprocessor frag2 –packet fragmentation can lead to the IDS missing packets or getting different ones than the host gets. This cleans fragmented packets. The stream4 Preprocessor –snort can keep track of tcp sessions. stateful –detection of stealth scans from software like nmap. Portscan and portscan2 Preprocessors –detection of single host access to many ports.
Snort Rules... include $RULE_PATH/local.rules local.rules : snort.conf : Rules to log all tcp, udp and icmp traffic. activate tcp any any -> any 23 (activates: 23; msg:Potential Telnet Login Credentials Logged;) dynamic tcp any any -> any 23 (activated_by: 23; count:20;) log tcp any any -> any any (msg: tcp traffic;) log udp any any -> any any (msg: udp traffic;) log icmp any any -> any any (msg: icmp traffic;)
ACID to manage Alerts Sort and display alerts based on ip, port, date, unique alerts. Search alerts Display layer 3 and 4 packet data Graphs and statistics for alert frequency. Alert grouping, archiving, managing
Connecting mysql with stunnel Generate foo.pem for tunnel. openssl req -new -out stunnel.pem -keyout \ stunnel.pem -nodes -x509 -days 365 Cert = /foobar/stunnel.pem [mysqls] accept = 3307 connect = 3306 #!/bin/sh /usr/local/sbin/stunnel -c -d 3306 -r 10.1.5.1:3307 stunnel 4 with config ( stunnel.conf) stunnel 3.22 from shell prompt.
Snort IDS: PROs and CONs Powerful, specific rules to match packets. No backdoors Weakness quickly found & published. Rules actively published for detection of new worms etc. Open Source software developers know code will be checked. Fewer hacks. Snort/ACID is only part of a secure network. Does not record the success or failure of a detected intrusion Does nothing to stop an intrusion in progress. False sense of security. PROsCONs