Presentation is loading. Please wait.

Presentation is loading. Please wait.

An Introduction to Snort

Published byClare Ellis Modified over 5 years ago

Similar presentations

Presentation on theme: "An Introduction to Snort"— Presentation transcript:

1 An Introduction to Snort
Richard Bejtlich TaoSecurity Houston ISSA Meeting 11 Apr 02

2 Outline Introduction to Intrusion Detection What is Snort?
Installing Snort Snort Rules Snort in Action Third-Party Enhancements Conclusion

3 About Me Bejtlich = “bate-lik”
Senior engineer for managed network security operations, BATC (2001-) Former captain at US Air Force Computer Emergency Response Team ( ) Student of intrusion detection, incident response, and digital forensics

4 Introduction to Intrusion Detection
Network defense or “protection” model Planning Prevention Detection Response Intrusion detection is the process of discovering, analyzing, and reporting unauthorized or damaging network or computer activities

5 Introduction to Intrusion Detection
All network and computer activities fall in one of three categories: Normal Abnormal but not malicious Malicious Intrusion detection operates in two arenas: What a computer says: network traffic What a computer thinks: computer processes

6 Introduction to Intrusion Detection
Network traffic is monitored by network-based intrusion detection systems (NIDS) Computer processes are monitored by host-based intrusion detection systems (HIDS) So-called “hybrid” systems examine network traffic to or from a host, as well as processes on that host NIDS are easier to deploy and manage, but HIDS may give greater visibility to events

7 What is Snort? Snort is a fast, flexible, small-footprint, open-source NIDS developed by the security community and a “benevolent dictator” Lead coder: Marty Roesch, now founder of Sourcefire ( Initially developed in late 1998 as a sniffer with consistent output, unlike protocol-dependent output of TCPDump Licensed under GPL, but version 2.0 may change to a different license

8 Installing Snort As of 16 Mar 02, version available at in these forms: UNIX source Solaris, FreeBSD, Windows binary packages Red Hat .rpm Requires installation of libpcap first! UNIX: or newest available source Windows: netgroup-serv.polito.it/winpcap/install/ offers winpcap 2.2 and 2.3 beta (XP requires 2.3)

9 Installing Snort On Red Hat Linux 7.2, as root: Files installed:
Download and install libpcap Download and install these three .rpm: libnet-1.0.2a-1snort.i386.rpm snort snort.i386.rpm snort-postgresql+flexresp snort.i386.rpm Create /var/log/snort directory Files installed: /etc/snort contains conf and rule files /var/log/snort will contain logs /usr/sbin/snort contains snort binary

10 Installing Snort For a quick test, execute this command within the /etc/snort directory: snort –A console From a separate machine, use nmap to generate events for Snort to detect: nmap –sP <snort_machine_IP_address> You should see an alert like this: 03/27-15:18: [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} >

11

12

13 Installing Snort On Windows 2000, as administrator:
Download and install winpcap Download and execute Snort184Win32.exe, and select “typical” installation mkdir “c:\Program Files\Sourcefire\Snort\log” Files installed in c:\Program Files\Sourcefire\Snort: snort.conf \rules directory contains rules snort.exe executable

14 Installing Snort To test, execute this command within the c:\Program Files\Sourcefire\Snort directory: snort –A console You may need to specify and interface with ‘-i 2’ From a separate machine, use nmap to generate events for Snort to detect: nmap –sP <snort_machine_IP_address> You should see an alert like this: 03/27-15:18: [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} >

15

16

17 Installing Snort While not an element of Snort, Ethereal is the best open source GUI-based packet viewer offers: Windows: UNIX: Red Hat Linux RPMs: ftp.ethereal.com/pub/ethereal/rpms/

18

19 Installing Snort Also not an element of Snort, tcpdump is a well-established CLI packet capture tool offers UNIX source netgroup-serv.polito.it/windump/install/ offers windump, a Windows port of tcpdump windump is helpful because it will help you see the different interfaces available on your sensor Next slide shows two available interfaces; note only the second is capable of sniffing snort –A console –i 2

20

21 Snort Rules Snort rules are extremely flexible and are easy to modify, unlike many commercial NIDS Sample rule to detect SubSeven trojan: alert tcp $EXTERNAL_NET > $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d d0a|"; reference:arachnids,485; reference:url, sid:103; classtype:misc-activity; rev:4;) Elements before parentheses comprise ‘rule header’ Elements in parentheses are ‘rule options’

22 Snort Rules alert action to take; also log, pass, activate, dynamic
alert tcp $EXTERNAL_NET > $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d d0a|"; reference:arachnids,485; reference:url, sid:103; classtype:misc-activity; rev:4;) alert action to take; also log, pass, activate, dynamic tcp protocol; also udp, icmp, ip $EXTERNAL_NET source address; this is a variable – specific IP is ok 27374 source port; also any, negation (!21), range (1:1024) -> direction; best not to change this, although <> is allowed $HOME_NET destination address; this is also a variable here any destination port

23 Snort Rules other rule options possible, like offset, depth, nocase
alert tcp $EXTERNAL_NET > $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d d0a|"; reference:arachnids,485; reference:url, sid:103; classtype:misc-activity; rev:4;) msg:”BACKDOOR subseven 22”; message to appear in logs flags: A+; tcp flags; many options, like SA, SA+, !R, SF* content: “|0d0…0a|”; binary data to check in packet; content without | (pipe) characters do simple content matches reference…; where to go to look for background on this rule sid:103; rule identifier classtype: misc-activity; rule type; many others rev:4; rule revision number other rule options possible, like offset, depth, nocase

24 Snort Rules bad-traffic.rules exploit.rules scan.rules
finger.rules ftp.rules telnet.rules smtp.rules rpc.rules rservices.rules dos.rules ddos.rules dns.rules tftp.rules web-cgi.rules web-coldfusion.rules web-frontpage.rules web-iis.rules web-misc.rules web-attacks.rules sql.rules x11.rules icmp.rules netbios.rules misc.rules backdoor.rules shellcode.rules policy.rules porn.rules info.rules icmp-info.rules virus.rules local.rules attack-responses.rules

25 Snort Rules Rules which actually caught intrusions
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_cmdshell - program execution"; content: "x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; flags:A+; classtype:attempted-user; sid:687; rev:3;) caught compromise of Microsoft SQL Server alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:2;) caught Code Red infection alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP \"MKD / \" possible warez site"; flags: A+; content:"MKD / "; nocase; depth: 6; classtype:misc-activity; sid:554; rev:3;) caught anonymous ftp server

26 Snort Rules More rules that caught intrusions
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS multiple decode attempt"; flags:A+; uricontent:"%5c"; uricontent:".."; reference:cve,CAN ; classtype:web-application-attack; sid:970; rev:2;) caught NIMDA infection alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET Bad Login"; content: "Login incorrect"; nocase; flags:A+; classtype:bad-unknown; sid:1251; rev:2;) caught telnet username brute-force Consider how a rule with “Login incorrect” might trigger on many non-malicious events

27 Snort in Action Three operational modes:
Sniffer: snort –dvae will be display payloads, be verbose, display arp traffic, and display link layer data Packet logger: snort –b –l /var/log/snort will log binary data to the /var/log/snort directory NIDS: snort –b –l /var/log/snort –A full –c /etc/snort/snort.conf will log binary data in the /var/log/snort directory, with full alerts in /var/log/snort/alert, reading the configuration file in /etc/snort

28 Snort in Action Three ways to tell Snort how to act
snort.conf configures variables, preprocessors, output plugins, and active rule sets .rules files define actual signatures Command line options start snort and will override options in snort.conf file Snort will run with default snort.conf, but you will have less ‘chaff’ to sort through if you spend time configuring snort.conf properly

29 Snort in Action Snort as NIDS (third mode) captures recon
Contents of /var/log/snort/alert [**] [1:469:1] ICMP PING NMAP [**][Classification: Attempted Information Leak] [Priority: 2]03/28-09:48: > ICMP TTL:46 TOS:0x0 ID:61443 IpLen:20 DgmLen:28Type:8 Code:0 ID: Seq:0 ECHO[Xref => [**] [1:469:1] spp_portscan: PORTSCAN DETECTED from (THRESHOLD 4 connections exceeded in 0 seconds) [**]03/28-09:48: [**] [100:2:1] spp_portscan: portscan status from : 183 connections across 1 hosts: TCP(183), UDP(0) [**]03/2809:48:

30 Snort in Action Partial contents of /var/log/snort/portscan.log
Mar 28 09:48: : > :106 SYN ******S* Mar 28 09:48: : > :193 SYN ******S* Mar 28 09:48: : > :138 SYN ******S* Mar 28 09:48: : > :128 SYN ******S* Mar 28 09:48: : > :156 SYN ******S* Mar 28 09:48: : > :35 SYN ******S* Mar 28 09:48: : > :48 SYN ******S* Mar 28 09:48: : > :16 SYN ******S* Mar 28 09:48: : > :173 SYN ******S* Mar 28 09:48: : > :72 SYN ******S* Mar 28 09:48: : > :65 SYN ******S* Mar 28 09:48: : > :36 SYN ******S* Mar 28 09:48: : > :149 SYN ******S* Mar 28 09:48: : > :17 SYN ******S* Mar 28 09:48: : > :218 SYN ******S*

31 Snort in Action is in binary format; read with Ethereal or tcpdump Sample tcpdump output of this log file 09:48: > : icmp: echo request 09:48: > : icmp: echo request As configured, Snort will only log the packets which triggered an alert Packets triggering portscans are not logged by default

32 Third-Party Enhancements
SnortSnarf SnortSnarf is a Perl program to take files of alerts from the Snort to produce HTML reports Output intended for diagnostic inspection Silicon Defense also supplies sensors with commercial support Description and screenshot taken from SnortSnarf web

33

34 Third-Party Enhancements
Analysis Console for Intrusion Databases (ACID) acidlab.sourceforge.net/ PHP-based analysis engine to search and process a database of security events generated by various IDSes, firewalls, and network monitoring tools Query-builder and search interface, packet viewer (decoder), alert management, chart and statistics generation Description and screenshots taken from ACID web

35

36

37 Demarc NIDS management console, integrating Snort with the convenience and power of a centralized interface for all network sensors Monitor all servers / hosts to make sure network services such as a mail or web servers remain accessible at all times Monitor system logs for anomalous log entries that may indicate intruders or system malfunctions Description and screenshots taken from demarc web

38

39

40 Conclusion Snort is a powerful tool, but maximizing its usefulness requires a trained operator Becoming proficient with network intrusion detection takes 12 months; “expert” 24-36? Snort is considered a superior NIDS when compared to most commercial systems Managed network security providers should collect enough information to make decisions without calling clients to ask what happened

Download ppt "An Introduction to Snort"

Similar presentations

Snort: Overview Chris Copeland What is an Intrusion Detection System (IDS)? An intrusion detection system is any system which can identify a network.

Snort: Overview Chris Copeland What is an Intrusion Detection System (IDS)? An intrusion detection system is any system which can identify a network.
Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.

Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.
Snort: A Network Intrusion Detection Software Matt Gustafson Becky Smith CS691 Semester Project Spring 2003.

Snort: A Network Intrusion Detection Software Matt Gustafson Becky Smith CS691 Semester Project Spring 2003.
Snort Roy INSA Lab.. Outline What is “ Snort ” ? Working modes How to write snort rules ? Snort plug-ins It ’ s show time.

Snort Roy INSA Lab.. Outline What is “ Snort ” ? Working modes How to write snort rules ? Snort plug-ins It ’ s show time.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Martin Roesch Sourcefire Inc.

Martin Roesch Sourcefire Inc.
Modified slides from Martin Roesch Sourcefire Inc.

Modified slides from Martin Roesch Sourcefire Inc.
Introduction to Snort’s Working and configuration file

Introduction to Snort’s Working and configuration file
Modified slides from Martin Roesch Sourcefire Inc.

Modified slides from Martin Roesch Sourcefire Inc.
Modified slides from Martin Roesch Sourcefire Inc.

Modified slides from Martin Roesch Sourcefire Inc.
Intrusion Detection MIS.5213.011 ALTER 0A234 Lecture 4.

Intrusion Detection MIS ALTER 0A234 Lecture 4.
Information Networking Security and Assurance Lab National Chung Cheng University Snort.

Information Networking Security and Assurance Lab National Chung Cheng University Snort.
Martin Roesch Sourcefire Inc.. Topics Background –What is Snort? Using Snort Snort Architecture The Future of Snort and Snort 2.0.

Martin Roesch Sourcefire Inc.. Topics Background –What is Snort? Using Snort Snort Architecture The Future of Snort and Snort 2.0.
Host Intrusion Prevention Systems & Beyond

Host Intrusion Prevention Systems & Beyond
CIS 193A – Lesson12 Monitoring Tools. CIS 193A – Lesson12 Focus Question What are the common ways of specifying network packets used in tcpdump, wireshark,

CIS 193A – Lesson12 Monitoring Tools. CIS 193A – Lesson12 Focus Question What are the common ways of specifying network packets used in tcpdump, wireshark,
Using Argus Audit Trails to Enhance IDS Analysis Jed Haile Nitro Data Systems

Using Argus Audit Trails to Enhance IDS Analysis Jed Haile Nitro Data Systems
Network Intrusion Detection Systems Slides by: MM Clements A Adekunle The University of Greenwich.

Network Intrusion Detection Systems Slides by: MM Clements A Adekunle The University of Greenwich.
USENIX LISA ‘99 Conference © Copyright 1999, Martin Roesch Snort - Lightweight Intrusion Detection for Networks Martin Roesch.

USENIX LISA ‘99 Conference © Copyright 1999, Martin Roesch Snort - Lightweight Intrusion Detection for Networks Martin Roesch.

Similar presentations

Ads by Google