
Information Networking Security and Assurance Lab National Chung Cheng University Snort.



Presentation transcript:

1 Information Networking Security and Assurance Lab National Chung Cheng University Snort

2 Outline
- What is "Snort"?
- Working modes
- How to write Snort rules?
- Snort plug-ins
- It's show time

3 What is "Snort"?
An open source network IDS.
Powerful:
- Stand-alone real-time traffic analysis
- Packet logging on IP networks
- Detects a variety of attacks and probes
- Protocol analysis, content searching/matching
- Logs to a nicely organized, human-readable directory structure
Flexible:
- Rules language to describe traffic
- Detection engine uses a modular plug-in architecture

4 Snort Working Modes
- Sniffer mode (like tcpdump or Commview)
- Packet logger mode
- NIDS mode

5 Snort Rules
Rules are similar to packet-filter expressions.
Snort has 4 rule actions:
- activate: alert and then turn on another dynamic rule
- dynamic: remain idle until activated by an activate rule, then act as a log rule
- alert: generate an alert using the selected alert method, and then log the packet
- pass: ignore the packet
- log: log the packet
Rule application order (diagram)

6 How to Write Snort Rules?
Simple Snort rule:
  alert tcp any any -> any any (content:"|00 01 86 a5|"; msg:"mountd access";)
Detail of the rule:
- Rule action: alert, log, pass, etc.
- Protocol: tcp, udp, icmp, etc.
- Source IP address, source port number
- Direction operator: ->, <>
- Destination IP address, destination port number
Advanced Snort rules: http://www.snort.org/docs/snort_manual/node14.html
Snort rules database: http://www.snort.org/snort-db/

7 Writing good rules
Content matching:
- Catch the vulnerability, not the exploit (the attacker changes the exploit slightly)
- Catch the oddities of the protocol in the rule
Example: matching "user root"
  Naive rule:
  alert tcp any any -> any 21 (content:"user root";)
  Variants of the same command that differ only in spacing ("user root; user root") slip past an exact content match.
  Better rule:
  alert tcp any any -> any 21 (flow:to_server,established; content:"root"; pcre:"/user\s+root/i";)
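As an added illustration of the rule anatomy on slide 6 and the content-versus-pcre point on slide 7 (this is not code from the slides or from Snort), the toy Python below splits a rule into its header fields and options and then applies only the content: and pcre: options to a payload. The function names are mine, the matcher ignores ports and flow:, and the FTP command lines it is run against are constructed.

```python
import re

# Header: action proto src sport dir dst dport, followed by "(options)".
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')

def parse_rule(rule):
    """Split one Snort rule into header fields plus an ordered (key, value) option list."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % rule)
    fields = m.groupdict()
    options = []
    # Splitting on ';' is enough for the rules on the slides (no ';' inside quoted values).
    for opt in fields.pop("opts").split(";"):
        if opt.strip():
            key, _, val = opt.strip().partition(":")
            options.append((key.strip(), val.strip().strip('"')))
    fields["options"] = options
    return fields

def content_bytes(value):
    """Turn a content: value into bytes, decoding |..| hex escapes such as |00 01 86 a5|."""
    out = b""
    for i, part in enumerate(value.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return out

def payload_matches(rule, payload):
    """Toy engine (not Snort's): evaluate only content:/pcre: options against one payload."""
    for key, val in parse_rule(rule)["options"]:
        if key == "content" and content_bytes(val) not in payload:
            return False      # content: is an exact, case-sensitive byte match
        if key == "pcre":
            body, _, flags = val[1:].rpartition("/")   # "/body/flags" -> body, flags
            if not re.search(body.encode("latin-1"), payload, re.I if "i" in flags else 0):
                return False
    return True

# The two slide-7 rules (naive and improved) and constructed FTP command lines.
NAIVE = 'alert tcp any any -> any 21 (content:"user root";)'
BETTER = r'alert tcp any any -> any 21 (flow:to_server,established; content:"root"; pcre:"/user\s+root/i";)'
SAMPLES = [b"user root\r\n", b"user  root\r\n", b"USER root\r\n", b"user alice\r\n"]

def compare_rules():
    """Return {payload: (naive_hit, better_hit)} for the constructed samples."""
    return {p: (payload_matches(NAIVE, p), payload_matches(BETTER, p)) for p in SAMPLES}
```

compare_rules() shows the naive rule missing the double-space and upper-case variants that the pcre rule still catches.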

8 Snort Plug-ins
Preprocessors:
- Operate on packets after they have been received and decoded by Snort, before rule matching
- Ex. http_decode, port scan, frag2, stream4
Output modules:
- Any rule type you define can be told to use a particular kind of output plug-in
- Ex. alert_fast, alert_syslog, database, xml

9 Snort Working Architecture (diagram: Snort, preprocessor, output module; rule types alert, log, pass, active)

10 Show time
- Test environment
- Download and install package
- Case 1. Nmap port scan
- Case 2. MSN chat messages

11 Environment (diagram)

12 Before install
Required:
- libpcre: http://www.pcre.org/
- libpcap: http://sourceforge.net/projects/libpcap/

13 Snort Go!! Go!! Go!!
- Download snort-2.1.3.tar.gz from http://www.snort.org/
- Install the package

14 Start Snort!!
- Edit snort.conf
- Wait some minutes

15 View the results
Nice directory structure and file names

16 Case 1. Nmap Scan

17 Case 2. MSN chat messages
- Snort doesn't include MSN rules by default
- Snort rule database: http://www.snort.org/snort-db/
- Search it by keyword
- Copy and paste to create new rules
- Add the new rule file to snort.conf: include $RULE_PATH/msn.rules
- Just execute "snort"

18 Enjoy the result

19 Conclusions
Good rules maximize efficiency and speed.

20 Reference
- Writing rules: http://www.snort.org/docs/snort_manual/node14.html
- Rule database: http://www.snort.org/snort-db/
