Title: Intrusion Detection
1 Intrusion Detection
2 Snort
- Get snort
- Installation
- Configure
- Setup logs
- Rules
- Start
3 Get snort source
- http://www.snort.org/
- tar.gz
- Source
- http://www.snort.org/dl/current/snort-2.8.2.3.tar.gz
- Rpm's: Redhat Package Manager
- yum install snort
- Apt-get: Debian package manager
- apt-get install snort
4 Install: Make from source
- Source based installation
- Move the tar.gz file to
- /usr/local/src/ or
- /usr/src/redhat/SOURCES
- tar -zxvf snort-2.4.3.tar.gz
- Unpacks the source in snort-2.4.3
- Build the app
- cd snort-2.4.3
- ./configure
- make
- make install
5 Documentation
- Included documentation in the distribution:
AUTHORS BUGS CREDITS faq.pdf faq.tex INSTALL Makefile Makefile.am Makefile.in NEWS PROBLEMS README README.alert_order README.asn1 README.csv README.database README.event_queue README.FLEXRESP README.flow README.flowbits README.flow-portscan README.frag3 README.http_inspect README.INLINE README.PLUGINS README.sfportscan README.thresholding README.UNSOCK README.WIN32 README.wireless RULES.todo snort_manual.pdf snort_manual.tex snort_schema_v106.pdf TODO USAGE WISHLIST
- man snort
- More documentation on the snort website
6 Configure
- Create the directory: mkdir /etc/snort; cd /etc/snort
- Get snort rules
- http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_pr/snortrules-pr-2.4.tar.gz
- Unpack the rule set
- tar -zxvf snortrules-pr-2.4.tar.gz
- Edit /etc/snort/rules/snort.conf
- mkdir /var/log/snort
- Snort has to know where everything is
7 snort.conf
var HOME_NET any
var HOME_NET 192.168.50.0/24
var EXTERNAL_NET any
var EXTERNAL_NET !$HOME_NET
var SMTP $HOME_NET
var HTTP_SERVICES $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
var RULE_PATH /etc/snort/rules
8 Modes of operation
- Sniffer mode
- On screen packet sniffer
- Packet logger mode
- Logs in text format or tcpdump format
- Direct the logging to a remote host
- Logs every packet
- NIDS mode
- Uses snort.conf
- Logs only the packets that satisfy a rule
9 Sniffer mode
- snort -v -i eth0
- Shows only the headers on the screen:
02/16-12:59:45.856485 127.0.0.1 -> 127.0.0.1
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:13104   Seq:256  ECHO

02/16-12:59:45.856519 127.0.0.1 -> 127.0.0.1
ICMP TTL:64 TOS:0x0 ID:50341 IpLen:20 DgmLen:84
Type:0  Code:0  ID:13104   Seq:256  ECHO REPLY
10 Sniffer mode
- snort -vd -i eth0
- Shows headers and packet contents on the screen:
02/16-13:07:28.498178 127.0.0.1 -> 127.0.0.1
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:15408   Seq:256  ECHO
90 FD 4F 3E E7 99 07 00 08 09 0A 0B 0C 0D 0E 0F  ..O>............
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567

02/16-13:07:28.498206 127.0.0.1 -> 127.0.0.1
ICMP TTL:64 TOS:0x0 ID:50342 IpLen:20 DgmLen:84
Type:0  Code:0  ID:15408   Seq:256  ECHO REPLY
90 FD 4F 3E E7 99 07 00 08 09 0A 0B 0C 0D 0E 0F  ..O>............
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567
11 Logger mode
- snort -d -l ./log -i eth0
- Logs packets to current_dir/log/eth0
- The log directory must already exist
- Logged as ASCII
- -e also records the data link layer info
- snort -de -l ./log -b -i eth0
- Logs complete packets in binary format, i.e. tcpdump format
12 NIDS Mode
- Runs snort as an intrusion detector
- Not every packet is recorded
- Only those packets matching a rule
- snort -de -l /var/log/snort -i eth0 -c snort.conf
- Uses rules in snort.conf
- tcpdump format
- Sends log files to /var/log/snort
13 Rules
- The basis for logging or not logging a packet
- Can be more than one line long now
- Each line to be continued must be terminated with ' \' (that is, a space followed by a backslash)
- Generic syntax
- rule_header (rule_options)
- Rule header
- Action, addresses, ports, masks
- Rule options
- Messages, what to look for, where to look
14 Simple Rule
- Snort rule example
- alert tcp any any -> 192.168.1.0/24 111 \
- (content:"|00 01 86 a5|"; msg:"mountd access";)
- content: what to match in the packet
- msg: log message heading
- Header fields in this example:
- Action: alert
- Protocol: tcp
- Src IP mask: any
- Source Port: any
- Des IP mask: 192.168.1.0/24
- Dest Port: 111
15 Key Words
- Include
- include /etc/snort/rules/ping.rules
- Variables
- var HOME_NET 192.16.13.0/24
- var RULE_PATH /etc/snort/rules
- include $RULE_PATH/ping.rules
- Config
- config reference: bugtraq http://www.securityfocus.com/bid
/home/courses/Comp_Sec_II/Lectures/6.IDS/06/IDS.2.odp Slide 15
16 Rule Actions/Types (Field 1)
- Alert, log, pass
- Alert: generates an alert message and then logs the packet
- Log: logs the packet
- Pass: ignores the packet
- Activate, dynamic
- Activate: sends an alert and then turns on a dynamic rule
- Dynamic: idle until activated and then acts as a log rule
- User defined rule types
17 Protocols (Field 2)
- tcp, udp, icmp, ip
- To date
- arp, igrp, gre, ospf, rip, etc.
- The distant future
18 Addresses (Fields 3 & 5)
- Usual dotted decimal notation with mask indicated
- 192.16.13.0/24
- Dereferenced variable
- $HOME_NET
- Keyword any
- List: [192.16.13.0/24,10.1.1.0/24]
- Negation: !192.16.13.1
19 Ports (Fields 4 & 6)
- Numerical, any
- 80, 21, 23, etc.
- 100:1024 - ports 100 through 1024
- :600 - ports 0 through 600
- 500: - ports greater than or equal to 500
- Typical address/port fields
- !192.16.13.0/24 any -> 192.16.13.0/24 111
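To make the header semantics of slides 15, 18 and 19 concrete, here is an added Python example (not Snort's own code and not from the lecture) that evaluates the address and port fields of a rule header against a packet: CIDR masks, the keyword any, $VARIABLE dereferencing (including a negated definition such as EXTERNAL_NET = !$HOME_NET), bracketed lists, ! negation, and the 100:1024, :600 and 500: port range forms. The VARIABLES table, the packet dicts and the header dict are constructed for the example; the variable names follow slide 7.

```python
"""Match Snort rule header address and port fields against a packet.

Added example (not Snort's code).  Address forms from slides 15 and 18:
CIDR 192.16.13.0/24, keyword any, $VARIABLE, list [a,b], leading ! to
negate.  Port forms from slide 19: 80, any, 100:1024, :600, 500:, and !.
"""
import ipaddress

# Constructed snort.conf-style variables (assumption; names follow slide 7).
VARIABLES = {
    "HOME_NET": "192.168.50.0/24",
    "EXTERNAL_NET": "!$HOME_NET",
}


def resolve(spec, variables=VARIABLES):
    """Strip leading ! markers and $VARIABLE references; return (negated, literal)."""
    negated = False
    for _ in range(16):                     # guard against a self-referencing variable
        if spec.startswith("!"):
            negated = not negated           # !!x == x; !$EXTERNAL_NET == $HOME_NET here
            spec = spec[1:]
        elif spec.startswith("$"):
            name = spec[1:]
            if name not in variables:
                raise KeyError("undefined variable $" + name)
            spec = variables[name]
        else:
            return negated, spec
    raise ValueError("variable reference too deep: " + spec)


def address_matches(spec, ip, variables=VARIABLES):
    negated, body = resolve(spec, variables)
    if body == "any":
        hit = True
    elif body.startswith("[") and body.endswith("]"):
        # list: a hit on any member counts (members may themselves be negated or variables)
        hit = any(address_matches(item.strip(), ip, variables)
                  for item in body[1:-1].split(","))
    else:
        # a bare address without a mask is treated as a single host (/32)
        hit = ipaddress.ip_address(ip) in ipaddress.ip_network(body, strict=False)
    return hit != negated


def port_matches(spec, port, variables=VARIABLES):
    negated, body = resolve(spec, variables)
    if body == "any":
        hit = True
    elif ":" in body:
        lo, hi = body.split(":", 1)
        lo = int(lo) if lo else 0           # ":600"  -> 0..600
        hi = int(hi) if hi else 65535       # "500:"  -> 500..65535
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("bad port range " + body)
        hit = lo <= port <= hi
    else:
        hit = port == int(body)
    return hit != negated


def header_matches(header, packet, variables=VARIABLES):
    """header: dict with src_ip, src_port, direction, dst_ip, dst_port (rule fields 3-7).
    packet: dict with src_ip, src_port, dst_ip, dst_port of an observed datagram."""
    def one_way(h_src, h_sport, h_dst, h_dport):
        return (address_matches(h_src, packet["src_ip"], variables)
                and port_matches(h_sport, packet["src_port"], variables)
                and address_matches(h_dst, packet["dst_ip"], variables)
                and port_matches(h_dport, packet["dst_port"], variables))
    forward = one_way(header["src_ip"], header["src_port"], header["dst_ip"], header["dst_port"])
    if header["direction"] == "<>":         # bidirectional: also try the reverse pairing
        return forward or one_way(header["dst_ip"], header["dst_port"],
                                  header["src_ip"], header["src_port"])
    return forward


# The "typical address/port fields" from slide 19, as a header dict.
SLIDE19_HEADER = {"src_ip": "!192.16.13.0/24", "src_port": "any", "direction": "->",
                  "dst_ip": "192.16.13.0/24", "dst_port": "111"}

if __name__ == "__main__":
    # Constructed packets: one from outside the /24 hitting port 111, one from inside it.
    outside = {"src_ip": "10.0.0.5", "src_port": 40000, "dst_ip": "192.16.13.7", "dst_port": 111}
    inside = {"src_ip": "192.16.13.2", "src_port": 40000, "dst_ip": "192.16.13.7", "dst_port": 111}
    print(header_matches(SLIDE19_HEADER, outside), header_matches(SLIDE19_HEADER, inside))
```

The double negation case is the one worth remembering when reading a ruleset: with EXTERNAL_NET defined as !$HOME_NET, a rule written against !$EXTERNAL_NET matches the home network again, which is easy to miss in a long snort.conf.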
20 Rule Options
- msg: prints a message in the log
- ttl: test the ip header's ttl value
- tos: test the tos field
- id: test the ip header's id field
- fragbits: test the fragmentation bits
- dsize: test the packet's payload size
- flags: test tcp flags
- seq: test the sequence number for a specific value
- ack: test the ack bit for set or clear
- itype: test icmp type
- sid: snort rule id
- rev: rule revision number
- ip_proto: ip header's protocol number
- reference: external attack identification systems
21 Options: Examples
- msg
- Puts a message in the log record to identify the snort rule
- msg:"SYN packet malformed";
- ttl
- Tests for a specific ttl value
- ttl:127;
- dsize
- Tests for a specific size of the packet: >, <, <>
- dsize:400<>500;
22 Options: Examples cont'd
- fragbits
- Tests for configuration of the IP dgram frag bits
- RB, MF, DF (reserved bit, more frags bit, do not frag bit)
- Modifiers: + all have to match
- * any have to match
- ! match if bits are not set
- fragbits:R;
23 Options: Examples cont'd
- content
- Tests for specific content within the packet payload
- Binary data enclosed by |...|
- ASCII data enclosed by "..."
- ! tests that the content does not contain the string
- content:"|90CB C0FF FFFF|/bin/sh";
- content:!"GET";
24 Options: Examples cont'd
- offset
- Dictates the starting position of the content search
- offset:3;
- depth
- Dictates the maximum depth of the content search
- depth:22;
- nocase
- Content search is not case sensitive
- nocase;
25 Options: Examples cont'd
- flags
- Tests the TCP flags for a match
- F, S, R, P, A, U, 2, 1, 0
- 1, 2 are the reserved bits in the flag octet
- 0: no flag is set
- Modifiers: + all have to match
- * any have to match
- ! match if bits are not set
- flags:SF;
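The dsize, fragbits and flags options on slides 21, 22 and 25 share one idea: a set of named bits plus a modifier (+, *, !) that changes how the set is compared. The following is an added Python example (not Snort's code, not from the lecture) that implements those comparisons so the modifier semantics can be checked against a packet summary; the TCP and IP bit tables are standard, the packet dict is constructed, and the inclusive treatment of the dsize <> range is an assumption noted in the code.

```python
"""Evaluate the dsize, flags and fragbits rule options (slides 21, 22, 25).

Added example (not Snort's code).  Bit-test modifiers, written before the
letters as in the Snort manual: none = exactly these bits, + = these bits
set (others may be too), * = any one of these bits set, ! = none of them set.
"""
# TCP flag letters -> bit in the TCP flags octet.  1 and 2 are the reserved bits.
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
                 "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}
# fragbits letters -> bit in the IP flags/fragment-offset word:
# More fragments, Don't fragment, Reserved.
FRAG_BITS = {"M": 0x2000, "D": 0x4000, "R": 0x8000}


def dsize_matches(spec, payload_len):
    """dsize:N / >N / <N / LOW<>HIGH.  The <> range is treated as inclusive here
    (assumption about the Snort 2 range test; check the manual for your version)."""
    spec = spec.strip()
    if "<>" in spec:
        lo, hi = (int(x) for x in spec.split("<>", 1))
        return lo <= payload_len <= hi
    if spec.startswith(">"):
        return payload_len > int(spec[1:])
    if spec.startswith("<"):
        return payload_len < int(spec[1:])
    return payload_len == int(spec)


def parse_bitspec(spec, table):
    """'[+*!]LETTERS' -> (modifier, bitmask).  '0' means 'no bits' (empty mask)."""
    spec = spec.strip()
    modifier = ""
    if spec and spec[0] in "+*!":
        modifier, spec = spec[0], spec[1:]
    mask = 0
    for ch in spec:
        if ch == "0":
            continue
        if ch not in table:
            raise ValueError("unknown bit letter %r" % ch)
        mask |= table[ch]
    return modifier, mask


def bits_match(modifier, wanted, actual, ignore=0):
    actual &= ~ignore                           # bits the rule asked us to disregard
    if modifier == "+":
        return (actual & wanted) == wanted      # all wanted bits set, others allowed
    if modifier == "*":
        return (actual & wanted) != 0           # at least one wanted bit set
    if modifier == "!":
        return (actual & wanted) == 0           # none of the wanted bits set
    return actual == wanted                     # exactly these bits and no others


def flags_matches(spec, tcp_flags):
    """flags:[+*!]<FSRPAU120>[,<FSRPAU12>]; the part after ',' names bits to ignore."""
    bits, _, ignore_spec = spec.partition(",")
    modifier, wanted = parse_bitspec(bits, TCP_FLAG_BITS)
    ignore = parse_bitspec(ignore_spec, TCP_FLAG_BITS)[1] if ignore_spec.strip() else 0
    return bits_match(modifier, wanted, tcp_flags, ignore)


def fragbits_matches(spec, ip_flags):
    """fragbits:[+*!]<MDR>; tested against the IP flags/offset word."""
    modifier, wanted = parse_bitspec(spec, FRAG_BITS)
    return bits_match(modifier, wanted, ip_flags)


def options_match(options, packet):
    """A rule fires only if every option holds (options are ANDed).  Keywords other
    than the three handled here are skipped in this example."""
    checks = {
        "dsize": lambda arg: dsize_matches(arg, packet["payload_len"]),
        "flags": lambda arg: flags_matches(arg, packet["tcp_flags"]),
        "fragbits": lambda arg: fragbits_matches(arg, packet["ip_flags"]),
    }
    return all(checks[kw](arg) for kw, arg in options if kw in checks)


if __name__ == "__main__":
    # Constructed packet summary: SYN and FIN both set (never legitimate), DF set, no payload.
    probe = {"payload_len": 0,
             "tcp_flags": TCP_FLAG_BITS["S"] | TCP_FLAG_BITS["F"],
             "ip_flags": FRAG_BITS["D"]}
    print(options_match([("flags", "SF"), ("dsize", "0")], probe))   # True
```

The flags:SF test without a modifier is the strict form: a SYN/FIN packet that also carries ACK does not match it, while flags:+SF does. When writing a rule for a scan signature, decide deliberately which of the two you want, since the reserved bits (1, 2) being set by ECN-capable hosts will also break a strict match unless they are listed after the comma to be ignored.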
26 Options: Examples cont'd
- ip_proto
- Checks the IP Protocol field; permissible values are in /etc/protocols
- ip_proto:6;
27 /etc/protocols
# $Id: protocols,v 1.3 2001/07/07 07:07:15 nalin Exp $
#
# Internet (IP) protocols
#
#       from: @(#)protocols     5.1 (Berkeley) 4/17/89
#
# Updated for NetBSD based on RFC 1340, Assigned Numbers (July 1992).
# See also http://www.iana.org/assignments/protocol-numbers
ip      0       IP              # internet protocol, pseudo protocol number
hopopt  0       HOPOPT          # hop-by-hop options for ipv6
icmp    1       ICMP            # internet control message protocol
igmp    2       IGMP            # internet group management protocol
ggp     3       GGP             # gateway-gateway protocol
ipencap 4       IP-ENCAP        # IP encapsulated in IP (officially ``IP'')
st      5       ST              # ST datagram mode
tcp     6       TCP             # transmission control protocol
28 Options: Examples cont'd
- classtype
- Categorizes snort detects into attack classes
- classtype:<class name>;
- Listed in classification.config
- classtype:misc-attack;
29 Options: Examples cont'd
- itype
- Checks the value of the ICMP type field
- itype:0;
- icode
- Checks the value of the ICMP code field
- icode:8;
30 Options: Examples cont'd
- reference
- References to external attack identification systems
- Bugtraq, CVE, Arachnids, McAfee, url
- reference:<id-system>,<id>;
- reference:arachNIDS,IDS287; reference:bugtraq,1387;
31 Options: Examples cont'd
- flow
- Used with TCP stream reassembly; applies to certain directions
- Applies to either client or server
- to_client: triggers on server responses
- to_server: triggers on client requests
- from_client: triggers on client requests
- from_server: triggers on server responses
- established: triggers only on established TCP connections
- flow:from_server;
32 Rule Example
- alert tcp any any -> any 7070 \
- (msg:"IDS411/dos-realaudio"; \
- flags:AP; content:"|fff4 fffd 06|"; \
- reference:arachNIDS,IDS411;)
33 Rule Example
- alert udp any any -> any 1434 \
- (msg:"MS-SQL Worm propagation attempt"; \
- content:"|04|"; depth:1; \
- content:"|81 f1 03 01 04 9b 81 f1 01|"; \
- content:"sock"; \
- content:"send"; \
- reference:bugtraq,5310; \
- reference:bugtraq,5311; \
- reference:url,vil.nai.com/vil/content/v_99992.htm; \
- classtype:misc-attack; sid:2003; rev:2;)
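The rule syntax laid out on slides 13 and 14 (rule_header followed by a parenthesised, ';'-separated option list, with ' \' continuations), the content quoting rules on slide 23 (|hex| for binary, "..." for ASCII, a leading ! for negation), and the two full rules on slides 32 and 33 are enough to write a small parser. The one below is an added Python example, not Snort's own code and not part of the lecture; it embeds the mountd and MS-SQL rules from the slides as sample input and decodes each content pattern into the byte string Snort would search for. Lookup of options by name and the Rule dataclass are this example's own conventions.

```python
"""Parse Snort 2.x rules: rule_header (rule_options).

Added example (not Snort's code).  Handles ' \\' line continuation, the
seven header fields, ';'-separated options, and content patterns whose
binary parts are written as |hex| inside the quotes.
"""
import re
from dataclasses import dataclass, field

HEADER_FIELDS = ("action", "protocol", "src_ip", "src_port",
                 "direction", "dst_ip", "dst_port")

# Sample input copied from the slides (mountd rule, slide 14; MS-SQL rule, slide 33).
MOUNTD_RULE = r"""alert tcp any any -> 192.168.1.0/24 111 \
(content:"|00 01 86 a5|"; msg:"mountd access";)"""

MSSQL_RULE = r"""alert udp any any -> any 1434 \
(msg:"MS-SQL Worm propagation attempt"; \
content:"|04|"; depth:1; \
content:"|81 f1 03 01 04 9b 81 f1 01|"; \
content:"sock"; \
content:"send"; \
reference:bugtraq,5310; \
reference:bugtraq,5311; \
reference:url,vil.nai.com/vil/content/v_99992.htm; \
classtype:misc-attack; sid:2003; rev:2;)"""


@dataclass
class Rule:
    header: dict
    options: list = field(default_factory=list)   # [(keyword, argument), ...]


def join_continuations(text):
    """A rule may span lines; each line to be continued ends in ' \\'."""
    parts = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line.endswith("\\"):
            line = line[:-1].rstrip()
        parts.append(line)
    return " ".join(parts)


def split_options(body):
    """Split on ';' but not inside "..." (a msg may legitimately contain ';')."""
    opts, buf, in_quotes, escaped = [], [], False, False
    for ch in body:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\" and in_quotes:
            buf.append(ch)
            escaped = True
        elif ch == ";" and not in_quotes:
            opt = "".join(buf).strip()
            if opt:
                opts.append(opt)
            buf = []
        else:
            if ch == '"':
                in_quotes = not in_quotes
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        opts.append(tail)
    return opts


def decode_content(arg):
    """content:[!]"..." -> (negated, bytes).  Text between | | is hex, the rest literal."""
    arg = arg.strip()
    negated = arg.startswith("!")
    if negated:
        arg = arg[1:].lstrip()
    if len(arg) < 2 or arg[0] != '"' or arg[-1] != '"':
        raise ValueError("content argument must be quoted: %r" % arg)
    body = arg[1:-1]
    if body.count("|") % 2:
        raise ValueError("unbalanced '|' in content: %r" % body)
    out = bytearray()
    for i, segment in enumerate(body.split("|")):
        if i % 2:                                   # odd segments sit between pipes
            out += bytes.fromhex(segment.replace(" ", ""))
        else:
            out += segment.encode("latin-1")
    return negated, bytes(out)


def parse_rule(text):
    line = join_continuations(text)
    m = re.match(r"^(.*?)\s*\((.*)\)\s*$", line)
    if not m:
        raise ValueError("rule has no (rule_options) section")
    fields = m.group(1).split()
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("rule header needs 7 fields, got %d" % len(fields))
    header = dict(zip(HEADER_FIELDS, fields))
    if header["direction"] not in ("->", "<>"):
        raise ValueError("bad direction operator %r" % header["direction"])
    options = []
    for opt in split_options(m.group(2)):
        keyword, _, argument = opt.partition(":")
        options.append((keyword.strip(), argument.strip()))
    return Rule(header, options)


def rule_contents(rule):
    """Decoded content patterns of a rule, in order."""
    return [decode_content(arg) for kw, arg in rule.options if kw == "content"]


if __name__ == "__main__":
    for text in (MOUNTD_RULE, MSSQL_RULE):
        rule = parse_rule(text)
        print(rule.header)
        for negated, pattern in rule_contents(rule):
            print("  content", "!" if negated else "", pattern)
```

Running the parser over the slide 33 rule shows why the first content is paired with depth:1: the single byte |04| is only meaningful at the very start of the SQL Server Resolution datagram, and without depth the pattern would be found in almost any payload. That is the practical reason the slide 24 modifiers exist.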
34 Final Lab
Setup and configure snort. Select a rule set; be sure to include scanning rules. Start snort in NIDS mode. With your firewall up and down, scan your system using ping scan, xmas tree scan and OS scan. Check your syslog, the snort logs, and what nmap returns (e.g. for an ICMP ping scan).
1. With shields up, what got through and what did snort think was happening?
2. With shields down, what got through and what did snort think was happening?
3. What did nmap think it saw in each case?
Hand in:
1. Firewall policies
2. Firewall script with comments, especially how each policy is enforced
3. snort.conf
4. Discussion from the experiments above.