Linux World Expo

Upload: subhendu

Post on 30-May-2018


8/14/2019 Linux World Expo

  • Harnessing the Power of Snort

    Brian Caswell
    Principal Research Engineer, Sourcefire Vulnerability Research Team

  • Background

    What is Snort?
    - Open source packet analysis tool
    - The most widely deployed Network Intrusion Detection System (NIDS)
    - The de facto standard in intrusion detection and prevention

    Who is Brian Caswell?
    - Sourcefire Vulnerability Research Team - Principal Research Engineer
    - Keeping Snort users ahead of the threat
    - Snort Rules Maintainer
    - Author, Snort 2.1 Intrusion Detection: Second Edition

  • Snort History

    Initial release by Marty Roesch in 1998
    Original goals of Snort:
    - Traffic analysis tool for home network
    - Debugger for service simulators Marty was developing for a honeypot system
    - Learning tool for libpcap
    Initial open source release in December 1998
    - Just a sniffer, no rule language
    - Rules implemented early 1999
    1.0 release, June 1999
    - Basic rules language, stateless

  • Snort History [cont.]

    Snort 1.5 released December 1999
    - System was rearchitected to be modular and extensible
    - Same basic architecture still used today!
    Snort implemented as a packet analysis pipeline:
    Data Acquisition -> Decode -> Preprocess -> Detect -> Action

  • Snort Goes Commercial

    Sourcefire founded in January 2001
    Snort 1.7 last release before full time development begins
    - Snort 1.7 is pitted head to head against 9 commercial IDS offerings in a Network Computing test, comes in 3rd overall!
    Snort 1.8 released in mid-2001, contains high-speed output system, enterprise grade IP defragmenter/TCP Stream Reassembler, etc.

  • Snort Today

    Snort 2.3 available
    - Highly stateful, 3000 detection rules + protocol anomaly detection
    Recent additions include:
    - New portscan detector
    - Target-based IP Defragmenter
    - Event queuing
    - Gigabit performance capabilities, etc.
    12-15000 downloads/week
    600k+ rule updates per month
    Most Innovative @ RSA 2005

  • Snort Tomorrow

    The future:
    - New extensible data acquisition/decoder architecture
    - New stream reassembler
    - More application layer protocol analysis (SMTP/POP/IMAP, DCERPC, SNMP, Telnet/FTP, etc.)
    - Target-based traffic analysis

  • Getting Started

    Website - http://www.snort.org
    Stable release is always available at http://www.snort.org/dl
    - Installable binary packages and source tarballs are typically available
    Also available via CVS: http://www.snort.org/source.html

  • Building Snort

    Get the tarball from snort.org: http://www.snort.org/dl/snort-2.3.0.tar.gz
    Make sure libpcap and PCRE are installed
    Unpack as usual:
        tar zxvf snort-2.3.0.tar.gz
    Build:
        cd snort-2.3.0; ./configure && make && make install

  • Read the Docs!

    Lots of documentation is available for Snort!
    - Look in the doc directory of the tarball
    - Snort manual in PDF format
    - README files cover Snort features and subsystems
    - Man pages available too

  • Running Snort

  • Snort Run Modes

    Three basic modes of operation:
    - Sniffer
    - Packet logger
    - NIDS
    Runtime mode is determined at run-time via command line switches

    Example packet output:
        05/22-11:50:11.320761 127.0.0.1:55786 -> 127.0.0.1:631
        TCP TTL:64 TOS:0x0 ID:16546 IpLen:20 DgmLen:69 DF
        ***AP*** Seq: 0xCE6183EE Ack: 0x89ECD4F2 Win: 0xFFFF TcpLen: 32
        TCP Options (3) => NOP NOP TS: 1481027454 1481027454
        50 4F 53 54 20 2F 20 48 54 54 50 2F 31 2E 31 0D  POST / HTTP/1.1.
        0A                                               .

  • NIDS Mode

    Sniffer and packet logger modes are covered in the first chapter of the Snort manual
    NIDS Mode is what most people think of when talking about Snort
    Command line switches:
    - -c : load NIDS config from the given file
    - -A : specify alert mode
    - -s : generate alerts to syslog
    Examples:
        snort -c snort.conf
        snort -c snort.conf -d -l ~/pktlog -s
        snort -c snort.conf -b -A fast

  • NIDS Mode [cont]

    Useful switches:
    - -D : daemon mode
    - -i : sniff on the given network interface
    - -r : read packets from a capture file
    - -g : set group ID of Snort process
    - -u : set user ID of Snort process
    - -t : chroot Snort process to the given directory
    If no command line switches are specified, Snort looks for snort.conf in /etc/snort and the local directory
    Default logging directory is /var/log/snort

  • Snort Rules

  • Rule Syntax

    Snort's rule syntax is simple and straightforward
    It is also, unfortunately, quirky
    Full rule docs in the snort_manual.pdf file!

  • Rule format

        alert tcp $BAD any -> $GOOD any   (flags: SF; msg: SYN-FIN scan;)
        ^-- Rule Header                   ^-- Rule Options

    Rule Header
    - static definition
    - has to be in every rule
    Rule Options
    - variable definition
    - not always necessary
    - 50+ options available

  • Rule Headers

        alert tcp $BAD any -> $GOOD any

    - alert : rule action
    - tcp : protocol
    - $BAD : src. CIDR
    - any : src. port
    - -> : direction
    - $GOOD : dest. CIDR
    - any : dest. port

  • Rule Options

        (flags: SF; msg: SYN-FIN scan;)

    Option start/finish: the parentheses open and close the option block
    Option detail, e.g. flags:SF;
    - flags : keyword
    - : : separator
    - SF : argument
    - ; : delimiter
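As an added illustration (not code from the slides or from Snort), a small Python parser for the header and option layout just described. It joins the backslash line continuations the later rule examples use, keeps a ';' inside a quoted argument as part of that argument, treats a bare keyword such as nocase as having no argument, and expands the |..| hex notation used in content strings.

```python
import re

HEADER_RE = re.compile(r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
                       r"\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)$")

def split_rule(rule):
    """Return (header text, option body) after joining backslash line continuations."""
    rule = rule.replace("\\\n", " ").strip()
    start = rule.find("(")
    if start < 0: return rule, ""  # options are not always necessary
    if not rule.endswith(")"): raise ValueError("unterminated option block")
    return rule[:start].strip(), rule[start + 1:-1]

def parse_header(header):
    """Map the seven header fields: action proto src_cidr src_port dir dst_cidr dst_port."""
    m = HEADER_RE.match(header)
    if not m: raise ValueError("bad rule header: %r" % header)
    return m.groupdict()

def parse_options(body):
    """Split the body into (keyword, argument) pairs on ';'. A ';' inside double
    quotes belongs to the argument; a bare keyword such as nocase gets None."""
    options, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:                       # keep a backslash-escaped char verbatim
            cur.append(ch); escaped = False; continue
        if ch == "\\" and in_quote:
            cur.append(ch); escaped = True; continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:    # delimiter ends one option
            key, _, arg = "".join(cur).strip().partition(":")
            if key:
                options.append((key.strip(), arg.strip() or None))
            cur = []
        else:
            cur.append(ch)
    if in_quote or "".join(cur).strip():
        raise ValueError("option block must end with ';' and have balanced quotes")
    return options

def content_bytes(arg):
    """Turn a content argument into bytes, expanding |..| hex runs (|3A| is ':')."""
    if arg.startswith('"') and arg.endswith('"'):
        arg = arg[1:-1]
    pieces = arg.split("|")  # odd-indexed pieces sit between pipes: hex bytes
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode() for i, p in enumerate(pieces))

def parse_rule(rule):
    header, body = split_rule(rule)
    return {"header": parse_header(header), "options": parse_options(body)}
```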

  • Fun with Snort Rules

    Basic detection is fun and easy with Snort rules
    To detect a basic string on the network (network grep) you just need the content keyword
    Detecting basic strings is easy but can result in false positives
    Better method is to define more constraints under which the rule may fire

        alert tcp any any -> any any \
            (content:"foo"; msg:"detected foo!";)

  • Getting Stateful with Snort Rules

    Two options available for Snort rules:
    - flow: check TCP session state, direction
    - flowbits: set/test/clear application state info
    Stream4 preprocessor must be running for the flow keyword to work
    Flow preprocessor must be running to enable flowbits
    This rule will only fire for TCP sessions that are in the ESTABLISHED state and for traffic headed to the server:

        alert tcp any any -> any any \
            (flow: established, to_server; \
             content:"foo"; msg:"detected foo";)

  • Stateful Snort Rules

    There is another type of state that can be used, cross-rule state
    Uses the new flowbits keyword to set/test/clear bits in Snort rules
    We can track application protocol state with Snort!
    Example:

        alert tcp any any -> $SMTP 25 \
            (pcre:"/^DATA\n/i"; \
             flowbits: set,smtp.client.mode.data; \
             flowbits: noalert;)
        alert tcp any any -> $SMTP 25 \
            (msg:"SMTP expn decode"; \
             flow: established, to_server; \
             flowbits: isnotset,smtp.client.mode.data; \
             ...
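The cross-rule state above, as an added Python simulation (not Snort's code): one flowbit set per session, the slide's set/noalert and isnotset rules, plus an assumed unset rule on the end-of-DATA marker so the bit is cleared when the message body ends. The "EXPN decode" pattern is an assumed stand-in for the part of the second rule the slide elides, and only to_server payloads are modelled.

```python
import re

# Constructed rules in evaluation order, modelled on the slide's SMTP example (not
# Snort's own code). The "EXPN decode" pattern and the end-of-DATA rule are assumed
# stand-ins for the part elided on the slide.
RULES = [
    {"msg": "SMTP DATA mode", "pcre": r"^DATA\r?\n", "flowbits": ["set,smtp.client.mode.data", "noalert"]},
    {"msg": "SMTP end of DATA", "pcre": r"^\.\r?\n", "flowbits": ["unset,smtp.client.mode.data", "noalert"]},
    {"msg": "SMTP expn decode", "pcre": r"^EXPN\s+decode", "flowbits": ["isnotset,smtp.client.mode.data"]},
]

def eval_rule(rule, payload, bits):
    """Return the alert message if the rule fires, else None. bits is the session's
    flowbit set; every isset/isnotset test must pass before set/unset takes effect."""
    if not re.search(rule["pcre"], payload, re.I):
        return None
    actions = [a.split(",") for a in rule["flowbits"]]
    for op, *name in actions:
        if op == "isset" and name[0] not in bits:
            return None
        if op == "isnotset" and name[0] in bits:
            return None
    alert = rule["msg"]
    for op, *name in actions:
        if op == "set":
            bits.add(name[0])
        elif op == "unset":
            bits.discard(name[0])
        elif op == "noalert":  # rule only manipulates state, never alerts
            alert = None
    return alert

def run_session(client_payloads):
    """Feed the to_server payloads of one TCP session through every rule and collect
    alerts. Snort keeps flowbits per flow, so each session starts with an empty set."""
    bits, alerts = set(), []
    for payload in client_payloads:
        for rule in RULES:
            hit = eval_rule(rule, payload, bits)
            if hit:
                alerts.append(hit)
    return alerts

# Constructed session: EXPN before DATA is a real command and alerts; the same text
# inside the message body is just mail content and is suppressed by the flowbit.
SESSION = ["EHLO mx\r\n", "EXPN decode\r\n", "MAIL FROM:<a@b>\r\n", "DATA\r\n",
           "EXPN decode: see attached\r\n", ".\r\n", "EXPN decode\r\n"]
```

Running run_session(SESSION) yields two alerts, one for the EXPN before DATA and one after the message body ended, but none for the copy inside the body.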

  • Regular Expressions

    Snort supports PCRE - powerful regular expression payload analysis
    Use with care: maintainability, performance issues

        alert tcp $HOME_NET any -> $EXTERNAL_NET 25 \
            (msg:"VIRUS OUTBOUND bad file attachment"; \
             flow:to_server,established; \
             content:"Content-Disposition|3A|"; nocase; \
             pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[stw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]/iR"; \
             classtype:suspicious-filename-detect; \
             sid:721; rev:7;)

  • Managing Output

  • Snort Output

    Two basic types:
    - Alerts are for real-time notification
    - Logs are for forensics
    Several alert/log output types available:
    - Alert: syslog, text, database, unified
    - Log: text, pcap, database, unified, CSV
    Performance is a big deal in the output subsystem
    - Low performance = dropped packets
    - Snort's unified format was designed specifically for high-performance output
    - Pcap format is for cross-platform analysis

  • Unified Output

    Unified output is set up for high performance and flexibility
    Unified format can be converted to any of the other formats (DB, pcap, XML, etc.)
    Barnyard is used to process unified files: http://www.snort.org/dl/barnyard/barnyard-0.2.0.tar.gz
    Input/output plugins:
    - Input: alert, log, stream (flow data)
    - Output: DB, CSV, syslog, pcap, SGUIL, text, XML

  • Output Futures

    Unified/Barnyard are the future of Snort output generation
    Performance is the number one concern of the sensor process
    Unified2 coming soon, Barnyard will change to suit
    Most complex post-processing should move into Barnyard

  • Current & Future Developments

    - New portscan detector: uses rate-based and backscatter methods to detect portscans
    - New IP defragmenter (frag3): target-based, very hard to evade or confuse, high performance
    - New TCP Stream Reassembler (stream5): target-based, high performance
    - New data acquisition frontend: modular, extensible
    - New decoder architecture: modular, extensible, easier to add protocols to Snort
    - Additional layer-7 preprocessing: better protocol anomaly detection, more protocols normalized, enable new protocol-specific detection keywords
    - Target-based detection engine

  • Questions & Answers

    "Sourcefire, framing the future of IT security"
    - Information Security Magazine, The Influence List
    www.sourcefire.com
    800 917 4134