
Intrusion Detection


Presentation Transcript


  1. Intrusion Detection: Snort

  2. Snort • Get snort • Installation • Configure • Setup logs • Rules • Start

  3. Get snort source • http://www.snort.org/ • tar.gz source: http://www.snort.org/dl/current/snort-2.8.2.3.tar.gz • RPMs (Red Hat Package Manager): yum install snort • apt-get (Debian package manager): apt-get install snort

  4. Install: make from source • Source-based installation • Move the tar.gz file to /usr/local/src/ or /usr/src/redhat/SOURCES • tar -zxvf snort-2.4.3.tar.gz unpacks the source into snort-2.4.3 (the slide builds 2.4.3; substitute the version you actually downloaded) • Build the app: cd snort-2.4.3 • ./configure • make • make install (the last step as root, since it installs under /usr/local)

  5. Documentation • Included documentation in the distribution AUTHORS BUGS CREDITS faq.pdf faq.tex INSTALL Makefile Makefile.am Makefile.in NEWS PROBLEMS README README.alert_order README.asn1 README.csv README.database README.event_queue README.FLEXRESP README.flow README.flowbits README.flow-portscan README.frag3 README.http_inspect README.INLINE README.PLUGINS README.sfportscan README.thresholding README.UNSOCK README.WIN32 README.wireless RULES.todo snort_manual.pdf snort_manual.tex snort_schema_v106.pdf TODO USAGE WISHLIST • man snort • More documentation on the snort website

  6. Configure • Create the directory: mkdir /etc/snort; cd /etc/snort • Get the snort rules: http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_pr/snortrules-pr-2.4.tar.gz • Unpack the rule set: tar -zxvf snortrules-pr-2.4.tar.gz • Edit /etc/snort/rules/snort.conf • mkdir /var/log/snort • Snort has to know where everything is

  7. snort.conf (the two HOME_NET and the two EXTERNAL_NET lines are alternatives; pick one of each)
  var HOME_NET any
  var HOME_NET 192.168.50.0/24
  var EXTERNAL_NET any
  var EXTERNAL_NET !$HOME_NET
  var SMTP $HOME_NET
  var HTTP_SERVICES $HOME_NET
  var SQL_SERVERS $HOME_NET
  var DNS_SERVERS $HOME_NET
  var RULE_PATH /etc/snort/rules

  8. Modes of operation • Sniffer mode • On-screen packet sniffer • Packet logger mode • Logs in text format or tcpdump format • Logging can be directed to a remote host • Logs every packet • NIDS mode • Uses snort.conf • Logs only the packets that satisfy a rule

  9. Sniffer mode • snort -v -i eth0 • Shows only the headers on the screen
  02/16-12:59:45.856485 127.0.0.1 -> 127.0.0.1
  ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
  Type:8 Code:0 ID:13104 Seq:256 ECHO
  =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
  02/16-12:59:45.856519 127.0.0.1 -> 127.0.0.1
  ICMP TTL:64 TOS:0x0 ID:50341 IpLen:20 DgmLen:84
  Type:0 Code:0 ID:13104 Seq:256 ECHO REPLY
  =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

  10. Sniffer mode • snort -vd -i eth0 • Shows headers and packet contents on the screen
  02/16-13:07:28.498178 127.0.0.1 -> 127.0.0.1
  ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
  Type:8 Code:0 ID:15408 Seq:256 ECHO
  90 FD 4F 3E E7 99 07 00 08 09 0A 0B 0C 0D 0E 0F ..O>............
  10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F ................
  20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F  !"#$%&'()*+,-./
  30 31 32 33 34 35 36 37 01234567
  =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
  02/16-13:07:28.498206 127.0.0.1 -> 127.0.0.1
  ICMP TTL:64 TOS:0x0 ID:50342 IpLen:20 DgmLen:84
  Type:0 Code:0 ID:15408 Seq:256 ECHO REPLY
  90 FD 4F 3E E7 99 07 00 08 09 0A 0B 0C 0D 0E 0F ..O>............
  10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F ................
  20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F  !"#$%&'()*+,-./
  30 31 32 33 34 35 36 37 01234567
  =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

  11. Logger mode • snort -d -l ./log -i eth0 • Logs packets under ./log (in ASCII mode snort creates one subdirectory per host address) • The log directory must already exist • Logged as ASCII • -e also records the data link layer info • snort -de -l ./log -b -i eth0 • Logs complete packets in binary, i.e. tcpdump (pcap) format

  12. NIDS Mode • Runs snort as an intrusion detector • Not every packet is recorded, only those matching a rule • snort -de -l /var/log/snort -i eth0 -c snort.conf (the -l switch needs a directory; /var/log/snort is also the default when -l is omitted) • Uses the rules loaded by snort.conf • Packet logs in tcpdump format • Log files go to /var/log/snort

  13. Rules • The basis for logging or not logging a packet • Can now be more than one line long • Each line to be continued must be terminated with a backslash, i.e. "space \" • Generic syntax: rule_header (rule_options) • Rule header: action, addresses, ports, masks • Rule options: messages, what to look for, where to look

  14. Simple Rule • Snort rule example
  alert tcp any any -> 192.168.1.0/24 111 \
      (content:"|00 01 86 a5|"; msg:"mountd access";)
  • Header fields, left to right: action (alert), protocol (tcp), source IP/mask (any), source port (any), direction (->), destination IP/mask (192.168.1.0/24), destination port (111) • content: what to match in the packet payload • msg: log message heading

  15. Key Words • Include: include /etc/snort/rules/ping.rules • Variables: var HOME_NET 192.16.13.0/24 • var RULE_PATH /etc/snort/rules • include $RULE_PATH/ping.rules • Config: config reference: bugtraq http://www.securityfocus.com/bid /home/courses/Comp_Sec_II/Lectures/6.IDS/06/IDS.2.odp: Slide 15

  16. Rule Actions/Types (Field 1) • alert, log, pass • alert: generates an alert message and then logs the packet • log: logs the packet • pass: ignores the packet • activate, dynamic • activate: sends an alert and then turns on a dynamic rule • dynamic: idle until activated, then acts as a log rule • User-defined rule types

  17. Protocols (Field 2) • tcp, udp, icmp, ip: supported to date • arp, igrp, gre, ospf, rip, etc.: "the distant future"

  18. Addresses (Fields 3 & 5) • Usual dotted-decimal notation with the mask length indicated: 192.16.13.0/24 • Dereferenced variable: $HOME_NET • Keyword any • List: [192.16.13.0/24,10.1.1.0/24] • Negation: !192.16.13.1

  19. Ports (Fields 4 & 6) • Numerical or "any": 80, 21, 23, etc. • 100:1024 - ports 100 through 1024 • :600 - ports 0 through 600 • 500: - ports greater than or equal to 500 • Typical address/port fields: !192.16.13.0/24 any -> 192.16.13.0/24 111
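  The header fields of slides 16 through 19 (action, protocol, addresses, ports, direction) are easy to get subtly wrong, so here is a small matcher that re-implements their semantics so they can be tried offline. This is an added example, not Snort's own code: the VARS table is a constructed stand-in for the snort.conf var lines of slides 7 and 15, and header_matches, addr_matches and port_matches are names chosen for this example.

```python
"""Matcher for the Snort rule header (action proto src sport dir dst dport).

Added example, not Snort's own code: a re-implementation of the header
semantics from slides 16-19 so address and port specs can be tested offline.
"""
import ipaddress
import re

# Constructed stand-in for snort.conf 'var' lines (slides 7 and 15).
VARS = {
    "HOME_NET": "192.16.13.0/24",
    "EXTERNAL_NET": "!$HOME_NET",
}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)$")


def expand_vars(spec, variables):
    """Replace every $NAME by its definition, as snort.conf does
    ($EXTERNAL_NET -> !$HOME_NET -> !192.16.13.0/24)."""
    while True:
        m = re.search(r"\$(\w+)", spec)
        if not m:
            return spec
        if m.group(1) not in variables:
            raise ValueError("undefined variable $%s" % m.group(1))
        spec = spec[:m.start()] + variables[m.group(1)] + spec[m.end():]


def split_list(inner):
    """Split the inside of [a,b,[c,d]] on top-level commas only."""
    parts, buf, depth = [], "", 0
    for ch in inner:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    return parts


def addr_matches(spec, ip, variables=VARS):
    """Address field: CIDR, host, 'any', $VAR, [list], or ! negation of those."""
    spec = expand_vars(spec.strip(), variables)
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if spec == "any":
        hit = True
    elif spec.startswith("[") and spec.endswith("]"):
        hit = any(addr_matches(p, ip, variables) for p in split_list(spec[1:-1]))
    else:
        hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def port_matches(spec, port, variables=VARS):
    """Port field: N, 'any', lo:hi, :hi (0..hi), lo: (lo..65535), or ! negation.
    port=None means the protocol carries no ports (icmp, ip)."""
    spec = expand_vars(spec.strip(), variables)
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if spec == "any":
        hit = True
    elif port is None:
        hit = False
    elif ":" in spec:
        lo, hi = spec.split(":", 1)
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def parse_header(header):
    m = HEADER_RE.match(header.strip())
    if not m:
        raise ValueError("not a rule header: %r" % header)
    return m.groupdict()


def header_matches(header, proto, src_ip, src_port, dst_ip, dst_port, variables=VARS):
    """True if the packet's 5-tuple is covered by the header.
    '<>' tries both directions; protocol 'ip' covers every IP protocol."""
    h = parse_header(header)
    if h["proto"] != "ip" and h["proto"] != proto:
        return False

    def one_way(a_ip, a_port, b_ip, b_port):
        return (addr_matches(h["src"], a_ip, variables) and port_matches(h["sport"], a_port, variables)
                and addr_matches(h["dst"], b_ip, variables) and port_matches(h["dport"], b_port, variables))

    if one_way(src_ip, src_port, dst_ip, dst_port):
        return True
    return h["dir"] == "<>" and one_way(dst_ip, dst_port, src_ip, src_port)


if __name__ == "__main__":
    rule = "alert tcp !192.16.13.0/24 any -> 192.16.13.0/24 111"   # slide 19's typical header
    print(header_matches(rule, "tcp", "10.0.0.5", 40000, "192.16.13.7", 111))   # outside -> inside: True
    print(header_matches(rule, "tcp", "192.16.13.9", 40000, "192.16.13.7", 111))  # inside -> inside: False
```

  The negation on a list is applied to the list as a whole, and a variable is expanded before the negation is read, which is why $EXTERNAL_NET defined as !$HOME_NET works as expected.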

  20. Rule Options • Key words:
  - msg - prints a message in the log
  - ttl - test the IP header's TTL value
  - tos - test the TOS field
  - id - test the IP header's ID field
  - fragbits - test the fragmentation bits
  - dsize - test the packet's payload size
  - flags - test the TCP flags
  - seq - test the TCP sequence number for a specific value
  - ack - test the TCP acknowledgement number for a specific value
  - itype - test the ICMP type
  - sid - Snort rule ID
  - rev - rule revision number
  - ip_proto - IP header's protocol number
  - reference - reference to an external attack identifier

  21. Options Examples • msg • Puts a message in the log record to identify the snort rule: msg:"SYN packet malformed"; • ttl • Tests for a specific TTL value: ttl:127; • dsize • Tests the payload size; >, < and <> give ranges: dsize:400<>500; (numeric values such as ttl and dsize are not quoted)

  22. Options Examples cont'd • fragbits • Tests the IP datagram fragmentation bits R, M, D (reserved bit, more fragments bit, don't fragment bit) • modifiers: + all listed bits must be set • * any listed bit set • ! listed bits not set • fragbits:R+;

  23. Options Examples cont'd • content • Tests for specific content within the packet payload • Binary data as hex bytes enclosed in | ... | • ASCII data as plain text inside the quotes; both may be mixed in one string • ! tests that the payload does not contain the string • content:"|90CB C0FF FFFF|/bin/sh"; • content:!"GET";

  24. Options Examples cont'd • offset • Starting position of the content search in the payload: offset:3; • depth • Maximum number of bytes to search from that start: depth:22; • nocase • Content search is not case sensitive: nocase;

  25. Options Examples cont'd • flags • Tests the TCP flags for a match: F, S, R, P, A, U, 2, 1, 0 • 1 and 2 are the reserved bits in the flags octet • 0 means no flag is set • modifiers: + all listed flags must be set • * any listed flag set • ! listed flags not set • flags:SF;

  26. Options Examples cont'd • ip_proto • Checks the IP protocol field; permissible values are in /etc/protocols: ip_proto:6;

  27. /etc/protocols (excerpt)
  # /etc/protocols:
  # $Id: protocols,v 1.3 2001/07/07 07:07:15 nalin Exp $
  #
  # Internet (IP) protocols
  #
  # from: @(#)protocols 5.1 (Berkeley) 4/17/89
  #
  # Updated for NetBSD based on RFC 1340, Assigned Numbers (July 1992).
  #
  # See also http://www.iana.org/assignments/protocol-numbers
  ip        0   IP           # internet protocol, pseudo protocol number
  #hopopt   0   HOPOPT       # hop-by-hop options for ipv6
  icmp      1   ICMP         # internet control message protocol
  igmp      2   IGMP         # internet group management protocol
  ggp       3   GGP          # gateway-gateway protocol
  ipencap   4   IP-ENCAP     # IP encapsulated in IP (officially ``IP'')
  st        5   ST           # ST datagram mode
  tcp       6   TCP          # transmission control protocol
  cbt       7   CBT          # CBT, Tony Ballardie <A.Ballardie@cs.ucl.ac.uk>
  egp       8   EGP          # exterior gateway protocol
  igp       9   IGP          # any private interior gateway (Cisco: for IGRP)
  bbn-rcc   10  BBN-RCC-MON  # BBN RCC Monitoring
  nvp       11  NVP-II       # Network Voice Protocol
  pup       12  PUP          # PARC universal packet protocol
  argus     13  ARGUS        # ARGUS
  emcon     14  EMCON        # EMCON
  xnet      15  XNET         # Cross Net Debugger
  chaos     16  CHAOS        # Chaos
  udp       17  UDP          # user datagram protocol
  mux       18  MUX          # Multiplexing protocol
  dcn       19  DCN-MEAS     # DCN Measurement Subsystems
  hmp       20  HMP          # host monitoring protocol
  prm       21  PRM          # packet radio measurement protocol

  28. Options Examples cont'd • classtype • Categorizes snort detections into attack classes: classtype:<class name>; • The class names are listed in classification.config • classtype:misc-attack;

  29. Options Examples cont'd • itype • Checks the value of the ICMP type field: itype:0; • icode • Checks the value of the ICMP code field: icode:8;

  30. Options Examples cont'd • reference • References to external attack identification systems: Bugtraq, CVE, arachNIDS, McAfee, url • reference:<id-system>,<id>; • reference:arachNIDS,IDS287; • reference:bugtraq,1387;

  31. Options Examples cont'd • flow • Used with TCP stream reassembly; restricts the rule to one direction of the conversation • to_client - triggers on server responses • to_server - triggers on client requests • from_client - triggers on client requests • from_server - triggers on server responses • established - triggers only on established TCP connections • flow:from_server;

  32. Rule Example
  alert tcp any any -> any 7070 \
      (msg:"IDS411/dos-realaudio"; \
      flags:AP; content:"|fff4 fffd 06|"; \
      reference:arachNIDS,IDS411;)

  33. Rule Example (every option, including the second content, must end with a semicolon)
  alert udp any any -> any 1434 \
      (msg:"MS-SQL Worm propagation attempt"; \
      content:"|04|"; depth:1; \
      content:"|81 f1 03 01 04 9b 81 f1 01|"; \
      content:"sock"; \
      content:"send"; \
      reference:bugtraq,5310; \
      reference:bugtraq,5311; \
      reference:url,il.nai.com/vil/content/v_99992.htm; \
      classtype:misc-attack; sid:2003; rev:2;)
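  To see how the option keywords of slides 20 through 33 combine, here is an evaluator that parses an option list and runs it against constructed packets, using the RealAudio rule of slide 32 and the MS-SQL worm rule of slide 33 (with the semicolon the slide omits after its second content). This is an added example, not Snort's own code: it models content with |hex| and ASCII, ! negation, offset/depth/nocase, dsize, flags with the + * ! modifiers and itype/icode, and only records msg/sid/rev/classtype/reference. Stream reassembly and the flow keyword are not modelled; the dsize range being inclusive and the flags modifier being accepted at either end of the string are assumptions; the payloads are constructed, not captures; evaluate, parse_options and the other names are chosen for this example.

```python
"""Evaluator for Snort rule options (added example, not Snort's own code).
Models content/offset/depth/nocase, dsize, flags, itype/icode; records the rest."""
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}


def parse_options(text):
    """'(k:v; k2;)' -> ordered [(keyword, value)], splitting on ';' outside double quotes."""
    text = text.strip()
    if text.startswith("(") and text.endswith(")"):
        text = text[1:-1]
    opts, buf, quoted = [], "", False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            if buf.strip():
                key, _, val = buf.strip().partition(":")
                opts.append((key.strip(), val.strip()))
            buf = ""
        else:
            buf += ch
    if buf.strip():
        raise ValueError("option %r is not terminated by ';'" % buf.strip())
    return opts


def decode_content(value):
    """'|fff4 fffd 06|' or '|90 C8|/bin/sh' -> bytes: text between pipes is hex, the rest literal."""
    out = b""
    for i, part in enumerate(value.strip('"').split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return out


def content_matches(c, payload):
    """Search payload[offset:offset+depth] for the needle; depth None means to the end."""
    region = payload[c["offset"]:]
    if c["depth"] is not None:
        region = region[:c["depth"]]
    needle = c["needle"]
    if c["nocase"]:
        region, needle = region.lower(), needle.lower()
    return (needle in region) != c["negate"]


def dsize_matches(spec, size):
    """dsize:N, >N, <N, lo<>hi (range treated as inclusive here: an assumption)."""
    if "<>" in spec:
        lo, hi = spec.split("<>")
        return int(lo) <= size <= int(hi)
    if spec[0] in "<>":
        return size > int(spec[1:]) if spec[0] == ">" else size < int(spec[1:])
    return size == int(spec)


def flags_matches(spec, tcp_flags):
    """SF exact; S+ all listed set; A* any listed set; !S none set; 0 no flag set."""
    spec, mode = spec.split(",")[0].strip(), "="   # optional ',<mask>' part not modelled
    for mod in "+*!":
        if mod in spec:                             # assumption: modifier at either end
            mode, spec = mod, spec.replace(mod, "")
    want = 0
    for ch in spec:
        if ch != "0":
            want |= FLAG_BITS[ch]
    if mode == "+":
        return (tcp_flags & want) == want
    if mode == "*":
        return (tcp_flags & want) != 0
    if mode == "!":
        return (tcp_flags & want) == 0
    return tcp_flags == want


def evaluate(options_text, pkt):
    """Return (matched, metadata). pkt: dict with payload (bytes) and optional tcp_flags, itype, icode."""
    contents, checks, meta = [], [], {}
    for key, val in parse_options(options_text):
        if key == "content":
            contents.append({"needle": decode_content(val.lstrip("!")), "negate": val.startswith("!"),
                             "offset": 0, "depth": None, "nocase": False})
        elif key in ("offset", "depth", "nocase"):
            if not contents:
                raise ValueError("%s must follow a content option" % key)
            contents[-1][key] = True if key == "nocase" else int(val)
        elif key == "dsize":
            checks.append(dsize_matches(val, len(pkt["payload"])))
        elif key == "flags":
            checks.append(flags_matches(val, pkt.get("tcp_flags", 0)))
        elif key in ("itype", "icode"):
            checks.append(pkt.get(key) == int(val))
        else:                                       # msg, sid, rev, classtype, reference, ...
            meta.setdefault(key, []).append(val.strip('"'))
    checks.extend(content_matches(c, pkt["payload"]) for c in contents)
    return all(checks), meta


# Option strings of slide 33 (Slammer) and slide 32 (RealAudio), straight-quoted.
SLAMMER = ('(msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; '
           'content:"|81 f1 03 01 04 9b 81 f1 01|"; content:"sock"; content:"send"; '
           'reference:bugtraq,5310; reference:bugtraq,5311; '
           'reference:url,il.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2003; rev:2;)')
REALAUDIO = '(msg:"IDS411/dos-realaudio"; flags:AP; content:"|fff4 fffd 06|"; reference:arachNIDS,IDS411;)'

# Constructed packets shaped like the signatures (not real captures).
SLAMMER_PKT = {"payload": b"\x04" + b"\x01" * 96 + bytes.fromhex("81f10301049b81f101") + b"ws2_32 sock ... send"}
REALAUDIO_PKT = {"payload": b"PNA\x00" + bytes.fromhex("fff4fffd06"), "tcp_flags": FLAG_BITS["A"] | FLAG_BITS["P"]}

if __name__ == "__main__":
    for name, opts, pkt in [("udp/1434", SLAMMER, SLAMMER_PKT), ("tcp/7070", REALAUDIO, REALAUDIO_PKT)]:
        hit, meta = evaluate(opts, pkt)
        print(name, "ALERT" if hit else "no match", meta.get("msg"), meta.get("sid"))
```

  Each content without distance/within is searched from the start of the payload independently, which is why depth:1 on the first content of the slide-33 rule pins the 0x04 byte to the very first position while the later contents may appear anywhere.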

  34. Final Lab
  Set up and configure snort. Select a rule set; be sure to include scanning rules. Start snort in NIDS mode.
  With your firewall up and down, scan your system using an nmap ping scan, Xmas tree scan and OS scan. Check your syslog, the snort logs and what nmap returns (e.g. for the ICMP ping scan, what nmap reports).
  1. With shields up: what got through, and what did snort think was happening?
  2. With shields down: what got through, and what did snort think was happening?
  3. What did nmap think it saw in each case?
  Hand in:
  1. Firewall policies
  2. Firewall script with comments, especially on how each policy is enforced
  3. snort.conf
  4. Discussion of the experiments above
