Snort - Lightweight Intrusion Detection for Networks


Snort - Lightweight Intrusion Detection for Networks
YOUNG Wo Sang
Program Committee, PISA
[email protected]
Introducing Snort
• Snort is:
– Small (~1.2M source distribution)
– Portable (Linux, Solaris, *BSD, IRIX, HP-UX, WIN32)
– Fast (High probability of detection for a given attack on “average” networks)
– Configurable (Easy rules language, many reporting/logging options)
– Free (GPL/Open Source Software)
– Current version 1.8.1 as of Aug 2001
Snort Design
• Packet sniffing network intrusion detection system
• Libpcap-based sniffing interface
• Rules-based detection engine
• Multiple output options
– decoded logs, tcpdump formatted logs
– real-time alerting to syslog, file, database, xml
Detection Engine
• Rules form “signatures”
• Modular detection elements are combined to form these signatures
• Anomalous activity detection is possible
– stealth scans, OS fingerprinting, invalid ICMP codes, etc
• Rules system is very flexible, and creation of new rules is relatively simple
Rules Format
alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any (flags: SF; msg: "SYN-FIN Scan";)
• Two sections to a rule
• rule header:
alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any
• rule options:
(flags: SF; msg: "SYN-FIN Scan";)
• Rule headers and options can be strung together in any combination
Rule Header Features
• IP addresses
– negation, CIDR blocks
• TCP/UDP ports
– negation, ranges, greater than/less than
• uni/bi-directional port/address consideration
Rule Option Features
• IP TTL
• IP ID
• Fragment size
• TCP Flags
• TCP Ack number
• TCP Seq number
• Payload size
• Content
• Content offset
• Content depth
• Session recording
• ICMP type
• ICMP code
• Alternate log files
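As an added worked example (not Snort's own code and not from the presentation), the following Python script splits a rule of the shape shown on the Rules Format slide into its header fields and its option list, then evaluates the header features just listed (address negation, CIDR blocks, port ranges and the open-ended greater-than/less-than port forms, the uni/bi-directional operator) plus an exact-match TCP flags option against constructed packets. The two rules are the ones from these slides (the SYN-FIN rule here and the TRAP! rule from the Scan Detection/Traps slide); the packet dicts, the host addresses and all function names are assumptions made for the illustration, and the real engine does much more (protocol decoding, content matching, preprocessors) than this header/option split.

```python
"""Added example, not Snort's own code: split a Snort 1.x rule into its
header and option section and evaluate the header (plus an exact-match
'flags' option) against constructed packets.  Function names, packet
dicts and host addresses are assumptions made for this illustration."""
import ipaddress
import re

DIRECTIONS = ("->", "<>")   # uni- and bi-directional operators


def parse_rule(rule: str) -> dict:
    """Return header fields and an ordered (key, value) list of options.
    Options are split on ';', so a ';' inside a quoted value is not handled."""
    m = re.fullmatch(r"\s*([^(]+?)\s*\((.*)\)\s*", rule)
    if not m:
        raise ValueError("rule needs a header and a parenthesised option list")
    header, opts = m.groups()
    fields = header.split()
    if len(fields) != 7 or fields[4] not in DIRECTIONS:
        raise ValueError(f"malformed header: {header!r}")
    action, proto, src, sport, direction, dst, dport = fields
    options = []
    for item in opts.split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition(":")
            options.append((key.strip(), value.strip().strip('"')))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport,
            "options": options}


def ip_matches(spec: str, ip: str) -> bool:
    """'any', a host or CIDR block, or '!' negation of a block."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def port_matches(spec: str, port: int) -> bool:
    """'any', one port, 'lo:hi' range, ':hi' (<= hi), 'lo:' (>= lo); all negatable."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def header_matches(rule: dict, pkt: dict) -> bool:
    """Apply the address/port tests; '<>' accepts either direction."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False

    def one_way(a, ap, b, bp):
        return (ip_matches(rule["src"], a) and port_matches(rule["sport"], ap)
                and ip_matches(rule["dst"], b) and port_matches(rule["dport"], bp))

    if one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]):
        return True
    return rule["direction"] == "<>" and one_way(
        pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])


def rule_fires(rule: dict, pkt: dict) -> bool:
    """Header plus the one option evaluated here: 'flags' as an exact set match,
    so 'flags: S' fires on a bare SYN but not on a SYN-ACK."""
    if not header_matches(rule, pkt):
        return False
    return all(set(value) == set(pkt.get("flags", ""))
               for key, value in rule["options"] if key == "flags")


# The two rules shown on the slides (straight quotes; curly quotes break Snort).
SYNFIN_RULE = 'alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any (flags: SF; msg: "SYN-FIN Scan";)'
TRAP_RULE = 'alert tcp any any -> 10.1.1.0/24 100:600 (flags: S; msg: "TRAP!";)'

# Constructed packets, not captured traffic: 192.0.2.9 is an outside host,
# 10.1.1.5 is inside the protected block.
PACKETS = [
    {"proto": "tcp", "src": "192.0.2.9", "sport": 40000, "dst": "10.1.1.7", "dport": 22, "flags": "SF"},
    {"proto": "tcp", "src": "10.1.1.5", "sport": 40001, "dst": "10.1.1.7", "dport": 22, "flags": "SF"},
    {"proto": "tcp", "src": "192.0.2.9", "sport": 40002, "dst": "10.1.1.7", "dport": 139, "flags": "S"},
    {"proto": "tcp", "src": "192.0.2.9", "sport": 40003, "dst": "10.1.1.7", "dport": 139, "flags": "SA"},
    {"proto": "tcp", "src": "192.0.2.9", "sport": 40004, "dst": "10.1.1.7", "dport": 8080, "flags": "S"},
]


def run(rules, packets):
    """Return (msg, packet index) for every rule that fires on every packet."""
    parsed = [parse_rule(r) for r in rules]
    return [(dict(r["options"])["msg"], i)
            for i, pkt in enumerate(packets) for r in parsed if rule_fires(r, pkt)]


if __name__ == "__main__":
    for msg, idx in run([SYNFIN_RULE, TRAP_RULE], PACKETS):
        print(f"packet {idx}: {msg}")
```

Running it reports the SYN-FIN rule on packet 0 only (packet 1 has an inside source, so the `!10.1.1.0/24` negation excludes it) and the TRAP! rule on packet 2 only (packet 3 is a SYN-ACK, packet 4 is outside the 100:600 trap range). The second point is why a trap rule should carry `flags: S`: without it, legitimate replies from the monitored hosts would trip the trap.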
Uses for Snort
• Packet Sniffing NIDS
• Honeypot Monitor
• Scan Detection/Traps
• Other Fun Stuff
Packet Sniffing NIDS
• Load up a good rules set and let it run!
– www.whitehats.com
• Automatically generates alerts and logs full packet data
• Alternative alerting/actions can be handled by something like Swatch
– email alerts, active response, etc
Honeypot Monitor
• Honeypots are “deception systems” that perform intrusion detection by inclusion
– Gets rid of all the false alarms!
• Use Snort’s filtering capability to log all the traffic going to the honeypot
• Post process the data with a good ruleset
Scan Detection/Traps
• Snort has no formal port scan detection mechanism
• Set up rules to log traffic to known closed ports & unused addresses
• Poor man’s honeypot/port scan detector
alert tcp any any -> 10.1.1.0/24 100:600 (flags: S; msg: "TRAP!";)
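The slides leave the trap rule firing once per packet and hand alternative alerting to an external watcher such as Swatch. As an added example that is neither Snort's nor Swatch's code, the Python script below post-processes Snort "fast" alert lines, groups TRAP! hits per source address, and reports a source once when it touches three distinct trap ports within a sixty-second window, which is what turns the trap rule into a usable scan detector instead of a flood of alerts. The alert lines are constructed (their field layout follows the 1.8 fast-alert format and is an assumption), as are the addresses, the threshold and the window length.

```python
"""Added example, not Snort's or Swatch's code: post-process Snort fast-alert
lines so that the TRAP! rule reports a scanning source once, not once per
packet.  The alert layout, addresses, threshold and window are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts in the shape of Snort 1.8's fast alert format
# (timestamp [**] [gid:sid:rev] msg [**] {proto} src:port -> dst:port); not a real log.
ALERTS = """\
08/22-14:03:22.101 [**] [1:0:0] TRAP! [**] {TCP} 192.0.2.9:40002 -> 10.1.1.7:139
08/22-14:03:22.140 [**] [1:0:0] TRAP! [**] {TCP} 192.0.2.9:40003 -> 10.1.1.7:445
08/22-14:03:22.190 [**] [1:0:0] TRAP! [**] {TCP} 192.0.2.9:40004 -> 10.1.1.7:135
08/22-14:03:23.002 [**] [1:0:0] TRAP! [**] {TCP} 192.0.2.9:40005 -> 10.1.1.7:110
08/22-14:03:40.500 [**] [1:0:0] TRAP! [**] {TCP} 198.51.100.4:51000 -> 10.1.1.9:139
08/22-14:09:01.000 [**] [1:0:0] TRAP! [**] {TCP} 198.51.100.4:51001 -> 10.1.1.9:143
08/22-14:03:50.000 [**] [1:0:0] SYN-FIN Scan [**] {TCP} 192.0.2.9:40009 -> 10.1.1.7:22
"""

ALERT_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+(?:\[[^\]]*\]\s+)?(.*?)\s+\[\*\*\]"
    r".*?\{(\w+)\}\s+([^\s:]+):(\d+)\s+->\s+([^\s:]+):(\d+)")


def parse_alert(line: str):
    """Return a dict for one fast-alert line, or None if it does not parse."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts, msg, proto, src, sport, dst, dport = m.groups()
    return {"ts": datetime.strptime(ts, "%m/%d-%H:%M:%S.%f"), "msg": msg,
            "proto": proto, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport)}


def find_scanners(lines, msg="TRAP!", threshold=3, window_s=60):
    """Report a source once when it hits `threshold` distinct trap ports within
    `window_s` seconds.  Lines are sorted first because a log merged from
    several sensors, or rotated, is not always in time order."""
    events = [a for a in map(parse_alert, lines) if a and a["msg"] == msg]
    events.sort(key=lambda a: a["ts"])
    recent = defaultdict(list)      # src -> events still inside the window
    reports = []
    for ev in events:
        q = recent[ev["src"]]
        q.append(ev)
        q[:] = [e for e in q if (ev["ts"] - e["ts"]).total_seconds() <= window_s]
        ports = sorted({e["dport"] for e in q})
        if len(ports) >= threshold:
            reports.append({"src": ev["src"], "ports": ports,
                            "first": q[0]["ts"].strftime("%m/%d-%H:%M:%S"),
                            "last": ev["ts"].strftime("%m/%d-%H:%M:%S")})
            q.clear()               # start a fresh episode for this source
    return reports


if __name__ == "__main__":
    for r in find_scanners(ALERTS.splitlines()):
        print(f"{r['src']} probed trap ports {r['ports']} between {r['first']} and {r['last']}")
```

On the constructed log only 192.0.2.9 is reported: it hits three different trap ports within a tenth of a second. 198.51.100.4 touches two trap ports more than five minutes apart, so the sliding window never holds enough distinct ports, and the SYN-FIN alert is filtered out by the message name before counting.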
Other Fun Stuff
• Snort is a packet sniffer, can be used to analyze traffic in real-time
• Motivated people can write rules to pick up all sorts of naughty things
– SQL/ODBC, ActiveX, Java/JavaScript, Macro Viruses
Other Fun Stuff (Cont.)
• SHADOW sensor replacement
• SHADOW is a free NIDS based on tcpdump
• Snort can use the SHADOW BPF rule set, plus its own!
• Gains:
– real-time alerting, payload analysis, rules simplicity, post-processing, etc.
Snort Internal
• Plugin architecture
– stream4 : detect stealth portscans
• Write detection modules and add them to rule set
• Hooks for preprocessors
– IP defrag, TCP stream reassembly, statistics, etc
• Hooks for backend/output
– database, SNMP, tunnels, etc.
Snort Addon
• Guardian 1.2.0, by Anthony Stevens and Ernie Lim
http://home.golden.net/~elim/
Guardian is a stand-alone Perl script which watches the output of snort, and will add rules to IPChains on the fly as snort detects and reports an attack.
• snort-panel, by Xato
http://www.xato.net/files.htm
A very useful windows-based utility for managing, controlling, and monitoring the win32 port of Snort.
• snortnet, by Fyodor
http://snortnet.scorpions.net/
This code is an output plugin that allows you to log Snort alerts to a remote machine. Requires libiap-0.1.tar.gz
• Spade 01172001.1, by Silicon Defense
http://www.silicondefense.com/spice/
SPADE stands for the Statistical Packet Anomaly Detection Engine. It is a Snort preprocessor plugin which sends alerts of anomalous packets through standard Snort reporting mechanisms. Please consider this to be experimental, though it has worked well for us.
• ACID 0.9.6b9, by CERT
http://acidlab.sourceforge.net/
ACID is a PHP-based analysis engine to search and process a database of security incidents generated by Snort. Requires PHP and MySQL.
• … more
FIN
• Get Snort from:
<http://www.snort.org/downloads.html>
• Writing Snort rules:
<http://www.snort.org/docs/writing_rules/>