Transcript IDS Survey - National Chiao Tung University

Snort - Open Source
Network Intrusion
Detection System
Survey
Outline
•
•
•
•
•
•
What is Snort
Snort operational modes
NIDS mode
Snort 1.X
Snort 2.X
Snort Rule Signature
What is Snort
• A “lightweight” network intrusion
detection system with the
capabilities of the sniffer, packet
logger, network traffic analysis
• Can be deployed to monitor small
TCP/IP networks and detect a wide
variety of suspicious network traffic
as well as outright attacks.
Snort Features
•
•
•
•
•
•
•
•
•
•
•
Multi-operational packet processing tools
Rules-based detection engine
Small ~800k source
Cross platform : Linux, Windows, MacOS X, Solaris, BSD,
IRIX, Tru64, HP-UX, etc
High speed of detection for a given attack on 100 Mbps
networks
Easy rules language, many reporting/logging options
Free (GPL/Open Source Software)
Libpcap-based sniffing interface
Capability to filter traffic with Berkeley Packet Filter (BPF)
commands
Plug-in system are flexible
Real-time alerting capability, with alerts being sent to
syslog, Server Message Block (SMB) "WinPopup" messages,
or a separate "alert" file.
Snort Operational Modes
• Operational modes are configured via
command line
– Default is NIDS mode if no command line
switches
• Three main operational modes
– Sniffer Mode
– Packet Logger Mode
– NIDS Mode
Packet Logger Mode
• Multiple packet logging options
– Flat ASCII, tcpdump, XML, database,
etc
• Log the data and post-processing to
look the anomalous activities
Sniffer Mode
• Works much like tcpdump
• Decodes packets and dumps them to
stdout
• Packet filtering interface available to
shape displayed network traffic
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
11/09-11:12:02.954779 10.1.1.6:1032 -> 10.1.1.8:23
TCP TTL:128 TOS:0x0 ID:31237 IpLen:20 DgmLen:59 DF
***AP*** Seq: 0x16B6DA Ack: 0x1AF156C2 Win: 0x2217 TcpLen: 20
FF FC 23 FF FC 27 FF FC 24 FF FA 18 00 41 4E 53 ..#..'..$....ANS
49 FF F0
I..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
NIDS Mode I
Honeypot
(Deception System)
Generic Server
(Host-Based ID)
(Snort 2.0)
Internet
Filtering
Router
(Perimeter Logs)
Firewall
(Perimeter
Logs)
Statistical IDS
(Snort)
Network IDS
(Snort)
NIDS Mode II
• Can use snort + plug-ins for both misuse detection
and anomalous activity
• Can perform portscan detection, IP
defragmentation, TCP stream reassembly,
application layer analysis and normalization, etc
• Various output options available
• Multiple detection modes available
– Rules/signature
– Statistical anomaly
– Protocol verification
Snort 1.x Architecture
Snort
Packet Decoder
Preprocessor
(Plug-ins)
Detection Engine
(Plug-ins)
Output Stage
(Plug-ins)
Data Flow
Packet Stream
Sniffing
Alerts/Logs
Snort 1.x Detection
Engine
• Rule based detection engine
• Rules are detection elements which are
combined to form the signature
• Detection rules in a two dimensional linked
list
– Chain Headers
– Chain Options
• Wide range of detection capabilities
– Stealth scans, OS fingerprinting, buffer
overflows, back doors, CGI exploits, etc.
Detection Engine: Rules
Rule Header
Rule Options
Alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: SF; msg: “SYN-FIN Scan”;)
Alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: S12; msg: “Queso Scan”;)
Alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: F; msg: “FIN Scan”;)
Rule Node
Alert tcp 1.1.1.1 any -> 2.2.2.2 any
Option Node
Internal Representation
(flags: SF; msg: “SYN-FIN Scan”;)
(flags: S12; msg: “Queso Scan”;)
(flags: F; msg: “FIN Scan”;)
Detection Engine: Fully
Populated
Rule
Node
Rule
Node
Rule
Node
Rule
Node
Rule
Node
Option
Node
Option
Node
Option
Node
Option
Node
Option
Node
Option
Node
Option
Node
Option
Node
Option
Node
Option
Node
Option
Node
Snort 1.x Pro and Con
• Pro
– Wide rules available (~1300 by June 2001)
– Very high speed decoding and stateless intrusion
detection
• 100Mbps is not too difficult
– Flexibility & multi-platform
• Con
• Good choice for a number of applications in the rapid
prototyping platform for new ideas in intrusion detection
– Data structure and rule description language is limited
at the protocol level
• Easy to describe IP/TCP/UDP/ICMP/IGMP/Etc, hard to
describe HTTP, RPC, SMTP, etc
– Tendency to write slow output plug-ins!
Snort 2.0
• Multi-format rules input
– DB, XML, etc
• Traffic decoders
– Support arbitrary protocol, multi-path traffic flows
– Ethernet, FDDI, T/R, SLIP, PPP, ISDN, Raw, IP, ARP,
TCP, UDP, ICMP
• Pluggable detection engines
– Standard NIDS, Target-based IDS, Statistical IDS,
Host-based IDS
• ~500% in pattern matching performance
improvement reported in research work!
• Spooling output
Snort 2.0 Detection Engine
Comparison – V 1.x
alert
tcp
Sip: 1.1.1.1
Dip: 2.2.2.2
Dp: 80
(flags: A+; content: “”foo”;)
(flags: A+; content: “bar”;)
(flags: A+; content: “baz”;)
Snort 2.0 Detection Engine
Comparison – V 2.0
alert
tcp
Sip: 1.1.1.1
Dip: 10.1.1.0/24
content: “”foo”;
Dip: 2.2.2.2
Dp: 80
Flags: A+;
content: “bar”;
content: “baz”;
Snort Signature Example
SID
630
message
SCAN synscan portscan
Signature
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; id:
39426; flags: SF;reference:arachnids,441; classtype:attempted-recon; sid:630; rev:1;)
Summary
A host has scanned the network looking for vulnerable servers.
Impact
Information leak, reconnaisance, preperation for automated attack such as worm
propagation
Detailed
Information
Synscan is the scanning and vulnerability testing engines for ramen, canserserver and is
included in some versions of the t0rn root kit as t0rnscan. It is a very fast syn
scanner.
Attack Scenarios
This is a scanning tool that is often the precursor to a worm infection.
Ease of Attack
This scanner is fast and easy to use. It is readily available and was included with several
worms.
False Positives
sscan, mscan, and several other tools used ID=39426 but the use of SYNFIN is unique to
synscan [1.5|1.6]
False Negatives
NONE.
Corrective Action
Run flexresp with synscan kill.
Contributors
Don Smith Initial Research
Josh Gray Edits
References
arachnids,441
Format of Snort Rule
Language
• Rules Headers
– Rule Actions
–
–
–
–
–
• alert, log, pass, activate, dynamic
Protocols
IP Addresses
Port Numbers
The Direction Operator
..
• Rule Options
– msg: "<message text>“
– logto: "<filename>"
– …
• Content-list
– multiple content strings to be specified in the place of a single
content option