Security Onion Advance
Uploaded by: kaustubh-padwad
Transcript of Security Onion Advance
“SO” Continue
Security Onion Advance
S3CuriTy B3a$t
Agenda
● Some old questions answered
● Default detectable/undetectable attacks
● Optimizations
● Rule writing basics
● Alert (something special here from me)
● Demo
● Questions
● Thanks
Some Old Questions
● Snort or Suricata?
● What is pf_ring, netsniff-ng?
● ??
Suricata
● Less spread
● OISF (Open Information Security Foundation)
● Snort Inline used with Snort
● Multi-threaded

Snort
● Open source de-facto standard
● SourceFire
● IPS optional
● Single-threaded
Test Group                         Priority  # of tests  Suricata score  Snort score
Test rules                                3           8               6            8
Bad Traffic (non RFC compliant)           2           4               1            1
Fragmented packets                        2           2               1            3
Multiple failed logins                    3           1               1            0
Evasion techniques                        2          15              21           29
Malware & viruses                         3          14               9            7
Shellcodes                                3          11              12            7
Denial of Service (DoS)                   3           3               3            3
Client-side attacks                       3         257             127          157
Performance                               3           0               2            1
Inline / Prevention capabilities          2           0               1            1
TOTAL (unweighted sum)                    -         315             184          217
TOTAL (weighted sum)                      -           -             528          617

(The weighted sum is each group's score multiplied by its priority, summed over all groups.)
What is pf_ring and netsniff-ng?
PF_RING™ is a new type of network socket that dramatically improves the packet capture speed.
netsniff-ng is a free Linux networking toolkit, a Swiss army knife for your daily Linux network plumbing if you will. Its performance gain comes from zero-copy mechanisms: on packet reception and transmission the kernel does not need to copy packets from kernel space to user space and vice versa.
Default Detectable Attack
Internal Network and Threat
Server ROOM
Optimizations
● Less false positives
● Mature traffic
● Improved LAN cards which support PF_RING
● Customization of Snort and rule set
● And many more...!
Write your Own Snort Rule

Rule layout:
action proto src_ip src_port direction dst_ip dst_port (options)

Example:
alert tcp 10.0.9.4 any -> any any (msg:"Traffic from 10.0.9.4";)

Action:
● alert - generate an alert using the selected alert method, and then log the packet
● log - log the packet
● pass - ignore the packet
● activate - alert and then turn on another dynamic rule
● dynamic - remain idle until activated by an activate rule, then act as a log rule
Protocol: which protocol should be looked at: TCP, UDP, ICMP or IP
Addresses: single IPs, any, or CIDR fashion
Port numbers: any, from:to (a range), :to (less than or equal to), from: (greater than or equal to)
Examples:
● ip any -> IP 1:1020 -> from any port to 1-1024
● any any -> ip:6000 -> from any port to port less than or equal to 6000
● ip:1024 -> ip:500: -> from port less than 1024 to port greater than 500
Direction operator: -> or <>
Options:
● logto - log the packet to a user specified filename instead of the standard output file
● ttl - test the IP header's TTL field value
● tos - test the IP header's TOS field value
● id - test the IP header's fragment ID field for a specific value
● ipoption - watch the IP option fields for specific codes
● fragbits - test the fragmentation bits of the IP header
● dsize - test the packet's payload size against a value
● flags - test the TCP flags for certain values
● seq - test the TCP sequence number field for a specific value
● ack - test the TCP acknowledgement field for a specific value
● itype - test the ICMP type field against a specific value
● icode - test the ICMP code field against a specific value
● icmp_id - test the ICMP ECHO ID field against a specific value
● icmp_seq - test the ICMP ECHO sequence number against a specific value
● content - search for a pattern in the packet's payload
● content-list - search for a set of patterns in the packet's payload
● nocase - match the preceding content string with case insensitivity
● session - dumps the application layer information for a given session
● rpc - watch RPC services for specific application/procedure calls
● resp - active response (knock down connections, etc)
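As an added example (my own code, not from the slides or from the Snort project), here is a small Python parser and matcher for the rule layout described above. It covers the header fields, the three port-range forms (from:to, :to, from:) and the content/nocase options. It assumes inclusive port ranges, treats "any" as 0-65535, accepts a host IP or a CIDR block as an address, and evaluates only the header plus content/nocase; the other options are parsed into key/value pairs but not checked. The sample rule and packet values are constructed for the demo.

```python
"""Parser and matcher for the Snort rule layout shown on the slides.

Added example, not from the slides or the Snort project. Layout handled:
    action proto src_ip src_port direction dst_ip dst_port (options)
Assumptions: ports are inclusive ranges ("any" = 0-65535, "from:to",
":to" = ports <= to, "from:" = ports >= from); addresses are "any", a host
IP or a CIDR block; only content/nocase options are evaluated.
"""
import ipaddress
import re

ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

# header: seven whitespace-separated fields followed by "(options)"
HEADER_RE = re.compile(
    r"\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*", re.S
)
# one option: key, optional ":value" (quoted or bare), terminated by ";"
OPTION_RE = re.compile(r'([A-Za-z_][\w-]*)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*?))?\s*;')


def parse_port(spec):
    """Turn a port spec into an inclusive (low, high) tuple."""
    if spec == "any":
        return (0, 65535)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        low = int(lo) if lo else 0        # ":to" means 0..to
        high = int(hi) if hi else 65535   # "from:" means from..65535
    else:
        low = high = int(spec)
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"bad port spec: {spec!r}")
    return (low, high)


def parse_address(spec):
    """'any', a host address or a CIDR block -> ip_network object."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(spec, strict=False)


def parse_options(text):
    """Return the option body as an ordered list of (key, value) pairs."""
    opts = []
    for key, value in OPTION_RE.findall(text):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]           # strip the quotes of msg:"..." etc.
        opts.append((key, value))
    return opts


def parse_rule(rule):
    """Split one rule into its header fields and option list."""
    m = HEADER_RE.fullmatch(rule)
    if not m:
        raise ValueError("rule does not follow the 'header (options)' layout")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol {proto!r}")
    return {
        "action": action, "proto": proto, "direction": direction,
        "src": parse_address(src), "src_port": parse_port(sport),
        "dst": parse_address(dst), "dst_port": parse_port(dport),
        "options": parse_options(body),
    }


def header_matches(rule, proto, src, sport, dst, dport):
    """True if the 5-tuple falls inside the rule header ("ip" matches any proto)."""
    if rule["proto"] != "ip" and rule["proto"] != proto:
        return False

    def one_way(a, ap, b, bp):
        return (ipaddress.ip_address(a) in rule["src"]
                and rule["src_port"][0] <= ap <= rule["src_port"][1]
                and ipaddress.ip_address(b) in rule["dst"]
                and rule["dst_port"][0] <= bp <= rule["dst_port"][1])

    if one_way(src, sport, dst, dport):
        return True
    # "<>" is bidirectional, so also try the packet with its endpoints swapped
    return rule["direction"] == "<>" and one_way(dst, dport, src, sport)


def payload_matches(rule, payload):
    """Evaluate content options; 'nocase' applies to the content right before it."""
    needles = []
    for key, value in rule["options"]:
        if key == "content":
            needles.append([value.encode(), False])
        elif key == "nocase" and needles:
            needles[-1][1] = True
    for needle, nocase in needles:
        hay = payload.lower() if nocase else payload
        if (needle.lower() if nocase else needle) not in hay:
            return False
    return True


# constructed sample: the slide's example rule plus a case-insensitive content match
SAMPLE_RULE = 'alert tcp 10.0.9.4 any -> any any (msg:"Traffic from 10.0.9.4"; content:"GET"; nocase;)'

if __name__ == "__main__":
    r = parse_rule(SAMPLE_RULE)
    print(r["action"], r["proto"], r["src"], r["src_port"], r["direction"], r["dst"], r["dst_port"])
    print(dict(r["options"]))
    print(header_matches(r, "tcp", "10.0.9.4", 51000, "192.0.2.10", 80))  # True
    print(payload_matches(r, b"get / HTTP/1.1\r\n"))                        # True, because of nocase
```

The matcher is deliberately header-first: a packet that fails the 5-tuple check is never inspected for content, which is also why loose headers (any any -> any any) are the costly rules on a busy sensor.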
Questions?
Thank You
Contact details:
Twitter: @s3curityb3ast
Blog: breakthesec.com
Email: [email protected]