Snort - Open Source Network Intrusion Detection System Survey.
Outline
• What is Snort
• Snort operational modes
• NIDS mode
• Snort 1.X
• Snort 2.X
• Snort Rule Signature
What is Snort
• A “lightweight” network intrusion detection system with the capabilities of a sniffer, packet logger and network traffic analyzer
• Can be deployed to monitor small TCP/IP networks and detect a wide variety of suspicious network traffic as well as outright attacks.
Snort Features
• Multi-operational packet processing tool
• Rules-based detection engine
• Small: ~800k source
• Cross platform: Linux, Windows, MacOS X, Solaris, BSD, IRIX, Tru64, HP-UX, etc
• High speed of detection for a given attack on 100 Mbps networks
• Easy rules language, many reporting/logging options
• Free (GPL/Open Source Software)
• Libpcap-based sniffing interface
• Capability to filter traffic with Berkeley Packet Filter (BPF) commands
• Flexible plug-in system
• Real-time alerting capability, with alerts being sent to syslog, Server Message Block (SMB) "WinPopup" messages, or a separate "alert" file.
Snort Operational Modes
• Operational modes are configured via command line
  – Default is NIDS mode if no command line switches are given
• Three main operational modes
  – Sniffer Mode
  – Packet Logger Mode
  – NIDS Mode
Packet Logger Mode
• Multiple packet logging options
  – Flat ASCII, tcpdump, XML, database, etc
• Log the data and post-process it to look for anomalous activity
Sniffer Mode
• Works much like tcpdump
• Decodes packets and dumps them to stdout
• Packet filtering interface available to shape displayed network traffic

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
11/09-11:12:02.954779 10.1.1.6:1032 -> 10.1.1.8:23
TCP TTL:128 TOS:0x0 ID:31237 IpLen:20 DgmLen:59 DF
***AP*** Seq: 0x16B6DA Ack: 0x1AF156C2 Win: 0x2217 TcpLen: 20
FF FC 23 FF FC 27 FF FC 24 FF FA 18 00 41 4E 53  ..#..'..$....ANS
49 FF F0                                         I..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
NIDS Mode I
[Deployment diagram: Internet; Filtering Router (Perimeter Logs); Firewall (Perimeter Logs); Network IDS (Snort); Statistical IDS (Snort); Generic Server (Host-Based ID, Snort 2.0); Honeypot (Deception System)]
NIDS Mode II
• Can use Snort + plug-ins for both misuse detection and anomalous activity
• Can perform portscan detection, IP defragmentation, TCP stream reassembly, application layer analysis and normalization, etc
• Various output options available
• Multiple detection modes available
  – Rules/signature
  – Statistical anomaly
  – Protocol verification
Snort 1.x Architecture
[Snort Data Flow diagram: Packet Stream -> Sniffing -> Packet Decoder -> Preprocessor (Plug-ins) -> Detection Engine (Plug-ins) -> Output Stage (Plug-ins) -> Alerts/Logs]
Snort 1.x Detection Engine
• Rule based detection engine
• Rules are detection elements which are combined to form the signature
• Detection rules in a two dimensional linked list
  – Chain Headers
  – Chain Options
• Wide range of detection capabilities
  – Stealth scans, OS fingerprinting, buffer overflows, back doors, CGI exploits, etc.
Detection Engine: Rules
Rule Header:  alert tcp 1.1.1.1 any -> 2.2.2.2 any
Rule Options: (flags: SF; msg: "SYN-FIN Scan";)

Three rules sharing one header:
alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: SF; msg: "SYN-FIN Scan";)
alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: S12; msg: "Queso Scan";)
alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: F; msg: "FIN Scan";)

Internal Representation
[Diagram: the shared header becomes one Rule Node; the three option sets become Option Nodes chained off it]

Detection Engine: Fully Populated
[Diagram: five RuleNodes in the header chain, each carrying its own list of OptionNodes (eleven in total)]
Snort 1.x Pro and Con
• Pro
  – Wide range of rules available (~1300 by June 2001)
  – Very high speed decoding and stateless intrusion detection
    • 100Mbps is not too difficult
  – Flexibility & multi-platform
    • Good choice for a number of applications, and a rapid prototyping platform for new ideas in intrusion detection
• Con
  – Data structure and rule description language is limited at the protocol level
    • Easy to describe IP/TCP/UDP/ICMP/IGMP/etc, hard to describe HTTP, RPC, SMTP, etc
  – Tendency to write slow output plug-ins!
Snort 2.0
• Multi-format rules input
  – DB, XML, etc
• Traffic decoders
  – Support arbitrary protocol, multi-path traffic flows
  – Ethernet, FDDI, T/R, SLIP, PPP, ISDN, Raw, IP, ARP, TCP, UDP, ICMP
• Pluggable detection engines
  – Standard NIDS, Target-based IDS, Statistical IDS, Host-based IDS
• ~500% pattern matching performance improvement reported in research work!
• Spooling output
Snort 2.0 Detection Engine Comparison – V 1.x
[Diagram: one rule header (alert tcp; Sip: 1.1.1.1; Dip: 2.2.2.2; Dp: 80) with three option lists: (flags: A+; content: "foo";) (flags: A+; content: "bar";) (flags: A+; content: "baz";)]

Snort 2.0 Detection Engine Comparison – V 2.0
[Diagram: header fields alert tcp; Sip: 1.1.1.1; Dip: 2.2.2.2; Dip: 10.1.1.0/24; Dp: 80; Flags: A+; with content: "foo"; content: "bar"; content: "baz"; grouped into one content set]
Snort Signature Example
SID: 630
Message: SCAN synscan portscan
Signature: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; id: 39426; flags: SF; reference:arachnids,441; classtype:attempted-recon; sid:630; rev:1;)
Summary: A host has scanned the network looking for vulnerable servers.
Impact: Information leak, reconnaissance, preparation for automated attack such as worm propagation
Detailed Information: Synscan is the scanning and vulnerability testing engine for ramen, canserserver and is included in some versions of the t0rn root kit as t0rnscan. It is a very fast syn scanner.
Attack Scenarios: This is a scanning tool that is often the precursor to a worm infection.
Ease of Attack: This scanner is fast and easy to use. It is readily available and was included with several worms.
False Positives: sscan, mscan, and several other tools used ID=39426 but the use of SYN-FIN is unique to synscan [1.5|1.6]
False Negatives: NONE.
Corrective Action: Run flexresp with synscan kill.
Contributors: Don Smith (initial research), Josh Gray (edits)
References: arachnids,441
Format of Snort Rule Language
• Rule Headers
  – Rule Actions
    • alert, log, pass, activate, dynamic
  – Protocols
  – IP Addresses
  – Port Numbers
  – The Direction Operator
  – ...
• Rule Options
  – msg: "<message text>"
  – logto: "<filename>"
  – ...
• Content-list
  – multiple content strings to be specified in the place of a single content option
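As an added example that is not part of the slides, the Python below ties the rule format above to the two-dimensional detection chain of the Snort 1.x engine and to the SID 630 signature: it parses rule text into header and options, builds one chain header (RuleNode) per distinct header with the option sets (OptionNodes) of all rules that share it, and evaluates constructed packet records against the chain. It assumes `$EXTERNAL_NET` and `$HOME_NET` resolve to `any`, evaluates only the flags, id and content options, and uses the Snort flags semantics where `SF` means exactly SYN and FIN set and `A+` means ACK set with other flags allowed.

```python
# Added example (not from the slides): Snort 1.x-style rule parser + two-dimensional detection chain.
import re
HEADER_RE = re.compile(r"^(alert|log|pass)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$")
VARS = {"$EXTERNAL_NET": "any", "$HOME_NET": "any"}   # assumed values for this example

def parse_rule(text):
    """Split one rule into its header tuple and its option dict."""
    text = re.sub(r"\$\w+", lambda v: VARS[v.group()], text)   # resolve $HOME_NET etc.
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    opts = {}
    for item in m.group(8).split(";"):            # 'flags: SF; msg: "SYN-FIN Scan";'
        if ":" in item:
            key, val = item.split(":", 1)
            opts[key.strip()] = val.strip().strip('"')
    return m.groups()[:7], opts                    # (action, proto, sip, sport, dir, dip, dport)
def build_chain(rules):
    chain = {}   # header -> list of option dicts: rules with one header share one RuleNode
    for text in rules:
        header, opts = parse_rule(text)
        chain.setdefault(header, []).append(opts)   # each option dict is an OptionNode
    return chain

def flags_match(want, have):
    """Snort flags: 'SF' = exactly SYN and FIN set; 'A+' = ACK set, other flags allowed."""
    return set(want[:-1]) <= set(have) if want.endswith("+") else set(want) == set(have)
def match(chain, pkt):
    """Return the msg of every rule whose header and all options match pkt."""
    hits = []
    for (_, proto, sip, sport, _, dip, dport), option_nodes in chain.items():
        fields = ((sip, pkt["sip"]), (sport, pkt["sport"]), (dip, pkt["dip"]), (dport, pkt["dport"]))
        if proto != pkt["proto"] or not all(r == "any" or r == str(p) for r, p in fields):
            continue                                # header miss: skip the whole option chain
        for o in option_nodes:                      # header hit: test each rule's options in turn
            if ("flags" in o and not flags_match(o["flags"], pkt["flags"])
                    or "id" in o and int(o["id"]) != pkt.get("id")
                    or "content" in o and o["content"].encode() not in pkt.get("payload", b"")):
                continue
            hits.append(o["msg"])
    return hits

RULES = [   # constructed input: the three slide rules, the page's SID 630 signature, one content rule
    'alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: SF; msg: "SYN-FIN Scan";)',
    'alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: S12; msg: "Queso Scan";)',
    'alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: F; msg: "FIN Scan";)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; id: 39426; flags: SF; reference:arachnids,441; classtype:attempted-recon; sid:630; rev:1;)',
    'alert tcp any any -> any 80 (flags: A+; content: "foo"; msg: "foo in HTTP request";)',
]
```

Calling `match(build_chain(RULES), pkt)` on a record from 1.1.1.1 to 2.2.2.2 with flags SF and IP id 39426 returns both the slide's SYN-FIN rule and the SID 630 message, while the same record with a different IP id fires only the former.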