Record honeypot activity

Udgivet den juli 10, 2004 af mike

Keep track of everything that happens on your honeypot.

Once an attacker has fallen prey to your honeypot and gained access to it, it is critical that you monitor all activity on that machine. By monitoring every tiny bit of activity on your honeypot, you can not only learn the intentions of your uninvited guest, but can often learn about new techniques for compromising a system as the intruder tries to gain further access. Besides, if you’re not interested in what attackers are trying to do, why run a honeypot at all?

One of the most effective methods for tracking every packet and keystroke is to use a kernel-based monitoring tool. This way nearly everything that the attacker does on your honeypot can be monitored, even if the attackers use encryption to protect their data or network connection. One powerful package for monitoring a honeypot at the kernel level is Sebek (http://www.honeynet.org/tools/sebek/).

Sebek is a loadable kernel module for Linux and Solaris that intercepts key system calls in the kernel and monitors them for interesting information. It then transmits the data to a listening server and hides the presence of the transmissions from the local system. Sebek is actually made up of two kernel modules. The first, sebek.o, actually does the monitoring. The other module is cleaner.o, which protects sebek.o from being discovered.

To build the kernel modules on Linux, first make sure that /usr/src/linux-2.4 points to the source code of the kernel that you want to compile the modules for. Either unpack the kernel source under this directory or symlink it to an existing kernel source tree. You can then download the source distribution, unpack it, and build it with the usual commands:

$ ./configure
$ make

This will generate a tar archive containing the kernel modules and an installer script. Copy this archive to your honeypot to complete the installation.

Here’s what’s inside:

$ tar tf sebek-linux-2.1.4-bin.tar

sebek-linux-2.1.4-bin/

sebek-linux-2.1.4-bin/sebek.o

sebek-linux-2.1.4-bin/cleaner.o

sebek-linux-2.1.4-bin/sbk_install.sh

Before installing the modules on your honeypot, you’ll need to edit the sbk_install.sh script and modify several variables that tell sebek.o where to send the information that it collects. These variables are DESTINATION_MAC, DESTINATION_IP, SOURCE_PORT, and DESTINATION_PORT. These should all be set to point to the Sebek server that you will build in a moment. Make sure to use the same DESTINATION_PORT for all honeypots that you’ll be operating. In addition, you’ll need to set the MAGIC_VAL variable to the same value on all your honeypots. This variable, in conjunction with DESTINATION_PORT, is used to hide traffic from other honeypots that you are operating. If you want Sebek to only collect keystrokes from your honeypot, you can set the KEYSTROKE_ONLY variable to 1.

Now run the install script on your honeypot:

# sh sbk_install.sh
Installing Sebek:

sebek.o installed successfully

cleaner.o installed successfully

cleaner.o removed successfully

Once Sebek is installed, be sure to remove the archive and installation files. The presence of these files on a system is a pretty clear indication that it is a honeypot, and it could tip off intruders.

There are two ways to receive the data from Sebek. The simplest is to run the Sebek server, which will sniff for the information and automatically extract it for you. If you prefer to collect the data manually, you can use a sniffer on the host that you configured in the sbk_install.sh script and later use Sebek’s data extraction utility to pull the information out of your packet dumps.

To install the server, download the source distribution, unpack it, and go into the directory that it created. Then run this command:

$ ./configure && make

After compilation has finished, become root and run make install. This will install sbk_extract, sbk_ks_log.pl, and sbk_upload.pl. To extract information sent from a honeypot, use sbk_extract. You can run it in sniffer mode by using the -i and -p options to specify which interface to listen on and which destination port to look for, respectively. If you want to process packets that have already been captured using a packet capture tool, use the -f option to specify the location of the packet dump file. Once you’ve extracted the data, you can use sbk_ks_log.pl to display the attacker’s keystrokes.

Sebek also has an optional web interface that uses PHP and MySQL to allow more complex queries of the collected data. In addition to logged keystrokes, the web interface can extract files that have been uploaded to the honeypot. The sbk_upload.pl script uploads the logs to the web interface. Installation of the web interface is a bit more involved, since it requires an Apache server, PHP, and a MySQL 4 database. For more details, consult Sebek’s homepage at http://www.honeynet.org/tools/sebek/ .

< Day Day Up >

Udgivet i Knowledge Base, Networking, Old Base, Security | Skriv en kommentar

Using honneyd

Udgivet den juli 10, 2004 af mike

Use honeyd to fool would-be attackers into chasing ghosts.

As the saying goes, you will attract more flies with honey than with vinegar. (I’ve never understood that saying; who wants to attract flies, anyway?) A honeypot is used to attract the “flies” of the Internet: script kiddies and hacker wannabes that have nothing better to do with their time than scan for vulnerable hosts and try to attack them. A honeypot does this by pretending to be a server running vulnerable services, but is in fact collecting information about the attackers who think themselves so clever.

Whether you want to simulate one or one thousand vulnerable network hosts, honeyd (http://www.honeyd.org) makes the job as simple as editing a configuration file and running a daemon. The honeyd daemon can simulate thousands of hosts simultaneously and will let you configure what operating system each host will appear as when scanned with operating system detection tools like Nmap [Hack #42] . Each system that honeyd simulates will appear to be a fully functioning node on the network. Besides simply creating hosts that respond to pings and traceroutes, honeyd also lets you configure what services each host appears to be running. You can either use simple scripts to emulate a given service or have honeyd act as a proxy and forward requests to another host for servicing.

honeyd has several prerequisites that you’ll need to install before building the daemon itself. These are libevent (http://www.monkey.org/~provos/libevent/), libdnet (http://libdnet.sourceforge.net), and libpcap (http://www.tcpdump.org). These can be easily installed by downloading and unpacking them and then using the standard./configure && make install procedure. After the libraries are installed, you can install honeyd the same way. Then copy the service emulation scripts from the source distribution to somewhere more permanent (e.g., /usr/local/share/honeyd/scripts). There are only a few scripts that come with honeyd itself, but there are additional service emulation scripts available on honeyd’s contributions page (http://www.citi.umich.edu/u/provos/honeyd/contrib.html).

Once honeyd has been installed, you’ll need to create a configuration file that defines the types of operating systems and services honeyd will emulate, and the IP addresses honeyd will respond to. First, create some operating system templates:

### Windows computers

create windows-web

set windows-web personality “MS Windows2000 Professional

RC1/W2K Advance Server Beta3”

set windows-web default tcp action reset

set windows-web default udp action reset

add windows-web tcp port 80 “perl scripts/win2k/iisemulator-0.95

/iisemul8.pl”

add windows-web tcp port 139 open

add windows-web tcp port 137 open

add windows-web tcp port 5900 “sh scripts/win2k/vnc.sh”

add windows-web udp port 137 open

add windows-web udp port 135 open

create windows-xchng

set windows-xchng personality “MS Windows2000 Professional RC1/W2K Advance Server Beta3”

set windows-xchng default tcp action reset

set windows-xchng default udp action reset

add windows-xchng tcp port 25 “sh scripts/win2k/exchange-smtp.sh”

add windows-xchng tcp port 110 “sh scripts/win2k/exchange-pop3.sh”

add windows-xchng tcp port 119 “sh scripts/win2k/exchange-nntp.sh”

add windows-xchng tcp port 143 “sh scripts/win2k/exchange-imap.sh”

add windows-xchng tcp port 5900 “sh scripts/win2k/vnc.sh”

add windows-xchng tcp port 139 open

add windows-xchng tcp port 137 open

add windows-xchng udp port 137 open

add windows-xchng udp port 135 open

### Linux 2.4.x computer

create linux

set linux personality “Linux 2.4.7 (X86)”

set linux default tcp action reset

set linux default udp action reset

add linux tcp port 110 “sh scripts/pop3.sh”

add linux tcp port 25 “sh scripts/smtp.sh”

add linux tcp port 21 “sh scripts/ftp.sh”

And then bind them to the IP addresses that you want to use:

bind 192.168.0.10 windows-web

bind 192.168.0.11 windows-xchng

bind 192.168.0.12 linux

Save this configuration file in a good place (e.g., /usr/local/share/honeyd/honeyd.conf). Then start honeyd and arpd like this:

# arpd 192.168.0.10-192.168.0.12

# cd /usr/local/share/honeyd

# honeyd -p nmap.prints -x xprobe2.conf -a nmap.assoc \

-0 pf.os -f honeyd.conf

honeyd[5861]: started with -p nmap.prints -x xprobe2.conf -a nmap.assoc -0 pf.os -f

honeyd.conf

honeyd[5861]: listening on eth0: (arp or ip proto 47 or (ip )) and not ether src

00:0c:29:e2:2b:c1

Honeyd starting as background process

Now try running Nmap on the IP addresses that honeyd is handling:

# nmap -sS -sU -O 192.168.0.10-12

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )

Interesting ports on (192.168.0.10):

(The 3063 ports scanned but not shown below are in state: closed)

Port State Service

80/tcp open http

135/udp open loc-srv

137/tcp open netbios-ns

137/udp open netbios-ns

139/tcp open netbios-ssn

5900/tcp open vnc

Remote operating system guess: MS Windows2000 Professional RC1/W2K

Advance Server Beta3

Uptime 2.698 days (since Sun Jan 11 03:52:35 2004)

Interesting ports on (192.168.0.11):

(The 3060 ports scanned but not shown below are in state: closed)

Port State Service

25/tcp open smtp

110/tcp open pop-3

119/tcp open nntp

135/udp open loc-srv

137/tcp open netbios-ns

137/udp open netbios-ns

139/tcp open netbios-ssn

143/tcp open imap2

5900/tcp open vnc

Remote operating system guess: MS Windows2000 Professional RC1/W2K Advance Server Beta3

Uptime 2.172 days (since Sun Jan 11 16:29:38 2004)

Interesting ports on (192.168.0.12):

(The 1598 ports scanned but not shown below are in state: closed)

Port State Service

21/tcp open ftp

25/tcp open smtp

110/tcp open pop-3

Remote operating system guess: Linux 2.4.7 (X86)

You can certainly see that honeyd fools Nmap. But what happens when you try to access one of the services that are purportedly running? Try connecting to the port 25 of the fake Windows mail server:

$ telnet 192.168.0.11 25

Trying 192.168.0.11…

Connected to 192.168.0.11.

Escape character is ‘^]’.

220 bps-pc9.local.mynet Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329 ready at

Mon Jan 12 12:55:04 MST 2004

EHLO kryten

250-bps-pc9.local.mynet Hello [kryten]

250-TURN

250-ATRN

250-SIZE

250-ETRN

250-PIPELINING

250-DSN

250-ENHANCEDSTATUSCODES

250-8bitmime

250-BINARYMIME

250-CHUNKING

250-VRFY

250-X-EXPS GSSAPI NTLM LOGIN

250-X-EXPS=LOGIN

250-AUTH GSSAPI NTLM LOGIN

250-AUTH=LOGIN

250-X-LINK2STATE

250-XEXCH50}

250 OK

Pretty effective at first glance isn’t it? If you’d like to specify some real services for attackers to play with, you can use the proxy keyword to forward any port to a host on another machine. For example, this will forward SSH requests from our imaginary Linux host to the machine at 192.168.1.100:

add linux tcp port 22 proxy 192.168.0.100:22

In addition to running the service emulation scripts, honeyd can limit inbound or outbound bandwidth, or even slow down access to a particular service. This can be used to tie up spammer’s resources, by holding open an apparently open mail relay. The possibilities provided by honeyd are limited only by your imagination and the time you’re willing to spend building your virtual fly-catching network.

Udgivet i Knowledge Base, Networking, Old Base | Skriv en kommentar

Apache IDS

Udgivet den juli 10, 2004 af mike

Protect your web server and dynamic content from intrusions.

Detecting intrusions that utilize common protocols and services is a job that a network intrusion detection system is well suited for. However, due to the complexity of web applications and the variety of attacks they can be vulnerable to, it is more difficult to detect and prevent intrusions without generating many false positives. This is especially true for web applications that use SSL, since this requires you to jump through hoops to enable the NIDS to actually get access to the unencrypted traffic coming to and from the web server. One way to get around these issues is to integrate the intrusion detection system into the web server itself. This is just what mod_security (http://www.modsecurity.org) does for the popular Apache (http://www.apache.org) web server.

mod_security, as the name suggests, is a module for the Apache web server that is meant to increase the security of a web server by providing facilities for filtering requests and performing arbitrary actions based on user-specified rules. In addition, mod_security will also perform various sanity checks that normalize the requests that the web server receives. With the proper filtering rules, mod_security can be effective at defeating directory traversal, cross-site scripting, SQL injection, and buffer overflow attacks.

To install mod_security, download and unpack the source distribution. If you wish to install it as a DSO (i.e., a module), you can do so easily with the apxs utility. First change to the directory appropriate for the version of Apache that you are using—apache1 or apache2. Then run a command like this:

# apxs -cia mod_security.c

This will compile mod_security and configure Apache to load it at startup. If you would like to statically compile mod_security, you will have to rebuild Apache. If you are using Apache 1.x, you can compile it statically by copying mod_security.c to the src/modules/extra directory in the Apache source tree. Then, when you run Apache’s configure script, use these command-line switches:

–activate-module=src/modules/extra/mod_security

–enable-module=security

Now that mod_security has been installed, you’ll need to enable it. You can do this by putting the following lines in your httpd.conf file:

<IfModule mod_security.c>

SecFilterEngine On

</IfModule>

This will enable the request normalization features of mod_security for all requests made to the web server. Alternatively, you can enable it only for dynamic content by setting the SecFilterEngine variable to DynamicOnly. When mod_security is enabled, it will intercept all requests coming into the web server and perform several checks on it before passing it through any user-defined filters and finally either servicing or denying the requests. During these sanity checks, mod_security will convert several different types of evasive character sequences to their more commonly used equivalent forms. Thus the character sequences // and /./ will be transformed to /, and on Windows the \ character will be converted to /. In addition, any URL-encoded characters will be decoded. In addition to these checks, mod_security can also be configured to scan the payload of POST method requests and validate URL encoding and Unicode encoding contained within requests.

To enable these features, add these lines to your httpd.conf:

SecFilterScanPOST On

SecFilterCheckURLEncoding On

SecFilterCheckUnicodeEncoding On

URL encoding allows someone making a request to encode characters by using hexadecimal values, which use the numbers 0 through 9 and the letters A through F prefixed by the % character. When URL-encoding validation is enabled, mod_security simply ensures that any URL-encoded characters don’t violate the hexadecimal numbering system. When performing Unicode validation, mod_security basically does the same type of thing—ensure that the string seen by the web server in fulfilling the request is a valid Unicode string. Unicode validation is useful if your web server is running on an operating system that supports Unicode or your web application makes use of it.

To avoid buffer overflow exploits, you can also limit the range of bytes that are allowed in request strings. For instance, to allow only printable characters (and not ones that might show up in exploit shell code), add a line like this to your httpd.conf:

SecFilterForceByteRange 32 126

User-defined filters are created with either the SecFilter or the SecFilterSelective keyword. You can use SecFilter to search just the query string, or you can use SecFilterSelective if you would like to filter requests based on the value of an internal web server variable. Both of these filtering keywords can accept regular expressions.

The following are filtering rules that can help prevent some common attacks.

The following rule will filter out requests that contain the character sequence ../:

SecFilter “\.\./”

Even though the web server will interpret the ../ correctly and disallow access if it ends up resolving to something outside of its document root, that may not be the case for scripts or applications that are on your server. This rule prevents such requests from being processed.

Cross-site scripting (XSS) attacks are invoked by inserting HTML or JavaScript into an existing page so that other users will execute it. Such attacks can be used to read a user’s session cookie and gain full control of that user’s information. You can prevent these attacks by having mod_security filter out requests that contain JavaScript.

To disallow JavaScript in requests, use a rule like this:

SecFilter “<[[:space:]]*script”

In addition, you can disallow HTML by using this rule:

SecFilter “<(.|\n)+>”

SQL-injection attacks are similar to XSS attacks, except in this case attackers modify a variable that is used for an SQL query in such a way that they can execute arbitrary SQL commands.

To protect against this class of attacks, you can employ rules similar to these:

SecFilter “delete[[:space:]]+from”

SecFilter “insert[[:space:]]+into”

SecFilter “select.+from”

This rule prevents SQL injection in a cookie called sessionid:

SecFilterSelective COOKIE_sessionid “!^(|[0-9]{1,9})$”

If a sessiondid cookie is present, the request can proceed only if the cookie contains one to nine digits.

This rule requires HTTP_USER_AGENT and HTTP_HOST headers in every request:

SecFilterSelective “HTTP_USER_AGENT|HTTP_HOST” “^$”

You can search on multiple variables by separating each variable in the list with a | character. Attackers often investigate using simple tools (even Telnet) and don’t send all headers as browsers do. Such requests can be rejected, logged, and monitored.

This rule rejects file uploads:

SecFilterSelective “HTTP_CONTENT_TYPE” multipart/form-data

This is a simple but effective protection, rejecting requests based on the content type used for file upload.

This rule logs requests without an Accept header, so you can examine them later:

SecFilterSelective “HTTP_ACCEPT” “^$” log,pass

Again, manual requests frequently do not include all HTTP headers. The Keep-Alive header is another good candidate. Notice that in addition to the variable and search string this rule contains the keywords log and pass, which specify the actions to take if a request matches the rule. In this case, any requests that match will be logged to Apache’s error log, and then the request will go on for further processing by the web server. If you do not specify an action for a filter rule, the default action will be used.

You can specify the default action like this:

SecFilterDefaultAction “deny,log,status:500”

If you set this as the default action, the web server will deny all requests that match filter rules and that do not specify a custom action. In addition, they will be logged and then redirected to an HTTP 500 status page, which will inform the client that an internal server error occurred. Other possible actions are allow, which is similar to pass, but stops other filters from being tried; redirect, which redirects the client to an arbitrary URL; exec, which executes an external binary or script; and chain, which allows you to effectively AND rules together.

In addition to filtering, mod_security provides extensive auditing features, allowing you to keep logs of the full request sent to the server. To turn on audit logging, add lines similar to these to your httpd.conf:

SecAuditEngine On

SecAuditLog logs/audit_log

However, this will log all requests sent to the web server. Obviously, this can generate quite a lot of data very quickly. To only log requests that triggered a filter rule, set the SecAuditEngine variable to RelevantOnly. Alternatively, you can set this variable to DynamicOrRelevant, which will log requests to dynamic content or requests that triggered a filter rule.

As with most other Apache configuration directives, you can enclose mod_security configuration directives within a <Location> tag to specify individual configurations for specific scripts or directory hierarchies.

mod_security is a very powerful tool for protecting your web applications, but it should not take the place of actually validating input in your application or other secure coding practices. If at all possible, it is best to employ such methods in addition to using a tool such as mod_security.

Udgivet i Apache, Knowledge Base, Networking, Old Base | Skriv en kommentar

Optimizing snort for high performance / Database

Udgivet den juli 10, 2004 af mike

Decouple Snort’s output stage so it can keep pace with the packets.

Snort by itself is fine for monitoring small networks or networks with low amounts of traffic, but it does not scale very well without some additional help. The problem is not with Snort’s detection engine itself, but stems from the fact that Snort is a single-threaded application. Because of this, whenever an alert or log event is triggered, Snort must first send the alert or log entry to its final destination before it can go back to looking at the incoming data stream. This isn’t such a big deal if you’re just having Snort write to a file, but it can become a problem if you are logging to a database, which can cause Snort to wait a relatively long time for the database insert to complete. This of course is exacerbated when you’re having Snort log to a remote database server.

To solve this, another application called Barnyard (http://www.snort.org/dl/barnyard/) was written. Functionally, Barnyard is the equivalent of Snort’s output plug-ins all rolled into one program, with a frontend for reading in files that Snort generates and then sending them to the same database or other destination that you would normally have Snort log to. The only draw back to Barnyard is its limited database support: Barnyard supports only MySQL, whereas Snort supports MySQL, PostgreSQL, Oracle, and ODBC outputs (Barnyard claims to support PostgreSQL, but unfortunately its current support is shaky at best).

After downloading Barnyard and unpacking it, change to the directory it created and run its configure script:

$ ./configure –enable-mysql

This will enable MySQL support when Barnyard is compiled. If you’ve installed your MySQL libraries and include files in a nonstandard place (i.e., underneath the /usr or /usr/local hierarchies), you’ll probably need to add the –with-mysql-includes and –with-mysql-libraries command-line options.

After you’re done with the configure script, you can compile Barnyard by running make. When it finishes compiling, install it by becoming root and running make install.

Before you use Barnyard, you’ll need to configure Snort to use its unified output format. This is a binary format that includes both the alert information and the data for the packet that triggered the alert, and it is the only type of input that Barnyard will understand.

To configure Snort to use the unified output format for both alert and log events, add lines similar to these to your Snort configuration (e.g., /etc/snort/snort.conf or /usr/local/etc/snort/snort.conf):

output alert_unified: filename snort.alert, limit 128

output log_unified: filnemae snort.log, limit 128

The filenames specified here are the basenames for the files that Snort will write its alert and log event information to. When it writes a file, it will append the current Unix timestamp to the end of the basename. In addition, the size of these files will be limited to 128MB.

Now you’ll need to create a configuration file for use with Barnyard. To run Barnyard in daemon mode and have it automatically fork itself into the background, add this line to your configuration file:

config daemon

If you’re going to be logging to a database for use with ACID [Hack #83], you’ll also want to add two lines similar to these:

config hostname: colossus

config interface: eth0

These two lines should be set to the name of the machine that you’re running Barnyard on and the interface that Snort is reading packets from. Next, you’ll need to actually tell Barnyard to read your unified log files.

You can do this for alert events by using this line:

processor dp_alert

Or, if you want to process log events, use this line:

processor dp_log

Note that Barnyard can process only one type of unified log at a time. So, if you want it to process both alert and log events, you’ll need to run an instance of Barnyard for each type.

Now all that’s left to configure is where Barnyard will send the data. If you want to use Snort’s fast alert mode to generate single-line abbreviated alerts, you can use the alert_fast output plug-in:

output alert_fast: fast_alerts.log

Or, if you want Barnyard to generate ASCII packet dumps of the data contained in the unified logs, you can use a line similar to this:

output log_dump: ascii_dump.log

To have Barnyard output to your syslog daemon, you can use the alert_syslog plug-in just like you would in your snort.conf. For instance, if you wanted to send data to the local syslogd and use the auth facility and the alert log level, you could use a line like this:

output alert_syslog: LOG_AUTH LOG_ALERT

Or, if you want to send to a remote syslog daemon, you can use a line similar to this:

output alert_syslog: hostname=loghost, LOG_AUTH LOG_ALERT

You can also have Barnyard create Pcap-formatted files from the data in the unified logs. This is useful for analyzing the data later in tools such as Ethereal. To do this, use the log_pcap plug-in:

output log_pcap: alerts.pcap

Finally, you can also have Barnyard output to a database by using the alert_acid_db plug-in for logging alert events and the log_acid_db for capturing log events.

For instance, this line would send alerts to the SNORT MySQL database running on dbserver using the username snort:

output alert_acid_db: mysql, sensor_id 0, database SNORT, server dbserver, user snort

The sensor_id is the one assigned by ACID to the particular instance of Snort that is gathering the data. You can find what sensor ID to use by clicking on the Sensors link on ACID’s front page [Hack #83], which will show you a list of the sensors that are currently logging to ACID.

The log_acid_db plug-in is similar, except it does not use the sensor_id option:

output log_acid_db: mysql, database SNORT, server dbserver, user snort, detail full

You can start Barnyard by simply using a command similar to the following if Snort’s configuration files are stored in /etc/snort and Snort is set to keep its logs in /var/log/snort:

# barnyard -f snort.alert

Of course, this assumes that you used snort.alert when configuring Snort’s alert_unified plug-in. If your Snort configuration files aren’t stored in /etc/snort, you can specify the locations of all the files that Barnyard needs to access by running a command similar to this one:

# barnyard -c /usr/local/etc/snort/barnyard.conf \

-g /usr/local/etc/snort/gen-msg.map \

-s /usr/local/etc/snort/sid-msg.map -f snort.alert

This would tell Barnyard where to find all the files it needs if they are in /usr/local/etc/snort (and are too stubborn to create a symlink to /etc/snort). If you’re using a directory other than /var/log/snort to store Snort’s logs, you can specify it with the -d option.

Congratulations. With Barnyard running, you should be able to hand

Udgivet i Knowledge Base, Linux, Networking, Old Base | Skriv en kommentar

Stealthing the sensorts

Udgivet den juli 10, 2004 af mike

Keep your IDS sensors safe from attack, while still giving yourself access to their data.

Your IDS sensors are the early warning system that can both alert you to an attack and provide needed evidence for investigating a break-in after one has occurred. You should take extra care to protect them and the data that they collect. One way to do this is to run your IDS sensors in stealth mode.

To do this, simply don’t configure an IP address for the interface that your IDS software will be collecting data from. Putting the interface up, but without specifying an IP address, can do this.

For example:

# tcpdump -i eth1

tcpdump: bind: Network is down

# ifconfig eth1 up promisc

# ifconfig eth1

eth1 Link encap:Ethernet HWaddr 00:DE:AD:BE:EF:00

UP BROADCAST PROMISC MULTICAST MTU:1500 Metric:1

RX packets:0 errors:0 dropped:0 overruns:0 frame:0

TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:100

RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

Interrupt:11 Base address:0x1c80

# /usr/sbin/tcpdump -i eth1

tcpdump: WARNING: eth1: no IPv4 address assigned

tcpdump: listening on eth1

After you’ve put the interface up, just start your IDS [Hack #82] . Your IDS will run as normal, but since there is no way to directly access the machine, it is very difficult to attack it.

However, just like potential attackers, you will be unable to access the machine remotely. Therefore, if you want to manage the sensor remotely, you’ll need to put in a second network interface. Of course, if you did this and hooked it up to the same network that the IDS sensor is monitoring, it would totally defeat the purpose of running the other interface without an IP address. To keep the traffic isolated, you should create a separate network for managing the IDS sensors. You can of course attach this network to one that is remotely accessible and then firewall it heavily.

Another approach is to access the box using an alternate channel, such as a serial port connected to another machine that does have a network connection. Just run a console on the serial port, and take care to heavily secure the second machine. You could also connect a modem (remember those?) to an unlisted phone number or, better yet, an unlisted extension on your office’s PBX. Depending on your situation, simply using the console for access may be the simplest and most secure method.

Whichever method you decide to use for remote access is a choice you’ll have to make by weighing the value of increased security against the inconvenience of jumping through hoops to access the machine. Security nearly always involves a trade-off between convenience and confidence.

Udgivet i Knowledge Base, Linux, Networking, Old Base | Skriv en kommentar

Automated snort rule updating

Udgivet den juli 10, 2004 af mike

Keep your Snort rules up-to-date with Oinkmaster.

If you have only a handful of IDS sensors, keeping your Snort rules up-to-date is a fairly quick and easy process. However, as the number of sensors grows it can become more difficult. Luckily, you automatically update your Snort rules with Oinkmaster (http://oinkmaster.sourceforge.net/news.shtml).

Oinkmaster is a Perl script that does much more than just download new Snort rules. It will also modify the newly downloaded rules according to rules that you specify or selectively disable them, which is useful when you’ve modified the standard Snort rules to fit your environment more closely or have disabled a rule that was reporting too many false positives.

To install Oinkmaster, simply download the source distribution and unpack it. Then copy the oinkmaster.pl file from the directory that it creates to some suitable place on your system. In addition, you’ll need to copy the oinkmaster.conf file to either /etc or /usr/local/etc. The oinkmaster.conf that comes with the source distribution is full of comments explaining all the minute options that you can configure. Oinkmaster is most useful for when you want to update your rules but have a set of rules that you don’t want enabled and that are already commented out in your current Snort rules. To have Oinkmaster automatically disable these rules, use the disablesid directive with the Snort rule ID that you want disabled when your rules are updated.

For instance, you may get a lot of ICMP unreachable datagrams on your network and have determined that you don’t want to receive alerts when Snort detects this type of traffic. So, you decided to comment out the rule in your icmp.rules file:

# alert icmp any any -> any any (msg:”ICMP Destination Unreachable

(Communication Administratively Prohibited)”; itype: 3; icode: 13; sid:485;

classtype:misc-activity; rev:2;)

This is only one rule, so it’s easy to remember to go back and comment it out again after updating your rules, but this can become quite a chore when you’ve done the same thing with several dozen other rules. If you use Oinkmaster, putting the following line in your oinkmaster.conf file will disable the preceding rule after Oinkmaster has updated your rules with the newest ones available from snort.org:

disablesid 485

Then, when you want to update your rules, run oinkmaster.pl and tell it where you’d like the updated rules to be placed:

# oinkmaster.pl -o /etc/snort/rules

Now you won’t have to remember which rules to disable ever again.

Udgivet i Knowledge Base, Linux, Old Base | Skriv en kommentar

IDS That detect abnormal behaviour automatic

Udgivet den juli 10, 2004 af mike

Detect attacks and intrusions by monitoring your network for abnormal traffic, regardless of the actual content.

Most NIDS monitor the network for specific signatures of attacks and trigger alerts when one is spotted on the network. Another means of detecting intrusions is to generate a statistical baseline of the traffic on the network and flag any traffic that doesn’t fit the statistical norms. One intrusion detection system of this type is Spade (http://www.silicondefense.com/software/spice/).

Spade, or the Statistical Anomaly Detection Engine, is actually a modified version of Snort that extends its functionality into the realm of anomaly-based intrusion detection. The Spade preprocessor uses Snort to monitor the network and then constructs probability tables based on the traffic that it sees. It then uses this table to generate an anomaly between and 1 for each packet (i.e., 0 is a definite normal, and 1 is a definite anomaly).

Installing Spade is easy. Just download the source distribution, unpack it, and change into the directory that it created. Then type a command similar to this, which will patch your Snort source code:

$ make SNORTBASE=../snort-2.0.5

Of course, if your Snort source tree isn’t at ../snort-2.0.5, you’ll need to specify a different path.

Now change to the directory containing the Snort source code, and compile and install Snort as you normally would [Hack #82] . Once you’ve done that, you’ll need to configure Snort to use Spade. You have two choices here: setting it up to use only Spade functionality or using normal Snort functionality along with Spade. For the former, you can use the spade.conf located in the Spade source distribution as a starting point.

Most of the defaults are fine. However, you will need to set the SPADEDIR variable to a place where Snort has read and write access. Spade will keep various logs and check-pointing information here so that it does not lose its probability table whenever Snort is restarted.

For example:

var SPADEDIR /var/log/snort/spade

It is also important that you tell Spade what network is your “home” network. You can do this by using a line similar to this one in your configuration file:

peprocessor spade-homenet: 192.168.1.0/24

You can specify multiple networks by separating them with commas and enclosing the list in square brackets.

If you want to run Snort with Spade and traditional Snort functionality, you can just include your spade.conf in your snort.conf with a line like this:

include spade.conf

Run Snort just as you did before. Spade will now send its output to any of the output plug-ins that you have configured when it detects anomalous behavior. This is triggered when a given packet’s anomaly score is in the range of .8 to .9 (it depends on the type of packet). Any alerts generated by Spade will be prefixed with Spade: and will include a description of the packet’s deviant behavior and its anomaly score.

Udgivet i Knowledge Base, Networking, Old Base | Skriv en kommentar

Dynamic firewall with snortsam

Udgivet den juli 10, 2004 af mike

Use SnortSam to prevent intrusions by putting dynamic firewall rules in place to stop in-progress attacks.

An alternative to running Snort on your firewall and having it activate filtering rules on the machine it’s running on [Hack #87] is to have Snort communicate which filtering rules should be put in place when the an intrusion is detected on an external firewall. To do this, you can use SnortSam (http://www.snortsam.net).

SnortSam uses Snort’s plug-in architecture and extends Snort with the ability to notify a remote firewall, which then dynamically applies filtering rules to stop attacks that are in progress. Unlike Snort_inline, which is highly dependent on Linux, SnortSam supports a wide variety of firewalls, such as Checkpoint, Cisco, Netscreen, Firebox, OpenBSD’s pf, and even Linux’s ipchains and iptables interfaces to Netfilter. SnortSam is made up of two components, a Snort plug-in and a daemon.

To set up SnortSam, first download the source distribution and then unpack it. After you’ve done that, go into the directory it created and run this command:

$ sh makesnortsam.sh

This will build the snortsam binary, which you can then copy to a suitable place in your path (e.g., /usr/bin or /usr/local/bin).

Now download the patch for Snort, which you can get from the same site as SnortSam. After you’ve done that, unpack it:

$ tar xvfz snortsam-patch.tar.gz

NOTE

patchsnort.sh

patchsnort.sh.asc

snortpatch8

snortpatch8.asc

snortpatch9

snortpatch9.asc

snortpatchb

snortpatchb.asc

Next, run patchsnort.sh and specify the directory where you’re keeping Snort’s source:

$ sh patchsnort.sh snort-2.0.5

Patching Snort version 2.0…

patching file spo_alert_fwsam.c

patching file spo_alert_fwsam.h

patching file twofish.c

patching file twofish.h

patching file plugbase.c

Hunk #1 succeeded at 29 with fuzz 2 (offset -73 lines).

Hunk #2 succeeded at 639 with fuzz 2 (offset 77 lines).

Patching Makefiles…

Done

Now compile Snort as you would normally [Hack #82] .

Before running SnortSam, you must create a configuration file for it. SnortSam’s configuration syntax is pretty easy to use, but there are quite a few options, so only a subset of the available ones will be discussed here.

One useful option is accept, which lets you tell SnortSam what Snort sensors are allowed to connect to it. This option can take a CIDR-format address range, a hostname, or a single IP address. You can optionally specify a password as well. If you don’t specify a password, the one specified by the defaultkey option is used.

For example, if you wanted to allow all hosts from the network 192.168.1.0/24 with the password qwijybo, you could put a line like this in your configuration file:

accept 192.168.1.0/24, qwijybo

To specify multiple hosts on network address ranges, you can use multiple accept entries.

Another useful option is dontblock. This enables you to construct a whitelist of hosts and networks that SnortSam will not block under any circumstances. This option takes hostnames, single IP addresses, and CIDR addresses; you can also use multiple dontblock entries, just as you can with accept.

To improve SnortSam’s performance, you may want to use the skipinterval option. This option lets you tell SnortSam how long to skip identical blocking requests before it will resume applying rules for that request. This ensures that SnortSam isn’t constantly requesting the firewall to block the same IP address and port over and over again. The skipinterval option takes a single number as its argument, which specifies how many seconds to wait.

You’ll probably want to keep tabs on what SnortSam’s doing, since you’re allowing it to modify your firewall’s rules. One way is to use the logfile option, which will cause SnortSam to log events such as program start, blocking and unblocking requests, and any errors that were encountered. This option takes a single argument, which is the filename that the logs will be written to. The log file that you specify will be created in /var/log.

A couple of other useful options are daemon and bindip. The daemon option simply tells SnortSam to fork into the background and run as a daemon; it does not take any arguments. The bindip option, on the other hand, allows you to specify which IP address to listen on, which is useful when the machine that SnortSam is running on has multiple addresses available.

For instance, if you wanted SnortSam to listen only on 192.168.1.15, you would use a line like this:

bindip 192.168.1.15

In addition, the default port that SnortSam listens on is 898, but you can change this with the port option.

After you’re done with SnortSam’s options, you’ll need to tell it what kind of firewall to communicate with and how to do it. To use SnortSam with a Checkpoint Ffwexec or fwsamW-1 firewall, you can specify either the fwexec or fwsam keywords. Use fwexec when you when you want to run SnortSam on the host that the firewall is install fwexec or fwsamed on, and use fwsam when you want to communicate with a remote firewall.

The fwexec keyword takes the full pathname to the fw executable as its only argument, whereas the fwsam keyword uses the hostname or IP of the firewall. In addition, you’ll need to modify the fwopsec.conf file on your firewall to include the following line:

sam_server port 1813

To use SnortSam with a PIX firewall, you’ll need to use the pix keyword and specify the IP address of the firewall as well as the Telnet and enable mode passwords.

For example:

pix 192.16.1.2 telnetpw enablepw

Or, if your firewall is set up to do user authentication, you can use user/password in place of the Telnet password.

If you want to use SnortSam with OpenBSD’s PF or Linux’s iptables, you’ll need to use the pf or iptables keywords. For basic usage, all you need to do is specify the interface on which to block packets.

To configure the Snort side of things, you’ll need to add the alert_fwsam output plug-in to the output plug-ins that you’re already using. This plug-in takes a hostname and an optional port to connect to, along with a password. If SnortSam is using the default port, you don’t need to specify the port here.

For example:

output alert_fwsam: firewall/mypassword firewall2:1025/mypassword

Notice that you can list multiple instances of SnortSam to send block requests to by separating them with whitespace.

Any rules that you want to trigger a firewall rule should be modified to use the fwsam rule option. This option takes as its arguments what to block and for how long the block should be in effect. To block the source of the packet that caused the alert, use src; to block the destination, use dst. If you want to block both, use either. For the duration you can use a number along with a modifier specifying what unit it’s in (i.e., seconds, minutes, hours, days, weeks, months, or years), or you can use 0 to specify an indefinite period of time.

For instance, to block the source address of the packet that triggered a rule for five minutes, you could add this to your rule options:

fwsam: src, 5 minutes;

Now that everything is configured, start SnortSam by running a command similar to this:

# snortsam /usr/local/etc/snortsam.conf

Of course, you’ll need to substitute the full path to your configuration file if it’s not /usr/local/etc/snortsam.conf. As for Snort, just start it as you normally would.

For more information on using SnortSam with other types of firewalls, be sure to check out the README files included with the source distribution.

Udgivet i Knowledge Base, Linux, Networking, Old Base | Skriv en kommentar

Hack 87 Prevent and Contain Intrusions with Snort_inline

Udgivet den juli 10, 2004 af mike

Install Snort_inline on your firewall to contain intrusions, or to stop them as they’re happening.

Wouldn’t it be nice if your NIDS could not only detect intrusions, but also do something about them? It would be nice if it could actually stop the intrusion occurring on the host that was being attacked, but the next best thing would be to block the network traffic that’s propagating the attack. One tool that can do this for you is Snort_inline (http://snort-inline.sf.net).

Snort_inline is a patch to Snort that modifies it to read data from the Linux kernel’s Netfilter queue, which allows Snort to effectively integrate itself with the firewall. This allows it to not only detect intrusions, but to decide whether to drop packets or to forward them to another host (using Libnet). This of course requires that your kernel be compiled with IP queue support, either statically or as a module.

You can see if you have the module by running a command like this:

$ locate ip_queue.o

/usr/src/linux-2.4.20-8/net/ipv4/netfilter/ip_queue.o

/usr/src/linux-2.4.20-8/net/ipv4/netfilter/.ip_queue.o.flags

/lib/modules/2.4.20-8/kernel/net/ipv4/netfilter/ip_queue.o

In this case, you can see that the module is available by looking at the last line of the output. If that doesn’t exist, you can check to see whether the file /proc/net/ip_queue exists. If you can’t find the module, but that file exists, then it means IP queue support is compiled into your kernel statically. If neither file exists, you’ll need to enable it in your kernel and recompile.

In addition to requiring IP queue support, Snort_inline also needs libipq. This is a library that comes with Netfilter and is used by applications to communicate with Netfilter’s queue. You can check to see if it’s installed on your system by running this command:

$ locate libipq

/usr/include/libipq.h

/lib/libipq.a

If you don’t see output similar to this, chances are that you don’t have libipq installed. You can install it by downloading the iptables source from the Netfilter distribution site (http://www.netfilter.org). For instructions on compiling it, refer to [Hack #41] . After compilation is finished, run make install-dev, since libipq is not installed by default.

In addition to those libraries, you’ll also need the Libnet packet injection library (http://www.packetfactory.net/projects/libnet/). To install Libnet, simply download the source distribution, unpack it, and then run ./configure && make install as root.

Now that all the prerequisites are out of the way, you can compile Snort_inline. First download and unpack the source distribution, and then change to the directory that it creates. Then run this command:

$ ./configure –enable-inline && make

You can also use any configure options that you’d normally use with Snort, since at it’s heart Snort_inline is still Snort.

Don’t be alarmed if your compile aborts with the following error:

gcc -DHAVE_CONFIG_H -I. -I. -I../.. -I../.. -I../../src -I../../src/sfutil

-I/usr/include/pcap -I../../src/output-plugins -I../../src/detection-plugins -I../../src/

preprocessors -I../../src/preprocessors/flow -I../../src/preprocessors/portscan -I../../

src/preprocessors/flow/int-snort -I../../src/preprocessors/HttpInspect/include -I/usr/

include/pcre -I/usr/local/include -g -O2 -Wall -DGIDS -D_BSD_SOURCE -D__BSD_SOURCE -D_

_FAVOR_BSD -DHAVE_NET_ETHERNET_H -DLIBNET_LIL_ENDIAN -c `test -f ‘spo_alert_fast.c’ ||

echo ‘./’`spo_alert_fast.c

In file included from /usr/include/linux/netfilter_ipv4/ip_queue.h:10,

from /usr/include/libipq.h:37,

from ../../src/inline.h:8,

from ../../src/snort.h:38,

from spo_alert_fast.c:51:

/usr/include/linux/if.h:59: redefinition of `struct ifmap’

/usr/include/linux/if.h:77: redefinition of `struct ifreq’

/usr/include/linux/if.h:126: redefinition of `struct ifconf’

make[3]: *** [spo_alert_fast.o] Error 1

make[3]: Leaving directory `/home/andrew/snort_inline-2.1.0/src/output-plugins’

make[2]: *** [all-recursive] Error 1

make[2]: Leaving directory `/home/andrew/snort_inline-2.1.0/src’

make[1]: *** [all-recursive] Error 1

make[1]: Leaving directory `/home/andrew/snort_inline-2.1.0′

make: *** [all] Error 2

This is caused by /usr/include/linux/netfilter_ipv4/ip_queue.h including /usr/include/linux/if.h instead of /usr/include/net/if.h (a problem that the author encountered while writing this). You can fix this by simply editing ip_queue.h and changing this line near the top of the file:

#include <linux/if.h>

to this:

#include <net/if.h>

You can then restart the compilation from where it left off by simply typing make, or, if you’re paranoid, you can use this command to completely start over:

$ make clean && make

After compilation has finished, become root and type make install.

You can now configure Snort_inline just as you would configure Snort regularly. However, it’s recommended that you run a separate instance of Snort if you want alerting and use Snort_inline solely for setting firewall rules.

In addition to modifying Snort to capture packets from Netfilter rather than libpcap, the Snort_inline patch also adds three new rule types, as well as a new rule option. The new rule types are drop , sdrop, and reject. The drop rule type will drop the packet that triggered the rule without notifying the sending host, much like the iptables DROP target, and will log that it has done so. The sdrop rule type is similar, except that packets are silently dropped with no log entry to tell you that it occurred. Using the reject rule type will block the offending packet, but will notify the sending host with either a TCP RST or an ICMP port unreachable message, depending on whether the packet that triggered the rule used the TCP or UDP protocols, respectively. The new rule option added by Snort_inline allows you to replace arbitrary content within a packet with whatever you choose. The only restriction is that the replacement byte stream must be the same length as the original. This is implemented with the replace rule option and is used in conjunction with the content rule option to select what is to be replaced.

To run Snort_inline, start it just as you would start Snort. Snort_inline does add a new command-line switch, though: -Q tells it to use IP queues rather than libpcap to gather packets. So, you’ll need to use this option if you want to use it in inline mode.

The only thing left to do before actually running it in inline mode is to configure the kernel to send the packets to the IP queues. This is done with the iptables command:

# iptables -F
# iptables -A INPUT -j QUEUE

# iptables -A OUTPUT -j QUEUE

# iptables -A FORWARD -j QUEUE

This will push all traffic going in, out, and through the machine into an IP queue from which Snort_inline will read its packets. You can then start snort_inline as you would Snort (just don’t forget to use the -Q option):

# snort_inline -Qvc /etc/snort/snort_inline.conf

If you’re administering the machine remotely, you’ll probably want to start snort_inline before enabling the QUEUE targets, since it’s snort_inline that will actually pass the packets back and forth. Otherwise, your remote logins will be dropped as soon as you put the iptables rules in place. If you’re particularly paranoid, have your QUEUE target rules ignore packets coming from a certain IP address or range of addresses.

Udgivet i Knowledge Base, Networking, Old Base | Skriv en kommentar

Writing snort rules

Udgivet den juli 10, 2004 af mike

Customize Snort for your own needs quickly and easily by leveraging its flexible rule engine and language.

One of the best features of Snort is its rule engine and language. Snort’s rule engine provides an extensive language that enables you to write your own rules, allowing you to extend it to meet the needs of your own network.

A Snort rule can be broken down into two basic parts, the rule header and options for the rule. The rule header contains the action to perform, the protocol that the rule applies to, and the source and destination addresses and ports. The rule options allow you to create a descriptive message to associate with the rule, as well as check a variety of other packet attributes by making use of Snort’s extensive library of plug-ins.

Here’s the general form of a Snort rule:

action proto src_ip src_port direction dst_ip dst_port (options)

When a packet comes in, its source and destination IP addresses and ports are then compared to the rules in the ruleset. If any of them are applicable to the packet, then the options are compared to the packet. If all of these comparisons return a match, then the specified action is taken.

Snort provides several built-in actions that you can use when crafting your rules. To simply log the packet that matches a rule, use the log action. The alert action generates an alert using the method specified in your configuration file or on the command line, in addition to logging the packet. One nice feature is that you can have very general rules and then create exceptions by writing a rule that uses the pass action. This works especially well when you are using the rules distributed with Snort, but are frequently getting false positives for some of them. If this happens and it’s not a security risk to ignore them, you can simply write a pass rule for it.

The last two built-in rule actions are used together to dynamically modify Snort’s ruleset at runtime. These are the activate and dynamic actions. Rules that use the dynamic action are just like a log rule, except they will be considered only after they have been enabled by an activate rule. To accomplish this, Snort enforces the use of the activates and activated_by rule options in order to know what dynamic rules to enable once an activate rule has been triggered. In addition, dynamic rules are required to specify a count option in order for Snort to limit how many packets the rule will record.

For instance, if you wanted to start recording packets once an exploit of a SSH daemon on 192.168.1.21 was noticed, you could use a couple of rules similar to these:

activate tcp any any -> 192.168.1.21 22 (content:”/bin/sh”; activates:1; \

msg:”Possible SSH buffer overflow”; )

dynamic tcp any any -> 192.168.1.21 22 (activated_by:1; count:100;)

These two rules aren’t completely foolproof, but if someone were to run an exploit with shell code against an SSH daemon, it would most likely send the string /bin/sh in the clear in order to spawn a shell on the system being attacked. In addition, since SSH is encrypted, strings like that wouldn’t be sent to the daemon under normal circumstances. Once the first rule is triggered, it will activate the second one, which will record 100 packets and then stop. This is useful, since you might be able to catch the intruder downloading or installing a root kit within those first few packets and be able to analyze the compromised system much more quickly.

You can also define custom rule actions, in addition to those that Snort has built-in. This is done with the ruletype keyword:

ruletype redalert

{

type alert

output alert_syslog: LOG_AUTH LOG_ALERT

output database: log, mysql, user=snort dbname=snort host=localhost

}

This custom rule action tells Snort that it behaves like the alert rule action, but specifies that the alerts should be sent to the syslog daemon, while the packet will be logged to a database. When defining a custom action, you can use any of Snort’s output plug-ins, just as you would if you were configuring them as your primary output method.

Snort’s detection engine supports several protocols. The proto field is used to specify what protocol your rule applies to. Valid values for this field are ip, icmp, tcp, and udp.

The next fields in a Snort rule are used to specify the source and destination IP addresses and ports of the packet, as well as the direction the packet is traveling. Snort can accept a single IP or a list of addresses. When specifying a list of IP address, you should separate each one with a comma and then enclose the list within square brackets, like this:

[192.168.1.1,192.168.1.45,10.1.1.24]

When doing this, be careful not to use any whitespace. You can also specify ranges of IP addresses using CIDR notation, or even include CIDR ranges within lists. Snort also allows you to apply the logical NOT operator (!) to an IP address or CIDR range to specify that the rule should match all but that address or range of addresses.

As with IP addresses, Snort can accept single ports as well as ranges. To specify a range, use a colon character to separate the lower bound from the upper bound. For example, if you wanted to specify all ports from 1 to 1024, you would do it like this:

1:1024

You can also apply the NOT operator to a port, and you can specify a range of ports without an upper or lower bound.

For instance, if you only wanted to examine ports greater than 1024, you would do it this way:

1024:

Similarly, you could specify ports less than 1024 by doing this:

:1024

If you do not care about the IP address or port, you can simply specify any.

Moving on, the direction field is used to tell Snort which IP address and port is the source and which pair is the destination. In earlier versions of Snort you could use either -> or <- to specify the direction. However, the <- operator was removed since you can make either one equivalent to the other by just switching the IP addresses and port numbers. Snort does have another direction operator in addition to ->, though. Specifying <> as the direction tells Snort that you want the rule to apply bidirectionally. This is especially useful when using log rules or dynamic rules, since you can log both sides of the TCP stream rather than just one direction.

The next part of the rule includes the options. This part lets you specify many other attributes to check against. Each option is implemented through a Snort plug-in. When a rule that specifies an option is triggered, Snort will run through the option’s corresponding plug-in to perform the check against the packet. Snort has over 40 plug-ins—too many to cover in detail in this hack. Here are some of the more useful ones.

The single most useful option is msg. This option allows you to specify a custom message that will be logged in the alert when a packet matching the rule is detected. Without it, most alerts wouldn’t make much sense at first glance. This option takes a string enclosed in quotes as its argument.

For example, this specifies a logical message whenever Snort notices any traffic that is sent from 192.168.1.35:

alert tcp 192.168.1.35 any -> any any (msg:”Traffic from 192.168.1.35″;)

Be sure not to include any escaped quotes within the string. Snort’s parser is a simple one and does not support escaping characters.

Another useful option is content, which allows you to search a packet for a sequence of characters or hexadecimal values. If you are searching for a string, you can just put it in quotes. In addition, if you want it to do a case-insensitive search, you can add nocase; to the end of all your options. However, if you are looking for a sequence of hexadecimal digits, you must enclose them in | characters.

This rule will trigger when it sees the digit 0x90:

alert tcp any any -> any any (msg:”Possible exploit”; content:”|90|”;)

This digit is the hexadecimal equivalent of the NOP instruction on the x86 architecture and is often seen in exploit code since it can be used to make buffer overflow exploits easier to write.

The offset and depth options can be used in conjunction with the content option to limit the searched portion of the data payload to a specific range of bytes.

If you wanted to limit content matches for NOP instructions to between bytes 40 and 75 of the data portion of a packet, you could modify the previously shown rule to look like this:

alert tcp any any -> any any (msg:”Possible exploit”; content:”|90|”; \

offset:40; depth:75;)

You can also match against packets that do not contain the specified sequence by prefixing it with a !. In addition, many shell code payloads can be very large compared to the normal amount of data carried in a packet sent to a particular service. You can check the size of a packet’s data payload by using the dsize option. This option takes a number as an argument. In addition, you can specify an upper bound by using the < operator, or you can choose a lower bound by using the > operator. Upper and lower bounds can be expressed with <>.

For example:

alert tcp any any -> any any (msg:”Possible exploit”; content:”|90|”; \

offset:40; depth:75; dsize: >6000;)

This modifies the previous rule to match only if the data payload’s size is greater than 6000 bytes, in addition to the other options criteria.

To check the TCP flags of a packet, Snort provides the flags option. This option is especially useful for detecting portscans that employ various invalid flag combinations.

For example, this rule will detect when the SYN and FIN flags are set at the same time:

alert any any -> any any (flags: SF,12; msg: “Possible SYN FIN scan”;)

Valid flags are S for SYN, F for FIN, R for RST, P for PSH, A for ACK, and U for URG. In addition, Snort lets you check the values of the two reserved flag bits. You can specify these by using either 1 or 2. You can also match packets that have no flags set by using 0. There are also several operators that the flags option will accept. You can prepend either a + , *, or ! to the flags, to match on all the flags plus any others, any of the flags, or only if none of the flags are set, respectively.

One of the best features of Snort is that it provides many plug-ins that can be used in the options field of a rule. The options discussed here should get you off to a good start. However, if you want to write more complex rules, consult Snort’s excellent rule documentation, which contains full descriptions and examples for each of Snort’s rule options. The Snort User’s Manual is available at http://www.snort.org/docs/writing_rules/.

Udgivet i Knowledge Base, Linux, Networking, Old Base | Skriv en kommentar