Intrusion Detection using Snort
Session E6

Contact Information
- Matthew Hicks, CISSP, GCIA
- Senior Information Security Analyst
- Children's National Medical Center, Washington DC
- mhicks@cnmc.org

Responsibilities
- Intrusion Detection Analysis
- Security Investigations
- Maintain Security Perimeter
    - Firewall
    - IDS
    - VPN
- Anything and everything else

Agenda
- Quick Survey
- Introduction to Intrusion Detection
- Snort Overview
- Using Snort
- Live Demo

A Quick Survey
- How many consider themselves Intrusion Analysts?
    - Training
    - Reviewing data packets on a regular basis
- Does anyone currently support an IDS?
    - Review of logs
    - Update signatures
    - Dedicated staff

Food for Thought
- You would be surprised at the number of organizations that have installed an IDS but do not monitor it
- Staff supporting the IDS are not trained as Intrusion Analysts
- Some organizations have installed an IDS but do not update it or add signatures
- The result is that the organization claims the IDS is not working and shuts it off
- DO NOT LET THE IDS BECOME OBSOLETE AND SHELFWARE OR FLOORWARE

What do you think?
From: www.infosecuritymag.com/articles/august01/cover.shtml
"An IDS is like a Christmas puppy," says Pete Lindstrom, senior security analyst at Hurwitz Group. "At first, it sounds like a great idea, but then once you get the thing, you are thinking like, 'Oh my god, I have got to care for this, and it's a lot more work than I thought.'"

Introduction to Intrusion Detection

Intrusion Detection: Not Just One Piece
You must have the support staff!
- URL Filtering
- IDS
- Firewall
- Email Filtering
- Virus Scanning
- Procedures and Policies
- Audit and Monitoring
The firewall stopped 3100 hits of the SQL-Slammer worm on Jan 25th.
Intrusion Analysis Tools
- Ethereal
    - www.ethereal.com
    - Sniffs the network to show and capture traffic
- Windump or Tcpdump
    - windump.polito.it
    - www.tcpdump.org
    - Dumps data packets based on a set of filters and parameters for future analysis
- Snort IDS
    - www.snort.org

SQL Slammer Worm: Real Life Story
- The SQL Slammer worm was released on Jan 24th
- The worm began to swamp the Internet, affecting one bank's ATM system and an online reservation system
- My firewall recorded 3100 hits in 5 hours
- My systems were not affected by this worm because I had configured the firewall against unauthorized traffic
- The SQL Server Resolution Service, which operates on UDP port 1434, provides a way for clients to query for the appropriate network endpoints to use for a particular SQL Server instance

Slammer Worm
- How to tell whether a packet is bad or not?
- How to tell whether an IDS alert is a false positive or not?
- The key here is Intrusion Analysis
- Capture and look at the data packet
- We will look at the example of the SQL Slammer Worm

SQL Slammer Worm (packet trace)
The slide's callouts point at the strings kernel32.dll and ws2_32.dll, visible in the ASCII column of the payload.

    02/04-14:46:04.168266 xxx.xxx.0.210:1115 -> xxx.xxx.72.29:1434
    UDP TTL:111 TOS:0x0 ID:16303 IpLen:20 DgmLen:404
    Len: 384
    0x0000: 00 04 9A D0 DA 24 00 30 94 CB 73 E1 08 00 45 00  .....$.0..s...E.
    0x0010: 01 94 3F AF 00 00 6F 11 63 FA 8E B0 00 D2 CF 10  ..?...o.c.......
    0x0020: 48 1D 04 5B 05 9A 01 80 8A 40 04 01 01 01 01 01  H..[.....@......
    0x0030: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
    0x0040: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
    0x0050: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
    0x0060: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
    0x0070: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
    0x0080: 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0 42 EB  ..............B.
    0x0090: 0E 01 01 01 01 01 01 01 70 AE 42 01 70 AE 42 90  ........p.B.p.B.
    0x00A0: 90 90 90 90 90 90 90 68 DC C9 B0 42 B8 01 01 01  .......h...B....
    0x00B0: 01 31 C9 B1 18 50 E2 FD 35 01 01 01 05 50 89 E5  .1...P..5....P..
    0x00C0: 51 68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E  Qh.dllhel32hkern
    0x00D0: 51 68 6F 75 6E 74 68 69 63 6B 43 68 47 65 74 54  QhounthickChGetT
    0x00E0: 66 B9 6C 6C 51 68 33 32 2E 64 68 77 73 32 5F 66  f.llQh32.dhws2_f
    0x00F0: B9 65 74 51 68 73 6F 63 6B 66 B9 74 6F 51 68 73  .etQhsockf.toQhs
    0x0100: 65 6E 64 BE 18 10 AE 42 8D 45 D4 50 FF 16 50 8D  end....B.E.P..P.

SQL Slammer Worm (analysis)
- Causes SQL Server to stop responding by using a buffer overflow
    - See the 04 in the previous slide
- Writes garbage data to the buffer
    - See the '01 01 01 01 01 ...' run in the previous slide
- Accesses kernel32.dll and ws2_32.dll
    - See the previous slide
- 100% memory resident: no files are written to the hard drive
- Remove the infection by rebooting the server, but it is easily reinfected if not patched
- Must load Win2K SP3 to protect against this worm
    - Some SQL applications are not certified for SP3

SQL Slammer Worm (detection)
- Snort rule to detect the Slammer worm:

    alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send";)

- Your challenge is to find the data given in the content options above in the previous packet trace. We will discuss Snort rules shortly.

What Is an IDS? Basic Components
- Traditional software design:
    - Input
    - Processing
    - Output
- IDS components:
    - Collection (Input)
    - Analysis (Processing)
    - Reporting (Output)

IDS Data Flowchart
[Diagram: COLLECTION (1 to n sensors) feeds ANALYSIS, which feeds REPORTING]

Overview of Snort

Snort Is . . .
- A lightweight Network Intrusion Detection System (NIDS)
    - Compact, efficient code
    - Light load on the system running it
    - Fast execution
- Flexible:
    - Highly configurable
    - Broadly scalable
- Multi-platform
    - There are performance problems running under Windows
- Most important of all..... Free!
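The two slides above ask the analyst to confirm by hand that the captured datagram is what the rule describes. As an added example (not part of the original slides and not Snort's own code), the following Python script rebuilds the raw frame from the hex dump shown on the slide, decodes the Ethernet, IPv4 and UDP headers to confirm the header line (UDP 1115 -> 1434, TTL 111, DgmLen 404, Len 384), and then checks each content option of the rule against the payload the way Snort would, honouring depth:1. The trace on the slide stops at offset 0x0100, so only 230 of the 376 payload bytes are present: |04|, "sock" and "send" are located, while |81 F1 03 01 04 9B 81 F1 01| is reported as not present in the excerpt. The hex-dump parser and the simplified content matcher are this example's own design.

```python
import re
import struct

# Input copied from the slide: Snort's hex dump of the Slammer datagram (Ethernet frame, 16 bytes/row).
SLIDE_TRACE = """\
0x0000: 00 04 9A D0 DA 24 00 30 94 CB 73 E1 08 00 45 00  .....$.0..s...E.
0x0010: 01 94 3F AF 00 00 6F 11 63 FA 8E B0 00 D2 CF 10  ..?...o.c.......
0x0020: 48 1D 04 5B 05 9A 01 80 8A 40 04 01 01 01 01 01  H..[.....@......
0x0030: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0040: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0050: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0060: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0070: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0080: 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0 42 EB  ..............B.
0x0090: 0E 01 01 01 01 01 01 01 70 AE 42 01 70 AE 42 90  ........p.B.p.B.
0x00A0: 90 90 90 90 90 90 90 68 DC C9 B0 42 B8 01 01 01  .......h...B....
0x00B0: 01 31 C9 B1 18 50 E2 FD 35 01 01 01 05 50 89 E5  .1...P..5....P..
0x00C0: 51 68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E  Qh.dllhel32hkern
0x00D0: 51 68 6F 75 6E 74 68 69 63 6B 43 68 47 65 74 54  QhounthickChGetT
0x00E0: 66 B9 6C 6C 51 68 33 32 2E 64 68 77 73 32 5F 66  f.llQh32.dhws2_f
0x00F0: B9 65 74 51 68 73 6F 63 6B 66 B9 74 6F 51 68 73  .etQhsockf.toQhs
0x0100: 65 6E 64 BE 18 10 AE 42 8D 45 D4 50 FF 16 50 8D  end....B.E.P..P.
"""

# The content options of the slide's rule; depth:1 limits the first search to payload byte 0.
SLAMMER_CONTENTS = [
    ("|04|", 1),
    ("|81 F1 03 01 04 9B 81 F1 01|", None),
    ("sock", None),
    ("send", None),
]

HEX_ROW = re.compile(r"^0x([0-9A-Fa-f]{4}):\s+(.*)$")


def parse_snort_hexdump(text):
    """Rebuild the raw frame from Snort's '0xOOOO: hh hh ... ascii' rows (16 bytes per row)."""
    frame = bytearray()
    for line in text.splitlines():
        m = HEX_ROW.match(line.strip())
        if not m:
            continue                      # header lines such as 'UDP TTL:111 ...' are skipped
        if int(m.group(1), 16) != len(frame):
            raise ValueError(f"dump is not contiguous at offset 0x{m.group(1)}")
        row = []
        for tok in m.group(2).split():
            if len(row) == 16 or len(tok) != 2 or not all(c in "0123456789abcdefABCDEF" for c in tok):
                break                     # the first non-hex token starts the ASCII column
            row.append(int(tok, 16))
        frame.extend(row)
    return bytes(frame)


def decode_udp_frame(frame):
    """Peel Ethernet II, IPv4 (honouring IHL) and UDP headers off the frame, as Snort's decoder does."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an Ethernet/IPv4 frame of usable length")
    ihl = (frame[14] & 0x0F) * 4
    ip_len, ip_id = struct.unpack("!HH", frame[16:20])
    ttl, proto = frame[22], frame[23]
    if proto != 17:
        raise ValueError("not a UDP datagram")
    udp = 14 + ihl
    sport, dport, udp_len = struct.unpack("!HHH", frame[udp:udp + 6])
    return {
        "captured": len(frame), "ip_len": ip_len, "ip_id": ip_id, "ttl": ttl, "proto": proto,
        "sport": sport, "dport": dport, "udp_len": udp_len,
        "expected_payload": udp_len - 8,   # bytes a complete capture would hold
        "payload": frame[udp + 8:],        # bytes this excerpt actually holds
    }


def parse_content(spec):
    """Snort content string -> bytes: text between |...| is hex, everything else is literal."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out.extend(bytes.fromhex(part) if i % 2 else part.encode("latin-1"))
    return bytes(out)


def match_contents(payload, contents):
    """Return {content: payload offset or None}; depth:N confines the search to the first N bytes."""
    results = {}
    for spec, depth in contents:
        haystack = payload if depth is None else payload[:depth]
        idx = haystack.find(parse_content(spec))
        results[spec] = idx if idx >= 0 else None
    return results


def analyse_slide_trace(text=SLIDE_TRACE):
    """Decode the trace and evaluate the rule's content options against its payload."""
    info = decode_udp_frame(parse_snort_hexdump(text))
    info["matches"] = match_contents(info["payload"], SLAMMER_CONTENTS)
    info["all_matched"] = all(v is not None for v in info["matches"].values())
    info["fill_bytes"] = info["payload"].count(b"\x01")   # the 01 01 01 ... padding the slide points at
    return info


if __name__ == "__main__":
    r = analyse_slide_trace()
    print(f"captured {r['captured']} of {14 + r['ip_len']} frame bytes; UDP {r['sport']} -> {r['dport']}, "
          f"TTL {r['ttl']}, DgmLen {r['ip_len']}, payload {len(r['payload'])}/{r['expected_payload']} bytes")
    for spec, off in r["matches"].items():
        print(f"  content {spec:<32} {'at payload offset ' + str(off) if off is not None else 'not in excerpt'}")
    print("all content options satisfied by this excerpt:", r["all_matched"])
```

Running it against a full capture would satisfy all four content options; against the slide's excerpt it shows why an analyst should check the captured length (Len: 384 versus the bytes actually dumped) before concluding that a rule content is absent.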
More about Snort
- Winpcap- or Libpcap-based packet sniffing
    - A system-independent interface for packet capture. It provides a portable framework for low-level network monitoring in the form of include files and a library that can be linked against, as is done with the Tcpdump package.
- Rules-based detection engine
    - Completely user programmable and configurable
- Plug-in based extensibility
    - Pre-processors, detection, output plug-ins

Snort Data Flow
[Diagram: Packet Stream Sniffing -> Packet Decoder -> Pre-Processor <Plug-Ins> -> Detection Engine <Plug-Ins> -> Post-Processor & Output Stage <Plug-Ins> -> Alerts/Logs]

Snort Packet Decoder
[Diagram: a packet taken from the network is decoded layer by layer: Ethernet, IP header, protocol, worm payload]

Snort Packet Decoder (2)
[Diagram: the same decoding applied to a packet read from a tcpdump binary file]

Introduction to Snort Usage

In This Section
- Basic invocation using the command line
- Logging & options
    - Directory sort (default)
    - Binary dump (tcpdump format)
    - Off (no logging)
- Alerts & options
    - Alert types
    - Alert delivery options
- Rules
    - Rule file specification
    - Rule types

Running Snort
- Invoking Snort with no arguments just generates the usage/options message
- To do something, at least one of the following is required:
    -v        Verbose, dump decoded packets to stdout
    -c <fn>   Use rules file <fn>
    -b        Binary dump undecoded packets into a file (tcpdump format)

Example: Basic Invocation

    > snort -v
    Initializing Network Interface ep1
    Decoding Ethernet on interface ep1

    -*> Snort! <*-
    Version 1.6.1-beta1
    By Martin Roesch (roesch@clark.net, www.clark.net/~roesch)

    06/28-16:58:19.877894 204.89.131.233:80 -> MY.NET.150.160:1412
    TCP TTL:119 TOS:0x0 ID:13696 DF
    ******A* Seq: 0x101AEB1 Ack: 0x9A5FA7 Win: 0x2001
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    06/28-16:58:19.877998 MY.NET.150.160:1412 -> 204.89.131.233:80
    TCP TTL:127 TOS:0x1A ID:43538 DF
    ******A* Seq: 0x9A5FA7 Ack: 0x101B461 Win: 0x1C7C
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    06/28-16:58:19.878182 209.252.154.64:1899 -> MY.NET.253.114:80
    TCP TTL:20 TOS:0x0 ID:16420 DF
    *****PA* Seq: 0xB3B219C Ack: 0x30A1394B Win: 0x2176

Example: Getting More Detail

    > snort -vd
    Initializing Network Interface ep1
    Decoding Ethernet on interface ep1

    -*> Snort! <*-
    Version 1.6.1-beta1
    By Martin Roesch (roesch@clark.net, www.clark.net/~roesch)

    06/28-17:02:33.761442 208.188.32.226:64302 -> MY.NET.70.121:7777
    UDP TTL:116 TOS:0x0 ID:45845
    Len: 37
    29 CA 48 03 01 BC 82 B9 6A DE B4 50 07 CA D6 48  ).H.....j..P...H
    04 00 9C CB 8B A1 89 01 1C 11 CA BB 21           ............!
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    06/28-17:02:33.761503 MY.NET.20.10:39850 -> 216.115.105.60:80
    TCP TTL:63 TOS:0x0 ID:62903
    **S***** Seq: 0xA2DD19C5 Ack: 0x0 Win: 0x2000
    TCP Options => MSS: 1460

Logging
- Snort supports three kinds of logging:
    1. Directory sort: decodes packets and sorts the results into different directories by IP and port (default method)
    2. Binary dump: stores raw packet data in a binary file
    3. Off: logging disabled
- Setting the logging directory
    - By default, logs go to the directory /var/log (Unix) or /snort/log (Win32)
    - Command line option: -l <logdir> redirects logs to directory <logdir>

Logging 1: Directory Sort

    ./log/131.118.254.130/TCP:1959-119

    06/28-17:08:16.561137 131.118.254.130:1959 -> MY.NET.1.6:119
    TCP TTL:61 TOS:0x0 ID:32792 DF
    *****PA* Seq: 0xA017051A Ack: 0xA5356082 Win: 0x4470
    25 5E 45 2B 26 0D 0A 4D 42 41 53 2D 53 45 45 31  %^E+&..MBAS-SEE1
    2A 24 4C 51 3D 3B 39 60 37 27 37 2B 29 38 46 43  *$LQ=;9`7'7+)8FC
    56 29 38 30 41 3E 2A 46 24 27 56 31 4E 2A 46 44  V)80A>*F$'V1N*FD
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    06/28-17:08:16.571185 MY.NET.1.6:119 -> 131.118.254.130:1959
    TCP TTL:63 TOS:0x0 ID:6910 DF
    ******A* Seq: 0xA5356082 Ack: 0xA0178846 Win: 0x5B40
    00 00 00 00 00 00                                ....
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    06/28-17:08:16.651944 MY.NET.1.6:119 -> 131.118.254.130:1959
    TCP TTL:63 TOS:0x0 ID:6976 DF
    ******A* Seq: 0xA5356082 Ack: 0xA019428A Win: 0x5B40
    00 00 00 00 00 00                                ....
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Logging 2: Reading from a Binary Dump
- Reading a binary dump back with -r:

    > snort -v -r ./log/snort-0628@1738.log
    Initializing Network Interface ep0
    snaplen = 1514
    Entering readback mode..

    -*> Snort! <*-
    Version 1.6.1-beta1
    By Martin Roesch (roesch@clark.net, www.clark.net/~roesch)

    06/28-17:38:40.456070 61.139.8.125:80 -> MY.NET.20.10:29568
    TCP TTL:43 TOS:0x0 ID:28329 DF
    ******A* Seq: 0xE43A5DAA Ack: 0xC59E5EB8 Win: 0x7D78
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    06/28-17:38:40.456164 MY.NET.20.10:41771 -> 216.200.16.77:80
    TCP TTL:63 TOS:0x0 ID:10919
    ******A* Seq: 0x55CFD22 Ack: 0x5554AECE Win: 0x2238
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    06/28-17:38:40.456371 MY.NET.20.10:41771 -> 216.200.16.77:80
    TCP TTL:63 TOS:0x0 ID:10920
    *****PA* Seq: 0x55CFD22 Ack: 0x5554AECE Win: 0x2238

Logging 3: Disabled
- Command line option: -N
    - Turns off all logging functions

    > snort -v -N
    Initializing Network Interface ep1
    Decoding Ethernet on interface ep1

    -*> Snort! <*-
    Version 1.6.1-beta1
    By Martin Roesch (roesch@clark.net, www.clark.net/~roesch)

    06/30-14:05:39.359582 204.117.117.22:1318 -> MY.NET.151.20:1704
    UDP TTL:116 TOS:0x0 ID:47822
    Len: 789
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    06/30-14:05:39.359726 MY.NET.20.10:2672 -> 216.111.248.10:80
    TCP TTL:63 TOS:0x0 ID:52617
    **S***** Seq: 0x7B372741 Ack: 0x0 Win: 0x2000
    TCP Options => MSS: 1460
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Alerting
- Alerts are "special actions" that Snort can take in response to different packets.
- The definition of these actions is in the rules file, but the format and delivery of alerts is specified on the Snort command line.
Snort Alert Types
- Command line option: -A <type>, where <type> is one of the following:
    - full    Full alert (default): full text with detail of the packet that triggered the alert
    - fast    Fast alert: abbreviated alert with packet header information
    - none    No alert: disables the alert function

Snort Alert Delivery
- By default all alerts go to a file named "alert" in the logging directory
- Command line option: -s
    - Directs alerts to the syslog
- Command line option: -M <smb-hosts-file>
    - Sends WinPopup messages to the list of workstations contained in the smb-hosts-file

Rules, Filters, and Modules
- Filters
    - Narrow the selection of packets at collection
- Rules
    - Specify processing and response
- Modules
    - Pre- and post-processors

Snort Rules
- Rules are the core of Snort's flexibility
- Specified in a rules file
- Actions:
    - Alert: generate an alert message and log the packet
    - Log: log the packet
    - Pass: ignore the packet
- Order of evaluation: Alert-Pass-Log
    - The -o option changes this to Pass-Alert-Log
- Command line option: -c <rules file>

A Word on CIDR Notation
- Classless Inter-Domain Routing is used to identify the network Snort is protecting
    - MY.0.0.0/8: Class A network MY.x.x.x
    - MY.NET.0.0/16: Class B network MY.NET.x.x
    - MY.NET.WORK.0/24: Class C network MY.NET.WORK.x
    - MY.NET.WORK.135/32: indicates a specific host (135) on the class C MY.NET.WORK network

Snort Session with Rules
- A simple rules file:

    var HOME_NET MY.NET.0.0/16
    alert tcp any any -> $HOME_NET 21

- HOME_NET is the private network you are protecting with the Snort IDS, i.e. internal network = 192.168.1.0, HOME_NET = MY.NET.1.0

Snort Session with Rules (2)
- The first line defines the variable $HOME_NET to be MY.NET.0.0/16
- The second line, alert tcp any any -> $HOME_NET 21, specifies that an alert be generated for every packet that is:
    - A TCP packet
    - From any source IP
    - From any source port
    - To any destination within $HOME_NET
    - To destination port 21

Rules Session Output
- Snort command with the -c option:

    > snort -l ./log -c ./rules/myrules
    Initializing Network Interface ep1
    Decoding Ethernet on interface ep1
    Initializing Preprocessors!
    -------------------------------------------------
    Keyword              | Preprocessor @
    -------------------------------------------------
    http_decode          : 0xd0d4
    minfrag              : 0xd2fc
    portscan             : 0xdfa0
    portscan-ignorehosts : 0xea30
    defrag               : 0x10544
    -------------------------------------------------

Rules Session Output (2)
- Now we look in the ./log directory:

    > ls ./log
    209.70.98.152  210.229.79.62  212.170.18.20  213.228.3.197  alert

- Note: default-style logging (IP sorted by subdirectory) occurred since we didn't use the -N option

Rules Session Output (3)

    > cat ./log/alert
    [**] Snort Alert! [**]
    06/30-14:58:42.567915 209.70.98.152:1168 -> MY.NET.60.11:21
    TCP TTL:117 TOS:0x0 ID:28726 DF
    *****PA* Seq: 0x48B9BE1 Ack: 0xFF900F0 Win: 0x1EC2

    [**] Snort Alert! [**]
    06/30-14:58:42.675093 209.70.98.152:1168 -> MY.NET.60.11:21
    TCP TTL:117 TOS:0x0 ID:29238 DF
    *****PA* Seq: 0x48B9C03 Ack: 0xFF90122 Win: 0x1E90
    …
    [**] Snort Alert! [**]
    06/30-14:58:50.565715 213.228.3.197:32575 -> MY.NET.253.105:21
    TCP TTL:50 TOS:0x0 ID:37043 DF
    *****PA* Seq: 0x85115725 Ack: 0x176C2565 Win: 0x2238
    TCP Options => NOP NOP TS: 7979439 31450159

    [**] Snort Alert! [**]
    06/30-14:58:50.771597 213.228.3.197:32575 -> MY.NET.253.105:21
    TCP TTL:50 TOS:0x0 ID:37361 DF
    ******A* Seq: 0x8511572C Ack: 0x176C257D Win: 0x2238
    T

CP Options => NOP NOP TS: 7979439 31450160

2nd Snort Session with Rules
- A slightly different Snort command with the options -N -c -A fast:

    > snort -l ./log -c ./rules/myrules -N -A fast
    Initializing Network Interface ep1
    Decoding Ethernet on interface ep1
    Initializing Preprocessors!
    -------------------------------------------------
    Keyword              | Preprocessor @
    -------------------------------------------------
    http_decode          : 0xd0d4
    minfrag              : 0xd2fc
    portscan             : 0xdfa0
    portscan-ignorehosts : 0xea30
    defrag               : 0x10544
    -------------------------------------------------

2nd Rules Session Output
- Now we look in the ./log directory:

    > ls ./log
    alert

- Note: default logging was suppressed by the -N option, but alerts were still recorded

2nd Rules Session Output (3)
- Note: alerts are in abbreviated form due to the option -A fast

    > cat ./log/alert
    06/30-18:03:30.238623 206.136.246.12:3433 -> MY.NET.60.16:21
    06/30-18:03:30.352807 206.136.246.12:3433 -> MY.NET.60.16:21
    06/30-18:03:30.627864 206.136.246.12:3433 -> MY.NET.60.16:21
    06/30-18:03:30.627991 206.136.246.12:3433 -> MY.NET.60.16:21
    06/30-18:03:30.761860 206.136.246.12:3433 -> MY.NET.60.16:21
    06/30-18:03:31.688452 206.136.246.12:3433 -> MY.NET.60.16:21
    06/30-18:03:31.764592 206.136.246.12:3433 -> MY.NET.60.16:21
    06/30-18:03:31.842841 206.136.246.12:3433 -> MY.NET.60.16:21
    06/30-18:03:32.036428 206.136.246.12:3433 -> MY.NET.60.16:21
    06/30-18:03:32.210022 206.136.246.12:3433 -> MY.NET.60.16:21
    06/30-18:03:32.373553 206.136.246.12:3433 -> MY.NET.60.16:21
    06/30-18:03:32.517695 206.136.246.12:3433 -> MY.NET.60.16:21
    06/30-18:03:32.619376 206.136.246.12:3433 -> MY.NET.60.16:21
    06/30-18:03:32.694124 206.136.246.12:3433 -> MY.NET.60.16:21

Sample Rules
Here are some illustrative rules:
- Note the 'msg' option:

    alert tcp 195.11.50.204/32 any -> $HOME_NET any (msg:"GIAC 08-feb-2000";)

- Note the 'content' option:

    alert udp any any -> $HOME_NET any (msg:"Trin00 password"; content:"[]..Ks";)

Sample Rules (2)
- Note the 'flags' option:

    alert tcp any any -> $HOME_NET any (msg:"Possible Queso Fingerprint attempt"; flags: S12;)

- All of the above:

    alert tcp any any -> $HOME_NET 80 (msg:"IIS Showcode access attempt"; content:"/msads/Samples/SELECTOR/showcode.asp"; flags: PA;)

- And there are many, many other options, and combinations of options

Writing Snort Rulesets
- Snort rules are simple and extremely flexible. For a more in-depth treatment of writing rulesets, it is more than worth your while to look at the docs at www.snort.org

Snort with Filters
- Snort can accept tcpdump-style filters
    - These filters work at the "front end" of Snort
    - Only packets passed by the filters will be processed by the rules
    - Example: snort -v 'tcp[13] & 3 != 0'
        - Accepts only packets that have either the SYN or the FIN bit set (or both)

Snort with Filters (2)
- Filters can be put at the end of Snort commands (see previous example)
- Filters can also reside in a file
- Command line option: -F <filter file>
    - Reads filters into the Snort process from <filter file>

Snort Plug-Ins
- Snort allows you to add new modules and to activate existing ones that come with the distribution
    - Additions are compiled as object code and activated as usual
    - Activation takes place in the rules file
- A wide variety of modules are available
    - One nifty module searches the packet stream for scanning behavior

Snort Plug-In Types
- Preprocessor
    - Packets are examined/manipulated before being handed to the detection engine
- Detection
    - Performs single, simple tests on a single aspect/field of the packet
- Output
    - Reports results from the other plug-ins

Ways to Use Snort
- Real-time traffic analysis
    - Watching the packets go by live (do you have a quiet, peaceful network? How fast can you read?)
- Packet logging
    - Collecting packets in raw form for later analysis
    - Creating logs of decoded packets for later analysis
- Stored log analysis
    - Reading raw packet files for in-depth analysis

What Can Come Out of Snort
- Standard output (decoded packets)
- Binary dump (raw packets)
- Snort default logging scheme
- Text messages going to text files
    - Syslog-based logging
    - Other log files (like alert)
- Notifications
    - Samba-based pop-up windows
    - Other alerting modules (e.g. paging)
- Responses
    - Auto-responses (e.g. dropping connections)

Do It Yourself: Building a Larger Framework

Very Simple
[Diagram: Packet Stream Sniffing -> tcpdump process (with a filter file) -> log file]

Less Simple
[Diagram: Packet Stream Sniffing -> SNORT (with a rules file) -> alert file -> cron-driven report generator -> e-mail]

Even Less Simple
[Diagram: again Packet Stream Sniffing -> SNORT (with a rules file) -> alert file -> cron-driven report generator -> e-mail]

Correlation
- Network traffic logs can be used to correlate with data in other records (system logs, authentication logs)
- If inappropriate or illegal activity is suspected, network log correlation can be used to justify closer scrutiny of things like e-mail and network session content
- On hearing the description of "correlation", a Maryland State trooper replied that he called it "probable cause".
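The Snort Rules, CIDR Notation and Snort Session with Rules slides above describe how a rule header selects packets (protocol, address spec, port, direction, with $HOME_NET substituted from a var line) and how the Alert-Pass-Log evaluation order, or Pass-Alert-Log under -o, decides which action wins. As an added example, not part of the slides and not Snort's own code, here is a small Python model of exactly that header matching. It goes a little beyond the slides' two-line rules file: it also accepts the port ranges, negated addresses and bidirectional <> operator that Snort's header syntax allows. The rules file and packets are constructed, with 192.168.0.0/16 standing in for MY.NET.0.0/16 as in the slides' 192.168.1.0 aside; the pass rule for the host 192.168.5.5 is invented for the illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Rule header grammar: action proto src_ip src_port direction dst_ip dst_port [(options)]
RULE_RE = re.compile(
    r"^(alert|log|pass)\s+(tcp|udp|icmp|ip)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*(?:\((.*)\))?\s*$"
)

# Constructed rules file modelled on the slides' two-line example (the pass rule is invented).
SAMPLE_RULES = """\
var HOME_NET 192.168.0.0/16
alert tcp any any -> $HOME_NET 21 (msg:"FTP connection to protected network";)
pass tcp 192.168.5.5/32 any -> $HOME_NET 21 (msg:"internal FTP client, not interesting";)
log udp any any -> $HOME_NET 53
"""


@dataclass
class Rule:
    action: str
    proto: str
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str
    options: str = ""


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def load_rules(text):
    """Read a rules file: 'var NAME value' definitions plus rule headers; $NAME is substituted."""
    variables, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("var "):
            _, name, value = line.split(None, 2)
            variables[name] = value
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line}")
        fields = [variables[f[1:]] if f.startswith("$") else f for f in m.groups()[:7]]
        rules.append(Rule(*fields, options=m.group(8) or ""))
    return rules


def ip_matches(spec, address):
    """Address spec: 'any', a CIDR block (MY.NET.0.0/16 style) or a bare host; a leading '!' negates."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    network = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(address) in network) != negate


def port_matches(spec, port):
    """Port spec: 'any', one port, or an inclusive range 'lo:hi' ('lo:' and ':hi' are open-ended)."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def rule_matches(rule, pkt):
    """True when the header selects this packet; '<>' also tries the endpoints swapped."""
    if rule.proto not in (pkt.proto, "ip"):
        return False

    def one_way(s_ip, s_port, d_ip, d_port):
        return (ip_matches(rule.src_ip, s_ip) and port_matches(rule.src_port, s_port)
                and ip_matches(rule.dst_ip, d_ip) and port_matches(rule.dst_port, d_port))

    if one_way(pkt.src, pkt.sport, pkt.dst, pkt.dport):
        return True
    return rule.direction == "<>" and one_way(pkt.dst, pkt.dport, pkt.src, pkt.sport)


def evaluate(rules, pkt, pass_first=False):
    """Snort's evaluation order: Alert-Pass-Log by default, Pass-Alert-Log when run with -o."""
    order = ("pass", "alert", "log") if pass_first else ("alert", "pass", "log")
    for action in order:
        for rule in rules:
            if rule.action == action and rule_matches(rule, pkt):
                return action, rule
    return None, None


if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES)
    ftp_from_outside = Packet("tcp", "203.0.113.7", 1168, "192.168.60.11", 21)   # constructed
    ftp_from_inside = Packet("tcp", "192.168.5.5", 4000, "192.168.60.11", 21)    # constructed
    for label, pkt in (("outside", ftp_from_outside), ("inside", ftp_from_inside)):
        default, _ = evaluate(rules, pkt)
        with_o, _ = evaluate(rules, pkt, pass_first=True)
        print(f"{label}: default order -> {default}, with -o -> {with_o}")
```

The second constructed packet is the interesting one: both the alert rule and the pass rule select it, so under the default Alert-Pass-Log order it still alerts, and only with -o does the pass rule silence it. That is the behaviour the slides warn about when they note that -o changes the order.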
Correlation: Examples
- A daily report from system logs identifies any user with more than 10 authentication failures in one day from an external site
- Network traffic logs may show other questionable activity from that site
- BlackIce on a desktop NT system shows a DNS probe from an external site
- Network traffic logs show a complete scan of the internal network on port 53

Resources
- All things Snort (Marty Roesch's Snort homepage): http://www.snort.org
- Snort database support: http://www.incident.org/snortdb
- Snort plug-ins: http://spyjurenet.com/linuxrc.org/projects/snort
- Attack signatures database (arachNIDS): http://www.whitehats.com

Resources (2)
- Other Snort tools:
    - Statistics: http://xanadu.rem.cmu.edu/snort
    - Snort report → HTML converter: http://www.silicondefense.com/snortsnarf
- Libpcap packet capture library: ftp.ee.lbl.gov

Demo
- http://localhost/acid/index.html
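The "Less Simple" framework earlier in the deck feeds Snort's alert file to a cron-driven report generator, and the Correlation Examples open with a daily report. As an added example that is not part of the slides or of any Snort tool, here is a Python report generator for the two alert formats the deck shows: the full -A full blocks and the one-line -A fast form as it appears on the slides. It parses each alert and groups them by source, destination and destination port with first/last time and the TCP flags seen, which is the shape a daily e-mailed summary would take. The sample alert text is copied from the Rules Session Output slides; the parser, grouping and output format are this example's own design.

```python
import re
from collections import defaultdict

# Sample input copied from the "Rules Session Output" slide (full alert format).
ALERT_FULL = """\
[**] Snort Alert! [**]
06/30-14:58:42.567915 209.70.98.152:1168 -> MY.NET.60.11:21
TCP TTL:117 TOS:0x0 ID:28726 DF
*****PA* Seq: 0x48B9BE1 Ack: 0xFF900F0 Win: 0x1EC2

[**] Snort Alert! [**]
06/30-14:58:42.675093 209.70.98.152:1168 -> MY.NET.60.11:21
TCP TTL:117 TOS:0x0 ID:29238 DF
*****PA* Seq: 0x48B9C03 Ack: 0xFF90122 Win: 0x1E90

[**] Snort Alert! [**]
06/30-14:58:50.565715 213.228.3.197:32575 -> MY.NET.253.105:21
TCP TTL:50 TOS:0x0 ID:37043 DF
*****PA* Seq: 0x85115725 Ack: 0x176C2565 Win: 0x2238
TCP Options => NOP NOP TS: 7979439 31450159

[**] Snort Alert! [**]
06/30-14:58:50.771597 213.228.3.197:32575 -> MY.NET.253.105:21
TCP TTL:50 TOS:0x0 ID:37361 DF
******A* Seq: 0x8511572C Ack: 0x176C257D Win: 0x2238
TCP Options => NOP NOP TS: 7979439 31450160
"""

# Sample input copied from the "2nd Rules Session Output" slide (-A fast, as printed there).
ALERT_FAST = """\
06/30-18:03:30.238623 206.136.246.12:3433 -> MY.NET.60.16:21
06/30-18:03:30.352807 206.136.246.12:3433 -> MY.NET.60.16:21
06/30-18:03:30.627864 206.136.246.12:3433 -> MY.NET.60.16:21
"""

MSG_LINE = re.compile(r"^\[\*\*\]\s*(.*?)\s*\[\*\*\]\s*(.*)$")
PKT_LINE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(\S+?)(?::(\d+))?\s+->\s+(\S+?)(?::(\d+))?$")
PROTO_LINE = re.compile(r"^(TCP|UDP|ICMP)\s+TTL:(\d+)\s+TOS:0x[0-9A-Fa-f]+\s+ID:(\d+)(\s+DF)?")
FLAGS_LINE = re.compile(r"^([*SFRPAU12]{8})\s+Seq:")


def parse_alerts(text):
    """Parse Snort 1.x alert output: '[**] msg [**]' blocks, or one 'time src -> dst' line per alert."""
    alerts, current = [], None
    pending = text.splitlines()
    while pending:
        line = pending.pop(0).strip()
        if not line:
            continue
        m = MSG_LINE.match(line)
        if m:
            current = {"msg": m.group(1), "proto": None, "flags": None, "options": None}
            alerts.append(current)
            if m.group(2):                  # timestamp glued onto the [**] line, as in the slide's text
                pending.insert(0, m.group(2))
            continue
        m = PKT_LINE.match(line)
        if m:
            if current is None or "time" in current:   # fast format: every line is a whole alert
                current = {"msg": None, "proto": None, "flags": None, "options": None}
                alerts.append(current)
            current.update(time=m.group(1), src=m.group(2), sport=int(m.group(3)) if m.group(3) else None,
                           dst=m.group(4), dport=int(m.group(5)) if m.group(5) else None)
            continue
        if current is None:
            continue
        m = PROTO_LINE.match(line)
        if m:
            current.update(proto=m.group(1), ttl=int(m.group(2)), ip_id=int(m.group(3)), df=bool(m.group(4)))
            continue
        m = FLAGS_LINE.match(line)
        if m:
            current["flags"] = m.group(1)
        elif line.startswith("TCP Options =>"):
            current["options"] = line.split("=>", 1)[1].strip()
    return alerts


def summarize(alerts):
    """Group alerts by (source host, destination host, destination port), sorted by count."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None, "flags": set(), "msgs": set()})
    for a in alerts:
        if "time" not in a:
            continue                        # a [**] line with no packet line behind it
        g = groups[(a["src"], a["dst"], a["dport"])]
        g["count"] += 1
        g["first"] = a["time"] if g["first"] is None else min(g["first"], a["time"])
        g["last"] = max(g["last"] or a["time"], a["time"])
        if a["flags"]:
            g["flags"].add(a["flags"])
        if a["msg"]:
            g["msgs"].add(a["msg"])
    rows = [dict(src=s, dst=d, dport=p, **g) for (s, d, p), g in groups.items()]
    return sorted(rows, key=lambda r: (-r["count"], r["first"]))


def render(rows):
    """Plain-text table, the kind of thing the cron job would mail out."""
    lines = [f"{'count':>5}  {'source':<20} {'destination':<22} {'dport':>5}  first..last"]
    for r in rows:
        flags = f"  flags={','.join(sorted(r['flags']))}" if r["flags"] else ""
        lines.append(f"{r['count']:>5}  {r['src']:<20} {r['dst']:<22} {str(r['dport']):>5}  "
                     f"{r['first']}..{r['last']}{flags}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarize(parse_alerts(ALERT_FULL))))
    print(render(summarize(parse_alerts(ALERT_FAST))))
```

Grouping by destination port as well as by host pair is what makes the second correlation example (a full scan of the internal network on port 53) stand out in a daily report: one source, many destinations, one port.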