Defcon Presentation

Passive Host Auditing
Using Snort And Other Free Tools
by John Ives aka. jives
The Importance Of Auditing

Identify assets to better protect

Inventory of what you have and where it is on your network
The State Of Auditing Today

Relies primarily on active network scanning

Makes heavy use of client agents

Difficult to impossible in chaotic, decentralized environments
What Is Passive Auditing

Uses packets already on the network to answer questions about the hosts

Does not affect end-system logging

Uses black hat scans for white hat purposes

Aids policy enforcement

Ultimately it is event correlation used to profile a host.
What Can Be Monitored Passively

OS
OS updates
Antivirus/firewall/spyware updates
Network services (e.g. telnet, ftp, http, etc.)
Open Ports
Service versions
Network Application Versions
Policies
What are its Downsides?

Getting started can be labor intensive.
It requires a lot of data to build an accurate picture.
It requires a commitment of time and money.
It can be bypassed, but most end users won't.
It actually benefits from an ugly network!
Example Rule (AV/Firewall update)
Symantec LiveUpdate
---------------------------------------------------------------------------
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
(msg:"PHA - user-agent Symantec liveupdate"; \
flow:to_server,established; \
content:"|0d0a|User-Agent\: Symantec LiveUpdate"; nocase; \
content:"|0d0a|Host\: liveupdate.symantecliveupdate.com"; nocase; \
threshold: type limit, track by_src, count 1, seconds 1800; )
Example packets (AV/Firewall update)
Symantec LiveUpdate
--------------------------------------------------------------------------
IP:
10.10.29.25 -> 38.113.220.7 hlen=20 TOS=00 dgramlen=283 id=946B
MF/DF=0/1 frag=0 TTL=126 proto=TCP cksum=CC44
TCP:
port 1694 -> 80 seq=3152470340 ack=3992596721
hlen=20 (data=243) UAPRSF=011000 wnd=65535 cksum=74B4 urg=0
DATA:
GET /symantec$20antivirus$20corporate$20client$20nt_9.0_english_livetri.zip HTTP/1.0.
Accept: */*.
Cache-Control: max-age=0.
User-Agent: Symantec LiveUpdate.
Host: liveupdate.symantecliveupdate.com.
----------: ----------.
Pragma: no-cache.
.
Example Rule (OS Update)
Windows updating for KB896358 (MS05-026)
---------------------------------------------------------------------------
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
(msg:"PHA - Windows Update download KB896358 MS05-026";\
content:"GET |2F|"; depth:5; nocase; \
content:"kb896358"; nocase; \
content:".exe HTTP|2F|1.1|0d0a|"; nocase;)
Example packets (OS Update)
Windows ME updating for KB896358 (MS05-026)
--------------------------------------------------------------------------
IP:
10.11.19.24 -> 207.46.249.25 hlen=20 TOS=00 dgramlen=282 id=2498
MF/DF=0/1 frag=0 TTL=125 proto=TCP cksum=EE37
TCP:
port 1493 -> 80 seq=0370010218 ack=2679330397
hlen=20 (data=242) UAPRSF=011000 wnd=17520 cksum=8456 urg=0
DATA:
GET /msdownload/update/v3-19990518/cabpool/WindowsME-KB896358ENU_7e9ddccce2504c0ee808dffaf52c841.EXE HTTP/1.1.
Accept: */*.
Range: bytes=0-16384.
User-Agent: Progressive Download.
Host: download.windowsupdate.com.
Cache-Control: no-cache.
Example Rule (Anti-Spyware Detection)
Microsoft Windows Malicious Software Removal Tool
---------------------------------------------------------------------------
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
(msg:"PHA - Windows Spyware Tool KB890830";\
content:"GET |2F|"; depth:5; nocase; \
content:"kb890830"; nocase; \
content:".exe HTTP|2F|1.1|0d0a|"; nocase;\
content:"|0d0a|User-Agent: Microsoft BITS"; nocase;)
Example packets (Spyware Detection)
Microsoft Windows Malicious Software Removal Tool
--------------------------------------------------------------------------
IP:
10.11.60.7 -> 65.59.184.62 hlen=20 TOS=00 dgramlen=326 id=0611
MF/DF=0/1 frag=0 TTL=125 proto=TCP cksum=4CFC
TCP:
port 1078 -> 80 seq=0643000275 ack=3277861441
hlen=20 (data=286) UAPRSF=011000 wnd=65535 cksum=0FBC urg=0
DATA:
GET /msdownload/update/v3-19990518/cabpool/windows-kb890830-v1.5delta-enu_21d25af37346306a6b2dee41479b947829a529db.exe HTTP/1.1.
Accept: */*.
Accept-Encoding: identity.
Range: bytes=0-5622.
User-Agent: Microsoft BITS/6.6.
Host: au.download.windowsupdate.com.
Connection: Keep-Alive.
Example Rule (OS Update Check-In)
RedHat looking for updates via up2date
---------------------------------------------------------------------------
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
(msg:"PHA - RedHat Update Up2Date check-in"; flow:to_server,established; \
content:"GET |2F|"; depth:5; nocase; \
content:"header.info HTTP/1.1|0d0a|"; nocase;\
content:"|0d0a|User\-agent\: Up2date\/"; nocase;)
Example packets (OS Update Check-In)
RedHat updating via up2date
--------------------------------------------------------------------------
IP:
10.11.26.94 -> 209.132.176.221 hlen=20 TOS=00 dgramlen=263 id=1C11
MF/DF=0/1 frag=0 TTL=61 proto=TCP cksum=B667
TCP:
port 36102 -> 80 seq=0480187150 ack=3321205591
hlen=32 (data=211) UAPRSF=011000 wnd=1460 cksum=F466 urg=0
DATA:
GET /pub/fedora/linux/core/3/i386/os/headers/header.info HTTP/1.1.
Host: download.fedora.redhat.com.
Accept-Encoding: identity.
If-Modified-Since: Wed, 03 Nov 2004 23:16:42 GMT.
User-Agent: RHN-Applet/2.1.16.
Example Rule (another OS update)
RedHat updating via up2date
---------------------------------------------------------------------------
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
(msg:"PHA - RedHat Update Up2Date check-in"; flow:to_server,established; \
content:"GET |2F|"; depth:5; nocase; \
content:".rpm HTTP/1.1|0d0a|"; nocase;\
content:"|0d0a|User\-agent\: Up2date\/"; nocase;)
Example packets (another OS update)
RedHat updating via up2date
--------------------------------------------------------------------------
IP:
10.11.26.94 -> 209.132.176.221 hlen=20 TOS=00 dgramlen=263 id=1C11
MF/DF=0/1 frag=0 TTL=61 proto=TCP cksum=B667
TCP:
port 36102 -> 80 seq=0480187150 ack=3321205591
hlen=32 (data=211) UAPRSF=011000 wnd=1460 cksum=F466 urg=0
DATA:
GET /pub/fedora/linux/core/updates/4/i386//kernel-2.6.121.1398_FC4.i686.rpm HTTP/1.1
Accept-Encoding: identity
Host: download.fedora.redhat.com
Connection: close
User-agent: Up2date 4.4.23-4/Yum
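A practitioner's first check on rules like these is whether each one really fires on the packet shown beside it. The script below is an added example, not code from the talk or from passiveaudit.org: it is a minimal evaluator for the content / nocase / depth options the PHA rules use, run against HTTP payloads reconstructed from the DATA sections of the packet slides (tcpshow prints the CR of each CRLF as a trailing dot, and the wrapped request line is rejoined). It assumes the classic Snort 2.x semantics for these options and ignores flow, threshold and flags; the rule text is copied from the slides, the payload bytes are reconstructed.

```python
# Added example (not part of the presentation): a minimal evaluator for the
# content / nocase / depth options used by the PHA rules on the slides, run
# against the HTTP payloads of the sample packets. flow, threshold and flags
# are ignored, and each content is searched independently (the rules use no
# distance/within), as Snort 2.x does for rules written this way.
import re

# content:"..." followed by any run of nocase; / depth:N; modifiers
CONTENT_RE = re.compile(
    r'content:"((?:[^"\\]|\\.)*)"\s*;((?:\s*(?:nocase|depth:\d+)\s*;)*)', re.I)


def parse_content(spec: str) -> bytes:
    """Decode a Snort content string: |hex| blocks and backslash escapes."""
    out, i = bytearray(), 0
    while i < len(spec):
        if spec[i] == "|":                       # |0d0a| -> b"\r\n"
            end = spec.index("|", i + 1)
            out += bytes.fromhex(spec[i + 1:end])
            i = end + 1
        elif spec[i] == "\\":                    # \: \- \/ -> literal char
            out.append(ord(spec[i + 1]))
            i += 2
        else:
            out.append(ord(spec[i]))
            i += 1
    return bytes(out)


def parse_rule(rule: str):
    """Return [(pattern, nocase, depth_or_None), ...] in rule order."""
    contents = []
    for m in CONTENT_RE.finditer(rule):
        mods = m.group(2).lower()
        depth = re.search(r"depth:(\d+)", mods)
        contents.append((parse_content(m.group(1)), "nocase" in mods,
                         int(depth.group(1)) if depth else None))
    return contents


def rule_matches(rule: str, payload: bytes) -> bool:
    """True when every content option of the rule is found in the payload."""
    for pattern, nocase, depth in parse_rule(rule):
        hay = payload if depth is None else payload[:depth]
        if nocase:
            hay, pattern = hay.lower(), pattern.lower()
        if pattern not in hay:
            return False
    return True


# Rules copied from the slides (line continuations kept).
RULE_SYMANTEC = r'''alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
(msg:"PHA - user-agent Symantec liveupdate"; flow:to_server,established; \
content:"|0d0a|User-Agent\: Symantec LiveUpdate"; nocase; \
content:"|0d0a|Host\: liveupdate.symantecliveupdate.com"; nocase; \
threshold: type limit, track by_src, count 1, seconds 1800; )'''
RULE_KB896358 = r'''alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
(msg:"PHA - Windows Update download KB896358 MS05-026";\
content:"GET |2F|"; depth:5; nocase; \
content:"kb896358"; nocase; \
content:".exe HTTP|2F|1.1|0d0a|"; nocase;)'''
RULE_UP2DATE = r'''alert tcp $HOME_NET any -> $EXTERNAL_NET 80 \
(msg:"PHA - RedHat Update Up2Date check-in"; flow:to_server,established; \
content:"GET |2F|"; depth:5; nocase; \
content:"header.info HTTP/1.1|0d0a|"; nocase;\
content:"|0d0a|User\-agent\: Up2date\/"; nocase;)'''

# Payloads reconstructed from the slides' DATA sections (CRLF line endings,
# wrapped request line rejoined).
PKT_SYMANTEC = (b"GET /symantec$20antivirus$20corporate$20client$20nt_9.0_english"
                b"_livetri.zip HTTP/1.0\r\nAccept: */*\r\nCache-Control: max-age=0\r\n"
                b"User-Agent: Symantec LiveUpdate\r\nHost: liveupdate.symantecliveupdate.com"
                b"\r\nPragma: no-cache\r\n\r\n")
PKT_KB896358 = (b"GET /msdownload/update/v3-19990518/cabpool/WindowsME-KB896358ENU_"
                b"7e9ddccce2504c0ee808dffaf52c841.EXE HTTP/1.1\r\nAccept: */*\r\n"
                b"Range: bytes=0-16384\r\nUser-Agent: Progressive Download\r\n"
                b"Host: download.windowsupdate.com\r\nCache-Control: no-cache\r\n\r\n")
PKT_KB890830 = (b"GET /msdownload/update/v3-19990518/cabpool/windows-kb890830-v1.5delta"
                b"-enu_21d25af37346306a6b2dee41479b947829a529db.exe HTTP/1.1\r\n"
                b"Accept: */*\r\nAccept-Encoding: identity\r\nRange: bytes=0-5622\r\n"
                b"User-Agent: Microsoft BITS/6.6\r\nHost: au.download.windowsupdate.com\r\n"
                b"Connection: Keep-Alive\r\n\r\n")
PKT_UP2DATE = (b"GET /pub/fedora/linux/core/3/i386/os/headers/header.info HTTP/1.1\r\n"
               b"Host: download.fedora.redhat.com\r\nAccept-Encoding: identity\r\n"
               b"If-Modified-Since: Wed, 03 Nov 2004 23:16:42 GMT\r\n"
               b"User-Agent: RHN-Applet/2.1.16\r\n\r\n")

if __name__ == "__main__":
    for name, rule, pkt in [("Symantec rule vs Symantec packet", RULE_SYMANTEC, PKT_SYMANTEC),
                            ("KB896358 rule vs KB896358 packet", RULE_KB896358, PKT_KB896358),
                            ("KB896358 rule vs KB890830 packet", RULE_KB896358, PKT_KB890830),
                            ("up2date rule vs RHN-Applet packet", RULE_UP2DATE, PKT_UP2DATE)]:
        print(f"{name}: {'MATCH' if rule_matches(rule, pkt) else 'no match'}")
```

The first three cases behave as the slides suggest: the Symantec and KB896358 rules fire on their own packets and the KB896358 rule stays quiet on the KB890830 download. The last case is the caveat: the up2date check-in rule requires a "User-agent: Up2date/" header, but the captured check-in came from RHN-Applet/2.1.16, and the .rpm download on the next slide identifies itself as "Up2date 4.4.23-4/Yum" (a space, not a slash, after the name), so neither printed rule would fire on the packet shown next to it. A PHA rule set should be re-run against its own sample captures whenever a client agent changes its User-Agent string.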
Misc. Example Rules
Syn Packets for p0f
---------------------------------------------------------------------------
alert tcp $HOME_NET any -> any any (msg:"PHA syn packet capture for p0f"; \
flags:s; threshold: type limit, track by_src, count 1, seconds 1800; )
---------------------------------------------------------------------------
IIS 5.1 on Windows XP
---------------------------------------------------------------------------
alert tcp $HOME_NET 80 -> $EXTERNAL_NET any \
(msg:"PHA - IIS 5.1 running on Windows XP"; flow: from_server; \
content:"|0D 0A|Server\: Microsoft-IIS/5.1|0D 0A|"; nocase; \
threshold: type limit, track by_src, count 1, seconds 1800;)
Tools

Snort
p0f
tcpdump
tcpshow and/or ngrep
Bro IDS
Custom Scripts
Database
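The "Custom Scripts" and "Database" entries are where the event correlation mentioned earlier actually happens: Snort only emits one alert per matching packet, and something has to fold those alerts into a per-host picture. The script below is an added example of that step, not code from the talk or from passiveaudit.org. It parses Snort fast-format alert lines produced by the PHA rules on the slides, builds one profile per internal host, and checks a sample policy (every Windows host must have been seen pulling an AV update within the last week). The alert lines, their sids, the year and the policy window are constructed for this example; the rule messages are the ones from the slides, and because every slide rule puts $HOME_NET on the source side, the audited host is always the alert's source address.

```python
# Added example (not part of the presentation): the kind of custom script the
# "Custom Scripts" and "Database" bullets stand in for. It folds Snort
# fast-format alerts from the PHA rules on the slides into one profile per
# internal host and then checks a sample policy against those profiles.
# The alert lines, sids, year and policy window are constructed for this
# example; the rule messages are the ones used on the slides.
import re
from datetime import datetime, timedelta

YEAR = 2005            # fast alerts carry no year; assumed for the samples
MAX_AV_AGE_DAYS = 7    # constructed policy: AV must update at least weekly

# Snort fast alert: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ... {proto} src:sport -> dst:dport"
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[\d+:\d+:\d+\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+$")

# What each PHA message tells us about the host. Every rule on the slides puts
# $HOME_NET on the source side, so the audited host is always the source.
FACTS = {
    "PHA - user-agent Symantec liveupdate": ("av_update", "Symantec LiveUpdate"),
    "PHA - Windows Update download KB896358 MS05-026": ("patch", "KB896358 (MS05-026)"),
    "PHA - Windows Spyware Tool KB890830": ("antispyware", "MSRT KB890830"),
    "PHA - RedHat Update Up2Date check-in": ("os", "Red Hat / Fedora (up2date)"),
    "PHA - IIS 5.1 running on Windows XP": ("service", "Microsoft-IIS/5.1"),
}
# Messages that imply an OS family even though no OS rule fired.
IMPLIED_OS = {
    "PHA - Windows Update download KB896358 MS05-026": "Windows",
    "PHA - Windows Spyware Tool KB890830": "Windows",
    "PHA - IIS 5.1 running on Windows XP": "Windows XP",
}


def parse_alert(line):
    """Return (timestamp, msg, src, dst) or None for a non-alert line."""
    m = FAST_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
    return ts, m["msg"], m["src"], m["dst"]


def build_profiles(lines):
    """Correlate alerts into {host: {fact: (value, last_seen)}}."""
    profiles = {}
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None or parsed[1] not in FACTS:
            continue
        ts, msg, src, _ = parsed
        host = profiles.setdefault(src, {})
        fact, value = FACTS[msg]
        if fact not in host or host[fact][1] < ts:   # keep the latest sighting
            host[fact] = (value, ts)
        if msg in IMPLIED_OS and "os" not in host:
            host["os"] = (IMPLIED_OS[msg], ts)
    return profiles


def av_policy_violations(profiles, now: str, max_age_days=MAX_AV_AGE_DAYS):
    """Windows hosts with no AV update seen inside the policy window (now as YYYY-MM-DD)."""
    cutoff = datetime.strptime(now, "%Y-%m-%d") - timedelta(days=max_age_days)
    violators = []
    for host, facts in sorted(profiles.items()):
        if not facts.get("os", ("unknown", None))[0].startswith("Windows"):
            continue                       # policy applies to Windows hosts only
        av = facts.get("av_update")
        if av is None or av[1] < cutoff:
            violators.append(host)
    return violators


# Constructed sample alerts; addresses match the packet slides.
SAMPLE_ALERTS = """\
07/21-09:15:02.118342  [**] [1:1000001:1] PHA - user-agent Symantec liveupdate [**] [Priority: 0] {TCP} 10.10.29.25:1694 -> 38.113.220.7:80
07/22-10:02:17.554210  [**] [1:1000002:1] PHA - Windows Update download KB896358 MS05-026 [**] [Priority: 0] {TCP} 10.11.19.24:1493 -> 207.46.249.25:80
07/22-10:05:40.001987  [**] [1:1000003:1] PHA - Windows Spyware Tool KB890830 [**] [Priority: 0] {TCP} 10.11.60.7:1078 -> 65.59.184.62:80
07/23-03:30:11.732004  [**] [1:1000004:1] PHA - RedHat Update Up2Date check-in [**] [Priority: 0] {TCP} 10.11.26.94:36102 -> 209.132.176.221:80
07/28-14:47:09.220551  [**] [1:1000005:1] PHA - IIS 5.1 running on Windows XP [**] [Priority: 0] {TCP} 10.11.60.7:80 -> 192.0.2.44:3121
07/29-08:00:00.000000  [**] [1:1000001:1] PHA - user-agent Symantec liveupdate [**] [Priority: 0] {TCP} 10.11.60.7:1102 -> 38.113.220.7:80
"""

if __name__ == "__main__":
    profiles = build_profiles(SAMPLE_ALERTS.splitlines())
    for host, facts in sorted(profiles.items()):
        print(host, {k: v[0] for k, v in facts.items()})
    print("AV policy violations:", av_policy_violations(profiles, "2005-07-30"))
```

With the sample alerts, 10.11.19.24 is flagged: it downloaded a Windows patch, so it is known to be Windows, but no AV update was ever seen from it. 10.10.29.25 is not flagged because nothing has established its OS yet, which is the "it requires a lot of data" downside in practice: a profile is only as complete as the traffic the host has generated, so a real deployment keeps the per-host facts in a database and lets them accumulate before acting on gaps.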
Thank You
Thank you for coming today
If you are interested in getting more information or volunteering to help out, you can email me at jives@passiveaudit.org
Updated scripts, rules, etc. will be available at http://www.passiveaudit.org