DMC ITSY 2430 - Intrusion Detection using Snort

Intrusion Detection using Snort
Session E6

Contact Information
- Matthew Hicks, CISSP, GCIA
- Senior Information Security Analyst
- Children's National Medical Center
- Washington, DC
- mhicks@cnmc.org

Responsibilities
- Intrusion Detection Analysis
- Security Investigations
- Maintain Security Perimeter (Firewall, IDS, VPN)
- Anything and everything else

Agenda
- Quick Survey
- Introduction to Intrusion Detection
- Snort Overview
- Using Snort
- Live Demo

A Quick Survey
- How many consider themselves Intrusion Analysts?
  - Training
  - Reviewing data packets on a regular basis
- Does anyone currently support an IDS?
  - Review of logs
  - Update signatures
  - Dedicated staff

Food for Thought
- You would be surprised at the number of organizations who have installed an IDS but do not monitor it
- Staff supporting the IDS are not trained as Intrusion Analysts
- Some organizations have installed an IDS but do not update it or add signatures
- The result is the organization claims the IDS is not working and will shut it off
- DO NOT LET THE IDS BECOME OBSOLETE AND SHELFWARE OR FLOORWARE

What do you think?
From www.infosecuritymag.com/articles/august01/cover.shtml:
"An IDS is like a Christmas puppy," says Pete Lindstrom, senior security analyst at Hurwitz Group. "At first it sounds like a great idea, but then once you get the thing, you are thinking, like, 'Oh my god, I have got to care for this, and it's a lot more work than I thought.'"

Introduction to Intrusion Detection

Intrusion Detection: Not just one Piece
- You must have the support staff
- Pieces: URL Filtering, IDS, Firewall, Email Filtering, Virus Scanning, Procedures and Policies, Audit and Monitoring
- The firewall stopped 3100 hits of the SQL Slammer worm on Jan 25th

Intrusion Analysis Tools
- Ethereal (www.ethereal.com): sniffs the network to show and capture traffic
- Windump or Tcpdump (windump.polito.it, www.tcpdump.org): dumps data packets based on a set of filters and parameters for future analysis
- Snort IDS (www.snort.org)

SQL Slammer worm: Real Life Story
- The SQL Slammer worm was released on Jan 24th
- The worm begins to swamp the internet, affecting one bank's ATM system and an online reservation system
- My firewall recorded 3100 hits in 5 hours
- My systems were not affected by this worm because I had configured the firewall against unauthorized traffic
- The SQL Server Resolution Service, which operates on UDP port 1434, provides a way for clients to query for the appropriate network endpoints to use for a particular SQL Server instance

Slammer Worm
- How to tell what is a bad packet or not
- How to tell if the IDS alert is a false positive or not
- The key here is Intrusion Analysis
- Capture and look at the data packet
- We will look at the example of the SQL Slammer Worm

SQL Slammer Worm
Packet trace (callouts on the slide point at the Kernel32.dll and Ws2_32.dll strings in the payload):

    02/04-14:46:04.168266 xxx.xxx.0.210:1115 -> xxx.xxx.72.29:1434
    UDP TTL:111 TOS:0x0 ID:16303 IpLen:20 DgmLen:404
    Len: 384
    0x0000: 00 04 9A D0 DA 24 00 30 94 CB 73 E1 08 00 45 00  .....$.0..s...E.
    0x0010: 01 94 3F AF 00 00 6F 11 63 FA 8E B0 00 D2 CF 10  ..?...o.c.......
    0x0020: 48 1D 04 5B 05 9A 01 80 8A 40 04 01 01 01 01 01  H..[.....@......
    0x0030: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
    0x0040: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
    0x0050: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
    0x0060: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
    0x0070: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
    0x0080: 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0 42 EB  ..............B.
    0x0090: 0E 01 01 01 01 01 01 01 70 AE 42 01 70 AE 42 90  ........p.B.p.B.
    0x00A0: 90 90 90 90 90 90 90 68 DC C9 B0 42 B8 01 01 01  .......h...B....
    0x00B0: 01 31 C9 B1 18 50 E2 FD 35 01 01 01 05 50 89 E5  .1...P..5....P..
    0x00C0: 51 68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E  Qh.dllhel32hkern
    0x00D0: 51 68 6F 75 6E 74 68 69 63 6B 43 68 47 65 74 54  QhounthickChGetT
    0x00E0: 66 B9 6C 6C 51 68 33 32 2E 64 68 77 73 32 5F 66  f.llQh32.dhws2_f
    0x00F0: B9 65 74 51 68 73 6F 63 6B 66 B9 74 6F 51 68 73  .etQhsockf.toQhs
    0x0100: 65 6E 64 BE 18 10 AE 42 8D 45 D4 50 FF 16 50 8D  end....B.E.P..P.

SQL Slammer Worm
- Causes SQL Server to stop responding by using a buffer overflow (see the 04 in the previous slide)
- Writes garbage data to the buffer (see the 01010101010101010101010 in the previous slide)
- Accesses kernel32.dll and ws2_32.dll (see previous slide)
- 100% memory resident: no files written to hard drive
- Remove infection by rebooting the server, but it is easily infected again if not patched
- Must load Win2K SP3 to protect against this worm; some SQL applications are not certified for SP3

SQL Slammer Worm
- Snort rule to detect the Slammer worm:

    alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send";)

- Your challenge is to find the above data following the content options in the previous packet trace
- We will discuss Snort rules shortly

What Is an IDS? Basic components
- Traditional software: Input -> Processing -> Output design
- IDS components: Collection (Input) -> Analysis (Processing) -> Reporting (Output)

IDS Data Flowchart
COLLECTION (1 to n sensors) -> ANALYSIS (1, 2, 3, 4 ... n) -> REPORTING

Overview of Snort

Snort Is...
- A lightweight Network Intrusion Detection System (NIDS)
  - Compact, efficient code
  - Light load on the system running it
  - Fast execution
- Flexible
  - Highly configurable
  - Broadly scalable
- Multi-platform (there are performance problems running under Windows)
- Most important of all: Free

More about Snort
- Winpcap- or Libpcap-based packet sniffing: a system-independent interface for packet capture. It provides a portable framework for low-level network monitoring in the form of include files and a library that can be linked against, as is done with the Tcpdump package
- Rules-based detection engine: completely user-programmable and configurable
- Plug-in based extensibility: pre-processor, detection and output plug-ins

Snort Data Flow
Packet Stream -> Sniffing -> Packet Decoder -> Pre-Processor Plug-Ins -> Detection Engine Plug-Ins -> Post-Processor / Output Stage Plug-Ins -> Alerts, Logs

Snort Packet Decoder
Packet from the network: Ethernet -> IP header -> Protocol -> worm (payload)

Snort Packet Decoder (2)
Packet from a tcpdump binary file: Ethernet -> IP header -> Protocol -> worm (payload)

Introduction to Snort …