Snort: A practical NIDS
Breno de Medeiros, Florida State University, Fall 2005

What is Snort
Snort is a packet logger/analyzer, which can be used to implement a NIDS. It can be used in four modes:
- Sniffer mode
- Packet Logger mode
- Network Intrusion Detection System (NIDS) mode
- Inline mode

Example: logging packets
The command
  snort -dev -l ./log -h 192.168.1.0/24
results in packets being logged.
- Flag -d tells Snort to log the data as well as the header portion of packets.
- Flag -v is verbose mode, causing Snort to display information on the screen.
- Flag -e tells Snort to log extended header information (e.g., data link layer headers).
- Flag -l indicates a location (directory) to use for logging purposes (the subdirectory log of the current directory in the above example).
- Flag -h indicates how to create subdirectories. Each packet will be stored in a log file with a name that matches either the source or the destination address in a datagram. By specifying the prefix 192.168.1.x, you indicate that you want the packets logged under the local host in the communication.

Using binary mode storage
- Alternatively, you can use the compact binary storage form to store packets:
  snort -l ./log -b
  This causes Snort to log all packets in binary form (tcpdump storage). No flags are needed, because the whole packet is stored.
- You can then read them back in playback mode, which is useful for experimenting with new rules:
  ./snort -dv -r packet.log
- You can also play back only packets of a particular type:
  ./snort -dvr packet.log icmp

NIDS mode
NIDS mode modifies Snort's basic behavior (i.e., log everything): Snort first applies a set of rules, taking the appropriate action when a packet matches a rule.
  snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf
results in Snort logging only packets that match the rules specified in snort.conf.
- Don't use -v or -e when running as a NIDS, for the sake of speed (otherwise Snort may lose packets).

Alerts in NIDS mode
- Using the flag -A adds alerting behavior to Snort.
- -A can be followed by the keywords full (default), fast, unsock, none, console, and cmg.
- To use syslog for remote logging of alerts, use the flag -s.
- Example:
  snort -b -A fast -c snort.conf

Inline Snort
- Obtains packets from iptables instead of libpcap and uses Snort rules to instruct iptables whether to drop or pass packets.
- In order for snort_inline to work properly, you must download and compile the iptables code to include "make install-devel." This installs the libipq library that allows snort_inline to interface with iptables. You must also build and install LibNet.
  http://www.iptables.org
  http://www.packetfactory.net

Running Snort inline
- The QUEUE target should be specified in iptables for interfacing with Snort:
  iptables -A OUTPUT -p tcp --dport 80 -j QUEUE
- Then run Snort inline:
  snort_inline -QDc ../etc/drop.conf -l /var/log/snort
- The flags mean:
  -Q: obtain input from the iptables QUEUE target
  -D: run in daemon mode (i.e., continuously in the background)
  -c: use the given configuration file
  -l: use the given log location (directory)

Snort configuration
- Snort configuration is highly customizable, in order to achieve high performance and full flexibility of use. For example:
  config checksum_mode: none, noip, notcp, noicmp, noudp, ip, tcp, udp, icmp, all
- An important feature of Snort is the use of pre-processors. For instance, the de-fragmentation pre-processor frag3 allows you to use different policies to reproduce the de-fragmentation behavior of various operating systems. Or you can define your own policy.
- Similarly, the stream4_reassemble pre-processor enables you to choose your policies for overlapping packets.

Detecting port scans
- sfPortscan pre-processor
- Detects NMAP-style port scans, as well as "decoy" and distributed port scans
- Can detect port sweeps as well as port scans
- Can be tuned for sensitivity/accuracy

Application layer pre-processors
- Telnet_decode
- RPC_decode
- HTTP_inspect
  - Apache profile
  - IIS profile
  - many customizable
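As an added worked example (not from the slides), the following Python parses the one-line alerts that Snort writes when run with -A fast, the output format selected on the Alerts slide, and pulls out what a first-pass triage wants: generator and rule ids, priority, protocol and endpoints, with sfPortscan hits separated from rule-engine hits so the port-scan slide's output can be counted on its own. The alert lines are constructed for this example; the exact fast-format layout and the use of generator id 122 to recognise sfPortscan output are assumptions about Snort 2.x alert files, not facts stated on the slides.

```python
"""Parse Snort 'fast' alerts (snort -A fast) and summarise them.

Constructed example, not from the slides: the alert lines below are made up
to match the one-line fast format Snort 2.x writes to its alert file
(assumption about the layout; verify against your own alert file).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Assumption: generator id 122 is the sfPortscan preprocessor, 1 is the rule engine.
PORTSCAN_GID = 122

# Constructed sample alerts: three rule-engine alerts, one sfPortscan alert,
# and one junk line that a robust parser must skip.
SAMPLE_ALERTS = """\
10/03-14:02:11.120345  [**] [1:1000001:1] ICMP echo to gateway [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.5 -> 192.168.1.1
10/03-14:02:12.004512  [**] [1:1000002:2] Web server probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.9:44321 -> 192.168.1.10:80
10/03-14:02:13.771002  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 10.0.0.9 -> 192.168.1.10
10/03-14:02:14.000000  [**] [1:1000002:2] Web server probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.9:44322 -> 192.168.1.10:8080
this line is not an alert and must be skipped
"""

# One fast-format alert per line; the Classification field is optional because
# preprocessor alerts (such as sfPortscan) omit it.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]

    @property
    def is_portscan(self) -> bool:
        return self.gid == PORTSCAN_GID


def split_endpoint(endpoint: str):
    """Split 'ip:port' into (ip, port). IPv4 only; the port is absent for
    ICMP and for portscan alerts, which name hosts rather than sockets."""
    ip, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return ip, int(port)
    return endpoint, None


def parse_alert(line: str) -> Optional[Alert]:
    """Return an Alert for one fast-format line, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = split_endpoint(m["src"])
    dst_ip, dst_port = split_endpoint(m["dst"])
    return Alert(
        timestamp=m["ts"], gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=m["cls"], priority=int(m["prio"]),
        proto=m["proto"], src_ip=src_ip, src_port=src_port,
        dst_ip=dst_ip, dst_port=dst_port,
    )


def parse_alerts(text: str) -> list:
    """Parse every line of an alert file, silently dropping non-alert lines."""
    return [a for a in (parse_alert(ln) for ln in text.splitlines()) if a is not None]


def summarise(alerts) -> dict:
    """Counts a first-line triage wants: per rule, per source, high-priority
    alerts (priority 1 or 2) and the hosts sfPortscan flagged as scanners."""
    return {
        "total": len(alerts),
        "by_sid": Counter(f"{a.gid}:{a.sid}" for a in alerts),
        "by_src": Counter(a.src_ip for a in alerts),
        "high_priority": sum(1 for a in alerts if a.priority <= 2),
        "portscan_sources": sorted({a.src_ip for a in alerts if a.is_portscan}),
    }


if __name__ == "__main__":
    summary = summarise(parse_alerts(SAMPLE_ALERTS))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

In practice the same functions are run over the alert file in the -l directory (or over lines received from the -s syslog destination); the split between rule-engine alerts and preprocessor alerts matters because sfPortscan output is tuned with its own sensitivity settings, as the port-scan slide notes, and should be reviewed separately from signature hits.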