SCU COEN 152 - Network Analysis and Intrusion Detection with Snort


COEN 252: Computer Forensics
Network Analysis and Intrusion Detection with Snort

Snort
- Freeware.
- Designed as a network sniffer.
- Useful for traffic analysis.
- Useful for intrusion detection.
- Warning: Snort has itself become a target of attackers. What is more fun for them than finding a vulnerability in security software?
- Snort is a good sniffer.
- Snort uses a detection engine based on rules.
- Packets that do not match any rule are discarded; otherwise, they are logged.
- Rule-matching packets can also trigger an alert.
- Forensic use: filter logs of large size quickly. Snort filters are very sophisticated.

Intrusion Detection Basics
- Intrusions have "signatures". Examples:
  - Directory traversal vulnerability: Solaris Sadmind/IIS worm (2001).
    - Allowed HTTP GET requests to change to the root directory with "../../".
    - Allowed copying cmd.exe into the Scripts directory.
    - Gained control, usually at admin level.
    - Footprint:
        GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\CMD.exe+root.exe
  - Code Red worm (2001): exploited a buffer overflow vulnerability in IIS 4.0 and 5.0.
    - Footprint:
        /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
- Most known attacks have an attack signature: a sequence of bytes that characterizes an attack packet almost for sure.
- An Intrusion Detection System can look for footprints, drop the packet, and raise an alert.
- IDS vs. Firewall:
  - A firewall needs to process all packets; its filtering capacity is limited by the need to deliver packets in a timely manner.
  - An IDS can take its time.
  - An IDS does not drop packets, but sends alerts and logs.
- An Intrusion Detection System can be deployed as:
  - Network IDS (behind the firewall and internal router).
  - Host-based IDS (at all hosts).
  - Distributed IDS (throughout the local network at strategic locations).

Snort: Architecture
- Components: Sniffer, Preprocessor, Detection Engine, Alert Logging.
- Snort Architecture (diagram slide; figure not reproduced).
- Packet Sniffer: taps into the network.
- Preprocessor: checks against plug-ins (RPC plug-in, port scanner plug-in, ...).
- Detection Engine: Snort is a signature-based IDS, implemented via rule sets. A rule consists of
  - a rule header: action to take, type of packet, source and destination IP address, ...
  - rule options: content of the packet that should make the packet match the rule.
- Snort Alerting: incoming "interesting packets" are sent to log files, and also to various add-ons:
  - SnortSnarf (diagnostics with HTML output)
  - SnortPlot (Perl script that plots attacks)
  - Swatch (provides email alerts)
  - ...
- Packet Decode Engine: uses the libpcap package. Packets are decoded for link-level protocols, then for higher protocols.
- Preprocessor Plug-ins: each preprocessor examines and manipulates packets, e.g. for alerts.
- Detection Engine: checks packets against the various options in the Snort rules files.
- Detection Plug-ins: allow additional examinations.
- Output Plug-ins.
- Packet view:
  1. NIC in promiscuous mode.
  2. Grab packets from the network card.
  3. Decode packets.
  4. Run through the various rule sets.
  5. Output logs and alerts.

Snort Rules: Example
- Rule header:
    alert tcp $EXTERNAL_NET any -> $HOME_NET 21
- Rule options:
    (msg:"ftp Exploit"; flow:to_server,established; content:"|31c031db 41c9b046 cd80 31c031db|"; reference:bugtraq,1387; classtype:attempted-admin; sid:344; rev:4;)

Snort Rules
- Rule header:
  - alert / log / pass / dynamic / activate: the action to take.
  - tcp: the protocol being used (also UDP / IP / ICMP).
  - $EXTERNAL_NET: the source IP; the default is any.
  - any: the source port, set to "any".
  - ->: direction of the conversation.
  - $HOME_NET: a variable that Snort will replace with
  - 21: the port to be monitored.
  - This header concerns all TCP packets coming from any port on the outside to port 21 on the inside.
- Rule options:
  - ( ): rule options are placed in parentheses.
  - msg:"ftp Exploit";
  - flow:to_server,established;
  - content:"|31c031db 41c9b046 cd80 31c031db|"; Snort will look whether the packet contains this byte string, the dangerous payload.
  - reference:bugtraq,1387; Snort allows links to third-party warnings.
  - classtype:attempted-admin; class types allow users to quickly scan for attack types.
  - sid:344; the Snort rule's unique identifier. Can be checked against www.snort.org/snort-db.
  - rev:4; all rules are part of a revision process to limit false positives and detect new attacks.
- Rule actions:
  - Activate: alert and then turn on another dynamic rule.
  - Dynamic: log the traffic when called by the above activation rule.
  - Pass: ignore the traffic.
  - Log: log the traffic, but do not alert.
- Protocols:
  - TCP: TCP protocol, for example SMTP, HTTP, FTP.
  - UDP: for example DNS traffic.
  - ICMP: for example ping, traceroute.
  - IP: for example IPSec, IGMP.
- Content: checked by the Boyer-Moore pattern matching algorithm.
- Flow: link to the detection plug-ins.

Using Snort
- Install with libpcap / WinPcap.
- Move config / rule files to the correct directory and alter them.
- Use Snort from the command line. Snort can be used to sniff or to decode.
- Sniffer mode, run-time switches:
    -v  verbose
    -d  dump packet payloads
    -x  dump entire packet in hex
    -a  display ARP packets (does not work on your version)
    -e  display link layer data
  Example: snort -dvae
- Packet logger mode: tell Snort to output packets to a log file. Command line options:
    -l  dump packets into log directory
    -b  log packets in binary (tcpdump) format
  Example: snort -b -l /temp/snort
- Binary log files are in tcpdump format. Can be read by Snort with the -r
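The two footprints from the Intrusion Detection Basics section, turned into a small signature check over constructed HTTP request lines. This is an added example and not code from the lecture; the regular expressions, signature names and sample request lines are my own construction, and the check covers only these two footprints.

```python
import re
from urllib.parse import unquote

# Added example (not from the lecture): signature checks for the two
# footprints discussed above, run over constructed HTTP request lines.

# IIS traversal: "../" (or "..\") somewhere before cmd.exe in the URL.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\).*cmd\.exe", re.IGNORECASE)
# Code Red: /default.ida? followed by a long run of N and the %u9090 bytes.
CODE_RED = re.compile(r"^/default\.ida\?N{100,}%u9090", re.IGNORECASE)

def classify(request_line):
    """Return the signature name a request line matches, or None."""
    parts = request_line.split(" ")
    if len(parts) != 3:          # malformed request line: method URL version
        return None
    url = parts[1]
    # Code Red is checked on the raw URL: %u escapes are not standard
    # percent-encoding, so unquote() would leave them untouched anyway.
    if CODE_RED.search(url):
        return "code-red-ida-overflow"
    # Percent-decode so that "..%2f.." is seen as "../" before matching.
    if TRAVERSAL.search(unquote(url)):
        return "iis-directory-traversal"
    return None

# Constructed sample request lines (not real traffic).
REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%2f..%2fwinnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /default.ida?" + "N" * 224 + "%u9090%u6858%ucbd3%u7801 HTTP/1.0",
    "GET /default.ida?NNNN HTTP/1.0",   # too short to be the overflow
]

def scan(lines):
    """Map the index of each matching line to its signature name."""
    return {i: sig for i, line in enumerate(lines) if (sig := classify(line))}

if __name__ == "__main__":
    for i, sig in scan(REQUESTS).items():
        print(f"line {i}: {sig}")
```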
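The rule from the Snort Rules: Example section, parsed into its header fields and options and then evaluated against constructed packets. This is an added example and not Snort's own parser; the $EXTERNAL_NET / $HOME_NET values, the packet dictionaries and their payloads are assumptions I constructed for the demonstration, and only the protocol, destination port and content options are actually enforced.

```python
# Added example (not Snort's own code): parse the lecture's FTP rule into
# header fields and options, decode the |hex| content, and evaluate it
# against constructed packets. flow, reference etc. are parsed but not checked.

VARS = {"$EXTERNAL_NET": "any", "$HOME_NET": "192.168.1.0/24"}  # assumed values

RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 21 '
        '(msg:"ftp Exploit"; flow:to_server,established; '
        'content:"|31c031db 41c9b046 cd80 31c031db|"; '
        'reference:bugtraq,1387; classtype:attempted-admin; sid:344; rev:4;)')

def parse_rule(text):
    """Return (header dict, list of (option, value) pairs) for one rule."""
    head, _, body = text.partition("(")
    action, proto, src, sport, direction, dst, dport = head.split()
    header = {"action": action, "proto": proto, "src": VARS.get(src, src),
              "sport": sport, "direction": direction,
              "dst": VARS.get(dst, dst), "dport": dport}
    options = []
    for raw in body.rstrip(")").split(";"):
        if raw.strip():
            key, _, val = raw.strip().partition(":")
            options.append((key.strip(), val.strip().strip('"')))
    return header, options

def content_bytes(value):
    """Decode a content value: text between | | is hex, the rest is literal."""
    return b"".join(bytes.fromhex(part) if i % 2 else part.encode()
                    for i, part in enumerate(value.split("|")))

def rule_matches(header, options, pkt):
    """Header check on protocol and destination port, then every content option."""
    if pkt["proto"] != header["proto"] or str(pkt["dport"]) != header["dport"]:
        return False
    needles = [content_bytes(v) for k, v in options if k == "content"]
    return all(n in pkt["payload"] for n in needles)

SHELLCODE = bytes.fromhex("31c031db41c9b046cd8031c031db")  # the rule's byte string
PACKETS = [  # constructed packets: protocol, destination port, payload
    {"proto": "tcp", "dport": 21, "payload": b"USER " + SHELLCODE + b"\r\n"},
    {"proto": "tcp", "dport": 21, "payload": b"USER anonymous\r\nPASS guest\r\n"},
    {"proto": "tcp", "dport": 80, "payload": b"GET /" + SHELLCODE + b" HTTP/1.0\r\n"},
]

def alerts(rule_text, packets):
    """Return one alert line per matching packet, as the 'alert' action would log."""
    header, options = parse_rule(rule_text)
    opt = dict(options)
    return [f"[{opt['sid']}:{opt['rev']}] {opt['msg']} -> {header['dst']}:{header['dport']}"
            for p in packets if rule_matches(header, options, p)]

if __name__ == "__main__":
    print("\n".join(alerts(RULE, PACKETS)))
```

Only the first packet fires: the second carries no shellcode bytes and the third goes to port 80, so the header check rejects it before the content match runs.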

