1. Snort & ACID: low cost, highly configurable IDS
   by Patrick Southcott [email_address]
2. Large topic, general outline:
   - What is snort?
   - Where does an IDS fit in the network?
   - Snort 2.0, Marty and Sourcefire
   - Snort system overview
     - config file
     - rules (custom & public)
   - ACID: open source, web-based, simple alert management.
   - PROs & CONs of snort as an IDS.
   - Building a snort sensor on Redhat 9.
3. What is Snort?
   Snort is an application which listens to network traffic and uses rules to determine whether it sees particular types of traffic. It listens to traffic, logs it and raises alerts on it. The system architecture consists of these main parts:
   - Sniffer
     - "promiscuous mode" NIC
   - Preprocessor
     - frag2, stream4, http_decode
   - Detection engine
     - using rules
   - Logging and alerting plugins
     - log mysql, alert smb
   Diagram: packets on the wire -> Snort detection process -> records in a SQL db
4. Snort in the larger picture
   - Snort "sensors" can be placed on any network device. Hubs work best.
   - Sensors may log to a central database over secure tunnels or private media.
   - Management console using ACID.
5. Network overview
   Diagram: Internet -> router/firewall -> DMZ (sensor, DMZ hosts) -> router/firewall -> private LAN (sensor); the sensors feed a separate IDS network with the management console.
6. IDS in perspective
   Management / Executive:
   - Low TCO (end-to-end, openness)
   - Wants reports which show ROE
   System Admin:
   - Configures and runs everything: routers, firewalls, servers.
   - Endless game to keep "up-to-date".
   - Wants to be a "user" of the IDS
   - High quality data
   - Auto-response to new vulnerabilities.
   Network Admin / Analyst:
   - Maintains network
   - Event correlation
   - Broad -> specific
   - Tune rules
7. Marty Roesch and Sourcefire
   - Created snort in 1998.
   - Sourcefire sells IDS boxes which they install, configure and support. Different security needs may involve specific tuning to the customer's network.
   - Sourcefire is the major commercial supporter of snort.
   - Gigabit speeds with multiprocessors and Linux
     - same kernel, custom drivers, minimal footprint
8. Snort usage
   - Run on console:
       $ ./snort -c snort.conf -l /home/snort/snort_spool/
   - Run as daemon:
       $ ./snort -D -c snort.conf -l /home/snort/snort_spool/
     or, in the snort config file:
       config daemon
   Shell output from snort init.:
       $ ./snort -l /home/snort/snort_spool/
       Running in packet logging mode
       Log directory = /snort/snort_spool/
       Initializing Network Interface eth0
       --== Initializing Snort ==--
       Initializing Output Plugins!
       Decoding Ethernet on interface eth0
       --== Initialization Complete ==--
       -*> Snort! <*-
       Version 2.0.0rc4 (Build 70)
       By Martin Roesch (,
9. Snort console output
       ================================================================
       Snort analyzed 4 out of 4 packets, dropping 0(0.000%) packets
       Breakdown by protocol:                Action Stats:
           TCP: 4          (100.000%)        ALERTS: 0
           UDP: 0          (0.000%)          LOGGED: 4
          ICMP: 0          (0.000%)          PASSED: 0
           ARP: 0          (0.000%)
         EAPOL: 0          (0.000%)
          IPv6: 0          (0.000%)
           IPX: 0          (0.000%)
         OTHER: 0          (0.000%)
       DISCARD: 0          (0.000%)
       ================================================================
       Wireless Stats:
       Breakdown by type:
           Management Packets: 0          (0.000%)
           Control Packets:    0          (0.000%)
           Data Packets:       0          (0.000%)
       ================================================================
       Fragmentation Stats:
       Fragmented IP Packets: 0          (0.000%)
           Fragment Trackers: 0
          Rebuilt IP Packets: 0
          Frag elements used: 0
       Discarded(incomplete): 0
          Discarded(timeout): 0
         Frag2 memory faults: 0
       ...
10. Snort configuration file
    Each bullet is a line in the config file. Variables are used in the files with the snort rules.
    Variables:
    - var HOME_NET
    - var EXTERNAL_NET
    - var FOO_SERVERS
    Configuration:
    - config interface: eth0
    - config set_uid: snort
    - config dump_payload
    - config daemon
    Preprocessors:
    - preprocessor frag2
    - preprocessor stream4
    - preprocessor portscan2
    Output (SQL database):
    - output database: log, mysql, user=snort password=foobar dbname=snort host=localhost
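As an added example (not Snort's own code), the following Python reads the four directive kinds on this slide into a structure and expands $VARIABLE references the way the rule files use them. The sample config and every value in it are constructed for the example. The credential check is there because the output database line carries the database password in clear, which is why the config file's ownership and permissions (and the set_uid user) matter.

```python
"""Minimal parser for the snort.conf directives on the slide.

Added example, not Snort's parser. Handles var, config, preprocessor and
output lines, expands $NAME references from earlier var lines, and lists
credentials that appear in output plugin arguments.
"""
import re
from dataclasses import dataclass, field

# constructed sample snort.conf (not a real deployment)
SAMPLE_CONF = """\
# constructed sample
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var FOO_SERVERS $HOME_NET
config interface: eth0
config set_uid: snort
config dump_payload
config daemon
preprocessor frag2
preprocessor stream4
preprocessor portscan2
output database: log, mysql, user=snort password=foobar dbname=snort host=localhost
"""

VAR_REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


@dataclass
class SnortConf:
    variables: dict = field(default_factory=dict)
    config: dict = field(default_factory=dict)        # name -> argument ('' if none)
    preprocessors: list = field(default_factory=list)
    outputs: list = field(default_factory=list)       # (plugin, argument string)


def expand(value, variables):
    """Replace every $NAME with its definition; an undefined name is an error."""
    def sub(m):
        name = m.group(1)
        if name not in variables:
            raise KeyError(f"undefined variable ${name}")
        return variables[name]
    return VAR_REF.sub(sub, value)


def parse_conf(text):
    conf = SnortConf()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        keyword, _, rest = line.partition(" ")
        rest = rest.strip()
        if keyword == "var":
            name, _, value = rest.partition(" ")
            # a var may reference variables defined earlier in the file
            conf.variables[name] = expand(value.strip(), conf.variables)
        elif keyword == "config":
            name, _, arg = rest.partition(":")    # 'config daemon' has no argument
            conf.config[name.strip()] = arg.strip()
        elif keyword == "preprocessor":
            conf.preprocessors.append(rest)
        elif keyword == "output":
            plugin, _, arg = rest.partition(":")
            conf.outputs.append((plugin.strip(), arg.strip()))
        else:
            raise ValueError(f"line {lineno}: unknown directive {keyword!r}")
    return conf


def output_credentials(conf):
    """(user, password) pairs embedded in output lines: the config file holds
    the database password in clear, so it must be readable by the snort user only."""
    creds = []
    for _plugin, arg in conf.outputs:
        kv = dict(re.findall(r"(\w+)=(\S+)", arg))
        if "password" in kv:
            creds.append((kv.get("user"), kv["password"]))
    return creds
```

expand() is what lets a rule header such as `$EXTERNAL_NET any -> $HOME_NET 23` be resolved against the var lines, and parse_conf() rejects a directive it does not know rather than silently ignoring it.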
11. Snort preprocessors
    - frag2 preprocessor
      - snort.conf: "preprocessor frag2"
      - Packet fragmentation can lead to the IDS missing packets or seeing different ones than the host receives. This preprocessor reassembles fragmented packets before detection.
    - The stream4 preprocessor
      - Lets snort keep track of TCP sessions ("stateful").
      - Detection of "stealth" scans from software like nmap.
    - portscan and portscan2 preprocessors
      - Detection of a single host accessing many ports.
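To show why frag2 sits in front of the detection engine, here is an added example (not Snort's frag2 code) in which a content signature straddles a fragment boundary: matching each fragment on its own misses it, and matching the reassembled datagram finds it. Fragments are modelled as (offset, payload, more_fragments) tuples, all constructed for the example; reassemble() returns the datagram only when the fragments cover it without gaps, the condition whose failure Snort reports as "Discarded(incomplete)".

```python
"""Fragment reassembly before content matching (the job of frag2).

Added example, not Snort's frag2. Fragments are (offset, payload, more)
tuples; the sample fragments are constructed for this example.
"""

SIGNATURE = b"cmd.exe"   # the content matched by the sid 1002 rule on the slides

# constructed: one HTTP request line split across three fragments so that
# the signature crosses a boundary
FRAGS = [
    (0, b"GET /cgi-", True),
    (9, b"bin/cm", True),
    (15, b"d.exe HTTP/1.0\r\n", False),
]


def reassemble(frags):
    """Return the complete payload, or None if a hole remains or the last fragment is missing."""
    buf = bytearray()
    expected = 0
    for offset, data, more in sorted(frags, key=lambda f: f[0]):
        if offset > expected:
            return None                      # gap: datagram incomplete
        if offset < expected:
            # overlap: keep the bytes already buffered. Real reassemblers pick
            # one of several overlap policies; this is the simplest one.
            data = data[expected - offset:]
        buf += data
        expected += len(data)
        if not more:
            return bytes(buf)                # final fragment seen
    return None                              # final fragment never arrived


def matches_per_fragment(frags, sig=SIGNATURE):
    """Naive matching: inspect each fragment on its own (what happens without frag2)."""
    return any(sig in data for _, data, _ in frags)


def matches_reassembled(frags, sig=SIGNATURE):
    """What the detection engine sees after the preprocessor has reassembled the datagram."""
    payload = reassemble(frags)
    return payload is not None and sig in payload
```

Out-of-order arrival is handled by sorting on offset, and an incomplete datagram yields None rather than a partial buffer, so a rule is never matched against bytes the host itself would never have accepted.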
12. Snort rules
    snort.conf:
        . . .
        include $RULE_PATH/local.rules
    local.rules (rules to log all tcp, udp and icmp traffic):
        activate tcp any any -> any 23 (activates: 23; msg:"Potential Telnet Login Credentials Logged";)
        dynamic tcp any any -> any 23 (activated_by: 23; count:20;)
        log tcp any any -> any any (msg: "tcp traffic";)
        log udp any any -> any any (msg: "udp traffic";)
        log icmp any any -> any any (msg: "icmp traffic";)
13. Snort rules
    Rule syntax:
        # action = pass, log, alert, dynamic, activate
        # protocol = icmp, tcp, ip, udp
        action protocol source -> destination ( optional_rule_body )
    web-iis.rules:
        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:5;)
        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; classtype:web-application-attack; reference:url,; sid:1256; rev:7;)
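The rule syntax above, worked through in an added example (not Snort's rule parser): it validates the header against the action and protocol lists on the slide, expands $VARIABLES from a small table (constructed here; in a real sensor they come from the var lines of snort.conf), splits the option body while respecting quoted values, and checks that every dynamic rule's activated_by refers to the activates value of some activate rule, since an orphaned dynamic rule never fires. The sample rules are the ones from the two rules slides.

```python
"""Parser for the Snort 2.0 rule syntax on the slides:

    action protocol source sport -> destination dport ( optional_rule_body )

Added example, not Snort's own parser. Variable values are constructed.
"""
import re

ACTIONS = {"pass", "log", "alert", "dynamic", "activate"}
PROTOCOLS = {"icmp", "tcp", "ip", "udp"}

# constructed variable table standing in for the 'var' lines of snort.conf
VARS = {"EXTERNAL_NET": "any", "HTTP_SERVERS": "192.168.1.10", "HTTP_PORTS": "80"}

HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$"
)

# rules taken from the slides (web-iis.rules and local.rules)
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; '
    'flow:to_server,established; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:5;)',
    'activate tcp any any -> any 23 (activates: 23; msg:"Potential Telnet Login Credentials Logged";)',
    'dynamic tcp any any -> any 23 (activated_by: 23; count:20;)',
    'log icmp any any -> any any (msg: "icmp traffic";)',
]


def expand(text, variables=VARS):
    """Replace $NAME with its value; an undefined name raises KeyError."""
    return re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], text)


def split_options(body):
    """Turn 'k:v; k2; ...' into [(key, value)]; value is None for flag options like nocase."""
    opts, cur, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted              # a ';' inside quotes does not end an option
        if ch == ";" and not quoted:
            token = "".join(cur).strip()
            cur = []
            if token:
                key, sep, value = token.partition(":")
                opts.append((key.strip(), value.strip().strip('"') if sep else None))
        else:
            cur.append(ch)
    if "".join(cur).strip():
        raise ValueError("every option must end with ';'")
    return opts


def parse_rule(line):
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError(f"malformed rule header: {line!r}")
    if m["action"] not in ACTIONS:
        raise ValueError(f"unknown action {m['action']!r}")
    if m["proto"] not in PROTOCOLS:
        raise ValueError(f"unknown protocol {m['proto']!r}")
    rule = {"action": m["action"], "proto": m["proto"], "dir": m["dir"]}
    for part in ("src", "sport", "dst", "dport"):
        rule[part] = expand(m[part])
    rule["options"] = split_options(m["body"])
    return rule


def option(rule, key):
    """Value of the first option named key, or None when absent or a bare flag."""
    return next((v for k, v in rule["options"] if k == key), None)


def check_activation_links(rules):
    """Dynamic rules whose activated_by matches no activate rule; such rules never fire."""
    activators = {option(r, "activates") for r in rules if r["action"] == "activate"}
    return [r for r in rules if r["action"] == "dynamic"
            and option(r, "activated_by") not in activators]
```

Running check_activation_links() over a whole rules directory after an edit is a cheap sanity check for the activate/dynamic pairs shown in local.rules.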
14. Snort rules
    Default rules for known bad packets:
    - attack-responses.rules
    - backdoor.rules
    - bad-traffic.rules
    - chat.rules
    - ddos.rules
    - deleted.rules
    - DMZ.rules
    - dns.rules
    - dos.rules
    - experimental.rules
    - exploit.rules
    - finger.rules
    - ftp.rules
    - icmp-info.rules
    - icmp.rules
    - imap.rules
    - info.rules
    - local.rules
    - misc.rules
    - multimedia.rules
    - mysql.rules
    - netbios.rules
    - nntp.rules
    - oracle.rules
    - other-ids.rules
    - p2p.rules
    - policy.rules
    - pop2.rules
    - pop3.rules
    - porn.rules
    - rpc.rules
    - rservices.rules
    - scan.rules
    - shellcode.rules
    - smtp.rules
    - snmp.rules
    - sql.rules
    - telnet.rules
    - tftp.rules
    - virus.rules
    - web-attacks.rules
    - web-cgi.rules
    - web-client.rules
    - web-coldfusion.rules
    - web-frontpage.rules
    - web-iis.rules
    - web-misc.rules
    - web-php.rules
    - x11.rules
15. ACID to manage alerts
    - Sort and display alerts based on IP, port, date, unique alerts.
    - Search alerts
    - Display layer 3 and 4 packet data
    - Graphs and statistics for alert frequency.
    - Alert grouping, archiving, managing
16. Connecting mysql with stunnel
    - Generate foo.pem for the tunnel:
        openssl req -new -out stunnel.pem -keyout stunnel.pem -nodes -x509 -days 365
    - stunnel 4 with config (stunnel.conf):
        Cert = /foobar/stunnel.pem
        [mysqls]
        accept = 3307
        connect = 3306
    - stunnel 3.22 from the shell prompt:
        #!/bin/sh
        /usr/local/sbin/stunnel -c -d 3306 -r
17. Snort IDS: PROs and CONs
    PROs:
    - Powerful, specific rules to match packets.
    - No backdoors
    - Weaknesses quickly found & published.
    - Rules actively published for detection of new worms etc.
    - Open source software developers know code will be checked. Fewer hacks.
    CONs:
    - Snort/ACID is only part of a secure network.
    - Does not record the success or failure of a detected intrusion.
    - Does nothing to stop an intrusion in progress.
    - False sense of security.
18. Installing snort on RedHat 9
19. IDS component overview
    - Open Source Network Intrusion Detection System (Snort)
      - snort-2.0.0rc4.tar.gz
      - mysql-4.0.12.tar.gz
    - Analysis Console for Intrusion Databases (ACID)
      - apache_1.3.27.tar.gz
      - php-4.3.1.tar.gz
      - acid-0.9.6b23.tar.gz
20. Apache & php setup
    - Apache:
        ./configure --prefix=/home/apache/apache_prefix/ --activate-module=src/modules/php4/libphp4.a
        make && make install
    - PHP:
        ./configure --prefix=/home/apache/php_prefix --with-mysql --enable-bcmath --with-gd --enable-sockets --with-zlib-dir=/home/apache/php-4.3.1/zlib-1.1.4/ --with-apache=../apache_1.3.27
    - PHP needs graphics libs:
      - zlib-1.1.4, libpng-1.2.5, gd-1.8.4, phplot-4.4.6
21. Snort system setup
    - mysql-4.0.12
    - Snort:
        ./configure --prefix=/home/snort/snort_prefix --enable-smbalerts --with-mysql
        make && make check && make install
    - Webmin
      - snort-1.0.wbm
22. Create snort database & tables
        echo "CREATE DATABASE snort;" | mysql -u root -p
        grant INSERT,SELECT on snort.* to [email_address];
        mysql -D snort -u root -p < ./contrib/create_mysql
23. Snort config setup
    - output database: log, mysql, user=snortusr password=foobar dbname=snort host=localhost
    - Modify alert rules to personal taste
24. ACID setup
    - In www_root:
        tar zxfp acid-0.9.6b23.tar.gz
        mv acid /var/www/html
    - Edit acid/acid_conf.php:
        $DBlib_path = "/var/www/html/adodb";
        $alert_dbname = "snort";