Snort - capturing and dissecting network traffic

Transcript

  • 1. Snort - capturing and dissecting network traffic. Ulisses Araújo Costa, ulisses@lsd.di.uminho.pt, 25 March 2009.
  • 2. Outline: 1 NIDS, 2 Snort, 3 Objective, 4 tshark, Statistics
  • 3. NIDS - Network Intrusion Detection System. A network intrusion detection system tries to detect malicious activity (DoS and DDoS attacks, port scans, cracking attempts).
  • 4. How it works. It analyses every packet and tries to find suspicious patterns. Example - port scanners: if a large number of TCP connection requests to a large number of different ports arrives in a short period of time, the NIDS concludes that we may be the target of a port scan.
  • 5. Outline: 1 NIDS, 2 Snort, 3 Objective, 4 tshark, Statistics
  • 6. Definition. "SNORT is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. With millions of downloads to date, Snort is the most widely deployed intrusion detection and prevention technology worldwide and has become the de facto standard for the industry." Passive mode. Active mode = firewall.
  • 7. Approach. Use Snort in passive mode to capture all the traffic it can see.
    root@pig:# snort -u snort -g snort -D -d -l /var/log/snort -c /etc/snort/snort.debian.conf -S -i eth0
    The log is written in binary (tcpdump format).
  • 8. Outline: 1 NIDS, 2 Snort, 3 Objective, 4 tshark, Statistics
  • 9. Once we have the file... Implement filters according to given rules. Aggregate packets according to rules (where Snort does not reach).
  • 10. Problem - parsing. Parse the tcpdump-format log.
  • 11. Example - SSH packet
  • 12. Implementation in Haskell
    -- Wrap the raw bytes of one captured frame in the parser's input packet type
    getPacket :: [Word8] -> InPacket
    getPacket bytes = toInPack $ listArray (0, Prelude.length bytes - 1) bytes

    -- Ethernet | IP | TCP | X: parse the frame down to the TCP layer (NE, NI4 and NT are
    -- the Ethernet, IPv4 and TCP packet modules); whatever follows stays an unparsed InPacket
    getPacketTCP :: [Word8] -> Maybe (NE.Packet (NI4.Packet (NT.Packet InPacket)))
    getPacketTCP bytes = doParse $ getPacket bytes
    Problem: there are no parsers written for the application layer :S
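The tcpdump-format parsing problem from slides 10 and 12, as an added Python example that is not part of the original presentation: it walks the libpcap file Snort writes, dissects the Ethernet/IPv4/TCP headers and emits the (relative time, src, dst, tcp.len) tuples that slide 16 obtains from tshark. The sample capture is constructed inline and the function names are my own.

```python
import struct

def _frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame for the sample capture (checksums left at 0)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dst/src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def sample_capture():
    """Little-endian libpcap file (what Snort writes in binary mode) with three
    constructed frames: an SSH client segment, the server reply and a bare ACK."""
    frames = [(551.751252, _frame("193.136.19.96", "192.168.74.242", 51919, 22, b"A" * 48)),
              (551.751377, _frame("192.168.74.242", "193.136.19.96", 22, 51919, b"B" * 144)),
              (551.751500, _frame("193.136.19.96", "192.168.74.242", 51919, 22, b""))]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    for t, f in frames:
        out += struct.pack("<IIII", int(t), int(round((t % 1) * 1e6)), len(f), len(f)) + f
    return out

def tcp_records(data):
    """Walk a libpcap file and return (relative time, src, dst, tcp.len) for every TCP
    segment that carries data: the same 4-tuple slide 16 extracts with tshark."""
    magic, = struct.unpack("<I", data[:4])
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[magic]        # KeyError: not a libpcap file
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled")
    off, t0, out = 24, None, []
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        pkt, off = data[off + 16:off + 16 + incl], off + 16 + incl
        t = sec + usec / 1e6
        t0 = t if t0 is None else t0
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue                                        # not IPv4, or not TCP
        ihl, total = (pkt[14] & 0x0F) * 4, struct.unpack("!H", pkt[16:18])[0]
        tcp = pkt[14 + ihl:14 + total]                      # drop Ethernet trailer/padding
        if len(tcp) < 20:
            continue                                        # truncated segment
        tcp_len = len(tcp) - (tcp[12] >> 4) * 4             # payload = segment - header
        if tcp_len > 0:
            src = ".".join(map(str, pkt[26:30]))
            dst = ".".join(map(str, pkt[30:34]))
            out.append((round(t - t0, 6), src, dst, tcp_len))
    return out
```

The bare ACK (third frame) is dropped exactly as tshark's "tcp.len>0" filter drops it, and relative times are measured from the first frame in the file.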
  • 13. Outline: 1 NIDS, 2 Snort, 3 Objective, 4 tshark, Statistics
  • 14. Examples. Show all communication with the IP 192.168.74.242:
    root@pig:# tshark -R "ip.addr == 192.168.74.242" -r snort.log
    ...
    7750 6079.816123 193.136.19.96 -> 192.168.74.242 SSHv2 Client: Key Exchange Init
    7751 6079.816151 192.168.74.242 -> 193.136.19.96 TCP ssh > 51919 [ACK] Seq=37 Ack=825 Win=7424 Len=0 TSV=131877388 TSER=1789588
    7752 6079.816528 192.168.74.242 -> 193.136.19.96 SSHv2 Server: Key Exchange Init
    7753 6079.817450 193.136.19.96 -> 192.168.74.242 TCP 51919 > ssh [ACK] Seq=825 Ack=741 Win=7264 Len=0 TSV=1789588 TSER=131877389
    7754 6079.817649 193.136.19.96 -> 192.168.74.242 SSHv2 Client: Diffie-Hellman GEX Request
    7755 6079.820784 192.168.74.242 -> 193.136.19.96 SSHv2 Server: Diffie-Hellman Key Exchange Reply
    7756 6079.829495 193.136.19.96 -> 192.168.74.242 SSHv2 Client: Diffie-Hellman GEX Init
    7757 6079.857490 192.168.74.242 -> 193.136.19.96 SSHv2 Server: Diffie-Hellman GEX Reply
    7758 6079.884000 193.136.19.96 -> 192.168.74.242 SSHv2 Client: New Keys
    7759 6079.922576 192.168.74.242 -> 193.136.19.96 TCP ssh > 51919 [ACK] Seq=1613 Ack=1009 Win=8960 Len=0 TSV=131877415 TSER=1789605
    ...
  • 15. Examples. Show a triple (time, HTTP status code, HTTP content length), separated by ',' and quoted:
    root@pig:# tshark -r snort.log -R http.response -T fields -E header=y -E separator=',' -E quote=d -e frame.time_relative -e http.response.code -e http.content_length
    ...
    "128.341166000","200","165504"
    "128.580181000","200","75332"
    "128.711618000","200","1202"
    "149.575548000","206","1"
    "149.719938000","304",
    "149.882290000","404","338"
    "150.026474000","404","341"
    "150.026686000","404","342"
    "150.170295000","304",
    "150.313576000","304",
    "150.456650000","304",
    ...
  • 16. Examples. Show a 4-tuple (time, source IP, destination IP, TCP segment length):
    root@pig:# tshark -r snort.log -R "tcp.len>0" -T fields -e frame.time_relative -e ip.src -e ip.dst -e tcp.len
    ...
    551.751252000  193.136.19.96   192.168.74.242  48
    551.751377000  192.168.74.242  193.136.19.96   144
    551.961545000  193.136.19.96   192.168.74.242  48
    551.961715000  192.168.74.242  193.136.19.96   208
    552.682260000  193.136.19.96   192.168.74.242  48
    552.683955000  192.168.74.242  193.136.19.96   1448
    552.683961000  192.168.74.242  193.136.19.96   1448
    552.683967000  192.168.74.242  193.136.19.96   512
    555.156301000  193.136.19.96   192.168.74.242  48
    555.158474000  192.168.74.242  193.136.19.96   1448
    555.158481000  192.168.74.242  193.136.19.96   1400
    556.021205000  193.136.19.96   192.168.74.242  48
    556.021405000  192.168.74.242  193.136.19.96   160
    558.874202000  193.136.19.96   192.168.74.242  48
    558.876027000  192.168.74.242  193.136.19.96   1448
    ...
  • 17. Examples. Show a triple (source IP, destination IP, destination port):
    root@pig:# tshark -r snort.log -Tfields -e ip.src -e ip.dst -e tcp.dstport
    ...
    192.168.74.242  193.136.19.96   37602
    192.168.74.242  193.136.19.96   37602
    193.136.19.96   192.168.74.242  22
    192.168.74.242  193.136.19.96   37602
    193.136.19.96   192.168.74.242  22
    193.136.19.96   192.168.74.242  22
    192.168.74.242  193.136.19.96   37602
    192.168.74.242  193.136.19.96   37602
    192.168.74.242  193.136.19.96   37602
    193.136.19.96   192.168.74.242  22
    193.136.19.96   192.168.74.242  22
    193.136.19.96   192.168.74.242  22
    193.136.19.96   192.168.74.242  22
    192.168.74.242  193.136.19.96   37602
    192.168.74.242  193.136.19.96   37602
    ...
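The port-scan heuristic of slide 4 applied to tshark field output like slide 17's (this is the "aggregation of packets according to rules" of slide 9), as an added Python example that is not part of the original presentation. It assumes the field list of slide 17 extended with frame.time_relative, as slide 16 does; the sample lines and the 10.0.0.7 scanner are constructed, and the function name is my own.

```python
from collections import defaultdict, deque

# Constructed sample in the layout that
#   tshark -r snort.log -T fields -e frame.time_relative -e ip.src -e ip.dst -e tcp.dstport
# prints (tab-separated; tcp.dstport is empty for non-TCP frames such as DNS).
SAMPLE = [
    "10.000001\t192.168.74.242\t193.136.19.96\t37602",
    "10.000200\t193.136.19.96\t192.168.74.242\t22",
    "11.000000\t192.168.74.242\t192.168.74.1\t",            # UDP/DNS frame: no TCP port
    "11.500000\t192.168.74.242\t193.136.19.96\t37602",
] + [  # one constructed host probing ports 20..34 of the server, 1 ms apart
    "%.6f\t10.0.0.7\t192.168.74.242\t%d" % (12.1 + i * 0.001, 20 + i) for i in range(15)
]

def port_scan_alerts(lines, window=5.0, threshold=10):
    """Slide 4's heuristic: alert once when one source reaches `threshold` distinct
    destination ports on one host within `window` seconds.
    Returns (src, dst, distinct ports seen, time of the triggering frame)."""
    recent = defaultdict(deque)      # (src, dst) -> (time, port) pairs inside the window
    alerts, alerted = [], set()
    for line in lines:
        fields = line.split("\t")
        if len(fields) != 4 or not fields[3]:
            continue                 # malformed line or frame without a TCP port
        t, src, dst, port = float(fields[0]), fields[1], fields[2], int(fields[3])
        q = recent[(src, dst)]
        q.append((t, port))
        while q and t - q[0][0] > window:
            q.popleft()              # expire entries older than the window
        ports = {p for _, p in q}
        if len(ports) >= threshold and (src, dst) not in alerted:
            alerted.add((src, dst))  # report each scanner/target pair once
            alerts.append((src, dst, len(ports), t))
    return alerts
```

As with Snort's own portscan detection, the window and threshold trade sensitivity against false positives from legitimate bursts (a monitoring host polling many services, for instance) and should be tuned per network.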
  • 18. Outline: 1 NIDS, 2 Snort, 3 Objective, 4 tshark, Statistics
  • 19. Statistics. Protocol hierarchy:
    root@pig:# tshark -r snort.log -q -z io,phs
    frame             frames:7780 bytes:1111485
    eth               frames:7780 bytes:1111485
    ip                frames:3992 bytes:848025
    tcp               frames:3908 bytes:830990
    ssh               frames:2153 bytes:456686
    http              frames:55 bytes:19029
    http              frames:5 bytes:3559
    http              frames:3 bytes:2781
    http              frames:2 bytes:2234
    http              frames:2 bytes:2234
    data-text-lines   frames:10 bytes:5356
    tcp.segments      frames:3 bytes:1117
    http              frames:3 bytes:1117
    media             frames:3 bytes:1117
    udp               frames:84 bytes:17035
    nbdgm             frames:50 bytes:12525
    smb               frames:50 bytes:12525
    mailslot          frames:50 bytes:12525
    browser           frames:50 bytes:12525
    dns               frames:34 bytes:4510
    llc               frames:3142 bytes:224934
    stp               frames:3040 bytes:182400
    cdp               frames:102 bytes:42534
    loop              frames:608 bytes:36480
    data              frames:608 bytes:36480
    arp               frames:38 bytes:2046
  • 20. Statistics - Conversations. Usage: -z conv,<type>,<filter>. The type can be one of: eth,tr,fc,fddi,ip,ipx,tcp,udp. The filter restricts which packets the statistics cover.
    root@pig:# tshark -r snort.log -q -z conv,ip,tcp.port==80
    ================================================================================
    IPv4 Conversations
    Filter: tcp.port==80
                                      |      <-       ||      ->       ||     Total     |
                                      | Frames  Bytes || Frames  Bytes || Frames  Bytes |
    193.136.19.148 <-> 192.168.74.242     141   13091     202  259651     343  272742
    192.168.74.242 <-> 128.31.0.36         22    6858      28    4784      50   11642
    ================================================================================
  • 21. Statistics - IO. Usage: -z io,stat,<interval>,<filter>,...,<filter>
    root@pig:# tshark -r snort.log -q -z io,stat,300,'not (tcp.port=22)'
    ===================================================================
    IO Statistics
    Interval: 300.000 secs
    Column #0:
                      | Column #0
    Time              | frames | bytes
    000.000-300.000      2161    543979
    300.000-600.000      1671    264877
    600.000-900.000       508     46224
    900.000-1200.000      185     12885
    1200.000-1500.000     201     14607
    1500.000-1800.000     187     13386
    1800.000-2100.000     189     13887
    2100.000-2400.000     187     13386
    2400.000-2700.000     189     13887
    2700.000-3000.000     187     13386
    3000.000-3300.000     185     12885
    3300.000-3600.000     189     13887
    3600.000-3900.000     210     15546
    3900.000-4200.000     189     13887
    4200.000-4500.000     187     13386
    4500.000-4800.000     185     12885
    4800.000-5100.000     189     13887
    ===================================================================
  • 22. The end?