1. Snort - capturar e dissecar o tr´fego de rede
a
Ulisses Ara´jo Costa
u
ulisses@lsd.di.uminho.pt
25 Mar¸o, 2009
c
Ulisses Ara´jo Costa
u Snort - capturar e dissecar o tr´fego de rede
a

2. Sum´rio
a
1 NIDS
2 Snort
3 Objectivo
4 tshark
Estat´
ısticas
Ulisses Ara´jo Costa
u Snort - capturar e dissecar o tr´fego de rede
a

3. NIDS - Network Intrusion Detection System
Sistema de detec¸˜o de intrus˜o de rede
ca a
Tenta detectar actividade maliciosa (ataques DoS, DDos, port
scans, tentativas de cracking )
Ulisses Ara´jo Costa
u Snort - capturar e dissecar o tr´fego de rede
a

4. Como funciona
An´lise de todos os pacotes
a
Tenta encontrar padr˜es suspeitos
o
Exemplo - port scanners
Se um grande n´mero de pedidos de conec¸˜es TCP para um
u co
grande n´mero de portas diferentes num curto espa¸o de tempo
u c
ent˜o o NIDS conclu´ que podemos estar a ser alvo de um scan de
a ı
portos.
Ulisses Ara´jo Costa
u Snort - capturar e dissecar o tr´fego de rede
a

5. Sum´rio
a
1 NIDS
2 Snort
3 Objectivo
4 tshark
Estat´
ısticas
Ulisses Ara´jo Costa
u Snort - capturar e dissecar o tr´fego de rede
a

6. Defini¸˜o
ca
SNORT is an open source network intrusion prevention
and detection system utilizing a rule-driven language,
which combines the benefits of signature, protocol and
anomaly based inspection methods. With millions of
downloads to date, Snort is the most widely deployed
intrusion detection and prevention technology worldwide
and has become the de facto standard for the industry.
Modo passivo
Modo activo = firewall
Ulisses Ara´jo Costa
u Snort - capturar e dissecar o tr´fego de rede
a

7. Abordagem
Usar o Snort para capturar todo o tr´fego que conseguir em modo
a
passivo.
root@pig:# snort -u snort -g snort -D -d -l /var/log/snort -c /etc/snort/snort.debian.conf -S -i
eth0
Grava log em bin´rio (formato tcpdump)
a
Ulisses Ara´jo Costa
u Snort - capturar e dissecar o tr´fego de rede
a

8. Sum´rio
a
1 NIDS
2 Snort
3 Objectivo
4 tshark
Estat´
ısticas
Ulisses Ara´jo Costa
u Snort - capturar e dissecar o tr´fego de rede
a

9. Depois de ter o ficheiro. . .
Implementa¸˜o de filtros segundo determinadas regras
ca
Agrega¸˜o de pacotes segundo regras (onde o Snort n˜o
ca a
chega)
Ulisses Ara´jo Costa
u Snort - capturar e dissecar o tr´fego de rede
a

10. Problema - parsing
Fazer parsing de tcpdump
Ulisses Ara´jo Costa
u Snort - capturar e dissecar o tr´fego de rede
a

11. Exemplo - pacote SSH
Ulisses Ara´jo Costa
u Snort - capturar e dissecar o tr´fego de rede
a

12. Implementa¸˜o em Haskell
ca
getPacket :: [ Word8 ] -> InPacket
getPacket bytes = toInPack $ listArray (0 , Prelude . length bytes -1) $ bytes
-- Ethernet | IP | TCP | X
getPacketTCP :: [ Word8 ] -> Maybe ( NE . Packet ( NI4 . Packet ( NT . Packet InPacket ) ) )
getPacketTCP bytes = doParse $ getPacket bytes :: Maybe ( NE . Packet ( NI4 . Packet (
NT . Packet InPacket ) ) )
Problema
N˜o h´ parsers feitos para camada de aplica¸˜o :S
aa ca
Ulisses Ara´jo Costa
u Snort - capturar e dissecar o tr´fego de rede
a

13. Sum´rio
a
1 NIDS
2 Snort
3 Objectivo
4 tshark
Estat´
ısticas
Ulisses Ara´jo Costa
u Snort - capturar e dissecar o tr´fego de rede
a

14. Exemplos
Mostrar todas as comunica¸˜es com o IP 192.168.74.242
co
root@pig:# tshark -R quot;ip.addr == 192.168.74.242quot; -r snort.log
...
7750 6079.816123 193.136.19.96 -> 192.168.74.242 SSHv2 Client : Key Exchange Init
7751 6079.816151 192.168.74.242 -> 193.136.19.96 TCP ssh > 51919 [ ACK ] Seq =37
Ack =825 Win =7424 Len =0 TSV =131877388 TSER =1789588
7752 6079.816528 192.168.74.242 -> 193.136.19.96 SSHv2 Server : Key Exchange Init
7753 6079.817450 193.136.19.96 -> 192.168.74.242 TCP 51919 > ssh [ ACK ] Seq =825
Ack =741 Win =7264 Len =0 TSV =1789588 TSER =131877389
7754 6079.817649 193.136.19.96 -> 192.168.74.242 SSHv2 Client : Diffie - Hellman
GEX Request
7755 6079.820784 192.168.74.242 -> 193.136.19.96 SSHv2 Server : Diffie - Hellman
Key Exchange Reply
7756 6079.829495 193.136.19.96 -> 192.168.74.242 SSHv2 Client : Diffie - Hellman
GEX Init
7757 6079.857490 192.168.74.242 -> 193.136.19.96 SSHv2 Server : Diffie - Hellman
GEX Reply
7758 6079.884000 193.136.19.96 -> 192.168.74.242 SSHv2 Client : New Keys
7759 6079.922576 192.168.74.242 -> 193.136.19.96 TCP ssh > 51919 [ ACK ] Seq =1613
Ack =1009 Win =8960 Len =0 TSV =131877415 TSER =1789605
...
Ulisses Ara´jo Costa
u Snort - capturar e dissecar o tr´fego de rede
a

15. Exemplos
Mostrar um triplo com: (tempo,codigo http,tamanho do conte´do
u
http), separados por ’,’ e entre aspas.
root@pig:# tshark -r snort.log -R http.response -T fields -E header=y -E separator=’,’ -E
quote=d -e frame.time relative -e http.response.code -e http.content length
...
quot;128.341166000quot; ,quot;200quot; ,quot;165504quot;
quot;128.580181000quot; ,quot;200quot; ,quot;75332quot;
quot;128.711618000quot; ,quot;200quot; ,quot;1202quot;
quot;149.575548000quot; ,quot;206quot; ,quot;1quot;
quot;149.719938000quot; ,quot;304quot; ,
quot;149.882290000quot; ,quot;404quot; ,quot;338quot;
quot;150.026474000quot; ,quot;404quot; ,quot;341quot;
quot;150.026686000quot; ,quot;404quot; ,quot;342quot;
quot;150.170295000quot; ,quot;304quot; ,
quot;150.313576000quot; ,quot;304quot; ,
quot;150.456650000quot; ,quot;304quot; ,
...
Ulisses Ara´jo Costa
u Snort - capturar e dissecar o tr´fego de rede
a

16. Exemplos
Mostrar um tuplo de aridade 4 com: (tempo,ip origem,ip destino,
tamanho do pacote tcp).
root@pig:# tshark -r snort.log -R quot;tcp.len>0quot; -T fields -e frame.time relative -e ip.src -e
ip.dst -e tcp.len
...
551.751252000 193.136.19.96 192.168.74.242 48
551.751377000 192.168.74.242 193.136.19.96 144
551.961545000 193.136.19.96 192.168.74.242 48
551.961715000 192.168.74.242 193.136.19.96 208
552.682260000 193.136.19.96 192.168.74.242 48
552.683955000 192.168.74.242 193.136.19.96 1448
552.683961000 192.168.74.242 193.136.19.96 1448
552.683967000 192.168.74.242 193.136.19.96 512
555.156301000 193.136.19.96 192.168.74.242 48
555.158474000 192.168.74.242 193.136.19.96 1448
555.158481000 192.168.74.242 193.136.19.96 1400
556.021205000 193.136.19.96 192.168.74.242 48
556.021405000 192.168.74.242 193.136.19.96 160
558.874202000 193.136.19.96 192.168.74.242 48
558.876027000 192.168.74.242 193.136.19.96 1448
...
Ulisses Ara´jo Costa
u Snort - capturar e dissecar o tr´fego de rede
a

17. Exemplos
Mostrar um triplo com: (ip origem,ip destino, porto do ip destino).
root@pig:# tshark -r snort.log -Tfields -e ip.src -e ip.dst -e tcp.dstport
...
192. 168.74.242 193.136.19.96 37602
192. 168.74.242 193.136.19.96 37602
193.136.19.96 192.168.74.242 22
192. 168.74.242 193.136.19.96 37602
193.136.19.96 192.168.74.242 22
193.136.19.96 192.168.74.242 22
192. 168.74.242 193.136.19.96 37602
192. 168.74.242 193.136.19.96 37602
192. 168.74.242 193.136.19.96 37602
193.136.19.96 192.168.74.242 22
193.136.19.96 192.168.74.242 22
193.136.19.96 192.168.74.242 22
193.136.19.96 192.168.74.242 22
192. 168.74.242 193.136.19.96 37602
192. 168.74.242 193.136.19.96 37602
...
Ulisses Ara´jo Costa
u Snort - capturar e dissecar o tr´fego de rede
a

18. Sum´rio
a
1 NIDS
2 Snort
3 Objectivo
4 tshark
Estat´
ısticas
Ulisses Ara´jo Costa
u Snort - capturar e dissecar o tr´fego de rede
a

19. Estat´
ısticas
Hierarquia de protocolos
root@pig:# tshark -r snort.log -q -z io,phs
frame frames :7780 bytes :1111485
eth frames :7780 bytes :1111485
ip frames :3992 bytes :848025
tcp frames :3908 bytes :830990
ssh frames :2153 bytes :456686
http frames :55 bytes :19029
http frames :5 bytes :3559
http frames :3 bytes :2781
http frames :2 bytes :2234
http frames :2 bytes :2234
data - text - lines frames :10 bytes :5356
tcp . segments frames :3 bytes :1117
http frames :3 bytes :1117
media frames :3 bytes :1117
udp frames :84 bytes :17035
nbdgm frames :50 bytes :12525
smb frames :50 bytes :12525
mailslot frames :50 bytes :12525
browser frames :50 bytes :12525
dns frames :34 bytes :4510
llc frames :3142 bytes :224934
stp frames :3040 bytes :182400
cdp frames :102 bytes :42534
loop frames :608 bytes :36480
data frames :608 bytes :36480
arp frames :38 bytes :2046
Ulisses Ara´jo Costa
u Snort - capturar e dissecar o tr´fego de rede
a

20. Estat´
ısticas - Conversations
Usa-se: -z conv,<tipo>,<filtro>
Tipo pode ser: eth,tr,fc,fddi,ip,ipx,tcp,udp
Os filtros servem para restringir as estat´ısticas
root@pig:# tshark -r snort.log -q -z conv,ip,tcp.port==80
================================================================================
IPv4 Conversations
Filter : tcp . port ==80
| <- || -> || Total |
| Frames Bytes | | Frames Bytes | | Frames Bytes |
193. 136.19.148 <-> 192.168.74.242 141 13091 202 259651 343 272742
192. 168.74.242 <-> 128.31.0.36 22 6858 28 4784 50 11642
================================================================================
Ulisses Ara´jo Costa
u Snort - capturar e dissecar o tr´fego de rede
a

21. Estat´
ısticas - IO
Usa-se: -z io,stat,<int>,<filtro>,. . . ,<filtro>
root@pig:# tshark -r snort.log -q -z io,stat,300,’not (tcp.port=22)’
===================================================================
IO Statistics
Interval : 300.000 secs
Column #0:
| Column #0
Time | frames | bytes
000.000 -300.000 2161 543979
300.000 -600.000 1671 264877
600.000 -900.000 508 46224
900.000 -1200.000 185 12885
1200.000 -1500.000 201 14607
1500.000 -1800.000 187 13386
1800.000 -2100.000 189 13887
2100.000 -2400.000 187 13386
2400.000 -2700.000 189 13887
2700.000 -3000.000 187 13386
3000.000 -3300.000 185 12885
3300.000 -3600.000 189 13887
3600.000 -3900.000 210 15546
3900.000 -4200.000 189 13887
4200.000 -4500.000 187 13386
4500.000 -4800.000 185 12885
4800.000 -5100.000 189 13887
===================================================================
Ulisses Ara´jo Costa
u Snort - capturar e dissecar o tr´fego de rede
a

22. Fim
?
Ulisses Ara´jo Costa
u Snort - capturar e dissecar o tr´fego de rede
a