19 Snort

Hiteishi Diwanji

epgp books

Snort architecture:


Download snort:


Download Snort from https://www.snort.org and install it. On the Windows operating system it will be installed in c:\snort.


To start with Snort, change directory to c:\snort\bin.

  • Type snort.
  • Type snort -W. It will show all the interfaces. Type the command snort -v -i2; that will start Snort with the 2nd interface.
  • Type snort -c rules.txt -A console -l ../log -K ascii, where the rules.txt file contains alert tcp any any -> any any (sid:1; msg:"tcp packets";)

Sample output of the above commands (banner, library versions and the interface table printed by snort -W):

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.0.3-ODBC-MySQL FlexRESP-WIN32 GRE (Build 98)
           By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 8.10 2010-06-25
           Using ZLIB version: 1.2.3

  Index  Physical Address   IP Address  Device Name                                         Description
  -----  -----------------  ----------  --------------------------------------------------  -----------
  1      00:00:00:00:00:00  disabled    \Device\NPF_{1E10CABC-BB23-4F6B-
  2      00:00:00:00:00:00  disabled    \Device\NPF_{A3F8D0FB-9E83-4353-A544-8FFD83354A46}  Marvell Yukon Ethernet Controller
  3      00:00:00:00:00:00  disabled    \Device\NPF_{B432E026-373D-4B3E-BF70-E6D762ECE6AF}  Microsoft
  4      00:00:00:00:00:00  disabled    \Device\NPF_{8641C604-C1C1-419D-B2A7-DCF58BE9ABEC}  Microsoft

Snort rules:

  • Snort uses a simple, lightweight rules description language that is flexible and quite powerful.
  • Snort rules must be completely contained on a single line.

Snort header and rule:

  • Snort rules are divided into two logical sections, the rule header and the rule options.
  • The rule header contains the rule’s action, protocol, source and destination IP addresses and netmasks, and the source and destination ports information.
  • The rule option section contains alert messages and information on which parts of the packet should be inspected to determine if the rule action should be taken.
  • Example rule: alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg: "mountd access";)
  • The text up to the first parenthesis is the rule header and the section enclosed in parenthesis is the rule options.
  • Option keywords are the words before the colons in the rule options section.
  • The rule options section is not specifically required by any rule.
  • All of the elements in the rule must be true for the indicated rule action to be taken.
  • The elements together form a logical AND statement.
  • The various rules in a Snort rules library file form a large logical OR statement.

Rule Headers:


Rule Actions:

  • The rule header contains the information that defines the “who, where, and what” of a packet, as well as what to do in the event that a packet with all the attributes indicated in the rule should show up.
  • The first item in a rule is the rule action. The rule action tells Snort what to do when it finds a packet that matches the rule criteria.
  • There are three available actions in Snort: alert, log, and pass.

1) alert – generate an alert using the selected alert method, and then log the packet

2) log – log the packet

3) pass – drop (ignore) the packet


Protocols:

  • The next field in a rule is the protocol.
  • There are three IP protocols that Snort currently analyzes for suspicious behavior: tcp, udp, and icmp.

IP Addresses:

  • The next portion of the rule header deals with the IP address and port information for a given rule.
  • The keyword "any" defines any address. Snort does not have a mechanism to provide host name lookup for the IP address fields in the rules file.
  • The addresses are formed by a straight numeric IP address and a CIDR block.
  • A CIDR block mask of /24 indicates a Class C network, /16 a Class B network, and /32 indicates a specific machine address. For example, to represent the block of addresses from 192.168.1.1 to 192.168.1.255, the address/CIDR combination 192.168.1.0/24 is used.

Address in a rule:

  • alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg: "mountd access";)
  • The source IP address was set to match for any computer, and the destination address was set to match on the 192.168.1.0 Class C network.

Snort rules:

  • There is an operator that can be applied to IP addresses: the negation operator. This operator tells Snort to match any IP address except the one indicated by the listed IP address. The negation operator is indicated with a "!".
  • For example, to alert on any traffic that originates outside of the local net, use the negation operator:
  • alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111 (content: "|00 01 86 a5|"; msg: "external mountd access";)
  • This rule's IP addresses indicate "any tcp packet with a source IP address not originating from the internal network and a destination address on the internal network".

Port numbers:


Port numbers may be specified in the following ways:

1) "any" ports,

2) static port definitions,

3) ranges,

4) by negation.

"Any" ports are a wildcard value, meaning any port. Static ports are indicated by a single port number, such as 111 for portmapper, 23 for telnet, or 80 for http.

  • Port ranges are indicated with the range operator ":". Examples:
  • log udp any any -> 192.168.1.0/24 1:1024
    logs udp traffic coming from any port with destination ports ranging from 1 to 1024.
  • log tcp any any -> 192.168.1.0/24 :6000
    logs tcp traffic from any port going to ports less than or equal to 6000.
  • log tcp any :1024 -> 192.168.1.0/24 500:
    logs tcp traffic from privileged ports less than or equal to 1024 going to ports greater than or equal to 500.

Negation in port:

  • Port negation is indicated by using the negation operator "!". The following rule logs tcp traffic to the internal network on every destination port except 6000 to 6010:
  • log tcp any any -> 192.168.1.0/24 !6000:6010

Directional operator in header:

  • The direction operator "->" indicates the orientation, or "direction", of the traffic that the rule applies to.
  • The IP address and port numbers on the left side of the direction operator are considered to be the traffic coming from the source host, and the address and port information on the right side of the operator is the destination host.
  • There is also a bidirectional operator, which is indicated with a "<>" symbol. Snort then considers the address/port pairs in either the source or destination orientation. It is used in telnet or POP3 sessions to record/analyze both sides of a conversation.
  • An example of the bidirectional operator being used to record both sides of a telnet session is log tcp !192.168.1.0/24 any <> 192.168.1.0/24 23
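As an added illustration that is not part of the original chapter, the header semantics described above ("any", address/CIDR with "!" negation, the port forms 1:1024, :6000, 500: and !6000:6010, and the "->" and "<>" operators) can be exercised in Python against constructed packet descriptions. The pkt helper and the packet dictionaries are constructed for this example, and rules are written with straight quotes.

```python
import ipaddress

# Constructed packet descriptions stand in for captured traffic (example only).
def pkt(proto, sip, sport, dip, dport):
    return {"proto": proto, "sip": sip, "sport": sport, "dip": dip, "dport": dport}

def port_matches(spec, port):
    """Snort port field: any, 111, 1:1024, :6000, 500:, each optionally negated with '!'."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        lo, hi = 0, 65535
    elif ":" in spec:                      # range operator; an empty side means open-ended
        a, b = spec.split(":")
        lo, hi = (int(a) if a else 0), (int(b) if b else 65535)
    else:
        lo = hi = int(spec)
    return (lo <= port <= hi) != negate

def ip_matches(spec, ip):
    """Snort IP field: any or address/CIDR, optionally negated with '!'."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    inside = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return inside != negate

def parse_header(rule):
    """The text before the first '(' is the header: action, protocol, src, src port, direction, dst, dst port."""
    action, proto, sip, sport, direction, dip, dport = rule.split("(", 1)[0].split()
    return {"action": action, "proto": proto, "src": (sip, sport),
            "direction": direction, "dst": (dip, dport)}

def header_matches(rule, p):
    """True when the rule header applies to packet p; '<>' also tries the reverse orientation."""
    h = parse_header(rule)
    if h["proto"] != p["proto"]:
        return False
    def one_way(src, dst):                 # all header elements must hold (logical AND)
        return (ip_matches(src[0], p["sip"]) and port_matches(src[1], p["sport"])
                and ip_matches(dst[0], p["dip"]) and port_matches(dst[1], p["dport"]))
    if one_way(h["src"], h["dst"]):
        return True
    return h["direction"] == "<>" and one_way(h["dst"], h["src"])

if __name__ == "__main__":
    external_mountd = 'alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111 (content: "|00 01 86 a5|"; msg: "external mountd access";)'
    telnet_both = "log tcp !192.168.1.0/24 any <> 192.168.1.0/24 23"
    print(header_matches(external_mountd, pkt("tcp", "10.0.0.5", 40000, "192.168.1.7", 111)))   # True
    print(header_matches(external_mountd, pkt("tcp", "192.168.1.3", 40000, "192.168.1.7", 111)))  # False
    print(header_matches(telnet_both, pkt("tcp", "192.168.1.5", 23, "10.0.0.5", 50000)))          # True
```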

Rule Options:

  • All Snort rule options are separated from each other using the semicolon “;” character.
  • Rule option keywords are separated from their arguments with a colon “:” character.
  • msg – prints a message in alerts and packet logs
  • logto – log the packet to a user specified filename instead of the standard output file
  • minfrag – set a threshold value for the smallest acceptable IP fragment size
  • ttl – test the IP header’s TTL field value
  • id – test the IP header’s fragment ID field for a specific value
  • dsize – test the packet’s payload size against a value
  • content – search for a pattern in the packet’s payload
  • offset – modifier for the content option, sets the offset to begin attempting a pattern match
  • depth – modifier for the content option, sets the maximum search depth for a pattern match attempt
  • flags – test the TCP flags for certain values
  • seq – test the TCP sequence number field for a specific value
  • ack – test the TCP acknowledgement field for a specific value
  • itype – test the ICMP type field against a specific value
  • icode – test the ICMP code field against a specific value
  • session – dumps the application layer information for a given session

msg:

  • The msg rule option tells the logging and alerting engine the message to print along with a packet dump or to an alert.
  • Utilizes the "\" as an escape character to indicate a discrete character (such as the semicolon ";" character).
  • Format: msg: "<message text>";

logto:

  • The logto option tells Snort to log all packets that trigger this rule to a special output log file.
  • Format: logto: "<filename>";

minfrag:

  • Minfrag sets a minimum size threshold for a fragmented packet.
  • Used to set a boundary for the minimum fragment size that is acceptable on a network segment.
  • This detects attackers that like to break their fragments into tiny pieces before transmitting them to avoid detection mechanisms.
  • Format: minfrag: "<number>";
  • alert tcp any any -> any any (minfrag: 256; msg: "Tiny fragments detected, possible hostile activity";)

ttl:

  • This rule option is used to set a specific time-to-live value to test against.
  • This option keyword was intended for use in the detection of traceroute attempts.
  • Format: ttl: "<number>";

id:

  • This option keyword is used to test for an exact match in the IP header fragment ID field.
  • For example, the value 31337 is very popular with some hackers.
  • Format: id: "<number>";

dsize:

  • The dsize option is used to test the packet payload size.
  • It may be set to any value, plus use the greater than/less than signs to indicate ranges and limits.
  • This can be used to detect buffer overflows.
  • Format:
  • dsize: [>|<] <number>; Note: The > and < operators are optional.

content:

  • It allows the user to set rules that search for specific content in the packet payload and trigger response based on that data.
  • Whenever a content option pattern match is performed, the Boyer-Moore pattern match function is called and the test is performed against the packet contents. If exact match of data with the argument data string is contained anywhere within the packet’s payload, the test is successful and the remainder of the rule option tests are performed.
  • This test is case sensitive. It can contain mixed text and binary data. The binary data is generally enclosed within the pipe ("|") character and represented as bytecode. Bytecode represents binary data as hexadecimal numbers.
  • An example of mixed text and binary data in a Snort rule:
  • alert tcp any any -> 192.168.1.0/24 143 (content: "|90C8 C0FF FFFF|/bin/sh"; msg: "IMAP buffer overflow!";)
  • Format: content: "<content string>";

offset:

  • The offset rule option is used as a modifier to rules using the content option keyword.
  • It sets the position, counted from the beginning of the packet payload, at which the pattern match function starts searching.
  • This is useful in CGI scan detection rules, where the content search string is always found after the first four bytes of the payload. This rule option keyword cannot be used without also specifying a content rule option.
  • Format: offset: <number>;

depth:

  • Depth sets the maximum search depth for the content pattern match function to search from the beginning of its search region.
  • It is useful for limiting the pattern match function from performing inefficient searches once the possible search region for a given set of content has been exceeded.
  • When searching for "cgi-bin/phf" in a web-bound packet, the search need not extend beyond the first 20 bytes of the payload.
  • Format: depth: <number>;
  • An example of a combined content, offset, and depth:
  • alert tcp any any -> 192.168.1.0/24 80 (content: "cgi-bin/phf"; offset: 3; depth: 22; msg: "CGI-PHF attack";)

Flags:

  • This rule option tests the TCP flags for an exact match. There are actually 8 flag variables available in Snort:
  • F – FIN (LSB in TCP Flags byte)
  • S – SYN
  • R – RST
  • P – PSH
  • A – ACK
  • U – URG
  • 2 – Reserved bit 2
  • 1 – Reserved bit 1 (MSB in TCP Flags byte)
  • The reserved bits can be used to detect unusual behavior, such as IP stack fingerprinting attempts or other suspicious activity.
  • All of the flags are considered as a whole for this test; they must all be "up" for this rule option to be successful.
  • Format: flags: <flag values>;
  • alert tcp any any -> 192.168.1.0/24 any (flags: SF; msg: "Possible SYN FIN scan";)
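As an added example, not from the original chapter, the option semantics described above (content with |hex| bytecode, offset and depth bounding the search region, dsize with > and <, flags as an exact match of the TCP flags byte, and ack) can be evaluated in Python over constructed payloads. The sample payloads are constructed, rules use straight quotes, and one content option per rule is assumed.

```python
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}   # TCP flags byte, F = LSB, 1 = MSB

def parse_options(rule):
    """Split the parenthesised option section into a keyword -> argument dict (one content per rule)."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts = {}
    for item in body.split(";"):                 # options are separated by ';'
        if item.strip():
            key, _, arg = item.partition(":")    # keyword and argument are separated by ':'
            opts[key.strip()] = arg.strip().strip('"')
    return opts

def content_bytes(arg):
    """'|90C8 C0FF FFFF|/bin/sh' -> hex bytecode inside pipes, literal text outside."""
    out = b""
    for i, part in enumerate(arg.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out

def options_match(rule, payload, tcp_flags=0, tcp_ack=None):
    """Evaluate dsize, flags, ack and content/offset/depth; every option present must hold (logical AND)."""
    opts = parse_options(rule)
    if "dsize" in opts:
        arg, n = opts["dsize"], int(opts["dsize"].lstrip("<>"))
        ok = len(payload) > n if arg[0] == ">" else len(payload) < n if arg[0] == "<" else len(payload) == n
        if not ok:
            return False
    if "flags" in opts and tcp_flags != sum(FLAG_BITS[c] for c in opts["flags"]):
        return False                             # exact match: the listed flags up and no others
    if "ack" in opts and tcp_ack != int(opts["ack"]):
        return False
    if "content" in opts:
        start = int(opts.get("offset", 0))       # the search region begins at offset
        region = payload[start:]
        if "depth" in opts:                      # and extends at most depth bytes from there
            region = region[: int(opts["depth"])]
        if content_bytes(opts["content"]) not in region:   # case-sensitive substring match
            return False
    return True

if __name__ == "__main__":
    phf = 'alert tcp any any -> 192.168.1.0/24 80 (content: "cgi-bin/phf"; offset: 3; depth: 22; msg: "CGI-PHF attack";)'
    synfin = 'alert tcp any any -> 192.168.1.0/24 any (flags: SF; msg: "Possible SYN FIN scan";)'
    print(options_match(phf, b"GET /cgi-bin/phf?Qalias=x HTTP/1.0"))                # True
    print(options_match(phf, b"GET /a/b/c/d/e/f/g/h/i/j/cgi-bin/phf"))               # False: beyond offset+depth
    print(options_match(synfin, b"", tcp_flags=FLAG_BITS["S"] | FLAG_BITS["F"]))    # True
```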

seq:

  • This rule option refers to the TCP sequence number.
  • It detects if the packet has a static sequence number set.
  • Format: seq: <number>;

ack:

  • The ack rule option keyword refers to the TCP header’s acknowledge field.
  • This rule is used to detect NMAP TCP pings.
  • A NMAP TCP ping sets this field to zero and sends a packet with the TCP ACK flag set to determine if a network host is active.
  • Format: ack: <number>;
  • alert tcp any any -> 192.168.1.0/24 any (flags: A; ack: 0; msg: "NMAP TCP ping";)

itype:

  • This rule tests the value of the ICMP type field. It is set using the numeric value of this field.
  • The values can be set out of range to detect invalid ICMP type values that are sometimes used in denial of service and flooding attacks.
  • Format: itype: <number>;

icode:

  • The icode rule option keyword sets a numeric value and Snort will detect any traffic using that ICMP code value.
  • Out of range values can also be set to detect suspicious traffic.
  • Format: icode: <number>;

Suggested Reading:

  1. Cryptography and Network Security: Principles and Practice by William Stallings, Sixth Edition, PEARSON.
  2. Security in Computing by Charles Pfleeger & Shari Lawrence Pfleeger, Fourth Edition, PEARSON.
  3. Network Security by Charlie Kaufman, Radia Perlman & Mike Speciner, Second Edition, PHI.
  4. The Complete Reference – Network Security by Roberta Bragg, Mark Rhodes-Ousley & Keith Strassberg, Tata McGraw Hill.
  5. Network Security Bible by Eric Cole, Ronald Krutz & James Conley, Wiley.
  6. Hacking 6 Exposed by Stuart McClure, Joel Scambray & George Kurtz, Tata McGraw Hill.
  7. www.snort.org
  8. https://nmap.org