Snort. A practical NIDS

Transcription

1 Snort A practical NIDS

2 What is SNORT Snort is a packet logger/analyzer, which can be used to implement a NIDS. It can based be used in 4 modes: Sniffer mode Packet Logger mode Network Intrusion Detection System (NIDS) mode Inline Mode

3 Example: logging packets The command snort -dev -l./log -h /24 results in packets being logged. Flag -d tells to log the data, as well as header portion of packets Flag -v is visual, causing Snort to display information in the screen Flag -e tells to log extended header information (e.g., data link layer headers) Flag -l indicates a location (directory) to use for logging purposes (subdirectory log of current directory in the above example) Flag -h indicates how to create subdirectories. Each packet will be stored in a log file with a name that matches either source or destination addresses in a datagram. By specifying the prefix x, it indicates you want the packets logged under the local host in the communication

4 Using binary mode storage Alternatively, you can use the compact binary storage form to store packets snort -l./log -b This causes Snort to log all packets in binary form (tcpdump storage). No flags are needed, because all the packet is stored. You can then read them back in playback mode---useful to experiment with new rules../snort -dv -r packet.log You can also playback only packets of a particular type./snort -dvr packet.log icmp

5 NIDS mode NIDS mode enables modification of Snort basic behavior (i.e., log everything) and have it first apply a set of rules, taking the appropriate action when a packet matches the rule. snort -dev -l./log -h /24 -c snort.conf Results in Snort logging only packets that matches the rules specified in snort.conf Don t use -v or -e when using as NIDS, for the sake of speed (otherwise Snort may loose packets)

6 Alerts in NIDS mode Using the flag -A will add alerting behavior to Snort -A can be followed by the keywords full (default), fast, unsock, none, console, and cmg. To use syslog for remote logging, of alerts, use the flag -s Example: snort -b -A fast -c snort.conf

7 Inline Snort Obtain packets from IPTables instead of libpcap and uses Snort rules to instruct IPtables whether to drop or pass packets In order for snort_inline to work properly, you must download and compile the iptables code to include make install-devel. This will install the libipq library that allows snort_inline to interface with iptables. Also, you must build and install LibNet.

8 Running Snort Inline The QUEUE target should be specified in IPtables for interfacing with Snort iptables -A OUTPUT -p tcp --dport 80 -j QUEUE Then run Snort inline snort_inline -QDc../etc/drop.conf -l /var/log/snort The flags mean: -Q: Obtain input from iptables QUEUE target -D: Run in daemon mode (i.e., continuously in the background) -c: Use the configuration file -l: Use the log file

9 Snort configuration Snort configuration is highly customizable, in order to achieve high performance and full flexibility of use. config checksum_mode: none, noip, notcp, noicmp, noudp, ip, tcp, udp, icmp, all An important feature of Snort is the use of preprocessors. For instance, the de-fragmentation pre-processor frag3 allows you to use different policies to re-produced the defragmentation policies of various operating systems. Or, you can define your own policy. Similarly, the stream4_reassemble pre-processor enables you to choose your policies with overlapping packets.

10 Detecting port scans sfportscan processor Detects NMAP-style port scans, as well as decoy and distributed port scans Can detect port sweeps as well as port scans Can be tuned for sensitivity/ accuracy

11 Application layer preprocessors Telnet_decode RPC_decode HTTP_inspect Apache profile IIS profile many customizable options