Network Security EDA /2012. Laboratory assignment 4. Revision A/576, :13:02Z

Transcription

1 Network Security EDA /2012 Laboratory assignment 4 Revision A/576, :13:02Z

2

3 Lab 4 - Network Intrusion Detection using Snort 1 Purpose In this assignment you will be introduced to network intrusion detection by analysing suspicious network packets and configuring snort to detect and raise alerts for these packets. 2 Reporting To pass this assignment you need to demonstrate that your snort configuration successfully alerts on all suspicious packets, while not raising alerts on legitimate traffic. Also, there are questions throughout the lab PM that should be answered and discussed when the practical part of the lab is done. 3 Preparations at home Look at the reference documents as specified below before you continue reading the lab PM. It is important that you are well prepared and finish the assignment within the allocated time.! IMPORTANT! As this assignment is more open than previous laboratory assignments, it is very important that you read and understand the entire laboratory assignment before you start! A guideline on how to proceed with the assignment is provided at the end of this lab PM in Section Reference documents The Snort Manual, Important chapters (should be read): , and Layout of this assignment In the next section, Section 4, you will be introduced to the laboratory environment. Then, the netcat utility will be introduced in Section 5. First in Section 6, the exercises to be performed are presented. In the first part of those exercises (in 6.1), you will perform some tasks to become familiar with snort. In the second part (in 6.2), you will be analysing malicious traffic and write rules for snort to detect this traffic. Here, important guidelines on how to progress with the analysis for writing your snort-rules will be given. 3

4 4 Lab setup and intrusion detection with snort This lab is conducted in the Computer Engineering lab, room 4220/4225(EDIT building, south wing, floor 4). You can login as usual with your Chalmers account name and password (CID). 4.1 System overview You will use the network server theoden.ce.chalmers.se to generate malicious traffic and direct it against your host. You will use your host to capture and analyze the traffic and to create rules for Snort. You will then use Snort to detect and alert upon successive malicious packets. You log on to theoden from an X window in your lab computer with the command ssh theoden using your normal Chalmers login (CID). 4.2 Snort Snort is a signature based intrusion detection system which maintains a database of detection signatures, or detection rules. For each network packet that is captured, a comparison is made between the content of the packet and the available signatures in the database. Whenever a match is found, Snort raises an alert to notify, e.g., the systems administrator that malicious traffic is directed towards the monitored system. Figure 1 illustrates the detection concept. Figure 1: Boromir sends an attack against ce-pc15, which has snort installed The Snort configuration file snort.conf provides Snort with runtime configuration data, e.g., network variables and rule file locations. On the lab system, the configuration file is located at /chalmers/groups/eda491/lib/lab4/snort.conf. Copy this file to your home directory. The snort.conf file used in this lab contains two network variables, HOME NET and the EXTERNAL NET. If you wish to use any of these in your rules, you should uncomment and set them accordingly. Otherwise you can simply ignore them. Below the variables there is the row # Your rules start here. Below this row you are supposed to insert your own rules according to the instructions provided in the 4

5 following subsections. 5 Lab tools During this assignment you will encounter and become familiar with various network related tools, such as wireshark, Netcat and Snort. Whenever you are uncertain of how you should formulate a specific command line or how a specific feature works, you should refer to the man pages and the manual. Below follows a brief introduction to the Netcat utility, you can skip this paragraph if you are already familiar with Netcat. 5.1 The Netcat utility Netcat, or nc, is the swiss army knife for networks. It can be used for connecting two peers, either by taking the role of the server and listening on incoming connections, or as the client, initiating connections. By using some handy command line tricks you can even get it to transfer commands or files for you. Check out the manual for Netcat. On the lab system it is referred to as nc. Make sure that you figure out enough information to convince yourself that you know the basics. Then use it to retrieve something, e.g., with GET, from the local web server. A clever trick for transmitting strings is to echo the string and then pipe it to nc. Like this: echo STRING nc... Make sure that you get it, since you will be using nc later. 6 Exercises The following exercises are to be done in the lab. As you progress you encounter questions (starting with Q and written in bold font). Discuss and write down the answer to these questions, and be prepared to discuss your answers with the assistants when you have finished the lab. 6.1 Snort in sniffer and packet logger modes Snort is available on each computer in the lab and is invoked by typing sudo snort -i eth0 at the command line. Snort can be invoked in a number of ways and right now we will look at how to start Snort in the sniffer and packet logger modes. Note that the option -i eth0 is always needed when using snort at the lab machines otherwise it will choose an incorrect network interface and hang. Unfortunately snort will not be able to store logs in your NFS4 mounted home directory so you will have to store the logs under /tmp instead. To do this, first create a log directory with the following commands: >> mkdir /tmp/<mylogin> >> mkdir /tmp/<mylogin>/log After this you can give the argument -l /tmp/mylogin/log to snort, to make it use 5

6 this directory for logging. Note: The network card can differ between different hosts. To find the network card in use, issue the command /sbin/ip addr list. A list of network cards and IP-numbers will be presented. The network card with an IP-address in the range of /23 is the one to use. Note: In parallel with your packet capturing session you will have at least one SSH session running. The SSH-traffic is not relevant to the lab, and one way to remove this informationwhenusingwiresharkistosetupafilterthateliminatespacketsforport22. Note: When starting Snort, always start it in foreground mode, i.e., without the &: If there are errors in your rules, Snort will refuse to start and you will be able to see this on the terminal window. If you start Snort as a daemon, it will die silently, and you will probably be confused as of why no alerts are produced. Also, if Snort is running and it does not die when hitting Ctrl-C, you will need to use the kill command instead. Read the manual to figure out how to start Snort in sniffer mode, be sure to test the different options for capturing link, network and transport headers, and payload. To generate some traffic for you to check, you should log into theoden and transmit a the message "TESTMESSAGE SNORTLAB EDA491" between theoden and your computer. Use the hints in Section 5.1. Also be sure that Snort is running before you transmit the string. Q1: To see the string, you had to add the payload option, but when the payload is captured, the log item increased in size. Elaborate briefly on whether payload data should be captured or not with respect to log sizes, attack coverage and amount of traffic passing the detection system. The sniffer mode is seldom useful unless you are looking for a very specific string and use heavy filtering to discard all other traffic. A more useful mode is therefore the packet logger mode, where the packets are captured to file and can thus be inspected after the fact. Note: When running in packet logger or detection mode, you need to use specific options for snort. Add to the command line the options -i eth0, -u username, and -k none. -u sets the permissions on the log- and alert files to yourself so that you can read them, and -k disregards checksum issues, which otherwise will be a problem for you. In addition, use the -l option to denote a directory where you want to store your logs. Example: snort -i eth1 -l <log dir> -u <username> -k none -K <log format>, where log dir is a directory you should create with the mkdir command. Try out snort s packet logger mode and be sure to store packets as both ASCII text and in pcap format (in separate runs). Then, inspect both the ASCII and the pcap files. Only one kind of logging is supported at the same time. 6

7 Q2: Elaborate briefly on storing log files in ASCII and pcap format. When would it be more suitable to store the files in ASCII, and when would it be more suitable to store the files in pcap format. What differences do you find regarding the creation and naming of files. So far we have looked at the sniffer and packet logger modes. The real power of Snort, however, lies in its ability to use a set of rules denoting known malicious network traffic and to raise alerts whenever a rule is matched by a packet. To be able to detect attacks and raise alerts, Snort must be run in intrusion detection mode. 6.2 Snort in intrusion detection mode Before you begin working with this section, there are a few files that need to be present on your system. Therefore you should first retrieve the server1, server2, execute and snort.conf files from the directory /chalmers/groups/eda491/lib/lab4/ and put them in your home directory. Now, make sure you currently is located in your home directory in the lab machine and that the following three files are there server1, server2, and snort.conf. Also make sure that you have the file execute in your home directory on theoden. This section is all about writing Snort rules. Remember that in order for your rules to be effective, you need to restart Snort and provide the path to the configuration file as an option. Note: This part of the lab is quite open and you may solve it in the way you find best. To aid you, an action list is provided in Section The following scenario defines this part of the lab On theoden there are five attacks denoted suspect1...suspect5. Each attack will launch one or more packets towards your system. Each execution of an attack contains exactly one attack, regardless of the number of packets sent by the attack. In our lab, Snort has no memory of previous packets so you need to find common denominators betweenthepacketsandthencreateyourrulesothatonealertisissuedforeachpacket. To launch the attacks, you use the execute program, that you recently downloaded. The syntax for using execute is as follows:./execute <attack name> <IP-address>, where IP-address is the address of your computer. You can check your IP-address with the command /sbin/ifconfig or /sbin/ip addr list. Some of the attacks need a listening service to perform a connection before transmitting its data. Therefore, before you begin, you should start the server1 and server2 programs as follows: >>./server & >>./server & 7

8 >>./server & You should leave these services running since they are needed by the attack scripts to work properly Lab flow You begin with an empty rule set which incrementally should be expanded to contain the rules that you find necessary to prevent the attack packets from entering your system unnoticed. To your help, you have the previously discussed tools (i.e. Snort and Wireshark) to capture what is sent over the network when the attack scripts are run. When the attack data has been captured, you should perform an analysis of the contents in the log and try to identify what parts of the packets that should be included in a rule that will reveal the presence of the packet(s). Try to be as specific as possible, since false alerts will be issued otherwise. Rules should be named according to the attack script that they will match, and they should also include your group number, i.e., when writing a rule for attack script 1, the msg: clause of the rule must have the text "ATTACK 1 nsecnyyy" (where YYY is your lab group number). To assess your rules you can manually inspect (or tail -F) the snort alert file to see if an alert is registered when the packets generated by the script have been received by your host. If nothing is registered in the alert file, you need to tune your script. When you have written rules that will alert on all the attacks, you should validate your rules by running./execute mixed <IP-address>. Using mixed as argument will launch a traffic mix of attacks and legitimate traffic against your system. A script that will inspect your alert file and let you know if you passed or not is located at theoden at /chalmers/groups/eda491/lib/lab4/checkalerts.pl. Copy this script to your home directory on your local machine and execute it. When you see an output that tells you to fetch the supervisor, you are finished, and should contact the supervisor for approval. If you see something else, it means that you missed some attacks, or that your rules are too general. Check your rules and then try again. Q3: In this assignment, you have written specific rules to discover attacks. This paradigm is known as signature based detection. Another detection paradigm is the anomaly detection paradigm, which detects abnormal behaviour. Elaborate on the advantages and disadvantages of the two paradigms. Remember: This is an open assignment, thus you may solve it in the way you find best. The alert file is located in the same directory as your logs, and appropriately called alert. 8

9 To aid you, an action list is provided in the next subsection. Note: Be really sure that you have read chapter three in the snort manual. Otherwise this might be quite difficult Lab progress action list This section will provide an action list for how to proceed when creating your rules. Effectively, this section is a summary of the previous section. 1. Unless already started, start server1 and server2. 2. Start a packet capturer. 3. Launch one attack from theoden against your host with the execute program. 4. Stop the packet capturer. 5. Inspect the produced log file or the content written to screen, and try to identify what constitutes the attack. 6. Input the corresponding rule to the snort.conf file and start/restart snort. 7. Re-launch the attack and inspect the alert file, if there is an alert for the attack, you can move on to the next attack. When all attacks have been executed and the corresponding rules have been created: 1. Create a new alert file. Then run the traffic mix while snort is running. 2. Check the alerts with the checkalerts.sh script. If you pass, contact the instructor, if you fail, rewrite one or more rules and try again. Finally, if you have answered all the questions, report the lab: 1. Make sure all students in the group have understood (and are able to answer to) all the questions. 2. Contact a lab supervisor to check your results. 9