Harnessing the Power of Snort - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Harnessing the Power of Snort
  • Brian Caswell
  • Principal Research Engineer
  • Sourcefire Vulnerability Research Team

2
Background
  • What is Snort?
  • Open Source packet analysis tool
  • The most widely deployed Network Intrusion
    Detection System (NIDS)
  • The de facto standard in intrusion detection and
    prevention
  • Who is Brian Caswell?
  • Sourcefire Vulnerability Research Team -
    Principal Research Engineer
  • Keeping Snort users ahead of the threat
  • Snort Rules Maintainer
  • Author, Snort 2.1 Intrusion Detection, Second
    Edition

3
Snort History
  • Initial release by Marty Roesch in 1998
  • Original goals of Snort
  • Traffic analysis tool for home network
  • Debugger for service simulators Marty was
    developing for a honeypot system
  • Learning tool for libpcap
  • Initial open source release in December 1998
  • Just a sniffer, no rule language
  • Rules implemented early 1999
  • 1.0 release, June 1999
  • Basic rules language, stateless

4
Snort History cont.
  • Snort 1.5 released December 1999
  • System was rearchitected to be modular and
    extensible
  • Same basic architecture still used today!
  • Snort implemented as a packet analysis pipeline:
    Data Acquisition -> Decode -> Preprocess -> Detect -> Action
5
Snort Goes Commercial
  • Sourcefire founded in January 2001
  • Snort 1.7 last release before full time
    development begins
  • Snort 1.7 is pitted head to head against 9
    commercial IDS offerings in a Network Computing
    test, comes in 3rd overall!
  • Snort 1.8 released in mid-2001, contains high
    speed output system, enterprise grade IP
    defragmenter/TCP Stream Reassembler, etc

6
Snort Today
  • Snort 2.3 available
  • Highly stateful, 3000 detection rules, protocol
    anomaly detection
  • Recent additions include
  • New portscan detector
  • Target-based IP Defragmenter
  • Event queuing
  • Gigabit performance capabilities, etc.
  • 12,000-15,000 downloads/week
  • 600k rule updates per month
  • Most Innovative @ RSA 2005

7
Snort Tomorrow
  • The future
  • New extensible data acquisition/decoder
    architecture
  • New stream reassembler
  • More application layer protocol analysis
    (SMTP/POP/IMAP, DCERPC, SNMP, Telnet/FTP, etc)
  • Target-based traffic analysis

8
Getting Started
9
Getting Started
  • Website - http://www.snort.org
  • Stable release is always available at
    http://www.snort.org/dl
  • Installable binary packages and source tarballs
    are typically available
  • Also available via CVS
  • http://www.snort.org/source.html

10
Building Snort
  • Get the tarball from snort.org
  • http://www.snort.org/dl/snort-2.3.0.tar.gz
  • Make sure libpcap and PCRE are installed
  • Unpack as usual
  • tar zxvf snort-2.3.0.tar.gz
  • Build
  • cd snort-2.3.0; ./configure; make; make install

11
Read the Docs!
  • Lots of documentation is available for Snort!
  • Look in the doc directory of the tarball
  • Snort manual in PDF format
  • README files cover Snort features and subsystems
  • Man pages available too

12
Running Snort
13
Snort Run Modes
  • Three basic modes of operation
  • Sniffer
  • Packet logger
  • NIDS
  • Runtime mode is determined at run-time via
    command line switches

05/22-11:50:11.320761 127.0.0.1:55786 -> 127.0.0.1:631
TCP TTL:64 TOS:0x0 ID:16546 IpLen:20 DgmLen:69 DF
***AP*** Seq: 0xCE6183EE  Ack: 0x89ECD4F2  Win: 0xFFFF  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1481027454 1481027454
50 4F 53 54 20 2F 20 48 54 54 50 2F 31 2E 31 0D  POST / HTTP/1.1.
0A                                               .
14
NIDS Mode
  • Sniffer and packet logger modes are covered in
    the first chapter of the Snort manual
  • NIDS Mode is what most people think of when
    talking about Snort
  • Command line switches
  • -c <config_file> load NIDS config from
    <config_file>
  • -A <mode> specify alert <mode>
  • -s generate alerts to syslog
  • Examples
  • snort -c snort.conf
  • snort -c snort.conf -d -l /pktlog -s
  • snort -c snort.conf -b -A fast

15
NIDS Mode cont
  • Useful switches
  • -D daemon mode
  • -i <intf> sniff on network interface <intf>
  • -r <pcap_file> read packets from <pcap_file>
  • -g <gid> set group ID of Snort process
  • -u <uid> set user ID of Snort process
  • -t <dir> chroot Snort process to <dir>
  • If no command line switches are specified, Snort
    looks for snort.conf in the /etc/snort and the
    local directory
  • Default logging directory is /var/log/snort

16
Snort Rules
17
Rule Syntax
  • Snort's rule syntax is simple and straightforward
  • It is also, unfortunately, quirky
  • Full rule docs in snort_manual.pdf file!

18
Rule format
alert tcp $BAD any -> $GOOD any (flags:SF; msg:"SYN-FIN scan";)
Rule Header: alert tcp $BAD any -> $GOOD any
  - static definition - has to be in every rule
Rule Options: (flags:SF; msg:"SYN-FIN scan";)
  - variable definition - not always necessary - 50 options available
19
Rule Headers
alert tcp $BAD any -> $GOOD any
  • alert - Rule action
  • tcp - Protocol
  • $BAD - Src. CIDR
  • any - Src. Port
  • -> - Direction
  • $GOOD - Dest. CIDR
  • any - Dest. Port
20
Rule Options
(flags:SF; msg:"SYN-FIN scan";)
  • ( ... ) - Option start/finish
  • flags:SF; - Option detail
  • flags - Keyword
  • : - Separator
  • SF - Argument
  • ; - Delimiter
21
Fun with Snort Rules
  • Basic detection is fun and easy with Snort rules
  • To detect a basic string on the network (network
    grep) you just need the content keyword
  • Detecting basic strings is easy but can result in
    false positives
  • Better method is to define more constraints under
    which the rule may fire

alert tcp any any -> any any \
  (content:"foo"; msg:"detected foo!";)
22
Getting Stateful with Snort Rules
  • Two options available for Snort rules
  • flow: check TCP session state, direction
  • flowbits: set/test/clear application state info
  • Stream4 preprocessor must be running for the flow
    keyword to work
  • Flow preprocessor must be running to enable
    flowbits
  • This rule will only fire for TCP sessions that
    are in the ESTABLISHED state and for traffic
    headed to the server

alert tcp any any -> any any \
  (flow:established,to_server; \
   content:"foo"; msg:"detected foo";)
23
Stateful Snort Rules
  • There is another type of state that can be used,
    cross-rule state
  • Uses the new flowbits keyword to set/test/clear
    bits in Snort rules
  • We can track application protocol state with
    Snort!
  • Example

alert tcp any any -> $SMTP 25 \
  (pcre:"/DATA\n/i"; \
   flowbits:set,smtp.client.mode.data; flowbits:noalert;)
alert tcp any any -> $SMTP 25 \
  (msg:"SMTP expn decode"; flow:established,to_server; \
   flowbits:isnotset,smtp.client.mode.data; ...
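As an added example (not from the slides or from the Snort project), a small Python model of the rule format on slides 18-20 and of the flow and flowbits logic on slides 22-23: it parses rules into header fields and option pairs, then runs two SMTP rules over a constructed client session so the cross-rule state is visible. The second rule's content check and the \r?\n in the pcre are my assumptions, since the slide elides the rule's tail.

```python
import re

# Rule header: action proto src sport direction dst dport, then "(options)".
HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$", re.S)
# Rule option: keyword[:argument]; where the argument may be a quoted string.
OPTION = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

def parse_rule(text):
    """Split one Snort rule into header fields and ordered (keyword, argument) options."""
    m = HEADER.match(text.replace("\\\n", " ").strip())  # join "\"-continued lines
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    header = {k: v for k, v in m.groupdict().items() if k != "opts"}
    return header, [(kw, arg.strip('"') if arg else None) for kw, arg in OPTION.findall(m["opts"])]

def run_session(rules, packets):
    """Apply rules in order to (to_server, payload) packets of one TCP session and return
    the msg of each alert; honours flow:to_server, content, pcre and flowbits only."""
    bits, alerts = set(), []                       # flowbits are per-session state
    for to_server, payload in packets:
        for _header, opts in rules:
            matched, alert, actions = True, True, []
            for kw, arg in opts:
                if kw == "flow" and "to_server" in arg and not to_server:
                    matched = False
                elif kw == "content":
                    matched = matched and arg in payload
                elif kw == "pcre":
                    pat, flags = arg.rsplit("/", 1)
                    matched = matched and bool(re.search(pat[1:], payload, re.I if "i" in flags else 0))
                elif kw == "flowbits":
                    op, _, name = arg.partition(",")
                    if op == "noalert": alert = False
                    elif op in ("isset", "isnotset"): matched = matched and ((name in bits) == (op == "isset"))
                    else: actions.append((op, name))  # set/unset is applied only if the rule matches
            if matched:
                for op, name in actions: (bits.add if op == "set" else bits.discard)(name)
                if alert: alerts.append(dict(opts).get("msg", "<no msg>"))
    return alerts

# Constructed rules modelled on slide 23; the second rule's elided tail is an assumption.
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> $SMTP 25 (pcre:"/^DATA\\r?\\n/i"; flowbits:set,smtp.client.mode.data; flowbits:noalert;)',
    'alert tcp any any -> $SMTP 25 (msg:"SMTP expn decode"; flow:established,to_server; '
    'flowbits:isnotset,smtp.client.mode.data; content:"EXPN";)')]
# Constructed client turns: EXPN as a command, then DATA, then EXPN inside the message body.
SESSION = [(True, "EXPN root\r\n"), (True, "DATA\r\n"), (True, "Subject: EXPN root\r\n")]
```

run_session(RULES, SESSION) fires once, for the EXPN command; the EXPN inside the message body is suppressed because the first rule has set smtp.client.mode.data.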
24
Regular Expressions
  • Snort supports PCRE - powerful regular expression
    payload analysis
  • Use with care
  • Maintainability, performance issues

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND bad file attachment"; \
  flow:to_server,established; \
  content:"Content-Disposition|3A|"; nocase; \
  pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[dfx])|c(h[om]|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s[ip])|p(p[st]|if|lm|ot)|r(eg|tf)|s(cr|h[ys]|wf)|v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[stw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]/iR"; \
  classtype:suspicious-filename-detect; \
  sid:721; rev:7;)
25
Managing Output
26
Snort Output
  • Two basic types
  • Alerts are for real-time notification
  • Logs are for forensics
  • Several alert/log output types available
  • Alert: syslog, text, database, unified
  • Log: text, pcap, database, unified, CSV
  • Performance is a big deal in the output subsystem
  • Low performance = dropped packets
  • Snort's unified format was designed specifically
    for high-performance output
  • Pcap format is for cross-platform analysis

27
Unified Output
  • Unified output is setup for high performance and
    flexibility
  • Unified format can be converted to any of the
    other formats (DB, pcap, XML, etc)
  • Barnyard is used to process unified files
  • http://www.snort.org/dl/barnyard/barnyard-0.2.0.tar.gz
  • Input/output plugins
  • Input: alert, log, stream (flow data)
  • Output: DB, CSV, syslog, pcap, SGUIL, text, XML

28
Output Futures
  • Unified/Barnyard are the future of Snort output
    generation
  • Performance is the number one concern of the
    sensor process
  • Unified2 coming soon, barnyard will change to suit
  • Most complex post-processing should move into
    Barnyard

29
Current & Future Developments
  • New portscan detector
  • Uses rate-based and backscatter methods to detect
    portscans
  • New IP defragmenter (frag3)
  • Target-based, very hard to evade or confuse, high
    performance
  • New TCP Stream Reassembler (stream5)
  • Target-based, high performance
  • New data acquisition frontend
  • Modular, extensible
  • New decoder architecture
  • Modular, extensible, easier to add protocols to
    Snort
  • Additional layer-7 preprocessing
  • Better protocol anomaly detection, more protocols
    normalized, enable new protocol-specific
    detection keywords
  • Target-based detection engine

30
Questions & Answers
www.sourcefire.com 800 917 4134