Pre processors. Detection Engine

Transcription

1 Packet Decoder Pre processors Detection Engine Logging and Alerting System Output Modules Filesystem Syslog Database XML Firewall config

2 You should know how the rules are constructed in order to fully understand the alerts tune and adapted rules to the local site write your own rules

3 [**] [1:2189:3] BAD-TRAFFIC IP Proto 103 PIM [**] 1 Generator ID, what component of Snort generated this alert (1 = rule) 2189 Snort ID, sid Rule-based SIDs are written directly into the rules with the sid option. 3 Revision ID. When writing signatures, each rule increments this number with the rev option.

4 # cat /etc/snort/gen-msg.map # $Id$ # GENERATORS -> msg map # Format: generatorid alertid MSG 1 1 snort general alert 2 1 tag: Tagged Packet 3 1 snort dynamic alert spp_can: Portscan Detected spp_can: Portscan Status spp_can: Portscan Ended spp_minfrag: minfrag alert http_decode: Unicode Attack

5 is made of a rule header and rule options Action Protocol IP port -> IP port (rule options) Action Protocol IP port <> IP port (rule options) where the arrows specifies one-directional or bi-directional. alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"exploit ssh CRC32 over NOOP"; :to_server,established; content:" "; reference:bugtraq,2347; reference:cve, ; reference:cve, ; classtype:shellcode-detect; sid:1326; rev:6;)

6 Action Protocol IP port -> IP port Action Protocol IP port <> IP port Action field What to do with the packet. alert Write an entry in the alert file and log the packet log Just log the packet pass Drop this packet from further inspection activate Alert and turn on other (dynamic) rules dynamic Idle until triggered by an activate rule; then start logging

7 Snort IPS action Snort field Snort needs help from Iptables drop Tell iptables to drop the packet and log it via usual Snort means reject Tell iptables to drop the packet, log it via usual Snort means, and send a TCP reset if the protocol is TCP or an icmp port unreachable if the protocol is UDP sdrop The sdrop rule type will tell iptables to drop the packet. Nothing is logged

8 Action Protocol IP port -> IP port Action Protocol IP port <> IP port Protocol field TCP, UDP, IP or ICMP IP IP address fields One or more single IP s or subnets given by CIDR notation any any host A single host [ /24] All the hosts to (the 24 first bits) [ , /24] list of IP s! Not this address

9 Action Protocol IP port -> IP port Action Protocol IP port <> IP port Direction Indicator Specifies destination and source IP an one-directional -> : src-ip src-port -> dest-ip dest-port bi-directional <> : IP port <> IP port Port fields Source and destination port fields represented as static port 21 any any port 21:25 21, 22, 23, 24 and 25!80 not port 80 :1023 less than or equal : greater than or equal 1024

10 alert tcp any any -> /24 any (content: "HTTP"; offset: 4; msg: "HTTP matched";) alert icmp $HOME_NET any -> any any (msg:"icmp PING CyberKit 2.2 Windows"; content:" aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ";itype:8;depth:32; reference:arachnids,154; sid:483; classtype:misc-activity; rev:2;) content Matches ASCII-text within and binary patterns in hexadecimal form 00 FA within a pair of bar symbols. The options offset, depth, regex and nocase relates to content. uricontent Like content, but matches the content of the uri only. The options offset, depth, regex and nocase then relates to uricontent only. (run snort with -k none if no alerts) msg Writes an alert message (msg: Trouble! ;) depth:x Specifies how far into a packet Snort should search for the specified pattern offset:x Ignore x first characters pcre: /REGEXP/ Perl Compatible Regular Expression

11 alert tcp any any -> /24 any (content: "HTTP"; offset: 4; msg: "HTTP matched";) alert icmp $HOME_NET any -> any any (msg:"icmp PING CyberKit 2.2 Windows"; content:" aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ";itype:8;depth:32; reference:arachnids,154; sid:483; classtype:misc-activity; rev:2;) flags Matches flags. SF = just S and F. SF+ = S and F and any others. SF = any combination of SF set (flags: SF;) dsize Size of data (dsize: > 6000;) resp Active respons, must be used with care! (resp: rst_all;) resets the connection in both directions.