2006.02_Snort_inline as a solution_[Programming].pdf
(
595 KB
)
Pobierz
444104376 UNPDF
Snort_inline as a solution
Programming
Pierpaolo Palazzoli, Matteo Valenza
Dificulty
Using Snort_inline in many different environments and scenarios
has proved to be a winning strategy to secure internal networks,
DMZ networks or home networks. In order to work properly in the
drop mode, it should adapt to the features of the environment it
is protecting. Therefore, we will not only present its coniguration
techniques but also the ways to add a dedicated device which is
best suited for the environment we want to protect.
system (IDS), so its native functionality
implies the use of a network card listen-
ing on the trafic of a network segment.
In order for Snort_inline to parse the traf-
ic of a network segment it should be added
in a transparent way by means of two cards
in bridge mode, the inline functionality. This
inline functionality is done by appending the
trafic through iptables (
ip _ queue
). However,
this is not enough because we need to know,
through the iptables, what trafic to append.
Thanks to this Snort_inline mode, it can
behave just like any other intrusion preven-
tion system and block the connections it
receives. To act like a intrusion prevention
system, Snort should be compiled to get lex-
response enabling it to reset the trafic that
should be blocked.
To conclude, we can say that Snort_inline is
deinitely the most effective and accurate mode
available as it drops trafic on the basis of previ-
ously loaded rules.
We will presume the LAN trafic to be main-
ly client oriented. Therefore the following LAN
trafic types can be deined:
• mail, client Web, P2P, instant messenger,
spyware, malware, virus, trojan, VPN.
A common rule to all these types of IDS/IPS is
that we cannot parse encrypted trafic, so this
means no VPNs and SSL services.
Figure 1 shows the correct solution for this
type of protection, the IPS placed between the
router and the rest of the network enables us to
analyse the trafic we want to monitor or protect.
What you will learn...
• how Snort_inline works,
• the basics of intrusion prevention systems,
• how to tune Snort_inline coniguration.
What you should know...
Snort_inline for a LAN
The irst part of this article will deal with a brief
introduction of Snort_inline for a LAN.
• basic knowledge of TCP/IP under Linux,
• the fundamental principles of how an IDS
works.
22
hakin9 2/2006
www.hakin9.org
~
t
q
w
~
S
nort is basically an intrusion detection
Setting a device for particular enviornment
The bridge mode
Setting two cards in bridge mode means connecting the functionalities of these cards
to layer two making them transparent to trafic. In this mode, packets are forwarded
from one card to another enabling the trafic to pass correctly. To do this in Linux we
need to execute the following operations:
Install the
bridge-utils
-
apt-get install bridge-utils
packet, you will
need kernel 2.6, otherwise you should compile 2.4 again using the enabled
bridge module. The bridge between two network cards can be implemented as
follows:
Once the device has been prop-
erly set, we need to know the Snort
rules and the preprocessors that we
are going to use.
Let's suppose that Snort's conig-
uration ile is snort_inline.conf – for an
example, visit
www.snortattack.org/
mambo/script/snort_inline.conf
– and that it has the preprocessors
for LANs shown in Listing 1.
/usr/sbin/brctl addbr br0
/usr/sbin/brctl addif br0 eth0
/usr/sbin/brctl addif br0 eth1
/sbin/ifconig br0 up
Preprocessors for LANs
These preprocessors are described
in Listing 1. Below, we listed a brief
description of its components and
functions.
The mac address assigned to
br0
is the same address as the irst interface it was
associated to.
Scenarios for Snort_inline
It should be noted that a system aimed at blocking intrusions should be customised
and ready to adapt to any network scenario and trafic type. Using an IPS inline does
not solve every security issue, but enables to build a central, dynamic and eficient
security system.
An IPS should detect the trafic to and from a source under protection. Through
network interfaces in bridge mode, we can add the device inside the network in a trans-
parent way and therefore collect all the necessary data. To create an inline device, we
need to know every feature of the network we are protecting (from the network layer to
the application layer).
Below we will describe some examples of network segments types for which
the implementation of an inline IPS can be advantageous thus securing the whole
environment:
ClamAV
This is a type of processor installed
only if speciied during the installation
process (
--enable-clamav
). It scans for
the viruses listed in ClamAV's data-
base and makes sure they are neither
encrypted nor compressed. This pre-
processor is extremely eficient to block
e-mails that have been infected by
phishing techniques. Its functions are:
•
ports
– the ports to scan (all, 22
except 22, 110 only 110),
•
toclientonly
– it deines the traf-
ic direction,
•
action-drop
– it tells the device
how to respond to a virus,
•
dbdir
– the directory with the
database containing ClamAV's
deinitions,
•
dbreloadtime
– how long it takes
for each deinition to reload.
• internal LAN, group of clients used for browsing, mailing, messenger, P2P, etc.
(Figure 1),
• DMZ, group of servers used to provide Internet-related services (SMTP, Web, FTP,
POP3, IMAP, MySQL, etc.) (Figure 2),
• LAN + DMZ (Figure 3).
First of all, we need to set Snort_inline in IDS mode (Alert) for a time which is propor-
tioned to the network size, in other words the higher the number of hosts, the more time
we have. During this period we should:
Perfmonitor
This preprocessor enables us to
write all the statistics concerning the
performance and the trafic passage
in a text ile format, and it is funda-
mental for the correct functioning
of pmgraph, a program we will talk
about later on. This preprocessor
should also be enabled during the
installation procedure (
--enable-
perfmon
). Its functions are:
• detect failures (performance, data storing, slowing down, etc.),
• analyse the trafic to detect false positives.
By observing the collected data we can therefore change the settings and optimise
the functioning of the device. It should be noted that the implementation of an open
source IPS, compared to a commercial one, may not be as simple as it seems, so
you could have problems removing many false positives found during the irst part of
tuning procedure.
We recommend installing Snort_inline on a dedicated hardware component
and organizing systems resources properly (CPU, RAM) by applying the following
simple principles: more rules require a lot of RAM space and high trafic leads to
more CPU load.
Recent network tests have proved that to secure an ADSL connection (1280/256)
it is necessary to have a Geode at 266 MHZ 128 MB RAM (one thousand rules). For
band widths of more than 1 Mbps we recommend a pentium 4 1 GHZ 512 MB RAM
(three thousand rules).
•
time –
the time necessary to
sample the data reading,
•
File
- the path of the data ile,
•
pkcnt –
the maximum amount of
records contained in the ile.
www.hakin9.org
hakin9 2/2006
~
t
q
w
~
23
Programming
•
Stream 4
– this preprocessor
gives Snort the ability to see the
basis of the packet and where it
is generated (client or server),
to quote Martin Roesch:
I imple-
mented stream4 out of the desire
to have more robust stream
reassembly capabilities and the
desire to defeat the latest state-
less attack.
Its function are:
•
disable _ evasion _ alerts
– this option is used to disable
alerts written in
stream4
,
•
midstream _ drop _ alerts
– it
tells the preprocessor to block
the connections generated
without establishing a given
low,
•
Rpc decode
– this preprocessor
reassembles a rpc low in a sin-
gle packet to make its analysis
easier, if the
stream4
preproces-
sor is present, it will parse only
the trafic coming from the client,
•
Telnet decode
– this preprocessor
normalizes the character low of
a telnet protocol in a session. We
should specify the ports to parse.
it's UDP it sends a
icmp host un-
reachable
message and logs in a
ile or database,
•
sdrop
– it
drops
the packet through
iptables and does not log in.
In this case, the purpose of this rule
is to block
miosito.com
, it is part of a
rule set written to block trafic to on-
line casino sites which do not comply
to national laws. The drop function
sets the action that the iptables
must perform as soon as the rule is
detected.
drop tcp $home_net any ->
any $http ports (
msg:"snortattack-italian-law";
low:established;content: "miosito.com";
classtype:policy-violation;
reference:url,
www.snortattack.net;
)
Figure 1.
Setting the device on a
LAN
The purpose of the settings men-
tioned in Listing 2 is to control p2p
applications, protect from inside
attacks (which amount to nearly
70% of all attacks), and especially
select the content viewed by internal
hosts.
Flow
This preprocessor is required to en-
able other preprocessors to function
such as
lowbits detection plug-in
and
low-portscan
. Basically, the Flow
preprocessor allows Snort to keep
data acquisition mechanisms. Its
functions are:
Rules for LANs
Once we deined the preprocessors,
Snort needs to set the rules in the
coniguration ile. There are many
different rules:
Snort_inline on a DMZ
The second part of this article will
deal with a brief introduction of
Snort_inline on a DMZ.
As said beforehand, the pre-
sumed traffic taken into account
in a DMZ will mainly be server ori-
ented traffic. Therefore we are able
to define the following DMZ traffic
types: mailing, server web, data-
base server, application server,
virus, VPN.
Setting a device is a possible
solution for this type of network
•
alert
– generates an alert mes-
sage and then logs it in a ile or a
database,
•
log
– it logs in a ile or database,
•
pass
– it ignores the trafic it has
found,
•
drop
– it
drops
the packet through
iptables and logs it in the ile or
database,
•
reject
– if it's TCP it
resets
the
connection through iptables, if
•
stats _ interval
– this parameter
speciies the time interval ex-
pressed in seconds in which we
want Snort to dump the statistics
in stdout,
•
Hash
– this parameter speciies the
hash method, using the value 1 we
deine a hash by byte, the value 4
we deine a hash by integer,
Listing 1.
Recommended preprocessors for LANs
preprocessor perfmonitor: time 60 ile/var/log/snort/perfmon.txt pktcnt 500
preprocessor low:stats_interval 0 hash 2
preprocessor stream4_reassemble: both
preprocessor stream4: disable_evasion_alerts
midstream_drop_alerts
preprocessor clamav:ports all !22 !443,toclientonly, action-drop,dbdir /var/lib/clamav,dbreload-time 43200
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
24
hakin9 2/2006
www.hakin9.org
~
t
q
w
~
Setting a device for particular enviornment
segment. This time, the IPS is placed
between the router and the DMZ.
Listing 2.
List of useful rules to protect a LAN:
Preprocessors for DMZ
networks
The only preprocessor that changes
its settings is Clamav, it is important
you deine the
toserveronly
parame-
ter to select only the trafic addressed
to the servers. See Listing 3.
The preprocessor
frag3
replaces
the
frag2
required to reconstruct the
data low due to transmission frag-
mentation.
#General
include
/
etc
/
snort_inline
/
rules
/
bleeding
.
rules
#Mostly Spyware
include
$
RULE_PATH
/
bleeding
-
malware
.
rules
include
$
RULE_PATH
/
malware
.
rules
include
$
RULE_PATH
/
spyware
-
put
.
rules
#Exploits and direct attacks
include
$
RULE_PATH
/
exploit
.
rules
include
$
RULE_PATH
/
bleeding
-
exploit
.
rules
include
$
RULE_PATH
/
community
-
exploit
.
rules
#DOS
include
$
RULE_PATH
/
dos
.
rules
include
$
RULE_PATH
/
ddos
.
rules
include
$
RULE_PATH
/
bleeding
-
dos
.
rules
#Web issues
include
$
RULE_PATH
/
web
-
client
.
rules
include
$
RULE_PATH
/
community
-
web
-
client
.
rules
#Mail sigs
include
$
RULE_PATH
/
community
-
mail
-
client
.
rules
#Trojans, Viruses, and spyware
include
$
RULE_PATH
/
virus
.
rules
include
$
RULE_PATH
/
bleeding
-
virus
.
rules
include
$
RULE_PATH
/
community
-
virus
.
rules
#Peer to peer
include
$
RULE_PATH
/
p2p
.
rules
include
$
RULE_PATH
/
bleeding
-
p2p
.
rules
Rules for DMZ networks
Once all preprocessors have been
deined, Snort needs some rules and
below you will ind some of their ap-
plications:
•
max _ frags
– the maximum
number of traceable fragments,
•
policy
– it selects the fragmen-
tation method, the methods
available are irst, AST, BSD,
BSD-right, Linux. It uses bsd as
its default method,
•
detect _ anomalies
– it detects
fragmentation failures.
Postgres, etc. These tools are differ
from one another and are written in
different languages but they basical-
ly do the same thing. They are ACID,
BASE, PLACID, SNORT REPORT,
SGUIL etc.
The rules recommended for a DMZ
network are shown in Listing 4.
Snort on a mixed
network
As for adding a device on a mixed
network shown in Figure 3, we sug-
gest the following settings.
Preprocessors for a mixed net-
work are shown in Listing 5 and its
rules are listed in Listing 6a and 6b.
The purpose of these settings is
to control viruses, protect the ma-
chine from external attacks aimed
at blocking exploits targeted to
services.
We will explain the different at-
tack techniques using practical ex-
amples later.
Attack monitoring and
rule management
The front ends we will analyse and
describe are database-based, in fact
all Snort results will be stored in a
different type of databases: MySQL,
Figure 2.
An example of a DMZ network
www.hakin9.org
hakin9 2/2006
~
t
q
w
~
25
Programming
Listing 3.
A list of preprocessors for a DMZ network
will guide you in the creation of the
required tables and allow you to use
the application.
Preprocessors for a DMZ
preprocessor perfmonitor: time 60 ile /var/log/snort/perfmon.txt pktcnt 500
preprocessor low: stats_interval 0 hash 2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy irst detect_anomalies
preprocessor stream4: disable_evasion_alerts detect_scans inline_state
preprocessor stream4_reassemble: both
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor clamav: ports 25 80, toserveronly, action-drop, dbdir /var/lib/
clamav, dbreload-time 43200
tar -zxvf base-1.2.4.tar.gz
mv base-1.2.4 base
mv base /var/www
chown apache. /var/www/base
PLACID
Just like BASE, PLACID is written
in Python and is a database-based
event viewer. It performs the same
functions as BASE but it has been
proved to be faster with larger da-
tabases. Installing PLACID is not
so simple, you will need to install
Python 2.3 and specify some fun-
damental parameters in the Apache
coniguration ile to make it work
properly:
Developed in PHP or Python,
these tools are fundamental for a
good IPS/IDS as it is fundamental
to know what is happening to our
device and our network. These front
ends are very simple to install, all
you have to do is to unpack and edit
the related coniguration ile with the
parameter to connect to the Snort
database.
Here, we decided to take a look
into BASE and PLACID.
The former is a derivation of
ACID (Analysis Console for Intrusion
Database), BASE stands for Basic
Analysis and Security Engine project
(see Figure 4). It is a tool to browse
and parse the contents of Snort's
database, which is written in PHP.
The strength of this tool relies on
the many research options and the
ability to group alerts based on their
IP addresses and other parameters
such as time or rule.
The basic implementation is
semi-automated, all you need to
do is extract the contents in
tar.gz
in the Apache default directory (
/
var/www/
) change the owner of the
Apache folder and go to the irst
level of the directory using your
browser. An automated procedure
Addheandler cgi-script .cgi .sh .pl .py
<Directory /var/www/placid>
Options ExecCGI
</Directory>
Also, edit PLACID's coniguration ile
for the parameters to connect to the
database:
tar -zxvf placid-2.0.3.tar.gz
mv placid-2.0.3 placid
mv placid /var/www
chmod +x /var/www/
placid/placid.py
vi /var/www/placid/
placid.cfg
dbhost=localhost
db=snort
passwd=password
user=snort
port=3306
resolvedns=yes
entrieslimit=300
debug=no
eventaltviews=yes
Listing 4.
List of rules recommended for a DMZ
include
$
RULE_PATH
/
bad
-
trafic
.
rules
include
$
RULE_PATH
/
exploit
.
rules
include
$
RULE_PATH
/
scan
.
rules
include
$
RULE_PATH
/
dos
.
rules
include
$
RULE_PATH
/
ddos
.
rules
include
$
RULE_PATH
/
dns
.
rules
include
$
RULE_PATH
/
web
-
cgi
.
rules
include
$
RULE_PATH
/
web
-
iis
.
rules
include
$
RULE_PATH
/
web
-
misc
.
rules
include
$
RULE_PATH
/
web
-
php
.
rules
include
$
RULE_PATH
/
community
-
web
-
php
.
rules
include
$
RULE_PATH
/
netbios
.
rules
include
$
RULE_PATH
/
attack
-
responses
.
rules
include
$
RULE_PATH
/
mysql
.
rules
include
$
RULE_PATH
/
virus
.
rules
include
$
RULE_PATH
/
web
-
attacks
.
rules
include
$
RULE_PATH
/
backdoor
.
rules
include
$
RULE_PATH
/
bleeding
-
virus
.
rules
include
$
RULE_PATH
/
bleeding
-
attack_response
.
rules
include
$
RULE_PATH
/
bleeding
-
dos
.
rules
include
$
RULE_PATH
/
bleeding
-
exploit
.
rules
include
$
RULE_PATH
/
bleeding
-
malware
.
rules
include
$
RULE_PATH
/
bleeding
-
scan
.
rules
include
$
RULE_PATH
/
bleeding
-
web
.
rules
include
$
RULE_PATH
/
community
-
exploit
.
rules
include
$
RULE_PATH
/
community
-
ftp
.
rules
include
$
RULE_PATH
/
community
-
web
-
misc
.
rules
include
$
RULE_PATH
/
community
-
smtp
.
rules
In order to update the rules automati-
cally we recommend using Oinkmas-
ter, a program written in Perl, which
enables us to keep our rules updated
by downloading its source codes:
Snort VRT, Snort community, bleed-
ing-snort community, third party and
own (local) rules.
Below are the coniguration in-
structions for Oinkmaster:
26
hakin9 2/2006
www.hakin9.org
~
t
q
w
~
Plik z chomika:
Kapy97
Inne pliki z tego folderu:
2006.02_Snort_inline as a solution_[Programming].pdf
(595 KB)
2005.05_Linux shellcode optimisation_[Programming].pdf
(1339 KB)
Inne foldery tego chomika:
Atak
Cisco
Consumer test
eMail
Exploits
Zgłoś jeśli
naruszono regulamin