Cheat Sheet : Snort

Snort is an intrusion detection system (available free, with a paid rule subscription) that also works as a packet logger and a packet sniffer. Snort ships with built-in rules plus community rules submitted by the security industry; the paid version gives you more of these and gets them to you sooner:

* SNORT: there are 3 modes: packet sniffer, packet logger and IDS.

* To start Snort in sniffer mode, start the snort service, then open a terminal and type: snort -v

* Ping another computer and watch Snort capture that ICMP traffic.
* SNORT RULES:

a. A very simple one to start with is: log tcp any any -> 192.168.3.0/24 23
This says: log any TCP packet from any IP and any port to the destination network 192.168.3.0/24 on destination port 23.

b. You can add messages too. Say someone is trying to reach telnet on your network: alert tcp any any -> any 23 (msg:"hey, this fool's trying to use telnet!";)
(Rules need straight ASCII quotes; curly quotes pasted from a word processor will not parse.)

c. A rule can also be bidirectional, matching telnet traffic leaving or arriving: log tcp any any <> any 23

d. DEMO: let's write a simple YouTube rule that flags any incoming or outgoing connection to www.youtube.com with the message "you're on youtube!":
alert tcp any any -> any any (content:"www.youtube.com"; msg:"you're on youtube!"; sid:1000002; rev:1;)
Save it under the rules folder as youtube.rules. Open your snort.conf, scroll down to the includes, add an include line for youtube.rules and save. Start the snort service, then bring up a terminal and run: snort -q -A console -i eth0 -c /etc/snort/snort.conf
Now open a browser, go to YouTube and watch for the alert.
 

Demo for the students in the ilabs: have them create a new rule file called testrule.rules containing: alert tcp 10.10.10.7 any -> any any (msg:"hey this is traffic from 10.10.10.7"; sid:1000006; rev:1;)
Save it in the rules folder, then run the command above to start Snort. Then start the Apache server on bt5, go over to win7, bring up a browser and go to 10.10.10.55 (the bt5 website). Now go back and look at the Snort output.
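The two demos above follow the same three steps: write a local rules file, add its include line to snort.conf, then start Snort against that config. The helper below is an added example, not part of Snort or of this post, that scripts those steps with the checks worth doing before going live: every sid must be in the local range and not already used by another rules file in the directory, the include line is only appended once, and the config is validated with Snort's built-in self-test (snort -T) before the service is restarted. The function names, the temporary layout built by demo(), and the /etc/snort-style paths are assumptions of this example.

```python
"""Rule-deployment helper for the steps on this page (added example, not Snort code).
Checks sid range and uniqueness, adds the include line to snort.conf only once,
and runs Snort's config self-test when snort is installed.  Paths are parameters;
the /etc/snort layout is only an assumption of the demo."""
import os
import re
import shutil
import subprocess
import tempfile

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
LOCAL_SID_MIN = 1_000_000  # Snort reserves sids below 1,000,000 for its own rule sets


def sids_in_dir(rules_dir):
    """Map every sid found in *.rules under rules_dir to the file that defines it."""
    seen = {}
    for name in sorted(os.listdir(rules_dir)):
        if name.endswith(".rules"):
            with open(os.path.join(rules_dir, name)) as fh:
                for sid in SID_RE.findall(fh.read()):
                    seen.setdefault(int(sid), name)
    return seen


def write_rules_file(rules_dir, name, rules):
    """Write rules to rules_dir/name after checking every sid is local and unused."""
    used = {s: f for s, f in sids_in_dir(rules_dir).items() if f != name}
    batch = set()
    for rule in rules:
        m = SID_RE.search(rule)
        if not m:
            raise ValueError("rule has no sid: " + rule)
        sid = int(m.group(1))
        if sid < LOCAL_SID_MIN:
            raise ValueError("sid %d is below the local range (>= %d)" % (sid, LOCAL_SID_MIN))
        if sid in used or sid in batch:
            raise ValueError("sid %d already defined in %s" % (sid, used.get(sid, name)))
        batch.add(sid)
    path = os.path.join(rules_dir, name)
    with open(path, "w") as fh:
        fh.write("\n".join(rules) + "\n")
    return path


def ensure_include(snort_conf, include_line):
    """Append the include line to snort.conf unless already present; True if added."""
    with open(snort_conf) as fh:
        present = include_line.strip() in (line.strip() for line in fh)
    if present:
        return False
    with open(snort_conf, "a") as fh:
        fh.write(include_line.strip() + "\n")
    return True


def validate_config(snort_conf, interface="eth0"):
    """Run Snort's self-test (-T) on the config; None when snort is not on PATH."""
    if shutil.which("snort") is None:
        return None
    proc = subprocess.run(["snort", "-T", "-i", interface, "-c", snort_conf],
                          capture_output=True, text=True)
    return proc.returncode == 0


def demo():
    """Exercise the helpers in a throwaway directory (a constructed layout, not /etc/snort)."""
    root = tempfile.mkdtemp()
    rules_dir = os.path.join(root, "rules")
    os.mkdir(rules_dir)
    conf = os.path.join(root, "snort.conf")
    with open(conf, "w") as fh:
        fh.write("var RULE_PATH rules\n")
    # a pre-existing file already owns sid 1000006 (the ilabs test rule above)
    with open(os.path.join(rules_dir, "testrule.rules"), "w") as fh:
        fh.write('alert tcp 10.10.10.7 any -> any any '
                 '(msg:"hey this is traffic from 10.10.10.7"; sid:1000006; rev:1;)\n')
    results = {}
    write_rules_file(rules_dir, "youtube.rules", [
        'alert tcp any any -> any any (content:"www.youtube.com"; '
        'msg:"you\'re on youtube!"; sid:1000002; rev:1;)'])
    results["written"] = "youtube.rules" in os.listdir(rules_dir)

    def rejected(rule):
        try:
            write_rules_file(rules_dir, "bad.rules", [rule])
        except ValueError:
            return True
        return False

    results["dup_sid_rejected"] = rejected('alert tcp any any -> any 23 (msg:"dup"; sid:1000006;)')
    results["low_sid_rejected"] = rejected('alert tcp any any -> any 23 (msg:"low"; sid:999;)')
    results["include_added"] = ensure_include(conf, "include $RULE_PATH/youtube.rules")
    results["include_again"] = ensure_include(conf, "include $RULE_PATH/youtube.rules")
    results["validated"] = validate_config(conf)
    shutil.rmtree(root)
    return results
```

Run demo() to see the checks fire: the duplicate sid and the sid below the local range are refused before anything is written, the include line is added exactly once, and validate_config returns None on a machine without Snort instead of pretending the config passed.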


* alert generates an alert, then logs the packet

* log logs the packet

* pass drops (ignores) the packet

* sid stands for Snort rule ID. It's recommended to start your custom rules at 1000001 and higher to prevent any overlap with existing rules.

* You can write a pass rule to get rid of false positives. Ex.: pass ip 192.168.3.13 any -> any any will ignore traffic from 192.168.3.13 (the protocol field is required; ip covers every protocol).
 

* Some general Snort rule options:

i. msg: (msg:"the message";)

ii. reference: (reference:<id system>,<id>;)
An example would be reference:arachnids,IDS411;
The id system can be one of:

1. bugtraq (securityfocus.com)
2. cve (cve.mitre)
3. nessus
4. mcafee
5. arachnids (currently down)
6. osvdb
7. url (http://....)

iii. sid: (sid:1000002; rev:1;) uniquely identifies a Snort rule

iv. rev: the revision of the Snort rule, see above

v. classtype: (classtype:attempted-recon;) consult http://manual.snort.org/node31.html

vi. priority: (priority:10;)
 

* Snort payload rule options:

i. content: (content:"|5000 45e0|";) and so on. Bytes written in hex go between pipes; plain text goes outside them, e.g. content:"www.youtube.com";

ii. offset and depth tell Snort where in the payload to look for a signature, e.g. (offset:4; depth:20;). A depth of 5 tells Snort to look for the specified pattern only within the first 5 bytes of the payload, whereas an offset of 5 tells Snort to look for the specified pattern after the first 5 bytes of the payload.

* Snort non-payload rule options:

i. ttl


* More Snort examples:

i. Log UDP traffic coming from any port to destination ports 1 through 1024: log udp any any -> 192.168.3.0/24 1:1024

ii. Log TCP traffic from privileged ports (less than or equal to 1024) going to ports greater than or equal to 500: log tcp any :1024 -> 192.168.1.0/24 500:

iii. A rule starting alert tcp !192.168.3.5 any -> basically says: alert on every source IP address except 192.168.3.5

Detecting a simple signature:
alert tcp 192.168.1.6 any -> 192.168.1.5 139 \
(msg:"Possible SMBDie Attempt"; content:"|5c 50 49 50 45|"; sid:1000000;)
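To make the header and option semantics on this page concrete (CIDR and "!" negation, the :1024 / 500: / 1:1024 port forms, the <> direction, hex content between pipes, offset and depth, and the way a pass rule suppresses an alert), here is a small rule matcher written as an added example. It is not Snort's code and deliberately covers only the syntax used on this page; packets are dicts constructed inline rather than real captures. It assumes option values contain no ';' or ')', that depth is counted from the offset when both are given (which is how Snort 2 combines them), and Snort 2.9's default rule order of pass before alert before log.

```python
"""Tiny Snort 2-style rule matcher (added example; not Snort's own code).
Handles the header syntax used on this page plus the msg, content (text and
|hex|), offset, depth, sid and rev options.  Assumptions: option values contain
no ';' or ')', and depth is counted from offset as in Snort 2."""
import ipaddress
import re

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?:\((?P<opts>.*)\))?$"
)
# Snort 2.9's default rule order: pass wins over alert, alert over log.
ACTION_ORDER = ("pass", "alert", "log")


def decode_content(value):
    """content string -> bytes: text outside pipes, hex bytes inside |..|."""
    out = bytearray()
    for i, chunk in enumerate(value.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode()
    return bytes(out)


def parse_rule(text):
    """Parse one rule (backslash line continuations allowed) into a dict."""
    m = HEADER_RE.match(text.replace("\\\n", " ").strip())
    if not m:
        raise ValueError("unparsable rule: %r" % text)
    rule = m.groupdict()
    raw, rule["opts"] = rule.pop("opts") or "", {}
    for item in filter(str.strip, raw.split(";")):
        key, _, val = (s.strip() for s in item.partition(":"))
        val = val.strip('"')
        rule["opts"][key] = decode_content(val) if key == "content" else val
    return rule


def ip_matches(spec, addr):
    """'any', a host or CIDR, optionally negated with '!'."""
    if spec == "any":
        return True
    neg = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != neg


def port_matches(spec, port):
    """'any', a single port, or the N:M / :M / N: ranges, optionally negated."""
    if spec == "any":
        return True
    neg = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != neg


def content_matches(opts, payload):
    """Search only the window selected by offset (start) and depth (length)."""
    if "content" not in opts:
        return True
    window = payload[int(opts.get("offset", 0)):]
    if "depth" in opts:
        window = window[: int(opts["depth"])]
    return opts["content"] in window


def rule_matches(rule, pkt):
    """Header match (both directions for '<>') and then the content window."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False

    def header(src, sport, dst, dport):
        return (ip_matches(src, pkt["src"]) and port_matches(sport, pkt["sport"])
                and ip_matches(dst, pkt["dst"]) and port_matches(dport, pkt["dport"]))

    hit = header(rule["src"], rule["sport"], rule["dst"], rule["dport"])
    if not hit and rule["dir"] == "<>":  # bidirectional: try the reverse header too
        hit = header(rule["dst"], rule["dport"], rule["src"], rule["sport"])
    return hit and content_matches(rule["opts"], pkt.get("payload", b""))


def evaluate(rules, pkt):
    """(action, sid, msg) of the winning rule in pass-first order, or None."""
    parsed = [parse_rule(r) for r in rules]
    for action in ACTION_ORDER:
        for rule in parsed:
            if rule["action"] == action and rule_matches(rule, pkt):
                return action, rule["opts"].get("sid"), rule["opts"].get("msg")
    return None


def packet(proto, src, sport, dst, dport, payload=b""):
    """Constructed sample packet; no capture involved."""
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport, payload=payload)


# The rules from this page with ASCII quotes, plus a pass rule for a trusted host.
RULES = [
    "pass ip 192.168.3.13 any -> any any",
    'alert tcp any any -> any 23 (msg:"telnet attempt"; sid:1000001; rev:1;)',
    'alert tcp any any -> any any (content:"www.youtube.com"; msg:"youtube"; sid:1000002; rev:1;)',
    "alert tcp 192.168.1.6 any -> 192.168.1.5 139 \\\n"
    '(msg:"Possible SMBDie Attempt"; content:"|5c 50 49 50 45|"; sid:1000000;)',
    "log udp any any -> 192.168.3.0/24 1:1024",
]
```

Feeding a telnet packet from 192.168.3.13 to evaluate(RULES, ...) returns the pass rule rather than the telnet alert, which is exactly the false-positive suppression described earlier; the same packet from any other host returns the alert. The offset/depth window is the part worth experimenting with: a content of "www.youtube.com" with depth:5 never matches an HTTP request, while offset:6 plus depth:15 matches only when the host name starts at byte 6.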
