Traffic Analysis 3-1
Traffic Analysis
Dr. G. A. Marin
Packet Dissection with TCPDUMP
TCPDUMP gives the most information, and so does Ethereal, but sometimes you want to look at the hex data directly.
Example in Chapter 7 (sidestep program).
Basics:
• You need the right header formats: IP, TCP, ICMP, etc.
• Use tcpdump -x to obtain hex (or use Ethereal).
• The Ethernet header usually appears as the first 14 bytes in Ethereal output.
• The Ethernet header must be requested from tcpdump with the -e flag.
• First six bytes (after the line number) are the destination MAC.
• Next six bytes are the source MAC.
• The 15th byte, "45", begins the IP header: version = 4 and header length = 5 words = 20 bytes.
• The IP header is described in RFC 791.
• Next byte "00" is ToS.
• Next two bytes "00 3c" are the total length = 60.
• Two bytes "2a a6" = 10918 for the packet ID.
• Two bytes "00 00" hold 3 bits of fragmentation flags and 13 bits of fragment offset.
• One byte "80" = 128 TTL.
• One byte "01" = ICMP for protocol.
• Two bytes "5d d8" for the header checksum.
• 32 bits "c0 a8 00 64" = 192.168.0.100 for the source address.
• 32 bits "84 aa 6c 8c" = 132.170.108.140 for the destination address.
• Then ICMP Type = 8 and Code = 0, which means echo request (ping).
• READ TEXT CHAPTER 7 FOR OTHER EXAMPLES AND SUGGESTIONS.
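As an added worked example (not from the slides or the textbook), this Python dissects the same echo-request header the slide walks through by hand; the bytes are the slide's values typed in as a constructed sample, and the code also verifies that the slide's checksum 5d d8 is correct for those fields.

```python
import socket
import struct

# Constructed from the byte values walked through on the slide above (the
# slide's "co a8 00 64" is read as c0 a8 00 64): the IPv4 header plus the
# first two ICMP bytes of the echo request.
SLIDE_PACKET = bytes.fromhex(
    "45 00 00 3c 2a a6 00 00 80 01 5d d8 c0 a8 00 64 84 aa 6c 8c 08 00"
)


def ones_complement_sum(data: bytes) -> int:
    """Add the data as 16-bit words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ip_checksum_ok(header: bytes) -> bool:
    """Summing a header that includes a correct checksum yields 0xFFFF."""
    return ones_complement_sum(header) == 0xFFFF


def parse_ip_header(pkt: bytes) -> dict:
    """Dissect the IPv4 header the way the slide does by hand, field by field."""
    if len(pkt) < 20:
        raise ValueError("truncated: fewer than 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version = ver_ihl >> 4
    ihl_bytes = (ver_ihl & 0x0F) * 4        # header length is in 32-bit words
    if version != 4:
        raise ValueError(f"not IPv4: version {version}")
    if ihl_bytes < 20 or len(pkt) < ihl_bytes:
        raise ValueError("bad header length")
    return {
        "version": version,
        "header_len": ihl_bytes,
        "tos": tos,
        "total_length": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),   # second of the 3 flag bits
        "mf": bool(flags_frag & 0x2000),   # third of the 3 flag bits
        "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,
        "checksum": csum,
        "checksum_ok": ip_checksum_ok(pkt[:ihl_bytes]),
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "has_options": ihl_bytes > 20,
    }


def describe_icmp(fields: dict, pkt: bytes) -> str:
    """Name the ICMP type/code that follows the header (protocol 1 only)."""
    if fields["protocol"] != 1:
        return "not ICMP"
    icmp = pkt[fields["header_len"]:]
    if len(icmp) < 2:
        return "ICMP header truncated"
    names = {(8, 0): "echo request (ping)", (0, 0): "echo reply (ping)",
             (3, 3): "destination port unreachable"}
    return names.get((icmp[0], icmp[1]), f"ICMP type {icmp[0]} code {icmp[1]}")


if __name__ == "__main__":
    f = parse_ip_header(SLIDE_PACKET)
    for k, v in f.items():
        print(f"{k:>13}: {v}")
    print(describe_icmp(f, SLIDE_PACKET))
```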
NIDS Insertion Attack
Idea: insert an extra packet (which the NIDS receives but the target does not) to confuse the pattern-matching algorithms on the IDS.
Do it in such a way that the target host won't see the extra packet(s).
Good example in the text: suppose a hacker has established a backdoor account (REWT) on the target machine. The IDS knows to look for an attempted log-in to REWT on port 23 (telnet). The hacker sends "R" in a correctly formatted packet, followed by "O" in a packet with an invalid TCP checksum. The "O" is accepted by the IDS but not by the target host. The hacker then follows with "EWT", which the IDS does not detect because "ROEWT" is harmless. But the host sees a connection to "REWT".
NIDS Evasion Attack
Same idea, but insert an extra packet that the target host sees but the NIDS does not. For example, it is possible to include data in the opening SYN packet. The NIDS might not be programmed to accept it; the destination host does. In this case send "R" in the SYN and "EWT" in the first data packet.
Interpreting IP Header Fields
The version number should be 4 or 6. A packet with an invalid version should be "silently discarded" (RFC 1121).
A hacker won't learn anything by sending another value unless the router, NIDS, or target does not comply with the RFC. If one can determine that the NIDS forwards these to the destination, then an insertion attack can use this technique.
Protocol Number
The list is available at www.iana.org/assignments/protocol-numbers.
Later we will cover use of the nmap -sO option. Note that nmap assumes a protocol is listening if it does not receive an ICMP protocol unreachable.
A firewall may block this.
DF Flag
We've covered the function. You may see particular TCP/IP stacks sending "discovery" frames with the DF flag set (to a new destination) to try to determine the MTU along the path. Some stacks set DF on particular packets, and nmap uses this as a technique for identifying operating systems. If a packet arrives at a NIDS from a network with a larger MTU, then the DF flag may prevent the NIDS from forwarding it to the target host. This technique can be used for an insertion attack.
MF Flag
We've covered the function. One fingerprinting technique is to send an incomplete fragmentation to a listening port. Receipt of the first fragment sets a timer, which will eventually time out if no final fragment is received. The timeout response may characterize the stack.
IP Address Considerations
An internal address entering your network from an external interface is probably spoofed. (The firewall should block it.)
You should not see packets with private addresses arriving from outside the network:
The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
We will refer to the first block as "24-bit block", the second as "20-bit block", and to the third as "16-bit" block. Note that (in pre-CIDR notation) the first block is nothing but a single class A network number, while the second block is a set of 16 contiguous class B network numbers, and third block is a set of 256 contiguous class C network numbers.
IP ID Number
A new number is generated for each datagram sent.
Usually incremented by 1, but may be 254. Should wrap at 65,535.
If one observes packets from seemingly unrelated sources that follow a standard increment procedure across the different sources, this may be a sign of spoofing. A string of packets with identical IDs also suggests an attack.
Time to Live
Initial values depend on the TCP/IP stack used; values are given in the textbook. It is interesting to estimate whether a suspicious-looking packet seems to be coming from the right distance.
Estimate the starting value with table 8.1 and then get your own estimate of the hop count with traceroute.
Many different sources arriving with the same TTL value may be a sign of an attack. Some tools randomize TTL. NOTE: Read the TTL & IP ID case study.
Embedded Protocol Headers - TCP
Ports: two 16-bit fields ranging 1-65,535.
In a scan the source port may increment regularly (for example by 1). The destination port may be randomized (irregular).
If you see many SYNs with a constant source port, this is also likely to be a scan (nmap).
Note that scans to port 0 are immediately suspicious and are likely looking for resets to determine whether a host is alive at that address.
TCP and UDP Checksums
Computed over the pseudo-header, the TCP (or UDP) header, plus the data.
Note the pseudo-header in Figure 9.1:
• Source and destination IP addresses
• 1 byte zero pad
• 1 byte protocol field
• 2 bytes TCP length (TCP header plus data)
Uses the same 1's complement arithmetic over 16-bit fields as the IP header checksum, and includes the pseudo-header.
• May catch an IP destination address corruption that occurs within a router.
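An added example, not from the slides or the textbook, that computes and verifies a TCP and a UDP checksum over the pseudo-header listed above; the addresses, ports and payload are constructed sample values, and the last check shows the slide's point that a corrupted destination address is caught by the transport checksum.

```python
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, proto: int, length: int) -> bytes:
    """The 12-byte pseudo-header from the slide: src, dst, zero, protocol, length."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, proto, length))


def _csum_offset(proto: int) -> int:
    # The checksum field is at byte 16 of a TCP header, byte 6 of a UDP header.
    if proto == 6:
        return 16
    if proto == 17:
        return 6
    raise ValueError("proto must be 6 (TCP) or 17 (UDP)")


def transport_checksum(src_ip, dst_ip, proto, segment: bytes) -> int:
    """Checksum over pseudo-header + header + data with the checksum field zeroed."""
    off = _csum_offset(proto)
    zeroed = segment[:off] + b"\x00\x00" + segment[off + 2:]
    csum = 0xFFFF - ones_complement_sum(
        pseudo_header(src_ip, dst_ip, proto, len(segment)) + zeroed)
    if proto == 17 and csum == 0:
        csum = 0xFFFF   # UDP: 0 means "no checksum", so a computed 0 is sent as 0xFFFF
    return csum


def with_checksum(src_ip, dst_ip, proto, segment: bytes) -> bytes:
    """Return the segment with its checksum field filled in."""
    off = _csum_offset(proto)
    csum = transport_checksum(src_ip, dst_ip, proto, segment)
    return segment[:off] + struct.pack("!H", csum) + segment[off + 2:]


def checksum_ok(src_ip, dst_ip, proto, segment: bytes) -> bool:
    """Verify as the receiver does, with the addresses taken from the IP header."""
    off = _csum_offset(proto)
    stored = struct.unpack("!H", segment[off:off + 2])[0]
    if proto == 17 and stored == 0:
        return True     # the UDP sender chose not to checksum
    return transport_checksum(src_ip, dst_ip, proto, segment) == stored


def build_tcp(sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """20-byte TCP header (data offset 5, window 8192) followed by the payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       5 << 4, flags, 8192, 0, 0) + payload


def build_udp(sport, dport, payload=b"") -> bytes:
    """8-byte UDP header (length covers header + data) followed by the payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


# Constructed sample: a data segment between the two hosts of the dissection
# slide, later checked as if a router had corrupted the destination address.
# Routers recompute the IP header checksum on every hop (the TTL changes), so
# only the end-to-end transport checksum, via the pseudo-header, notices.
SRC, DST, BAD_DST = "192.168.0.100", "132.170.108.140", "132.170.108.141"
TCP_SEG = with_checksum(SRC, DST, 6, build_tcp(47322, 80, 1000, 2000, 0x18,
                                                 b"GET / HTTP/1.0\r\n"))
UDP_DGRAM = with_checksum(SRC, DST, 17, build_udp(53000, 53, b"\x12\x34\x01\x00"))

if __name__ == "__main__":
    print("TCP valid at intended host:", checksum_ok(SRC, DST, 6, TCP_SEG))
    print("TCP valid at wrong host:   ", checksum_ok(SRC, BAD_DST, 6, TCP_SEG))
    print("UDP valid:                 ", checksum_ok(SRC, DST, 17, UDP_DGRAM))
```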
TCP Sequence Numbers
Represent the first byte of data in a TCP segment (except when zero bytes are carried with the initial sequence number). Nmap attempts to use them for OS fingerprinting (starting numbers, increments, etc.).
Newer OS versions tend to use random numbers. Recall that guessing the sequence number is needed for session hijacking.
Acknowledgement Numbers
We have covered the function. A value of zero (with the ACK flag set) is extremely unlikely.
ACK flag set and a zero number may imply an nmap scan.
A packet with the ACK flag set may generate a reset from the host (indicating the host is alive).
It gets past router filtering because it looks like traffic from an ongoing TCP connection.
TCP Flags
We've covered the function. Various "mutant" combinations are used for fingerprinting operating systems. Packets sometimes get corrupted, so an out-of-spec packet does not NECESSARILY imply an attack.
Vern Paxson labels as "crud" the "innocuous implementation errors" that create traffic pattern pathologies similar to genuine attacks.
TCP Congestion Control
End-to-end control (no network assistance). The transmission rate is limited by the congestion window size, Congwin, measured in segments:
w segments, each with MSS bytes, sent in one RTT:
throughput = w * MSS / RTT bytes/sec
TCP congestion control:
Two "phases":
• slow start (exponential increase)
• congestion avoidance (linear increase)
On timeout, the threshold is set to half of Congwin and Congwin is set to 1 MSS.
Important variables:
• Congwin
• threshold: defines the boundary between the two phases, slow start and congestion avoidance.
"Probing" for usable bandwidth:
• ideally: transmit as fast as possible (Congwin as large as possible) without loss
• increase Congwin until loss (congestion)
• on loss: decrease Congwin, then begin probing (increasing) again
TCP Slowstart
Exponential increase (per RTT) in window size (not so slow!).
Loss event: timeout (Tahoe TCP) and/or three duplicate ACKs (Reno TCP).
Slowstart algorithm:
    initialize: Congwin = 1
    for (each segment ACKed)
        Congwin++
    until (loss event OR Congwin > threshold)
Diagram: Host A sends one segment to Host B, then two segments in the next RTT, then four, with the window doubling every RTT.
TCP Congestion Avoidance
    /* slowstart is over */
    /* Congwin > threshold */
    until (loss event) {
        every w segments ACKed:
            Congwin++
    }
    threshold = Congwin/2
    Congwin = 1          /* see note 1 */
    perform slowstart
Note 1: TCP Reno skips slowstart (fast recovery) after three duplicate ACKs.
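An added simulation, not from the slides or the textbook material they reproduce, that steps the window one RTT at a time using the slow start and congestion avoidance rules given above, for both Tahoe and Reno; MSS, RTT and the initial threshold are assumed values.

```python
from dataclasses import dataclass, field

MSS = 1460      # bytes per segment (assumed)
RTT = 0.25      # seconds (assumed)


@dataclass
class TcpSender:
    """Congestion window in MSS units, advanced one RTT at a time."""
    variant: str = "tahoe"       # "tahoe" or "reno"
    threshold: int = 16          # slow-start threshold (assumed initial value)
    congwin: int = 1
    phase: str = "slowstart"
    history: list = field(default_factory=list)

    def throughput(self) -> float:
        """Slide formula: w * MSS / RTT bytes per second, with w = Congwin."""
        return self.congwin * MSS / RTT

    def rtt_without_loss(self) -> int:
        """All w segments sent in this RTT are ACKed."""
        self.history.append(self.congwin)
        if self.phase == "slowstart":
            # Congwin++ per ACK: w ACKs double the window within one RTT.
            self.congwin *= 2
            # The slide's exit test is "Congwin > threshold", so the last
            # doubling may overshoot the threshold before avoidance starts.
            if self.congwin > self.threshold:
                self.phase = "avoidance"
        else:
            # Congestion avoidance: Congwin++ once every w ACKs, i.e. per RTT.
            self.congwin += 1
        return self.congwin

    def loss_event(self, kind: str) -> int:
        """kind is 'timeout' or 'dupack' (three duplicate ACKs)."""
        if kind not in ("timeout", "dupack"):
            raise ValueError(f"unknown loss event {kind!r}")
        self.history.append(self.congwin)
        self.threshold = max(self.congwin // 2, 1)
        if kind == "timeout" or self.variant == "tahoe":
            # Tahoe treats both signals alike: back to 1 MSS and slow start.
            self.congwin = 1
            self.phase = "slowstart"
        else:
            # Reno fast recovery: halve the window and skip slow start.
            self.congwin = self.threshold
            self.phase = "avoidance"
        return self.congwin


def run(variant: str, events: list, threshold: int = 16) -> list:
    """Replay 'ok' / 'timeout' / 'dupack' RTTs; return the window at each step."""
    s = TcpSender(variant=variant, threshold=threshold)
    for ev in events:
        if ev == "ok":
            s.rtt_without_loss()
        else:
            s.loss_event(ev)
    return s.history + [s.congwin]


if __name__ == "__main__":
    sched = ["ok"] * 6 + ["dupack"] + ["ok"] * 3
    print("Tahoe:", run("tahoe", sched, threshold=8))
    print("Reno: ", run("reno", sched, threshold=8))
```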
ECN Flag Bits
The top two bits of the TCP flag byte had been reserved, but RFC 3168 defines them for use in supporting ECN.
Use is established in the 3-way handshake. If a router along the path sets the ECN bits (the low-order bits of the ToS field of the IP header), then the receiver sets the ECN-Echo bit in the TCP flag byte. The sender notes the ECN-Echo bit, halves its current window size and sets the Congestion Window Reduced bit. There is a danger that existing NIDS will begin to alarm on this new use of the header bits.
TCP segment structure (diagram, 32-bit rows):
  source port # | dest port #
  sequence number
  acknowledgement number
  head len | not used | U A P R S F | receive window
  checksum | urg data pointer
  options (variable length)
  application data (variable length)
Annotations: URG: urgent data (generally not used). ACK: ACK # valid. PSH: push data now (generally not used). RST, SYN, FIN: connection establishment (setup, teardown commands). Receive window: # bytes the receiver is willing to accept. Checksum: Internet checksum (as in UDP). Sequence and acknowledgement numbers count bytes of data (not segments!).
IP datagram format (diagram, 32-bit rows):
  ver | head. len | type of service | length
  16-bit identifier | flgs | fragment offset
  time to live | upper layer | Internet checksum
  32-bit source IP address
  32-bit destination IP address
  options (if any)
  data (variable length, typically a TCP or UDP segment)
Annotations: ver: IP protocol version number. head. len: header length (bytes). type of service: "type" of data. length: total datagram length (bytes). identifier, flgs, fragment offset: for fragmentation/reassembly. time to live: max number of remaining hops (decremented at each router). upper layer: upper layer protocol to deliver the payload to. options: e.g. timestamp, record route taken, specify list of routers to visit.
OS Fingerprinting Example
Verbo.47322 > win98.netbios-ssn: SFP 861966446:861066446(0) win 3072 urg 0 <wscale 10,nop,mss 265,timestamp 1061109567[|tcp]>
win98.netbios-ssn > Verbo.47322: S 49904150:49904150(0) ack 861966447 win 8215 <mss 1460> (DF)
Windows 98 responds with SYN/ACK even though the SYN request packet was mutant.
Other examples in the text.
Hostile Retransmissions?
17:14:18.726864 1.1.1.1.62555 > 192.168.44.63.3128: S 20583734:20583734(0) win 8192 <mss 1380> (DF) (ttl 17, id 15697)
17:14:21.781140 1.1.1.1.62555 > 192.168.44.63.3128: S 20583734:20583734(0) win 8192 <mss 1380> (DF) (ttl 17, id 33873)
17:14:27.776662 1.1.1.1.62555 > 192.168.44.63.3128: S 20583734:20583734(0) win 8192 <mss 1380> (DF) (ttl 17, id 46113)
17:14:39.775929 1.1.1.1.62555 > 192.168.44.63.3128: S 20583734:20583734(0) win 8192 <mss 1380> (DF) (ttl 17, id 54353)
• Looks like multiple attempts to connect to a destination host (SYNs).
• IDs seem to change appropriately for a normal retry.
• 1st-2nd attempt separated by 3 seconds.
• 2nd-3rd attempt separated by 6 seconds.
• 3rd-4th attempt separated by 12 seconds. Looks OK.
• Source port stays the same.
• TCP sequence number does not change.
• THIS IS NORMAL behavior for retries when the destination does not respond.
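An added example, not from the slides, that applies the checklist above to tcpdump lines: the first sample is constructed to match the slide's four SYNs, the second is a constructed contrast that should fail the checks, and the format parsed is the older tcpdump output shown above.

```python
import re
from dataclasses import dataclass

# Constructed sample in the tcpdump format of the slide above: the same addresses,
# ports, sequence number, IP IDs and timing as the slide's four SYNs.
RETRY_LINES = """\
17:14:18.726864 1.1.1.1.62555 > 192.168.44.63.3128: S 20583734:20583734(0) win 8192 <mss 1380> (DF) (ttl 17, id 15697)
17:14:21.781140 1.1.1.1.62555 > 192.168.44.63.3128: S 20583734:20583734(0) win 8192 <mss 1380> (DF) (ttl 17, id 33873)
17:14:27.776662 1.1.1.1.62555 > 192.168.44.63.3128: S 20583734:20583734(0) win 8192 <mss 1380> (DF) (ttl 17, id 46113)
17:14:39.775929 1.1.1.1.62555 > 192.168.44.63.3128: S 20583734:20583734(0) win 8192 <mss 1380> (DF) (ttl 17, id 54353)
""".splitlines()

# Constructed contrast: same pace but a fresh sequence number and a fixed IP ID
# on every packet, which reads as crafted packets rather than retries.
CRAFTED_LINES = """\
17:20:00.000000 1.1.1.1.62555 > 192.168.44.63.3128: S 1000:1000(0) win 8192 <mss 1380> (DF) (ttl 17, id 4000)
17:20:01.000000 1.1.1.1.62555 > 192.168.44.63.3128: S 2000:2000(0) win 8192 <mss 1380> (DF) (ttl 17, id 4000)
17:20:02.000000 1.1.1.1.62555 > 192.168.44.63.3128: S 3000:3000(0) win 8192 <mss 1380> (DF) (ttl 17, id 4000)
""".splitlines()

LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
    r"S (\d+):\d+\(\d+\).*\(ttl (\d+), id (\d+)\)$")


@dataclass
class Syn:
    t: float
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ttl: int
    ipid: int


def parse_syn(line: str) -> Syn:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised tcpdump line: {line!r}")
    h, mi, s, us, src, sport, dst, dport, seq, ttl, ipid = m.groups()
    t = int(h) * 3600 + int(mi) * 60 + int(s) + int(us) / 1e6
    return Syn(t, src, int(sport), dst, int(dport), int(seq), int(ttl), int(ipid))


def classify(lines: list) -> dict:
    """Apply the slide's checklist to a run of SYNs from one source."""
    syns = [parse_syn(l) for l in lines]
    if len(syns) < 2:
        raise ValueError("need at least two SYNs")
    gaps = [b.t - a.t for a, b in zip(syns, syns[1:])]
    same_flow = len({(p.src, p.sport, p.dst, p.dport) for p in syns}) == 1
    same_seq = len({p.seq for p in syns}) == 1
    ids = [p.ipid for p in syns]
    ids_increasing = all(b > a for a, b in zip(ids, ids[1:]))
    # Normal retries back off exponentially: each gap is about twice the last.
    backoff = all(a > 0 and 1.7 <= b / a <= 2.3 for a, b in zip(gaps, gaps[1:]))
    reasons = []
    if not same_flow:
        reasons.append("ports or addresses change between SYNs")
    if not same_seq:
        reasons.append("sequence number changes: new connections, not retries")
    if len(set(ids)) == 1:
        reasons.append("identical IP IDs: likely crafted packets")
    elif not ids_increasing:
        reasons.append("IP IDs do not increase")
    if not backoff:
        reasons.append("intervals do not double")
    return {"gaps": [round(g) for g in gaps],
            "normal_retry": same_flow and same_seq and ids_increasing and backoff,
            "reasons": reasons}


if __name__ == "__main__":
    print(classify(RETRY_LINES))
    print(classify(CRAFTED_LINES))
```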
Nifty Defense: LaBrea (Tar Pit)
LaBrea is installed on a local host and listens for ARP requests from a router (which may have been hit by a scan for active IP addresses). If no host generates an ARP response within a few seconds, the LaBrea host fakes an ARP reply. If a SYN follows, the LaBrea host fakes a SYN/ACK response.
The scanning host now completes the handshake and begins sending data. The LaBrea host never responds (with an ACK) to the sent data. The scanning host is "stuck in the tar pit" until it times out of all retransmission attempts.
This can be critical in delaying worm propagation. Code at www.hackbusters.net.
RFC 1122, section 4.1:
The User Datagram Protocol offers only a minimal transport service -- non-guaranteed datagram delivery -- and gives applications direct access to the datagram service of the IP layer. UDP is used by applications that do not require the level of service of TCP or that wish to use communications services (e.g., multicast or broadcast delivery) not available from TCP.
UDP is almost a null protocol; the only services it provides over IP are checksumming of data and multiplexing by port number. Therefore, an application program running over UDP must deal directly with end-to-end communication problems that a connection-oriented protocol would have handled -- e.g., retransmission for reliable delivery, packetization and reassembly, flow control, congestion avoidance, etc., when these are required. The fairly complex coupling between IP and TCP will be mirrored in the coupling between UDP and many applications using UDP.
UDP Format
Frame: MAC header | IP header | UDP header | Data :::
UDP header:
• Source port: 16 bits
• Destination port: 16 bits
• Length: 16 bits (includes header + data; header = 8 bytes)
• Checksum: 16 bits
Use of UDP Ports
Normal use does not include port 0. The valid range is 1 to 65,535. The source host initiates with a port greater than 1023. Unlike TCP, UDP does not respond to an initial connection.
If the host is alive, however, it will respond with ICMP port unreachable if the port is not listening. Does the absence of "port unreachable" mean the port is listening?
Analyze this
Results
SYN connection attempts to various ports on dns.myplace.com. Reset from ftp only. Perhaps other responses were blocked by a firewall. Other than the reset, no response from the firewall.
It does not appear that the DNS server was compromised.
Netbus Trojan
Looks for Windows hosts listening on port 12345. The Trojan allows remote access and control of a Windows host through port 12345. The next page shows an excerpt of an actual scan. The scan hit 65,000 addresses in a class B network. Only one host responded, and it turned out not to be infected.
Netbus Scan
Useful Linux Commands
netstat - show network status
SYNOPSIS
  netstat [-Aan] [-f address_family] [-M core] [-N system]
  netstat [-bdghimnrs] [-f address_family] [-M core] [-N system]
  netstat [-bdn] [-I interface] [-M core] [-N system] [-w wait]
  netstat [-p protocol] [-M core] [-N system]
DESCRIPTION
The netstat command symbolically displays the contents of various network-related data structures. There are a number of output formats, depending on the options for the information presented. The first form of the command displays a list of active sockets for each protocol. The second form presents the contents of one of the other network data structures according to the option selected. Using the third form, with a wait interval specified, netstat will continuously display the information regarding packet traffic on the configured network interfaces. The fourth form displays statistics about the named protocol.
fuser port/tcp
NAME
fuser - identify processes using a file or file structure
SYNOPSIS
fuser [-[c|f]kqu] files [[-] [-[c|f]kqu] files]
DESCRIPTION
fuser outputs the process IDs of the processes that are using the files specified as arguments. Each process ID is followed by one of these letter codes, which identify how the process is using the file.
If file has the form port/protocol or hostname:port/protocol and names no file or directory, fuser lists all processes using sockets bound or connected to the specified port.
This provides a process number that can be resolved with the ps command.
For Windows
Netstat usually works. fport reports all open TCP/IP and UDP ports and maps them to the owning application (www.securityfocus.com).
This is the same information you would see using the 'netstat -an' command, but it also maps those ports to running processes with the PID, process name and path. Fport can be used to quickly identify unknown open ports and their associated applications.
Usage: C:\>fport
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com
Pid  Process      Port  Proto  Path
392  svchost   -> 135   TCP    C:\WINNT\system32\svchost.exe
8    System    -> 139   TCP
8    System    -> 445   TCP
508  MSTask    -> 1025  TCP    C:\WINNT\system32\MSTask.exe
392  svchost   -> 135   UDP    C:\WINNT\system32\svchost.exe
8    System    -> 137   UDP
8    System    -> 138   UDP
8    System    -> 445   UDP
224  lsass     -> 500   UDP    C:\WINNT\system32\lsass.exe
212  services  -> 1026  UDP    C:\WINNT\system32\services.exe
The program contains five (5) switches. The switches may be utilized using either a '/' or a '-' preceding the switch. The switches are:
Usage:
  /?   usage help
  /p   sort by port
  /a   sort by application
  /i   sort by pid
  /ap  sort by application path
Analyze:
Results
Fragments closely spaced in time (excerpt from a large dataset). No beginning fragment seen (none was found, so a firewall probably blocked the initial fragment). Repeated fragments for fragments in the same fragment train. No final fragment. DoS attack against the router at 192.168.133.0.
Analyze
Results (with -vv)
Three different source IPs attempting connections to three different internal destination IPs. Source ports and sequence numbers don't change, which implies retries.
The destination is a squid web proxy server (port 3128). Spoofed?
• Can't tell from IP ID increments (too far apart in time).
• Retries on different intervals.
• TCP options not identical.
• Probably not spoofed. TTL analysis showed most had a traceroute hop count credibly close to the indicated hop count.
Traffic from a Trojan called RingZero.
Writing TCPdump Filters
General format:
<protocol header>[offset:length] <relation> <value>
Example: tcpdump 'ip[9] = 1' will select all IP packets that have protocol number 1 (ICMP) at byte 9 of the IP header. Begin counting with byte 0.
The single quotes keep the UNIX shell from trying to interpret the filter.
You can also create a file, such as /tmp/filter, and put "ip[9] = 1" in it. Then enter tcpdump -F /tmp/filter.
Note that ip[12:4] specifies the IP source address.
The default length is 1 byte, so ip[12:1] is ip[12].
IP datagram format and TCP segment structure: the same two byte-layout diagrams shown earlier are repeated at this point as a reference for computing filter offsets.
Bit Mask
If you need to obtain values for fewer than 8 bits (a byte), you can AND (&) with a bit mask.
Example: ip[0] & 0x0f will zero out the first 4 bits of byte 0 (the IP version) and yield the IP header length. Thus 'ip[0] & 0x0f = 5' will select all datagrams in which the header length is 5 32-bit words, or 20 bytes. 'ip[0] & 0x0f > 5' will select all datagrams having IP options.
Filter Examples
Catch all packets to a broadcast address of *.*.*.0 or *.*.*.255:
'ip[19] = 0x00 or ip[19] = 0xff'
Alternatively, 'ip[19] = 0 or ip[19] = 255' (decimal).
'not src net 192.168 and (ip[19] = 0x00 or ip[19] = 0xff)' will catch all broadcast packets except those from the 192.168.0.0 network.
not is the negation operator. src is a macro indicating traffic from the specified source. net is a macro indicating a subnet.
Filter Examples (continued)
To specify that the "more fragments" flag is set (so fragmentation is used), write either
'ip[6] & 0x20 != 0' or 'ip[6] & 0x20 = 32', because byte 6 is laid out as 00(MF)00000 and the mask is 00100000.
Also, 'udp and dst port 31337' will retrieve UDP packets with destination port 31337.
www.snort.org/port.html has pointers on which ports to examine.
If you need a range of values, you must use the offset notation:
'udp[2:2] >= 33000 and udp[2:2] < 34000' will find UDP packets for which the destination port is in the specified range.
Try these:
• Detect an echo reply.
• Detect the router reply "destination port unreachable."
Use the next slide.
ICMP: Internet Control Message Protocol
Used by hosts, routers and gateways to communicate network-level information:
• error reporting: unreachable host, network, port, protocol
• echo request/reply (used by ping)
Network layer "above" IP: ICMP messages are carried in IP datagrams.
More at www.iana.org/assignments/icmp-parameters
Type  Code  Description
0     0     echo reply (ping)
3     0     dest. network unreachable
3     1     dest host unreachable
3     2     dest protocol unreachable
3     3     dest port unreachable
3     6     dest network unknown
3     7     dest host unknown
4     0     source quench (congestion control - not used)
8     0     echo request (ping)
9     0     route advertisement
10    0     router discovery
11    0     TTL expired
12    0     bad IP header
Note: ICMP is often used for "mapping."
Answers
An echo reply is ICMP type 0, code 0: (icmp[0] = 0) and (icmp[1] = 0)
Destination port unreachable is type 3, code 3: (icmp[0] = 3) and (icmp[1] = 3)
TCP examples:
Flag byte (the byte at offset 13), high bit to low bit: reserved | urg | ack | psh | rst | syn | fin
Only the SYN flag is set:
tcp[13] & 0xff = 2
or tcp[13] = 2 (because it is an exact numeric value)
Both the SYN and FIN flags are set:
tcp[13] = 3
Note: you must be certain that the reserved bits are not being used. What if you are not?
tcp[13] & 0x3f = 3
ACK flag set but the ack field is zero:
(tcp[13] & 0x10 = 16) and (tcp[8:4] = 0)
Note: this catches certain NMAP fingerprinting scans.
Look for: legitimate SYN packets carrying data.
First: the SYN flag alone is set: tcp[13] = 2.
Second: total length of the IP datagram in bytes: ip[2:2].
Third: IP header length in bytes: (ip[0]&0x0f)*4. Multiply by 4 to convert from 4-byte words to bytes.
Fourth: TCP header length in bytes: (tcp[12]&0xf0)/4. The value must be divided by 16 because the 4 bits are in the upper nibble, and then multiplied by 4 to convert from words to bytes; the net effect is to divide by 4.
Result: (tcp[13] = 2) and (ip[2:2] - (ip[0]&0x0f)*4 - (tcp[12]&0xf0)/4) != 0.
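As an added example (not from the slides), this Python reproduces the byte-offset semantics of the filters on the preceding slides and runs them over constructed packets, including the cases the slides discuss: a later fragment, a SYN-FIN with a reserved bit set, and a SYN carrying data. It is not tcpdump; it only mimics how proto[offset:length] indexes the headers, and the addresses and ports are sample values.

```python
import struct

class NoMatch(Exception):
    """Raised when a filter references a header the packet does not carry."""

class Pkt:
    """Byte-offset access with tcpdump's proto[offset:length] semantics."""

    def __init__(self, raw: bytes):
        self.raw = raw

    def ip(self, off: int, n: int = 1) -> int:
        return int.from_bytes(self.raw[off:off + n], "big")

    def _l4(self, proto: int, off: int, n: int) -> int:
        # tcpdump applies tcp[]/udp[]/icmp[] only to that protocol and only to
        # the first fragment (it adds an implicit "ip[6:2] & 0x1fff = 0").
        if self.raw[9] != proto or self.ip(6, 2) & 0x1FFF:
            raise NoMatch
        start = (self.raw[0] & 0x0F) * 4 + off
        return int.from_bytes(self.raw[start:start + n], "big")

    def tcp(self, off, n=1): return self._l4(6, off, n)
    def udp(self, off, n=1): return self._l4(17, off, n)
    def icmp(self, off, n=1): return self._l4(1, off, n)

# The filters from the slides, as predicates over a Pkt.
FILTERS = {
    "ip[9] = 1": lambda p: p.ip(9) == 1,
    "ip[0] & 0x0f > 5": lambda p: p.ip(0) & 0x0F > 5,
    "ip[6] & 0x20 != 0": lambda p: p.ip(6) & 0x20 != 0,
    "ip[19] = 0 or ip[19] = 255": lambda p: p.ip(19) in (0, 255),
    "tcp[13] = 2": lambda p: p.tcp(13) == 2,
    "tcp[13] = 3": lambda p: p.tcp(13) == 3,
    "tcp[13] & 0x3f = 3": lambda p: p.tcp(13) & 0x3F == 3,
    "(tcp[13] & 0x10 = 16) and (tcp[8:4] = 0)": lambda p: p.tcp(13) & 0x10 == 16 and p.tcp(8, 4) == 0,
    "udp[2:2] >= 33000 and udp[2:2] < 34000": lambda p: 33000 <= p.udp(2, 2) < 34000,
    "icmp[0] = 3 and icmp[1] = 3": lambda p: p.icmp(0) == 3 and p.icmp(1) == 3,
    "syn with data": lambda p: p.tcp(13) == 2 and
        p.ip(2, 2) - (p.ip(0) & 0x0F) * 4 - (p.tcp(12) & 0xF0) // 4 != 0,
}

def matches(name: str, raw: bytes) -> bool:
    try:
        return bool(FILTERS[name](Pkt(raw)))
    except (NoMatch, IndexError):
        return False          # wrong protocol, later fragment or short packet

# Constructed packet builders with fixed sample addresses (checksums left zero).
def ipv4(proto, payload, dst=b"\x84\xaa\x6c\x8c", options=b"", mf=False, frag=0):
    ihl = (20 + len(options)) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options) + len(payload),
                      0x2AA6, (0x2000 if mf else 0) | frag, 64, proto, 0,
                      b"\xc0\xa8\x00\x64", dst)
    return hdr + options + payload

def tcp(flags, ack=0, payload=b"", dport=80):
    return struct.pack("!HHIIBBHHH", 47322, dport, 1000, ack, 5 << 4, flags,
                       8192, 0, 0) + payload

def udp(dport, payload=b""):
    return struct.pack("!HHHH", 53000, dport, 8 + len(payload), 0) + payload

def icmp(type_, code):
    return struct.pack("!BBHHH", type_, code, 0, 0, 0)

SAMPLES = {
    "ping": ipv4(1, icmp(8, 0)),
    "port unreachable": ipv4(1, icmp(3, 3)),
    "syn": ipv4(6, tcp(0x02)),
    "syn with data": ipv4(6, tcp(0x02, payload=b"R")),
    "syn-fin, reserved bit set": ipv4(6, tcp(0x43)),
    "ack with zero ack field": ipv4(6, tcp(0x10)),
    "second fragment": ipv4(6, tcp(0x02), frag=185),
    "first fragment": ipv4(6, tcp(0x02), mf=True),
    "udp to 33500": ipv4(17, udp(33500)),
    "ip options": ipv4(6, tcp(0x02), options=b"\x01" * 4),
    "broadcast": ipv4(6, tcp(0x02), dst=b"\xc0\xa8\x00\xff"),
}

if __name__ == "__main__":
    for name in FILTERS:
        print(f"{name:45} -> {[s for s in SAMPLES if matches(name, SAMPLES[s])]}")
```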
SNORT
Marty Roesch (Sourcefire) developed SNORT (1998) to be a NIDS that:
• works on multiple operating systems
• includes a hex dump
• displays all network packets in the same format
• includes flexible filter rules
It now includes 75,000+ lines of code and supports Linux, FreeBSD, NetBSD, OpenBSD, Windows, Sparc Solaris, ...
Snort Architecture
Packet Sniffer
Preprocessor: identifies packet types and does initial screening. Preprocessor plug-ins can be added and deleted.
Detection Engine: takes data from the preprocessor and checks it against the rule set. Rules are updated frequently by the community at large and can be downloaded. Grouped: Trojans, buffer overflows, application specific, ...
Alerting and Logging: log files, transmitted alerts, Windows popups, databases, ...
Some of the available add-ons.
Basic SNORT Sniffing
• snort -dev
• -v puts snort in packet sniffing mode
• -d includes the IP, TCP, UDP, ICMP headers
• -e includes the data link layer headers
• The format of the output is similar to tcpdump.
Add Logging and Alerts
snort -dev -l {logging-directory} -h {home-subnet-in-slash-notation}
Ex: snort -dev -l /var/adm/snort/logs -h 10.10.1.0/24
To collect in binary mode (faster): snort -b -L {logfile}.
The binary log can be read with Snort, with TCPDUMP, or with Ethereal... and can be filtered with any of these.
For example, to ignore all traffic coming from host 10.10.1.15 on port 21:
snort -vd -r {file} not host 10.10.1.15 and src port 22.
To create a NIDS, one adds rules in a configuration file:
snort -dev -l /var/adm/snort/logs -h 10.10.1.0/24 -c /var/adm/snort/rules.conf
Positioning SNORT
SNORT Concerns
• Snort may miss packets.
• Snort may generate false positives or false negatives.
• It may be painful to upgrade (changes in the format of rulesets, for example).
• Snort may be the target of attacks.
The system on which Snort resides may be vulnerable because of other applications like SSH, HTTP, HTTPS, MySQL... which are useful with Snort. Good system administration is needed!
The Snort core code is relatively secure.
Snort Rules
alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any (flags:SF; msg:"SYN-FIN scan";)
The rule header is followed by the rule options. This rule triggers when TCP traffic is not from the 10.1.1 net (any source port), is destined to the 10.1.1 net (any destination port), and has the SYN and FIN flags set. On a match, it generates the message.
alert represents the action field. Options include alert, log, pass, activate and dynamic.
Action Field
• alert - instructs Snort to create an entry in the alert file and an entry in the log file.
• log - instructs Snort only to make a log entry.
• pass - instructs Snort to drop any matching packet.
• activate - instructs Snort to alert on a match and to turn on dynamic rules.
• dynamic - instructs Snort that the rule is dormant unless/until turned on by an activate.
It is also possible to define your own rules (www.snort.org).
Protocol Field
Snort currently supports four protocols: IP (v4), TCP, UDP, ICMP.
ARP, RARP, GRE, OSPF, RIP and IPX are being considered.
Source/Destination IP Address
May specify one (or multiple) host(s) or subnet(s). Use CIDR notation: x.y.z.w/nn.
Format: address/netmask or any or [address/netmask,address/netmask,...]
Note: leave no spaces in the list. Variables can be defined, and certain key variables exist such as $HOME_NET (used in existing Snort rules).
Source & Destination Ports
A specific number, a range of numbers or the keyword any. Examples:
• Static port: 111
• All ports: any
• Range: 33000:34000
• Negation: !80
• Less than or equal: :1023
• Greater than or equal: 1024:
Quirk: you must specify a port with ICMP, usually any.
Direction Indication
• -> Traffic must be traveling from source to destination in order to trigger the rule.
• <> Traffic may be traveling in either direction to trigger the rule.
Selected Rule Options
msg - assigns an appropriate message to the outcome of a triggered rule.
logto - specifies a filename to which to log the activity.
alert udp any any -> 192.168.5.0/24 31335 \
    (msg:"Trinoo port"; logto:"DDOS";)
If the above rule is triggered, the output on a typical UNIX host will go to /var/log/snort/DDOS.
Rule Options (study chapter 14)
• ttl - examines the time-to-live field for a specific value.
• id - examines the identification field for a specific value.
• dsize - looks for data equal to, less than, or greater than a specified value.
• sequence - checks the TCP sequence number for a specific value.
• ack - checks the acknowledgement number for a specific value.
• flags - checks for specified flags.
• content - looks for specific payload content.
Be careful because of the performance implications.