Intrusion Detection and Malware Analysis
Signature-based IDS
Pavel Laskov
Wilhelm Schickard Institute for Computer Science
Misuse detection systems
Expert systems (NIDES, Emerald): rule-based decisions, rather slow, binary decisions only.
Signature matching (Snort, Bro, Cisco Secure IDS, ISS RealSecure): pattern matching, policy scripting.
State transitions (STAT suite): description of attacks by assertions over a state transition diagram.
Data mining: automatic extraction of attack description rules from labeled examples.
Machine learning: automatic extraction of “black-box” classifiers from labeled examples.
Snort highlights
Initial open source release (December 1998): plain sniffer, no rules
1.0 release (June 1999): basic rules language, stateless packet processing
1.5 release (December 1999): packet pipeline architecture used up to date
1.8 release developed by Sourcefire (mid-2001): IP fragmentation and TCP reassembly
Current release (2.8): highly stateful, 3000+ rules, protocol anomaly detection
Snort design criteria
A lightweight intrusion detection tool: cross-platform portability, small footprint, easy installation and configuration
A simple language for rules
High efficiency and low memory and CPU consumption: packet-level detection (with no support for TCP stream reassembly in early versions), packet filtering using BPF and rule hierarchy
An open source alternative to expensive commercial IDS
Snort architecture
2. Then it sends them through a chute to determine if they are coins and how they should roll (the preprocessor).
3. Next, it sorts the coins according to the coin type. This is for storage of quarters, nickels, dimes, and pennies (on the IDS this is the detection engine).
4. Finally, it is the administrator’s task to decide what to do with the coins—usually you’ll roll them and store them (logging and database storage).
Figure 4.1 Snort Architecture
The preprocessor, the detection engine, and the alert components of Snort are all plug-ins. Plug-ins are programs that are written to conform to Snort’s plug-in API. These programs used to be part of the core Snort code, but they were separated to make modifications to the core source code more reliable and easier to accomplish.
Packet Sniffer
A packet sniffer is a device (either hardware or software) used to tap into networks. It works in a similar fashion to a telephone wiretap, but it’s used for data networks instead of voice networks. A network sniffer allows an application or a hardware device to eavesdrop on data network traffic. In the case of the Internet, this usually consists of IP traffic, but in local LANs and legacy networks, it can be other protocol suites, such as IPX and AppleTalk traffic.
Because IP traffic consists of many different higher-level protocols (including TCP, UDP, ICMP, routing protocols, and IPSec), many sniffers analyze the various network protocols to interpret the packets into something human-readable.
Packet sniffers have various uses:
■ Network analysis and troubleshooting
■ Performance analysis and benchmarking
■ Eavesdropping for clear-text passwords and other interesting tidbits of data
Encrypting your network traffic can prevent people from being able to sniff your packets into something readable. Like any network tool, packet sniffers can be used for good and evil.
www.syngress.com
Introducing Snort • Chapter 4 189
[Figure 4.1 diagram: Packets from the Network Backbone enter the Sniffer, then the Preprocessor, then the Detection Engine (driven by Rulesets), then Alerts/Logging, which writes Log Files/Database]
Packet sniffer interacts directly with a network card using libpcap.
Preprocessing, detection and alert components are implemented as plugins.
Various front-ends are available for logging (DB, Prelude meta-IDS, GUI).
Snort sniffer
Operates in promiscuous mode: passes all traffic to OS.
Performs basic packet filtering using BPF.
Decodes packet headers using pointer casts:

    typedef struct _EtherHdr {
        u_int8_t ether_dst[6];   /* destination MAC address */
        u_int8_t ether_src[6];   /* source MAC address */
        u_int16_t ether_type;    /* EtherType of the encapsulated protocol */
    } EtherHdr;

    /* lay the ethernet structure over the packet data;
       the decoder first verifies that the captured length covers the header */
    p->eh = (EtherHdr *) pkt;
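The cast above only reads safely because the caller has already checked that the captured buffer is at least as long as the header. The following Python decoder is an added example, not code from the slides or from Snort, that does the same decoding for the Ethernet header and the IPv4 header behind it with the length and field checks made explicit; the sample frame is constructed for the example (its IP checksum is left at zero).

```python
import struct

ETH_HDR_LEN = 14       # dst(6) + src(6) + type(2)
IPV4_MIN_HDR_LEN = 20  # IPv4 header without options


def decode_ethernet(frame: bytes) -> dict:
    """Decode the Ethernet header. Where Snort lays an EtherHdr struct over the
    buffer, this version refuses frames shorter than the header, so a truncated
    capture raises an error instead of being read past its end."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError(f"frame too short for Ethernet header: {len(frame)} bytes")
    dst, src, ether_type = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    return {"dst": dst.hex(":"), "src": src.hex(":"),
            "type": ether_type, "payload": frame[ETH_HDR_LEN:]}


def decode_ipv4(payload: bytes) -> dict:
    """Decode the fixed part of an IPv4 header, validating version and IHL
    before trusting any field."""
    if len(payload) < IPV4_MIN_HDR_LEN:
        raise ValueError(f"packet too short for IPv4 header: {len(payload)} bytes")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", payload[:IPV4_MIN_HDR_LEN])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError(f"not IPv4: version field is {version}")
    if ihl < IPV4_MIN_HDR_LEN or ihl > len(payload):
        raise ValueError(f"bad IHL: {ihl} bytes with {len(payload)} available")
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "proto": proto, "ttl": ttl, "total_len": total_len, "payload": payload[ihl:]}


def decode_frame(frame: bytes) -> dict:
    """Ethernet first, then IPv4 if the EtherType says so; other types stay undecoded."""
    eth = decode_ethernet(frame)
    ip = decode_ipv4(eth["payload"]) if eth["type"] == 0x0800 else None
    return {"eth": eth, "ip": ip}


def rejects_truncated(frame: bytes) -> bool:
    """True if the decoder refuses the frame rather than silently misreading it."""
    try:
        decode_frame(frame)
    except ValueError:
        return True
    return False


# Constructed sample frame (not a real capture): Ethernet header followed by a
# 20-byte IPv4 header for a TCP packet from 10.0.0.1 to 192.0.2.10.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"   # dst MAC, src MAC, EtherType IPv4
    "45000028" "00014000" "40060000"        # v4/IHL 5, TOS 0, len 40, id 1, DF, TTL 64, TCP, csum 0
    "0a000001" "c000020a"                   # src 10.0.0.1, dst 192.0.2.10
)

if __name__ == "__main__":
    decoded = decode_frame(SAMPLE_FRAME)
    print(decoded["eth"]["src"], "->", decoded["eth"]["dst"], hex(decoded["eth"]["type"]))
    print(decoded["ip"]["src"], "->", decoded["ip"]["dst"], "proto", decoded["ip"]["proto"])
```

Feeding it `SAMPLE_FRAME[:10]` (an Ethernet header cut short) or `SAMPLE_FRAME[:20]` (a complete Ethernet header with only six bytes of IP header behind it) raises `ValueError` instead of returning garbage, which is exactly the situation the C decoder has to guard against before performing its cast.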
Snort preprocessors
Plugin architecture enables dynamic plugin configuration.
Preprocessor functions:
Stream reassembly (stream4)
Packet defragmentation (frag2)
Protocol decoding/normalization (HTTP, RPC, telnet)
Alternative (non-rule) detection modes (portscan, arpspoof)
Figure 4.3 Snort’s Preprocessor
Earlier in this chapter, we described Snort as a signature-based IDS. The signature-based IDS function is accomplished by using various rulesets. The rulesets are grouped by category (Trojan horses, buffer overflows, access to various applications) and are updated regularly.
The rules themselves consist of two parts:
■ The rule header: The rule header is basically the action to take (log or alert), type of network packet (TCP, UDP, ICMP, and so forth), source and destination IP addresses, and ports
■ The rule option: The option is the content in the packet that should make the packet match the rule.
The detection engine and its rules are the largest portion (and steepest learning curve) of new information to learn and understand with Snort. Snort has a particular syntax that it uses with its rules. Rule syntax can involve the type of protocol, the content, the length, the header, and other various elements, including garbage characters for defining buffer overflow rules.
Once you get it working and learn how to write Snort rules, you can fine-tune and customize Snort’s IDS functionality. You can define rules that are particular to your environment and customize however you want.
The detection engine is the part of the coin sorter that actually rolls the coins based on the type. The most common American coins are the quarter, dime, nickel, and penny. However, you might get a coin that doesn’t match, like the Kennedy half-dollar, and discard it. This is illustrated in Figure 4.4.
[Figure 4.3 diagram: Packets pass through the Preprocessor (HTTP Encoding Plug-in, Port Scanning Plug-in) to the Detection Engine]
Snort detection engine
Rules are parsed into internal data structure.
Rule matching is prioritized according to matching complexity:
IP header rules
TCP header rules
Application protocol header rules
Content rules
Multiple matches are possible: the highest priority alert is reported.
Figure 4.4 Snort’s Detection Engine
Alerting/Logging Component
After the Snort data goes through the detection engine, it needs to go out somewhere. If the data matches a rule in the detection engine, an alert is triggered. Alerts can be sent to a log file, through a network connection, through UNIX sockets or Windows Popup (SMB), or SNMP traps. The alerts can also be stored in an SQL database such as MySQL and Postgres.
You can also use additional tools with Snort, including various plug-ins for Perl, PHP, and Web servers to display the logs through a Web interface. Logs are stored in either text files (by default in /var/log/snort) or in a database such as MySQL and Postgres.
Like the detection engine and the preprocessor, the alert component uses plug-ins to send the alerts to databases and through networking protocols such as SNMP traps and WinPopup messages. See Figure 4.5 for an illustration of how this works.
Additionally, with syslog tools such as Swatch, Snort alerts can be sent via e-mail to notify a system administrator in real time so no one has to monitor the Snort output all day and night.
Table 4.1 lists a few examples of various useful third-party programs and tools.
[Figure 4.4 diagram: Packets enter the Detection Engine and are tested against each Rule ("Do the Packets Match?"); No: Discard; If Yes, Send to Logging/Alerting]
Snort rules
General format: header (options)
Header: fixed format, present in every rule
Options: variable format, not always necessary
Example: alert tcp $BAD any -> $GOOD any (flags: SF; msg: "SYN-FIN scan";)
Snort rules: header
General format: action proto srcaddr srcport dir dstaddr dstport
Example: alert tcp $BAD any -> $GOOD any
Actions: alert, pass, log
Protocols: tcp, udp, icmp, ip
Directions: -> (unidirectional), <> (bidirectional)
Variables, wildcards and expressions can be used, e.g. !$HOME, any, etc.
Snort rules: options
General format: ( keyword: value; )
Example: (flags: SF; msg: "SYN-FIN scan";)
Basic options:
content: pattern matcher
pcre: Perl-compatible regular expression
msg: alert message
flow: test for TCP connection state, traffic direction
Multiple options in one rule are combined as a conjunction: every option must match for the rule to fire.
Snort rules: advanced options
Informational options: sid (Snort ID), priority, ref (reference, usually to CVEs)
Advanced payload options: byte_jump, byte_test, distance, within, depth, offset, nocase, rawbytes, uricontent
Protocol analysis options: keywords for IP, TCP, ICMP protocols
Stateful rules: flowbits, threshold, flow
Regular expressions: use with care, expensive!
Snort rule examples
alert tcp any any -> any any \
(flow: established, to_server; \
content: "foo"; msg: "detected foo";)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 \
(msg:"SMTP exchange mime DOS"; flow:to_server,established; \
content:"charset = |22 22|"; nocase; reference:bugtraq,1869; \
reference:cve,2000-1006; reference:nessus,10558; \
reference:url,www.microsoft.com/technet/security/bulletin/MS00-082.mspx; \
classtype:attempted-dos; sid:658; rev:11;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any \
(msg:"EXPLOIT Netscape 4.7 client overflow"; flow:to_client,established; \
content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; \
reference:arachnids,215; reference:bugtraq,822; \
reference:cve,1999-1189; reference:cve,2000-1187; \
classtype:attempted-user; sid:283; rev:10;)
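To make the header/options format and the detection engine's prioritised matching concrete, here is a small rule engine in Python. It is an added example, not code from the slides or from Snort itself: it parses rules in the syntax shown above (including the |hh hh| hex notation and the nocase modifier used in the examples), applies the cheap header tests before the content tests, and reports matches highest priority first, as the detection-engine slide describes. The $HOME_NET/$SMTP_SERVERS values, the packet records and the default priority of 3 for rules without a classtype are assumptions made for the example; flow, reference and rev are parsed but not evaluated, and the classtype priorities are a subset of Snort's classification.config defaults.

```python
import ipaddress
import re

# Subset of Snort's classification.config defaults (1 = highest); a rule with
# neither classtype nor priority gets 3, an assumed default for this example.
CLASSTYPE_PRIORITY = {"attempted-admin": 1, "attempted-user": 1, "attempted-dos": 2}
# Address variables a snort.conf would define; these values are constructed.
VARS = {"$HOME_NET": "192.0.2.0/24", "$EXTERNAL_NET": "!$HOME_NET",
        "$SMTP_SERVERS": "192.0.2.25", "$BAD": "$EXTERNAL_NET", "$GOOD": "$HOME_NET"}
# header: action proto srcaddr srcport dir dstaddr dstport, followed by (options)
HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)
# options: 'key: value;' or a bare 'keyword;'; a ';' inside double quotes is literal
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("[^"]*"|[^;]*))?\s*;')


def content_bytes(val):
    """Snort content syntax: quoted text, with |hh hh| runs giving raw hex bytes."""
    out = bytearray()
    for i, chunk in enumerate(val.strip('"').split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)


def parse_rule(text):
    """Parse one rule; options this toy engine does not evaluate (flow, reference, rev) are ignored."""
    m = HEADER_RE.match(text.replace("\\\n", " ").strip())   # join continuation lines
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    rule = {"action": action, "proto": proto, "src": src, "sport": sport, "dir": direction,
            "dst": dst, "dport": dport, "contents": [], "msg": "", "flags": None, "priority": 3}
    for key, val in OPTION_RE.findall(body):
        if key == "content":
            rule["contents"].append({"bytes": content_bytes(val), "nocase": False})
        elif key == "nocase" and rule["contents"]:
            rule["contents"][-1]["nocase"] = True      # modifier for the preceding content
        elif key == "msg":
            rule["msg"] = val.strip('"')
        elif key == "flags":
            rule["flags"] = val
        elif key in ("classtype", "priority"):
            rule["priority"] = CLASSTYPE_PRIORITY.get(val, 3) if key == "classtype" else int(val)
    return rule


def match_addr(spec, ip):
    """'any', a host or CIDR, a $VARIABLE, or any of these negated with '!'."""
    if spec.startswith("!"):
        return not match_addr(spec[1:], ip)
    if spec.startswith("$"):
        return match_addr(VARS[spec], ip)
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def match_port(spec, port):
    return spec == "any" or int(spec) == port


def match_flags(spec, pkt_flags):
    """flags: letters name TCP flags (S, F, A, ...); a trailing '+' tolerates extra flags."""
    wanted = set(spec.rstrip("+"))
    return wanted <= pkt_flags if spec.endswith("+") else wanted == pkt_flags


def rule_matches(rule, pkt):
    """Cheap header tests first, payload content last, mirroring Snort's ordering."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    ends = [(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])]
    if rule["dir"] == "<>":                              # bidirectional: reverse pair too
        ends.append((pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]))
    if not any(match_addr(rule["src"], a) and match_port(rule["sport"], ap) and
               match_addr(rule["dst"], b) and match_port(rule["dport"], bp) for a, ap, b, bp in ends):
        return False
    if rule["flags"] is not None and not match_flags(rule["flags"], pkt["flags"]):
        return False
    for c in rule["contents"]:
        hay, needle = [x.lower() if c["nocase"] else x for x in (pkt["payload"], c["bytes"])]
        if needle not in hay:
            return False
    return True


def inspect(rules, pkt):
    """All matching alert rules, highest priority (lowest number) first."""
    hits = [r for r in rules if r["action"] == "alert" and rule_matches(r, pkt)]
    return sorted(hits, key=lambda r: r["priority"])


RULES = [parse_rule(r) for r in (
    r'alert tcp $BAD any -> $GOOD any (flags: SF; msg: "SYN-FIN scan";)',
    r"""alert tcp any any -> any any \
(flow: established, to_server; content: "foo"; msg: "detected foo";)""",
    r"""alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 \
(msg:"SMTP exchange mime DOS"; flow:to_server,established; \
content:"charset = |22 22|"; nocase; classtype:attempted-dos; sid:658; rev:11;)""",
)]


def packet(src, sport, dst, dport, flags="AP", payload=b""):
    """Constructed decoded-packet record (not captured traffic)."""
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": set(flags), "payload": payload}


SAMPLE_PACKETS = {
    "synfin": packet("198.51.100.7", 40000, "192.0.2.10", 22, flags="SF"),
    "foo": packet("198.51.100.7", 40001, "192.0.2.80", 80, payload=b"GET /foo HTTP/1.0\r\n"),
    "smtp": packet("198.51.100.7", 40002, "192.0.2.25", 25, payload=b'Content-Type: text/plain; CHARSET = ""\r\nfoo'),
    "benign": packet("192.0.2.5", 40003, "192.0.2.25", 25, payload=b"EHLO mail.example\r\n"),
}
```

Running `inspect(RULES, pkt)` over the four sample packets shows the behaviour the slides describe: the SYN-FIN packet hits only the flags rule, the HTTP request only the content rule, the internal EHLO nothing (its source fails the $EXTERNAL_NET test before any content is inspected), and the SMTP packet matches both the generic "foo" rule and sid 658, with the attempted-dos rule reported first because its classtype gives it the higher priority. The nocase modifier is what lets the upper-case CHARSET in the payload match the lower-case content pattern.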
Snort summary
A de-facto standard IDS in the practical security community: more than 3,000,000 downloads, about 200,000 users
A light-weight, easily configurable IDS: good performance and reliability, moderate expressivity of rule language, numerous appliances available
Database, logging and alert interfaces; GUI tools; intrusion prevention and firewall interfaces; shared object rules (more complex functionality)