Design and Implementation of an IPv6 Plugin for the Snort Intrusion Detection System
TRANSCRIPT
Page 1
Design and Implementation of an IPv6 Plugin for the Snort Intrusion Detection System
Martin Schütte
5 November 2011
Page 2
IPv6 | IPv6 Plugin | Tests | Conclusion
IPv6 as a security problem
Snort IPv6 plugin
Tests
Conclusion
Martin Schütte, IPv6 Snort Plugin, 5 November 2011, 2 / 25
Page 3
State of affairs, around 1994
• IPv4 Internet: research and university networks
• known design and implementation flaws
• little experience with protocol security
• little pressure to improve
Page 4
State of affairs, around 2011
• IPv6 Internet: research and university networks
• known design and implementation flaws
• little experience with protocol security
• little pressure to improve
"I WANT YOU TO USE IPv6" (Vint Cerf; poster at www.cs.brown.edu/~adf/cerf/)
Page 5
IPv6 problems
• RFCs from 1995/1998 ⇒ 15 years of IPv4 security experience to catch up on
• many Internet-Drafts (IPsec, SEND, ...)
• few implementations
• almost nothing in end devices
Page 6
Attacks on IPv6
The usual:
• value ranges of header fields
• fragmentation
• denial of service
• port scans
• bugs in the application layer
IPv6-specific:
• variable headers
• autoconfiguration
• multicast
• routing
• v4/v6 transition
Page 7
IPv6 header format (basic header, 40 octets)
bits 0-3: Version | bits 4-11: Traffic Class | bits 12-31: Flow Label
bits 0-15: Payload Length | bits 16-23: Next Header | bits 24-31: Hop Limit
Source Address (128 bits)
Destination Address (128 bits)
Page 8
IPv6 extension headers (figure)
Page 9
Destination / Hop-by-Hop Options header
Layout (bits 0-7 | 8-15 | 16-23 | 24-31):
Next Header | Hdr Ext Len | Opt Type | Opt Len
Opt Value ...
Example (ICMPv6 MLD with router alert):
Next Header: 0x3a (ICMPv6)
Hdr Ext Len: 0x00 (8 octets)
Opt Type: 0x05 (Router Alert)
Opt Data Len: 0x02 (2 octets)
Opt Data: 0x00 0x00 (MLD)
Opt Type: 0x01 (PadN)
Opt Data Len: 0x00 (0 octets)
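The option walk on this slide, as an added Python example (not the plugin's code): it parses one Hop-by-Hop/Destination Options header and applies the two stateless decoder checks that the plugin's check table lists as SIDs 13 and 14. The constants and the three sample headers are constructed; the first one is the router-alert header shown above.

```python
# Parser for the Hop-by-Hop / Destination Options header as walked through on the slide.
# Constructed example, not the plugin's code. Option encoding and the Hdr Ext Len unit
# follow RFC 2460; the two alert messages are the plugin's checks 13 and 14.
PAD1, PADN = 0x00, 0x01

def parse_opt_header(buf: bytes):
    """Return (next_header, header_octets, options, length_mismatch).

    options is a list of (opt_type, opt_data) pairs; Pad1 is a single octet
    without a length byte, every other option is TLV-encoded."""
    if len(buf) < 2:
        raise ValueError("truncated extension header")
    next_hdr, hdr_ext_len = buf[0], buf[1]
    total = (hdr_ext_len + 1) * 8        # Hdr Ext Len counts 8-octet units, excluding the first
    if len(buf) < total:
        raise ValueError("extension header runs past the end of the packet")
    options, off, mismatch = [], 2, False
    while off < total:
        opt_type = buf[off]
        if opt_type == PAD1:
            options.append((PAD1, b""))
            off += 1
            continue
        if off + 1 >= total or off + 2 + buf[off + 1] > total:
            mismatch = True                  # option claims more bytes than the header holds
            break
        opt_len = buf[off + 1]
        options.append((opt_type, bytes(buf[off + 2:off + 2 + opt_len])))
        off += 2 + opt_len
    return next_hdr, total, options, mismatch

def decoder_checks(buf: bytes):
    """Alert messages that checks 13 and 14 would raise for this header."""
    _, _, options, mismatch = parse_opt_header(buf)
    alerts = []
    if mismatch:
        alerts.append("ipv6: option lengths != ext length")
    if options and all(t in (PAD1, PADN) for t, _ in options):
        alerts.append("ipv6: extension header has only padding options (evasion?)")
    return alerts

# Constructed headers: the MLD router-alert header from the slide, a padding-only
# header (the evasion case), and one whose option length overruns the header.
HBH_ROUTER_ALERT = bytes.fromhex("3a00 0502 0000 0100")
HBH_PADDING_ONLY = bytes.fromhex("3a00 0104 0000 0000")
HBH_BAD_LENGTH = bytes.fromhex("3a00 050a 0000 0100")

if __name__ == "__main__":
    for name, hdr in [("router alert", HBH_ROUTER_ALERT), ("padding only", HBH_PADDING_ONLY),
                      ("bad length", HBH_BAD_LENGTH)]:
        print(name, parse_opt_header(hdr)[2], decoder_checks(hdr))
```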
Page 10
Autoconfiguration and Neighbor Discovery
Design premise: a secure and trustworthy LAN
Simple denial of service:
1. Host Alice starts Duplicate Address Detection: "Is anyone using IP X?"
2. Host Eve answers: "I am using IP X."
3. goto 1
Routing / man in the middle:
1. Host Eve sends an ICMPv6 Redirect: "Router Bob here; for google.com please use router Eve."
Page 11
Routing and transition
Routing:
• extensive specification
• RH0 (source routing) deprecated
• RH2 needed for Mobile IPv6
Transition:
• dual stack: two packet filters
• tunnelling: easy filter evasion
• automatic tunnel routing loops
Page 12
Attack collection: THC toolkit
Tools/attacks/tests for:
• autoconfiguration DoS
• neighbour cache
• routing/redirect
• flood attacks
• Multicast Listener Discovery
• DHCPv6
• implementation6
Page 13
Snort IPv6 preprocessor
How it works:
• reads ICMPv6 messages
• tracks network state, i.e. the (MAC, IP) pairs of
  • routers
  • hosts
  • DADs in progress
• alerts on new hosts, router changes and the like
Page 14
Configuration in snort.conf
preprocessor ipv6: \
    net_prefix 2001:0db8:1::/64 \
    router_mac 00:16:76:07:bc:92 \
    host_mac ... \
    max_unconfirmed 32768 \
    max_routers 8 \
    expire_run 20 \
    keep_state 180
Page 15
IPv6 checks
SID  Message
1    RA from new router
2    RA from non-router MAC address
3    RA prefix changed
4    RA flags changed
5    RA for non-local net prefix
6    RA with lifetime 0
7    new DAD started
8    new host in network
9    new host with non-allowed MAC address
10   DAD with collision
11   DAD with spoofed collision
12   mismatch in MAC and NDP source link address option
13   ipv6: extension header has only padding options (evasion?)
14   ipv6: option lengths != ext length
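The state tracking described for the preprocessor (reads ICMPv6, tracks (MAC, IP) of hosts and running DADs, alerts on new hosts) and the DAD denial of service from the Neighbor Discovery slide, as an added Python model that is not the plugin's code. The SID numbers follow the check table above; the `host_mac` and `max_unconfirmed` settings mirror the snort.conf keys. The model assumes that an answer to a DAD probe is a genuine collision only when it comes from the MAC already recorded for that address, and otherwise a spoofed one; the event trace is constructed.

```python
# Toy model of the preprocessor's Neighbor Discovery state tracking.
# Constructed example, not the plugin's code; SID numbers follow the check table.
# Assumption of this model: an answer to a DAD probe counts as a genuine collision only
# when it comes from the MAC already recorded for that address, otherwise as spoofed.
from dataclasses import dataclass, field

@dataclass
class NdpTracker:
    allowed_macs: frozenset = frozenset()       # host_mac entries from snort.conf; empty = any MAC
    max_unconfirmed: int = 32768                 # cap on tentative addresses (the DoS limit)
    hosts: dict = field(default_factory=dict)    # confirmed address -> MAC
    pending: dict = field(default_factory=dict)  # tentative address -> MAC of the probing host
    alerts: list = field(default_factory=list)   # (sid, message)

    def on_ns(self, src_mac, src_ip, target):
        """Neighbor Solicitation; a DAD probe carries the unspecified source '::'."""
        if src_ip != "::":
            return
        if target not in self.pending:
            if len(self.pending) >= self.max_unconfirmed:
                return                           # state limit reached: refuse to grow the table
            self.alerts.append((7, f"new DAD started for {target} by {src_mac}"))
        self.pending[target] = src_mac

    def on_na(self, src_mac, target):
        """Neighbor Advertisement announcing 'target'."""
        prober = self.pending.pop(target, None)
        if prober is not None and prober != src_mac:
            sid = 10 if self.hosts.get(target) == src_mac else 11
            self.alerts.append((sid, f"DAD for {target} answered by {src_mac}"))
            self.pending[target] = prober        # the prober's DAD is still unresolved
            return
        if target not in self.hosts:             # prober confirming itself, or an unsolicited NA
            sid = 9 if self.allowed_macs and src_mac not in self.allowed_macs else 8
            self.alerts.append((sid, f"new host {target} at {src_mac}"))
        self.hosts[target] = src_mac

def replay(events, **cfg):
    """Feed a constructed (NS/NA) event list to a fresh tracker; return the SIDs raised."""
    tracker = NdpTracker(**cfg)
    for kind, *args in events:
        (tracker.on_ns if kind == "NS" else tracker.on_na)(*args)
    return [sid for sid, _ in tracker.alerts]

# Constructed trace: Alice's DAD answered by Eve (the DoS from the ND slide), then Bob joining.
TRACE = [
    ("NS", "aa:aa:aa:aa:aa:aa", "::", "2001:db8:1::10"),  # SID 7: Alice starts DAD
    ("NA", "ee:ee:ee:ee:ee:ee", "2001:db8:1::10"),        # SID 11: Eve claims Alice's address
    ("NS", "bb:bb:bb:bb:bb:bb", "::", "2001:db8:1::20"),  # SID 7: Bob starts DAD
    ("NA", "bb:bb:bb:bb:bb:bb", "2001:db8:1::20"),        # SID 8: nobody objected, Bob is a new host
]
```

Repeating Eve's answer for every new DAD, as in the slide's "goto 1" loop, shows up as one SID 11 alert per probe, while the `max_unconfirmed` cap keeps the pending table from growing without bound.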
Page 16
Snort IPv6 rule options
Goal:
• make IPv6 fields accessible to signatures
• basic header, extension headers, Neighbor Discovery options
How it works:
• callbacks for option keywords
• called with the parameters and the packet
• return match/no_match
Page 17
IPv6 rule options
alert icmp any any -> any any (itype:8; ipv:4; \
    msg:"ICMPv4 PING in v4 pkt"; sid:100000; rev:1;)
alert icmp any any -> any any (itype:8; ipv:6; \
    msg:"ICMPv4 PING in v6 pkt"; sid:100001; rev:1;)
alert icmp any any -> any any (itype:128; ipv:4; \
    msg:"ICMPv6 PING in v4 pkt"; sid:100002; rev:1;)
alert icmp any any -> any any (itype:128; ipv:6; \
    msg:"ICMPv6 PING in v6 pkt"; sid:100003; rev:1;)
Page 18
IPv6 rule options
alert ip any any -> any any (ip6_rh:!2; \
    msg:"invalid routing hdr"; sid:1000004; rev:1;)
event_filter gen_id 1, sig_id 1000004, type limit, \
    track by_dst, count 1, seconds 60
alert icmp any any -> any any (ipv:6; itype:134; \
    detection_filter: track by_dst, count 5, seconds 1; \
    msg:"ICMPv6/RA flooding"; sid:124850; rev:1;)
Page 19
Rule options of the IPv6 plugin
ipv              IP version
ip6_tclass       Traffic Class
ip6_flow         Flow Label
ip6_exthdr       Extension Header
ip6_extnum       number of extension headers
ip6_option       Destination/HbH option
ip6_optval       Destination/HbH option value
ip6_rh           Routing Header
icmp6_nd         Neighbor Discovery (bool)
icmp6_nd_option  Neighbor Discovery option
Page 20
Functional test
Snort features are easy to test:
• input:
  • PCAP file (instead of network input)
  • snort.conf
• output:
  • log events and alerts
Page 21
tester.pl (test harness diagram)
Test Runner (snort -c ... -r ...): PCAP data + snort.conf lines → logfile
Comparator: logfile + Specification → Result
Page 22
Example tests
- test: sendpees6
  pcap: sendpees6_1sec.pcap
  conf: simple.conf
  spec: "[1:124806:1],[1:124851:1],[248:12:1]"
- # ping with empty hbh ext (i.e. only padding)
  test: ping_padding
  pcap: ping_hbh_pad.pcap
  conf: simple.conf
  spec: "[116:432:1],[248:13:1]"
Page 23
Plugin performance
• stateless checks are fast: the plugin reads struct SFSnortPacket
• tracking state costs time and memory:
  ⇒ DoS risk, hence the limits
  ⇒ similar to other plugins (SSL, SMTP, ...)
  ⇒ the Snort decoder is the bottleneck
Page 24
Snort features
IPv6-ready Snort components:
• port scans (sfportscan) & fragmentation (frag3)
• packet filtering (inline mode, depending on the DAQ)
• logging (unified2)
• gradually more decoder checks
Page 25
Conclusion
• the plugin works
• installable as a dynamic library
• basis for new signatures
• Snort & plugin detect the THC attacks
• fundamental problem: insecure Ethernet
⇒ next: field tests in real networks
Tests and help welcome. Project page (still rather empty): http://mschuette.name/snortipv6/