3
The life of a packet through Snort’s detection engineThe life of a packet through Snort’s detection engine
4
Overview of protocol decoding and protocol anomaly detectionOverview of protocol decoding and protocol anomaly detection
• Static Decoders• Normalization of Data
• Static Decoders• Normalization of Data
5
Recent detection improvementsRecent detection improvements
• Advanced content options (distance, within, byte_test and byte_jump)
• All purpose state engine (conversation)
• Improved message passing between components
• Advanced content options (distance, within, byte_test and byte_jump)
• All purpose state engine (conversation)
• Improved message passing between components
6
Recent detection improvementsRecent detection improvements
• Advanced content options (distance, within, byte_test and byte_jump)
• All purpose state engine (conversation)
• Improved message passing between components
• Advanced content options (distance, within, byte_test and byte_jump)
• All purpose state engine (conversation)
• Improved message passing between components
7
DistanceDistance
content:"SITE"; nocase; content:"EXEC"; distance:0; nocase;
content:"SITE"; nocase; content:"EXEC"; distance:0; nocase;
8
WithinWithin
content: "Content-type\: video/x-ms-asf"; content:"|0a|"; within:2;
content: "Content-type\: video/x-ms-asf"; content:"|0a|"; within:2;
9
Byte jumpByte jump
byte_jump:4,4, relative,align; byte_jump:4,4, relative,align; content: "|00 01 86 A5|"; within:4;
byte_jump:4,4, relative,align; byte_jump:4,4, relative,align; content: "|00 01 86 A5|"; within:4;
11
Advantages and Disadvantages of static preprocessorsAdvantages and Disadvantages of static preprocessors
Advantages• Relatively Fast• State-based
implementations
Advantages• Relatively Fast• State-based
implementations
Disadvantages• Users are not
programmers• Requires
recompilation of the entire system
• Requires specific knowledge of the protocol (in addition to Snort)
Disadvantages• Users are not
programmers• Requires
recompilation of the entire system
• Requires specific knowledge of the protocol (in addition to Snort)
12
The promise of advanced rulesThe promise of advanced rules
• A quicker development cycle for discrete protocol anomaly detection
• Only requires knowledge of Snort’s rule language and the protocol itself
• NO NEED TO LEARN C
• A quicker development cycle for discrete protocol anomaly detection
• Only requires knowledge of Snort’s rule language and the protocol itself
• NO NEED TO LEARN C
13
Where existing advanced rules and preprocessors fall shortWhere existing advanced rules and preprocessors fall short
• New preprocessors can require significant development time
• Preprocessors rely on Snort’s pattern matching for detection of normalized data
• No advanced constructs (loops, regex, and data munging)
• Not all vulnerabilities can be covered with advanced rules and existing preprocessors
• New preprocessors can require significant development time
• Preprocessors rely on Snort’s pattern matching for detection of normalized data
• No advanced constructs (loops, regex, and data munging)
• Not all vulnerabilities can be covered with advanced rules and existing preprocessors
15
A new solution: sp_perlA new solution: sp_perl
Two new detection keywords:
• “perlre” provides real regular expressions
• “perl” provides runtime evaluation of virtually any perl code
Two new detection keywords:
• “perlre” provides real regular expressions
• “perl” provides runtime evaluation of virtually any perl code
16
sp_perl, are we nuts?sp_perl, are we nuts?
• Extensibility through perl• No additional CPU cost for non-perl
rules• Rapid updates to Snort’s detection
capabilities without re-implementing N-CODE
(And since you asked, we are nuts, but not because we added perl to Snort)
• Extensibility through perl• No additional CPU cost for non-perl
rules• Rapid updates to Snort’s detection
capabilities without re-implementing N-CODE
(And since you asked, we are nuts, but not because we added perl to Snort)
17
OK, so we’re nuts. How does this actually work? OK, so we’re nuts. How does this actually work?
• Create an embedded perl interpreter• Parse all the rules and store perl data for
later• When a perl rule option is triggered:– Convert the Payload, IPs, and Ports to
perl scalars– Pass perl scalars to perl– Evaluate packet data and persistent
data• On exit, destroy the runtime interpreter
• Create an embedded perl interpreter• Parse all the rules and store perl data for
later• When a perl rule option is triggered:– Convert the Payload, IPs, and Ports to
perl scalars– Pass perl scalars to perl– Evaluate packet data and persistent
data• On exit, destroy the runtime interpreter
18
Embedded perlEmbedded perl
PerlInterpreter *my_perl = perl_alloc();
perl_construct(my_perl);perl_parse(my_perl, NULL, 2,
perl_cmdline_opts, NULL)perl_run(my_perl);perl_destruct(my_perl);perl_free(my_perl);
PerlInterpreter *my_perl = perl_alloc();
perl_construct(my_perl);perl_parse(my_perl, NULL, 2,
perl_cmdline_opts, NULL)perl_run(my_perl);perl_destruct(my_perl);perl_free(my_perl);
19
OK, but how does that work inside of Snort?OK, but how does that work inside of Snort?
SetupPerlKungFoo()• Verifies the file with our perl functions is
there• Registers our keywords as valid detection
options• Allocates a runtime perl interpreter• Initializes the perl stack for our runtime
interpreter• Parses our perl file to get our functions into
the runtime environment • Stores the persistent data specific to
sp_perl in the OptTreeNode(s)
SetupPerlKungFoo()• Verifies the file with our perl functions is
there• Registers our keywords as valid detection
options• Allocates a runtime perl interpreter• Initializes the perl stack for our runtime
interpreter• Parses our perl file to get our functions into
the runtime environment • Stores the persistent data specific to
sp_perl in the OptTreeNode(s)
20
sp_perl, what the ugly C doessp_perl, what the ugly C does
• Calls perl_regex with the pattern, type of test (perl vs perlre), along with the IP addresses and ports
• Pushes args onto a local copy of the perl stack, then replace the global perl stack with our stack
• Calls the appropriate perl function using the new global perl stack
• Pops the return code from the perl stack, convert to an integer
• Returns the next test on the OptTreeNode on success, otherwise 0
• Calls perl_regex with the pattern, type of test (perl vs perlre), along with the IP addresses and ports
• Pushes args onto a local copy of the perl stack, then replace the global perl stack with our stack
• Calls the appropriate perl function using the new global perl stack
• Pops the return code from the perl stack, convert to an integer
• Returns the next test on the OptTreeNode on success, otherwise 0
22
IMAP LSUB Buffer OverflowIMAP LSUB Buffer Overflow
CAN-2000-028411/11-10:45:41.482210 172.16.2.130:33012 -> 10.2.2.250:143***AP*** Seq: 0x6F578C60 Ack: 0xFE6E84A1 Win: 0x16D0 TcpLen: 3231 20 4C 53 55 42 20 22 22 20 7B 31 30 36 34 7D 1 LSUB "" {1064}0D 0A ..
11/11-10:45:41.482699 10.2.2.250:143 -> 172.16.2.130:33012***AP*** Seq: 0xFE6E84A1 Ack: 0x6F578C72 Win: 0x7BFC TcpLen: 32TCP Options (3) => NOP NOP TS: 26213694 3382889872B 20 52 65 61 64 79 20 66 6F 72 20 61 72 67 75 + Ready for argu6D 65 6E 74 0D 0A ment..
11/11-10:45:41.483459 172.16.2.130:33012 -> 10.2.2.250:143***AP*** Seq: 0x6F578C72 Ack: 0xFE6E84B7 Win: 0x16D0 TcpLen: 3290 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
CAN-2000-028411/11-10:45:41.482210 172.16.2.130:33012 -> 10.2.2.250:143***AP*** Seq: 0x6F578C60 Ack: 0xFE6E84A1 Win: 0x16D0 TcpLen: 3231 20 4C 53 55 42 20 22 22 20 7B 31 30 36 34 7D 1 LSUB "" {1064}0D 0A ..
11/11-10:45:41.482699 10.2.2.250:143 -> 172.16.2.130:33012***AP*** Seq: 0xFE6E84A1 Ack: 0x6F578C72 Win: 0x7BFC TcpLen: 32TCP Options (3) => NOP NOP TS: 26213694 3382889872B 20 52 65 61 64 79 20 66 6F 72 20 61 72 67 75 + Ready for argu6D 65 6E 74 0D 0A ment..
11/11-10:45:41.483459 172.16.2.130:33012 -> 10.2.2.250:143***AP*** Seq: 0x6F578C72 Ack: 0xFE6E84B7 Win: 0x16D0 TcpLen: 3290 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
23
IMAP LSUB Buffer Overflow, continuedIMAP LSUB Buffer Overflow, continued
• Our content:
1 LSUB “” {1064}\r\nSHELLCODEHERE
• So how do we detect this?– Regex– Regex and some math
• Our content:
1 LSUB “” {1064}\r\nSHELLCODEHERE
• So how do we detect this?– Regex– Regex and some math
24
IMAP LSUB Buffer Overflow, regexIMAP LSUB Buffer Overflow, regex
1 LSUB “” {1064}\r\nSHELLCODEHERE
• Regex
^\d+\s+LSUB\s+""\s+{\d{4,}}
1 LSUB “” {1064}\r\nSHELLCODEHERE
• Regex
^\d+\s+LSUB\s+""\s+{\d{4,}}
25
IMAP LSUB Buffer Overflow, regex and some mathIMAP LSUB Buffer Overflow, regex and some math
1 LSUB “” {1064}\r\nSHELLCODEHERE
• Regex
^\d+\s+LSUB\s+""\s+{(\d+)}
• Math
$1 > 1000
1 LSUB “” {1064}\r\nSHELLCODEHERE
• Regex
^\d+\s+LSUB\s+""\s+{(\d+)}
• Math
$1 > 1000
26
IMAP LSUB Buffer Overflow, the rulesIMAP LSUB Buffer Overflow, the rules
alert ip any any -> any any (perlre:/^\d+\s+LSUB\s+""\s+{\d{4,}/;)
alert ip any any -> any any (perl:"$content =~ /\d+\s+LSUB\s+""\s+{(\d+)}/\; && $1 > 1000";)
alert ip any any -> any any (perlre:/^\d+\s+LSUB\s+""\s+{\d{4,}/;)
alert ip any any -> any any (perl:"$content =~ /\d+\s+LSUB\s+""\s+{(\d+)}/\; && $1 > 1000";)
27
IMAP LSUB Buffer Overflow, the optimized rulesIMAP LSUB Buffer Overflow, the optimized rules
alert tcp any any -> any 143 ( flow:to_server,established; content:"LSUB"; nocase; perlre:/^\d+\s+LSUB\s+""\s+{\d{4,}/;)
alert tcp any any -> any 143 ( flow:to_server,established; content:"LSUB"; nocase; perl:"$content =~ /\d+\s+LSUB\s+""\s+{(\d+)}/\; && $1 > 1000";)
alert tcp any any -> any 143 ( flow:to_server,established; content:"LSUB"; nocase; perlre:/^\d+\s+LSUB\s+""\s+{\d{4,}/;)
alert tcp any any -> any 143 ( flow:to_server,established; content:"LSUB"; nocase; perl:"$content =~ /\d+\s+LSUB\s+""\s+{(\d+)}/\; && $1 > 1000";)
28
FTP Port BounceFTP Port Bounce
CVE-1999-001712/31--5:00:00.007051 10.1.1.254:3161 -> 10.1.1.113:21
***AP*** Seq: 0x4FE9C1C4 Ack: 0x1E001761 Win: 0x7D78 TcpLen: 32
70 6F 72 74 20 31 37 32 2C 31 36 2C 30 2C 33 32 port 172,16,0,32
2C 31 32 2C 37 32 0A ,12,72.
CVE-1999-001712/31--5:00:00.007051 10.1.1.254:3161 -> 10.1.1.113:21
***AP*** Seq: 0x4FE9C1C4 Ack: 0x1E001761 Win: 0x7D78 TcpLen: 32
70 6F 72 74 20 31 37 32 2C 31 36 2C 30 2C 33 32 port 172,16,0,32
2C 31 32 2C 37 32 0A ,12,72.
29
FTP Port Bounce, continuedFTP Port Bounce, continued
• Our content:
port 172,16,0,32,12,72\n• So how do we detect this?– Regex and some perl
• Our content:
port 172,16,0,32,12,72\n• So how do we detect this?– Regex and some perl
30
FTP Port Bounce, regex and some perlFTP Port Bounce, regex and some perl
port 172,16,0,32,12,72
• Regex
$content =~ /port\s+(\d+),(\d+),(\d+),(\d+)/
• The Perl
$srcip ne $1.'.'.$2.'.'.$3.'.'.$4
port 172,16,0,32,12,72
• Regex
$content =~ /port\s+(\d+),(\d+),(\d+),(\d+)/
• The Perl
$srcip ne $1.'.'.$2.'.'.$3.'.'.$4
31
FTP Port Bounce, the rulesFTP Port Bounce, the rules
alert ip any any -> any any (perl:"$content =~ /port\s+(\d+),(\d+),(\d+),(\d+)/i && $srcip ne $1.'.'.$2.'.'.$3.'.'.$4";)
alert ip any any -> any any (perl:"$content =~ /port\s+(\d+),(\d+),(\d+),(\d+)/i && $srcip ne $1.'.'.$2.'.'.$3.'.'.$4";)
32
FTP Port Bounce, the optimized rulesFTP Port Bounce, the optimized rules
alert tcp any any -> any 21 ( flow:to_server,established; content:”port”; nocase; perl:"$content =~ /port\s+(\d+),(\d+),(\d+),(\d+)/i && $srcip ne $1.'.'.$2.'.'.$3.'.'.$4";)
alert tcp any any -> any 21 ( flow:to_server,established; content:”port”; nocase; perl:"$content =~ /port\s+(\d+),(\d+),(\d+),(\d+)/i && $srcip ne $1.'.'.$2.'.'.$3.'.'.$4";)
33
HTTP Unknown VersionHTTP Unknown Version
04/06-20:04:12.457297 10.200.1.100:33599 -> 66.35.250.150:80
TCP TTL:64 TOS:0x0 ID:58321 IpLen:20 DgmLen:56 DF
***AP*** Seq: 0xDD594D3E Ack: 0xAEE Win: 0x1490 TcpLen: 20
47 45 54 20 2F 20 48 54 54 50 2F 30 2E 32 0A 0A GET / HTTP/0.2..
04/06-20:04:12.457297 10.200.1.100:33599 -> 66.35.250.150:80
TCP TTL:64 TOS:0x0 ID:58321 IpLen:20 DgmLen:56 DF
***AP*** Seq: 0xDD594D3E Ack: 0xAEE Win: 0x1490 TcpLen: 20
47 45 54 20 2F 20 48 54 54 50 2F 30 2E 32 0A 0A GET / HTTP/0.2..
34
HTTP Unknown Version, continuedHTTP Unknown Version, continued
• Our content:GET / HTTP/0.2\n\n
• So how do we detect this?– Regex– Regex and some perl
• Our content:GET / HTTP/0.2\n\n
• So how do we detect this?– Regex– Regex and some perl
35
HTTP Unknown Version, regexHTTP Unknown Version, regex
GET / HTTP/0.2\n\n
• Regex
\s+HTTP/(0\.9|1\.1|1\.0)[\r]\n
GET / HTTP/0.2\n\n
• Regex
\s+HTTP/(0\.9|1\.1|1\.0)[\r]\n
36
HTTP Unknown Version, regex and some perlHTTP Unknown Version, regex and some perl
GET / HTTP/0.2\n\n
• Regex
\s+HTTP/([^\n]*)\n
• Perl
$1 ne '1.1' && $1 ne '1.0' && $1 ne '0.9'
GET / HTTP/0.2\n\n
• Regex
\s+HTTP/([^\n]*)\n
• Perl
$1 ne '1.1' && $1 ne '1.0' && $1 ne '0.9'
37
HTTP Unknown Version, building the rulesHTTP Unknown Version, building the rules
alert ip any any -> any any (perlre:\s+HTTP/(0\.9|1\.1|1\.0)[\r]{0,1}\n;)
alert ip any any -> any any (perl:"$content =~ ! HTTP/(.{3})! && $1 ne '1.1' && $1 ne '1.0' && $1 ne '0.9'";)
alert ip any any -> any any (perlre:\s+HTTP/(0\.9|1\.1|1\.0)[\r]{0,1}\n;)
alert ip any any -> any any (perl:"$content =~ ! HTTP/(.{3})! && $1 ne '1.1' && $1 ne '1.0' && $1 ne '0.9'";)
38
HTTP Unknown Version, the optimized rulesHTTP Unknown Version, the optimized rules
alert tcp any any -> any 80 (flow:to_server,established; content:”HTTP”; perlre:\s+HTTP/(0\.9|1\.1|1\.0)[\r]{0,1}\n;)
alert tcp any any -> any 80 (flow:to_server,established; content:”HTTP”; perl:"$content =~ ! HTTP/(.{3})! && $1 ne '1.1' && $1 ne '1.0' && $1 ne '0.9'";)
alert tcp any any -> any 80 (flow:to_server,established; content:”HTTP”; perlre:\s+HTTP/(0\.9|1\.1|1\.0)[\r]{0,1}\n;)
alert tcp any any -> any 80 (flow:to_server,established; content:”HTTP”; perl:"$content =~ ! HTTP/(.{3})! && $1 ne '1.1' && $1 ne '1.0' && $1 ne '0.9'";)
39
Even more advanced fooEven more advanced foo
• So, you want one or two specific rules to email you when they fire.
• Add this to snort.plsub insane {
my ($srcip,$content) = @_; use Net::SMTP; my $server = "mail.server.com"; my $email = "perlfoo\@snort.org"; my $smtp = Net::SMTP->new($server) || die "Can't connect to mail server";$smtp->mail($from); $smtp->to($to); $smtp->data();$smtp->datasend("To: $email\nFrom: $email\n");$smtp->datasend("Subject: perl alert - srcip = $srcip\n\n$content\n");$smtp->dataend(); $smtp->quit();
}
• Then use it in your rule:insane($srcip,$content)
• So, you want one or two specific rules to email you when they fire.
• Add this to snort.plsub insane {
my ($srcip,$content) = @_; use Net::SMTP; my $server = "mail.server.com"; my $email = "perlfoo\@snort.org"; my $smtp = Net::SMTP->new($server) || die "Can't connect to mail server";$smtp->mail($from); $smtp->to($to); $smtp->data();$smtp->datasend("To: $email\nFrom: $email\n");$smtp->datasend("Subject: perl alert - srcip = $srcip\n\n$content\n");$smtp->dataend(); $smtp->quit();
}
• Then use it in your rule:insane($srcip,$content)
40
Future WorkFuture Work
• Cache any perl specific data in the Packet struct
• Figure out how to pass struct and pass *p directly with pack/unpack foo in perl
• Instead of raw perl, use swig• Buy flak jackets to save us from the
rest of the Snort developers
• Cache any perl specific data in the Packet struct
• Figure out how to pass struct and pass *p directly with pack/unpack foo in perl
• Instead of raw perl, use swig• Buy flak jackets to save us from the
rest of the Snort developers