Penetration Testing Security Analysis and Advanced Tools: Snort

Upload: alison-little

Post on 26-Dec-2015


Page 1: Penetration Testing Security Analysis and Advanced Tools: Snort

Penetration Testing

Security Analysis and Advanced Tools:

Snort

Page 2: Penetration Testing Security Analysis and Advanced Tools: Snort

Introduction to Snort Analysis

• Snort – Widely used, open-source, network-based intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks
  – Performs protocol analysis and content matching to detect a variety of attacks and probes such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and more

Page 3: Penetration Testing Security Analysis and Advanced Tools: Snort

Modes of Operation

• Snort can be configured to run in the following modes:
  – Packet Sniffer
  – Packet Logger
  – Network Intrusion Detection System
  – Inline

Page 4: Penetration Testing Security Analysis and Advanced Tools: Snort

Features of Snort

• Features of Snort:
  – Protocol analysis
  – Content searching/matching
  – Real-time alerting capability
  – Can read a Tcpdump trace and run it against a rule set
  – Flexible rules language

• Snort can be configured to watch a network for a particular type of attack profile
  – It can alert the incident response team as soon as the attack takes place

Page 5: Penetration Testing Security Analysis and Advanced Tools: Snort

Configuring Snort

• Snort is configured using the text file snort.conf
  – The include keyword allows other rules files to be included within the rules file

• Variables
  – Used to define parameters for detection, specifically those of the local network or of specific servers or ports, for inclusion in or exclusion from the rules

• Snort Preprocessors
  – Offer additional detection capabilities
  – Port scan: TCP connection attempts sent to more than P ports in T seconds, or UDP packets sent to more than P ports in T seconds
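The port-scan threshold just described (one source contacting more than P distinct ports within T seconds), as an added Python illustration that is not Snort's own preprocessor code; the event tuples and the 10.0.0.x addresses are constructed sample data, and run_sample() shows how the choice of T decides whether a slow scan is caught.

```python
"""Port-scan threshold detection in the form the slide describes: one source
contacting more than P distinct ports on a host within T seconds.
Added illustration only, not Snort's preprocessor code; all events are constructed."""
from collections import defaultdict, deque

def detect_portscans(events, max_ports, window_seconds):
    """events: (timestamp, src_ip, dst_ip, dst_port, proto) tuples.
    Returns one alert per (src, dst, proto) the first time the number of
    distinct ports seen inside the trailing window exceeds max_ports."""
    recent = defaultdict(deque)   # key -> deque of (timestamp, port), oldest first
    alerted, alerts = set(), []
    for ts, src, dst, port, proto in sorted(events):
        key = (src, dst, proto)
        q = recent[key]
        q.append((ts, port))
        while q and ts - q[0][0] > window_seconds:  # expire contacts outside T
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > max_ports and key not in alerted:
            alerted.add(key)
            alerts.append({"src": src, "dst": dst, "proto": proto,
                           "time": ts, "ports": sorted(distinct)})
    return alerts

# Constructed sample traffic against 10.0.0.20:
#  10.0.0.5 sweeps eight ports in 1.4 s (a fast scan),
#  10.0.0.9 connects to port 443 eight times (normal re-use of one port),
#  10.0.0.7 touches six ports four seconds apart (a slow scan a 3 s window misses).
SCAN_PORTS = [21, 22, 23, 25, 80, 110, 139, 443]
SAMPLE_EVENTS = (
    [(100.0 + 0.2 * i, "10.0.0.5", "10.0.0.20", p, "tcp") for i, p in enumerate(SCAN_PORTS)]
    + [(100.1 + 0.2 * i, "10.0.0.9", "10.0.0.20", 443, "tcp") for i in range(8)]
    + [(100.0 + 4.0 * i, "10.0.0.7", "10.0.0.20", p, "tcp")
       for i, p in enumerate([22, 80, 443, 25, 8080, 3306])]
)

def run_sample(max_ports=5, window_seconds=3.0):
    """P=5 ports in T=3 s flags only the fast scanner; widening T to 30 s also
    catches the slow one, which is the trade-off the P and T settings encode."""
    return detect_portscans(SAMPLE_EVENTS, max_ports, window_seconds)
```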

Page 6: Penetration Testing Security Analysis and Advanced Tools: Snort

Configuring Snort (cont’d.)

These are the different directives that can be used with the config command

Page 7: Penetration Testing Security Analysis and Advanced Tools: Snort

Configuring Snort (cont’d.)

• Output Plug-ins
  – Allow Snort to be much more flexible in the formatting and presentation of output to its users
  – Snort has nine output plug-ins:
    • alert_syslog
    • alert_fast
    • alert_full
    • alert_unixsock
    • log_tcpdump
    • database
    • csv
    • unified
    • log_null

Page 8: Penetration Testing Security Analysis and Advanced Tools: Snort

How Snort Works

• Initializing Snort
  – Starting Up
  – Parsing the Configuration File

• Decoding
  – Execution begins at the ProcessPacket() function when a new packet is received

• Preprocessing
  – The ProcessPacket() function tests to see the mode in which Snort is running

• Detection
  – The detection phase begins in the Detect() function

Page 9: Penetration Testing Security Analysis and Advanced Tools: Snort

Content Matching

• Snort uses a series of string matching and parsing functions
  – Contained in the src/mstring.c and src/mstring.h files in the Snort source tree

• The detection engine slightly changes the way Snort works by having the first phase be a setwise pattern match

• Some detection options, such as pcre and byte_test, perform detection in the payload section of the packet, rather than using the setwise pattern-matching engine

Page 10: Penetration Testing Security Analysis and Advanced Tools: Snort

The Stream4 Preprocessor

• stream4 module
  – Provides TCP stream reassembly and stateful analysis capabilities to Snort
  – Gives large-scale users the ability to track many simultaneous TCP streams
  – Set to handle 8,192 simultaneous TCP connections in its default configuration

• Stream4 contains two configurable modules:
  – Global Stream4 preprocessor
  – Stream4 reassemble preprocessor

Page 11: Penetration Testing Security Analysis and Advanced Tools: Snort

Inline Functionality

• Implemented utilizing the iptables or ipfw firewall option to provide the functionality for a new set of rule types: drop, reject, and sdrop

• Inline Initialization
  – The inline_flag variable is used to toggle the use of inline functionality in Snort

• Inline Detection
  – To receive packets from ipqueue or ipfw, calls to the IpqLoop() and IpfwLoop() functions are added to the SnortMain() function

Page 12: Penetration Testing Security Analysis and Advanced Tools: Snort

Writing Snort Rules

• Snort uses a simple, lightweight rules description language that is both flexible and powerful

• The Rule Header (fields)
  – Rule action
  – Protocol
  – IP address
  – Port information
  – Directional operator

• Rule Options
  – Specify exactly what to match and what to display after a successful match

Page 13: Penetration Testing Security Analysis and Advanced Tools: Snort

Writing Snort Rules (cont’d.)

These are all available Snort rule options.

Page 14: Penetration Testing Security Analysis and Advanced Tools: Snort

Writing Snort Rules (cont’d.)

• Writing Good Snort Rules
  – Develop effective content-matching strings
  – Catch the vulnerability, not the exploit
  – Catch the oddities of the protocol in the rule
  – Optimize the rules
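A parser for the rule layout the last three slides describe (the seven header fields followed by the parenthesised option list), as an added Python example and not Snort's own rule-parsing code. It also expands $NAME header values from a dict standing in for snort.conf variables and keeps quoted option values that contain ';' intact; SAMPLE_VARS and the rule with sid 1000001 are constructed for illustration, not taken from any Snort ruleset.

```python
import re

HEADER_FIELDS = ("action", "protocol", "src_ip", "src_port",
                 "direction", "dst_ip", "dst_port")
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
# One option is 'keyword;' or 'keyword:value;'. A double-quoted value is matched
# as a unit, so a ';' inside msg:"..." or content:"..." does not split it.
OPTION_RE = re.compile(r'\s*([A-Za-z_]\w*)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

def expand_var(value, variables):
    """Expand $NAME from {name: value} (what snort.conf 'var' lines define);
    a leading '!' negation survives and an undefined $NAME stays literal."""
    neg = value.startswith("!")
    name = value[1:] if neg else value
    if name.startswith("$"):
        name = variables.get(name[1:], name)
    return ("!" if neg else "") + name

def parse_options(opts):
    """Return [(keyword, value-or-None), ...] in the order written."""
    options, pos, opts = [], 0, opts.strip()
    while pos < len(opts):
        m = OPTION_RE.match(opts, pos)
        if not m:
            raise ValueError(f"malformed option near {opts[pos:pos + 20]!r}")
        key, value = m.group(1), m.group(2)
        if value is not None and value.startswith('"'):
            if len(value) < 2 or not value.endswith('"'):
                raise ValueError(f"unterminated quoted value for {key}")
            value = value[1:-1]  # backslash escapes are left as written
        options.append((key, value))
        pos = m.end()
    return options

def parse_rule(text, variables=None):
    """Split one rule into (header dict, option list), validating the header."""
    text = text.strip()
    if "(" not in text or not text.endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    head, _, opts = text[:-1].partition("(")
    tokens = head.split()
    if len(tokens) != len(HEADER_FIELDS):
        raise ValueError(f"expected 7 header fields, got {len(tokens)}")
    header = dict(zip(HEADER_FIELDS, tokens))
    if header["action"] not in ACTIONS or header["direction"] not in ("->", "<>"):
        raise ValueError(f"bad action or directional operator in {head!r}")
    for field in ("src_ip", "src_port", "dst_ip", "dst_port"):
        header[field] = expand_var(header[field], variables or {})
    return header, parse_options(opts)

# Constructed sample in the local sid range, not a rule from any Snort ruleset.
SAMPLE_VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!192.168.1.0/24"}
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
               '(msg:"WEB-CGI test-cgi access"; flow:to_server,established; '
               'content:"/cgi-bin/test-cgi"; nocase; sid:1000001; rev:2;)')
```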

Page 15: Penetration Testing Security Analysis and Advanced Tools: Snort

Snort Tools

• IDS Policy Manager
  – Written to manage Snort IDS sensors in a distributed environment

• Snort Rules Subscription
  – Sourcefire, the company behind Snort, uses a registration and subscription model for distribution of new rules

• Honeynet Security Console
  – Analysis tool to view events on a personal network or honeynet

Page 16: Penetration Testing Security Analysis and Advanced Tools: Snort

Snort Tools (cont’d.)

IDS Policy Manager configures Snort with a graphical user interface.

Page 17: Penetration Testing Security Analysis and Advanced Tools: Snort

Snort Tools (cont’d.)

Honeynet Security Console displays and analyzes events from several IDS programs.

Page 18: Penetration Testing Security Analysis and Advanced Tools: Snort

Summary

• Snort is a powerful intrusion detection system (IDS) and traffic analyzer

• A Snort configuration file has four major components:
  – Variables
  – Preprocessors
  – Output plug-ins
  – Rules

• A Snort rule contains a rule header and rule options

• Users can write their own Snort rules either manually or with the assistance of tools

Page 19: Penetration Testing Security Analysis and Advanced Tools: Snort

Summary (cont’d.)

• A three-homed firewall DMZ handles the traffic between the internal network and the firewall, as well as the traffic between the firewall and the DMZ

• A site survey can be conducted to determine the proper number of access points needed based on the expected number of users and the specific environment for a WLAN

• Authentication may not be desired if a network is publicly accessible

• An access point is a layer-2 device that serves as an interface between the wireless network and the wired network