snort in windows 7

Intrusion Detection Systems (IDS)

Snort In Windows 7

Project By: Sapan Mishra

Under Guidance of: Er. Nutan Kumar Panda


Table of ContentsTable of Contents..........................................................................................................2

Introduction..................................................................................................................3

Host-Based Intrusion Detection....................................................................................3

Network Based Intrusion Detection..............................................................................4

Approaches...................................................................................................................5

The Need for Intrusion Detection Systems...................................................................5

IDS Location...................................................................................................................7

Intrusion Tactics............................................................................................................9

Snort............................................................................................................................10

Snort Modes of Operation..........................................................................................10

Packet Sniffer..............................................................................................................10

Network Intrusion Detection Mode............................................................................11

Network Intrusion Detection Rules.............................................................................11

Snort Rule Header.......................................................................................................12

Snort Rule Options......................................................................................................13

Snort Alerts.................................................................................................................13

Conclusion...................................................................................................................14

References..................................................................................................................15


Introduction

“An intrusion detection system monitors computer systems, looking for signs

of intrusion (unauthorized users) or misuse (authorized users overstepping their

bounds).” (1) Intrusion Detection Systems (IDS) can operate on a variety of different

levels. Host-Bases IDSs reside on a host machine and execute intrusion detection

locally. Network-based Intrusion Detection Systems (NIDS) focus on network data

flow. The key to successfully identifying and preventing intrusion lies within the

various techniques. “Using intrusion detection methods, you can collect and use

information from known types of attacks and find out if someone is trying to attack

your network or particular hosts.” (3) IDSs have a series of steps that all need to be

completed before a system can be appropriately protected. These steps revolve

around the data that is being processed on the system being monitored. “Data is

collected by monitoring activities in the hosts or network. The raw data is analyzed to

classify activities as normal or suspicious. When a suspicious activity is considered

sufficiently serious, a response is triggered.” (6)

Host-Based Intrusion DetectionHost-Based Intrusion Detection is accomplished by installing software on each

individual local system. These software modules, or agents, work on the client

system to perform intrusion detection. This can be accomplished using a variety of

methods. One common method is to have the software agent monitor the system

logs, and look for irregular patterns. An example of this is when an agent watches for

unauthorized activities done by a user without adequate permissions. Essentially,

the agent will keep a running log of the users actions. If the users actions raise a red

flag (meaning that the actions of the user are suspicious), then the system

administrator is able to backtrack the actions, and investigate why a particular user

was using the system in that way. Another effective method for Host-Based IDSs is

to watch for suspicious processes that are running. Sometimes a particular process

name can mean trouble for system administrator, depending upon its purpose.

Protecting the integrity of the system files is another high priority task for Host-Based


IDSs. An IDS agent can take an inventory of system files, along with their

permissions, and report any changes to the set. The same auditing tactic can be used

to watch user accounts. An IDS that witnesses a users permissions being changed, or

unauthorized user being created can indicate problems for a systems administrator.

All of these methods are classified as agent-based software, which makes up the

largest category of Host-Based IDSs. The other major category is the host

wrappers/personal firewalls. “Host wrappers or personal firewalls can be configured

to look at all network packets, connection attempts, or login attempts to the

monitored machine.” (http://www.sans.org/resources/idfaq/host_based.php)

Examples of these are dial-in attempts, non-network related communication ports,

or software other software on the host attempting to connect to the network.

(“http://www.sans.org/resources/idfaq/host_based.php”)

Network Based Intrusion Detection“Network-based ID involves looking at the packets on the network as they pass by

some sensor.” (“http://www.sans.org/resources/idfaq/network_based.php”)

Packets are only of interest if they happen to match a particular signature. There are

three main types of signatures:

String signatures – Look for strings, or combinations of strings, that could

potentially be an intrusion. Signatures containing sensitive file names may

cause an alarm.

Port signatures – Signatures that contain port numbers that are regularly

attached (i.e. telnet (TCP port 23), FTP (TCP port 21/20), SUNRPC (TCP/UDP

port 111), and IMAP (TCP port 143), or communications that are utilizing ports

that are not used may be reason for suspicion.

Header condition signatures – Signatures that contain illogical data or well

known, dangerous content. “The most famous example is Winnuke, where a

packet is destined for a NetBIOS port and the Urgent pointer, or Out Of Band

pointer is set. This resulted in the "blue screen of death" for Windows

systems.” (“http://www.sans.org/resources/idfaq/network_based.php“)


The key to making this intrusion detection system successful lies within the

placement. Sensors need to be in a position that will exposed the sensors to the flow

of network packets.

ApproachesJust as with many other technologies today, no single approach is going to

give appropriate protection. Therefore, a combination of the two or more intrusion

detection techniques should be applied. “Within its limitations, it is useful as one

portion of a defensive posture, but should not be relied upon as a sole means of

protection.” (2) IDSs will never entirely replace the need for professional system

administrators, mainly because a large function of the IDS system is merely data

collections. Although the IDS can provide some help in data analysis, the need for

human interaction/analysis will probably never go away. Not all-suspicious behavior

should be assumed to be malicious, and IDSs would do just that.

The Need for Intrusion Detection SystemsA computer intrusion can be damaging in a variety of ways, depending on the

intent of the intrusion. If the intrusion amounts to a nuisance, then resources have

to be expended to alleviate the problem. This requires the system administrator to

divert their attention away from business, and to focus on the annoyance. Even if an

intrusion isn’t malicious, i.e. not damaging or theft related, the intrusion could bog

down the network, causing a loss of productivity among the employees. Intrusions

that are aimed at theft are particularly damaging to a company in terms of

competition. Companies go to great lengths to protect their Intellectual Property,

since it can be such a large source of income and market share. If this information

falls into the wrong hands, i.e. the competition, then the company can suffer greatly

due to lost revenue. Malicious damages may come about by a hacker who intends to

hurt a company by destroying data. This is the most damaging type of an attack

because it has a snowball effect. Not only does a company lose many records,

customer information, business contacts, etc., but they also take a huge hit in the


productivity area. Until all the information is restored, much of the staff cannot work

efficiently. A company may also lose customers due to the fact that the company has

the target of a computer hacking. Customers tend to get very nervous when they

think that their personal data has the potential to fall into the wrongs hands.

March 11, 2005 - Pleasant Hill, California Computer Hacker from "Deceptive

Duo" Guilty of Intrusions into Government Computers and Defacing Websites

($70,000)

September 9, 2004 - Ex-Official Of Local Computer Consulting Firm Pleads

Guilty To Computer Attack Charge ($100,000)

August 23, 2004 - Former Employee Of A Massachusetts High-Technology Firm

Charged With Computer Hacking ($26,400)

July 28, 2004 - Vallejo Woman Admits To Embezzling More Than $875,035 -

Not-For-Profit Organization Victim Of Computer Fraud ($875,035)

July 21, 2004 - Florida Man Charged With Breaking Into Acxiom Computer

Records - Intrusion and Theft of Data Result in Loss of More than $7 Million

($7,000,000)

May 1, 2001 - Creator of Melissa Computer Virus Sentenced to 20 Months in

Federal Prison ($80,000,000)

from http://www.usdoj.gov/criminal/cybercrime/cccases.html

Many of the attacks listed above were done by “insiders”, which are people

that had access to the company’s internal network. In the case of an insider attack, a

firewall can provide little protection. A common mistake occurs when companies

assume that a firewall will protect them from hackers. One must understand the

limitations of a firewall:

1. “Not all access to the Internet occurs through the firewall. The firewall cannot

mitigate risk associated with connections it never sees.” (5)

2. “Not all threat originates outside the firewall. Intrusion detection systems are

part of the infrastructure that is privy to the traffic on the internal network.


Therefore, they will become even more important as security infrastructures

evolve.” (5)

IDS Location

The location of a Network Intrusion Detection System can be the deciding factor

between success and failure. The type of information collected can also vary greatly

depending on where the IDS sensor is placed. For example, in the figure below:

from

http://www.cisco.com/en/US/products/sw/cscowork/ps3990/products_user_guide_c

hapter09186a0080104f0c.html#145)

Sensor #1: This sensor monitors the communication between a protected

network and the internet. This is the most common type of

protection that is practiced.


network and remote access servers.

Sensor #3: This sensor monitors the communication between internal sites.


network and the extranet connection with a business partner.


Having sensors at these various locations is necessary for complete coverage. Each

sensor is strategically placed to collect data that could be the site of an intrusion

attempt. A sensor should be placed in front of the firewall, so that the system

administrator can start collecting data about the types of attacks that are being

attempted against the network. A sensor should also be placed to aid the firewall (at

the firewall level) in preventing attacks. In the event that an intrusion makes it past

the firewall, another IDS agent should be there to intercept/divert the intrusion, or at

least log the event. Lastly, a sensor should be placed on the local network for traffic

that does no pass through the firewall. Statistics show that the most common type

of system misuse comes from “insiders”.

Intrusion Tactics

Fending off potential attackers is must easier when the attack tactics are known.

Listed below are the common hacking tactics used by computer hackers:

Password cracking – Discovery of user’s passwords.

Trojan horses - Malicious programs that are disguised as legitimate software

Interception of Communication - Gains unauthorized access or exceeds

authorized access.

Spoofing - A program used by a cracker to trick a computer system into

thinking it is being accessed by an authorized user.

Packet Sniffer - A software or hardware tool that monitors data packets on a

network. Generally used to discover user passwords.

Hacking - Taking advantage of system weaknesses to gain access to resources

or privileges

from Intrusion Detection Systems (IDS) Part I

(http://www.windowsecurity.com/articles/Intrusion_Detection_Systems_IDS_Part_I_

_network_intrusions_attack_symptoms_IDS_tasks_and_IDS_architecture.html)

These are just a few of the many types of attacks that a systems administrator may

have to face. Due to the vast size of today’s networks, many companies are far more


susceptible to attacks than they probably think. Comfort can no longer be found by

hiring experienced/over-priced system administrators to fend off all of these attacks.

Companies would go broke trying to compensate their resource pool of system

administrators.

Snort

Snort is a lightweight intrusion detection system. Martin Roesch, who was

aiming at creating an open source package that could rival the commercial systems,

developed Snort in 1998. Snort has had incredible success in the open source arena

and has been established as a true competitor to commercial solutions.

Snort Modes of Operation

Snort has two main modes of operation. This first is a packet sniffer mode,

which is similar to tcpdump. Packets are stored in a log file, which allows for later

analysis. The other mode of operation is a Network Intrusion Detection System

(NIDS). When Snort functional in this mode, rule sets are applied to packets, which

in turn, look for suspicious behavior. Both modes of operation are detailed below.

Packet Sniffer

Running Snort in packet sniffer mode will allow system administrators to

collect and store packet data. Snort can be configured to collect packet data in

varying detail, depending on how much detail is required. Although very similar to

tcpdump, Snort does have features that extend beyond the capability of tcpdump.

“The major feature that Snort has which tcpdump does not is packet payload

inspection. Snort decodes the application layer of a packet and can be given rules to

collect traffic that has specific data contained within its application layer.”

(http://www.snort.org/docs/lisapaper.txt) Snort also has a more readable display of

the packet data. One additional feature that Snort provides is that while logging to a

file, Snort will still log in a format that is compatible with tcpdump, so users can still

use tcpdump for analysis.


Network Intrusion Detection Mode

Running Snort in Network Intrusion Detection Mode is quite different than

running in packet sniffer mode. Network Intrusion Detection mode does not

capture/log the network packets. Instead, it applies a set of rules on each passing

packet. The set of rules are managed by the system administrator and should reflect

common intrusion patterns. These patterns are a lot like virus definition files in that

they show a list of common packet patterns that generally indicate an intrusion or

misuse of the system. No action is taken if the packet does not meet one of the

implemented rules. If a packet does match one of the rules, then the packet is

logged, and may also generate an alert. An alert is a notification to the system

administrator that a questionable packet has just been received (or send out) from a

particular system.

Network Intrusion Detection Rules

The rules definition files can generally be found in the

/opt/snort/etc/snort.conf and can be activated with the “-c” command line option.

Snort rules contain two basic elements: a Rule Header and Rule Options. The Rule

Header is going to contain the criteria for packet matching. It also contains

instructions on what actions need to be taken in the event of a rule match. The Rule

Options part will contain supplemental information to be used for the matching

criteria. An example of a rule is provided below:

alert ip any any -> any any (msg: "IP Packet detected";)

In this example, an alert is generated every time as IP packet is detected, either

sending of receiving. This is a good rule to test Snort, but do not leave this rule in

place. The particular rule has the ability to fill up a users hard rive because of all the

excessive logging.


Snort Rule Header

The rule header contains a lot of information that need to be broken down

into different sections. Below is a listing of the Snort Rule Header architecture:

Action Protocol Address Port Direction Address Port

Action: The action part of the rule determines the type of action taken

when criteria are met and a rule is exactly matched against a data packet.

Protocol: The protocol part is used to apply the rule on packets for a

particular protocol only.

Address: The address parts define source and destination addresses.

Port: In case of TCP or UDP protocol, the port parts determine the source

and destination ports of a packet on which the rule is applied. In case of

network layer protocols like IP and ICMP, port numbers have no

significance.

Direction: The direction part of the rule actually determines which address

and port number is used as source and which as destination. (3)

Snort Rule Options

Snort Rule Options can be found within the set of parenthesis contain in a Snort Rule.

Options generally follow the format of having a keyword (i.e. ACK, CLASSTYPE,

CONTENT, OFFSET, DEPTH, CONTENT-LIST, DSIZE, FLAGS, FRAGBITS, ICMP_ID,

ICMP_SEQ, ITYPE, ICODE, ID, IPOPTS, IP_PROTO, LOGTO, MSG, PRIORITY, REACT,

REFERENCE, RESP, REV, RPC, SAMEIP, SEQ, FLOW, SESSION, SID, TAG, TOS, TTL,

URICONTENT), followed by an argument. The options portion of the rules is capable

of AND logical. The options supplement the rule header’s matching criteria. With all

of these option available to the users, the search capability of Snort sets itself apart

from the competition.


Snort Alerts

When a packet does meet the criteria of a rule, then Snort can either log the entry to

a log file, or it can send out an alert. Snort has a variety of alert modes, which are all

detailed below:

Fast Mode (“-A fast”) – This mode reports Timestamp, Alert message, Source

and destination IP addresses, and Source and destination ports. The actual

packet is not logged while using this mode.

Full Mode (“-A full”) – This mode reports the same information as in Fast

Mode, but it also includes the packet’s header.

UNIX Socket Mode (“-A unsock”) – This mode will allow a system

administrator to send alerts to other programs using a UNIX socket.

Alerts to Syslog (“-s”) – This mode will store the alert is the syslog, which is

where system level events are recorded.

SNMP Mode – Alerts can also be sent as SNMP messages, where Network

Management Systems can help system administrators identify and correct the

problem.

Installing Snort in Windows 7

Requirement for Snort in Window 7

Microsoft Windows 7 Professional:

http://store.microsoft.com/microsoft/Windows-7-Professional/product/B985134B?

WT.mc_id=winonlinetest_shop3_PROfull_r3

Mozilla Firefox 3.6:

http://www.mozilla.com/en-US/products/download.html?product=firefox-

3.6&os=win&lang=en-US

Microsoft Security Essentials:

http://www.microsoft.com/security_essentials/

COMODO Firewall 3.14:

http://www.comodo.com/home/download/download.php?prod=firewall

Microsoft Baseline Security Analyzer 2.1.1:


http://www.microsoft.com/downloads/details.aspx?FamilyID=b1e76bbe-71df-41e8-

8b52-

c871d012ba78&displaylang=en

ActivePerl 5.10.1.1006:

http://www.activestate.com/activeperl/

Notepad++ 5.6.6

http://sourceforge.net/projects/notepad-plus/files/notepad%2B%2B%20releases

%20binary/npp

%205.6.6%20bin/npp.5.6.6.Installer.exe/download

Foxit Reader 3.1.4:

http://download.cnet.com/Foxit-Reader/3000-10743_4-10313206.html?part=dl-

116442&subj=dl&tag=button

Kiwi Syslog Server 9.0.3:

http://kiwisyslog.com/kiwi-syslog-server-download/

7-Zip 4.65:

http://sourceforge.net/projects/sevenzip/files/7-Zip/4.65/7z465.exe/download

WinPcap 4.1.1:

http://www.winpcap.org/install/default.htm

Snort 2.8.5.2

http://dl.snort.org/snort-current/Snort_2_8_5_2_Installer.exe

Oinkmaster 2.0

http://sourceforge.net/projects/oinkmaster/files/oinkmaster/2.0/oinkmaster-

2.0.tar.gz/download

1) After installing the Operating System and downloading all of the software

listed above, I would advise both copying of the software to an external drive

as well as creating a System Restore Point. This will shorten reinstall times

should something not work as expected.

2) With the exception of Oinkmaster, you should now systematically install all of

the downloaded software. Note that you may substitute some of the software


(ex. Use IE instead of Firefox or skip installing the Foxit Reader), however

some software such as WinPcap are integral to running Snort in the method

used in this guide.

a) When installing the software, take note of the following:

1) I would recommend using the default options and allow the

applicable components to be run as a service/at startup.

2) When installing Kiwi, uncheck the Web Access, as it will expire after

30 days.

3) During the installation and running of software, the COMODO

Firewall will be triggered multiple times and you will need to Allow Kiwi

access.

b) I would now ensure that the Operating System and all software are

patched and updated. I would also run the Microsoft Baseline Security Analyzer and

correct any anomalies as you see fit. It is also recommended that you search the

Internet for guides on hardening the Windows 7 Operating System.

Acquiring updated Rules and an Oinkcode:

If you haven't already done so, you will need to become a Registered member

on the Snort website.


This is needed in order to download and use the Sourcefire VRT Certified

Rules. Snort will not be operating up to date without them (and Oinkmaster will not

work).

https://www.snort.org/signup

After you have created an account, log in to the Snort website and copy your

personalized Oinkcode (to be used by Oinkmaster). Also, download the Sourcefire

VRT Certified Rules (registered-user release) – be sure to grab the “snapshot”

version, as shown below.


Applying our updated Rules:

**BEFORE APPLYING THESE UPDATED RULES, COPY THE FILE

C:\SNORT\ETC\SNORT.CONF TO YOUR DESKTOP**

Right-click on the snortrules-snapshot-2.8.tar.gz file that we downloaded and choose

“Extract Here”:

Right-click on the newly extracted file (snortrules-snapshot-2.8_s.tar) and choose

“Extract files...”.

Change the Path to C:\Snort and check “Overwrite without prompt”:

Configuring the snort.conf File:


Edit the file you copied to your Desktop (snort.conf) with Notepad++ and perform

the following:

Change lines 120-121 to read:

Change line 204 to read:






Change (uncomment) line 863 to read:


Now save and close this file. Copy this file to c:\snort\etc and overwrite the existing

one.

Keep in mind that you will need to tailor this file (especially the rule set section) and

any other configuration files to further suit your IDS/IPS needs.

Verifying Snort Operation:

Open a Command Prompt and run c:\snort\bin\snort -W (be sure to use a capital

“W”)

Now run c:\snort\bin\snort -v -iX (replace X with your Device Interface number found

from running the previous line)

After a couple of seconds you will see “Not Using PCAP_FRAMES”. Snort is

now running and will alert you if a Rule is triggered. If you have suspicious network

traffic going across your interface, the command prompt window will rapidly scroll

text.


While still leaving the Snort command prompt window open, launch a second

command prompt window. From the new window, run the command ping

google.com If it hasn't occurred already, this ping command will trigger a Snort alert!

you can now close both command prompt windows, as we have verified that Snort is

installed and alerting correctly in verbose mode. To test that our configuration file is

correct, open a new command prompt window and type:

c:\snort\bin\snort -iX -s -l c:\snort\log\ -c c:\snort\etc\snort.conf (replace X with

your Device Interface number)


If you have correctly entered all information, you should receive a graceful exit such

as the screen shot below. If you receive a fatal error, you should first verify that you

have typed all modifications correctly into the snort.conf file and then search

through the file for entries matching your fatal error message.

Verifying Kiwi Operation and Tying it to Snort:

Now open the Kiwi Syslog Server Console and type CTRL-T (you should see a test

message appear, which indicates Kiwi is working)

Using Notepad++, create a file on your Desktop called Snortstart.bat and place the

following line of code in it:

c:\snort\bin\snort -iX -s -l c:\snort\log\ -c c:\snort\etc\snort.conf (replace X with

your Device Interface number)

Also create a shortcut on your Desktop for the Kiwi Syslog Server Console Open the

Kiwi Syslog Server Console (if it isn't already) Now right-click and run Snortstart.bat


as an Administrator. Wait (about thirty seconds) until you see the familiar line “Not

Using PCAP_FRAMES” at the end.

Finally, open another command prompt window and run: ping google.com and........

At this point you should see the Snort Alert outputting into Kiwi!!!!

Note that the reason why we have to run our batch file as an Administrator is that, in

our current configuration, we need to maintain rights to not only output our alerts to

Kiwi, but to write them to a log file.

At this point we have successfully installed Snort and have our Alerts being output to

two sources. Our final step will be to configure Oinkmaster to help us update and

manage our Rules.


Configuring Oinkmaster and Verifying its Operation:

Right-click on the oinkmaster-2.0.tar.gz file that we downloaded and choose “Extract

Here”

Right-click on this new file (oinkmaster-2.0.tar) and choose “Extract Here”

Now we have a new folder called oinkmaster-2.0. Move this new folder into c:\snort

Go to c:\snort and create a folder named: temp

Go to c:\snort\oinkmaster-2.0\contrib and copy the oinkgui file to your Desktop.

Rename this file to:

Update Snort Rules

Now we have an additional module we need to download and install:

Once the file has been downloaded, open a command prompt window and type the

line as shown

below (note that your path name might be different. Once the installation has been

complete, you can close the command prompt window.


Now double-click on our Update Snort Rules file we have on the desktop and

configure Oinkmaster to match the screen shots shown:


Note that your “Editor” path may be different than that shown.

Now go back to the “Required files and directories” tab and click “Edit” (to the right

of the oinkmaster.conf file entry).


Where <oinkcode> is equal to the personal Oinkcode you downloaded from

Snort.org earlier in this guide.

Now save your oinkmaster.conf file and close Notepad++

You are now back at the main Oinkmaster GUI page

Click “Save current settings”

Click “Update rules!”

After a few minutes of watching the rule update process, it will read: done.

Click “Exit” to close out of the Oinkmaster GUI.


Conclusion

Intrusion Detection Systems place a lot of emphasis on network-based attacks,

although statistics have shown that “insider” attacks are far more common. IDS

development should work towards addressing this attack trend. One possible

suggestion is to adopt a more “neighborhood” type of protection. By this I mean

that each computer on a network should look out for one another. If a system is

monitoring another system, and it look like it’s under attack, then the monitoring

system can draw the attention of other systems to help monitor the activity, and try

and catch the intruder. Hackers will often attack the IDS, causing it to report

incorrect status, allowing the hackers to get away without being caught.

Implementing the “neighborhood” type architecture would make it very difficult to

succeed using this tactic. ID systems could also benefit from standards. This was

being said in 1999, when there was a lot of buzz about ID systems, and it’s still being

said today.


References

1. Bace, Becky, “An Introduction to Intrusion Detection and Assessment

for System and Network Security Management,” ICSA, Inc.

http://downloads.securityfocus.com/library/intrusion.pdf, 2002.

2. John McHugh , Alan Christie , Julia Allen, “Defending Yourself: The Role

of Intrusion Detection Systems”, IEEE Software, v.17 n.5, p.42-51,

September 2000

3. Rehman, Rafeeq Ur, “Intrusion Detection Systems with Snort: Advanced

IDS Techniques with Snort, Apache, MySQL, PHP, and ACID”, Prentice

Hall PTR,

http://www.mialug.org/downloads/static/documentation/security/Intr

usion%20Detection%20with%20Snort.pdf, 2003.

4. Riordan, James, “Intrusion Detection”, Global Security Analysis Lab

Global Security Analysis Lab,

http://www.cnec.org/CONFERENCES/cnec10/praesentationen/riordan.

pdf, 2001.

5. Rosendahl, Mauri, “Deploying Intrusion Detection in large networks”,

Helsinki University of Technology,

http://www.helsinki.fi/~mrosenda/netsec_2002_IDS.pdf, 2002.

6. T. Chen, "Intrusion detection for viruses and worms," chapter in IEC

Annual Review of Communications, vol. 57, Fall 2004

snort in windows 7

Technology

intrusion detection

intrusion tactics

hostbased idss

system administrator

agentbased software

port signatures signatures

network data flow

flow of network packets