Security & Forensics Snort IDS - Rich Macfarlane, Bill Buchanan 1

Week 4 Task Sheet Rich Macfarlane 2013

Week Date Teaching Attended

4 Feb 2013 Lab 6: Snort IDS on Windows

Aim: The aim of these labs is to investigate the Snort Network Intrusion Detection System (NIDS) from a Windows platform, and how to call it from a basic C# GUI.

Time to complete:

4 hours (Two supervised hours in the lab, and two additional hours, unsupervised).

Activities:

Complete Lab 6: Snort IDS

.pdf from WebCT or http://www.dcs.napier.ac.uk/~cs342/CSN11102/Lab6.pdf

(use the IDS chapter from the module handbook for reference)

Complete End Of Unit Tutorial Questions for the IDS chapter, if not already completed.

Take some End Of Unit Online Tests for the Encryption chapter at:

http://www.asecuritysite.com/security/tests/tests?sortBy=sfc03

Learning activities:

At the end of these activities, you should understand:

How to run Snort as a packet sniffer, and an IDS from the command line.

How to create and use Snort IDS Detection Rules.

How to read and interpret Snort IDS Alerts.

How to invoke Snort from an application program.

The packet header formats for protocols such as IP, TCP, and HTTP.

Reflective statements (end-of-exercise):

Do you understand the main objectives of an IDS?

Do you understand how an application program can interface to Snort?

References:

Course Handbook - Unit 2 IDS

Background Reading: Google Books - search for “IDS” “Snort”

Lab 6: Snort IDS – Command Line Basics Rich Macfarlane, Prof. Bill Buchanan 2013

6.1 Details

Aim: To provide the foundations of using the Snort Network Intrusion Detection System (NIDS) software from the command-line interface, to capture network traffic, and to detect different types of traffic.

6.2 Overview

In the previous labs, we used the combination of C# .NET and the WinPcap library to create packet filtering and basic IDS applications. While this approach allows for fine-grained control over what the application captures, the development time can be quite lengthy. Alternatively, it is possible to use purpose-built IDS systems, such as Snort, RealSecure, or Cisco hardware IDS/IPS. These systems can be configured to detect intrusions on a network. This is achieved by creating detection rules (which include detection signatures), which are used as input to the IDS Sensors.

The IDS Sensors are placed around the network and attempt to identify unwanted or malicious traffic. They typically log the details on the IDS Sensor itself, as well as reporting this to an administrator centrally, as shown in the figure below.

[Figure: Network-Based Intrusion Detection System (NIDS). IDPS Sensors are placed in the DMZ (Email, Web and FTP servers) and on the Trusted Internal Network (Bob), facing the Untrusted Internet (Eve); both sensors report to an IDPS Monitoring/Management Console used by the System Administrator. Diagram: Rich Macfarlane]

This lab gives an introduction into using the Snort Engine as a packet sniffer, as well as developing basic detection rules to use Snort as an IDS Sensor.

Snort documentation, including the User Guide can be found at:

http://www.snort.org/docs

6.3 Activities

6.2.1 (Optional) Download and install Snort on your Laptop

Snort® is an open source Network IDS capable of performing real-time traffic analysis and packet logging on IP networks.

Download Snort from:

http://www.snort.org/snort-downloads

For Windows, select the Snort_2_9_3_1_Installer.exe binary. Install with the defaults, to the C:\Snort directory, as shown below.

Figure 1: Snort Installation

Click the Next button on each screen, accepting all the defaults when prompted.

6.2.2 Running Snort

Open a Windows Command prompt, to run Snort from the command line.

The manual page for Snort can be found using the man snort command in Linux, or in Windows using the following command:

snort -?

The output should be similar to that shown below.

Note: If tools such as snort are not on the Windows PATH, then you can find files from the Windows command line using a command similar to the following:

dir \ /s /b | find "snort.exe"

Then change to the directory containing the Snort executable, such as:

cd c:\snort\bin

C:\Snort\bin>snort -?

,,_ -*> Snort! <*-

o" )~ Version 2.8.5-ODBC-MySQL-FlexRESP-WIN32 GRE (Build 106)

'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team

Copyright (C) 1998-2009 Sourcefire, Inc., et al.

Using PCRE version: 7.4 2007-09-21

USAGE: snort [-options] <filter options>

snort /SERVICE /INSTALL [-options] <filter options>

snort /SERVICE /UNINSTALL

snort /SERVICE /SHOW

Options:

-A Set alert mode: fast, full, console, test or none (alert file alerts only)

-b Log packets in tcpdump format (much faster!)

-B <mask> Obfuscated IP addresses in alerts and packet dumps using CIDR mask

-c <rules> Use Rules File <rules>

-C Print out payloads with character data only (no hex)

-d Dump the Application Layer

-e Display the second layer header info

-E Log alert messages to NT Eventlog. (Win32 only)

-f Turn off fflush() calls after binary log writes

-F <bpf> Read BPF filters from file <bpf>

-G <0xid> Log Identifier (to uniquely id events for multiple snorts)

-h <hn> Home network = <hn>

-H Make hash tables deterministic.

-i <if> Listen on interface <if>

-I Add Interface name to alert output

-k <mode> Checksum mode (all,noip,notcp,noudp,noicmp,none)

-K <mode> Logging mode (pcap[default],ascii,none)

-l <ld> Log to directory <ld>

-L <file> Log to this tcpdump file

-n <cnt> Exit after receiving <cnt> packets

-N Turn off logging (alerts still work)

-O Obfuscate the logged IP addresses

-p Disable promiscuous mode sniffing

-P <snap> Set explicit snaplen of packet (default: 1514)

-q Quiet. Don't show banner and status report

-r <tf> Read and process tcpdump file <tf>

-R <id> Include 'id' in snort_intf<id>.pid file name

-s Log alert messages to syslog

-S <n=v> Set rules file variable n equal to value v

-T Test and report on the current Snort configuration

-U Use UTC for timestamps

-v Be verbose

-V Show version number

-W Lists available interfaces. (Win32 only)

-X Dump the raw packet data starting at the link layer

-x Exit if Snort configuration problems occur

-y Include year in timestamp in the alert and log files

To determine the network interfaces of your machine, run Snort with the -W flag, as shown below.

c:\Snort\bin> snort -W

Interface Device Description

--------------------------------------------------------------------------------

1 \Device\NPF_{E0CFG749-539A-34S8-97EA-85D6EA1C8F34} Broadcom NetXtreme Gigabit Ethernet Driver

2 \Device\NPF_{3D8A00E4-9ED1-49B0-9393-8E3370D10F6C} VMware Virtual Ethernet Adapter

3 \Device\NPF_{F14E3854-EC26-472D-90FC-A40487A45091} VMware Virtual Ethernet Adapter

4 \Device\NPF_{B754D555-CC51-4A45-859D-8A7A69CB6F9E} VMware Virtual Ethernet Adapter

Q: What is the index number of your Internet Connected Network Interface?

Snort Modes

Snort can be used in various ways:

1. Basic Packet Sniffer (similar to tshark or tcpdump)

2. Network Intrusion Detection System (NIDS)

3. Network Intrusion Prevention System (NIPS)

[Figure: Host PC (Windows 7 desktop) on the Napier network. Network traffic from the Internet arrives at the Physical Network Card; the Snort Engine uses WinPcap to read the network traffic, and outputs to the console window and to file]

6.2.3 Snort as a Packet Sniffer

Run Snort as a basic packet sniffer (packet dump mode), against the interface that you want to capture traffic on. Use the interface number of your Ethernet network connection as shown below.

C:\Snort\bin> snort -dev -i 4

Running in packet dump mode

--== Initializing Snort ==--

Initializing Output Plugins!

...

Note: Running in this mode, Snort will capture all traffic passing through the specified network interface, and log every packet to the console window, just like a packet sniffer.

The arguments -d -e -v mean the Snort output will show the IP (Layer 3) and TCP/UDP/ICMP (Layer 4) headers (-v), the data link layer header (-e), and the packet's data (Layer 7) (-d).

The -i 4 argument specifies packet capture on the 4th network interface.

Test by generating some Web traffic, and view the output. Stop the packet capture with CTRL-C and verify that it is capturing data packets.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/12-11:11:07.410133 0:15:0:34:2:F0 -> 0:C:41:F5:23:D5 type:0x800 len:0x19A
192.168.1.101:2735 -> 146.176.1.188:80 TCP TTL:128 TOS:0x0 ID:13141 IpLen:20 DgmLen:396 DF
***AP*** Seq: 0xCEDC79A8 Ack: 0xE2431ED3 Win: 0x4037 TcpLen: 20
47 45 54 20 2F 68 6F 6D 65 5F 6E 65 77 2F 69 6D  GET /home_new/im
61 67 65 73 2F 70 72 6F 67 5F 66 32 2E 67 69 66  ages/prog_f2.gif
20 48 54 54 50 2F 31 2E 31 0D 0A 41 63 63 65 70   HTTP/1.1..Accep
74 3A 20 2A 2F 2A 0D 0A 52 65 66 65 72 65 72 3A  t: */*..Referer:
20 68 74 74 70 3A 2F 2F 77 77 77 2E 6E 61 70 69   http://www.napi
65 72 2E 61 63 2E 75 6B 2F 0D 0A 41 63 63 65 70  er.ac.uk/..Accep
74 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 67  t-Language: en-g
62 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64 69  b..Accept-Encodi
6E 67 3A 20 67 7A 69 70 2C 20 64 65 66 6C 61 74  ng: gzip, deflat
65 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D  e..User-Agent: M
6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70  ozilla/4.0 (comp

Scroll back up to the Snort output in the console window, select one of the TCP packets, and determine the following:

Q: The source IP address:

Q: The source TCP port:

Q: The destination IP address:

Q: The destination TCP port:

Q: The source MAC address:

Q: The destination MAC address:

Q: The TCP flags:

Scroll back down to the Packets Detected Totals, and complete the following:

Q: Received Packets Total?

Q: IPv4 Packets Total?

Q: TCP Packets Total?
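The questions above are answered by reading the -dev record by eye; the following Python parser, added here as a worked example (it is not part of the lab sheet or of Snort), pulls the same fields out of a record automatically. The sample record is the page's own GET packet re-typed inline as constructed input, with only the first three payload lines kept.

```python
import re

# The GET packet from the dump above, re-typed inline as constructed input (first three
# payload lines only) so the parser runs offline.
SAMPLE_DUMP = """\
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/12-11:11:07.410133 0:15:0:34:2:F0 -> 0:C:41:F5:23:D5 type:0x800 len:0x19A
192.168.1.101:2735 -> 146.176.1.188:80 TCP TTL:128 TOS:0x0 ID:13141 IpLen:20 DgmLen:396 DF
***AP*** Seq: 0xCEDC79A8 Ack: 0xE2431ED3 Win: 0x4037 TcpLen: 20
47 45 54 20 2F 68 6F 6D 65 5F 6E 65 77 2F 69 6D  GET /home_new/im
61 67 65 73 2F 70 72 6F 67 5F 66 32 2E 67 69 66  ages/prog_f2.gif
20 48 54 54 50 2F 31 2E 31 0D 0A 41 63 63 65 70   HTTP/1.1..Accep
"""

HEX = r"0x[0-9A-Fa-f]+"
# Layer 2 line (-e): timestamp, source MAC -> destination MAC, EtherType, frame length
L2_RE = re.compile(rf"^(\S+) (\S+) -> (\S+) type:({HEX}) len:({HEX})$")
# Layer 3/4 line (-v): src ip[:port] -> dst ip[:port], protocol, then TTL/TOS/ID/... fields
L3_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)(?::(\d+))? -> (\d+\.\d+\.\d+\.\d+)(?::(\d+))? (\w+) (.*)$")
# TCP line: eight flag positions in the order 12UAPRSF ('*' = clear), then Seq, Ack, Win, TcpLen
TCP_RE = re.compile(rf"^([12UAPRSF*]{{8}}) Seq: ({HEX}) Ack: ({HEX}) Win: ({HEX}) TcpLen: (\d+)$")
# Payload line (-d): up to 16 hex bytes, then the printable rendering, which is ignored
# (a short final line whose text begins with two hex-looking letters would be misread).
PAYLOAD_RE = re.compile(r"^((?:[0-9A-F]{2} ){1,16})\s*(.*)$")
FLAG_NAMES = {"1": "CWR", "2": "ECE", "U": "URG", "A": "ACK",
              "P": "PSH", "R": "RST", "S": "SYN", "F": "FIN"}


def parse_record(text):
    """Turn one 'snort -dev' record into a dict of header fields plus the raw payload."""
    rec = {"payload": b""}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("=+"):        # blank line or record separator
            continue
        if m := L2_RE.match(line):
            rec.update(timestamp=m[1], src_mac=m[2], dst_mac=m[3],
                       ethertype=int(m[4], 16), frame_len=int(m[5], 16))
        elif m := L3_RE.match(line):
            rec.update(src_ip=m[1], src_port=int(m[2]) if m[2] else None,
                       dst_ip=m[3], dst_port=int(m[4]) if m[4] else None, proto=m[5])
            rec.update((k.lower(), v) for k, v in re.findall(r"(\w+):(\S+)", m[6]))
            rec["ip_flags"] = [t for t in m[6].split() if ":" not in t]   # e.g. DF
        elif m := TCP_RE.match(line):
            rec["tcp_flags"] = [FLAG_NAMES[c] for c in m[1] if c != "*"]
            rec.update(seq=int(m[2], 16), ack=int(m[3], 16),
                       window=int(m[4], 16), tcp_len=int(m[5]))
        elif m := PAYLOAD_RE.match(line):
            rec["payload"] += bytes.fromhex(m[1])    # fromhex ignores the spaces
    return rec


def lab_answers(text):
    """The seven fields the questions above ask for, in the order they are listed."""
    r = parse_record(text)
    return (r["src_ip"], r["src_port"], r["dst_ip"], r["dst_port"],
            r["src_mac"], r["dst_mac"], "+".join(r["tcp_flags"]))
```

Note that the frame length (0x19A = 410) is the IP datagram length (396) plus the 14-byte Ethernet header, a quick consistency check on any record you parse.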

Logging to a Directory

Snort can capture data packets, and log them to a folder on the hard disk.

[Figure: the packet dump above, annotated with Src MAC, Dest MAC, Src IP, Dest IP, Src TCP Port and Dest TCP Port]

Use mkdir c:\Snort\matricno, or Windows Explorer, to create a directory for the Snort output to be written to (replacing matricno with your matric number).

Run Snort with the -l argument to define the output log folder, and the -K ascii argument to specify ASCII format for the output:

c:\Snort\bin> snort -dev -i 4 -l c:\Snort\yourmatricno -K ascii

Test the logging by accessing a few Web sites, and then stop the program (CTRL-C), and examine the contents of your newly created folder using Explorer:

Q: What are the contents of the folder? How are the logged packets arranged?

Q: Go into one of the folders and view the contents of the capture log file using a text editor. What does it contain?

6.2.4 Snort as a Network Intrusion Detection System

When running in this mode the Snort sensor only reports on traffic which matches detection rules. These rules are specified in an input file. Snort ignores all other traffic when running in this mode.

[Figure: an Intrusion Detection/Prevention (IDPS) Sensor monitoring System or Network Activities, comparing them against Detection Signatures, and writing Logs and Alerts]

6.2.5 Writing Snort Detection Rules

The format of a Snort Detection Rule is as follows:

action protocol src-ip src-port -> dest-ip dest-port (packet-payload-params output-msg)

[pass|log|alert] [ip|icmp|tcp|udp] [any|IP] [any|port] -> [any|IP] [any|port] ([content:"searchstring";] [nocase;] [msg:"alert message";] sid:ruleid;)

Create a file called napier.txt in the C:\Snort\rules directory. This will be a detection rules file (defining the detection signatures) for Snort. Create a Snort detection rule which will detect the word “napier” in a data packet from a web server, such as:

alert tcp any 80 -> any any (content:"napier"; msg:"Napier detected in packet"; sid:999;)

Save the detection rules file.

Run Snort, using the detection rules file from c:\Snort\rules as input, and logging to the c:\Snort\yourmatricno folder, with the following:

c:\Snort\bin> snort -dev -i 4 -p -l c:\Snort\yourmatricno -K ascii -c c:\Snort\rules\napier.txt -k none

Note: The -k none argument turns off checksum verification, so that Snort does not ignore packets with checksum errors. You should add this parameter to all calls to Snort.

Test the detection rule

Go into your output folder and monitor the alert.ids file (Right-click > View > Details in Windows Explorer shows when the file changes).

Browse to the Napier web site and view some pages. This should produce an alert from the Snort Sensor, written to the alert.ids file.

Q: What are the contents of the alert.ids file?

Q: Did it detect the word Napier? YES/NO

Q: Can you identify the Napier public web server IP Address from the alert output?
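As an added worked example (not Snort's code and not part of the lab sheet), the following Python matcher parses rules in the format given above and evaluates them against constructed packets. It shows why the lab's rule (any 80 -> any any) fires on the web server's reply but not on the browser's request, why the Lab 6B rule in btnIDSRule_Click (any any -> any 80) does the opposite, and why content: misses “Napier” unless nocase; is added. It goes beyond the lab's any/any rules by also accepting CIDR addresses, port ranges and ! negation; the |..| hex content form is not handled. The sid on the Lab 6B rule is assumed here.

```python
import ipaddress
import re
from collections import namedtuple

Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port payload")

# Rule header: action protocol src-ip src-port -> dst-ip dst-port ( options )
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
# Rule option: 'name:value;' or a bare flag such as 'nocase;'; values may be double-quoted
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("[^"]*"|[^;]*))?;')

def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: " + text)
    action, proto, sip, sport, direction, dip, dport, body = m.groups()
    rule = {"action": action, "proto": proto.lower(), "src": (sip, sport),
            "dst": (dip, dport), "dir": direction, "content": [], "nocase": False}
    for name, value in OPTION_RE.findall(body):
        value = value.strip().strip('"')
        if name == "content":            # a rule may carry several content: options
            rule["content"].append(value.encode())
        elif name == "nocase":
            rule["nocase"] = True
        else:                            # msg, sid, rev, ... kept as plain strings
            rule[name] = value
    return rule

def _addr_match(pattern, ip):
    # 'any', a host or CIDR block, optionally negated with '!' (the lab only uses 'any')
    if pattern == "any":
        return True
    net = ipaddress.ip_network(pattern.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != pattern.startswith("!")

def _port_match(pattern, port):
    # 'any', one port, or a lo:hi range with either end open, optionally negated
    if pattern == "any":
        return True
    lo, sep, hi = pattern.lstrip("!").partition(":")
    low = int(lo) if lo else 0
    high = int(hi) if hi else (65535 if sep else low)
    return (low <= port <= high) != pattern.startswith("!")

def rule_matches(rule, pkt):
    if rule["proto"] not in ("ip", pkt.proto.lower()):
        return False
    def one_way(src, dst):
        return (_addr_match(src[0], pkt.src_ip) and _port_match(src[1], pkt.src_port)
                and _addr_match(dst[0], pkt.dst_ip) and _port_match(dst[1], pkt.dst_port))
    header_ok = one_way(rule["src"], rule["dst"])
    if rule["dir"] == "<>":              # bidirectional rule: either orientation counts
        header_ok = header_ok or one_way(rule["dst"], rule["src"])
    if not header_ok:
        return False
    fold = (lambda b: b.lower()) if rule["nocase"] else (lambda b: b)  # case-sensitive unless nocase
    return all(fold(c) in fold(pkt.payload) for c in rule["content"])

def fired(rule_text, pkt):
    return rule_matches(parse_rule(rule_text), pkt)

# Constructed traffic modelled on the lab's packet dump: the browser's GET to the Napier web
# server ("napier" sits in the Referer header) and a made-up reply from that server.
REQUEST = Packet("tcp", "192.168.1.101", 2735, "146.176.1.188", 80, b"GET /home_new/images/prog_f2.gif HTTP/1.1\r\nReferer: http://www.napier.ac.uk/\r\n\r\n")
RESPONSE = Packet("tcp", "146.176.1.188", 80, "192.168.1.101", 2735, b"HTTP/1.1 200 OK\r\n\r\n<html><title>Napier University</title></html>")

# The lab's rule watches traffic FROM port 80; the Lab 6B rule watches traffic TO port 80 (sid assumed)
RULE_FROM_SERVER = 'alert tcp any 80 -> any any (content:"napier"; msg:"Napier detected in packet"; sid:999;)'
RULE_TO_SERVER = 'alert tcp any any -> any 80 (content:"napier"; msg:"Napier detected"; sid:1000;)'
RULE_FROM_SERVER_NOCASE = RULE_FROM_SERVER.replace('content:"napier";', 'content:"napier"; nocase;')
```

Running fired() with each rule against REQUEST and RESPONSE shows that only the to-server rule sees the request, and that the lab's rule only sees the reply once nocase; is added, which is why the alert.ids contents depend on both the rule direction and the exact case of the word on the page.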

The output directory should be similar to the following:

When a detection rule fires, output such as the following should be written for every packet detected:

6.2.6 Create a Detection Rule for Instant Messaging

Download a simple client and server program, from the ProfSIMS Toolkit:

http://buchananweb.co.uk/dotNetClientServer.zip

In groups of two, one person should run the server on their machine, and the other runs the client on their machine.

The Toolkit, containing both Client and Server, can be run from an icon on the Desktop:

One person, from their server tab, should start the server on Port 1001, as shown below.

The other person, from their client tab, should connect to the server via the Server IP Address and Port 1001, as shown below.

Make sure that you can send messages back and forth, before going on to the next part of the tutorial.

Write a Snort detection rule which detects the communications between the client and server.

Q: What is the Snort detection rule?

Test the detection rule by holding a conversation between the running Client & Server programs.

Q: Did Snort detect the communications?

YES/NO

Q: Why might an organisation use an IDS to detect this type of application?

Write a Snort detection rule which detects the word “hacker” in the communications between the client and server.

Q: What is the Snort detection rule?

Test the detection rule, by using the word in a conversation between the running Client & Server programs.

Q: Did Snort detect the word in the communications?

YES/NO

Lab 6B: Invoking Snort from a Windows Application

Details

Aim: To provide a foundation in configuring and invoking a Snort Sensor, and monitoring its output, from within a C#/.NET application.

Activities

1. If Visual Studio is installed on your machine, download the following solution (Gal, 2010):

http://buchananweb.co.uk/SnortCaller.zip

An outline of the code is:

public void runSnort(string arguments)
{
    // Launch snort.exe with the given arguments and route its output to the text box
    processCaller = new ProcessCaller(this);
    processCaller.FileName = @"c:\snort\bin\snort.exe";
    processCaller.Arguments = arguments;
    processCaller.StdErrReceived += new DataReceivedHandler(writeStreamInfo);
    processCaller.StdOutReceived += new DataReceivedHandler(writeStreamInfo);
    processCaller.Completed += new EventHandler(processCompletedOrCanceled);
    processCaller.Cancelled += new EventHandler(processCompletedOrCanceled);
    this.richTextBox1.Text = "Started function. Please stand by.." + Environment.NewLine;
    processCaller.Start();
}

private void btnInterface_Click(object sender, System.EventArgs e)
{
    this.runSnort("-W");
}

2. In the Project listing, double click on the SnortCaller.cs file, then double click on the Show interf button, and add the following highlighted code:

private void btnInterface_Click(object sender, System.EventArgs e)
{
    this.runSnort("-W");
}

This defines the Snort arguments that are used to run the program.

3. Run the program, and show that the output is similar to the output below.

What are your network interface(s)?

4. Double click on the Capture Inter button, and add the following highlighted code. Replace the c:\\matricno with c:\\yourMatricNo, and replace the value after the -i option with the interface number. This should log to the folder defined.

private void btnStart_Click(object sender, System.EventArgs e)
{
    // Create the log folder if it does not exist yet, then start Snort logging into it
    if (!Directory.Exists("c:\\matricno")) Directory.CreateDirectory("c:\\matricno");
    this.runSnort("-dev -i 1 -p -l c:\\matricno -K ascii");
}

5. Run the program and get Snort to capture the packets, and then stop it with the Stop button.

Test by generating some Web traffic, view the output, and verify that it is capturing data packets, such as the following:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/12-11:11:07.410133 0:15:0:34:2:F0 -> 0:C:41:F5:23:D5 type:0x800 len:0x19A
192.168.1.101:2735 -> 146.176.1.188:80 TCP TTL:128 TOS:0x0 ID:13141 IpLen:20 DgmLen:396 DF
***AP*** Seq: 0xCEDC79A8 Ack: 0xE2431ED3 Win: 0x4037 TcpLen: 20
47 45 54 20 2F 68 6F 6D 65 5F 6E 65 77 2F 69 6D  GET /home_new/im
61 67 65 73 2F 70 72 6F 67 5F 66 32 2E 67 69 66  ages/prog_f2.gif
20 48 54 54 50 2F 31 2E 31 0D 0A 41 63 63 65 70   HTTP/1.1..Accep
74 3A 20 2A 2F 2A 0D 0A 52 65 66 65 72 65 72 3A  t: */*..Referer:
20 68 74 74 70 3A 2F 2F 77 77 77 2E 6E 61 70 69   http://www.napi
65 72 2E 61 63 2E 75 6B 2F 0D 0A 41 63 63 65 70  er.ac.uk/..Accep
74 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 67  t-Language: en-g
62 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64 69  b..Accept-Encodi
6E 67 3A 20 67 7A 69 70 2C 20 64 65 66 6C 61 74  ng: gzip, deflat
65 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D  e..User-Agent: M
6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70  ozilla/4.0 (comp

6. Select one of the TCP data packets, and determine the following:

The source IP address:

The source TCP port:

The destination IP address:

The destination TCP port:

[Figure: the packet dump above, annotated with Src MAC, Dest MAC, Src IP, Dest IP, Src TCP port and Dest TCP port]

The source MAC address:

The destination MAC address:

The TCP flags:

7. Double click on the View Output button, and add the following highlighted code.

private void btnView_Click(object sender, System.EventArgs e)
{
    openFileDialog1.InitialDirectory = "c:\\matricno";
    // Only open the file if the user actually chose one (not on Cancel)
    if (openFileDialog1.ShowDialog() == DialogResult.OK)
    {
        Process.Start("wordpad.exe", openFileDialog1.FileName);
    }
}

8. Run the program, and select the View Output button, and verify that you get the output seen below.

What are the contents of the folder:

Open one of the IDS files in the subfolders, and verify the output, as shown below.

Go into one of the folders and view the contents of the alert.ids file. What does it contain:

9. Double click on the Create IDS rule button, and add the following code:

private void btnIDSRule_Click(object sender, System.EventArgs e)
{
    // Each Snort rule needs a unique sid, as in the napier.txt rule of Lab 6
    string rule = "alert tcp any any -> any 80 (content:\"napier\"; msg:\"Napier detected\"; sid:999;)";
    StreamWriter SW = File.CreateText("c:\\snort\\bin\\napier.txt");
    SW.WriteLine(rule);
    SW.Close();
    statusIDS.Text += "IDS updated... please restart Snort";
}

which writes a Snort rule to the napier.txt file.

10. Double click on the View alert.ids button, and add the following code:

private void btnViewAlert_Click(object sender, System.EventArgs e)
{
    if (File.Exists("c:\\matricno\\alert.ids"))
    {
        Process.Start("wordpad.exe", "c:\\matricno\\alert.ids");
    }
    else statusIDS.Text += "File does not exist...";
}

Also update the line:

this.runSnort("-dev -i 1 -p -l c:\\matricno -K ascii");

with (to allow Snort to read in the newly created rules file):

this.runSnort("-dev -i 1 -p -l c:\\matricno -K ascii -c c:\\snort\\bin\\napier.txt");

11. Run the program, and capture some Web traffic with the name napier in it. Then stop the capture, and select the View alert.ids button as shown below.

What are the contents of the alert.ids file:

Did it detect “napier”:

12. Next download the client and server programs from:

http://buchananweb.co.uk/dotNetClientServer.zip

13. In groups of two, one person should run the server on their computer, and the other person runs the client, and connects to the server on port 1001. Make sure that you can chat, before going on to the next part of the tutorial, as shown.

14. Write a Snort rule which detects the word “virus” in the communications between the client and server.

What is the Snort rule for this:

Note: If you want the complete solution at any time, use:

http://buchananweb.co.uk/SnortCallerComplete.zip

References

Gal, T. (2010, Jan). SharpPcap - A Packet Capture Framework for .NET. The Code Project. Retrieved Jan 2011, from http://www.codeproject.com/KB/IP/sharppcap.aspx