Security & Forensics Snort IDS - Rich Macfarlane, Bill Buchanan 1
Week 4 Task Sheet Rich Macfarlane 2013
Week | Date | Teaching | Attended
4 | Feb 2013 | Lab 6: Snort IDS on Windows |
Aim: The aim of these labs is to investigate the Snort Network Intrusion Detection System
(NIDS) from a Windows platform, and how to call it from a basic C# GUI.
Time to complete:
4 hours (Two supervised hours in the lab, and two additional hours, unsupervised).
Activities:
Complete Lab 6: Snort IDS .pdf from WebCT or http://www.dcs.napier.ac.uk/~cs342/CSN11102/Lab6.pdf
(use the IDS chapter from the module handbook for reference)
Complete End Of Unit Tutorial Questions for the IDS chapter, if not already completed.
Take some End Of Unit Online Tests for the Encryption chapter at:
http://www.asecuritysite.com/security/tests/tests?sortBy=sfc03
Learning activities:
At the end of these activities, you should understand:
How to run Snort as a packet sniffer, and an IDS from the command line.
How to create and use Snort IDS Detection Rules.
How to read and interpret Snort IDS Alerts.
How to invoke Snort from an application program.
The packet header formats for protocols such as IP, TCP, and HTTP.
Reflective statements (end-of-exercise):
Do you understand the main objectives of an IDS?
Do you understand how an application program can interface to Snort?
References:
Course Handbook - Unit 2 IDS
Background Reading: Google Books - search for “IDS” “Snort”
Lab 6: Snort IDS – Command Line Basics Rich Macfarlane, Prof. Bill Buchanan 2013
6.1 Details
Aim: To provide the foundations of using the Snort Network Intrusion Detection System
(NIDS) software from the command-line interface, to capture network traffic, and to detect
different types of traffic.
6.2 Overview
In the previous labs, we used the combination of C# .NET and the WinPCap library to create
packet filtering and basic IDS applications. While this approach allows for fine grained
control over what the application captures, the development time can be quite lengthy.
Alternatively, it is possible to use purpose built IDS systems, such as Snort, RealSecure, or
Cisco hardware IDS/IPS. These systems can be configured to detect intrusions on a
network. This can be achieved by creating detection rules, (which include detection
signatures) which are used as input to the IDS Sensors.
The IDS Sensors are placed around the network and attempt to identify unwanted or
malicious traffic. They typically log the details on the IDS Sensor itself, as well as reporting
centrally to an administrator, as shown in the figure below.
[Figure: network-based intrusion detection. An untrusted Internet connects through a DMZ (Web server, FTP server) to the trusted internal network; Network-Based Intrusion Detection System (NIDS) sensors (IDPS Sensor) in each zone report to an IDPS Monitoring/Management Console watched by the System Administrator; Bob and Eve are the users shown. Diagram: Rich Macfarlane]
This lab gives an introduction into using the Snort Engine as a packet sniffer, as well as
developing basic detection rules to use Snort as an IDS Sensor.
Snort documentation, including the User Guide can be found at:
http://www.snort.org/docs
6.3 Activities
6.2.1 (Optional) Download and install Snort on your Laptop
Snort® is an open source Network IDS capable of performing real-time traffic analysis and
packet logging on IP networks.
Download Snort from:
http://www.snort.org/snort-downloads
For Windows select the Snort_2_9_3_1_Installer.exe binary. Install with defaults, to the C:\Snort directory, as shown below.
Figure 1 Snort Installation
Click the Next button on each screen, accepting all the defaults when prompted.
6.2.2 Running Snort
Open a Windows Command prompt, to run Snort from the command line.
The manual page for Snort can be found using the man snort command in Linux, or
in Windows using the following command:
snort -?
The output should be similar to that shown below.
Note: If tools such as snort are not on the Windows PATH, then you can find files from
the Windows command line using a command similar to the following:
dir \ /s /b | find "snort.exe"
Then change to the directory containing the Snort executable, such as:
cd c:\snort\bin
C:\Snort\bin>snort -?
,,_ -*> Snort! <*-
o" )~ Version 2.8.5-ODBC-MySQL-FlexRESP-WIN32 GRE (Build 106)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2009 Sourcefire, Inc., et al.
Using PCRE version: 7.4 2007-09-21
USAGE: snort [-options] <filter options>
snort /SERVICE /INSTALL [-options] <filter options>
snort /SERVICE /UNINSTALL
snort /SERVICE /SHOW
Options:
-A Set alert mode: fast, full, console, test or none (alert file alerts only)
-b Log packets in tcpdump format (much faster!)
-B <mask> Obfuscated IP addresses in alerts and packet dumps using CIDR mask
-c <rules> Use Rules File <rules>
-C Print out payloads with character data only (no hex)
-d Dump the Application Layer
-e Display the second layer header info
-E Log alert messages to NT Eventlog. (Win32 only)
-f Turn off fflush() calls after binary log writes
-F <bpf> Read BPF filters from file <bpf>
-G <0xid> Log Identifier (to uniquely id events for multiple snorts)
-h <hn> Home network = <hn>
-H Make hash tables deterministic.
-i <if> Listen on interface <if>
-I Add Interface name to alert output
-k <mode> Checksum mode (all,noip,notcp,noudp,noicmp,none)
-K <mode> Logging mode (pcap[default],ascii,none)
-l <ld> Log to directory <ld>
-L <file> Log to this tcpdump file
-n <cnt> Exit after receiving <cnt> packets
-N Turn off logging (alerts still work)
-O Obfuscate the logged IP addresses
-p Disable promiscuous mode sniffing
-P <snap> Set explicit snaplen of packet (default: 1514)
-q Quiet. Don't show banner and status report
-r <tf> Read and process tcpdump file <tf>
-R <id> Include 'id' in snort_intf<id>.pid file name
-s Log alert messages to syslog
-S <n=v> Set rules file variable n equal to value v
-T Test and report on the current Snort configuration
-U Use UTC for timestamps
-v Be verbose
-V Show version number
-W Lists available interfaces. (Win32 only)
-X Dump the raw packet data starting at the link layer
-x Exit if Snort configuration problems occur
-y Include year in timestamp in the alert and log files
To determine the network interfaces of your machine, run Snort with the -W flag, as
shown below.
c:\Snort\bin> snort -W
Interface Device Description
--------------------------------------------------------------------------------
1 \Device\NPF_{E0CFG749-539A-34S8-97EA-85D6EA1C8F34} Broadcom NetXtreme Gigabit Ethernet Driver
2 \Device\NPF_{3D8A00E4-9ED1-49B0-9393-8E3370D10F6C} VMware Virtual Ethernet Adapter
3 \Device\NPF_{F14E3854-EC26-472D-90FC-A40487A45091} VMware Virtual Ethernet Adapter
4 \Device\NPF_{B754D555-CC51-4A45-859D-8A7A69CB6F9E} VMware Virtual Ethernet Adapter
Q: What is the index number of your Internet Connected Network Interface?
Snort Modes
Snort can be used in various ways:
1. Basic Packet Sniffer (similar to tshark or tcpdump)
2. Network Intrusion Detection System (NIDS)
3. Network Intrusion Prevention System (NIPS)
[Figure: Snort on the host PC (Desktop, Windows 7). The Snort Engine uses WinPcap to read network traffic from the physical network card, which connects to the Napier network and the Internet, and outputs to the console window and to file.]
6.2.3 Snort as a Packet Sniffer
Run Snort as a basic packet sniffer (packet dump mode), against the interface that
you want to capture traffic on. Use the interface number of your Ethernet network
connection as shown below.
C:\Snort\bin> snort -dev -i 4
Running in packet dump mode
--== Initializing Snort ==--
Initializing Output Plugins!
...
Note: Running in this mode, Snort will capture all traffic passing through the network interface
specified, and log every packet to the console window, just like a packet sniffer.
The arguments -d -e -v mean the Snort output will show the Ethernet (Layer 2) header, the IP (Layer 3)
and TCP/UDP/ICMP (Layer 4) headers, and the packet data (Layer 7).
The -i 4 argument specifies packet capture on the 4th network interface.
Test by generating some Web traffic, and view the output. Stop the packet capture
with CTRL-C and verify that it is capturing data packets.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/12-11:11:07.410133 0:15:0:34:2:F0 -> 0:C:41:F5:23:D5 type:0x800 len:0x19A
192.168.1.101:2735 -> 146.176.1.188:80 TCP TTL:128 TOS:0x0 ID:13141 IpLen:20 DgmLen:396 DF
***AP*** Seq: 0xCEDC79A8 Ack: 0xE2431ED3 Win: 0x4037 TcpLen: 20
47 45 54 20 2F 68 6F 6D 65 5F 6E 65 77 2F 69 6D  GET /home_new/im
61 67 65 73 2F 70 72 6F 67 5F 66 32 2E 67 69 66  ages/prog_f2.gif
20 48 54 54 50 2F 31 2E 31 0D 0A 41 63 63 65 70   HTTP/1.1..Accep
74 3A 20 2A 2F 2A 0D 0A 52 65 66 65 72 65 72 3A  t: */*..Referer:
20 68 74 74 70 3A 2F 2F 77 77 77 2E 6E 61 70 69   http://www.napi
65 72 2E 61 63 2E 75 6B 2F 0D 0A 41 63 63 65 70  er.ac.uk/..Accep
74 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 67  t-Language: en-g
62 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64 69  b..Accept-Encodi
6E 67 3A 20 67 7A 69 70 2C 20 64 65 66 6C 61 74  ng: gzip, deflat
65 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D  e..User-Agent: M
6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70  ozilla/4.0 (comp
Scroll back up to the Snort output in the console window, and select one of the TCP
packets, and determine the following:
Q: The source IP address:
Q: The source TCP port
Q: The destination IP address:
Q: The destination TCP port:
Q: The source MAC address:
Q: The destination MAC address:
Q: The TCP flags:
Scroll back down to the Packets Detected Totals, and complete the following:
Q: Received Packets Total?
Q: IPv4 Packets Total?
Q: TCP Packets Total?
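The Ethernet, IP and TCP fields asked for above can also be pulled out of the snort -dev output programmatically. The following Python is an added example, not part of the lab or of Snort; it embeds a constructed packet record in the layout shown above and decodes the header lines, the flag field and the hex payload rows.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: one packet record in the layout of the snort -dev output shown
# in this lab (Ethernet line, IP line, TCP line, then hex/ASCII payload rows).
SAMPLE_DUMP = """\
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/12-11:11:07.410133 0:15:0:34:2:F0 -> 0:C:41:F5:23:D5 type:0x800 len:0x19A
192.168.1.101:2735 -> 146.176.1.188:80 TCP TTL:128 TOS:0x0 ID:13141 IpLen:20 DgmLen:396 DF
***AP*** Seq: 0xCEDC79A8 Ack: 0xE2431ED3 Win: 0x4037 TcpLen: 20
47 45 54 20 2F 68 6F 6D 65 5F 6E 65 77 2F 69 6D  GET /home_new/im
61 67 65 73 2F 70 72 6F 67 5F 66 32 2E 67 69 66  ages/prog_f2.gif
20 48 54 54 50 2F 31 2E 31 0D 0A 41 63 63 65 70   HTTP/1.1..Accep
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

# Snort prints the TCP flags as an 8-character field in the fixed order 1 2 U A P R S F
# (two reserved bits, then URG ACK PSH RST SYN FIN); '*' marks a flag that is clear.
FLAG_NAMES = {"U": "URG", "A": "ACK", "P": "PSH", "R": "RST", "S": "SYN", "F": "FIN"}
ETH_RE = re.compile(r"^(\S+) (\S+) -> (\S+) type:0x([0-9A-Fa-f]+) len:0x([0-9A-Fa-f]+)$")
IP_RE = re.compile(r"^([\d.]+):(\d+) -> ([\d.]+):(\d+) (\w+) TTL:(\d+)")  # TCP/UDP lines
TCP_RE = re.compile(r"^([*12UAPRSF]{8}) Seq: 0x[0-9A-Fa-f]+ Ack: 0x[0-9A-Fa-f]+")


@dataclass
class Packet:
    timestamp: str
    src_mac: str
    dst_mac: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    ttl: int
    flags: list = field(default_factory=list)
    payload: bytes = b""


def decode_flags(flag_field):
    """Turn a field such as '***AP***' into ['ACK', 'PSH']."""
    return [FLAG_NAMES[c] for c in flag_field if c in FLAG_NAMES]


def parse_dump(text):
    """Parse every record between the =+=+ separator lines into a Packet."""
    packets = []
    for record in re.split(r"^=\+.*$", text, flags=re.M):
        lines = [ln for ln in record.splitlines() if ln.strip()]
        if len(lines) < 2:
            continue
        eth, ip = ETH_RE.match(lines[0]), IP_RE.match(lines[1])
        if not (eth and ip):
            continue  # not a packet record (e.g. the banner or the totals block)
        pkt = Packet(eth[1], eth[2], eth[3], ip[1], int(ip[2]), ip[3], int(ip[4]), ip[5], int(ip[6]))
        body = 2
        if pkt.proto == "TCP" and len(lines) > 2 and TCP_RE.match(lines[2]):
            pkt.flags = decode_flags(lines[2][:8])
            body = 3
        for row in lines[body:]:
            # hex pairs come first, then at least two spaces, then the ASCII column
            hex_part, sep, _ascii = row.partition("  ")
            if sep and re.fullmatch(r"([0-9A-F]{2} )*[0-9A-F]{2}", hex_part):
                pkt.payload += bytes.fromhex(hex_part)
        packets.append(pkt)
    return packets
```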
Logging to a Directory
Snort can capture data packets, and log them to a folder on the hard disk.
[Figure annotation: the Src MAC, Dest MAC, Src TCP Port, Dest TCP Port, Src IP and Dest IP fields are highlighted in the packet dump above.]
Use mkdir c:\Snort\matricno, or Windows Explorer, to create a directory for the
Snort output to be written to (replacing matricno with your matric number).
Run Snort with the -l argument to define the output log folder, and the -K ascii
argument to specify ASCII format for the output:
c:\Snort\bin> snort -dev -i 4 -l c:\Snort\yourmatricno -K ascii
Test the logging by accessing a few Web sites, and then stop the program (CTRL-
C), and examine the contents of your newly created folder using Explorer:
Q: What are the contents of the folder? How are the logged packets arranged?
Q: Go into one of the folders and view the contents of the capture log file using a text
editor. What does it contain?
6.2.4 Snort as a Network Intrusion Detection System
When running in this mode the Snort sensor only reports on traffic which matches
detection rules. These rules are specified in an input file. Snort ignores all other
traffic when running in this mode.
[Figure: an Intrusion Detection/Prevention Sensor (IDPS). System or network activities are the input, detection signatures drive the matching, and logs and alerts are the output.]
6.2.5 Writing Snort Detection Rules
The format of Snort Detection Rules is as follows:
action protocol src-ip src-port -> dest-ip dest-port (packet-payload-params output-msg)
[pass|log|alert] [ip|icmp|tcp|udp] [any|IP] [any|port] -> [any|IP] [any|port]
([content:"searchstring";], [nocase;], [msg:"alert message";] sid:ruleid;)
Create a file called napier.txt in the C:\Snort\rules directory. This will be a
detection rules file (defining the detection signatures) for Snort. Create a Snort
detection rule, which will detect the word “napier” in a data packet from a web
server, such as:
alert tcp any 80 -> any any (content:"napier"; msg:"Napier detected in packet"; sid:999;)
Save the detection rules file.
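As an added example (not part of the lab or of Snort), the following Python parses rules in the format given above and applies them to constructed packets, so a rule can be sanity-checked before it is loaded into the sensor. The packet dictionaries and the simplified matching (header fields, content and nocase only; Snort's own engine does far more) are assumptions of the example.

```python
import re

# Rule header and option syntax as described in this lab:
#   action protocol src-ip src-port -> dest-ip dest-port (options)
RULE_RE = re.compile(
    r"^(pass|log|alert)\s+(ip|icmp|tcp|udp)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
# key:"quoted value";  key:value;  or a bare flag such as nocase;
OPTION_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

# Constructed sample: the rule from this lab, a web reply from the Napier server, and a request
NAPIER_RULE = 'alert tcp any 80 -> any any (content:"napier"; msg:"Napier detected in packet"; sid:999;)'
SAMPLE_PACKETS = [
    {"proto": "tcp", "src_ip": "146.176.1.188", "src_port": 80, "dst_ip": "192.168.1.101",
     "dst_port": 2735, "payload": b"HTTP/1.1 200 OK\r\n\r\n<title>Welcome to napier</title>"},
    {"proto": "tcp", "src_ip": "192.168.1.101", "src_port": 2735, "dst_ip": "146.176.1.188",
     "dst_port": 80, "payload": b"GET / HTTP/1.1\r\nHost: www.napier.ac.uk\r\n\r\n"},
]


def parse_rule(line):
    """Parse one rule line into a dict; reject malformed rules or rules without a sid."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("not a valid rule: " + line)
    action, proto, src, sport, dst, dport, opts = m.groups()
    for port in (sport, dport):
        if port != "any" and not port.isdigit():
            raise ValueError("bad port: " + port)
    options = {}
    for key, value in OPTION_RE.findall(opts):
        options[key] = value[1:-1] if value.startswith('"') else value  # flags get ''
    if not options.get("sid", "").isdigit():
        raise ValueError("rule needs a numeric sid")
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}


def _endpoint_ok(rule_ip, rule_port, ip, port):
    return (rule_ip in ("any", ip)) and (rule_port == "any" or int(rule_port) == port)


def rule_matches(rule, pkt):
    """pkt: dict with proto, src_ip, src_port, dst_ip, dst_port and payload (bytes)."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not (_endpoint_ok(rule["src"], rule["sport"], pkt["src_ip"], pkt["src_port"])
            and _endpoint_ok(rule["dst"], rule["dport"], pkt["dst_ip"], pkt["dst_port"])):
        return False
    content = rule["options"].get("content")
    if content is None:
        return True  # no content option: the header alone decides
    needle, haystack = content.encode(), pkt["payload"]
    if "nocase" in rule["options"]:
        needle, haystack = needle.lower(), haystack.lower()
    return needle in haystack


def run_rules(rule_lines, packets):
    """Return (sid, msg) for every alert rule that fires on each packet."""
    rules = [parse_rule(ln) for ln in rule_lines if ln.strip() and not ln.startswith("#")]
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule["action"] == "alert" and rule_matches(rule, pkt):
                alerts.append((int(rule["options"]["sid"]), rule["options"].get("msg", "")))
    return alerts
```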
Run Snort, using the detection rules file from c:\Snort\rules as input, and
logging to the c:\Snort\yourmatricno folder, with the following:
c:\Snort\bin> snort -dev -i 4 -p -l c:\Snort\yourmatricno -K ascii -c c:\Snort\rules\napier.txt -k none
Note: The -k none argument turns off checksum verification, so Snort does not ignore packets
with checksum errors. You should add this parameter to all calls to Snort.
Test the detection rule
Go into your output folder and monitor the alert.ids file (Right-click > View > Details in
Windows Explorer shows when the file changes).
Browse to the Napier web site and view some pages. This should produce
an alert from the Snort Sensor, written to the alert.ids file.
Q: What are the contents of the alert.ids file?
Q: Did it detect the word Napier? YES/NO
Q: Can you identify the Napier public web server IP Address from the alert output?
The output directory should be similar to the following:
When a detection rule fires, output such as the following should be written for every
packet detected:
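To read an alert.ids file programmatically, here is an added Python example (not the lab's or Snort's code). The sample file is constructed, and its layout is assumed from Snort's full alert format (a header line [**] [gid:sid:rev] msg [**], then the timestamp and address line); the parser groups alerts by sid and lists the source addresses that triggered each, which for the rule above is the web server.

```python
import re
from collections import defaultdict

# Constructed alert.ids sample; layout assumed from Snort's full alert output.
SAMPLE_ALERTS = """\
[**] [1:999:0] Napier detected in packet [**]
[Priority: 0]
01/12-11:11:08.120451 146.176.1.188:80 -> 192.168.1.101:2735
TCP TTL:54 TOS:0x0 ID:40211 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xE2431ED3  Ack: 0xCEDC7B34  Win: 0x1920  TcpLen: 20

[**] [1:999:0] Napier detected in packet [**]
[Priority: 0]
01/12-11:11:08.130977 146.176.1.188:80 -> 192.168.1.101:2735
TCP TTL:54 TOS:0x0 ID:40212 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xE24324A7  Ack: 0xCEDC7B34  Win: 0x1920  TcpLen: 20

[**] [1:1000:0] Chat traffic on port 1001 [**]
[Priority: 0]
01/12-11:15:42.004512 192.168.1.57:49812 -> 192.168.1.101:1001
TCP TTL:128 TOS:0x0 ID:2210 IpLen:20 DgmLen:58 DF
***AP*** Seq: 0x1A2B3C4D  Ack: 0x5E6F7081  Win: 0x4000  TcpLen: 20
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
# timestamp, then src:port -> dst:port (TCP/UDP alerts; ICMP alerts carry no ports)
FLOW_RE = re.compile(r"^(\S+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")


def parse_alerts(text):
    """Return one dict per alert: gid, sid, rev, msg, time, src/dst address and port."""
    alerts, current = [], None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = {"gid": int(h[1]), "sid": int(h[2]), "rev": int(h[3]), "msg": h[4]}
            alerts.append(current)
            continue
        f = FLOW_RE.match(line)
        if f and current is not None:
            current.update(time=f[1], src=f[2], sport=int(f[3]), dst=f[4], dport=int(f[5]))
    return alerts


def summarise(alerts):
    """Count alerts per sid and collect the distinct source addresses that triggered each."""
    summary = defaultdict(lambda: {"msg": "", "count": 0, "sources": set()})
    for a in alerts:
        entry = summary[a["sid"]]
        entry["msg"] = a["msg"]
        entry["count"] += 1
        entry["sources"].add(a.get("src"))
    return dict(summary)
```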
6.2.6 Create a Detection Rule for Instant Messaging
Download a simple client and server program, from the ProfSIMS Toolkit:
http://buchananweb.co.uk/dotNetClientServer.zip
In groups of two, one person should run the server on their machine, and the other
runs the client on their machine.
The Toolkit containing both Client and Server, can be run from an icon on the
Desktop:
One person, from their server tab, should start the server on Port 1001, as shown below.
The other person, from their client tab, should connect to the server via the Server IP Address
and Port 1001, as shown below.
Make sure that you can send messages back and forth, before going onto the next part
of the tutorial.
Write a Snort detection rule, which detects the communications between the client and
server.
Q: What is the Snort detection rule?
Test the detection rule by sending some messages between the running
Client & Server programs.
Q: Did Snort detect the communications?
YES/NO
Q: Why might an organisation use an IDS to detect this type of application?
Write a Snort detection rule, which detects the word “hacker” in the communications
between the client and server.
Q: What is the Snort detection rule?
Test the detection rule, by using the word in a conversation between the running
Client & Server programs.
Q: Did Snort detect the word in the communications?
YES/NO
Lab 6B: Invoking Snort from a Windows Application
Details
Aim: To provide a foundation in configuring and invoking a Snort Sensor, and monitoring
its output, from within a C#/.NET application.
Activities
1. If Visual Studio is installed on your machine, download the following solution
(Gal, 2010):
http://buchananweb.co.uk/SnortCaller.zip
An outline of the code is:
public void runSnort(string arguments)
{
    // Launch snort.exe as a child process and route its stdout/stderr into the form
    processCaller = new ProcessCaller(this);
    processCaller.FileName = @"c:\snort\bin\snort.exe";
    processCaller.Arguments = arguments;
    processCaller.StdErrReceived += new DataReceivedHandler(writeStreamInfo);
    processCaller.StdOutReceived += new DataReceivedHandler(writeStreamInfo);
    processCaller.Completed += new EventHandler(processCompletedOrCanceled);
    processCaller.Cancelled += new EventHandler(processCompletedOrCanceled);
    this.richTextBox1.Text = "Started function. Please stand by.." + Environment.NewLine;
    processCaller.Start();
}

private void btnInterface_Click(object sender, System.EventArgs e)
{
    this.runSnort("-W");    // list the available interfaces
}
2. In the Project listing, double click on the SnortCaller.cs file, then double click on the
Show interf button, and add the following highlighted code:
private void btnInterface_Click(object sender, System.EventArgs e)
{
    this.runSnort("-W");
}
This defines the Snort arguments that are used to run the program.
3. Run the program, and show that the output is similar to the output below.
What are your network interface(s)?
4. Double click on the Capture Inter button, and add the following highlighted code.
Replace the c:\\matricno with c:\\yourMatricNo, and replace the value after the -i
option with the interface number. This should log to the folder defined.
private void btnStart_Click(object sender, System.EventArgs e)
{
    // Make sure the -l log directory exists before Snort is started
    if (!Directory.Exists("c:\\matricno")) Directory.CreateDirectory("c:\\matricno");
    this.runSnort("-dev -i 1 -p -l c:\\matricno -K ascii");
}
5. Run the program and get Snort to capture the packets, and then stop it with the Stop
button.
Test by generating some Web traffic, and view the output, and verify that it is
capturing data packets, such as the following:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/12-11:11:07.410133 0:15:0:34:2:F0 -> 0:C:41:F5:23:D5 type:0x800 len:0x19A
192.168.1.101:2735 -> 146.176.1.188:80 TCP TTL:128 TOS:0x0 ID:13141 IpLen:20 DgmLen:396 DF
***AP*** Seq: 0xCEDC79A8 Ack: 0xE2431ED3 Win: 0x4037 TcpLen: 20
47 45 54 20 2F 68 6F 6D 65 5F 6E 65 77 2F 69 6D GET /home_new/im
61 67 65 73 2F 70 72 6F 67 5F 66 32 2E 67 69 66 ages/prog_f2.gif
20 48 54 54 50 2F 31 2E 31 0D 0A 41 63 63 65 70 HTTP/1.1..Accep
74 3A 20 2A 2F 2A 0D 0A 52 65 66 65 72 65 72 3A t: */*..Referer:
20 68 74 74 70 3A 2F 2F 77 77 77 2E 6E 61 70 69 http://www.napi
65 72 2E 61 63 2E 75 6B 2F 0D 0A 41 63 63 65 70 er.ac.uk/..Accep
74 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 67 t-Language: en-g
62 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64 69 b..Accept-Encodi
6E 67 3A 20 67 7A 69 70 2C 20 64 65 66 6C 61 74 ng: gzip, deflat
65 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D e..User-Agent: M
6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70 ozilla/4.0 (comp
6. Select one of the TCP data packets, and determine the following:
The source IP address:
The source TCP port:
The destination IP address:
The destination TCP port:
[Figure annotation: the Src MAC, Dest MAC, Src TCP, Dest TCP, Src IP and Dest IP fields are highlighted in the packet dump above.]
The source MAC address:
The destination MAC address:
The TCP flags:
7. Double click on the View Output button, and add the following highlighted code.
private void btnView_Click(object sender, System.EventArgs e)
{
    openFileDialog1.InitialDirectory = "c:\\matricno";
    // Only open a file if the user actually picked one
    if (openFileDialog1.ShowDialog() == DialogResult.OK)
        Process.Start("wordpad.exe", openFileDialog1.FileName);
}
8. Run the program, and select the View Output button, and verify that you get the
output seen below.
What are the contents of the folder:
Open one of the IDS files in the subfolders, and verify the output, as shown below.
Go into one of the folders and view the contents of the alert.ids file. What does it contain:
9. Double click on the Create IDS rule button, and add the following code:
private void btnIDSRule_Click(object sender, System.EventArgs e)
{
    // Snort expects every rule to carry a sid; 999 matches the rule used earlier in this lab
    string rule;
    rule = "alert tcp any any -> any 80 (content:\"napier\"; msg:\"Napier detected\"; sid:999;)";
    StreamWriter SW;
    SW = File.CreateText("c:\\snort\\bin\\napier.txt");
    SW.WriteLine(rule);
    SW.Close();
    statusIDS.Text += "IDS updated... please restart Snort";
}
which writes a Snort rule to the napier.txt file.
10. Double click on the View alert.ids button, and add the following code:
private void btnViewAlert_Click(object sender, System.EventArgs e)
{
    if (File.Exists("c:\\matricno\\alert.ids"))
    {
        Process.Start("wordpad.exe", "c:\\matricno\\alert.ids");
    }
    else statusIDS.Text += "File does not exist...";
}
also update the line:
this.runSnort("-dev -i 1 -p -l c:\\matricno -K ascii");
with (to allow Snort to read in the newly created rules file):
this.runSnort("-dev -i 1 -p -l c:\\matricno -K ascii -c c:\\snort\\bin\\napier.txt");
11. Run the program, and capture some Web traffic with the name napier in it. Then
Stop the capture, and select the View alert.ids button as shown below.
What are the contents of the alert.ids file:
Did it detect “napier”:
12. Next download the client and server programs from:
http://buchananweb.co.uk/dotNetClientServer.zip
13. In groups of two, one person should run the server on their computer, and the other
person runs the client, and connects to the server on port 1001. Make sure that you
can chat, before going onto the next part of the tutorial, as shown.
14. Write a Snort rule which detects the word “virus” in the communications between
the client and server.
What is the Snort rule for this:
Note: If you want the complete solution at any time, use:
http://buchananweb.co.uk/SnortCallerComplete.zip
References
Gal, T. (2010, Jan). SharpPcap - A Packet Capture Framework for .NET. The Code Project. Retrieved Jan 2011, from http://www.codeproject.com/KB/IP/sharppcap.aspx