Wednesday, December 26, 2012

Securing your system with Snort

Snort—what's in a name? In the case of open source software, a powerful network-intrusion prevention and detection system. Snort was written over a weekend in 1998 by Martin Roesch. Martin wanted to write a cross-platform sniffer that used pcap, a software library for packet capturing, rather than making direct calls into the kernel for sniffing. Result: the de facto standard for intrusion detection and prevention. If you do not already have Snort installed on your system, you can download it from http://www.snort.org/dl/
Snort works by utilizing a rule-based language that combines the benefits of signature inspection, protocol inspection, and anomaly-based inspection. You can configure Snort to run in three different modes: Sniffer mode, Packet Logger mode, and Network Intrusion Detection (NIDS) mode.

Sniffer mode

Sniffer mode simply reads the packets from the network and displays them in a stream on the screen. If you just want to print out the TCP/IP packet headers to the screen, run:
snort -v
This command shows the IP and TCP/UDP/ICMP headers. If you want to see the application data in transit as well as the headers, run:
snort -vd
If you want an even more descriptive display, showing the data link layer headers, run:
snort -vde
 
Example 1 shows output from "snort -vde".
11/13-20:08:02.807867 0:E0:81:2F:FE:2C -> 0:0:C:7:AC:2 type:0x800 len:0x5EA
66.179.164.20:22 -> 24.136.161.188:62456 TCP TTL:64 TOS:0x10 ID:27401 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x50692152  Ack: 0xDD1E2B42  Win: 0x2180  TcpLen: 20
AA A8 5A 92 A7 BF DF 32 7D BF F7 7B 1B 5C 35 47  ..Z....2}..{.\5G
D6 52 B3 E2 97 6D 68 41 A6 53 2B 89 92 8E 10 8D  .R...mhA.S+.....
1B E0 C9 87 A8 71 91 EA D0 F4 1C 6C B4 DC D7 C4  .....q.....l....
B5 22 84 40 E5 09 0F B5 E9 1F 4E AC 96 6C A5 9D  .".@......N..l..
D9 AF 38 88 5F 2B 4B 8D 32 FC 4C 37 AB DA E1 EA  ..8._+K.2.L7....
61 D9 23 22 FD DA 20 32 E7 6C 48 60 2C 55 CB 99  a.#".. 2.lH`,U..
74 3A F5 7D 30 77 75 58 6B AE 80 2F 48 A5 FD F4  t:.}0wuXk../H...
B5 C7 CA 9D 42 EA 9B BF B6 74 E5 19 8F EF F1 8A  ....B....t......
2D 7E D0 55 0A 92 3E 72 CF 5F 89 53 FC 85 2F 25  -~.U..>r._.S../%
72 8F B4 DD 40 BF 33 46 82 6D 21 98 8E A7 A0 A5  r...@.3F.m!.....
2E 32 54 ED 41 D4 2F C4 B6 6E BE 55 C0 95 78 7C  .2T.A./..n.U..x|
35 CA 06 4D 59 32 68 C8 3D 77 7A 73 FA 6A 78 1C  5..MY2h.=wzs.jx.
90 C7 CD 48 6D AE 0E 74 39 A0 4C F4 4E AC 49 06  ...Hm..t9.L.N.I.
A2 3F F3 BB 24 B7 05 7C B3 00 70 2E 65 E1 ED 1A  .?..$..|..p.e...
96 4C 93 CB A6 F5 68 B5 83 F8 08 F1 5C F2 9F 32  .L....h.....\..2
E1 F7 47 CF 2D 0B 35 DA 6A B5 D0 6D 49 9D 61 63  ..G.-.5.j..mI.ac
75 F2 4B 18 1F 02 C6 E4 9A 23 95 FE 21 6B A4 3E  u.K......#..!k.>
06 40 CB 23 34 68 8F A1 C7 3C 98 20 14 8F 20 63  .@.#4h...<. .. c
F7 FB 37 2B CC B9 2F 97 ED 5B 92 8D 96 84 0C 08  ..7+../..[......
E5 D4 29 A1 DF 4D 5B 33 EE 68 D3 F1 29 54 DF 0C  ..)..M[3.h..)T..
F0 37 44 4A DF 2F 07 68 49 9B 09 0A C1 C7 EC 89  .7DJ./.hI.......
50 CA 40 D3 5B A5 27 69 12 7E 49 34 1A F8 26 9C  P.@.[.'i.~I4..&.
44 A0 87 C7 BC CB 46 8A 33 25 94 F6 89 72 64 E0  D.....F.3%...rd.
F0 AB 16 DB 52 A1 BE AC 3C 8B D6 CC 22 C7 0F B4  ....R...<..."...
86 6B BF EE A8 7E 1F 74 C7 34 14 AF 7C 50 BC 7F  .k...~.t.4..|P..
42 0C B8 98 8C C3 EC D6 FC 51 CE 1F B3 7D A1 48  B........Q...}.H
1D 89 96 AB 79 AA E0 A5 B8 F5 39 7C 27 4C 25 D0  ....y.....9|'L%.
5A 0C 81 13 07 19 6E 81 1C 3C 9F E5 1A 6D BA 18  Z.....n..<...m..
DC 35 51 90 A1 1D 8E 57 7A 0A 56 BB 09 CB 3D 81  .5Q....Wz.V...=.
8F C5 84 83 88 ED CD 89 DB 81 4D F6 C7 04 A9 71  ..........M....q
43 65 FB 05 A4 56 E4 91 21 B1 AB 44 85 D8 12 BA  Ce...V..!..D....
CD 65 AA BA 32 D1 B7 FA 84 0E 18 56 BF 2E A5 10  .e..2......V....
72 C8 89 B8 6A 3B 75 33 3F 5F E4 77 24 EF 0C 13  r...j;u3?_.w$...
A8 56 BB 68 E3 88 D8 AF 18 83 02 B9 B1 2A E8 83  .V.h.........*..
33 2C 72 B4 49 9C F8 F3 92 03 2A 34 FB 4B 88 D6  3,r.I.....*4.K..
A3 FC C2 3D 14 2D 40 4C 4F A6 26 9F 17 22 F9 F3  ...=.-@LO.&.."..
EE 7E 3F 5D 5E DE B5 D3 55 D7 CE 9B A5 68 DB 81  .~?]^...U....h..
C9 B1 16 96 11 59 6C D7 19 22 F1 62 D3 24 EB E1  .....Yl..".b.$..
D1 51 9F 4E 6C B9 0F 7A 61 FE 4F 00 7E 88 9B EE  .Q.Nl..za.O.~...
3E 27 7E 18 07 D9 27 F2 90 17 AA 11 7A 48 C5 57  >'~...'.....zH.W
81 62 77 B6 A1 DF 72 AF E0 43 46 12 91 F1 5C FA  .bw...r..CF...\.
86 DF 7D 45 CF FC 45 63 21 A0 F7 6D 16 79 9F 14  ..}E..Ec!..m.y..
91 92 09 FB 33 E0 89 93 EF 95 F4 35 F3 B4 32 30  ....3......5..20
9A 0C 97 EE CF 9B 5D 73 07 E9 DC 74 B8 ED 48 00  ......]s...t..H.
DF 00 0A 69 6B F3 88 30 73 ED 98 8E 7C C8 FC 2C  ...ik..0s...|..,
0E 0C 84 74 3F 7A B2 CA 93 2F 21 AF 4F 62 D7 61  ...t?z.../!.Ob.a
04 56 28 30 61 91 C2 78 2D 04 63 2A E0 86 9C 84  .V(0a..x-.c*....
72 36 49 6E B7 91 F4 43 C2 A2 4C 03 6C F4 5B 14  r6In...C..L.l.[.
99 A2 12 3C A0 E3 18 CD BA 11 DF 0F 03 E0 A7 34  ...<...........4
F9 7A 22 EE 09 62 1C 7B 24 DA 73 A8 5D 41 92 77  .z"..b.{$.s.]A.w
4A D5 ED AE 36 5C DA 65 2D BF 11 5B 5D B3 B6 08  J...6\.e-..[]...
E0 7D 44 E1 C0 27 A0 14 48 BE 5C 7B 89 39 25 34  .}D..'..H.\{.9%4
08 6E D6 0C 47 72 1B 96 DF 06 7E 9D 39 FE 3D 5E  .n..Gr....~.9.=^
04 D9 4F 96 4A E1 C8 B9 D5 33 26 AC E7 13 A2 F6  ..O.J....3&.....
F2 4C 0F 22 E5 89 45 32 7E 03 CF 3A 53 F0 0E A6  .L."..E2~..:S...
8C 01 D3 FB 5B 0A 44 BF 7A 81 78 81 D7 63 AA 5F  ....[.D.z.x..c._
23 B0 23 7A B0 5C 12 75 E5 80 CD 47 AE FF 83 AE  #.#z.\.u...G....
46 B0 E9 3B 76 44 09 43 31 22 94 FE 1E 36 F7 40  F..;vD.C1"...6.@
A7 20 A4 80 04 E1 23 25 B9 1E 63 A2 11 4C 12 57  . ....#%..c..L.W
16 AC E2 00 A1 4B C9 24 C1 60 7C 4C 5C 7A 7E F7  .....K.$.`|L\z~.
6D 99 03 26 58 B4 DB EF A7 CE BE 68 EA 5A 4C F2  m..&X......h.ZL.
0F 07 7B 2E A2 7C A3 DD 71 0A AF 96 2A 47 9D D3  ..{..|..q...*G..
54 42 5B 38 03 4A 4C CB 65 BE A2 C3 6B ED DD EB  TB[8.JL.e...k...
F6 D0 37 9D 00 66 E1 CA 8A 89 A5 03 5E A2 62 66  ..7..f......^.bf
07 EB F4 21 88 19 8C 06 44 E5 34 9D 9B 3D 6B 6E  ...!....D.4..=kn
CA 84 97 98 79 C1 EF 6A E9 7B 26 5B 03 73 61 6F  ....y..j.{&[.sao
68 D1 03 E3 D6 D9 71 4E 08 BE 16 CE 6A 27 6E BE  h.....qN....j'n.
4F 5E E4 28 61 D9 55 FA 67 26 90 C5 52 76 D6 2D  O^.(a.U.g&..Rv.-
9E 6E F5 C7 0C 87 A2 7B BA 4A 26 0C FB 4F 65 1A  .n.....{.J&..Oe.
70 2F 44 98 8C 24 B6 91 60 91 39 FB D0 B7 7A E9  p/D..$..`.9...z.
24 0D D5 51 14 49 7D 0F 11 39 94 87 5D C8 7F 63  $..Q.I}..9..]..c
7C 8D C0 C8 6E C1 C5 D5 CD 39 9F 61 4A 76 9A 07  |...n....9.aJv..
9D 7B 03 2B 80 4F 30 48 F1 F1 AF 2F AB 9B CC 88  .{.+.O0H.../....
8D 51 3B A6 A0 C3 99 77 BF 56 86 36 3F 9E D9 94  .Q;....w.V.6?...
67 17 9C B7 3E C0 B0 16 85 21 61 78 BE 2B 4C DC  g...>....!ax.+L.
71 A2 9A C9 8D 2F 60 D5 EA CD E1 D8 05 8D FA 4F  q..../`........O
D1 33 54 88 D1 73 47 AA 65 F2 30 DD 61 01 82 DC  .3T..sG.e.0.a...
2E 17 62 5D 87 F2 D7 88 4D E8 CD 50 BB 67 67 E3  ..b]....M..P.gg.
D7 D0 96 89 A2 9C 7F AB 56 F6 BF FD 88 CA 0B 95  ........V.......
3C B9 85 65 7C 0F D9 89 76 8F 74 F6 DE 1A 7B 99  <..e|...v.t...{.
06 4F 18 AF DC DE 18 D0 75 FD 80 AD 0E 8B 9A D0  .O......u.......
DD F6 A7 E3 55 95 E8 FB 5A A9 AE 17 D7 0D DA B2  ....U...Z.......
FF 1D B0 0A AD 38 6C C0 1B BB 50 2E 85 49 F3 20  .....8l...P..I.
21 C2 A8 17 EF 70 1D EA EC E4 99 C0 DC 6F A5 96  !....p.......o..
DC D9 FD 90 73 FF 22 03 F0 C1 7E 2F 75 5F 6F 36  ....s."...~/u_o6
A5 8E 1C FE C1 CB B1 CC D4 C6 2C 0E FA 51 15 43  ..........,..Q.C
B0 70 2F E9 E5 A2 23 75 63 D8 2C D5 2B AD 36 EB  .p/...#uc.,.+.6.
8A 52 7D EE FA C0 15 F5 1B 21 9C 18 D0 76 06 52  .R}......!...v.R
FC 48 E2 D2 4F FD 0E 7C 85 C8 A4 C2 8E 7A 5A 27  .H..O..|.....zZ'
37 D8 4C E5 1A E6 94 9B A6 30 A3 BB 9C EC 59 ED  7.L......0....Y.
F6 94 49 51 46 1B D8 CE 98 F2 D1 0A 2F C2 07 3C  ..IQF......./..<
87 58 FC EB                                      .X..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Example 1. Output from "snort -vde"
Of course, these switches can run in any combination, for example: "snort -vde", "snort -d -ev", and "snort -e -v -d".
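The header lines that "snort -vde" prints have a fixed layout, so output captured to a file can be pulled back into structured fields for triage. The following is an added example, not code from this article or from Snort itself: it parses the three-line TCP header block shown in Example 1 (data-link line, IP line, TCP line) into a dict, decodes the eight-character TCP flag field, which Snort prints in the fixed order reserved bit 1, reserved bit 2, URG, ACK, PSH, RST, SYN, FIN with "*" for a clear bit, and cross-checks the lengths the way an analyst would by eye. The sample text is the first three lines of Example 1 embedded inline; the function and field names are my own, and UDP/ICMP packets, whose third line looks different, are not covered.

```python
"""Parse the per-packet header lines printed by 'snort -vde'.

Added example, not part of the article or of Snort. It handles the
three-line TCP header block shown in Example 1 (data-link line, IP line,
TCP line); UDP and ICMP packets print a different third line and are not
covered here. Field names in the returned dict are my own choice.
"""
import re

# Constructed sample: the first three lines of the article's Example 1.
SAMPLE_HEADER = """\
11/13-20:08:02.807867 0:E0:81:2F:FE:2C -> 0:0:C:7:AC:2 type:0x800 len:0x5EA
66.179.164.20:22 -> 24.136.161.188:62456 TCP TTL:64 TOS:0x10 ID:27401 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x50692152  Ack: 0xDD1E2B42  Win: 0x2180  TcpLen: 20
"""

HEX = r"[0-9A-Fa-f]+"
LINK_RE = re.compile(
    rf"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (?P<src_mac>[0-9A-Fa-f:]+) -> "
    rf"(?P<dst_mac>[0-9A-Fa-f:]+) type:0x(?P<ethertype>{HEX}) len:0x(?P<frame_len>{HEX})$"
)
IP_RE = re.compile(
    r"^(?P<src_ip>[\d.]+):(?P<src_port>\d+) -> (?P<dst_ip>[\d.]+):(?P<dst_port>\d+) "
    rf"(?P<proto>TCP|UDP) TTL:(?P<ttl>\d+) TOS:0x(?P<tos>{HEX}) ID:(?P<ip_id>\d+) "
    r"IpLen:(?P<ip_len>\d+) DgmLen:(?P<dgm_len>\d+)(?P<ip_flags>.*)$"
)
TCP_RE = re.compile(
    rf"^(?P<flags>[12UAPRSF*]{{8}}) Seq: 0x(?P<seq>{HEX})\s+Ack: 0x(?P<ack>{HEX})"
    rf"\s+Win: 0x(?P<win>{HEX})\s+TcpLen: (?P<tcp_len>\d+)$"
)

# Snort prints the TCP flag byte as eight characters in this fixed order
# (the first two are the reserved bits it shows as '1' and '2'); '*' is clear.
TCP_FLAG_NAMES = ("RES1", "RES2", "URG", "ACK", "PSH", "RST", "SYN", "FIN")


def decode_tcp_flags(flag_str):
    """Turn Snort's '***A****' style flag field into a set of flag names."""
    return {name for ch, name in zip(flag_str, TCP_FLAG_NAMES) if ch != "*"}


def parse_packet_header(text):
    """Parse one three-line 'snort -vde' TCP header block into a dict."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) < 3:
        raise ValueError("expected data-link, IP and TCP header lines")
    link, ip, tcp = LINK_RE.match(lines[0]), IP_RE.match(lines[1]), TCP_RE.match(lines[2])
    if not (link and ip and tcp):
        raise ValueError("header lines do not match the snort -vde layout")
    rec = {
        "timestamp": link["ts"],
        "src_mac": link["src_mac"], "dst_mac": link["dst_mac"],
        "ethertype": int(link["ethertype"], 16), "frame_len": int(link["frame_len"], 16),
        "src_ip": ip["src_ip"], "src_port": int(ip["src_port"]),
        "dst_ip": ip["dst_ip"], "dst_port": int(ip["dst_port"]),
        "proto": ip["proto"], "ttl": int(ip["ttl"]), "tos": int(ip["tos"], 16),
        "ip_id": int(ip["ip_id"]), "ip_len": int(ip["ip_len"]), "dgm_len": int(ip["dgm_len"]),
        "ip_flags": ip["ip_flags"].split(),  # e.g. ['DF']
        "tcp_flags": decode_tcp_flags(tcp["flags"]),
        "seq": int(tcp["seq"], 16), "ack": int(tcp["ack"], 16),
        "win": int(tcp["win"], 16), "tcp_len": int(tcp["tcp_len"]),
    }
    # Bytes of application data that follow the headers (the hex dump in Example 1).
    rec["payload_len"] = rec["dgm_len"] - rec["ip_len"] - rec["tcp_len"]
    return rec


def consistency_problems(rec, link_header_len=14):
    """Cross-check the lengths the way an analyst would when eyeballing a dump."""
    problems = []
    if rec["ethertype"] == 0x0800 and rec["frame_len"] - link_header_len != rec["dgm_len"]:
        problems.append("Ethernet frame length is not 14 + IP datagram length")
    if rec["payload_len"] < 0:
        problems.append("IP datagram shorter than its IP and TCP headers")
    return problems


if __name__ == "__main__":
    parsed = parse_packet_header(SAMPLE_HEADER)
    print(f"{parsed['src_ip']}:{parsed['src_port']} -> {parsed['dst_ip']}:{parsed['dst_port']} "
          f"flags={sorted(parsed['tcp_flags'])} payload={parsed['payload_len']} bytes")
    print("problems:", consistency_problems(parsed) or "none")
```

For the Example 1 packet this yields a 1514-byte frame carrying a 1500-byte datagram with 1460 bytes of SSH payload and only the ACK bit set, which is exactly what the 92 hex-dump lines (91 full rows of 16 bytes plus 4) account for.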
Note:
Snort will run as long as you let it, capturing information all the while. To end the capture, press Ctrl-C. You will notice that when you press Ctrl-C, you are presented with a summary of the information just captured. Example 2 shows what this summary looks like after running Snort for about a minute.
===============================================================================

Snort received 74260 packets
    Analyzed: 5923(7.976%)
    Dropped: 68337(92.024%)
===============================================================================
Breakdown by protocol:
    TCP: 1602       (2.157%)
    UDP: 4142       (5.578%)
   ICMP: 0          (0.000%)
    ARP: 6          (0.008%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
ETHLOOP: 0          (0.000%)
    IPX: 0          (0.000%)
   FRAG: 0          (0.000%)
  OTHER: 1          (0.001%)
DISCARD: 0          (0.000%)
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0
===============================================================================
Snort exiting
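The summary is worth more than a glance: in the run above Snort dropped 92% of the packets it received, so an IDS built on that configuration would have inspected fewer than one packet in twelve. As an added example, not code from the article or from Snort, the script below parses the Ctrl-C summary into counts and flags a run whose drop rate makes the sensor blind. The sample is the Example 2 text embedded inline; the 25% threshold is an assumption chosen for illustration, not a Snort setting.

```python
"""Parse the summary Snort prints when you press Ctrl-C (Example 2) and
check whether the sensor actually saw the traffic.

Added example, not Snort's own code. The sample is the article's Example 2
summary embedded inline; the 25% drop threshold is an assumption picked
for illustration, not a Snort default.
"""
import re

SAMPLE_SUMMARY = """\
===============================================================================

Snort received 74260 packets
    Analyzed: 5923(7.976%)
    Dropped: 68337(92.024%)
===============================================================================
Breakdown by protocol:
    TCP: 1602       (2.157%)
    UDP: 4142       (5.578%)
   ICMP: 0          (0.000%)
    ARP: 6          (0.008%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
ETHLOOP: 0          (0.000%)
    IPX: 0          (0.000%)
   FRAG: 0          (0.000%)
  OTHER: 1          (0.001%)
DISCARD: 0          (0.000%)
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0
===============================================================================
Snort exiting
"""

RECEIVED_RE = re.compile(r"^Snort received (\d+) packets$")
# "NAME: count" with an optional "(pct%)" trailer, as in every tally line above.
COUNT_RE = re.compile(r"^\s*([A-Za-z0-9]+):\s*(\d+)\s*(?:\(\d+\.\d+%\))?\s*$")


def parse_summary(text):
    """Return received/analyzed/dropped counts plus per-protocol and action tallies."""
    stats = {"received": 0, "analyzed": 0, "dropped": 0, "protocols": {}, "actions": {}}
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = RECEIVED_RE.match(line)
        if m:
            stats["received"] = int(m.group(1))
            continue
        if line.startswith("Breakdown by protocol"):
            section = "protocols"
            continue
        if line.startswith("Action Stats"):
            section = "actions"
            continue
        m = COUNT_RE.match(line)
        if not m:
            continue  # separators, blank lines, "Snort exiting"
        name, count = m.group(1), int(m.group(2))
        if name in ("Analyzed", "Dropped"):
            stats[name.lower()] = count
        elif section:
            stats[section][name] = count
    return stats


def drop_rate(stats):
    """Fraction of received packets Snort never analyzed."""
    return stats["dropped"] / stats["received"] if stats["received"] else 0.0


def visibility_problems(stats, max_drop_rate=0.25):
    """List reasons this run cannot be trusted as a record of what crossed the wire."""
    problems = []
    rate = drop_rate(stats)
    if rate > max_drop_rate:
        problems.append(f"dropped {rate:.1%} of received packets; most traffic was never inspected")
    if stats["analyzed"] + stats["dropped"] != stats["received"]:
        problems.append("analyzed + dropped does not add up to received")
    return problems


if __name__ == "__main__":
    s = parse_summary(SAMPLE_SUMMARY)
    print(f"received={s['received']} analyzed={s['analyzed']} dropped={s['dropped']}")
    for problem in visibility_problems(s) or ["no visibility problems"]:
        print("-", problem)
```

The article's own advice later on, to leave out -v (and usually -e) when running Snort as an IDS, is the first remedy for a summary like this one: printing every packet to the terminal is what keeps the sniffer from keeping up.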

Packet Logger mode

Packet Logger mode enables you to log the contiguous stream of information to disk. This is helpful when conducting analysis for a specified time period or surrounding a modification in security policy or configuration.
You will need to create and specify a logging directory, and Snort will automatically go into packet-logger mode.
Create a subdirectory called Piglet and run:
snort -dev -l ./Piglet
 
Example 3. Running Snort in Packet Logger mode
You will see the stream of packet information go by, but it will also be logged in tcpdump capture file format in the directory Piglet. In order to read back from that log file, simply run the command in Example 4. You will see the same stream of information that just flew by. If you do not specify an output directory for the program, it will default to /var/log/snort.
snort -r ./Piglet/logfile
Example 4. Reading the Snort logfile

Network Intrusion Detection (NIDS) mode

The third Snort mode is Network Intrusion Detection (NIDS) mode. You may not want to record every single packet that comes over the network, so you can specify that Snort looks only on your local network. See Example 5.
./snort -dev -l ./log -h 192.168.0.0/24 
Example 5. Network Intrusion Detection (NIDS) mode
Common use of NIDS mode employs a Snort configuration file, for example "snort... -c snort.conf," where snort.conf is the name of your rules file. This will apply the rules configured in the snort.conf file to each packet to decide if an action based upon the rule type in the file should be taken. The default snort.conf references several other rules files, so read through the entire snort.conf before calling it from the command line.
If you are going to use Snort over a long period as an IDS, omit the -v switch from the command line for the sake of speed. You can write information more quickly if you do not write verbosely to the screen.
It is also not necessary to record the data-link headers for most applications, so you can usually omit the -e switch, too. See Example 6, "A typical Snort command".
./snort -d -h 192.168.1.0/24 -l ./log -c snort.conf
Example 6. A typical Snort command
Although it is outside the scope of what Martin Roesch intended to do when he wrote Snort, Snort 2.3.0 RC1 integrated the intrusion prevention system (IPS) capability of snort_inline into the official Snort project. Snort_inline gets packets from iptables instead of libpcap and then uses new rule types to help iptables pass or drop packets based on Snort rules. This is referred to as Inline Mode.
In order for snort_inline to work properly, you have to compile the iptables code to include "make install-devel" or have the libipq library installed. This allows snort_inline to talk to iptables. You also need LibNet, which is available from http://www.packetfactory.net.
You can use three rule types when running Snort with snort_inline: drop, reject, and sdrop. See the iptables documentation for more information.
What does that mean to system security? How do I use Snort to secure my system? The real power of Snort lies in the rules you set up for monitoring. Some rule types are more useful than others depending on the exposure your network receives. For example, a commonly used rule type is payload detection based on content. A rule might look like Example 7, "A Snort monitoring rule".
content: [!] "content_string";
Example 7. A Snort monitoring rule
Non-payload detection rules are also available. For example, Example 8, "A non-payload detection rule" shows a rule that checks against the IP protocol header, in this case icmp.
alert ip any any -> any any (ip_proto:icmp;)
Example 8. A non-payload detection rule
The key to writing good rules is in keeping them streamlined. Poorly written rules can cause Snort to duplicate checks or waste time finding information it already has. Close analysis of the protocol in use can turn up signature events. For example, a user logging into an ftp server may pass the string "user root". A rule can be written to look for that specific string on FTP's port. See Example 9, "A rule to detect a particular string".
alert tcp any any -> any 21 (content:"user root";)
Example 9. A rule to detect a particular string
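Rule headers have exactly seven fields (action, protocol, source address, source port, direction, destination address, destination port), and a content match is case sensitive unless a nocase modifier follows it, so a rule written for "user root" will not fire on the upper-case USER command an FTP client actually sends. The following is an added example, not Snort's own rule engine (which is C and supports far more options): a small parser and linter for rules of the kind in Examples 7 to 9 that evaluates content options, with "!" negation and nocase, against a payload. The FTP login line is constructed, and the rule with an extra "any" is a constructed malformed rule used to show what the linter catches.

```python
"""Parse and lint Snort rules of the kind shown in Examples 7 to 9, and
evaluate their content options against a payload.

Added example, not Snort's own code. Snort's real rule engine is in C and
supports many more options; this covers the seven-field header, the
content option with "!" negation, and the nocase modifier.
"""
import re

HEADER_FIELDS = ("action", "proto", "src", "src_port", "direction", "dst", "dst_port")
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}  # last three: inline mode
PROTOS = {"tcp", "udp", "icmp", "ip"}
PORT_RE = re.compile(r"^!?(any|\$\w+|\d+|\d*:\d*)$")
# One "key" or "key:value;" option; a quoted value may contain escaped quotes.
OPT_RE = re.compile(r'\s*(?P<key>\w+)\s*(?::\s*(?P<val>!?\s*"(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def parse_rule(rule):
    """Split a rule into its header fields and an ordered list of (key, value) options."""
    rule = rule.strip()
    if "(" not in rule or not rule.endswith(")"):
        raise ValueError("options must be enclosed in parentheses")
    head, _, body = rule[:-1].partition("(")
    tokens = head.split()
    if len(tokens) != len(HEADER_FIELDS):
        raise ValueError(f"header needs {len(HEADER_FIELDS)} fields, got {len(tokens)}: {head.strip()!r}")
    header = dict(zip(HEADER_FIELDS, tokens))
    if header["action"] not in ACTIONS:
        raise ValueError(f"unknown action {header['action']!r}")
    if header["proto"] not in PROTOS:
        raise ValueError(f"unknown protocol {header['proto']!r}")
    if header["direction"] not in ("->", "<>"):
        raise ValueError(f"bad direction {header['direction']!r}")
    for field in ("src_port", "dst_port"):
        if not PORT_RE.match(header[field]):
            raise ValueError(f"bad {field} {header[field]!r}")
    options = [(m.group("key"), m.group("val")) for m in OPT_RE.finditer(body)]
    return {"header": header, "options": options}


def lint_rule(rule):
    """Return a list of problems (empty when the rule parses cleanly)."""
    try:
        parse_rule(rule)
    except ValueError as exc:
        return [str(exc)]
    return []


def content_checks(parsed):
    """Collect content options; a following 'nocase;' applies to the content before it."""
    checks = []
    for key, val in parsed["options"]:
        if key == "content":
            text = (val or "").strip()
            negate = text.startswith("!")
            text = text.lstrip("!").strip()
            if len(text) < 2 or text[0] != '"' or text[-1] != '"':
                raise ValueError(f"content value must be quoted: {val!r}")
            checks.append({"pattern": text[1:-1], "negate": negate, "nocase": False})
        elif key == "nocase" and checks:
            checks[-1]["nocase"] = True
    return checks


def content_matches(parsed, payload):
    """True when every content option is satisfied by the payload.

    Only content options are evaluated; header fields and options such as
    ip_proto are not, so a rule with no content options returns True.
    """
    for check in content_checks(parsed):
        hay, needle = payload, check["pattern"]
        if check["nocase"]:
            hay, needle = hay.lower(), needle.lower()
        if (needle in hay) == check["negate"]:
            return False
    return True


# Constructed FTP login line: clients send the USER command in upper case.
FTP_LOGIN = "USER root\r\n"
RULE_EXACT = 'alert tcp any any -> any 21 (content:"user root";)'
RULE_NOCASE = 'alert tcp any any -> any 21 (content:"user root"; nocase;)'
# Constructed malformed rule: eight header fields instead of seven.
RULE_BROKEN = 'alert tcp any any -> any any 21 (content:"user root";)'

if __name__ == "__main__":
    for rule in (RULE_EXACT, RULE_NOCASE):
        print(f"{rule}\n  matches {FTP_LOGIN!r}: {content_matches(parse_rule(rule), FTP_LOGIN)}")
    print("lint:", lint_rule(RULE_BROKEN))
```

Run as a script it shows the exact-case rule silently missing the login while the nocase variant fires, and the linter rejecting the eight-field header; the same checks are what keeps a rule set "streamlined" in the sense the next paragraph describes, since a rule that can never match still costs a comparison on every packet.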
There are as many ways to secure your system as rules you can think of. Snort affords great flexibility in a powerful and open source solution. Snort's popularity is due in part to its community of support beyond the development of Snort. For more information, go to http://www.snort.org, or refer to the recommended reading.

Further reading

  • Snort Cookbook by Angela D. Orebaugh, Simon Biles, Jacob Babbin; first edition March 2005
  • Nessus, Snort, & Ethereal Power Tools: Customizing Open Source Security Applications by Brian Caswell, Gilbert Ramirez, CISSP, Jay Beale, Noam Rathaus. Publisher: Syngress, September 2005
