Monthly Archive: September 2017
+
Red Hat Product Security has been made aware of a vulnerability in the Linux kernel that has been assigned CVE-2016-5195. This issue was publicly disclosed on …
By Cloudi
September 27, 2017
+
Introduction Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of moderm web applications. It is free, …
By Win Stark
September 23, 2017
+
Supply chain attacks are a very effective way to distribute malicious software into target organizations. This is because with supply chain attacks, the attackers are relying …
By Cloudi
September 19, 2017
+
What is snort ? Snort is an open source network intrusion prevention system(IDS), capable of performing real-time traffic analysis and packet logging on IP networks. It …
By Win Stark
September 16, 2017
+
What happens if your network breaks up? How can you search for detailed information about bugs to evaluate for your network? In this post, I will …
By Cloudi
September 13, 2017
+
Over 1.4 million .VN domains leaked on the internet On Aug 31, 2017 at approximately 4:14AM PDT (earliest known detection), one of Vietnam’s top level nameservers …
By Win Stark
September 6, 2017
+
Hi all! Our work this week is very busy though I still try to arrange to share to you a pretty good tool. I hope it …
By Cloudi
September 5, 2017
![## What is snort ? Snort is an open source network intrusion prevention system(IDS), capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. ## Installation **Install from source** Find the appropriate package for your operating system and install. ```sh wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz tar xvfz daq-2.0.6.tar.gz cd daq-2.0.6 ./configure && make && sudo make install ``` On Ubuntu/Debinan: ```sh sudo apt-get install snort ``` ## Usage ```sh USAGE: snort [-options] Options: -A Set alert mode: fast, full, console, test or none (alert file alerts only) "unsock" enables UNIX socket logging (experimental). -b Log packets in tcpdump format (much faster!) -B Obfuscated IP addresses in alerts and packet dumps using CIDR mask -c Use Rules File -C Print out payloads with character data only (no hex) -d Dump the Application Layer -D Run Snort in background (daemon) mode -e Display the second layer header info -f Turn off fflush() calls after binary log writes -F Read BPF filters from file -g Run snort gid as group (or gid) after initialization -G Log Identifier (to uniquely id events for multiple snorts) -h Set home network = (for use with -l or -B, does NOT change $HOME_NET in IDS mode) -H Make hash tables deterministic. -i Listen on interface -I Add Interface name to alert output -k Checksum mode (all,noip,notcp,noudp,noicmp,none) -K Logging mode (pcap[default],ascii,none) -l Log to directory -L Log to this tcpdump file -M Log messages to syslog (not alerts) -m Set umask = -n Exit after receiving packets -N Turn off logging (alerts still work) -O Obfuscate the logged IP addresses -p Disable promiscuous mode sniffing -P Set explicit snaplen of packet (default: 1514) -q Quiet. Don't show banner and status report -Q Enable inline mode operation. -r Read and process tcpdump file -R Include 'id' in snort_intf.pid file name -s Log alert messages to syslog -S Set rules file variable n equal to value v -t Chroots process to after initialization -T Test and report on the current Snort configuration -u Run snort uid as user (or uid) after initialization -U Use UTC for timestamps -v Be verbose -V Show version number -X Dump the raw packet data starting at the link layer -x Exit if Snort configuration problems occur -y Include year in timestamp in the alert and log files -Z Set the performonitor preprocessor file path and name -? Show this information are standard BPF options, as seen in TCPDump Longname options and their corresponding single char version --logid Same as -G --perfmon-file Same as -Z --pid-path Specify the directory for the Snort PID file --snaplen Same as -P --help Same as -? --version Same as -V --alert-before-pass Process alert, drop, sdrop, or reject before pass, default is pass before alert, drop,... --treat-drop-as-alert Converts drop, sdrop, and reject rules into alert rules during startup --treat-drop-as-ignore Use drop, sdrop, and reject rules to ignore session traffic when not inline. --process-all-events Process all queued events (drop, alert,...), default stops after 1st action group --enable-inline-test Enable Inline-Test Mode Operation --dynamic-engine-lib Load a dynamic detection engine --dynamic-engine-lib-dir Load all dynamic engines from directory --dynamic-detection-lib Load a dynamic rules library --dynamic-detection-lib-dir Load all dynamic rules libraries from directory --dump-dynamic-rules Creates stub rule files of all loaded rules libraries --dynamic-preprocessor-lib Load a dynamic preprocessor library --dynamic-preprocessor-lib-dir Load all dynamic preprocessor libraries from directory --dynamic-output-lib Load a dynamic output library --dynamic-output-lib-dir Load all dynamic output libraries from directory --create-pidfile Create PID file, even when not in Daemon mode --nolock-pidfile Do not try to lock Snort PID file --no-interface-pidfile Do not include the interface name in Snort PID file --disable-attribute-reload-thread Do not create a thread to reload the attribute table --pcap-single Same as -r. --pcap-file file that contains a list of pcaps to read - read mode is implied. --pcap-list "" a space separated list of pcaps to read - read mode is implied. --pcap-dir a directory to recurse to look for pcaps - read mode is implied. --pcap-filter filter to apply when getting pcaps from file or directory. --pcap-no-filter reset to use no filter when getting pcaps from file or directory. --pcap-loop this option will read the pcaps specified on command line continuously. for times. A value of 0 will read until Snort is terminated. --pcap-reset if reading multiple pcaps, reset snort to post-configuration state before reading next pcap. --pcap-reload if reading multiple pcaps, reload snort config between pcaps. --pcap-show print a line saying what pcap is currently being read. --exit-check Signal termination after callbacks from DAQ_Acquire(), showing the time it takes from signaling until DAQ_Stop() is called. --conf-error-out Same as -x --enable-mpls-multicast Allow multicast MPLS --enable-mpls-overlapping-ip Handle overlapping IPs within MPLS clouds --max-mpls-labelchain-len Specify the max MPLS label chain --mpls-payload-type Specify the protocol (ipv4, ipv6, ethernet) that is encapsulated by MPLS --require-rule-sid Require that all snort rules have SID specified. --daq Select packet acquisition module (default is pcap). --daq-mode Select the DAQ operating mode. --daq-var Specify extra DAQ configuration variable. --daq-dir Tell snort where to find desired DAQ. --daq-list[=] List packet acquisition modules available in dir. Default is static modules only. --dirty-pig Don't flush packets and release memory on shutdown. --cs-dir Directory to use for control socket. --ha-peer Activate live high-availability state sharing with peer. --ha-out Write high-availability events to this file. --ha-in Read high-availability events from this file on startup (warm-start). --suppress-config-log Suppress configuration information output. ``` ## Features Snort can be configured to run in three modes: * **Sniffer mode**, which simply reads the packets off the network and displays them for you in a continous stream on the console(screen). An example, if you want to print out TCP/IP packet headers to the screen, try this: ```sh snort -v ``` ![]() If you want to see the application data in transit, try the following: ```sh snort -vd ``` * **Packet Logger mode**, wich logs the packets to disk. To record the packets to the disk, you need to specify a loggin directory and Snort will automatically know to go into packet logger mode: ```sh snort -dev -l ./log ``` **Others logging options:** ```sh snort -dev -l ./log -h 192.168.1.0/24 // Log relative to the home network snort -l ./log -b // Binary mode logs ``` * **Network Intrusion Detection System(NIDS) mode**, which performs detection and analysis on network traffic. This is the most complex and configurable mode. To enable Network Detection System(NIDS) mode so that your don't recorad every single packet sent down the wire, try this: ```sh snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf ``` where **snort.conf** is the name of your configuration file( default at /etc/snort/). This will applay the rules configured in the **snort.conf** file to each packet to decide if an action based upon the rule type in the file should taken. If you don't specify an output directory for the program, it will default to **/var/log/snort**. Many options we can try, but just one for start. ## Snort rules - Snort's rule engine enables custom rules to meets the needs of the network - Snort rules help in differentiating between normal internet activities and malicious activities. - Snort rules must be contained on a single line, the Snort rule parser does not handle rules on multiple lines - Snort rules come with two logical parts: **Rule heaer:** Identifies rule's cations such as alerts, log, pass, activate, dynamic, etc. **Rule options:** Indentifies rule's alert messages. Example: ![]() A real example rule for ddos: ```sh alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Jolt attack"; dsize:408; fragbits:M; reference:cve,1999-0345; classtype:attempted-dos; sid:268; rev:4;) ``` ## Demo So, let try an example with ping detect Open file **local.rules** to add a new rule: ```sh sudo vim /etc/snort/rules/local.rules ``` Add a new rule to detect ping: ```sh alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"You're being pinged!"; GID:1; sid: 10000001; classtype: icmp-event;) ``` Run snort IDS mode: ```sh sudo snort -A console -d -l /var/log/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf ``` 92.168.1.22 -> 192.168.1.152 Now, pring from another host: ```sh ping 192.168.1.22 ``` Here are results: ![]() Above, just is an example. Hope you can do more ! ## Conclusion Snort is the most open source IDS. In this artice, I'm trying to guide you litte bit to start with snort like: installation, snort's mode, snort's rule strucuture and an real example how we apply a new rule by your own. Cheers! ## References Snort manual: https://goo.gl/kE3HWG](https://hydrasky.com/wp-content/uploads/2017/09/snort-ids.jpg)
