SnorGen User Guide 2.0
Uploaded by sungho-yoon (category: Technology)
Transcript of SnorGen User Guide 2.0
SnorGen
Contents
1. What is SnorGen?
2. Why do we need SnorGen?
3. How does SnorGen work?
4. How can I use SnorGen Web?
5. Ongoing SnorGen!
6. What is next with SnorGen?
7. SUMMARY
8. Q&A
What is SnorGen?
SnorGen (http://snorgen.korea.ac.kr)
Automatic Signature Generator
Content Signature
Packet Signature
Flow Signature
Converts the generated signatures into Snort rule form
Immediately applicable to Snort
※ Signature: a unique pattern identifying an application in traffic.
What is SnorGen?
Content Signature Generation
A unique substring in a packet identifying an application
Packet Signature Generation
A sequence of “content signatures” in a packet
Flow Signature Generation
A sequence of “packet signatures” in a flow
Traffic Data → Content Signature → Packet Signature → Flow Signature
What is SnorGen?
Content Signature Maker → Packet Signature Maker → Flow Signature Maker
Traffic Data (Flow):
→ GET/HTTP/1.1..Host:youtube.com..Connection:keepalive..UserAgent:Mozila/5.0(windowsNT6.1;wow64)..
← HTTP/1.1..303..Moved..Permanently..Date..Location:http://www.youtube.com/..Content-Length:..
Content Signatures:
"GET"; "Host:youtube.com"; "UserAgent:"; "HTTP/1.1"; "http://www.youtube.com";
Packet Signatures:
"GET"; "Host:youtube.com"; "UserAgent";
"HTTP/1.1"; "http://www.youtube.com";
Flow Signatures:
To_server; "Host:youtube.com"; To_client; "http://www.youtube.com";
What is SnorGen?
Content Signature
Content Signature Generation
Example flow between a host and the Application Server (192.168.1.1, port 80):
→ GET/HTTP/1.1..Host:youtube.com..Connection:keepalive..UserAgent:Mozila/5.0(windowsNT6.1;wow64)..
← HTTP/1.1..303..Moved..Permanently..Date..Location:http://www.youtube.com/..Content-Length..
Content Signature Result (one Snort rule per content signature):
alert tcp any any -> 192.168.1.1 80 (sid:4; content:"GET"; offset:0; depth:3;)
alert tcp any any -> 192.168.1.1 80 (sid:5; content:"Host:youtube.com"; offset:14; depth:16;)
alert tcp any any -> 192.168.1.1 80 (sid:6; content:"UserAgent"; offset:55; depth:9;)
alert tcp 192.168.1.1 80 -> any any (sid:7; content:"HTTP/1.1"; offset:0; depth:8;)
alert tcp 192.168.1.1 80 -> any any (sid:8; content:"http://www.youtube.com"; offset:41; depth:22;)
Figure: Host A (flow A-1, packets A-1/A-2) and Host B (flow B-1, packets B-1/B-2) talk to 192.168.1.1; the content signatures GET, Host:youtube.com, UserAgent, HTTP/1.1 and http://www.youtube.com are each marked on their own in both flows. Flow B-1:
→ GET/HTTP/1.1..Host:youtube.com..Connection:request..UserAgent:Mozila/4.0(windowsNT7.1;wow32)..
← HTTP/1.1..205..Protection..Mode..Block..ServerNTP:http://www.youtube.com/..Protocol..
What is SnorGen?
Packet Signature
Packet Signature Generation
Example flow between a host and the Application Server (192.168.1.1, port 80):
→ GET/HTTP/1.1..Host:youtube.com..Connection:keepalive..UserAgent:Mozila/5.0(windowsNT6.1;wow64)..
← HTTP/1.1..303..Moved..Permanently..Date..Location:http://www.youtube.com/..Content-Length..
Packet Signature Result (the content signatures of one packet combined into one Snort rule):
alert tcp any any -> 192.168.1.1 80 (sid:4; content:"GET"; offset:0; depth:3; content:"Host:youtube.com"; offset:14; depth:16; content:"UserAgent"; offset:55; depth:9;)
alert tcp 192.168.1.1 80 -> any any (sid:5; content:"HTTP/1.1"; offset:0; depth:8; content:"http://www.youtube.com"; offset:41; depth:22;)
Figure: Host A (flow A-1, packets A-1/A-2) and Host B (flow B-1, packets B-1/B-2) talk to 192.168.1.1; the packet signatures GET + Host:youtube.com + UserAgent (request) and HTTP/1.1 + http://www.youtube.com (response) are marked in both flows. Flow B-1:
→ GET/HTTP/1.1..Host:youtube.com..Connection:request..UserAgent:Mozila/4.0(windowsNT7.1;wow32)..
← HTTP/1.1..205..Protection..Mode..Block..ServerNTP:http://www.youtube.com/..Protocol..
What is SnorGen?
Flow Signature
Flow Signature Generation
Example flow between a host and the Application Server (192.168.1.1, port 80):
→ GET/HTTP/1.1..Host:youtube.com..Connection:keepalive..UserAgent:Mozila/5.0(windowsNT6.1;wow64)..
← HTTP/1.1..303..Moved..Permanently..Date..Location:http://www.youtube.com/..Content-Length..
Flow Signature Result (the packet signatures of one flow chained with flowbits: the request rule sets a flowbit without alerting, and the response rule alerts only when that flowbit is set in the same flow):
alert tcp any any -> 192.168.1.1 80 (sid:4; content:"GET"; offset:0; depth:3; content:"Host:youtube.com"; offset:14; depth:16; content:"UserAgent"; offset:55; depth:9; flowbits:set,mark1; flowbits:noalert;)
alert tcp 192.168.1.1 80 -> any any (sid:5; content:"HTTP/1.1"; offset:0; depth:8; content:"http://www.youtube.com"; offset:41; depth:22; flowbits:isset,mark1;)
Figure: Host A (flow A-1, packets A-1/A-2) and Host B (flow B-1, packets B-1/B-2) talk to 192.168.1.1; the figure highlights Host:youtube.com in the request and http://www.youtube.com in the response of each flow, with GET, UserAgent and HTTP/1.1 listed beside them. Flow B-1:
→ GET/HTTP/1.1..Host:youtube.com..Connection:request..UserAgent:Mozila/4.0(windowsNT7.1;wow32)..
← HTTP/1.1..205..Protection..Mode..Block..ServerNTP:http://www.youtube.com/..Protocol..
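The content → packet → flow pipeline above, worked through as an added example that is not SnorGen's own code: two constructed HTTP flows, the substrings common to both as content signatures (with the slides' Fixed Offset flag), the ordered set per packet as a packet signature, and the per-packet rules chained with flowbits as a flow signature. The server address, sid numbers and the flowbit name mark1 are placeholders taken from the slides' illustration.

```python
# Added example (not SnorGen's own code): content -> packet -> flow signatures
# from constructed flows, emitted as Snort rules the way the slides describe.
import re
# Constructed sample flows (slides' YouTube example): ordered (direction, payload) packets.
FLOWS = [
    [("to_server", b"GET / HTTP/1.1\r\nHost: youtube.com\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
     ("to_client", b"HTTP/1.1 303 See Other\r\nLocation: http://www.youtube.com/\r\nContent-Length: 0\r\n\r\n")],
    [("to_server", b"GET /watch?v=abc HTTP/1.1\r\nHost: youtube.com\r\nConnection: close\r\nUser-Agent: Mozilla/4.0\r\n\r\n"),
     ("to_client", b"HTTP/1.1 301 Moved Permanently\r\nLocation: http://www.youtube.com/\r\nServer: gws\r\n\r\n")],
]

def content_signatures(payloads, min_len=3):
    # Content signature: a substring of the first payload found in every other
    # one. 'fixed' is the slides' Fixed Offset flag (same offset in all of them).
    sigs = []
    for m in re.finditer(rb"\S+", payloads[0]):
        tok, off = m.group(), m.start()
        if len(tok) >= min_len and all(tok in p for p in payloads[1:]):
            fixed = all(p.find(tok) == off for p in payloads[1:])
            sigs.append({"content": tok, "offset": off, "depth": len(tok), "fixed": fixed})
    return sigs

def snort_content(raw):
    # Snort content string; bytes Snort treats specially are hex-escaped as |xx|.
    return '"' + "".join(chr(b) if 0x20 <= b < 0x7f and b not in b'|";\\'
                         else "|%02x|" % b for b in raw) + '"'

def packet_signature(sigs):
    # Packet signature: the ordered content signatures of one packet as Snort
    # options. Fixed ones carry offset/depth; later non-fixed ones distance:0 to keep the order.
    return ["content:%s;%s" % (snort_content(s["content"]),
            " offset:%d; depth:%d;" % (s["offset"], s["depth"]) if s["fixed"]
            else " distance:0;" if i else "") for i, s in enumerate(sigs)]

def flow_signature(flows, server="192.168.1.1", port=80, sid=1, bit="mark1"):
    # Flow signature: one rule per packet position, chained with flowbits so the
    # last rule alerts only after the earlier packets of the same flow matched.
    rules, last = [], len(flows[0]) - 1
    for i, (direction, _) in enumerate(flows[0]):  # assumes aligned directions
        sigs = content_signatures([f[i][1] for f in flows])
        if not sigs:
            continue
        hdr = (f"alert tcp any any -> {server} {port}" if direction == "to_server"
               else f"alert tcp {server} {port} -> any any")
        opts = packet_signature(sigs) + ([f"flowbits:isset,{bit};"] if i else [])
        if i < last:
            opts.append(f"flowbits:set,{bit}; flowbits:noalert;")
        rules.append(f"{hdr} ({' '.join(opts)} sid:{sid + i};)")
    return rules
```

With these two flows only GET and HTTP/1.1 keep a fixed offset; the remaining common substrings are emitted as ordered relative matches, which is the caveat behind the slides' Fixed Offset flag.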
How does SnorGen work?
Traffic Files (pcap, cap, libpcap, …) → Data Processor → Content Signature Generator → Packet Signature Generator → Flow Signature Generator → Signature list
Traffic Data (Flow):
→ GET/HTTP/1.1..Host:youtube.com..Connection:keepalive..UserAgent:Mozila/5.0(windowsNT6.1;wow64)..
← HTTP/1.1..303..Moved..Permanently..Date..Location:http://www.youtube.com/..Content-Length:..
Content Signatures:
"GET"; "Host:youtube.com"; "UserAgent:"; "HTTP/1.1"; "http://www.youtube.com";
Packet Signatures:
"GET"; "Host:youtube.com"; "UserAgent";
"HTTP/1.1"; "http://www.youtube.com";
Flow Signatures:
To_server; "Host:youtube.com"; To_client; "http://www.youtube.com";
Why do we need SnorGen?
For “monitoring” new application traffic
For “blocking” unknown malicious traffic (Remote→Local)
For “controlling” the overdose user (Local→Remote)
(Figure: SnorGen, operated by the network manager, sits between the local network and the Internet.)
Why do we need SnorGen? “Monitoring” new application traffic
(Figure: network manager, SnorGen, new application)
Why do we need SnorGen? “Blocking” unknown malicious traffic
(Figure: network manager, SnorGen, malicious traffic from the Internet)
Why do we need SnorGen? “Controlling” the overdose user
(Figure: network manager, SnorGen, overdose user)
How can I use SnorGen Web? http://snorgen.korea.ac.kr
Input Traffic
Summary Window: check the statistics of the input files and the signatures
Content Signature: check the generated content signatures
Packet Signature: check the generated packet signatures
Flow Signature: under construction…
How can I use SnorGen Web?
Input Traffic
(Screenshot: steps ① and ②; traffic files: pcap, cap, libpcap, …)
How can I use SnorGen Web?
Summary
File info: input file sizes
Traffic info: statistics after conversion into flows
Rule info: number of rules and completeness (ratio of identified traffic)
##### File info. #####
#1 file : youtube_02.pcap - 20071 KB
#2 file : youtube_09.pcap - 23409 KB
#3 file : youtube_10.pcap - 21837 KB
##### Traffic info. #####
#1 file: youtube_02- flow:64 pkt:23039 byte:20305171 See_Detail
#2 file :youtube_09- flow : 70 pkt : 26070 byte : 23682102 See_Detail
#3 file :youtube_10- flow : 51 pkt : 25437 byte : 22076854 See_Detail
Data Process Time : Real Time: 1.88s, User Time 1.13s, System Time 0.26s
##### Rule info. #####
Content Signature : 115
Completeness: 100.00(185/185) 100.00(74546/74546) 100.00(66064127/66064127)
Content Process Time : Real Time: 2.42s, User Time 2.76s, System Time 0.04s
Packet Signature : 108
Completeness: 100.00(185/185) 100.00(74546/74546) 100.00(66064127/66064127)
Packet Process Time : Real Time: 2.24s, User Time 2.23s, System Time 0.02s
Total Process Time : Real Time: 6.76s, User Time 6.27s, System Time 0.38s
How can I use SnorGen Web?
Content Signature
Support: number of files containing the signature
Fixed Offset: flag set when the signature has a fixed offset
F-COM: flow-level completeness of the signature
See_Detail: pop-up window for checking the traffic identified by the signature
Support : 3/3 files; (Fixed Offset); F-Com: 1.62(3/185) 3.17(2364/74546) 2.66(175/6606);
alert tcp any any -> 173.194.120.0/24 443 (sid:1; content:"i.ytimg.com"; offset:101; depth:11;) See_Detail
Support : 3/3 files; (Fixed Offset); F-Com: 1.62(3/185) 3.25(2424/74546) 2.57(169/6606);
alert tcp any any -> 173.194.120.0/24 443 (sid:2; content:"youtube.com";offset:101; depth:15; )See_Detail
Support : 3/3 files; (Fixed Offset); F-Com: 4.86(9/185) 0.20(148/74546) 0.07(433/6606);
alert tcp any any -> any 80 (sid: 100; content:"GET /"; offset:0; depth:5; ) See_Detail
How can I use SnorGen Web?
Packet Signature
Support : 3/3 files; F-Com: 1.62(3/185) 0.09(66/74546) 0.04(28017/66064127);
alert tcp any any -> 74.125.68.94 80 (sid: 1000272; content:"GET /accounts/Logout2"; offset:0;
depth:21; content:"service="; offset:22; depth:8; content:"ilo="; offset:38; depth:4;
content:"ils="; offset:44; depth:4; content:"ilc="; offset:53; depth:4; content:"continue="; offset:59;
depth:9; content:"zx="; offset:98; depth:3; content:"Host: www.google.co.kr"; offset:121;
depth:24; ) See_Detail
Support : 3/3 files; (Fixed Offset); F-Com: 6.49(12/185) 1.41(1050/74546) 0.61(402479/66064127);
alert tcp 173.194.120.0/24 443 -> any any (sid: 1000264; content:".google.com"; offset:335;
depth:11; content:"|1d|0|82|"; offset:488; depth:3; content:"|19||82||0c|"; offset:492; depth:3;
content:"*.goo"; offset:495; depth:5; ) See_Detail
(Support, Fixed Offset, F-COM and See_Detail have the same meaning as in the Content Signature window.)
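How the Summary window's Completeness triple (flows, packets, bytes) and the per-signature F-COM column can be computed, as an added example that is not SnorGen's code: the rule representation, the flow-level counting rule (a flow counts as identified when any rule matches any of its packets) and the sample flows are assumptions made for the illustration.

```python
# Added example (not SnorGen's own code): the Summary window's Completeness
# triple (flows, packets, bytes) and the per-signature F-COM over sample flows.

# Constructed flows: ordered (direction, payload) packets. A rule is a list of
# (content, offset, depth); offset/depth are None when the offset is not fixed.
FLOWS = [
    [("to_server", b"GET / HTTP/1.1\r\nHost: youtube.com\r\n\r\n"), ("to_client", b"HTTP/1.1 200 OK\r\n\r\n")],
    [("to_server", b"GET /watch HTTP/1.1\r\nHost: youtube.com\r\n\r\n"), ("to_client", b"HTTP/1.1 303 See Other\r\n\r\n")],
    [("to_server", b"POST /api HTTP/1.1\r\nHost: example.test\r\n\r\n"), ("to_client", b"HTTP/1.1 403 Forbidden\r\n\r\n")],
]
RULES = {  # keyed by sid; sid 2 is deliberately generic: high completeness, no application specificity
    1: [(b"GET", 0, 3), (b"youtube.com", None, None)],
    2: [(b"HTTP/1.1", 0, 8)],
}

def matches(rule, payload):
    # Snort semantics: with offset/depth the content must lie within
    # payload[offset:offset+depth]; without them it may be anywhere.
    return all(content in (payload if off is None else payload[off:off + depth])
               for content, off, depth in rule)

def identified(rules, flows):
    # Flow-level counting: a flow is identified when any rule matches any of its
    # packets, and all of its packets and bytes then count as identified.
    hit = [f for f in flows if any(matches(r, p) for r in rules for _, p in f)]
    def count(fs):
        return (len(fs), sum(len(f) for f in fs), sum(len(p) for f in fs for _, p in f))
    return count(hit), count(flows)

def fmt(got, total):
    # Same layout as the Summary window: pct(n/total) for flows, packets, bytes.
    return " ".join("%.2f(%d/%d)" % (100.0 * g / t if t else 0.0, g, t) for g, t in zip(got, total))

def completeness(rules, flows):
    # Rule info "Completeness": all rules taken together.
    return fmt(*identified(list(rules.values()), flows))

def f_com(sid, rules, flows):
    # F-COM column: flow-level completeness of one signature on its own.
    return fmt(*identified([rules[sid]], flows))
```

The generic sid 2 reaches 100% on every count while sid 1 identifies two of the three flows, which is why the web page reports completeness next to each signature rather than only in total.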
Demo
Encrypted application
Non-encrypted application
Naver
Ongoing SnorGen!
Flow Signature Generation
A sequence of “packet signatures” in a flow
Content Signature → Packet Signature → Flow Signature
Verification of the generated rules against the SnorGen DB
Verification of the accuracy of the generated signatures
Identification of the application's traffic
Ongoing SnorGen!
Flow Signature Generation (the Flow Signature slide is shown again here)
(Figure: YouTube traffic from the SnorGen traffic databases is fed to the Verifier together with the YouTube signatures.)
Ongoing SnorGen!
Verification of the generated rules against the SnorGen DB
(Chart: completeness (%) of the generated signatures per application, y-axis 0 to 100: NateOn, Google, Naver, Facebook, Torrent, Youtube)
What is next with SnorGen?
SnorGen Crawler
Automatically collect web traffic
Deploy on a real network with a monitoring agent (TMA)
Automatically generate signatures of Internet applications
Install SnorGen at the end host
What is next with SnorGen?
SnorGen Crawler
An automatic system from traffic capture to signature generation
(Figure: the network manager runs crawlers against www.youtube.com; the request/response traffic with the YouTube servers is turned into signatures.)
What is next with SnorGen?
Deploy on a real network with a monitoring agent (TMA)
TMA: Traffic Measurement Agent; TMS: Traffic Measurement Server
(Figure: TMAs on the hosts report to the TMS, which holds the signatures for each application; the Internet on one side, the monitored hosts on the other.)
TMA information:
Process name   IP address    Port number   State    Protocol   Path
Chrome.exe     123.12.15..   80            start    tcp        Path
NateOn         142.15.78..   443           server   tls        Path
Chrome.exe     123.12.15..   80            start    tcp        Path
NateOn         142.15.78..   443           server   tls        Path
SUMMARY
SnorGen
Automatic payload signature generator
Three types of signature
Content Signature
Packet Signature
Flow Signature
SnorGen Web
Can be used anywhere, by anyone with an Internet connection
Q&A
1. Automatic signature generation time
2. Completeness of the generated signatures
3. Is it possible to connect to a real network and generate signatures automatically in real time?
1. Automatic signature generation time: how long does SnorGen run? (We are considering parallel and distributed processing)
Application            Naver (Portal)        (SNS)                  Afreeca (P2P Stream)    Utorrent (P2P File)
File Size              8,189KB (5 files)     109,972KB (5 files)    234,297KB (5 files)     244,140KB (5 files)
Signature              Ctt: 236, Pkt: 259    Ctt: 35, Pkt: 35       Ctt: 285, Pkt: 299      Ctt: 1,616, Pkt: 2,283
Total Process Time     12.23s (5.23Mbps)     10.53s (81.59Mbps)     159.64s (11.46Mbps)     351.14s (5.43Mbps)
Detail Time: Data      7.77s                 4.07s                  76.67s                  160.64s
Detail Time: Content   3.24s                 2.61s                  67.75s                  179.21s
Detail Time: Packet    1.05s                 2.76s                  14.53s                  9.55s
2. Completeness of the generated signatures
Current verification of signature completeness:
Support
Fixed Offset
Completeness
See_Detail
2. Completeness of the generated signatures
Future signature completeness:
Verification of the generated rules against the SnorGen DB
Extract the completed signatures after they have passed verification
(Figure and chart as in “Ongoing SnorGen!”: the Verifier checks the YouTube signatures against YouTube traffic from the SnorGen traffic databases; completeness (%) per application for NateOn, Google, Naver, Facebook, Torrent, Youtube.)
3. Connecting to a real network
Current SnorGen environment: the user collects the traffic of a specific application by hand
Future SnorGen environment:
Deploy on a real network with a monitoring agent (TMA)
Connection in a real network becomes possible by using the information from the TMA