Transcript of SnorGen User Guide 2.0

Page 1: SnorGen User Guide 2.0

Page 2: SnorGen User Guide 2.0

Contents

1. What is SnorGen?
2. Why do we need SnorGen?
3. How does SnorGen work?
4. How can I use SnorGen Web?
5. Ongoing SnorGen work
6. What is next with SnorGen?
7. Summary
8. Q&A

Page 3: SnorGen User Guide 2.0

What is SnorGen?

SnorGen (http://snorgen.korea.ac.kr)

Automatic signature generator producing three kinds of signature:
- Content signature
- Packet signature
- Flow signature

Converts the generated signatures into Snort rule form, so they are immediately applicable to Snort.

※ Signature: a unique pattern that identifies an application in traffic.

Page 4: SnorGen User Guide 2.0

What is SnorGen?

Content Signature Generation

A unique substring in a packet identifying an application

Packet Signature Generation

A sequence of “content signatures” in a packet

Flow Signature Generation

A sequence of “packet signatures” in a flow

[Figure: Traffic Data → Content Signature → Packet Signature → Flow Signature]

Page 5: SnorGen User Guide 2.0

What is SnorGen?

Content Signature Maker → Packet Signature Maker → Flow Signature Maker

Traffic Data (Flow):
GET/HTTP/1.1..Host:youtube.com..Connection:keepalive..UserAgent:Mozila/5.0(windowsNT6.1;wow64)..
HTTP/1.1..303..Moved..Permanently..Date..Location:http://www.youtube.com/..Content-Length:..

Content Signatures:
"GET"; "Host:youtube.com"; "UserAgent:"; "HTTP/1.1"; "http://www.youtube.com";

Packet Signatures (one sequence of content signatures per packet):
"GET"; "Host:youtube.com"; "UserAgent";
"HTTP/1.1"; "http://www.youtube.com";

Flow Signatures (one sequence of packet signatures per flow, with direction):
To_server; "Host:youtube.com"; To_client; "http://www.youtube.com";

Page 6: SnorGen User Guide 2.0

What is SnorGen?

Content Signature

Content Signature Generation

GET/HTTP/1.1..Host:youtube.com..Connection:keepalive..UserAgent:Mozila/5.0(windowsNT6.1;wow64)..

HTTP/1.1..303..Moved..Permanently..Date..Location:http://www.youtube.com/..Content-Length..

Application Server: 192.168.1.1

alert tcp any any -> 192.168.1.1 80 (sid:4; content:"GET"; offset:0; depth:3;)
alert tcp any any -> 192.168.1.1 80 (sid:5; content:"Host:youtube.com"; offset:14; depth:16;)
alert tcp any any -> 192.168.1.1 80 (sid:6; content:"UserAgent"; offset:55; depth:9;)
alert tcp 192.168.1.1 80 -> any any (sid:7; content:"HTTP/1.1"; offset:0; depth:8;)
alert tcp 192.168.1.1 80 -> any any (sid:8; content:"http://www.youtube.com"; offset:41; depth:22;)

Because depth equals the content length in every rule, each content is matched only at exactly the given offset of the packet payload.

Content Signature Result

[Figure: Host A and Host B each exchange one flow with the application server 192.168.1.1. Flow A-1 is the traffic shown above: packet A-1 (request) contains GET, Host:youtube.com and UserAgent; packet A-2 (response) contains HTTP/1.1 and http://www.youtube.com. Flow B-1 is a different exchange, packet B-1 "GET/HTTP/1.1..Host:youtube.com..Connection:request..UserAgent:Mozila/4.0(windowsNT7.1;wow32).." and packet B-2 "HTTP/1.1..205..Protection..Mode..Block..ServerNTP:http://www.youtube.com/..Protocol..", but it carries the same five content signatures in the same places, so each of the content rules sid 4 to 8 matches both flows.]

Page 7: SnorGen User Guide 2.0

What is SnorGen?

Packet Signature

Packet Signature Generation

GET/HTTP/1.1..Host:youtube.com..Connection:keepalive..UserAgent:Mozila/5.0(windowsNT6.1;wow64)..

HTTP/1.1..303..Moved..Permanently..Date..Location:http://www.youtube.com/..Content-Length..

Application Server: 192.168.1.1

alert tcp any any -> 192.168.1.1 80 (sid:4; content:"GET"; offset:0; depth:3; content:"Host:youtube.com"; offset:14; depth:16; content:"UserAgent"; offset:55; depth:9;)
alert tcp 192.168.1.1 80 -> any any (sid:5; content:"HTTP/1.1"; offset:0; depth:8; content:"http://www.youtube.com"; offset:41; depth:22;)

A packet signature puts all content signatures of one packet into a single rule, so the rule fires only when every content is present, at its offset, in that one packet.

Packet Signature Result

[Figure: same layout as on Page 6. Packets A-1 and B-1 both contain the whole request sequence (GET, Host:youtube.com, UserAgent) and packets A-2 and B-2 the whole response sequence (HTTP/1.1, http://www.youtube.com), so both packet rules match flow A-1 and flow B-1.]

Page 8: SnorGen User Guide 2.0

What is SnorGen?

Flow Signature

Flow Signature Generation

GET/HTTP/1.1..Host:youtube.com..Connection:keepalive..UserAgent:Mozila/5.0(windowsNT6.1;wow64)..

HTTP/1.1..303..Moved..Permanently..Date..Location:http://www.youtube.com/..Content-Length..

Application Server: 192.168.1.1

alert tcp any any -> 192.168.1.1 80 (sid:4; content:"GET"; offset:0; depth:3; content:"Host:youtube.com"; offset:14; depth:16; content:"UserAgent"; offset:55; depth:9; flowbits:set,mark1; flowbits:noalert;)
alert tcp 192.168.1.1 80 -> any any (sid:5; content:"HTTP/1.1"; offset:0; depth:8; content:"http://www.youtube.com"; offset:41; depth:22; flowbits:isset,mark1;)

The request rule sets the flowbit mark1 on the session without alerting; the response rule alerts only when mark1 is already set on the same session, i.e. when the response follows a matching request within the same flow.

Flow Signature Result

[Figure: same layout as on Page 6. Host A and Host B each exchange one flow with 192.168.1.1; the diagram highlights Host:youtube.com in the request packet and http://www.youtube.com in the response packet of flows A-1 and B-1, alongside GET, UserAgent and HTTP/1.1.]
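How the two flow-signature rules behave on a session, as an added example (a small simulator written for this page, not SnorGen's or Snort's code). It models only what the rules above use: content with offset/depth, flowbits:set, flowbits:noalert, flowbits:isset, and the flowbit state that Snort keeps per session. REQ, RSP and the offsets inside FLOW_SIG are constructed for these payloads and are not the slide's offsets; the same two rules stripped of flowbits serve as plain packet signatures for comparison.

```python
"""Flow-signature semantics on one session (added example, not SnorGen's or
Snort's code). Models content+offset/depth, flowbits:set / noalert / isset and
per-session flowbit state only. Payloads and offsets below are constructed."""
TO_SERVER, TO_CLIENT = "to_server", "to_client"


def contents_match(contents, payload):
    """Snort content with offset/depth: each content must lie wholly inside
    payload[offset:offset+depth]."""
    return all(c in payload[o:o + d] for c, o, d in contents)


# Flow signature: the request rule sets mark1 and stays silent; the response
# rule alerts only when mark1 is already set on the same session.
FLOW_SIG = [
    {"sid": 4, "dir": TO_SERVER, "set": "mark1", "noalert": True,
     "contents": [(b"GET", 0, 3), (b"Host: youtube.com", 16, 17)]},
    {"sid": 5, "dir": TO_CLIENT, "isset": "mark1",
     "contents": [(b"HTTP/1.1", 0, 8), (b"http://www.youtube.com", 34, 22)]},
]
# The same two rules without flowbits, i.e. plain packet signatures.
PACKET_SIG = [{k: r[k] for k in ("sid", "dir", "contents")} for r in FLOW_SIG]


def run_session(rules, packets):
    """Evaluate rules over one session's packets in order. `bits` is the
    session's flowbit state, so nothing leaks between sessions.
    Returns the sids that alert, in order."""
    bits, alerts = set(), []
    for direction, payload in packets:
        for rule in rules:
            if rule["dir"] != direction or not contents_match(rule["contents"], payload):
                continue
            if "isset" in rule and rule["isset"] not in bits:
                continue  # response seen without a matching request first
            if "set" in rule:
                bits.add(rule["set"])
            if not rule.get("noalert"):
                alerts.append(rule["sid"])
    return alerts


# Constructed packets after the slide's YouTube example.
REQ = b"GET / HTTP/1.1\r\nHost: youtube.com\r\n\r\n"
RSP = b"HTTP/1.1 303 See Other\r\nLocation: http://www.youtube.com/\r\n\r\n"

if __name__ == "__main__":
    print("request then response, flow sig  :", run_session(FLOW_SIG, [(TO_SERVER, REQ), (TO_CLIENT, RSP)]))
    print("response only, flow sig          :", run_session(FLOW_SIG, [(TO_CLIENT, RSP)]))
    print("response before request, flow sig:", run_session(FLOW_SIG, [(TO_CLIENT, RSP), (TO_SERVER, REQ)]))
    print("response only, packet sigs       :", run_session(PACKET_SIG, [(TO_CLIENT, RSP)]))
```

In Snort proper the bit lives in the stream preprocessor's session record, so flow rules need TCP stream tracking enabled. With it, a capture that starts after the request (the response-only case) yields no alert from the flow signature, and neither does a response that arrives before its request, while the packet signature still fires on the lone response.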

Page 9: SnorGen User Guide 2.0

How does SnorGen work?

[Figure: Traffic files (pcap, cap, libpcap, …) → DataProcessor → Content Signature Generator → Packet Signature Generator → Flow Signature Generator → Signature list]

Traffic Data (Flow):
GET/HTTP/1.1..Host:youtube.com..Connection:keepalive..UserAgent:Mozila/5.0(windowsNT6.1;wow64)..
HTTP/1.1..303..Moved..Permanently..Date..Location:http://www.youtube.com/..Content-Length:..

Content Signatures:
"GET"; "Host:youtube.com"; "UserAgent:"; "HTTP/1.1"; "http://www.youtube.com";

Packet Signatures:
"GET"; "Host:youtube.com"; "UserAgent";
"HTTP/1.1"; "http://www.youtube.com";

Flow Signatures:
To_server; "Host:youtube.com"; To_client; "http://www.youtube.com";
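The content → packet → flow pipeline described on Pages 4 to 9, as an added example in working code; it is not SnorGen's code. The server address 192.168.1.1:80 and the flowbit name mark1 come from the slides; the constructed FLOWS, the MIN_LEN threshold, the function names, the token rule used to find content signatures (a whitespace-delimited token of at least MIN_LEN bytes that every flow's first payload in that direction contains) and the distance:0 chaining of unfixed contents are this example's own assumptions. It goes a little beyond the slides in that it handles any number of flows and escapes non-printable bytes as Snort |hex| content.

```python
"""Toy SnorGen-style generator: content -> packet -> flow signatures from
captured flows, emitted as Snort rules. Added example, not SnorGen's code.
192.168.1.1:80 and the flowbit mark1 come from the slides; MIN_LEN, FLOWS, the
function names and the token rule (a content signature is a whitespace-delimited
token of at least MIN_LEN bytes present in every flow's first payload of that
direction) are this example's assumptions."""
import re

SERVER, PORT = "192.168.1.1", 80
MIN_LEN = 3  # assumed threshold; SnorGen's own is not documented here
TO_SERVER, TO_CLIENT = "to_server", "to_client"

# Constructed sample traffic: two flows, each an ordered (direction, payload) list.
FLOWS = [
    [(TO_SERVER, b"GET / HTTP/1.1\r\nHost: youtube.com\r\nConnection: keep-alive\r\n"
                 b"User-Agent: Mozilla/5.0\r\n\r\n"),
     (TO_CLIENT, b"HTTP/1.1 303 See Other\r\nLocation: http://www.youtube.com/\r\n"
                 b"Content-Length: 0\r\n\r\n")],
    [(TO_SERVER, b"GET /watch HTTP/1.1\r\nHost: youtube.com\r\nConnection: close\r\n"
                 b"User-Agent: Mozilla/4.0\r\n\r\n"),
     (TO_CLIENT, b"HTTP/1.1 301 Moved Permanently\r\nLocation: http://www.youtube.com/\r\n"
                 b"Content-Length: 0\r\n\r\n")],
]

def first_payload(flow, direction):
    # First packet payload of a flow in the given direction, or None.
    return next((p for d, p in flow if d == direction), None)

def content_signatures(flows, direction):
    """(token, offset, fixed) per content signature, ordered by offset in the
    first flow. fixed (SnorGen's Fixed Offset flag) means the token sits at
    the same offset in every flow; only then does the rule get offset/depth."""
    payloads = [p for p in (first_payload(f, direction) for f in flows) if p is not None]
    sigs, seen = [], set()
    for m in re.finditer(rb"\S+", payloads[0]):
        tok = m.group()
        if len(tok) < MIN_LEN or tok in seen:
            continue
        seen.add(tok)
        if all(tok in p for p in payloads[1:]):
            fixed = all(p.find(tok) == m.start() for p in payloads)
            sigs.append((tok, m.start(), fixed))
    return sigs

def snort_content(data):
    """Bytes as a Snort content string: printable ASCII literal, everything
    else (and Snort's special characters ; " \\ |) as |hex| escapes."""
    out, hexrun = [], []
    for b in data:
        if 0x20 <= b < 0x7F and chr(b) not in ';"\\|':
            if hexrun:
                out.append("|" + " ".join(hexrun) + "|")
                hexrun = []
            out.append(chr(b))
        else:
            hexrun.append(f"{b:02x}")
    return "".join(out) + ("|" + " ".join(hexrun) + "|" if hexrun else "")

def header(direction):
    # Rule header relative to the application server.
    return (f"alert tcp any any -> {SERVER} {PORT}" if direction == TO_SERVER
            else f"alert tcp {SERVER} {PORT} -> any any")

def content_opts(sigs, ordered):
    """Fixed-offset signatures get offset/depth (depth = content length pins the
    match to that offset). In an ordered packet signature the others get
    distance:0, i.e. must follow the previous match: a sequence, not a bag."""
    opts = []
    for tok, off, fixed in sigs:
        opt = f'content:"{snort_content(tok)}";'
        if fixed:
            opt += f" offset:{off}; depth:{len(tok)};"
        elif ordered:
            opt += " distance:0;"
        opts.append(opt)
    return " ".join(opts)

def content_rules(flows, direction, sid):
    """One rule per content signature."""
    return [f"{header(direction)} ({content_opts([s], False)} sid:{sid + i};)"
            for i, s in enumerate(content_signatures(flows, direction))]

def packet_rule(flows, direction, sid, extra=""):
    """All content signatures of a packet in one rule (packet signature)."""
    opts = content_opts(content_signatures(flows, direction), True)
    return f"{header(direction)} ({opts}{extra} sid:{sid};)"

def flow_rules(flows, sid):
    """Flow signature: the request packet rule sets a flowbit without alerting;
    the response packet rule alerts only if the bit is set on the same session."""
    return [packet_rule(flows, TO_SERVER, sid, " flowbits:set,mark1; flowbits:noalert;"),
            packet_rule(flows, TO_CLIENT, sid + 1, " flowbits:isset,mark1;")]

if __name__ == "__main__":
    for rule in content_rules(FLOWS, TO_SERVER, 1) + [packet_rule(FLOWS, TO_SERVER, 20)] + flow_rules(FLOWS, 30):
        print(rule)
```

On the constructed flows, "GET" and "User-Agent:" come out with the Fixed Offset flag and therefore with offset/depth, while "Host:" and "youtube.com" shift because the two request lines differ in length, which is exactly the distinction the Fixed Offset column on the SnorGen Web pages reports.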

Page 10: SnorGen User Guide 2.0

Why do we need SnorGen?

- For monitoring the traffic of new applications
- For blocking unknown malicious traffic (Remote → Local)
- For controlling heavy (bandwidth-hogging) users (Local → Remote)

[Figure: SnorGen, operated by the network manager, sits between the local network and the Internet.]

Page 11: SnorGen User Guide 2.0

Why do we need SnorGen?

Monitoring the traffic of new applications

[Figure: a new application appears on the network; the network manager generates its signature with SnorGen.]

Page 12: SnorGen User Guide 2.0

Why do we need SnorGen?

Blocking unknown malicious traffic

[Figure: malicious traffic arriving from the Internet; the network manager generates a signature for it with SnorGen.]

Page 13: SnorGen User Guide 2.0

Why do we need SnorGen?

Controlling heavy users

[Figure: a heavy user on the local network; the network manager generates a signature for that traffic with SnorGen.]

Page 14: SnorGen User Guide 2.0

How can I use SnorGen Web? (http://snorgen.korea.ac.kr)

- Input Traffic: upload the traffic files
- Summary window: check the statistics of the input files and of the generated signatures
- Content Signature: check the generated content signatures
- Packet Signature: check the generated packet signatures
- Flow Signature: under construction

Page 15: SnorGen User Guide 2.0

How can I use SnorGen Web?

Input Traffic

[Screenshot: the Input Traffic page, with callouts ① and ②. Accepted traffic files: pcap, cap, libpcap, …]

Page 16: SnorGen User Guide 2.0

How can I use SnorGen Web?

Summary

- File info: sizes of the input files
- Traffic info: statistics after the traffic has been converted into flows
- Rule info: number of rules and completeness (ratio of identified traffic, given as flows, packets and bytes)

##### File info. #####
#1 file : youtube_02.pcap - 20071 KB
#2 file : youtube_09.pcap - 23409 KB
#3 file : youtube_10.pcap - 21837 KB
##### Traffic info. #####
#1 file : youtube_02 - flow:64 pkt:23039 byte:20305171 See_Detail
#2 file : youtube_09 - flow:70 pkt:26070 byte:23682102 See_Detail
#3 file : youtube_10 - flow:51 pkt:25437 byte:22076854 See_Detail
Data Process Time : Real Time: 1.88s, User Time 1.13s, System Time 0.26s
##### Rule info. #####
Content Signature : 115
Completeness: 100.00(185/185) 100.00(74546/74546) 100.00(66064127/66064127)
Content Process Time : Real Time: 2.42s, User Time 2.76s, System Time 0.04s
Packet Signature : 108
Completeness: 100.00(185/185) 100.00(74546/74546) 100.00(66064127/66064127)
Packet Process Time : Real Time: 2.24s, User Time 2.23s, System Time 0.02s
Total Process Time : Real Time: 6.76s, User Time 6.27s, System Time 0.38s

The three Completeness figures are identified flows, packets and bytes out of the totals of the three files (64+70+51 = 185 flows, 74546 packets, 66064127 bytes).

Page 17: SnorGen User Guide 2.0

How can I use SnorGen Web?

Content Signature

- Support: number of input files containing the signature
- Fixed Offset: flag set if the signature occurs at a fixed offset
- F-COM: flow-level completeness of the signature (identified flows, packets and bytes)
- See_Detail: pop-up window listing the traffic identified by the signature

Support : 3/3 files; (Fixed Offset); F-Com: 1.62(3/185) 3.17(2364/74546) 2.66(175/6606);
alert tcp any any -> 173.194.120.0/24 443 (sid:1; content:"i.ytimg.com"; offset:101; depth:11;) See_Detail

Support : 3/3 files; (Fixed Offset); F-Com: 1.62(3/185) 3.25(2424/74546) 2.57(169/6606);
alert tcp any any -> 173.194.120.0/24 443 (sid:2; content:"youtube.com"; offset:101; depth:15;) See_Detail

Support : 3/3 files; (Fixed Offset); F-Com: 4.86(9/185) 0.20(148/74546) 0.07(433/6606);
alert tcp any any -> any 80 (sid:100; content:"GET /"; offset:0; depth:5;) See_Detail

Two things worth noticing in this output. sid:1 and sid:2 match client-to-server traffic on port 443: the host name is visible there because the TLS ClientHello carries the server name in clear text, so these signatures key on the handshake, not on encrypted application data. And sid:100 ("GET /" at offset 0) matches any HTTP request, so Support and F-COM alone do not tell you whether a signature is specific to the application.

Page 18: SnorGen User Guide 2.0

How can I use SnorGen Web?

Packet Signature

- Support: number of input files containing the signature
- Fixed Offset: flag set if the signature occurs at a fixed offset
- F-COM: flow-level completeness of the signature (identified flows, packets and bytes)
- See_Detail: pop-up window listing the traffic identified by the signature

Support : 3/3 files; F-Com: 1.62(3/185) 0.09(66/74546) 0.04(28017/66064127);
alert tcp any any -> 74.125.68.94 80 (sid:1000272; content:"GET /accounts/Logout2"; offset:0; depth:21; content:"service="; offset:22; depth:8; content:"ilo="; offset:38; depth:4; content:"ils="; offset:44; depth:4; content:"ilc="; offset:53; depth:4; content:"continue="; offset:59; depth:9; content:"zx="; offset:98; depth:3; content:"Host: www.google.co.kr"; offset:121; depth:24;) See_Detail

Support : 3/3 files; (Fixed Offset); F-Com: 6.49(12/185) 1.41(1050/74546) 0.61(402479/66064127);
alert tcp 173.194.120.0/24 443 -> any any (sid:1000264; content:".google.com"; offset:335; depth:11; content:"|1d|0|82|"; offset:488; depth:3; content:"|19||82||0c|"; offset:492; depth:3; content:"*.goo"; offset:495; depth:5;) See_Detail

A packet signature chains every content signature found in one packet, each pinned to its own offset, which makes it far more specific than any single content signature: sid:1000272 identifies only 3 of 185 flows, and those are one particular Google logout request rather than YouTube traffic in general. sid:1000264 matches server-to-client data on port 443 at offsets in the hundreds, most likely the names in the certificate the server sends during the TLS handshake.

Page 19: SnorGen User Guide 2.0

Demo

- Encrypted application: Facebook
- Unencrypted application: Naver

Page 20: SnorGen User Guide 2.0

Ongoing SnorGen work

- Flow signature generation: a sequence of "packet signatures" in a flow (Content Signature → Packet Signature → Flow Signature)
- Verification of the generated rules against the SnorGen DB: verifying the accuracy of the generated signatures and the identification of the application's traffic

Page 21: SnorGen User Guide 2.0

Ongoing SnorGen work

Flow Signature Generation: this slide repeats the flow-signature example of Page 8 (request rule with flowbits:set,mark1 and flowbits:noalert, response rule with flowbits:isset,mark1, and the Host A / Host B figure).

Page 22: SnorGen User Guide 2.0

Ongoing SnorGen work

Verification of the generated rules against the SnorGen DB

[Figure: YouTube traffic and the YouTube signatures are fed into a Verifier backed by the SnorGen traffic databases. Bar chart of completeness (%) per application: NateOn, Google, Naver, Facebook, Torrent, Youtube; the bar values are not recoverable from the transcript.]

Page 23: SnorGen User Guide 2.0

What is next with SnorGen?

- SnorGen Crawler: automatically collects web traffic
- Deployment on a real network with a monitoring agent (TMA): automatically generates signatures for Internet applications
- Installing SnorGen on end hosts

Page 24: SnorGen User Guide 2.0

What is next with SnorGen?

SnorGen Crawler: an automatic system from traffic capture to signature generation

[Figure: the Network Manager starts several Crawlers (e.g. "www.youtube.com RUN"); each Crawler exchanges requests and responses with the Youtube Servers, and the captured traffic is turned into Signatures.]

Page 25: SnorGen User Guide 2.0

What is next with SnorGen?

Deploy on a real network with a monitoring agent (TMA)

[Figure: TMAs on hosts of the local network report to a TMS connected to the INTERNET; the TMS holds Signatures for each application.]

TMA: Traffic Measurement Agent; TMS: Traffic Measurement Server

TMA information:
Process name | IP address  | Port number | State  | Protocol | Path
Chrome.exe   | 123.12.15.. | 80          | start  | tcp      | Path
NateOn       | 142.15.78.. | 443         | server | tls      | Path

Page 26: SnorGen User Guide 2.0

Summary

SnorGen
- Automatic payload signature generator
- Three types of signature: Content Signature, Packet Signature, Flow Signature

SnorGen Web
- Can be used by anyone, anywhere, with an Internet connection

Page 27: SnorGen User Guide 2.0

Q&A

1. Time needed for automatic signature generation
2. Completeness of the generated signatures
3. Is it possible to connect to a real network and generate signatures automatically in real time?

Page 28: SnorGen User Guide 2.0

1. Time needed for automatic signature generation: how long does SnorGen run? (We are considering parallel and distributed processing.)

Application          | Naver (Portal)      | FaceBook (SNS)       | Afreeca (P2P Stream)  | Utorrent (P2P File)
File size            | 8,189 KB (5 files)  | 109,972 KB (5 files) | 234,297 KB (5 files)  | 244,140 KB (5 files)
Signatures           | Ctt: 236, Pkt: 259  | Ctt: 35, Pkt: 35     | Ctt: 285, Pkt: 299    | Ctt: 1,616, Pkt: 2,283
Total process time   | 12.23 s (5.23 Mbps) | 10.53 s (81.59 Mbps) | 159.64 s (11.46 Mbps) | 351.14 s (5.43 Mbps)
Detail time: Data    | 7.77 s              | 4.07 s               | 76.67 s               | 160.64 s
Detail time: Content | 3.24 s              | 2.61 s               | 67.75 s               | 179.21 s
Detail time: Packet  | 1.05 s              | 2.76 s               | 14.53 s               | 9.55 s

Ctt = content signatures, Pkt = packet signatures. The Mbps figure is the input size divided by the total process time; the stage times do not add up exactly to the total because the total includes overhead outside the three stages.

Page 29: SnorGen User Guide 2.0

2. Completeness of the generated signatures

Current verification of signature completeness: the Support, Fixed Offset, Completeness (F-COM) and See_Detail fields shown for each signature in SnorGen Web.

Page 30: SnorGen User Guide 2.0

2. Completeness of the generated signatures

Future signature completeness: verification of the generated rules against the SnorGen DB, so that only signatures that pass verification are extracted as finished signatures.

[Figure: as on Page 22, YouTube traffic and the YouTube signatures are fed into a Verifier backed by the SnorGen traffic databases; bar chart of completeness (%) for NateOn, Google, Naver, Facebook, Torrent, Youtube, values not recoverable from the transcript.]

Page 31: SnorGen User Guide 2.0

3. Connecting to a real network

Current SnorGen environment: the user collects the traffic of a specific application by hand.

Future SnorGen environment: deploy on a real network with a monitoring agent (TMA); using the TMA's information (process name, IP address, port number, state, protocol, path), SnorGen can be connected to the real network.

[Figure and TMA information table: as on Page 25.]