Snort & Nmap. Mike O’Connor, Eric Tallman, Matt Yasiejko.

Page 1: Snort & Nmap

Mike O’Connor
Eric Tallman
Matt Yasiejko

Page 2: Overview

Snort
- What is it?
- What does it do?
- Features

Nmap
- What is it?
- What does it do?
- Features

Page 3: What is Snort?

- An IDS that can also be configured to be an IPS
- A software solution to IDS/IPS
- To be an IPS, the sniffing machine needs two interfaces: traffic is bridged through the box so that Snort can drop packets instead of only watching them
- Network based, so it has to be placed where it can see the traffic:
  - Switch: port mirroring (SPAN) copies the watched ports to the sniffer port
  - Hub: sniff all, since every port sees every frame

Page 4: Snort

- Network intrusion detection system
- Real-time traffic analysis
- Packet logging
- Detects OS fingerprinting attempts
- Protocol analysis: fingerprinting probes the target's protocol implementation details (odd flag combinations, option ordering), and those same details are what Snort inspects to spot the probes

Page 5: Components in Snort

- External packet-capture library
- Packet decoder: translates protocol elements into an internal data structure
- Preprocessors: examine/manipulate packets for the detection engine
- Detection engine: tests single elements of packets against the rules
- Output plugins: generate alerts

Page 6: (no text on this slide)
Page 7: 1. Capturing traffic (libpcap/WinPcap)

- Sniffs the line and gets raw packets off the network
- Raw packets are needed to detect various attacks: the headers and flag bits that many attacks live in never reach an application through the normal socket API
- Can only process one packet at a time
- We use WinPcap (Windows Packet Capture): captures packets traveling across a network

Page 8: 2. Packet decoder

- A series of decoders that each decode specific protocol elements (Ethernet, IP, then TCP/UDP/ICMP)
- A data structure is filled with the decoded packet data
- The data structure is passed to the preprocessors and the detection engine
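As an added worked example for this page (not Snort's own decoder code): a minimal decoder chain in Python that does what the slide describes, each stage parsing one protocol layer and filling a shared Packet structure, with malformed input recorded as a decoder error instead of raising. The sample frame is constructed inline with zero checksums, and the addresses and field names are this example's own.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

ETH_IPV4, PROTO_TCP, PROTO_UDP = 0x0800, 6, 17


@dataclass
class Packet:
    """The internal data structure every decoder in the chain fills in."""
    eth_src: Optional[str] = None
    eth_dst: Optional[str] = None
    eth_type: Optional[int] = None
    ip_src: Optional[str] = None
    ip_dst: Optional[str] = None
    ip_proto: Optional[int] = None
    ip_ttl: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    tcp_flags: Optional[int] = None
    payload: bytes = b""
    errors: List[str] = field(default_factory=list)  # decoder anomalies, never exceptions


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def decode_ethernet(raw: bytes, pkt: Packet) -> Packet:
    if len(raw) < 14:
        pkt.errors.append("truncated Ethernet header")
        return pkt
    pkt.eth_dst, pkt.eth_src = _mac(raw[0:6]), _mac(raw[6:12])
    pkt.eth_type = struct.unpack("!H", raw[12:14])[0]
    if pkt.eth_type == ETH_IPV4:
        decode_ipv4(raw[14:], pkt)      # hand the rest to the next decoder
    else:
        pkt.payload = raw[14:]          # protocols we do not decode stay raw
    return pkt


def decode_ipv4(raw: bytes, pkt: Packet) -> Packet:
    if len(raw) < 20:
        pkt.errors.append("truncated IPv4 header")
        return pkt
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(raw):
        pkt.errors.append("bad IPv4 version or header length")
        return pkt
    pkt.ip_src, pkt.ip_dst, pkt.ip_proto, pkt.ip_ttl = _ip4(src), _ip4(dst), proto, ttl
    body = raw[ihl:min(total_len, len(raw))]   # never trust the header length past the wire
    if proto == PROTO_TCP:
        decode_tcp(body, pkt)
    elif proto == PROTO_UDP:
        decode_udp(body, pkt)
    else:
        pkt.payload = body
    return pkt


def decode_tcp(raw: bytes, pkt: Packet) -> Packet:
    if len(raw) < 20:
        pkt.errors.append("truncated TCP header")
        return pkt
    sport, dport, _seq, _ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    doff = (off_flags >> 12) * 4
    if doff < 20 or doff > len(raw):
        pkt.errors.append("bad TCP data offset")
        return pkt
    pkt.sport, pkt.dport, pkt.tcp_flags = sport, dport, off_flags & 0x01FF
    pkt.payload = raw[doff:]
    return pkt


def decode_udp(raw: bytes, pkt: Packet) -> Packet:
    if len(raw) < 8:
        pkt.errors.append("truncated UDP header")
        return pkt
    pkt.sport, pkt.dport, _len, _csum = struct.unpack("!HHHH", raw[:8])
    pkt.payload = raw[8:]
    return pkt


def decode(raw: bytes) -> Packet:
    """Entry point: raw bytes from the capture library in, a filled Packet out."""
    return decode_ethernet(raw, Packet())


def build_sample(flags: int = 0x02, payload: bytes = b"") -> bytes:
    """Constructed test frame (checksums zero): 10.0.0.5:40000 -> 192.168.1.10:80, TCP."""
    eth = bytes.fromhex("00deadbeef00") + bytes.fromhex("00deadc0de00") + struct.pack("!H", ETH_IPV4)
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (5 << 12) | flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, PROTO_TCP, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 168, 1, 10]))
    return eth + ip + tcp


if __name__ == "__main__":
    print(decode(build_sample(0x18, b"GET / HTTP/1.0\r\n")))
```

Truncated or inconsistent headers are recorded rather than discarded because they are interesting in themselves: Snort raises decoder alerts for exactly this kind of malformed packet.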

Page 9: 3a. Preprocessors

Two types:
- Examine packets: used for non-signature-based attacks (port scans, for example, which no single-packet signature can catch)
- Modify packets in preparation for the detection engine: normalize traffic (reassemble fragments and streams, decode encodings) so that an attacker cannot hide content from the rules by splitting or encoding it

Packets cycle through all preprocessors:
- Keeps attackers from hiding other traffic behind the first anomaly found
- Multiple violations may be seen this way

Page 10: 3b. Preprocessors

Fragmentation
- Malicious traffic can be split across fragments so that no single packet matches a signature
- Modified packet headers: overlapping or out-of-order fragments
- DoS: Ping of Death (fragments that reassemble to more than the 65,535-byte IP maximum)

Stateful inspection
- Stateless connections
- SYN-ACK with the connection never completed (half-open scans, SYN floods)
- IP protocol checks beyond TCP
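Added example for the fragmentation points on this slide (not Snort's frag preprocessor): a small reassembler that tracks fragments per datagram, flags fragments that would reassemble past the 65,535-byte IP limit (Ping of Death) and overlapping fragments whose shared bytes disagree (the evasion trick that hides a signature from a single-packet matcher), and returns the reassembled payload only when every byte is covered. Addresses, IP IDs and payloads are constructed; offsets are given in bytes rather than the 8-byte units of the real header.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

MAX_IP_DATAGRAM = 65535  # the IP total-length field cannot describe anything larger

FlowKey = Tuple[str, str, int, int]  # (src, dst, ip_id, protocol) identifies one datagram


class FragReassembler:
    """Collects fragments per datagram and alerts on the two abuses on the slide."""

    def __init__(self) -> None:
        self.frags: Dict[FlowKey, List[Tuple[int, bytes]]] = defaultdict(list)
        self.total: Dict[FlowKey, int] = {}   # final length, known once the MF=0 fragment arrives
        self.alerts: List[Tuple[FlowKey, str]] = []

    def add(self, src: str, dst: str, ip_id: int, proto: int,
            offset: int, more_fragments: bool, data: bytes) -> Optional[bytes]:
        """Feed one fragment (offset in bytes, i.e. header value * 8).
        Returns the reassembled datagram when complete, otherwise None."""
        key: FlowKey = (src, dst, ip_id, proto)
        end = offset + len(data)
        # Ping of Death: fragments whose offsets add up past 65535 bytes crash naive stacks
        if end > MAX_IP_DATAGRAM:
            self.alerts.append((key, f"Ping of Death: fragment ends at {end} > {MAX_IP_DATAGRAM}"))
            self._discard(key)
            return None
        # A fragment beyond the already-seen last fragment cannot be a valid datagram
        if key in self.total and end > self.total[key]:
            self.alerts.append((key, "fragment past the end of the datagram"))
            self._discard(key)
            return None
        if not more_fragments and any(o + len(d) > end for o, d in self.frags[key]):
            self.alerts.append((key, "final fragment ends before earlier fragments"))
            self._discard(key)
            return None
        # Overlap that disagrees about the shared bytes: IDS evasion, because the
        # target may keep either the old or the new bytes and the IDS cannot know which
        for off, old in self.frags[key]:
            lo, hi = max(off, offset), min(off + len(old), end)
            if lo < hi and old[lo - off:hi - off] != data[lo - offset:hi - offset]:
                self.alerts.append((key, f"overlapping fragments with conflicting data at {lo}-{hi}"))
                self._discard(key)
                return None
        self.frags[key].append((offset, data))
        if not more_fragments:
            self.total[key] = end
        return self._try_reassemble(key)

    def _discard(self, key: FlowKey) -> None:
        self.frags.pop(key, None)
        self.total.pop(key, None)

    def _try_reassemble(self, key: FlowKey) -> Optional[bytes]:
        if key not in self.total:
            return None                    # last fragment not seen yet
        buf = bytearray(self.total[key])
        covered = 0
        for off, data in sorted(self.frags[key]):
            if off > covered:
                return None                # hole: still waiting for a fragment
            buf[off:off + len(data)] = data
            covered = max(covered, off + len(data))
        if covered < self.total[key]:
            return None
        self._discard(key)
        return bytes(buf)


def demo() -> dict:
    """Constructed traffic: one benign datagram, one Ping of Death, one evasive overlap."""
    r = FragReassembler()
    src, dst = "10.0.0.5", "10.0.0.9"
    first = r.add(src, dst, 1, 1, 0, True, b"ABCDEFGH")               # waits for the rest
    benign = r.add(src, dst, 1, 1, 8, False, b"IJKLMNOP")             # completes 16 bytes
    r.add(src, dst, 2, 1, 0, True, b"\x00" * 8)
    pod = r.add(src, dst, 2, 1, 65528, False, b"\x00" * 16)           # would end at 65544
    r.add(src, dst, 3, 1, 0, True, b"GET /index.html ")
    overlap = r.add(src, dst, 3, 1, 8, False, b"evil.cgi HTTP/1.0")   # rewrites bytes 8-16
    return {"first": first, "benign": benign, "pod": pod, "overlap": overlap,
            "alerts": [msg for _, msg in r.alerts]}


if __name__ == "__main__":
    print(demo())
```

Discarding the whole datagram on a conflicting overlap is the conservative choice for an inline sensor; a passive IDS that must still match what the target saw has to pick one of the target-specific reassembly policies instead, which is why Snort's frag preprocessor is configured per target OS.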

Page 11: 4. Detection engine

- Uses a decision tree, e.g. if the packet is TCP, it is passed to the portion that deals with TCP
- The first signature that matches is applied, then the next packet is analyzed
- Priority is therefore very important: high-severity attack rules must currently be placed ahead of generic ones, or a low-value rule that happens to match first will mask them (later Snort 2.x versions can queue several matching events per packet via config event_queue, but ordering and priority still decide what gets logged)

Page 12: 5. Output plugins

- Dump alert data to a file/resource
- Unified format: one of many options, and the fastest possible, because Snort writes a compact binary record and leaves the slow formatting to a separate process
- Alert file: attack summary, IPs, protocol used, etc.
- Packet file: the actual packet contents
- Database, file dumps, external applications

Page 13: snort_inline turns Snort into an IPS

- Set up rules to drop packets
- Set up alerts to log attacks
- Set up rules to cut the connection (TCP reset, for example)

drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";)

In snort_inline, drop discards the packet and logs it, sdrop discards silently, and reject discards and also sends a TCP RST (ICMP unreachable for UDP) to tear the connection down. Note that this example rule has no flags:S option, so despite its message it drops every packet to port 80, not just connection attempts; it illustrates the syntax rather than a rule to deploy.

Page 14: General rule structure

_action _protocol _ip1 _direction _ip2 (options)

Each _ip field is an address specification followed by a port specification, so a full header reads action protocol src_ip src_port direction dst_ip dst_port.

Page 15: _action options

_action _protocol _ip1 _direction _ip2 (options)

- alert: generate an alert using the selected alert method, and then log the packet
- log: log the packet
- pass: ignore the packet
- activate: alert and then turn on another dynamic rule
- dynamic: remain idle until activated by an activate rule, then act as a log rule

Page 16: _protocol options

_action _protocol _ip1 _direction _ip2 (options)

TCP, UDP, ICMP and IP are the protocols Snort analyses for rules; others (ARP, IGRP, GRE, OSPF, RIP, IPX) are mentioned in the manual only as possible future additions.

Page 17: _ip options

_action _protocol _ip1 _direction _ip2 (options)

- IP address with an optional netmask (CIDR notation), followed by a port
- any, or an individual IP
- ! to negate an address or port

alert tcp any any -> 192.168.1.0/24 111

Here 192.168.1.0 is the IP address, /24 the netmask and 111 the port: the rule fires on TCP traffic from anywhere to the portmapper port on the 192.168.1.0/24 network.

Page 18: _direction options

_action _protocol _ip1 _direction _ip2 (options)

- -> is from source to destination
- <> is from source to destination and destination to source

Page 19: Rule options

_action _protocol _ip1 _direction _ip2 (options)

alert tcp any any -> $HOME_NET 31337 (msg:"BLEEDING-EDGE ATTACK RESPONSE Potential root shell connection detected!"; flow:established,to_server; tag:session,20,packets; classtype:bad-unknown; sid:2001545; rev:2;)

Reading the options: msg is the alert text; flow:established,to_server restricts the match to packets heading to the server inside an established TCP session, so stray SYNs and scans do not fire it; tag:session,20,packets logs the next 20 packets of the same session after the alert; classtype sets the category (and priority); sid is the rule's unique ID and rev its revision. $HOME_NET is a variable defined in the Snort configuration.
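Added example (written for this page, not Snort's detection engine) that ties the rule-structure slides together: a parser for the `_action _protocol _ip1 _direction _ip2 (options)` form covering any, CIDR, !, $VAR and lo:hi ports, and a first-match detection loop over decoded packets. The VARS table, the extra content rule, the packet() helper and all addresses are this example's assumptions; options such as flow and tag are parsed but not enforced, since enforcing them needs stream state.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed variable definitions (in real Snort these come from snort.conf).
VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "any"}

# _action _protocol _ip1 _port1 _direction _ip2 _port2 (options)
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?:\((?P<opts>.*)\))?\s*$")


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: Dict[str, str]


def parse_options(text: str) -> Dict[str, str]:
    """'msg:"x"; sid:1;' -> {'msg': 'x', 'sid': '1'} (simplified: no escaped ';' inside msg)."""
    opts: Dict[str, str] = {}
    for part in (p.strip() for p in text.split(";")):
        if part:
            key, _, value = part.partition(":")
            opts[key.strip()] = value.strip().strip('"')
    return opts


def parse_rule(line: str) -> Rule:
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not a rule header: {line!r}")
    return Rule(m["action"], m["proto"].lower(), m["src"], m["sport"], m["dir"],
                m["dst"], m["dport"], parse_options(m["opts"] or ""))


def match_ip(spec: str, ip: str) -> bool:
    """Address part of an _ip field: any, host, CIDR, $VAR, optional leading '!'."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec.startswith("$"):
        spec = VARS[spec[1:]]
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def match_port(spec: str, port: int) -> bool:
    """Port part of an _ip field: any, single port, lo:hi range, optional leading '!'."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif ":" in spec:
        lo, _, hi = spec.partition(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def _header_hit(pkt: dict, src: str, sport: str, dst: str, dport: str) -> bool:
    return (match_ip(src, pkt["src"]) and match_port(sport, pkt["sport"])
            and match_ip(dst, pkt["dst"]) and match_port(dport, pkt["dport"]))


def rule_matches(rule: Rule, pkt: dict) -> bool:
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    hit = _header_hit(pkt, rule.src, rule.sport, rule.dst, rule.dport)
    if not hit and rule.direction == "<>":          # bidirectional: try the reverse too
        hit = _header_hit(pkt, rule.dst, rule.dport, rule.src, rule.sport)
    if not hit:
        return False
    content = rule.options.get("content")           # the only payload option modelled here
    return content is None or content.encode() in pkt["payload"]


def first_match(rules: List[Rule], pkt: dict) -> Optional[Rule]:
    """As on the detection-engine slide: the first rule that matches wins, so order matters."""
    return next((r for r in rules if rule_matches(r, pkt)), None)


# The deck's own rules plus one assumed bidirectional content rule.
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> $HOME_NET 31337 (msg:"BLEEDING-EDGE ATTACK RESPONSE Potential root '
    'shell connection detected!"; flow:established,to_server; tag:session,20,packets; '
    'classtype:bad-unknown; sid:2001545; rev:2;)',
    'drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";)',
    'alert tcp any any -> 192.168.1.0/24 111 (msg:"portmapper access"; sid:1000001;)',
    'alert tcp $EXTERNAL_NET any <> $HOME_NET 1:1024 (msg:"root shell output"; content:"root"; sid:1000002;)',
)]


def packet(proto: str, src: str, sport: int, dst: str, dport: int, payload: bytes = b"") -> dict:
    """Constructed decoded packet, the shape the detection engine receives."""
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport, "payload": payload}
```

Because first_match stops at the first hit, the port-80 drop rule in RULES shadows any later, more specific HTTP rule for the same packet; that is the ordering problem the detection-engine slide warns about.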

Page 20: Rule structure for wireless

<action> wifi <mac> <direction> <mac> (<rule options>)

(The wifi protocol and MAC-address fields come from the Snort-Wireless patch, not stock Snort.)

Page 21: <MAC address> rule options

# Single MAC address
00:DE:AD:BE:EF:00

# MAC address list
[00:DE:AD:BE:EF:00, 00:DE:AD:C0:DE:00, ...]

Page 22: Logs

- Using syslog logs
- Sawmill: web interface to analyze traffic
- Logs need to be converted to plaintext to be processed:

Windump -r _log_ -tt > _txtFile_

(-r reads the binary pcap log Snort wrote, -tt prints raw timestamps in seconds since the epoch, and the output is redirected to a text file that the log analyzer can parse.)

Page 23: Snort status

- DB connection is problematic for the FreeBSD version
- Snort currently captures traffic and creates logs based on rules
- Lab3 is now the sniffer box (WinPcap and Snort)
- Plugged into physical port FA0/23, receiving all switch traffic

Page 24: NMAP

Page 25: Nmap

- Network Mapper
- Discovers services available on different hosts in a network
- Command line and GUI versions
- nmap and nmapfe packages in FreeBSD

Page 26: Features

- Enumerates ports on target machines
- Identifies services running on those ports
- OS fingerprinting

Page 27: Typical uses

- List services available on a machine
- Run a network security audit of machines
- Identify computers that may be exploited
- Audit individual machine security

Page 28: nmapfe (screenshot of the GUI front end; no text on the slide)

Page 29: Just the beginning...

- Nmap is one tool in an arsenal for black-hat hackers
- Prelude to exploitation tools: Metasploit is used for the actual exploitation attempt

Page 30: Nmap command

nmap -s<scan type> -P<ping type> -O -p 1-1024 134.198.161.*

- -s: scan type (e.g. -sS for a SYN scan, -sT for a connect scan)
- -P: ping type, i.e. how hosts are discovered before scanning (e.g. -PS for a TCP SYN ping; -P0, now spelled -Pn, skips discovery entirely)
- -O: OS detection
- -p 1-1024: port range
- 134.198.161.*: IP range/address (here all 256 addresses of the /24)

Page 31: Enumerate ports / services

- "Well-known" or "interesting" ports
  - 1-1024 in the command above (IANA's well-known range is 0-1023)
  - 65,535 ports in total for TCP and another 65,535 for UDP, so 1-1024 covers only a small slice of what a host may be listening on
- Output columns: Port/Protocol, State, Service Name

Page 32: Types of scans

Reference: http://www.secguru.com/nmap_cheatsheet

- -sS (TCP SYN scan): half-open scan; stealthy, because the scanner answers SYN/ACK with RST and never completes the handshake, so the application never sees a connection. SYN/ACK back means listening (open); RST means non-listener (closed); no reply means filtered
- -sT (TCP connect scan): uses the OS connect() system call to make a full connection; easily logged by the target application
- -sU (UDP scan): sends an empty UDP datagram to the targeted ports; an ICMP port-unreachable reply means closed, other ICMP unreachable codes mean filtered, a UDP reply means open, and silence is reported as open|filtered
- -sN, -sF, -sX (TCP Null, FIN and Xmas scans): probes with the SYN, RST and ACK bits not set
  - Per the TCP RFC, any incoming segment not containing RST causes a closed port to respond with an RST
  - No response if the port is open, so Nmap reports open|filtered (a firewall dropping the probe looks the same)
  - Caveat: many stacks (Windows, many Cisco devices and others) do not follow the RFC here and send RST for every port, so every port shows as closed regardless of state
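Added example, not Nmap's code: a model of the probe/reply exchange behind each TCP scan type listed above, with the target side implemented three ways (an RFC 793 stack, a Windows-style stack that answers every non-SYN probe with RST, and a firewall that drops everything) and the scanner side turning replies into the states Nmap reports. The port table is constructed; -sT and -sU are not modelled because they depend on the OS connect() call and ICMP replies rather than TCP flags.

```python
from typing import Callable, Dict, Optional

# TCP flag bits
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Probe each scan type sends to a port with no existing connection
PROBES = {"sS": SYN, "sN": 0, "sF": FIN, "sX": FIN | PSH | URG}

Target = Callable[[bool, int], Optional[int]]   # (port_open, probe flags) -> reply flags or None


def rfc793_target(port_open: bool, flags: int) -> Optional[int]:
    """A stack that follows RFC 793 for segments hitting a port with no connection."""
    if flags & RST:
        return None                 # RSTs are never answered
    if not port_open:
        return RST | ACK            # closed port: anything without RST gets an RST
    if flags & SYN:
        return SYN | ACK            # open port: second step of the handshake
    if flags & ACK:
        return RST                  # open port, stray ACK: reset
    return None                     # open port, no SYN/RST/ACK (Null/FIN/Xmas): dropped


def nonconformant_target(port_open: bool, flags: int) -> Optional[int]:
    """Windows-style stack: RST to every non-SYN probe, whatever the port state."""
    if flags & RST:
        return None
    if flags & SYN:
        return SYN | ACK if port_open else RST | ACK
    return RST | ACK


def filtered_target(port_open: bool, flags: int) -> Optional[int]:
    """A firewall silently dropping every probe."""
    return None


def interpret(scan: str, reply: Optional[int]) -> str:
    """Port state Nmap reports for one probe/reply pair."""
    if scan == "sS":
        if reply is None:
            return "filtered"
        if reply & SYN and reply & ACK:
            return "open"
        return "closed" if reply & RST else "filtered"
    # Null/FIN/Xmas: a RST proves the port is closed; silence is ambiguous
    if reply is not None and reply & RST:
        return "closed"
    return "open|filtered"


def syn_scan_followup(reply: Optional[int]) -> Optional[int]:
    """Why -sS is 'half open': on SYN/ACK the scanner sends RST instead of ACK,
    so the handshake never completes and the application never sees a connection."""
    if reply is not None and reply & SYN and reply & ACK:
        return RST
    return None


def scan(scan_type: str, target: Target, ports: Dict[int, bool]) -> Dict[int, str]:
    """Run one scan type against a modelled target; ports maps port -> is_open."""
    probe = PROBES[scan_type]
    return {port: interpret(scan_type, target(is_open, probe)) for port, is_open in ports.items()}


# Constructed target: 22 and 80 listening, 23 closed
PORTS = {22: True, 23: False, 80: True}

if __name__ == "__main__":
    for name, target in [("RFC 793 stack", rfc793_target),
                         ("Windows-style stack", nonconformant_target),
                         ("dropping firewall", filtered_target)]:
        for st in PROBES:
            print(f"{name:20s} -{st}: {scan(st, target, PORTS)}")
```

Running it shows the two practical lessons behind the slide: against a dropping firewall -sS says filtered while -sN/-sF/-sX say open|filtered for every port, and against a non-RFC stack the Null/FIN/Xmas scans report every port closed, including the listening ones, so their results are only meaningful once you know the target's stack behaves per RFC.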

Page 33: OS detection

- Uses TCP/IP fingerprinting
- Each OS's particular implementation of the protocol (initial TTL, window size, option ordering, how it answers odd probes) indicates the target host's OS
- The observed behaviour is checked against a database of known signatures (Nmap's nmap-os-fingerprints file, later renamed nmap-os-db)
- Why hide the OS? Black-hat hackers might try OS-specific exploits if the OS is known

Page 34: Reference

Snort manual: http://www.csee.umbc.edu/~krishna/cs491n/snort_manual.pdf