© 2006, Vorant Network Security, Inc.
EZ Snort Rules: Find the Truffles, Leave the Dirt
David J. Bianco, Vorant Network Security, Inc.
Table of Contents
• Intro to Snort Configuration
• Anatomy of a Snort Rule
• Detection Options
• Rule Writing Tips
Intro to Snort Configuration
• Snort follows a “Unixy” configuration philosophy
  • Configuration is plaintext
  • Powerful & complex
• Snort configuration consists of:
  • Global configuration (snort.conf)
  • Optional *.rules file(s)
  • Additional files (not covered in this presentation)
Sources of Snort Rules
• Sourcefire VRT Rules
  • The “gold standard”
  • Subscription fee applies
  • Free for anyone to use after 7 days
• Snort.org Community Rules
  • Contributed by snort users
  • Free for use by anyone (GPL)
http://www.snort.org/pub-bin/downloads.cgi
Sources of Snort Rules
• Bleeding Edge Snort
  • Contributed by snort users
  • Focus on quick releases with minimal testing
  • Breaking threats
  • “experimental” detections
http://www.bleedingsnort.com/
A Peek Into snort.conf
var HOME_NET 192.168.3.0/24
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS [192.168.3.1,192.168.3.10]
var HTTP_SERVERS [192.168.3.1,192.168.3.2,192.168.3.88]
var HTTP_PORTS 80
var RULE_PATH /usr/local/snortrules
[a bunch of snort engine configuration options]
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/bleeding-all.rules
include $RULE_PATH/community-bot.rules
(Note: snort.conf keywords are lowercase; “Include” with a capital I is a parse error.)
The Most Basic Rule
alert tcp any any -> any any (msg:"Sample alert";)
The Rule Header
alert tcp any any -> any any (msg:"Sample alert";)
• Header contains the following fields
  • Action (alert, log, and others such as pass)
  • Protocol (ip, tcp, udp, icmp; “ip” matches any IP protocol)
  • Src IP & Port
  • Dst IP & Port
  • Direction operator (“->”, “<>”)
The Rule Header
alert tcp $EXTERNAL_NET any -> 192.168.3.0/24 80 (msg:"Sample alert";)
• Src or dst IP addresses can be:
  • Variables ($HOME_NET)
  • Individual IP addresses
  • CIDR blocks
  • Lists of the above (“[192.168.3.12,192.168.3.9]”)
  • Any of these negated with “!” (as in the EXTERNAL_NET definition, !$HOME_NET)
• Ports can be:
  • “any”
  • Individual ports
  • Port ranges (“80:85”, “:1024”, “1025:”)
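To make the header semantics concrete, here is an added example (not code from the slides or from Snort itself) that resolves snort.conf variables and evaluates a rule header against a packet's 5-tuple. It handles the forms listed above: “any”, single addresses, CIDR blocks, bracketed lists, “!” negation, and the three port-range spellings. The variable values are copied from the snort.conf slide; the sample packets and the function names are constructed for this example.

```python
import ipaddress

# Variable definitions as they appear on the snort.conf slide.
SNORT_VARS = {
    "HOME_NET": "192.168.3.0/24",
    "EXTERNAL_NET": "!$HOME_NET",
    "HTTP_SERVERS": "[192.168.3.1,192.168.3.2,192.168.3.88]",
    "HTTP_PORTS": "80",
}

# Constructed sample packets (not from the slides), keyed by a short label.
SAMPLE_PACKETS = {
    "outside_to_web": {"proto": "tcp", "src": "10.1.2.3", "sport": 40000, "dst": "192.168.3.2", "dport": 80},
    "inside_to_web": {"proto": "tcp", "src": "192.168.3.50", "sport": 40001, "dst": "192.168.3.2", "dport": 80},
    "outside_udp": {"proto": "udp", "src": "10.1.2.3", "sport": 40002, "dst": "192.168.3.2", "dport": 80},
}


def expand(token, variables):
    """Replace $VAR references, recursively, so '!$HOME_NET' becomes '!192.168.3.0/24'."""
    while "$" in token:
        start = token.index("$")
        end = start + 1
        while end < len(token) and (token[end].isalnum() or token[end] == "_"):
            end += 1
        name = token[start + 1:end]
        token = token[:start] + variables[name] + token[end:]
    return token


def ip_matches(spec, addr):
    """spec: 'any', a host, a CIDR block, a [list,...] or any of those negated with '!'."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not ip_matches(spec[1:], addr)
    if spec.startswith("[") and spec.endswith("]"):
        return any(ip_matches(part, addr) for part in spec[1:-1].split(","))
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    """spec: 'any', a single port, or a range '80:85', ':1024', '1025:' (optionally negated)."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if ":" in spec:
        low, high = spec.split(":", 1)
        return (int(low) if low else 0) <= port <= (int(high) if high else 65535)
    return port == int(spec)


def header_matches(header, pkt, variables=SNORT_VARS):
    """Evaluate a rule header such as 'alert tcp $EXTERNAL_NET any -> 192.168.3.0/24 80'
    against pkt, a dict with proto, src, sport, dst and dport."""
    action, proto, src, sport, direction, dst, dport = header.split()
    src, sport, dst, dport = (expand(t, variables) for t in (src, sport, dst, dport))
    if proto != "ip" and proto != pkt["proto"]:
        return False
    forward = (ip_matches(src, pkt["src"]) and port_matches(sport, pkt["sport"])
               and ip_matches(dst, pkt["dst"]) and port_matches(dport, pkt["dport"]))
    if direction == "->":
        return forward
    if direction == "<>":
        # Bidirectional: the header also matches with the endpoints swapped.
        reverse = (ip_matches(src, pkt["dst"]) and port_matches(sport, pkt["dport"])
                   and ip_matches(dst, pkt["src"]) and port_matches(dport, pkt["sport"]))
        return forward or reverse
    raise ValueError("unknown direction operator: " + direction)
```

The recursive expansion matters because EXTERNAL_NET is defined in terms of HOME_NET; a one-pass substitution would leave a literal “$HOME_NET” behind and the header would never match.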
The Rule Body
alert tcp any any -> any any (msg:"Sample alert";)
• The body is usually the complex part
• Enclosed in parentheses “()”
• A series of “rule options” (keywords, with optional parameters), each terminated by “;”
Types of Rule Options
• Five types of options
  • Metadata
  • Payload detection
  • Non-payload detection
  • Post-detection
  • Thresholding and suppression
• To keep things “EZ”, we’ll focus on the first two types
Metadata Options
• Metadata options give snort information about the rule itself, or pass information on to the analyst
• Examples:
  • “msg” specifies the human-readable alert message
  • “reference” includes a URL (or another external ID, such as a CVE number) for more info
  • “classtype” and “priority” give some idea about the type of attack and the severity of the event
  • “sid” and “rev” uniquely identify the rule (including revisions & edits)
Metadata Example
• Use of “classtype” implies a default priority for each class
  • Defaults for each class are in the manual (and in classification.config)
  • Use the “priority” option to override these
• Each sid must be unique
  • Choose a sid range > 4,000,000 to avoid conflicts with popular rule providers
  • Caveat: the sample rules on these slides use sid:2000123, which sits in the 2,000,000 range Bleeding Edge Snort allocates; a real local rule should take a number above 4,000,000
• “reference:url” takes the URL without the “http://” prefix; snort prepends the prefix from reference.config when it builds the link, so including it yields “http://http://…”
alert tcp $EXTERNAL_NET any -> 192.168.3.0/24 80 (msg:"Sample alert"; classtype:web-application-activity; reference:url,www.vorant.com/advisories/20060405.html; sid:2000123; rev:1;)
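The metadata rules above (unique sids, a local sid range, the reference:url form) are easy to get wrong by hand, so here is an added example, not part of the slides, of a small checker for a local.rules file. The sample rules file is constructed for this example and deliberately contains one of each problem; the 4,000,000 threshold is the one the slides recommend, and the function and constant names are this example's own.

```python
import re

# Constructed sample local.rules content (not from the slides); each line after the
# first rule carries one problem the checker should report.
SAMPLE_RULES = r'''
# local.rules, constructed sample
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Sample alert"; classtype:web-application-activity; reference:url,www.vorant.com/advisories/20060405.html; sid:4000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Another alert"; classtype:web-application-activity; reference:url,http://www.example.com/x.html; sid:4000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Low sid"; sid:2000123; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"No sid";)
'''

LOCAL_SID_MIN = 4_000_000  # lower bound for local sids, as recommended on the slides

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REF_URL_RE = re.compile(r'\breference\s*:\s*url\s*,\s*([^;]+);')


def lint_rules(text, sid_min=LOCAL_SID_MIN):
    """Return a list of (line_number, problem) tuples for the rules in text."""
    problems = []
    seen = {}  # sid -> line where it was first used
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no rule
        m = SID_RE.search(line)
        if m is None:
            problems.append((lineno, "rule has no sid"))
        else:
            sid = int(m.group(1))
            if sid in seen:
                problems.append((lineno, f"sid {sid} already used on line {seen[sid]}"))
            else:
                seen[sid] = lineno
            if sid < sid_min:
                problems.append((lineno, f"sid {sid} is below the local range (>= {sid_min})"))
        for ref in REF_URL_RE.findall(line):
            if ref.strip().lower().startswith(("http://", "https://")):
                problems.append((lineno, "reference:url should omit the http:// prefix; snort adds it from reference.config"))
    return problems


if __name__ == "__main__":
    for lineno, problem in lint_rules(SAMPLE_RULES):
        print(f"line {lineno}: {problem}")
```

Run it over a real local.rules by reading the file into `lint_rules`; the duplicate-sid check is the one that bites most often, because snort refuses to start when two rules share a sid and rev.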
Payload Detection Options
• Look inside the packet payload (not the packet headers)
• “The meat” of IDS!
• There are many options to fit many needs, but start with the basics
  • “content” looks for a string of bytes
  • “nocase” modifies the preceding content match, making it case insensitive
  • “offset” skips a certain number of payload bytes before searching
  • “pcre” allows the use of Perl-compatible regular expressions (support must be compiled in)
Payload Example
• Looks for the case-insensitive string “http://www.vorant.com/test.cgi?id=pwn3d” in all traffic matched by the rule header
• Skips the first 12 bytes of each packet’s payload before starting the search, for efficiency
  • Caveat: the match must begin at or after the offset. If the string can start earlier in the payload (it starts at byte 4 of a proxy-style “GET http://…” request line), the rule misses it
• Note inclusion of the hex ASCII code for the “:”
  • The “|3a|” notation is good for non-printable data, and for characters the rule parser treats specially: “;”, “\” and “"” must be backslash-escaped or written in hex, and published rules conventionally write “:” as |3a| inside content as well
alert tcp $EXTERNAL_NET any -> 192.168.3.0/24 80 (msg:"Sample alert"; content:"http|3a|//www.vorant.com/test.cgi?id=pwn3d"; nocase; offset:12; classtype:web-application-activity; reference:url,www.vorant.com/advisories/20060405.html; sid:2000123; rev:1;)
Payload Example #2
• Alerts on all GET requests for an HTML page (.htm or .html both work, since the pattern only requires “.htm”)
• The “i” flag after the closing “/” asks pcre for case-insensitive matching
• A simple content match could be used, but sometimes…
  • content is not flexible enough to match the data
  • a single PCRE may be more clear than a bunch of individual content matches
alert tcp $EXTERNAL_NET any -> 192.168.3.0/24 80 (msg:"Sample alert"; pcre:"/GET.*\.htm/i"; classtype:web-application-activity; reference:url,www.vorant.com/advisories/20060405.html; sid:2000123; rev:1;)
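The two payload examples above (content with |hex| escapes, nocase and offset; pcre with delimiters and flags) can be checked offline with the following added example. It is a Python emulation written for this page, not Snort's detection engine: it ignores depth/distance/within, the fast-pattern matcher and the HTTP preprocessor, and only implements the options the slides use. The payloads are constructed; the first is a request whose Referer header carries the URL in upper case, the second is a proxy-style request where the URL begins at byte 4, which is how the offset caveat shows up.

```python
import re

# Constructed sample payloads (not from the slides).
REFERER_REQUEST = (b"GET /index.html HTTP/1.0\r\n"
                   b"Referer: HTTP://WWW.VORANT.COM/test.cgi?id=pwn3d\r\n\r\n")
PROXY_REQUEST = b"GET http://www.vorant.com/test.cgi?id=pwn3d HTTP/1.0\r\n\r\n"
URL_SPEC = "http|3a|//www.vorant.com/test.cgi?id=pwn3d"   # the content string from the slide


def decode_content(spec):
    """Turn a Snort content string into bytes: '|3a|' hex runs become raw bytes and the
    backslash escapes for '"', ';', '\\' and '|' are honoured."""
    out = bytearray()
    i = 0
    while i < len(spec):
        ch = spec[i]
        if ch == "|":
            end = spec.index("|", i + 1)
            out += bytes.fromhex(spec[i + 1:end])   # fromhex tolerates spaces between bytes
            i = end + 1
        elif ch == "\\":
            out.append(ord(spec[i + 1]))            # escaped literal character
            i += 2
        else:
            out += ch.encode("latin-1")
            i += 1
    return bytes(out)


def content_matches(payload, spec, nocase=False, offset=0):
    """Emulate content/nocase/offset: the search starts 'offset' bytes into the payload,
    so a string that begins before the offset is not found."""
    needle = decode_content(spec)
    haystack = payload[offset:]
    if nocase:
        needle, haystack = needle.lower(), haystack.lower()
    return haystack.find(needle) != -1


def pcre_matches(payload, spec):
    """Emulate pcre:"/regex/flags" for the flags a beginner meets: i, s and m."""
    delim = spec[0]
    end = spec.rindex(delim)
    pattern, flags = spec[1:end], spec[end + 1:]
    re_flags = 0
    for f in flags:
        re_flags |= {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE}[f]
    return re.search(pattern.encode("latin-1"), payload, re_flags) is not None


def slide_rule_hits(payload):
    """The body of the first payload example: content ... nocase; offset:12;"""
    return content_matches(payload, URL_SPEC, nocase=True, offset=12)
```

`slide_rule_hits(REFERER_REQUEST)` is true, but `slide_rule_hits(PROXY_REQUEST)` is false even though the URL is present, which is exactly the trade-off offset makes: it buys speed only when you know where in the payload the data can appear.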
Go With the Flow
• TCP is a stateful protocol
  • Requires a certain setup and teardown for a valid connection
• Servers discard TCP packets not associated with valid sessions
• TCP data without a valid session has little chance of harming your server, but it takes CPU time to process
  • …and a stateless rule will still alert on it, so anyone who can spoof packets can fill your console with noise
• Solution: track TCP sessions and restrict rules to established sessions
The “flow” Option
• Technically a “non-payload” option
• “established” specifies that the rule only alerts on packets belonging to a TCP session whose handshake snort has seen (this depends on the stream preprocessor being enabled)
• “to_server” further restricts matching to packets going to the “server”
  • Snort assumes the “client” is the session initiator (the sender of the SYN), so the server is the recipient
  • “to_client” is the opposite direction
alert tcp $EXTERNAL_NET any -> 192.168.3.0/24 80 (msg:"Sample alert"; flow:to_server,established; pcre:"/GET.*\.htm/i"; classtype:web-application-activity; reference:url,www.vorant.com/advisories/20060405.html; sid:2000123; rev:1;)
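To show what “flow:to_server,established” actually filters, here is an added example (not the slides' code and not Snort's stream preprocessor) of a minimal TCP session tracker: it watches the three-way handshake, remembers who sent the SYN as the client, and then answers the flow question for each packet. It checks flags only, not sequence numbers or teardown, and the packet trace, including the final spoofed data packet that never completed a handshake, is constructed for this example.

```python
SYN, ACK = 0x02, 0x10   # TCP flag bits


class FlowTracker:
    """Track handshakes so a rule can ask for flow:to_server,established.
    Sessions are keyed on (src, sport, dst, dport) as seen from the client."""

    def __init__(self):
        self.sessions = {}

    def observe(self, pkt):
        """Feed one packet and return the flow facts Snort's flow option would consult."""
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        flags = pkt["flags"]
        if fwd in self.sessions:
            key, to_server = fwd, True
        elif rev in self.sessions:
            key, to_server = rev, False
        elif flags & SYN and not flags & ACK:
            self.sessions[fwd] = "syn_sent"        # a new client; it sent the SYN
            key, to_server = fwd, True
        else:
            # Stray packet with no known session: never established, direction unknown.
            return {"established": False, "to_server": False, "to_client": False}
        state = self.sessions[key]
        if state == "syn_sent" and not to_server and flags & SYN and flags & ACK:
            self.sessions[key] = "syn_received"
        elif state == "syn_received" and to_server and flags & ACK and not flags & SYN:
            self.sessions[key] = "established"      # handshake complete
        return {"established": self.sessions[key] == "established",
                "to_server": to_server, "to_client": not to_server}


def flow_option_matches(facts, option):
    """Evaluate a flow option string such as 'to_server,established' against observe() output."""
    for term in option.replace(" ", "").split(","):
        if term not in facts:
            raise ValueError("unsupported flow keyword: " + term)
        if not facts[term]:
            return False
    return True


def demo():
    """Constructed trace: a real handshake and GET, a server reply, then a spoofed GET with
    no handshake. Returns, per packet, whether flow:to_server,established is satisfied."""
    client, server = ("10.9.8.7", 40000), ("192.168.3.2", 80)

    def pkt(src, dst, flags, data=b""):
        return {"src": src[0], "sport": src[1], "dst": dst[0], "dport": dst[1],
                "flags": flags, "data": data}

    trace = [
        pkt(client, server, SYN),
        pkt(server, client, SYN | ACK),
        pkt(client, server, ACK),
        pkt(client, server, ACK, b"GET /index.html HTTP/1.0\r\n\r\n"),
        pkt(server, client, ACK, b"HTTP/1.0 200 OK\r\n\r\n"),
        pkt(("172.16.0.5", 1234), server, ACK, b"GET /index.html HTTP/1.0\r\n\r\n"),  # no handshake
    ]
    tracker = FlowTracker()
    return [flow_option_matches(tracker.observe(p), "to_server,established") for p in trace]
```

The last packet carries exactly the payload the PCRE rule looks for, yet the flow option rejects it; without “flow”, that spoofed packet would alert just like the real request.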
Writing Efficient Rules
• Be as specific as possible in the header
  • Beware of the “any” keyword
  • Specify the protocol, IP addresses and ports
  • IP lists are fine, but use CIDR blocks when the list gets long
• Use “flow:established” for TCP sessions
• Body options are evaluated in order, and evaluation stops at the first option that fails, so put the cheap checks that reject the most packets first
• Content matches are faster than PCRE
  • Use a “content” match before a PCRE, to weed out packets that can’t match
  • content:"GET"; nocase; pcre:"/GET.*\.htm/i";
Other Rule-Writing Tips
• Keep your rules in the local.rules file
  • Back it up!
• Test before you restart: “snort -T -c /path/to/snort.conf” parses the configuration and every rule and reports errors without going live
• If snort doesn’t restart after you add your new rule, check /var/log/messages for details
• When writing a complex rule, start small and build it piece-by-piece
Questions?