Security Onion Advance


Description

This is the Security Onion Advance presentation (slide deck).

Transcript of Security Onion Advance

Page 1: Security Onion Advance

“SO” Continue

Security onion Advance

S3CuriTy B3a$t

Page 2: Security Onion Advance

Agenda

● Answers to some old questions
● Default detectable/undetectable attacks
● Optimizations
● Rule writing basics
● Alert (something special here from me)
● Demo
● Questions
● Thanks

Page 3: Security Onion Advance

Some Old Questions

● Snort or Suricata?
● What is pf_ring, netsniff-ng?
● ??

Page 4: Security Onion Advance

Suricata                                      Snort
Less spread                                   Open source de-facto standard
OISF (Open Information Security Foundation)   SourceFire
Snort inline used with Snort                  IPS optional
Multi-threaded                                Single threaded

Page 5: Security Onion Advance

Test group                        Priority  # of tests  Suricata score  Snort score
Test rules                        3         8           6               8
Bad traffic (non RFC compliant)   2         4           1               1
Fragmented packets                2         2           1               3
Multiple failed logins            3         1           1               0
Evasion techniques                2         15          21              29
Malware & viruses                 3         14          9               7
Shellcodes                        3         11          12              7
Denial of Service (DoS)           3         3           3               3
Client-side attacks               3         257         127             157
Performance                       3         0           2               1
Inline / prevention capabilities  2         0           1               1
TOTAL (unweighted sum)                      315         184             217
TOTAL (weighted sum)                                    528             617

Page 6: Security Onion Advance

What is pf_ring and netsniff-ng

PF_RING™ is a new type of network socket that dramatically improves packet capture speed.

netsniff-ng is a free Linux networking toolkit, a Swiss army knife for your daily Linux network plumbing if you will. Its performance gain comes from zero-copy mechanisms: on packet reception and transmission the kernel does not need to copy packets from kernel space to user space and vice versa.

Page 7: Security Onion Advance

Default Detectable Attack


Page 8: Security Onion Advance


Internal Network and Threat

Server ROOM

Page 9: Security Onion Advance

Optimizations

● Less false positives
● Mature traffic
● Improved LAN cards which support PF_RING
● Customization of Snort and rule set
● And many more………!

Page 10: Security Onion Advance

Rule layout: action proto src_ip src_port direction dst_ip dst_port (options)

alert tcp 10.0.9.4 any -> any any (msg:"Traffic from 10.0.9.4";)

Action:
● alert - generate an alert using the selected alert method, and then log the packet
● log - log the packet
● pass - ignore the packet
● activate - alert and then turn on another dynamic rule
● dynamic - remain idle until activated by an activate rule, then act as a log rule

Write your Own Snort Rule

Page 11: Security Onion Advance

Protocol: which protocol should be looked at - TCP, UDP, ICMP, IP

IP Addresses: single IPs, any, and CIDR fashion

Port Numbers: any, a single port, from:to, :to (less than or equal to), from: (greater than or equal to)

Examples:
● ip any -> ip 1:1020 - from any port to 1-1024
● any any -> ip :6000 - from any port to a port less than or equal to 6000
● ip :1024 -> ip 500: - from a port less than 1024 to a port greater than 500

Direction operator: -> or <>

Write your Own Snort Rule

Page 12: Security Onion Advance

Options:
● logto - log the packet to a user specified filename instead of the standard output file
● ttl - test the IP header's TTL field value
● tos - test the IP header's TOS field value
● id - test the IP header's fragment ID field for a specific value
● ipoption - watch the IP option fields for specific codes
● fragbits - test the fragmentation bits of the IP header
● dsize - test the packet's payload size against a value
● flags - test the TCP flags for certain values
● seq - test the TCP sequence number field for a specific value

Write your own snort rule

Page 13: Security Onion Advance

● ack - test the TCP acknowledgement field for a specific value
● itype - test the ICMP type field against a specific value
● icode - test the ICMP code field against a specific value
● icmp_id - test the ICMP ECHO ID field against a specific value
● icmp_seq - test the ICMP ECHO sequence number against a specific value
● content - search for a pattern in the packet's payload
● content-list - search for a set of patterns in the packet's payload
● nocase - match the preceding content string with case insensitivity
● session - dumps the application layer information for a given session
● rpc - watch RPC services for specific application/procedure calls
● resp - active response (knock down connections, etc.)

Write your own snort rule
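To make the rule layout, the port syntax and the option keywords from the "Write your own Snort rule" slides concrete, here is a small Snort-style rule matcher added as a worked example. It is not code from the presentation or from the Snort project: it parses the header grammar (action, protocol, addresses as single IP / any / CIDR, ports as any / N / lo:hi / :hi / lo:, direction -> or <>) and a subset of the listed options (msg, ttl, dsize, flags, content, nocase), then runs constructed rules against constructed packet dicts. The flags test is a simplified exact-set comparison, option values must not contain ';', and the rules and packets other than the slide's own `alert tcp 10.0.9.4 ...` example are made up for illustration.

```python
# Toy Snort-style rule matcher (added example, not the slides' or Snort's code).
import ipaddress
import re

ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}   # actions listed on the slides
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}                     # protocols listed on the slides
HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_ports(spec):
    """Port syntax from the slides: any, N, lo:hi, :hi (<= hi), lo: (>= lo)."""
    if spec == "any":
        return 0, 65535
    lo, sep, hi = spec.partition(":")
    if not sep:          # a single port number
        hi = lo
    return (int(lo) if lo else 0), (int(hi) if hi else 65535)


def parse_rule(text):
    """Split 'action proto src sport dir dst dport (options)' into a dict."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("rule does not follow the header/options layout")
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    if action not in ACTIONS or proto not in PROTOCOLS:
        raise ValueError(f"unknown action or protocol in {text!r}")
    # Ordered (keyword, value) pairs; order matters because nocase modifies the preceding content.
    options = [(k.strip(), v.strip().strip('"')) for k, _, v in
               (o.strip().partition(":") for o in opts.split(";") if o.strip())]
    return {"action": action, "proto": proto, "src": src, "sport": parse_ports(sport),
            "dir": direction, "dst": dst, "dport": parse_ports(dport), "options": options}


def addr_match(spec, ip):
    """'any', a single IP, or CIDR notation."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def header_match(rule, pkt):
    """Protocol, addresses and ports; 'ip' covers every protocol and '<>' accepts either direction."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False

    def one_way(a, a_ports, b, b_ports):
        return (addr_match(a, pkt["src"]) and a_ports[0] <= pkt["sport"] <= a_ports[1]
                and addr_match(b, pkt["dst"]) and b_ports[0] <= pkt["dport"] <= b_ports[1])

    forward = one_way(rule["src"], rule["sport"], rule["dst"], rule["dport"])
    if rule["dir"] == "<>":
        return forward or one_way(rule["dst"], rule["dport"], rule["src"], rule["sport"])
    return forward


def size_test(n, spec):
    """dsize forms: N, >N, <N, lo<>hi."""
    if "<>" in spec:
        lo, hi = spec.split("<>")
        return int(lo) < n < int(hi)
    if spec[0] in "<>":
        return n < int(spec[1:]) if spec[0] == "<" else n > int(spec[1:])
    return n == int(spec)


def options_match(rule, pkt):
    """Subset of the option keywords on the slides: ttl, dsize, flags, content, nocase."""
    payload, opts = pkt.get("payload", b""), rule["options"]
    for i, (key, value) in enumerate(opts):
        if key == "ttl" and pkt.get("ttl") != int(value):
            return False
        if key == "dsize" and not size_test(len(payload), value):
            return False
        if key == "flags" and set(value) != set(pkt.get("flags", "")):   # simplified exact match
            return False
        if key == "content":
            needle, hay = value.encode(), payload
            if i + 1 < len(opts) and opts[i + 1][0] == "nocase":        # nocase follows its content
                needle, hay = needle.lower(), hay.lower()
            if needle not in hay:
                return False
    return True


def evaluate(rule_texts, packets):
    """Return (msg, packet index, action) for every rule/packet pair that matches."""
    rules = [parse_rule(r) for r in rule_texts]
    hits = []
    for i, pkt in enumerate(packets):
        for rule in rules:
            if header_match(rule, pkt) and options_match(rule, pkt):
                hits.append((dict(rule["options"]).get("msg", ""), i, rule["action"]))
    return hits


# Constructed rules: the first is the slide's own example, the rest are made up here.
RULES = [
    'alert tcp 10.0.9.4 any -> any any (msg:"Traffic from 10.0.9.4";)',
    'alert tcp any any -> 192.168.1.0/24 :1024 (msg:"Admin path"; content:"/ADMIN"; nocase;)',
    'log ip 10.0.0.0/8 any <> 192.168.1.10 any (msg:"Lab host"; ttl:64;)',
    'alert tcp any any -> any any (msg:"Bare SYN"; flags:S; dsize:0;)',
]
# Constructed packets (ICMP carries no ports, so 0 stands in for them).
PACKETS = [
    {"proto": "tcp", "src": "10.0.9.4", "sport": 51000, "dst": "192.168.1.10", "dport": 80,
     "ttl": 64, "flags": "PA", "payload": b"GET /admin HTTP/1.1\r\n"},
    {"proto": "tcp", "src": "10.0.9.9", "sport": 51001, "dst": "192.168.1.10", "dport": 443,
     "ttl": 128, "flags": "S", "payload": b""},
    {"proto": "icmp", "src": "10.0.9.4", "sport": 0, "dst": "192.168.1.10", "dport": 0,
     "ttl": 64, "payload": b"\x00" * 56},
]
```

Running `evaluate(RULES, PACKETS)` shows why the header alone is rarely enough: the slide's `10.0.9.4` rule fires on both the HTTP request and the ICMP echo only if its protocol is widened to `ip`, the `:1024` port range plus a case-insensitive `content` test isolates the admin request, and `flags:S; dsize:0` picks out the bare SYN without touching the established session. The same matcher rejects a rule whose action is not one of the five listed on the slides.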

Page 14: Security Onion Advance

Questions?


Page 15: Security Onion Advance

Thank You

Contact Details:
Twitter: @s3curityb3ast
Blog: breakthesec.com
Email: [email protected]