Snort

snort
(http://www.snort.org/)
1. Open-source intrusion detection system; its author is Marty Roesch.
2. Packet parsing uses BPF (Berkeley Packet Filter), so it is compatible with tcpdump.
3. It is built from the following components:
 sniffer
 preprocessor
 detection engine
 alert


……………………………………………………………………………..

snort has four modes, as follows:
 packet logger
 sniffer
 NIDS
 inline mode

sniffer mode
Common options
 -d: Dump the application layer
 -e: Display the second layer (data-link) header info
 -v: Be verbose
ex:
Show packet contents on the console
#snort -dev


packet logger
Common options
 -l <directory>: Log to directory
 -L <file>: Log to this tcpdump file
 -b: Log packets in tcpdump format (much faster!)
 -r <file>: Read and process tcpdump file
ex:
Write the log output to the /tmp/snortlog directory, storing packet data in binary (tcpdump) format
#snort -l /tmp/snortlog -b
Read back the saved packet capture file packet.log
#snort -dvr packet.log


NIDS
Common options
 -c: specify the configuration file
 -l: specify the directory for alert output; the default is /var/log/snort
 -h: specify the home network range
 -D: go into the background and run as a daemon at startup
ex: ./snort -d -l ./log -h 192.168.1.0/24 -c snort.conf
Specifying the alert output format
-A <mode>
mode can be one of the following:
 full (default): full alert mode, writes the standard alert
 fast: fast alert mode, writes only the timestamp, alert message, and source and destination IPs and ports
 unsock: sends alert messages to another program listening on a Unix socket
 none: turns alerting off
 console: sends fast-mode formatted alerts to the console (terminal)
 cmg: generates cmg-style alerts

……………………………………………………………

Common snort parameters
Display related
-v: show the full packet headers on the console
-d: show packet contents, decoding the application layer
-e: show the data-link layer contents
-a: show ARP packets
-V: show the version
-C: show the payload as ASCII characters instead of a hexdump

Selection related
-c: specify the configuration file
-F: specify a BPF filter; the tcpdump man page describes the syntax in detail
-h: specify the home network range
-i: specify the network interface
-n: exit after processing the given number of packets

Log related
-N: turn off logging but keep alerting
-l: specify the log output directory
-b: write the log in tcpdump format, i.e. as binary
-s: send alerts to syslog
-o: change the rule order from the original Alert->Pass->Log to Pass->Alert->Log
ps: Pass rules let traffic through without logging or alerting, Alert rules are for traffic that is not allowed, and Log rules just log

Other
-S: set a variable; lets you define, on the command line, variables used in the Snort rules files
-r: read a tcpdump-format file (for example one produced by Shadow)
-p: turn off promiscuous mode; often used for network testing


ps:
alert order
The default order is Pass rules > Drop rules > Alert rules > Log rules
Parameters that change the order:
--alert-before-pass: process alert rules before pass rules
--treat-drop-as-alert
--process-all-events
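The rule-type order above decides which rule wins when a pass rule and an alert rule both match the same packet. The simulation below is an added example (not code from the Snort project) that mirrors the two orders described in these notes on a constructed three-rule set; the rule matching is simplified to protocol and single addresses, and the exact placement of drop relative to alert under --alert-before-pass is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # pass | drop | alert | log
    proto: str
    src: str      # "any" or a single address (assumption: simplified matching)
    dst: str
    msg: str


# Constructed rule set (assumption): a broad pass rule for a "trusted" scanner
# host overlaps with an alert rule for SYNs to the server.
RULES = [
    Rule("alert", "tcp", "any", "10.0.0.5", "SYN to server"),
    Rule("pass", "tcp", "192.168.1.10", "10.0.0.5", "trusted scanner"),
    Rule("log", "tcp", "any", "any", "log all tcp"),
]

# Rule-type orders from the notes: default is pass, drop, alert, log;
# --alert-before-pass moves pass behind the alert/drop group (the relative
# position of drop and alert there is an assumption).
ORDERS = {
    "default": ["pass", "drop", "alert", "log"],
    "alert-before-pass": ["drop", "alert", "pass", "log"],
}


def matches(rule, pkt):
    return (rule.proto == pkt["proto"]
            and rule.src in ("any", pkt["src"])
            and rule.dst in ("any", pkt["dst"]))


def evaluate(pkt, rules=RULES, order="default"):
    """Return (action, msg) for pkt: rule types are tried in the configured
    order and the first type with a matching rule decides. A matching pass
    rule means the packet is ignored, so nothing later fires."""
    for action in ORDERS[order]:
        for rule in rules:
            if rule.action == action and matches(rule, pkt):
                return action, rule.msg
    return "none", ""


def blind_spots(rules, packets):
    """Packets that alert only under --alert-before-pass, i.e. detections
    that a pass rule silences under the default order."""
    return [p for p in packets
            if evaluate(p, rules, "default")[0] == "pass"
            and evaluate(p, rules, "alert-before-pass")[0] == "alert"]


if __name__ == "__main__":
    scanner = {"proto": "tcp", "src": "192.168.1.10", "dst": "10.0.0.5"}
    other = {"proto": "tcp", "src": "172.16.0.9", "dst": "10.0.0.5"}
    for order in ORDERS:
        print(order, evaluate(scanner, order=order), evaluate(other, order=order))
    print("silenced by pass rules:", blind_spots(RULES, [scanner, other]))
```

Running it shows the scanner's SYN being passed silently under the default order and alerting under --alert-before-pass, which is why a wide pass rule should be reviewed against the alert rules it overlaps before it goes into production.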


……………………………………………………………………………………………………………

snort.conf

Re-reading snort.conf
Method 1 (recommended):
restart snort
Method 2:
re-read the configuration file without a restart; some configuration changes still require snort to be restarted
1. add --enable-reload when running configure
2. after editing the configuration file, run kill -SIGHUP <snort pid>

………

snort.conf configuration syntax

1. Format for pulling in a partial configuration file
include <file path>

2. Variable format
There are the following kinds:
var <name> <value>
portvar <name> <[expression]>
ipvar <name> <[expression]>
ex:
var RULES_PATH rules/
portvar MY_PORTS [22,80,1024:1050]
ipvar MY_NET [192.168.1.0/24,10.1.1.0/24]
alert tcp any any -> $MY_NET $MY_PORTS (flags:S; msg:"SYN packet";)
include $RULES_PATH/example.rule

3. Parameter (directive) format
config <directive> [: <value>]
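A small parser for the three line types just described (include, var/portvar/ipvar, config) makes the format concrete and also catches the classic mistake of referencing a variable that was never declared. This is an added example, not part of Snort; the snort.conf fragment inside it is constructed, and RULE_PATH is deliberately left undefined so the check has something to report.

```python
import re

# Constructed snort.conf fragment (assumption: mirrors the syntax in these
# notes; RULE_PATH is intentionally never declared).
SAMPLE_CONF = """\
# comment lines and blank lines are ignored
var RULES_PATH rules/
portvar MY_PORTS [22,80,1024:1050]
ipvar MY_NET [192.168.1.0/24,10.1.1.0/24]
config checksum_mode: all
config disable_decode_alerts
alert tcp any any -> $MY_NET $MY_PORTS (flags:S; msg:"SYN packet";)
include $RULE_PATH/example.rule
"""

VAR_RE = re.compile(r"^(var|portvar|ipvar)\s+(\w+)\s+(\S.*)$")
CONFIG_RE = re.compile(r"^config\s+(\w+)(?:\s*:\s*(.*))?$")
REF_RE = re.compile(r"\$(\w+)")


def expand(line, variables):
    """Replace every $NAME in line with its declared value and collect the
    names that were never declared with var/portvar/ipvar."""
    missing = []

    def substitute(match):
        name = match.group(1)
        if name in variables:
            return variables[name][1]
        missing.append(name)
        return match.group(0)  # leave unknown references untouched

    return REF_RE.sub(substitute, line), missing


def parse_conf(text):
    """Walk a snort.conf fragment line by line and classify each line."""
    conf = {"vars": {}, "config": {}, "rules": [], "includes": [], "undefined": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = VAR_RE.match(line)
        if m:
            kind, name, value = m.groups()
            conf["vars"][name] = (kind, value.strip())
            continue
        m = CONFIG_RE.match(line)
        if m:
            # a bare directive such as "config disable_decode_alerts" has no value
            conf["config"][m.group(1)] = m.group(2) or ""
            continue
        # rule and include lines are where $VARS get used
        expanded, missing = expand(line, conf["vars"])
        conf["undefined"].extend(missing)
        if line.startswith("include "):
            conf["includes"].append(expanded.split(None, 1)[1])
        else:
            conf["rules"].append(expanded)
    return conf


def parse_portvar(value):
    """Turn a portvar value such as [22,80,1024:1050] into a set of ports;
    lo:hi ranges are inclusive."""
    ports = set()
    for item in value.strip("[]").split(","):
        if ":" in item:
            lo, hi = item.split(":")
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(item))
    return ports


if __name__ == "__main__":
    parsed = parse_conf(SAMPLE_CONF)
    print("variables :", parsed["vars"])
    print("rules     :", parsed["rules"])
    print("undefined :", parsed["undefined"])
    print("MY_PORTS  :", len(parse_portvar(parsed["vars"]["MY_PORTS"][1])), "ports")
```

The undefined-variable report is the useful part: Snort itself refuses to start on an unknown variable, but running a check like this over a large rules tree before a restart tells you which include or rule line is at fault.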

…………

Commonly used snort.conf settings

Loading several complete configuration files
Load a different configuration file depending on the VLAN
config binding: <path_to_snort.conf> vlan <vlanIdList>
Load a different configuration file depending on the network segment
config binding: <path_to_snort.conf> net <ipList>


Snort decoder settings
config checksum_mode: all  which packet checksums are verified; values are none, noip, notcp, noicmp, noudp, ip, tcp, udp, icmp, all
config disable_decode_alerts  turns off alerts generated during the decode stage
config disable_tcpopt_experimental_alerts  turns off alerts generated by experimental TCP options
config disable_tcpopt_obsolete_alerts  turns off alerts generated by obsolete TCP options
config disable_ttcp_alerts  turns off alerts generated by T/TCP options
config disable_tcpopt_alerts  disables TCP option length validation alerts
config disable_ipopt_alerts  disables IP option length validation alerts
config disable_decode_drops  disables dropping packets that raise decoder alerts when running inline

Detection engine settings
How events are recorded
config detection: max_queue_events 5  the maximum number of events per packet that can enter the queue
config event_queue: max_queue 8 log 3 order_events content_length  tunes the event queue parameters
 max_queue <n>: the event queue for a single packet or stream holds at most n events
 log <n>: at most n events are logged for a single packet or stream
 order_events <content_length|priority>: how queued events are ordered, by the rule's content length or by event priority


Dynamic module settings
Loading a dynamic preprocessor shared library
Format: dynamicpreprocessor file <path>
Commonly used ones:
dynamicpreprocessor file /usr/local/snort/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
dynamicpreprocessor file /usr/local/snort/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
dynamicpreprocessor file /usr/local/snort/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
dynamicpreprocessor file /usr/local/snort/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
dynamicpreprocessor file /usr/local/snort/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
dynamicpreprocessor file /usr/local/snort/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so
Loading the dynamic engine shared library
Format: dynamicengine <path>
Commonly used:
dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so
Loading dynamic rule shared libraries
Format: dynamicdetection file <path>
Commonly used ones:
dynamicdetection file /usr/local/snort/lib/snort_dynamicrules/bad-traffic.so
dynamicdetection file /usr/local/snort/lib/snort_dynamicrules/chat.so
dynamicdetection file /usr/local/snort/lib/snort_dynamicrules/dos.so
dynamicdetection file /usr/local/snort/lib/snort_dynamicrules/exploit.so
dynamicdetection file /usr/local/snort/lib/snort_dynamicrules/imap.so
dynamicdetection file /usr/local/snort/lib/snort_dynamicrules/misc.so
dynamicdetection file /usr/local/snort/lib/snort_dynamicrules/multimedia.so
dynamicdetection file /usr/local/snort/lib/snort_dynamicrules/netbios.so
dynamicdetection file /usr/local/snort/lib/snort_dynamicrules/nntp.so
dynamicdetection file /usr/local/snort/lib/snort_dynamicrules/p2p.so
dynamicdetection file /usr/local/snort/lib/snort_dynamicrules/smtp.so
dynamicdetection file /usr/local/snort/lib/snort_dynamicrules/sql.so
dynamicdetection file /usr/local/snort/lib/snort_dynamicrules/web-client.so
dynamicdetection file /usr/local/snort/lib/snort_dynamicrules/web-misc.so


…………….

Other configuration files

$snort_home/etc/generators
lists each generator id

$snort_home/etc/gen-msg.map
records the preprocessor sids and their messages


$snort_home/etc/classification.config
records the priority of each classtype
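The event_queue settings under "Detection engine settings" and the classtype priorities from classification.config work together: priority ordering in the queue only means something once each classtype has a number. The following added example (not Snort code) parses a few constructed classification.config lines, parses the event_queue directive from these notes, and simulates what gets logged for one packet that triggered five constructed events; the events, their content lengths and the fallback priority for an unknown classtype are all assumptions.

```python
import re

# Constructed classification.config lines (assumption: the one-line-per-class
# format "config classification: <classtype>,<description>,<priority>", where a
# lower number is a higher priority).
CLASSIFICATION = """\
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: web-application-attack,Web Application Attack,1
config classification: attempted-recon,Attempted Information Leak,2
config classification: misc-activity,Misc activity,3
"""

CLASS_RE = re.compile(r"^config classification:\s*([^,]+),([^,]+),(\d+)\s*$")


def parse_classification(text):
    """Map classtype name -> numeric priority."""
    priorities = {}
    for line in text.splitlines():
        m = CLASS_RE.match(line.strip())
        if m:
            priorities[m.group(1).strip()] = int(m.group(3))
    return priorities


def parse_event_queue(value):
    """Parse the value part of
    'config event_queue: max_queue 8 log 3 order_events content_length'."""
    tokens = value.split()
    params = {}
    for key, val in zip(tokens[0::2], tokens[1::2]):
        params[key] = int(val) if val.isdigit() else val
    return params


# Five constructed events raised by a single packet (assumption);
# content_length stands for the longest content match of the rule that fired.
EVENTS = [
    {"sid": 1000001, "msg": "generic tcp probe", "classtype": "misc-activity", "content_length": 4},
    {"sid": 1000002, "msg": "admin path requested", "classtype": "web-application-attack", "content_length": 12},
    {"sid": 1000003, "msg": "long recon signature", "classtype": "attempted-recon", "content_length": 20},
    {"sid": 1000004, "msg": "privileged shell string", "classtype": "attempted-admin", "content_length": 9},
    {"sid": 1000005, "msg": "low-value noise", "classtype": "misc-activity", "content_length": 2},
]


def queue_events(events, params, priorities, default_priority=4):
    """Simulate the per-packet event queue: only the first max_queue events
    are queued, they are ordered by content_length (longest first) or by
    priority (lowest number first), and only the first `log` are logged.
    default_priority for an unknown classtype is an assumption."""
    queued = events[: params["max_queue"]]
    if params["order_events"] == "content_length":
        ordered = sorted(queued, key=lambda e: e["content_length"], reverse=True)
    elif params["order_events"] == "priority":
        ordered = sorted(queued, key=lambda e: priorities.get(e["classtype"], default_priority))
    else:
        raise ValueError("order_events must be content_length or priority")
    return [e["sid"] for e in ordered[: params["log"]]]


if __name__ == "__main__":
    prio = parse_classification(CLASSIFICATION)
    params = parse_event_queue("max_queue 8 log 3 order_events content_length")
    print("by content_length:", queue_events(EVENTS, params, prio))
    print("by priority      :", queue_events(EVENTS, dict(params, order_events="priority"), prio))
    print("max_queue 2      :", queue_events(EVENTS, dict(params, max_queue=2), prio))
```

The third run is the one to note operationally: with max_queue set too low, the high-priority attempted-admin event is never queued at all, so the log limit is not the only setting that can hide an event.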


…………………………………………………………………………………………………………….

Additional notes

US-CERT VU#196240 / CVE-2006-5276
A stack buffer overflow in the Sourcefire Snort DCE/RPC (remote procedure call) preprocessor allows a remote, unauthenticated attacker to execute arbitrary code with the privileges of the Snort process.
Remediation:
Upgrade to Snort 2.6.1.3
Disable the DCE/RPC (remote procedure call) preprocessor: with it disabled, Snort no longer reassembles fragmented SMB and DCE/RPC packets, which protects it from the flaw


Other references
http://security.nknu.edu.tw/textbook/chap13.pdf
http://forum.icst.org.tw/phpbb/viewtopic.php?f=11&t=14590
http://www.ixpub.net/archiver/tid-619953-page-1.html