TCPdump & Snort
Intrusion Detection Systems
Thomas Fischer
thomas.fischer@his.se
February 3, 2010
TCPdump – Introduction
Captures packets from a network interface (any protocol; the filters shown here address IP, TCP, UDP and ICMP)
Common use
If the NIDS raised an alert, analyze the traffic in detail
Collect traffic data going through your network
TCPdump can be told which traffic to record
Filtering is based on fields of the IP, TCP, UDP, or ICMP headers (Berkeley Packet Filter expressions)
Contrast TCPdump vs. NIDS
TCPdump records all (filtered) traffic for a limited time
A NIDS records suspicious traffic only, all the time
Like a 24 h CCTV loop vs. glass vibration sensors
TCPdump & Snort Thomas Fischer February 3, 2010 Page 2
Starting with TCPdump
TCPdump is a command-line tool, started with tcpdump (opening an interface normally requires root privileges)
17:14:39.092245 IP unnamed.his.se.32980 > karon.his.se.domain:
33143+ PTR? 41.96.11.193.in-addr.arpa. (43)
17:14:39.092681 IP karon.his.se.domain > unnamed.his.se.32980:
33143* 1/2/2 (142)
More interesting: hexadecimal output with tcpdump -x (the IP packet without its Ethernet header; -xx includes the link-layer header, -X adds an ASCII column)
17:17:46.938001 IP unnamed.his.se.43382 > karon.his.se.domain:
15453+ PTR? 57.136.178.41.in-addr.arpa. (44)
0x0000: 4500 0048 9799 4000 4011 10b5 c10b 6029
0x0010: c10a b017 a976 0035 0034 929c 3c5d 0100
0x0020: 0001 0000 0000 0000 0235 3703 3133 3603
0x0030: 3137 3802 3431 0769 6e2d 6164 6472 0461
0x0040: 7270 6100 000c 0001
Interpreting TCPdump output
Output contains the IP header followed by the payload
Payload may be any embedded protocol: TCP, UDP, . . .
Capture size (snaplen) was 96 bytes by default in the tcpdump version used here (may differ; current versions capture whole packets by default)
The snaplen includes the 14 bytes of the MAC header (Ethernet frame), so 96 bytes leave 82 bytes of IP packet; the 72-byte DNS query above fits, larger packets are truncated
Switch -s changes the size (e. g. -s 1514 for a full Ethernet frame, -s 0 for the maximum)
Interpreting a hex dump
4500 0048 9799 4000 4011 10b5 c10b 6029
c10a b017 a976 0035 0034 929c 3c5d 0100
0001 0000 0000 0000 0235 3703 3133 3603
3137 3802 3431 0769 6e2d 6164 6472 0461
7270 6100 000c 0001
45      IP protocol version (4) and header length (5 words = 20 bytes)
0048    IP total length (72 bytes)
40 11   TTL (64) and protocol (17 = UDP)
a976    UDP source port (43382)
0035    UDP destination port (53, DNS)
0034    UDP length (52 bytes, header included)
3c5d    UDP payload start (DNS transaction ID 0x3c5d = 15453, the number in the summary line)
Wireshark
Previously known as Ethereal
Graphical tool to read and analyze TCPdump output (both use the pcap file format)
1. Capture and dump traffic with tcpdump -w file.dump (add -s 0 so packets are not truncated at the snaplen)
2. Open the file with Wireshark to get a graphical representation; tcpdump -r file.dump reads it back on the command line
Writing TCPdump Filters I
Format for filter rules
protocol[offset:length] relation value
Byte-array-like access to protocol headers (offsets count from the start of that protocol's header; length defaults to 1 byte)
ip[0] gives the 0th byte of the IP header (version & header length)
ip[2:2] gives the 16-bit total length field of the datagram
udp[2:2] gives the UDP destination port
tcp[16:2] gives the TCP checksum (16 bit)
Relations allow checking for values
ip[9] = 1 checks the protocol field for ICMP
ip[8] > 3 checks the Time-to-Live value
Writing TCPdump Filters II
Bitmask operations allow accessing single bits/flags
ip[6] & 0x20 != 0 checks if the MF (more fragments) flag is set
ip[0] & 0x0f > 5 checks if the IP header is longer than the minimum 20 bytes, i. e. carries options
Combining several expressions
tcp[0:2] > 1000 and tcp[0:2] < 10000 limits the source port range
not ( tcp[0:2] > 1000 and tcp[0:2] < 10000 ) inverts the range
Shortcuts simplify writing filters
dst host www.his.se connections to the university's web server
src port 80 coming from a web server
ip proto udp is a UDP packet (same as plain udp)
port ftp or port ftp-data equals port ftp or ftp-data
Writing TCPdump Filters III
Example: 'TCP shall not contain data before the three-way handshake is complete.'
tcp[13] & 0x3f = 2 only the SYN flag is set (of the six classic flag bits)
Determine sizes in bytes
ip[2:2] total IP datagram size
( ip[0] & 0x0f ) * 4 IP header size
( tcp[12] & 0xf0 ) / 16 * 4 TCP header size (the same as ( tcp[12] & 0xf0 ) / 4)
The remaining payload size must not be larger than 0
Combine filters (matches the packets that violate the rule)
( tcp[13] & 0x3f = 2 ) and
( ( ip[2:2] - ( ( ip[0] & 0x0f ) * 4 )
- ( ( tcp[12] & 0xf0 ) / 4 ) ) > 0 )
Caveat: TCP Fast Open (RFC 7413) legitimately places data in a SYN, so hosts using it will match this filter
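To make the byte-offset filters concrete, here is an added example (not from the slides) that reimplements tcpdump's proto[offset:length] access in Python and runs the hex-dump decoding from the 'Interpreting a hex dump' slide and the SYN-with-data check from this slide on raw IPv4 packets. The DNS packet is the one from the slide's tcpdump -x output; the TCP packets are constructed here with zero checksums, and the function names (ip, transport, describe, syn_with_data) are this example's own:

```python
"""BPF-style header field access in Python (added example, not tcpdump code)."""
import struct

# The DNS query from the slide's `tcpdump -x` output: IP header + UDP + DNS.
DNS_QUERY = bytes.fromhex(
    "4500 0048 9799 4000 4011 10b5 c10b 6029"
    "c10a b017 a976 0035 0034 929c 3c5d 0100"
    "0001 0000 0000 0000 0235 3703 3133 3603"
    "3137 3802 3431 0769 6e2d 6164 6472 0461"
    "7270 6100 000c 0001"
)


def ip(pkt, offset, length=1):
    """tcpdump's ip[offset:length]: big-endian integer from the IP header."""
    return int.from_bytes(pkt[offset:offset + length], "big")


def ip_header_len(pkt):
    return (ip(pkt, 0) & 0x0F) * 4                     # ( ip[0] & 0x0f ) * 4


def transport(pkt, offset, length=1):
    """tcpdump's tcp[...] / udp[...]: offsets count from the transport header,
    which tcpdump locates via the IP header length, as done here."""
    base = ip_header_len(pkt) + offset
    return int.from_bytes(pkt[base:base + length], "big")


def describe(pkt):
    """The fields the hex-dump slide points at, plus two flag checks."""
    proto = {1: "icmp", 6: "tcp", 17: "udp"}.get(ip(pkt, 9), str(ip(pkt, 9)))
    return {
        "version": ip(pkt, 0) >> 4,
        "ip_len": ip(pkt, 2, 2),
        "ttl": ip(pkt, 8),
        "proto": proto,
        "src_port": transport(pkt, 0, 2),
        "dst_port": transport(pkt, 2, 2),
        "has_ip_options": (ip(pkt, 0) & 0x0F) > 5,     # ip[0] & 0x0f > 5
        "more_fragments": ip(pkt, 6) & 0x20 != 0,      # ip[6] & 0x20 != 0
    }


def tcp_payload_len(pkt):
    """ip[2:2] - IP header - TCP header, the slide's size arithmetic."""
    tcp_hdr = (transport(pkt, 12) & 0xF0) // 4         # ( tcp[12] & 0xf0 ) / 16 * 4
    return ip(pkt, 2, 2) - ip_header_len(pkt) - tcp_hdr


def syn_with_data(pkt):
    """The combined filter: only SYN set, yet payload bytes present."""
    if ip(pkt, 9) != 6:                                # not TCP at all
        return False
    only_syn = (transport(pkt, 13) & 0x3F) == 2        # tcp[13] & 0x3f = 2
    return only_syn and tcp_payload_len(pkt) > 0


def build_tcp(flags, payload=b"", src_port=40000, dst_port=80):
    """Constructed IPv4/TCP packet for testing (checksums zero, not a capture)."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0x11223344, 0,
                      5 << 4, flags, 65535, 0, 0) + payload   # 20-byte header
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                      64, 6, 0, bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
    return iph + tcp


SYN_ONLY = build_tcp(0x02)                                  # normal handshake start
SYN_WITH_DATA = build_tcp(0x02, b"GET / HTTP/1.0\r\n\r\n")  # violates the rule
SYN_ACK = build_tcp(0x12)                                   # flags 0x12, not 0x02

if __name__ == "__main__":
    print(describe(DNS_QUERY))
    for name, p in [("SYN", SYN_ONLY), ("SYN+data", SYN_WITH_DATA), ("SYN/ACK", SYN_ACK)]:
        print(name, "flagged" if syn_with_data(p) else "ok")
```

The same arithmetic can be pasted back into tcpdump unchanged; the Python version is only there to let you step through it and to test a filter against packets before putting it on a busy sensor.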
About Snort
Network Intrusion Detection System
Logging and analysis of network traffic
Open Source software
Rule sets
'Official' rules by Sourcefire (VRT rules; require registration)
Community-based rules by Emerging Threats
. . . or write your own rules
Modes of operation
Logging or sniffing traffic (similar to TCPdump)
Inline mode with iptables (intrusion prevention)
Full NIDS with its own configuration
Processing Data
Network -> Packet Decoders -> Preprocessors -> Filter Rules -> Output
Packet Decoders interpret packet data on several levels (link, network, transport)
Preprocessors data normalization, protocol analysis, or non-signature-matching detection
Filter Rules describe what makes a packet suspicious
Output writes information to the system log, a database, or files
Those files can be monitored to notify the administrator
Configuring Snort
Central configuration file /etc/snort/snort.conf
Manually calling snort with the configuration file
snort -c /etc/snort/snort.conf
(snort -T -c ... only tests the configuration; -r file.pcap runs it against a capture instead of a live interface)
The configuration file contains
Variable definitions
Modules to be loaded
Rules to be applied
All kinds of other configuration
Includes of further configuration files
var RULE_PATH /etc/snort/ruleset
portvar DAEMON_PORTS [21:25,80]
ipvar TRUSTED_NET [192.168.1.0/24,10.0.0.1/16,![10.0.0.15]]
include $RULE_PATH/default.rules
Preprocessors I
Examine packets for suspicious activity
Modify packets for proper rule matching
Target-based preprocessors may occur multiple times for different policies (bound to hosts or networks with bind_to)
Frag3 detects attacks related to IP fragmentation; target-based host modeling as an anti-evasion technique (the sensor reassembles fragments the way the destination OS would)
Consists of two sub-modules
frag3_global to set memory-relevant parameters
preprocessor frag3_global: max_frags 65536
frag3_engine to set fragmentation-relevant parameters (min_ttl belongs here, not in the global section)
preprocessor frag3_engine: policy linux, min_ttl 4, detect_anomalies
Preprocessors II
Stream5 tracks sessions for TCP and UDP (and ICMP); target-based TCP reassembly
Consists of four sub-modules
stream5_global to set memory-relevant parameters and which protocols to track
preprocessor stream5_global: track_tcp yes, track_udp no
stream5_tcp to set TCP-specific parameters (reassembly policy per target OS, which ports to reassemble)
preprocessor stream5_tcp: policy linux, ports client 21 23 25 80
stream5_udp to set UDP-specific parameters
preprocessor stream5_udp: timeout 60
stream5_icmp to set ICMP-specific parameters
preprocessor stream5_icmp: timeout 60
Stream5 is what makes the flow: rule option and matching across packet boundaries work; without it, content matches see single packets only
Preprocessors III
sfPortscan designed to detect nmap-style scans
Protocols TCP, UDP, ICMP, IP
Scans normal, decoy, distributed, portsweep
preprocessor sfportscan: proto { all } scan_type { all }
RPC Decode defragments and normalizes RPC records
Performance Monitor logs throughput and speed
HTTP Inspect normalizes HTTP headers and URIs, . . . (needed for uricontent and the http_* modifiers)
More protocol-specific preprocessors for SMTP, FTP, SSH, DNS, SMB, . . .
Snort Rules I
General syntax of rules
rule-action protocol src-adr-range src-port-range ⤦
direction-operator dst-adr-range dst-port-range ⤦
(options)
rule-action similar to iptables' target
alert issue alert, then log packet
log log only, no dedicated alert
pass ignore packet, allowing it to continue
More actions in inline mode (iptables): drop, reject, sdrop
protocol tcp, udp, icmp, or ip
options any number of keyword:value options, separated by ;
Snort Rules II
src-adr-range and dst-adr-range
List of IP addresses or CIDR ranges, ! negates an entry: [10.0.6.1/8,!10.0.52.0/16]
ipvar variable: $TRUSTED_NET
any covers all alternatives
src-port-range and dst-port-range
Numbers or ranges such as 80 or [21:25,80]
any covers all alternatives
direction-operator which flow direction is examined
-> traffic from the left-hand side (source) to the right-hand side (destination)
(for the other direction, switch source and destination)
<> bidirectional (direction ignored)
Internal Rule Options
msg: "some log message" text for logging
reference: id-system,id reference to an identification system
id-system can be bugtraq, cve, . . . , url
id is a number, identification string or URL (for url)
rev: revision-integer which version of the rule
sid: snort-rule-id unique id for each rule (ids below 1,000,000 are reserved for distributed rules; use 1,000,000 and up for local ones)
classtype: class-name categorizing the attack (also sets the default priority)
Class names specified in classification.config
Examples: web-application-attack, attempted-user, attempted-admin
Rule Options for Payload I
content: "text" filter for packets containing the text
Example: content: "GET "
For hex strings: content: "|20 bf ff ff 20|"
Mixed & negated: content: !"GET|09|" (succeeds only if the pattern is absent)
uricontent: "text" restricts matching to the normalized URI (requires the HTTP Inspect preprocessor)
pcre: "/regexp/flags" use a Perl-compatible regular expression (slower than content; put a content match before it so the regex runs only on candidates)
content-list: "filename" points to a list file with patterns
patterns are enclosed in ", comments start with #
The characters ; \ " and | inside a content string must be escaped with a backslash
Rule Options for Payload II
Modifiers follow the option they belong to and apply only to that single preceding option
nocase ignores case for content and uricontent
offset: n start searching only n bytes into the payload
depth: m stop searching after m bytes (counted from the offset)
distance: n start searching n bytes after the end of the previous content match
within: n the match must lie entirely within the n bytes following the previous match (after distance, if given); distance and within make a content match relative
isdataat: n [,relative] checks that payload byte n exists, optionally counted from the end of the previous content match (i. e. that at least that much data follows)
rawbytes look at raw bytes instead of the decoded/normalized traffic
http_client_body restrict search to the HTTP request body
http_header restrict search to the HTTP header
Rule Options for Payload III
byte_test: numbytestoconvert, [!]operator, value, offset ⤦
[, relative] [, endian] [, string, number-type]
operator is one of < > = & ^ and may be prefixed with ! to negate the test; with relative, offset counts from the end of the previous content match
Four bytes at payload start, encoding the value in big endian
alert udp any any -> any 137 (byte_test: 4, =, 0xbaadf00d, ⤦
0; msg: "got bad food!";)
Ten bytes encoding the same number as decimal text ("3131961357")
alert udp any any -> any 137 (byte_test: 10, =, 3131961357, ⤦
0, string, dec;)
Eight bytes encoding the number as hexadecimal text, negated comparison
alert udp any any -> any 137 (byte_test: 8, !>, 0xbaadf00d, ⤦
0, string, hex; msg: "not above bad food!";)
Rule Options for Non-Payload I
fragbits and fragoffset test for IP fragmentation
fragbits: [+*!]bits (bits are M, D, R for More fragments, Don't fragment, Reserved) and fragoffset: [<>]n
Rule Options for Non-Payload II
dsize: [<>]n or dsize: n<>m payload size
dsize: 5<>100 (between 5 and 100 bytes) or dsize: 1 (exactly one byte)
flow: [⟨established∣stateless⟩] [,⟨to_client∣to_server∣ ⤦
from_client∣from_server⟩]
established part of an established TCP connection (needs Stream5)
stateless do not consider state
to_client . . . from_server consider direction (to_server is the same as from_client)
More options for other TCP/IP header properties: ttl, tos, id, ipopts, flags, seq, ack, itype, icode, . . .
Rule Options after Detection I
logto: "filename" log to an extra file
session: ⟨printable∣all⟩ log printable (or all) user data from TCP sessions (telnet, www, . . .)
resp: reason actively close the session (like 'reject'): Snort sends forged TCP RSTs or ICMP unreachable messages; needs Snort built with flexible-response support
'reason' can be rst_snd, rst_rcv, rst_all
icmp_net, icmp_host, icmp_port, icmp_all
(improper use causes an infinite loop: a rule that also matches Snort's own responses keeps re-triggering itself)
replace: "text" in inline mode (iptables) replaces the match of the preceding content; lengths must match
Rule Options after Detection II
detection_filter: track ⟨by_src∣by_dst⟩, count c, seconds s
The action fires only once the same source (or destination) has matched the rule more than c times within s seconds; it is evaluated last, after all other options
threshold: type ⟨limit∣threshold∣both⟩, ⤦
track ⟨by_src∣by_dst⟩, count c, seconds s
limit fire for the first c events within each s seconds, then suppress
threshold fire on every c-th event within each s seconds
both fire at most once per s seconds, and only once at least c events have occurred
(since Snort 2.8.5 the rule option is deprecated in favour of event_filter entries in threshold.conf, which take the same parameters plus gen_id and sig_id)
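The difference between the three threshold types and detection_filter is easiest to see on a concrete event stream. The following is an added example (not Snort's own thresholding code): it applies the four semantics described above, tracked by source address, to a constructed list of (seconds, source) rule matches. Window handling is simplified to a fixed window that opens at a source's first event and resets once `seconds` have elapsed; the class and function names are this example's own:

```python
"""Per-source event thresholding (added example, not Snort code)."""


class EventFilter:
    """One threshold / detection_filter, tracked by source address."""

    def __init__(self, kind, count, seconds):
        assert kind in ("limit", "threshold", "both", "detection_filter")
        self.kind, self.count, self.seconds = kind, count, seconds
        self.state = {}                      # src -> (window_start, events_in_window)

    def allow(self, src, now):
        """Return True if the event at time `now` from `src` should fire."""
        start, n = self.state.get(src, (None, 0))
        if start is None or now - start >= self.seconds:
            start, n = now, 0                # open a new window at this event
        n += 1
        self.state[src] = (start, n)
        if self.kind == "limit":
            return n <= self.count           # first c events per window
        if self.kind == "threshold":
            return n % self.count == 0       # every c-th event
        if self.kind == "both":
            return n == self.count           # once per window, after c events
        return n > self.count                # detection_filter: c matches allowed


def apply_filter(events, kind, count, seconds):
    """Indices of the events that fire under the given filter."""
    f = EventFilter(kind, count, seconds)
    return [i for i, (t, src) in enumerate(events) if f.allow(src, t)]


# Constructed sample: (seconds since start, source IP) of successive rule matches.
EVENTS = [(0, "10.0.0.5"), (5, "10.0.0.5"), (10, "10.0.0.9"), (20, "10.0.0.5"),
          (30, "10.0.0.5"), (65, "10.0.0.5"), (70, "10.0.0.5"), (75, "10.0.0.9")]

if __name__ == "__main__":
    for kind, count in [("limit", 1), ("threshold", 2), ("both", 3),
                        ("detection_filter", 3)]:
        fired = apply_filter(EVENTS, kind, count, 60)
        print(f"{kind:17} count {count}: fires on events {fired}")
```

With type limit, count 1, seconds 60 (the setting of the Emerging Threats example later on), each source produces one event per 60-second window and the rest are dropped; detection_filter with count 3 stays silent until the fourth match from a source inside a window.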
Tips for Writing Rules
Rules should look for the vulnerability, not for one exploit (a rule keyed to one exploit's strings is trivially evaded by re-encoding the exploit)
Be flexible in accepting data
content: "user root" can be bypassed with user  root (extra spaces or a tab) or USER ROOT
Better: content: "root"; nocase; pcre: "/user\s+root/i"
(the cheap content match pre-filters; the regex only runs on packets that contain "root" at all)
When combining options, place 'simple' ones at the beginning
dsize, flags, flow, fragbits, . . .
Output I
Various output modules available for flexible logging and alerting (configured with output statements in snort.conf)
Logging to syslog
Allows specification of facility, priority, options
('official' syslog interface, see man 3 syslog for details)
Example output alert_syslog: LOG_AUTH LOG_WARNING
Logging to a remote syslog daemon (plain UDP, unauthenticated and unencrypted; keep it on a management network)
output alert_syslog: host=192.168.5.2:514, LOG_AUTH LOG_WARNING
Logging to files
output alert_fast: filename logs one-liners to a file
output alert_full: filename logs full packet headers
Output II
Logging to a Unix socket
output alert_unixsock logs to the datagram socket /var/log/snort/snort_alert; a receiving program has to create and bind it
Perl example (receiver)
#!/usr/bin/perl
use IO::Socket;
unlink "/var/log/snort/snort_alert";                  # remove a stale socket file
my $client = IO::Socket::UNIX->new(Type => SOCK_DGRAM,
    Local => "/var/log/snort/snort_alert") or die "bind: $!";
while (defined $client->recv(my $buf, 65536)) {       # one Alertpkt struct per datagram
    print unpack("Z256", $buf), "\n";                 # its first 256 bytes: the alert message
}
Logging to a TCPdump file
output log_tcpdump: filename logs to a TCPdump-like (pcap) logfile
can be opened with Wireshark
More logging modules writing to SQL databases, csv files, compact binary formats (unified2, read by Barnyard2 or other consumers)
Redirecting Output
Log messages can be redirected to different outputs
A custom ruletype overrides the general output statements for the rules that use it
ruletype panic
{
type alert
output alert_syslog: LOG_AUTH LOG_CRIT
output log_tcpdump: panic.log
}
panic ip any any -> any any (msg:"Land attack"; sameip;)
Inline Mode with iptables
In inline mode Snort receives packets from iptables' user-space queue and returns a verdict (accept or drop) for each packet, instead of only logging it
Integration in Snort: new rule actions
drop drop the packet (like iptables' DROP target) and log it
reject drop and log, and send a TCP RST or ICMP port unreachable back (like iptables' REJECT target)
sdrop drop silently, without logging
Integration in iptables
Redirect packets to user space using the QUEUE target (NFQUEUE on newer kernels)
Example iptables -A INPUT -p tcp --dport 25 -j QUEUE
Start Snort with the queue flag: snort -Q
The system has to be configured/compiled accordingly (Snort built with --enable-inline, ip_queue or nfnetlink_queue kernel module); Snort 2.9 replaced this with DAQ modules (e. g. --daq nfq)
Visual Examples
FTP security problem with the SITE EXEC command
content:"SITE"; nocase; content:"EXEC"; nocase; distance:0;
53 49 54 45 20 20 20 20 45 58 45 43 SITE    EXEC
20 2F 62 69 6E 2F 73 68 /bin/sh
distance:0 makes the second match relative: "EXEC" must follow "SITE", any number of bytes (here four spaces) later
Checking how much and which data follows
content:"SITE"; nocase; content:!"|0a|"; within:50;
53 49 54 45 20 SITE
No newline within the 50 bytes after "SITE" means an over-long command line; but a negated match also succeeds when fewer than 50 bytes follow (the 5-byte packet above matches), so guard it:
content:"SITE"; nocase; isdataat:50,relative; content:!"|0a|"; within:50;
Visual Example: Byte Jump
content:"|00 00 00 00|"; offset:8; depth:4; ⤦
content:"|00 01 86 F3|"; offset:16; depth:4; ⤦
content:"|00 00 00 07|"; distance:4; within:4; ⤦
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; ⤦
byte_test:4,>,128,0,relative;
00 00 0F 9C 36 51 D5 2B 00 00 00 00 00 00 00 02
00 01 86 F3 00 00 00 01 00 00 00 07 00 00 00 01
00 00 00 20 37 5E D1 6A 00 00 00 09 6C 6F 63 61
6C 68 6F 73 74 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 0F FF
Walk-through (an ONC RPC call over TCP: record marker, XID, then the call header; offsets in bytes from the payload start)
offset 8: 00 00 00 00 message type CALL; the match ends at 12
offset 16: 00 01 86 F3 program number 100083; the match ends at 20
distance:4 skips the version field (20-23), within:4 pins 00 00 00 07 (procedure 7) to bytes 24-27; the match ends at 28
byte_jump:4,4,relative,align: skip the credential flavour (28-31), read the credential length 00 00 00 20 = 32 at 32-35, jump past it to 68
byte_jump:4,4,relative,align: skip the verifier flavour (68-71), read the verifier length 0 at 72-75, land at 76
byte_test:4,>,128,0,relative: the first argument 00 00 0F FF = 4095 at 76-79 exceeds 128 (an over-long length field)
align rounds each jump up to a 4-byte boundary, matching XDR padding of variable-length fields
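The relative-matching rules on the payload-option slides (offset, depth, distance, within, isdataat, byte_test, byte_jump) are easiest to understand by running them. The following is an added example, not Snort's code: a miniature evaluator that implements those options with the semantics described on the slides and runs the SITE EXEC rules, the isdataat guard, and the byte_jump rule above over the slides' own hex dumps. It is simplified on purpose (big-endian numbers only, no string or multiplier modes, no fast-pattern matcher); the 'benign' RPC packet and the long FTP lines are constructed here, and the class and rule names are this example's own:

```python
"""Miniature Snort payload-option evaluator (added example, not Snort code)."""


class Detector:
    """Evaluates payload options in order, tracking the 'detect offset end'
    pointer (doe) that distance, within and relative refer to."""

    def __init__(self, payload):
        self.p = payload
        self.doe = 0

    def content(self, pat, offset=0, depth=None, distance=None, within=None,
                nocase=False, negated=False):
        relative = distance is not None or within is not None
        start = (self.doe + (distance or 0)) if relative else offset
        end = len(self.p)
        if relative and within is not None:
            end = min(end, start + within)   # match must lie inside these bytes
        if not relative and depth is not None:
            end = min(end, start + depth)    # depth counts from offset
        hay, needle = (self.p.lower(), pat.lower()) if nocase else (self.p, pat)
        pos = hay.find(needle, start, end)
        if pos != -1:
            self.doe = pos + len(pat)
        return (pos != -1) != negated        # negated content: succeed when absent

    def isdataat(self, n, relative=False):
        """True if payload byte n (counted from doe with relative) exists."""
        return len(self.p) > (self.doe if relative else 0) + n

    def _read(self, nbytes, offset, relative):
        base = (self.doe if relative else 0) + offset
        if base < 0 or base + nbytes > len(self.p):
            return None, base                # outside the payload: option fails
        return int.from_bytes(self.p[base:base + nbytes], "big"), base

    def byte_test(self, nbytes, op, value, offset, relative=False):
        got, _ = self._read(nbytes, offset, relative)
        if got is None:
            return False
        return {">": got > value, "<": got < value, "=": got == value,
                "&": got & value != 0}[op]

    def byte_jump(self, nbytes, offset, relative=False, align=False):
        """Read a length field and move doe past the data it describes."""
        jump, base = self._read(nbytes, offset, relative)
        if jump is None:
            return False
        if align:
            jump = (jump + 3) & ~3           # round up to 4 bytes (XDR padding)
        self.doe = base + nbytes + jump
        return self.doe <= len(self.p)


def evaluate(payload, options):
    """All options must succeed, in order, like the options of one rule."""
    d = Detector(payload)
    return all(opt(d) for opt in options)


# content:"SITE"; nocase; content:"EXEC"; nocase; distance:0;
SITE_EXEC = [lambda d: d.content(b"SITE", nocase=True),
             lambda d: d.content(b"EXEC", nocase=True, distance=0)]
# content:"SITE"; nocase; content:!"|0a|"; within:50;   (unguarded)
LONG_LINE = [lambda d: d.content(b"SITE", nocase=True),
             lambda d: d.content(b"\n", negated=True, within=50)]
# ... with isdataat:50,relative; in front of the negated content
LONG_LINE_GUARDED = [LONG_LINE[0], lambda d: d.isdataat(50, relative=True), LONG_LINE[1]]
# The byte_jump slide's rule, option by option
BYTE_JUMP = [
    lambda d: d.content(bytes(4), offset=8, depth=4),                      # CALL
    lambda d: d.content(bytes.fromhex("000186f3"), offset=16, depth=4),    # program
    lambda d: d.content(bytes.fromhex("00000007"), distance=4, within=4),  # proc 7
    lambda d: d.byte_jump(4, 4, relative=True, align=True),                # over credentials
    lambda d: d.byte_jump(4, 4, relative=True, align=True),                # over verifier
    lambda d: d.byte_test(4, ">", 128, 0, relative=True),                  # first argument
]

FTP_CMD = b"SITE    EXEC /bin/sh"             # the slide's FTP bytes
FTP_SHORT = b"SITE "                          # the slide's 5-byte packet
FTP_LONG = b"SITE " + b"A" * 60               # constructed: no newline within 50 bytes
RPC_CALL = bytes.fromhex(                     # the byte_jump slide's RPC bytes
    "00000F9C 3651D52B 00000000 00000002"
    "000186F3 00000001 00000007 00000001"
    "00000020 375ED16A 00000009 6C6F6361"
    "6C686F73 74000000 00000000 00000000"
    "00000000 00000000 00000000 00000FFF"
)
RPC_BENIGN = RPC_CALL[:-4] + bytes.fromhex("00000010")   # constructed: argument 16

if __name__ == "__main__":
    print("SITE EXEC  :", evaluate(FTP_CMD, SITE_EXEC))
    print("unguarded  :", evaluate(FTP_SHORT, LONG_LINE), "(short packet still matches)")
    print("guarded    :", evaluate(FTP_SHORT, LONG_LINE_GUARDED), evaluate(FTP_LONG, LONG_LINE_GUARDED))
    print("byte_jump  :", evaluate(RPC_CALL, BYTE_JUMP), evaluate(RPC_BENIGN, BYTE_JUMP))
```

The unguarded long-line rule fires on the slide's five-byte "SITE " packet because the negated content finds no newline in the little data there is; the isdataat:50,relative option in front of it is what turns the rule into a test for an actually over-long line. The byte_jump chain lands on byte 76 exactly as in the walk-through, and the same packet with a small argument length no longer matches.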
Examples I
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ⤦
(msg:"Suspicious User-Agent (Trojan.Hijack.IrcBot.457 ⤦
related)"; flow:established,to_server; content:"|0d 0a| ⤦
User-Agent\: Mozilla/1.0 (compatible\; MSIE 8.0\;"; ⤦
classtype:trojan-activity; sid:2008913; rev:4;)
Checks outbound HTTP traffic for a suspicious User-Agent string (the : and ; inside the content are escaped with \)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"HELO ⤦
Non-Displayable Characters"; flow:established,to_server; ⤦
content:"HELO "; nocase; depth:60; pcre:"/^[^\n]*[\x00- ⤦
\x08\x0e-\x1f]/R"; reference:cve,2006-3277; sid:2098; rev:7;)
Searches for non-displayable bytes in the HELO line; the /R modifier starts the regex at the end of the previous content match
Examples II
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ⤦
(msg:"SQL Injection Attempt"; flow:established,to_server; ⤦
uricontent:"/default.asp?"; nocase; uricontent:"id="; nocase; ⤦
uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; ⤦
classtype:web-application-attack; reference:cve,CVE-2007-2803; ⤦
sid:20996; rev:5;)
Checks requests to web servers for an ASP page queried with a SQL statement containing 'DELETE'; the /U modifier applies the regex to the normalized URI
(simple options like 'flow' first, complex ones like 'pcre' last)
Examples III
alert udp [60.191.254.251,...,61.156.8.141] any -> ⤦
$HOME_NET any (msg:"ET RBN Known Russian Business Network ⤦
IP UDP (120)"; reference:url,doc.emergingthreats.net/bin/ ⤦
view/Main/RussianBusinessNetwork; threshold:type limit, ⤦
track by_src, seconds 60, count 1; classtype:misc-attack; ⤦
sid:2406239; rev:164;)
Warns of incoming packets from known bad hosts, but only once per source address and minute (type limit, count 1, seconds 60)
Examples IV
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg: ⤦
"EXPLOIT NETBIOS SMB DCERPC NetrpPathCanonicalize request ⤦
(possible MS06-040)"; flow:to_server,established; ⤦
content:"|00|"; depth:1; content:"|FF|SMB|25|"; depth:5; ⤦
offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; ⤦
within:2; distance:56; content:"|5C|PIPE|5C 00 05 00|"; ⤦
within:9; distance:4; content:"|1f 00|"; distance:20; ⤦
within:2; classtype:misc-attack; sid:2003081; rev:5;)
Walks the SMB and DCERPC headers with relative content matches and checks header flags with byte_test (here with the ^ operator)
Several examples based on the Snort User Manual 2.8.5 (Oct 2009)
https://www.snort.org/assets/125/snort_manual-2_8_5_1.pdf
Several examples based on rules from the Emerging Threats project (Oct 2009)
http://www.emergingthreats.net/rules/emerging.rules.tar.gz
Some examples based on the presentation 'Writing Snort Rules – A quick guide' by Brian Caswell
http://www.shmoo.com/~bmc/presentations/2004/honeynet/caswell-writing-snort-rules.ppt
Unless otherwise noted, all materials on these slides are licensed under
a Creative Commons Attribution-Share Alike 3.0 Unported License.