TCPdump & Snort - Intrusion Detection Systems

TCPdump & Snort 

Intrusion Detection Systems 

Thomas Fischer 

thomas.fischer@his.se 

February 3, 2010

TCPdump – Introduction 

Captures traffic for protocols TCP, UDP, ICMP 

Common use 

If NIDS sounded alert, analyze traffic in detail 

Collect traffic data going through your network 

TCPdump can be configured which traffic to record 

Filtering is based on IP, TCP, UDP, or ICMP headers 

Contrast TCPdump vs. NIDS 

TCPdump records all (filtered) traffic for a limited time 

NIDS records suspicious traffic only, all the time 

Like 24 h CCTV loop vs. glass vibration sensors 

TCPdump & Snort Thomas Fischer February 3, 2010 Page 2

Starting with TCPdump 

TCPdump is a command-line tool, started with tcpdump 

1 17:14:39.092245 IP unnamed.his.se.32980 > karon.his.se.domain: 

33143+ PTR? 41.96.11.193.in-addr.arpa. (43) 

2 17:14:39.092681 IP karon.his.se.domain > unnamed.his.se.32980: 

33143* 1/2/2 (142) 

More interesting: Hexadecimal output with tcpdump -x 

1 17:17:46.938001 IP unnamed.his.se.43382 > karon.his.se.domain: 

15453+ PTR? 57.136.178.41.in-addr.arpa. (44) 

2 0x0000: 4500 0048 9799 4000 4011 10b5 c10b 6029 

3 0x0010: c10a b017 a976 0035 0034 929c 3c5d 0100 

4 0x0020: 0001 0000 0000 0000 0235 3703 3133 3603 

5 0x0030: 3137 3802 3431 0769 6e2d 6164 6472 0461 

6 0x0040: 7270 6100 000c 0001 


Interpreting TCPdump output 

Output contains IP header followed by payload 

Payload may be any embedded protocol: TCP, UDP, . . . 

Capture size is set to 96 (default, may differ) 

Includes 14 bytes for MAC header (Ethernet frame) 

Switch -s changes size (e. g. -s 1514 ) 

Interpreting a hex dump 

4500 0048 9799 4000 4011 10b5 c10b 6029 

c10a b017 a976 0035 0034 929c 3c5d 0100 

0001 0000 0000 000235 3703 3133 3603 

3137 3802 3431 0769 6e2d 6164 6472 0461 

7270 6100 000c 0001 

Protocol 

IP length 

IP protocol version UDP destination port UDP length UDP payload start 


Wireshark 

Previously know as Ethereal 

Graphical tool to read and analyze TCPdump output 

1. Capture and dump traffic with tcpdump -w file.dump 

2. Open file with Wireshark to get graphical representation 


Writing TCPdump Filters I 

Format for filter rules 

protocol[offset:length] relation value 

Byte Array-like access to protocol headers 

ip[0] gives 0-th byte of IP header (version & header length) 

ip[2:2] gives 16-bit field of datagram length 

udp[2:2] gives UDP destination port 

tcp[16:2] gives TCP checksum (16 bit) 

Relations allow checking for values 

ip[9] = 1 checks for ICMP records 

ip[8] > 3 checks for Time-to-Live value 


Writing TCPdump Filters II 

Bitmask operations allow accessing single bits/flags 

ip[6] & 0x20 != 0 check if MF flag is set 

ip[0] & 0x0f > 5 checks if packet is larger than minimum size 

Combining several expression 

tcp[0:2] > 1000 and tcp[0:2] < 10000 limits source port range 

not ( tcp[0:2] > 1000 and tcp[0:2] < 10000 ) inverts range 

Shortcuts simplify writing filters 

dst host www.his.se Connections to university’s webserver 

src port 80 Coming from webserver 

ip proto udp is an UDP packet 

port ftp or port ftp-data equals port ftp or ftp-data 


Writing TCPdump Filters III 

Example ‘TCP shall not contain data before the three-way 

TCP handshake is complete.’ 

tcp[13] & 0x3f = 2 only SYN flag is set 

Determine sizes in bytes 

ip[2:2] total IP datagram size 

( ip[0] & 0x0f ) * 4 IP header size 

( tcp[12] & 0xf0 ) / 16 * 4 TCP header size 

must not be larger than 0 

Combine filters 

( tcp[13] & 0x3f = 2 ) and 

( ( ip[2:2] - ( ( ip[0] & 0x0f ) * 4 ) 

- ( ( tcp[12] & 0xf0 ) / 4 ) ) > 0 ) 


About Snort 

Network Intrusion Detection System 

Logging and analysis of network traffic 

Open Source software 

Rule sets 

‘Official’ rules by Sourcefire (require registration) 

Community-based rules by Emerging Threats 

. . . or write your own rules 

Modes of operation 

Logging or sniffing traffic (similar to TCPdump) 

Integration with iptables 

Full NIDS with own configuration 


Processing Data 

Network 

Packet Decoders Preprocessors Filter Rules Output 

Packet Decoders interpreting packet data on several levels 

Preprocessors Data normalization, protocol analysis, 

or non-signature-matching detection 

Filter Rules describing what makes a packet suspicious 

Output writes information in system log, database, or files 

Those files can be monitored to notify administrator 


Configuring Snort 

Central configuration file /etc/snort/snort.conf 

Manually calling snort with configuration file 

snort -c /etc/snort/snort.conf 

Configuration files contains 

Variable definitions 

Modules to be loaded 

Rules to be applied 

All kinds of other configuration 

Includes to more configuration files 

var RULE_PATH /etc/snort/ruleset 

portvar DAEMON_PORTS [21:25,80] 

ipvar TRUSTED_NET [192.168.1.0/24,10.0.0.1/16,![10.0.0.15]] 

include $RULE_PATH/default.rules 


Preprocessors I 

Examine packets for suspicious activity 

Modify packets for proper rule matching 

Target-based preprocessors may occur multiple times for 

different policies 

Frag3 detects attacks related to IP fragmentation, 

target-based host modeling anti-evasion techniques 

Consists of two sub-modules 

frag3_global to set memory-relevant parameters 

preprocessor frag3_global: min_ttl 4 

frag3_engine to set fragmentation-relevant parameters 

preprocessor frag3_engine: policy linux, detect_anomalies 


Preprocessors II 

Stream5 tracks sessions for TCP and UDP, 

target-based TCP reassembly 

Consists of four sub-modules 

stream5_global to set memory-relevant parameters 

preprocessor stream5_global: track_tcp yes, track_udp no 

stream5_tcp to set TCP-specific parameters 

preprocessor stream5_tcp: policy linux, ports client 21 23 25 80 

stream5_udp to set UDP-specific parameters 

preprocessor stream5_udp: timeout 60 

stream5_icmp to set ICMP-specific parameters 

preprocessor stream5_icmp: timeout 60 


Preprocessors III 

sfPortscan designed to detect nmap scans 

Protocols TCP, UDP, IP 

Scans normal, decoy, distributed, portsweep 

preprocessor sfportscan: proto { all } scan_type { all } 

RPC Decode defragments and normalizes RPC records 

Performance Monitor logs throughput and speed 

HTTP Inspect normalizes HTTP headers and URIs, . . . 

More protocol-specific preprocessors for 

SMTP, FTP, SSH, DNS, SMB, . . . 


Snort Rules I 

General syntax of rules 

rule-action protocol src-adr-range src-port-range ⤦ 

direction-operator dst-adr-range dst-port-range ⤦ 

(options) 

rule-action similar to IPtables’ target 

alert issue alert, then log packet 

log log only, no dedicated alert 

pass ignore packet, allowing it to continue 

More actions via IPtables integration: drop , reject , sdrop 

protocol tcp , udp , icmp 

options Any number of options, separated by ; 


Snort Rules II 

src-adr-range and dst-adr-range 

List of ip addresses or ranges: [10.0.6.1/8,!10.0.52.0/16] 

ipvar variable: $TRUSTED_NET 

any covers all alternatives 

src-port-range and dst-port-range 

Numbers or ranges such as 80 or [21:25,80] 

any covers all alternatives 

direction-operator which flow direction is examined 

-> Incoming traffic 

(for outgoing traffic, switch source and destination) 

Bidirectional (direction ignored) 


Internal Rule Options 

msg: "some log message" text for logging 

reference: id-system,id reference to identification system 

id-system can be bugtraq, cve, . . . , url 

id is number, identification string or url (for url ) 

rev: revision-integer which version of rule 

sid: snort-rule-id unique id for each rule 

classtype: class-name categorizing attack 

Class names specified in classification.config 

Examples: web-application-attack , attempted-user , 

attempted-admin 


Rule Options for Payload I 

content: "text" filter for packets containing the text 

Example: content: "GET " 

For hex-strings: content: "|20 bf ff ff 20|" 

Combined & negated: content: !"GET|09|" 

uricontent "text" restrict filtering to URIs 

pcre: "regexp" use Perl-compatible regular expression 

content-list: "filename" points to list with patterns 

patterns are enclosed in " , comments start with # 


Rule Options for Payload II 

Modifiers thereafter, apply only to single preceding option 

nocase ignores case for content and uricontent 

offset: n start only n bytes into payload 

depth: m stop after m bytes 

distance: n start searching n bytes after previous content match 

within: n distance between this content match and previous is 

at most n bytes 

isdataat: n [,relative] payload data at position n, 

optionally relative to previous content match 

rawbytes look at raw bytes instead of decoded traffic 

http_client_body restrict search to HTTP body 

http_header restrict search to HTTP header 


Rule Options for Payload III 

byte_text: numbytestoconvert, [!]operator, value, offset ⤦ 

[, relative] [,endian] [,number-type, string] 

Four bytes at payload start, encoding value in big endian 

alert udp any any -> any 137 (byte_test: 4, =, 0xbaadf00d, ⤦ 

0; msg: "got bad food!";) 

Ten bytes encoding number as text ("3131961357") 

alert udp any any -> any 137 (byte_test: 10, any 137 (byte_test: 8, !>, 0xbaadf00d, ⤦ 

0, string, hex; msg: "not above bad food!";) 


Rule Options for Non-Payload I 

fragbits and fragoffset test for IP fragmentation 

fragbits: [+*!]bits and fragoffset:[>

Rule Options for Non-Payload II 

dsize: []n[]m payload size 

dsize: 5100 or dsize: 1 

flow: [⟨established∣stateless⟩] [,⟨to_client∣to_server∣ ⤦ 

from_client∣from_server⟩] 

established part of an established TCP connection 

stateless do not consider state 

to_client . . . from_server consider direction 

More options for other TCP/IP header properties 


Rule Options after Detection I 

logto: "filename" log to extra file 

session: ⟨printable∣all⟩ log printable (or all) user data from 

TCP sessions (telnet, www, . . . ) 

resp: reason to close session (graceful, like ‘reject’) 

‘reason’ can be rst_snd , rst_rcv , rst_all 

icmp_net , icmp_host , icmp_port , icmp_all 

(improper use causes infinite loop) 

replace: "text" in inline mode (IPtables) replaces match 

from content ; lengths must match 


Rule Options after Detection II 

detection_filter: track ⟨by_src∣by_dst⟩, count c, seconds s 

Rule must be triggered c times within s to activate action 

threshold: type ⟨limit∣threshold∣both⟩, ⤦ 

track ⟨by_src∣by_dst⟩, count c, seconds s 

limit activate for the first c events within each s seconds 

threshold activate for every c-th events within each s seconds 

both activate at most once if at least c events within s seconds 

occur 


Tips for Writing Rules 

Rules should look for vulnerabilities, 

not for exploits 

Be flexible in accepting data 

content: "user root" can be bypassed with user root 

Better: content: "root"; pcre: "/user\s+root/i" 

When combining rules, place ‘simple’ ones at the beginning 

dsize , flags , flow , fragbits , . . . 


Output I 

Various output modules available for flexible logging and 

alerting 

Logging to syslog 

Allows specification of facility, priority, options 

(‘official’ syslog interface, see man 3 syslog for details) 

Example output alert_syslog: log_auth, log_warning 

Logging to remote syslog daemon 

output alert_syslog: 192.168.5.2:514, log_auth, log_warning 

Logging to files 

output alert_fast: filename logs one-liners to a file 

output alert_full: filename logs full packet headers 


Output II 

Logging to Unix socket 

output alert_unixsock logs to sock /var/log/snort/snort_alert 

Perl Example 

1 #!/usr/bin/perl 

2 use IO::Socket; 

3 my $client = IO::Socket::UNIX->new(Type => SOCK_DGRAM, 

4 Local => "/var/log/snort/snort_alert") 

Logging to TCPdump file 

output log_tcpdump: filename logs to TCPdump-like logfile 

can be opened with Wireshark 

More logging modules writing to SQL databases, csv files, 

compact binary formats (unified2) 


Redirecting Output 

Log messages can be redirected to different outputs 

Overrides general output statements 

ruletype panic 

{ 

} 

type alert 

output alert_syslog: LOG_AUTH LOG_CRIT 

output log_tcpdump: panic.log 

panic ip any any -> any any (msg:"Land attack"; sameip;) 


Inline Mode with IPtables 

Inline Mode Snort uses IPtables to receive packets, 

injects new rules to IPtables to accept or drop packets 

Integration in Snort: New rule types 

drop like IPtables’ drop target 

reject like IPtables’ reject target 

sdrop like IPtables’ drop target, but silently 

Integration in IPtables 

Redirect packets to user space using QUEUE target 

Example iptables -A INPUT -p tcp --dport 25 -j QUEUE 

Start Snort with Queue flag: snort -Q 

System has to be configured/compiled accordingly 


Visual Examples 

FTP security problem with site exec command 

content:"SITE"; nocase; content:"EXEC"; nocase; distance:0; 

53 49 54 45 20 20 20 20 45 58 45 43 SITE EXEC 

20 2F 62 69 6E 2F 73 68 /bin/sh 

Checking how much and which data follows 

content:"SITE"; nocase; content:!"|0a|"; within:50; 

53 49 54 45 20 SITE 





53 49 54 45 20 20 20 20 45 58 45 43 SITE EXEC 

20 2F 62 69 6E 2F 73 68 /bin/sh 



53 49 54 45 20 SITE 





53 49 54 45 20 20 20 20 45 58 45 43 SITE EXEC 

20 2F 62 69 6E 2F 73 68 /bin/sh 



53 49 54 45 20 SITE 





53 49 54 45 20 20 20 20 45 58 45 43 SITE EXEC 

20 2F 62 69 6E 2F 73 68 /bin/sh 



53 49 54 45 20 SITE 





53 49 54 45 20 20 20 20 45 58 45 43 SITE EXEC 

20 2F 62 69 6E 2F 73 68 /bin/sh 



53 49 54 45 20 SITE 





53 49 54 45 20 20 20 20 45 58 45 43 SITE EXEC 

20 2F 62 69 6E 2F 73 68 /bin/sh 



53 49 54 45 20 SITE 





53 49 54 45 20 20 20 20 45 58 45 43 SITE EXEC 

20 2F 62 69 6E 2F 73 68 /bin/sh 


content:"SITE"; nocase; isdataat:50,relative; content:!"|0a|"; wit 

53 49 54 45 20 SITE 


Visual Example: Byte Jump 

content:"|00 00 00 00|"; offset:8; depth:4; ⤦ 

content:"|00 01 86 F3|"; offset:16; depth:4; ⤦ 

content:"|00 00 00 07|"; distance:4; within:4; ⤦ 

byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; ⤦ 

byte_test:4,>,128,0,relative; 

00 00 0F 9C 36 51 D5 2B 00 00 00 00 00 00 00 02 

00 01 86 F3 00 00 00 01 00 00 00 07 00 00 00 01 

00 00 00 20 37 5E D1 6A 00 00 00 09 6C 6F 63 61 

6C 68 6F 73 74 00 00 00 00 00 00 00 00 00 00 00 

00 00 00 00 00 00 00 00 00 00 00 00 00 00 0F FF 








00 00 0F 9C 36 51 D5 2B 00 00 00 00 00 00 00 02 

00 01 86 F3 00 00 00 01 00 00 00 07 00 00 00 01 

00 00 00 20 37 5E D1 6A 00 00 00 09 6C 6F 63 61 

6C 68 6F 73 74 00 00 00 00 00 00 00 00 00 00 00 

00 00 00 00 00 00 00 00 00 00 00 00 00 00 0F FF 








00 00 0F 9C 36 51 D5 2B 00 00 00 00 00 00 00 02 

00 01 86 F3 00 00 00 01 00 00 00 07 00 00 00 01 

00 00 00 20 37 5E D1 6A 00 00 00 09 6C 6F 63 61 

6C 68 6F 73 74 00 00 00 00 00 00 00 00 00 00 00 

00 00 00 00 00 00 00 00 00 00 00 00 00 00 0F FF 








00 00 0F 9C 36 51 D5 2B 00 00 00 00 00 00 00 02 

00 01 86 F3 00 00 00 01 00 00 00 07 00 00 00 01 

00 00 00 20 37 5E D1 6A 00 00 00 09 6C 6F 63 61 

6C 68 6F 73 74 00 00 00 00 00 00 00 00 00 00 00 

00 00 00 00 00 00 00 00 00 00 00 00 00 00 0F FF 








00 00 0F 9C 36 51 D5 2B 00 00 00 00 00 00 00 02 

00 01 86 F3 00 00 00 01 00 00 00 07 00 00 00 01 

00 00 00 20 37 5E D1 6A 00 00 00 09 6C 6F 63 61 

6C 68 6F 73 74 00 00 00 00 00 00 00 00 00 00 00 

00 00 00 00 00 00 00 00 00 00 00 00 00 00 0F FF 








00 00 0F 9C 36 51 D5 2B 00 00 00 00 00 00 00 02 

00 01 86 F3 00 00 00 01 00 00 00 07 00 00 00 01 

00 00 00 20 37 5E D1 6A 00 00 00 09 6C 6F 63 61 

6C 68 6F 73 74 00 00 00 00 00 00 00 00 00 00 00 

00 00 00 00 00 00 00 00 00 00 00 00 00 00 0F FF 








00 00 0F 9C 36 51 D5 2B 00 00 00 00 00 00 00 02 

00 01 86 F3 00 00 00 01 00 00 00 07 00 00 00 01 

00 00 00 20 37 5E D1 6A 00 00 00 09 6C 6F 63 61 

6C 68 6F 73 74 00 00 00 00 00 00 00 00 00 00 00 

00 00 00 00 00 00 00 00 00 00 00 00 00 00 0F FF 








00 00 0F 9C 36 51 D5 2B 00 00 00 00 00 00 00 02 

00 01 86 F3 00 00 00 01 00 00 00 07 00 00 00 01 

00 00 00 20 37 5E D1 6A 00 00 00 09 6C 6F 63 61 

6C 68 6F 73 74 00 00 00 00 00 00 00 00 00 00 00 

00 00 00 00 00 00 00 00 00 00 00 00 00 00 0F FF 








00 00 0F 9C 36 51 D5 2B 00 00 00 00 00 00 00 02 

00 01 86 F3 00 00 00 01 00 00 00 07 00 00 00 01 

00 00 00 20 37 5E D1 6A 00 00 00 09 6C 6F 63 61 

6C 68 6F 73 74 00 00 00 00 00 00 00 00 00 00 00 

00 00 00 00 00 00 00 00 00 00 00 00 00 00 0F FF 


Examples I 

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ⤦ 

(msg:"Suspicious User-Agent (Trojan.Hijack.IrcBot.457 ⤦ 

related)"; flow:established,to_server; content:"|0d 0a| ⤦ 

User-Agent\: Mozilla/1.0 (compatible\; MSIE 8.0\;"; ⤦ 

classtype:trojan-activity; sid:2008913; rev:4;) 

Checks for HTTP traffic with suspicious user agent string 

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"HELO ⤦ 

Non-Displayable Characters"; flow:established,to_server; ⤦ 

content:"HELO "; nocase; depth:60; pcre:"/ˆ[ˆ\n]*[\x00- ⤦ 

\x08\x0e-\x1f]/R"; reference:cve,2006-3277; sid:2098; rev:7;) 

Search for non-displayable bytes in HELO line 


Examples II 

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ⤦ 

(msg:"SQL Injection Attempt"; flow:established,to_server; ⤦ 

uricontent:"/default.asp?"; nocase; uricontent:"id="; nocase; ⤦ 

uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; ⤦ 

classtype:web-application-attack; reference:cve,CVE-2007-2803; ⤦ 

sid:20996; rev:5;) 

Checks for access to web servers querying for an ASP page 

containing a SQL statement with ‘DELETE’ 

(simple rules like ‘flow’ first, complex like ‘pcre’ last) 


Examples III 

alert udp [60.191.254.251,...,61.156.8.141] any -> ⤦ 

$HOME_NET any (msg:"ET RBN Known Russian Business Network ⤦ 

IP UDP (120)"; reference:url,doc.emergingthreats.net/bin/ ⤦ 

view/Main/RussianBusinessNetwork; threshold:type limit, ⤦ 

track by_src, seconds 60, count 1; classtype:misc-attack; ⤦ 

sid:2406239; rev:164;) 

Warn for incoming packets from known bad hosts, 

but only once per minute 


Examples IV 

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg: ⤦ 

"EXPLOIT NETBIOS SMB DCERPC NetrpPathCanonicalize request ⤦ 

(possible MS06-040)"; flow:to_server,established; ⤦ 

content:"|00|"; depth:1; content:"|FF|SMB|25|"; depth:5; ⤦ 

offset:4; nocase; byte_test:2,ˆ,1,5,relative; content:"&|00|"; ⤦ 

within:2; distance:56; content:"|5C|PIPE|5C 00 05 00|"; ⤦ 

within:9; distance:4; content:"|1f 00|"; distance:20; ⤦ 

within:2; classtype:misc-attack; sid:2003081; rev:5;) 

Checking various bytes and flags ( byte_test ) 


Several examples based on the SNORT User Manual 2.8.5 (Oct 2009) 

https://www.snort.org/assets/125/snort_manual-2_8_5_1.pdf 

Several examples based on rules from the Emerging Threats project (Oct 2009) 

http://www.emergingthreats.net/rules/emerging.rules.tar.gz 

Some examples based on the presentation ‘Writing Snort Rules – A quick guide’ by Brian Caswell 

http://www.shmoo.com/~bmc/presentations/2004/honeynet/caswell-writing-snort-rules.ppt 

Unless otherwise noted, all materials on these slides are licensed under 

a Creative Commons Attribution-Share Alike 3.0 Unported License.

TCPdump & Snort - Intrusion Detection Systems

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?