Wednesday 21 April 2010

basics 7 - tutorial IDS snort

This tutorial presents the IDS SNORT.
French version available on the site.


Discover the tool

install SNORT
serveur$ sudo apt-get install snort
→ 192.168.0.0/24 (answer given to the installer's prompt for the local network range)
snort as sniffer
serveur$ sudo snort -v

03/16-14:14:53.859970 ARP who-has 192.168.0.5 tell 192.168.0.1

03/16-14:14:55.426057 192.168.0.1:51041 -> 255.255.255.255:8612
UDP TTL:128 TOS:0x0 ID:2938 IpLen:20 DgmLen:44
Len: 16
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/16-14:15:23.376800 ARP who-has 192.168.0.5 tell 192.168.0.1

03/16-14:15:24.360383 ARP who-has 192.168.0.5 tell 192.168.0.1

03/16-14:15:25.360462 ARP who-has 192.168.0.5 tell 192.168.0.1

03/16-14:15:26.420781 192.168.0.1:51047 -> 255.255.255.255:8612
UDP TTL:128 TOS:0x0 ID:2961 IpLen:20 DgmLen:44
Len: 16
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/16-14:15:28.436279 192.168.0.2 -> 192.168.0.1
ICMP TTL:64 TOS:0xC0 ID:27221 IpLen:20 DgmLen:72
Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
192.168.0.1:51050 -> 192.168.0.2:8612
UDP TTL:128 TOS:0x0 ID:2965 IpLen:20 DgmLen:44
Len: 16 Csum: 30138
(16 more bytes of original packet)
** END OF DUMP

Run time prior to being shutdown was 47.990364 seconds
snort as logger
serveur$ sudo snort -v -l ~
CTRL-C
serveur$ sudo tcpdump -r ~/snort*.log

14:23:04.323224 IP serveurlinux > 192.168.0.12: ICMP echo reply, id 54035, seq 1, length 64
14:23:05.322763 IP 192.168.0.12 > serveurlinux: ICMP echo request, id 54035, seq 2, length 64
14:23:05.322915 IP serveurlinux > 192.168.0.12: ICMP echo reply, id 54035, seq 2, length 64
14:23:07.860055 ARP, Request who-has 192.168.0.5 tell 192.168.0.1, length 46
14:23:09.322504 ARP, Request who-has 192.168.0.12 tell serveurlinux, length 28
14:23:09.323849 ARP, Reply 192.168.0.12 is-at 00:0c:29:22:93:12 (oui Unknown), length 46
14:23:09.423254 IP 192.168.0.1.51122 > 255.255.255.255.8612: UDP, length 16
14:23:09.423308 IP 192.168.0.1.51122 > 255.255.255.255.8612: UDP, length 16
14:23:11.433630 IP 192.168.0.1.51125 > serveurlinux.8612: UDP, length 16
14:23:11.433735 IP serveurlinux > 192.168.0.1: ICMP serveurlinux udp port 8612 unreachable, length 52
14:23:13.032430 IP 192.168.0.1.51125 > 192.168.0.12.8612: UDP, length 16
14:23:13.032531 IP 192.168.0.12 > 192.168.0.1: ICMP 192.168.0.12 udp port 8612 unreachable, length 52
14:23:13.360310 ARP, Request who-has 192.168.0.9 tell 192.168.0.1, length 46
14:23:13.360341 ARP, Request who-has 192.168.0.10 tell 192.168.0.1, length 46
14:23:13.360348 ARP, Request who-has 192.168.0.11 tell 192.168.0.1, length 46

configuration of snort.conf

Back up snort.conf:
serveur$ sudo cp /etc/snort/snort.conf /etc/snort/snort.conf.old
Customize snort.conf. Result:
serveur$ cat /etc/snort/snort.conf

var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var RULE_PATH /etc/snort
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first
preprocessor stream5_global: track_tcp yes, track_udp no
preprocessor stream5_tcp: policy first

include $RULE_PATH/local.rules

in passing, some vi commands:

edit snort.conf and delete comment lines and empty lines:
serveur$ sudo vim /etc/snort/snort.conf
:g/^#/d
:g/^$/d
delete everything after the last var declaration (line 9 onwards):
:9,$d
switch to insertion mode:
i
add the default rules directory:
var RULE_PATH /etc/snort
add the frag3 and stream5 preprocessor directives:
  • frag3 is the IP fragmentation preprocessor: it reassembles and normalizes fragmented packets.
  • stream5 keeps the state of TCP flows (with track_udp no, UDP is not tracked).
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first
preprocessor stream5_global: track_tcp yes, track_udp no
preprocessor stream5_tcp: policy first
then include the local rules file:
include $RULE_PATH/local.rules
save and exit:
ESCAPE
:wq ENTER
create the empty file /etc/snort/local.rules:
serveur$ sudo touch /etc/snort/local.rules
check that snort starts correctly with this configuration:
serveur$ sudo snort -c /etc/snort/snort.conf

create rules

create a rule

Rules are formatted as follows [18]:
action protocol source_address source_port -> destination_address destination_port (options: msg, sid, rev, ...)

For example:

copy this rule into local.rules:
serveur$ sudo vi /etc/snort/local.rules
alert tcp any any -> $HOME_NET 21 (msg: "acces ftp"; sid: 10000001; rev:1;)
start snort:
serveur$ sudo snort -c /etc/snort/snort.conf
from intrus (the attacking machine):
intrus$ ftp 192.168.0.2
utilisateur
utilisateur
quit
stop snort. The result is in the alert log file:
serveur$ CTRL-C
serveur$ sudo cat /var/log/snort/alert
[**] [1:10000001:1] acces ftp [**]
[Priority: 0]
03/17-10:28:21.734776 192.168.0.12:47238 -> 192.168.0.2:21
TCP TTL:64 TOS:0x0 ID:24632 IpLen:20 DgmLen:60 DF
******S* Seq: 0x6F35E72 Ack: 0x0 Win: 0x16D0 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 43335242 0 NOP WS: 4

For more detail on the IP packets that led to the alert, read the most recent packet log (a pcap file) with tcpdump:
serveur$ sudo tcpdump -r /var/log/snort/snort.log.18970076
10:50:27.177443 IP 192.168.0.12.44080 > serveurlinux.ftp: Flags [P.], seq 76:82, ack 253, win 365, options [nop,nop,TS val 43666604 ecr 45118016], length 6
10:50:27.178287 IP serveurlinux.ftp > 192.168.0.12.44080: Flags [P.], seq 253:267, ack 82, win 362, options [nop,nop,TS val 45118484 ecr 43666604], length 14
10:50:27.178636 IP 192.168.0.12.44080 > serveurlinux.ftp: Flags [.], ack 267, win 365, options [nop,nop,TS val 43666604 ecr 45118484], length 0
10:50:27.178975 IP serveurlinux.ftp > 192.168.0.12.44080: Flags [F.], seq 267, ack 82, win 362, options [nop,nop,TS val 45118484 ecr 43666604], length 0
10:50:27.179684 IP 192.168.0.12.44080 > serveurlinux.ftp: Flags [F.], seq 82, ack 268, win 365, options [nop,nop,TS val 43666604 ecr 45118484], length 0
10:50:27.179744 IP serveurlinux.ftp > 192.168.0.12.44080: Flags [.], ack 83, win 362, options [nop,nop,TS val 45118484 ecr 43666604], length 0

detect PING

create a rule to detect ICMP echo requests. See [19] for the syntax of this rule, and the ICMP protocol description [20], which tells us an echo request is type 8, code 0. Add this line to the local rules file:

alert icmp any any -> $HOME_NET any (msg: "requete echo"; sid: 10000002; rev: 1; itype: 8; icode: 0;)
serveur$ sudo cat /etc/snort/local.rules
alert icmp any any -> $HOME_NET any (msg: "requete echo"; sid: 10000002; rev: 1; itype: 8; icode: 0;)
Start snort, logging to the current directory:
serveur$ sudo snort -c /etc/snort/snort.conf -l ./
Ping the server from intrus:
intrus$ ping 192.168.0.2
Stop snort and read the alert file written in the current directory:
serveur$ CTRL-C
serveur$ sudo cat ./alert
[**] [1:10000002:1] requete echo [**]
[Priority: 0]
03/17-12:21:15.613662 192.168.0.12 -> 192.168.0.2
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:14616 Seq:1 ECHO

analysis of log

Convert the binary capture trace.log to a readable trace.txt (-r reads the capture, -v is verbose, -e prints the link-layer headers, -X dumps the raw packet bytes):

trace.log is the sample capture file used for the rest of this tutorial:
serveur$ snort -e -X -v -r ./trace.log > trace.txt
05/04-14:53:52.772670 0:50:4:5B:64:5B -> 0:10:4B:E2:65:8E type:0x800 len:0x3E
192.168.1.5 -> 192.168.10.2 ICMP TTL:123 TOS:0x18 ID:345 IpLen:20 DgmLen:48 DF
Type:3 Code:4 DESTINATION UNREACHABLE: FRAGMENTATION NEEDED, DF SET
NEXT LINK MTU: 0
** ORIGINAL DATAGRAM DUMP:
192.168.10.2 -> 192.168.1.5 ICMP TTL:123 TOS:0x18 ID:0 IpLen:20 DgmLen:20 DF
** END OF DUMP
0x0000: 00 10 4B E2 65 8E 00 50 04 5B 64 5B 08 00 45 18 ..K.e..P.[d[..E.
0x0010: 00 30 01 59 40 00 7B 01 72 04 C0 A8 01 05 C0 A8 .0.Y@.{.r.......
0x0020: 0A 02 03 04 32 23 00 00 00 00 45 18 00 14 00 00 ....2#....E.....
0x0030: 40 00 7B 01 00 00 C0 A8 0A 02 C0 A8 01 05 @.{...........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
(...)

Apply our own rules to trace.log

Now look for ping requests in the file trace.log, with alerts printed on the console:
serveur$ snort -A console -c /etc/snort/snort.conf -r ./trace.log > icmp.txt

05/04-14:53:52.772670 [**] [116:253:1] (snort_decoder) WARNING: ICMP Original IP Payload < 64 bits! [**] [Priority: 3] {ICMP} 192.168.1.5 -> 192.168.10.2
05/04-14:53:52.824985 [**] [116:151:1] (snort decoder) Bad Traffic Same Src/Dst IP [**] [Priority: 3] {UDP} 192.168.10.2:0 -> 192.168.10.2:0
05/04-14:53:52.830835 [**] [1:10000002:1] requete echo [**] [Priority: 0] {ICMP} 192.168.1.255 -> 192.168.10.2
05/04-14:53:52.840259 [**] [116:253:1] (snort_decoder) WARNING: ICMP Original IP Payload < 64 bits! [**] [Priority: 3] {ICMP} 192.168.1.5 -> 192.168.10.2
05/04-14:53:52.695596 [**] [116:151:1] (snort decoder) Bad Traffic Same Src/Dst IP [**] [Priority: 3] {UDP} 192.168.10.2:0 -> 192.168.10.2:0
05/04-14:53:52.701466 [**] [1:10000002:1] requete echo [**] [Priority: 0] {ICMP} 192.168.1.255 -> 192.168.10.2
05/04-14:53:52.710795 [**] [116:253:1] (snort_decoder) WARNING: ICMP Original IP Payload < 64 bits! [**] [Priority: 3] {ICMP} 192.168.1.5 -> 192.168.10.2
05/04-14:53:52.958304 [**] [116:151:1] (snort decoder) Bad Traffic Same Src/Dst IP [**] [Priority: 3] {UDP} 192.168.10.2:0 -> 192.168.10.2:0
05/04-14:53:52.965429 [**] [1:10000002:1] requete echo [**] [Priority: 0] {ICMP} 192.168.1.255 -> 192.168.10.2
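As an added example (not part of the tutorial), here is a small Python parser for the -A console lines above. The sample lines are constructed from the output shown; each line becomes a record, and the run is summarised by signature and by source address. Lines with gid 116 come from Snort's decoder, while gid 1 lines with sids from 1000000 upward are local rules; separating the two is the first step when a capture produces many lines. The function names (parse_console, count_by_signature, sources_per_signature, triage_report) are mine, not Snort's.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: six of the -A console lines printed above for trace.log.
SAMPLE_CONSOLE = """\
05/04-14:53:52.772670 [**] [116:253:1] (snort_decoder) WARNING: ICMP Original IP Payload < 64 bits! [**] [Priority: 3] {ICMP} 192.168.1.5 -> 192.168.10.2
05/04-14:53:52.824985 [**] [116:151:1] (snort decoder) Bad Traffic Same Src/Dst IP [**] [Priority: 3] {UDP} 192.168.10.2:0 -> 192.168.10.2:0
05/04-14:53:52.830835 [**] [1:10000002:1] requete echo [**] [Priority: 0] {ICMP} 192.168.1.255 -> 192.168.10.2
05/04-14:53:52.840259 [**] [116:253:1] (snort_decoder) WARNING: ICMP Original IP Payload < 64 bits! [**] [Priority: 3] {ICMP} 192.168.1.5 -> 192.168.10.2
05/04-14:53:52.695596 [**] [116:151:1] (snort decoder) Bad Traffic Same Src/Dst IP [**] [Priority: 3] {UDP} 192.168.10.2:0 -> 192.168.10.2:0
05/04-14:53:52.701466 [**] [1:10000002:1] requete echo [**] [Priority: 0] {ICMP} 192.168.1.255 -> 192.168.10.2
"""

# One -A console line: timestamp [**] [gid:sid:rev] msg [**] [Priority: n] {PROTO} src[:port] -> dst[:port]
CONSOLE_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    gid: int
    sid: int
    rev: int
    msg: str
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

    @property
    def origin(self) -> str:
        # gid 1 = text rules; sids from 1000000 up are reserved for local rules.
        # Any other gid is a decoder or preprocessor alert, not one of our rules.
        if self.gid != 1:
            return "decoder/preprocessor"
        return "local rule" if self.sid >= 1000000 else "snort ruleset"


def parse_console(text: str) -> list:
    alerts = []
    for line in text.splitlines():
        m = CONSOLE_RE.match(line)
        if not m:  # skip the banner and statistics lines snort prints around the alerts
            continue
        g = m.groupdict()
        alerts.append(Alert(g["ts"], int(g["gid"]), int(g["sid"]), int(g["rev"]), g["msg"],
                            int(g["prio"]), g["proto"], g["src"],
                            int(g["sport"]) if g["sport"] else None,
                            g["dst"], int(g["dport"]) if g["dport"] else None))
    return alerts


def count_by_signature(alerts: list) -> Counter:
    """{(gid, sid, msg): count}: the first thing to look at when a run prints hundreds of lines."""
    return Counter((a.gid, a.sid, a.msg) for a in alerts)


def sources_per_signature(alerts: list) -> dict:
    """{(gid, sid): set of source IPs}: separates decoder noise from hosts worth a closer look."""
    out = defaultdict(set)
    for a in alerts:
        out[(a.gid, a.sid)].add(a.src)
    return dict(out)


def triage_report(alerts: list) -> list:
    """One row per signature: (origin, gid, sid, count, msg, sources), local rules first, then most frequent."""
    counts, srcs = count_by_signature(alerts), sources_per_signature(alerts)
    rows = []
    for (gid, sid, msg), n in counts.items():
        origin = next(a for a in alerts if a.gid == gid and a.sid == sid).origin
        rows.append((origin, gid, sid, n, msg, sorted(srcs[(gid, sid)])))
    return sorted(rows, key=lambda r: (r[0] != "local rule", -r[3], r[2]))
```

On the tutorial's run every source of the local-rule alerts is 192.168.1.255, while the decoder warnings come from 192.168.1.5 and 192.168.10.2; grouping by signature and source like this is what makes a 30-packet capture with three repeats readable at a glance.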
Analyze the file trace.txt generated earlier. It contains 30 packets, with 8 different signatures:

1) ICMP type 3 code 4: destination unreachable, fragmentation needed but not possible because the DF flag is set
05/04-14:53:52.772670 0:50:4:5B:64:5B -> 0:10:4B:E2:65:8E type:0x800 len:0x3E
192.168.1.5 -> 192.168.10.2 ICMP TTL:123 TOS:0x18 ID:345 IpLen:20 DgmLen:48 DF
Type:3 Code:4 DESTINATION UNREACHABLE: FRAGMENTATION NEEDED, DF SET
NEXT LINK MTU: 0
** ORIGINAL DATAGRAM DUMP:
192.168.10.2 -> 192.168.1.5 ICMP TTL:123 TOS:0x18 ID:0 IpLen:20 DgmLen:20 DF
** END OF DUMP
0x0000: 00 10 4B E2 65 8E 00 50 04 5B 64 5B 08 00 45 18 ..K.e..P.[d[..E.
0x0010: 00 30 01 59 40 00 7B 01 72 04 C0 A8 01 05 C0 A8 .0.Y@.{.r.......
0x0020: 0A 02 03 04 32 23 00 00 00 00 45 18 00 14 00 00 ....2#....E.....
0x0030: 40 00 7B 01 00 00 C0 A8 0A 02 C0 A8 01 05 @.{...........
2) DNS request (UDP, port 53) carrying the string /bin/sh
05/04-14:53:52.777745 0:50:4:5B:64:5B -> 0:10:4B:E2:65:8E type:0x800 len:0x40
192.168.1.5:53 -> 192.168.10.2:53 UDP TTL:254 TOS:0x0 ID:82 IpLen:20 DgmLen:50 DF
Len: 22
0x0000: 00 10 4B E2 65 8E 00 50 04 5B 64 5B 08 00 45 00 ..K.e..P.[d[..E.
0x0010: 00 32 00 52 40 00 FE 11 F0 10 C0 A8 01 05 C0 A8 .2.R@...........
0x0020: 0A 02 00 35 00 35 00 1E 1D 18 7F 01 01 01 70 A0 ...5.5........p.
0x0030: 04 08 34 F0 D1 04 04 08 13 2F 62 69 6E 2F 73 68 ..4....../bin/sh
3) HTTP GET request containing "/../root/.rhosts"
05/04-14:53:52.784584 0:50:4:5B:64:5B -> 0:10:4B:E2:65:8E type:0x800 len:0x5C
192.168.1.5:42069 -> 192.168.10.2:80 TCP TTL:254 TOS:0x0 ID:666 IpLen:20 DgmLen:78 DF
***A**** Seq: 0x29A Ack: 0x29A Win: 0x29A TcpLen: 20
0x0000: 00 10 4B E2 65 8E 00 50 04 5B 64 5B 08 00 45 00 ..K.e..P.[d[..E.
0x0010: 00 4E 02 9A 40 00 FE 06 ED B7 C0 A8 01 05 C0 A8 .N..@...........
0x0020: 0A 02 A4 55 00 50 00 00 02 9A 00 00 02 9A 50 10 ...U.P........P.
0x0030: 02 9A 5A 1D 00 08 47 45 54 20 2F 2E 2E 2F 2E 2E ..Z...GET /../..
0x0040: 2F 2E 2E 2F 72 6F 6F 74 2F 2E 72 68 6F 73 74 73 /../root/.rhosts
0x0050: 20 48 54 54 50 2F 31 2E 31 0A 0A 0A HTTP/1.1...
14) DNS request to 192.168.10.2:53 over TCP (zone transfer: axfr domain.com)
05/04-14:53:52.790472 0:50:4:5B:64:5B -> 0:10:4B:E2:65:8E type:0x800 len:0x52
192.168.1.5:32569 -> 192.168.10.2:53 TCP TTL:254 TOS:0x0 ID:420 IpLen:20 DgmLen:68 DF
******** Seq: 0x1A4 Ack: 0x1A4 Win: 0x200 TcpLen: 20
0x0000: 00 10 4B E2 65 8E 00 50 04 5B 64 5B 08 00 45 00 ..K.e..P.[d[..E.
0x0010: 00 44 01 A4 40 00 FE 06 EE B7 C0 A8 01 05 C0 A8 .D..@...........
0x0020: 0A 02 7F 39 00 35 00 00 01 A4 00 00 01 A4 50 00 ...9.5........P.
0x0030: 02 00 A2 80 00 08 00 00 00 00 04 00 00 00 00 64 ...............d
0x0040: 00 00 61 78 66 72 20 64 6F 6D 61 69 6E 2E 63 6F ..axfr domain.co
0x0050: 6D 0A m.
5) SSH packet with a buffer overflow attempt (long run of A characters)
05/04-14:53:52.800369 0:50:4:5B:64:5B -> 0:10:4B:E2:65:8E type:0x800 len:0x23B
192.168.1.5:42069 -> 192.168.10.2:22 TCP TTL:254 TOS:0x0 ID:83 IpLen:20 DgmLen:557 DF
****PR** Seq: 0x201F Ack: 0x3992 Win: 0x200 TcpLen: 20
0x0000: 00 10 4B E2 65 8E 00 50 04 5B 64 5B 08 00 45 00 ..K.e..P.[d[..E.
0x0010: 02 2D 00 53 40 00 FE 06 EE 1F C0 A8 01 05 C0 A8 .-.S@...........
0x0020: 0A 02 A4 55 00 16 00 00 20 1F 00 00 39 92 50 0C ...U.... ...9.P.
0x0030: 02 00 FF AB 00 08 41 41 41 41 41 41 41 41 41 41 ......AAAAAAAAAA
0x0040: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0x0050: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0x0060: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0x0070: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0x0080: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0x0090: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0x00A0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0x00B0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0x00C0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0x00D0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0x00E0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0x00F0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0x0100: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0x0110: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0x0120: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0x0130: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0x0140: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0x0150: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0x0160: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0x0170: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0x0180: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0x0190: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0x01A0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0x01B0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0x01C0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0x01D0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0x01E0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0x01F0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0x0200: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0x0210: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0x0220: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0x0230: 41 41 41 41 41 41 CB 29 03 40 12 AAAAAA.).@.
8) spoofed IP datagram from 192.168.10.2 to itself (UDP, port 0)
05/04-14:53:52.824985 0:50:4:5B:64:5B -> 0:10:4B:E2:65:8E type:0x800 len:0x3C
192.168.10.2:0 -> 192.168.10.2:0 UDP TTL:254 TOS:0x0 ID:14733 IpLen:20 DgmLen:33 DF
0x0000: EE B7 1F 2F 00 0A 73 C7 70 69 6E 67 0A .../..s.ping.

0x0000: 00 10 4B E2 65 8E 00 50 04 5B 64 5B 08 00 45 00 ..K.e..P.[d[..E.
0x0010: 00 21 39 8D 40 00 FE 11 AD E9 C0 A8 0A 02 C0 A8 .!9.@...........
0x0020: 0A 02 EE B7 1F 2F 00 0A 73 C7 70 69 6E 67 0A 00 ...../..s.ping..
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00 ............
20) packet from IP 255.255.255.255 (DHCP DISCOVER)
05/04-14:53:52.706591 0:50:4:5B:64:5B -> 0:10:4B:E2:65:8E type:0x800 len:0x3C
255.255.255.255:68 -> 192.168.10.2:67 UDP TTL:1 TOS:0x0 ID:2513 IpLen:20 DgmLen:41 DF
Len: 13
0x0000: 00 10 4B E2 65 8E 00 50 04 5B 64 5B 08 00 45 00 ..K.e..P.[d[..E.
0x0010: 00 29 09 D1 40 00 01 11 A5 49 FF FF FF FF C0 A8 .)..@....I......
0x0020: 0A 02 00 44 00 43 00 15 57 CE 44 48 43 50 20 44 ...D.C..W.DHCP D
0x0030: 49 53 43 4F 56 45 52 00 00 00 00 00 ISCOVER.....
19) ICMP echo request from 192.168.1.255 (a broadcast address)
05/04-14:53:52.701466 0:50:4:5B:64:5B -> 0:10:4B:E2:65:8E type:0x800 len:0x88
192.168.1.255 -> 192.168.10.2 ICMP TTL:254 TOS:0x0 ID:11122 IpLen:20 DgmLen:122 DF
Type:8 Code:0 ID:11122 Seq:0 ECHO
0x0000: 00 10 4B E2 65 8E 00 50 04 5B 64 5B 08 00 45 00 ..K.e..P.[d[..E.
0x0010: 00 7A 2B 72 40 00 FE 01 C3 BE C0 A8 01 FF C0 A8 .z+r@...........
0x0020: 0A 02 08 00 02 C4 2B 72 00 00 21 21 21 21 21 21 ......+r..!!!!!!
0x0030: 21 21 21 21 21 21 21 21 21 21 21 21 21 21 21 21 !!!!!!!!!!!!!!!!
0x0040: 21 21 21 21 21 21 21 21 21 21 21 21 21 21 21 21 !!!!!!!!!!!!!!!!
0x0050: 21 21 21 21 21 21 21 21 21 21 21 21 21 21 21 21 !!!!!!!!!!!!!!!!
0x0060: 21 21 21 21 21 21 21 21 21 21 21 21 21 21 21 21 !!!!!!!!!!!!!!!!
0x0070: 21 21 21 21 00 00 00 00 00 00 00 00 00 00 00 00 !!!!............
0x0080: 00 00 00 00 00 00 00 00 ........

Here are some rules we can define to detect these packets:
serveur$ sudo cat /etc/snort/local.rules

alert icmp any any -> $HOME_NET any (msg: "requete echo"; sid: 10000002; rev: 1; itype: 8; icode: 0;)
alert icmp any any -> $HOME_NET any (msg: "icmp ip fragment"; sid: 10000003; rev: 1; itype: 3; icode:4;)
alert udp any any -> $HOME_NET any (msg: "/bin/sh"; sid: 10000004; rev: 1; content: "/bin/sh"; nocase;)
alert tcp any any -> $HOME_NET any (msg: "/../root/.rhosts"; sid: 10000005; rev: 1; content: "/../root/.rhosts"; nocase;)
alert udp any any -> 192.168.10.2 53 (msg: "requete DNS sur 10.2"; sid: 10000006; rev: 1;)
alert tcp any any -> $HOME_NET 22 (msg:"buf overflow"; sid: 10000007; rev: 1; dsize: >200;)
alert udp 192.168.10.2 any -> 192.168.10.2 any (msg:"IP spoof 192.168.10.2 vers 192.168.10.2"; sid: 10000008; rev: 1;)
alert udp 255.255.255.255 any -> $HOME_NET any (msg: "paquet provenant de IP FF.FF.FF.FF"; sid: 10000009; rev: 1;)
Then the result:
serveur$ sudo snort -A console -r trace.log -c /etc/snort/snort.conf

05/04-14:53:52.772670 [**] [116:253:1] (snort_decoder) WARNING: ICMP Original IP Payload < 64 bits! [**] [Priority: 3] {ICMP} 192.168.1.5 -> 192.168.10.2
05/04-14:53:52.777745 [**] [1:10000004:1] /bin/sh [**] [Priority: 0] {UDP} 192.168.1.5:53 -> 192.168.10.2:53
05/04-14:53:52.777745 [**] [1:10000006:1] requete DNS sur 10.2 [**] [Priority: 0] {UDP} 192.168.1.5:53 -> 192.168.10.2:53
05/04-14:53:52.784584 [**] [1:10000005:1] /../root/.rhosts [**] [Priority: 0] {TCP} 192.168.1.5:42069 -> 192.168.10.2:80
05/04-14:53:52.800369 [**] [1:10000007:1] buf overflow [**] [Priority: 0] {TCP} 192.168.1.5:42069 -> 192.168.10.2:22
05/04-14:53:52.809583 [**] [1:10000007:1] buf overflow [**] [Priority: 0] {TCP} 192.168.1.5:42069 -> 192.168.10.2:22
05/04-14:53:52.819774 [**] [1:10000007:1] buf overflow [**] [Priority: 0] {TCP} 192.168.1.5:42069 -> 192.168.10.2:22
05/04-14:53:52.824985 [**] [116:151:1] (snort decoder) Bad Traffic Same Src/Dst IP [**] [Priority: 3] {UDP} 192.168.10.2:0 -> 192.168.10.2:0
05/04-14:53:52.830835 [**] [1:10000002:1] requete echo [**] [Priority: 0] {ICMP} 192.168.1.255 -> 192.168.10.2
05/04-14:53:52.836019 [**] [1:10000009:1] paquet provenant de IP FF.FF.FF.FF [**] [Priority: 0] {UDP} 255.255.255.255:68 -> 192.168.10.2:67
05/04-14:53:52.840259 [**] [116:253:1] (snort_decoder) WARNING: ICMP Original IP Payload < 64 bits! [**] [Priority: 3] {ICMP} 192.168.1.5 -> 192.168.10.2
05/04-14:53:52.845315 [**] [1:10000004:1] /bin/sh [**] [Priority: 0] {UDP} 192.168.1.5:53 -> 192.168.10.2:53
05/04-14:53:52.845315 [**] [1:10000006:1] requete DNS sur 10.2 [**] [Priority: 0] {UDP} 192.168.1.5:53 -> 192.168.10.2:53
05/04-14:53:52.670939 [**] [1:10000007:1] buf overflow [**] [Priority: 0] {TCP} 192.168.1.5:42069 -> 192.168.10.2:22
05/04-14:53:52.680196 [**] [1:10000007:1] buf overflow [**] [Priority: 0] {TCP} 192.168.1.5:42069 -> 192.168.10.2:22
05/04-14:53:52.690413 [**] [1:10000007:1] buf overflow [**] [Priority: 0] {TCP} 192.168.1.5:42069 -> 192.168.10.2:22
05/04-14:53:52.695596 [**] [116:151:1] (snort decoder) Bad Traffic Same Src/Dst IP [**] [Priority: 3] {UDP} 192.168.10.2:0 -> 192.168.10.2:0
05/04-14:53:52.701466 [**] [1:10000002:1] requete echo [**] [Priority: 0] {ICMP} 192.168.1.255 -> 192.168.10.2
05/04-14:53:52.706591 [**] [1:10000009:1] paquet provenant de IP FF.FF.FF.FF [**] [Priority: 0] {UDP} 255.255.255.255:68 -> 192.168.10.2:67
05/04-14:53:52.710795 [**] [116:253:1] (snort_decoder) WARNING: ICMP Original IP Payload < 64 bits! [**] [Priority: 3] {ICMP} 192.168.1.5 -> 192.168.10.2
05/04-14:53:52.715830 [**] [1:10000004:1] /bin/sh [**] [Priority: 0] {UDP} 192.168.1.5:53 -> 192.168.10.2:53
05/04-14:53:52.715830 [**] [1:10000006:1] requete DNS sur 10.2 [**] [Priority: 0] {UDP} 192.168.1.5:53 -> 192.168.10.2:53
05/04-14:53:52.934930 [**] [1:10000007:1] buf overflow [**] [Priority: 0] {TCP} 192.168.1.5:42069 -> 192.168.10.2:22
05/04-14:53:52.944089 [**] [1:10000007:1] buf overflow [**] [Priority: 0] {TCP} 192.168.1.5:42069 -> 192.168.10.2:22
05/04-14:53:52.953160 [**] [1:10000007:1] buf overflow [**] [Priority: 0] {TCP} 192.168.1.5:42069 -> 192.168.10.2:22
05/04-14:53:52.958304 [**] [116:151:1] (snort decoder) Bad Traffic Same Src/Dst IP [**] [Priority: 3] {UDP} 192.168.10.2:0 -> 192.168.10.2:0
05/04-14:53:52.965429 [**] [1:10000002:1] requete echo [**] [Priority: 0] {ICMP} 192.168.1.255 -> 192.168.10.2
05/04-14:53:52.970570 [**] [1:10000009:1] paquet provenant de IP FF.FF.FF.FF [**] [Priority: 0] {UDP} 255.255.255.255:68 -> 192.168.10.2:67
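As an added example (not from the tutorial), here is a toy Python matcher that rebuilds packets 2, 3 and 20 from the hex dumps in the trace.txt analysis above, parses the local.rules listed above, and reports which sids fire, so that you can see how each rule field maps to packet bytes. It models only what these rules use: header address and port matching with $HOME_NET expansion, itype/icode, content with nocase, and dsize. It does not model Snort's decoder checks (the [116:...] warnings), 'ip' rules or '!' negation, so it is a teaching aid, not a substitute for snort -r. All function names (hexdump_to_bytes, decode, parse_rule, header_matches, options_match, alerts_for) are mine.

```python
import ipaddress, re, struct
from collections import namedtuple

VARIABLES = {"HOME_NET": "any"}  # the tutorial's snort.conf: var HOME_NET any
# The tutorial's local.rules, copied as written (sids 10000002 to 10000009).
LOCAL_RULES = """
alert icmp any any -> $HOME_NET any (msg: "requete echo"; sid: 10000002; rev: 1; itype: 8; icode: 0;)
alert icmp any any -> $HOME_NET any (msg: "icmp ip fragment"; sid: 10000003; rev: 1; itype: 3; icode:4;)
alert udp any any -> $HOME_NET any (msg: "/bin/sh"; sid: 10000004; rev: 1; content: "/bin/sh"; nocase;)
alert tcp any any -> $HOME_NET any (msg: "/../root/.rhosts"; sid: 10000005; rev: 1; content: "/../root/.rhosts"; nocase;)
alert udp any any -> 192.168.10.2 53 (msg: "requete DNS sur 10.2"; sid: 10000006; rev: 1;)
alert tcp any any -> $HOME_NET 22 (msg:"buf overflow"; sid: 10000007; rev: 1; dsize: >200;)
alert udp 192.168.10.2 any -> 192.168.10.2 any (msg:"IP spoof 192.168.10.2 vers 192.168.10.2"; sid: 10000008; rev: 1;)
alert udp 255.255.255.255 any -> $HOME_NET any (msg: "paquet provenant de IP FF.FF.FF.FF"; sid: 10000009; rev: 1;)
"""
# Packets 2, 3 and 20 of trace.txt as printed by snort -X; the ASCII column is left in place.
PKT2_DNS_BINSH = """
0x0000: 00 10 4B E2 65 8E 00 50 04 5B 64 5B 08 00 45 00 ..K.e..P.[d[..E.
0x0010: 00 32 00 52 40 00 FE 11 F0 10 C0 A8 01 05 C0 A8 .2.R@...........
0x0020: 0A 02 00 35 00 35 00 1E 1D 18 7F 01 01 01 70 A0 ...5.5........p.
0x0030: 04 08 34 F0 D1 04 04 08 13 2F 62 69 6E 2F 73 68 ..4....../bin/sh
"""
PKT3_HTTP_RHOSTS = """
0x0000: 00 10 4B E2 65 8E 00 50 04 5B 64 5B 08 00 45 00 ..K.e..P.[d[..E.
0x0010: 00 4E 02 9A 40 00 FE 06 ED B7 C0 A8 01 05 C0 A8 .N..@...........
0x0020: 0A 02 A4 55 00 50 00 00 02 9A 00 00 02 9A 50 10 ...U.P........P.
0x0030: 02 9A 5A 1D 00 08 47 45 54 20 2F 2E 2E 2F 2E 2E ..Z...GET /../..
0x0040: 2F 2E 2E 2F 72 6F 6F 74 2F 2E 72 68 6F 73 74 73 /../root/.rhosts
0x0050: 20 48 54 54 50 2F 31 2E 31 0A 0A 0A  HTTP/1.1...
"""
PKT20_DHCP = """
0x0000: 00 10 4B E2 65 8E 00 50 04 5B 64 5B 08 00 45 00 ..K.e..P.[d[..E.
0x0010: 00 29 09 D1 40 00 01 11 A5 49 FF FF FF FF C0 A8 .)..@....I......
0x0020: 0A 02 00 44 00 43 00 15 57 CE 44 48 43 50 20 44 ...D.C..W.DHCP D
0x0030: 49 53 43 4F 56 45 52 00 00 00 00 00 ISCOVER.....
"""
Packet = namedtuple("Packet", "proto src dst sport dport itype icode payload", defaults=(None, None, None, None, b""))
Rule = namedtuple("Rule", "action proto src sport dst dport options")
HEX_LINE = re.compile(r"0x[0-9A-Fa-f]{4}:((?:\s+[0-9A-Fa-f]{2}){1,16})")
RULE_HEADER = re.compile(r"(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
dsize_ok = lambda spec, n: n > int(spec[1:]) if spec[0] == ">" else n < int(spec[1:]) if spec[0] == "<" else n == int(spec)

def hexdump_to_bytes(dump: str) -> bytes:
    # Only the hex column of each "0xNNNN: .." line is read; the ASCII column is skipped.
    tokens = (tok for line in dump.strip().splitlines() for tok in HEX_LINE.match(line.strip()).group(1).split())
    return bytes(int(tok, 16) for tok in tokens)

def decode(frame: bytes) -> Packet:
    # Ethernet + IPv4, then ICMP/UDP/TCP; slicing to the IP total length drops Ethernet trailer padding (packet 20).
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    l4 = ip[ihl:total_len]
    if proto == 1:   # ICMP: type, code; "payload" is what follows the 8-byte header
        return Packet("icmp", src, dst, itype=l4[0], icode=l4[1], payload=l4[8:])
    if proto == 17:  # UDP: the UDP length field bounds the payload
        sport, dport, ulen = struct.unpack("!HHH", l4[:6])
        return Packet("udp", src, dst, sport, dport, payload=l4[8:ulen])
    if proto == 6:   # TCP: data offset (32-bit words) skips the header and options
        sport, dport = struct.unpack("!HH", l4[:4])
        return Packet("tcp", src, dst, sport, dport, payload=l4[(l4[12] >> 4) * 4:])
    raise ValueError(f"unsupported IP protocol {proto}")

def parse_rule(line: str) -> Rule:
    # Options split on ';', quotes stripped; |hex| content and escaped ';' are not handled.
    *header, body = RULE_HEADER.match(line.strip()).groups()
    pairs = (opt.partition(":") for opt in body.split(";") if opt.strip())
    return Rule(*header, [(k.strip(), v.strip().strip('"')) for k, _, v in pairs])

def header_matches(rule: Rule, pkt: Packet, variables: dict) -> bool:
    src, sport, dst, dport = (variables[s[1:]] if s.startswith("$") else s
                              for s in (rule.src, rule.sport, rule.dst, rule.dport))
    in_net = lambda spec, ip: spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    on_port = lambda spec, port: spec == "any" or int(spec) == port
    if rule.proto != pkt.proto or not (in_net(src, pkt.src) and in_net(dst, pkt.dst)):
        return False
    return pkt.proto == "icmp" or (on_port(sport, pkt.sport) and on_port(dport, pkt.dport))  # icmp rules ignore ports

def options_match(rule: Rule, pkt: Packet) -> bool:
    nocase = ("nocase", "") in rule.options  # simplification: nocase applies to every content
    for key, val in rule.options:
        if key in ("itype", "icode") and getattr(pkt, key) != int(val):
            return False
        if key == "dsize" and not dsize_ok(val, len(pkt.payload)):
            return False
        if key == "content":
            hay, needle = (pkt.payload.lower(), val.encode().lower()) if nocase else (pkt.payload, val.encode())
            if needle not in hay:
                return False
    return True

def alerts_for(rules_text: str, hexdump: str, variables: dict = VARIABLES) -> list:
    # Sorted sids firing on one packet. Not modelled: 'ip' rules, '!' negation, decoder alerts.
    pkt = decode(hexdump_to_bytes(hexdump))
    return sorted(int(dict(r.options)["sid"]) for r in map(parse_rule, rules_text.strip().splitlines())
                  if header_matches(r, pkt, variables) and options_match(r, pkt))
```

With the tutorial's HOME_NET any, packet 2 fires 10000004 and 10000006, packet 3 fires 10000005 and packet 20 fires 10000009, the same sids Snort printed above. Passing {"HOME_NET": "10.0.0.0/8"} instead makes 10000004 and 10000009 stop firing on these packets while 10000006, which names 192.168.10.2 literally, still does: once past the tutorial, set HOME_NET to the network you actually protect rather than any, otherwise every $HOME_NET rule applies to traffic in both directions.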

analysis of some rules provided with Snort

Here are a few rules taken from the rule files shipped with Snort:

TCP packets with null fields (ack, flags and seq), checked statelessly:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NULL"; flow:stateless; ack:0; flags:0; seq:0;)
typical NMAP packet: a ping with an empty payload:
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8;)
root login on a telnet server (matched in the data sent by the server):
alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET root login"; flow:from_server,established; content:"login|3A| root";)
FTP request containing the words RETR and passwd:
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"passwd"; )
HTTP request containing "/view-source" and "../" (traversal toward parent directories):
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI view-source directory traversal"; flow:to_server,established; uricontent:"/view-source"; nocase; content:"../"; nocase; )
tiny IP fragments (DDoS attack):
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Tiny Fragments"; dsize:< 25; fragbits:M;)
typical Linux shellcode:
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE Linux shellcode"; content:"|90 90 90 E8 DC FF FF FF|/bin/sh"; )
packets whose IP protocol field is greater than 134 (unassigned or reserved):
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC Unassigned/Reserved IP protocol"; ip_proto:>134; )
packets sent to port 23 containing a typical Linux rootkit string:
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt lrkr0x"; flow:to_server,established; content:"lrkr0x";)
typical eMule string:
alert tcp $HOME_NET 4711 -> $EXTERNAL_NET any (msg:"P2P eDonkey server response"; flow:established,from_server; content:"Server|3A| eMule";)
known virus signature (executable attachment on outbound SMTP, checked with a pcre):
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND bad file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[tw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]/iR";)
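As an added example (not part of the tutorial), the pcre of the last rule above evaluated in Python against a few constructed MIME fragments, so you can see what the pattern actually accepts. Two details are worth seeing in action: the lookahead (?=[abcdehijlmnoprsvwx]) is a cheap first-letter filter that rejects most extensions before the long alternation is tried, and the /R modifier makes the pcre search relative to the preceding content match, which flagged_extension() emulates by searching only from the Content-Disposition header onward. The sample fragments and the function names are mine.

```python
import re

# The pcre from the "VIRUS OUTBOUND bad file attachment" rule quoted above. Snort's /i
# modifier becomes re.IGNORECASE; /R (search relative to the previous content match)
# is emulated in flagged_extension() by starting the search after the header.
ATTACHMENT_PCRE = re.compile(
    r"filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])"
    r"(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?"
    r"|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)"
    r"|w(m[dfsz]|p[dmsz]|s[cfh])|xl[tw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]",
    re.IGNORECASE,
)
CONTENT_MATCH = "content-disposition:"  # the rule's content:"Content-Disposition|3A|"; nocase;


def flagged_extension(smtp_payload: str):
    """Return the extension the rule would match (lowercased), or None if it would not fire."""
    start = smtp_payload.lower().find(CONTENT_MATCH)
    if start < 0:  # the content option fails, so the pcre is never evaluated
        return None
    m = ATTACHMENT_PCRE.search(smtp_payload, start + len(CONTENT_MATCH))
    return m.group(1).lower() if m else None


# Constructed MIME fragments, not real mail traffic.
SAMPLES = {
    "exe attachment": 'Content-Type: application/octet-stream\r\nContent-Disposition: attachment; filename="invoice.exe"\r\n',
    "uppercase bat, single quotes": "Content-Disposition: attachment; filename='SETUP.BAT'\r\n",
    "unquoted, line ending as delimiter": "Content-Disposition: attachment; filename=setup.exe\r\n",
    "last extension wins": 'Content-Disposition: attachment; filename="report.pdf.scr"\r\n',
    "pdf attachment": 'Content-Disposition: attachment; filename="quarterly.pdf"\r\n',
    "filename outside the header": 'Subject: filename="x.exe"\r\nContent-Type: text/plain\r\n',
}


def scan(samples: dict) -> dict:
    """Map each sample to the extension that would trigger the rule, or None."""
    return {name: flagged_extension(text) for name, text in samples.items()}
```

The trailing class [\x27\x22\n\r\s] is what forces the extension to be the last one in the name: in report.pdf.scr the lazy .*? first stops at .pdf, the alternation fails, and the engine moves on to .scr, which is then followed by the closing quote.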

references

18) Snort manual, writing rules, pp. 118-119 - http://www.snort.org/docs
19) Writing Snort rules - http://www.groar.org/trad/snort/snort-faq/writing_snort_rules.html
20) The ICMP protocol - http://www.commentcamarche.net/contents/internet/icmp.php3

1 comment:

  1. I just needed a reminder of a few rules ;)

    Thank you very much for this tutorial!