Monthly Columns
 

Sniff your network with Snort, a lightweight IDS

Copyright © 1999 CyberPsychotic

The original ARPANET was a clubby network, unconcerned with security. Then the famous Morris Worm incident revealed serious vulnerabilities. Security has since become very important not only for large enterprises but also for small organizations and even home systems. In a busy Moscow bar, surly doormen keep the undesirables out if they don't like their looks. The Internet doesn't have any such "face control", and unwanted guests at the party want to break into your computers, bring down your services or just get on your nerves. Then again, this is no different from any crowd in a big city.

You can use a variety of tools to protect yourself. Building firewalls is a good start, but in certain cases you want to keep an eye on people poking around your system and trying to bypass your protection mechanisms. This is where an intrusion detection system (IDS) can help. There are currently several dozen commercial and open source intrusion detection systems. It's common practice to run several of them together to monitor network traffic, filesystem integrity, unusual events in log files and so on.

In this short overview I would like to introduce Snort, a lightweight network intrusion detection system. For attack detection, Snort uses signature recognition techniques. It analyzes network traffic for common patterns of network scans and possible exploits, and can flag suspicious behavior via standard syslogd or its own logging mechanism. Snort features a flexible rule-based logging specification, which allows you to perform protocol analysis and pattern matching on packet contents. The source code comes with a huge library of attack patterns, so you can set up a working system "out of the box".

Snort's network monitoring mechanism is based on the well-known pcap packet capture library, which makes Snort's code quite portable among various UNIX platforms. Currently Snort is known to run on Net/Open/FreeBSD (x86/m68k/sparc), Linux (i386), MkLinux (m68k), S/Linux (sparc), SunOS 4, Solaris (SunOS 5), HP-UX and MacOS X.

Basic Snort syntax is very simple and looks very much like the one used in the ipf packet filter. Using Snort rules you describe what sort of traffic you want the system to pay attention to, based on packet source, destination, port numbers, TCP flags, or packet content. You also specify what is to be done with packets matching the pattern, along with the corresponding message to be recorded in the log. Currently Snort has two levels of logging: plain logging with the "log" keyword and alerting with the "alert" keyword. Soon to come is a "kill" feature, which will make Snort a pro-active system that can kill connections based on pattern matching.

These sample rules show how you can specify which packets generate alert messages, and the message to be logged. The first group looks for various stealth scans on your network, as commonly used by nmap.

alert tcp any any -> 192.168.160.0/24 any (msg:"SYN FIN Scan"; flags: SF;)
alert tcp any any -> 192.168.160.0/24 any (msg:"FIN Scan"; flags: F;)
alert tcp any any -> 192.168.160.0/24 any (msg:"NULL Scan"; flags: 0;)
alert tcp any any -> 192.168.160.0/24 any (msg:"XMAS Scan"; flags: FPU;)
alert tcp any any -> 192.168.160.0/24 any (msg:"FULL XMAS Scan"; flags: SRAFPU;)

This second group looks for backdoor probes:

alert udp any any -> 192.168.160.0/24 31337 (msg:"Possible Back Orifice access";)
alert tcp any any -> 192.168.160.0/24 12345 (msg:"Possible Netbus access";)
alert udp any any -> 192.168.160.0/24 2140 (msg:"Possible Deep Throat access";)

This last example shows how you can trigger an alert based on the packet content:

alert tcp any any -> 192.168.160.0/24 143 (msg:"IMAP buffer overflow!"; content:"|E8 C0FF FFFF|/bin/sh";)
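To make the rule semantics above concrete, here is a small rule matcher written for this column; it is an added example, not Snort's own code. It parses rules of the same shape as the ones quoted (action, protocol, source, destination, and an option block with msg, flags and content), decodes the |..| hex notation in content strings, and reports which rules a packet would trigger. The packets and the rule text are constructed for the example; flags are treated as an exact match on the TCP flag byte, which is what a bare flags: option means.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample rules in Snort 1.x syntax (the same kind quoted in the article).
RULES_TEXT = """
# stealth scans: the flags option is an exact match on the TCP flag byte
alert tcp any any -> 192.168.160.0/24 any (msg:"SYN FIN Scan"; flags: SF;)
alert tcp any any -> 192.168.160.0/24 any (msg:"NULL Scan"; flags: 0;)
# backdoor probe: only protocol, destination net and port matter
alert udp any any -> 192.168.160.0/24 31337 (msg:"Possible Back Orifice access";)
# payload match: bytes between pipes are hex, everything else is literal text
alert tcp any any -> 192.168.160.0/24 143 (msg:"IMAP buffer overflow!"; content:"|E8 C0FF FFFF|/bin/sh";)
"""

FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
OPTION_RE = re.compile(r'(\w+)\s*:\s*("[^"]*"|[^;]*);')


@dataclass
class Rule:
    action: str
    proto: str
    src: Optional[ipaddress.IPv4Network]   # None stands for "any"
    sport: Optional[int]
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int]
    msg: str
    flags: Optional[int] = None            # exact TCP flag byte the rule requires
    content: Optional[bytes] = None        # byte string that must appear in the payload


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""       # TCP flag letters as set on the wire, e.g. "SA"
    payload: bytes = b""


def flags_to_bits(letters: str) -> int:
    """'SF' -> 0x03; '0' (Snort's spelling for no flags at all) -> 0."""
    if letters == "0":
        return 0
    return sum(FLAG_BITS[c] for c in letters)


def decode_content(spec: str) -> bytes:
    """Decode a content string: |..| sections are hex bytes, the rest is literal."""
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        if i % 2 == 1:
            out += bytes.fromhex(chunk.replace(" ", ""))
        else:
            out += chunk.encode("latin-1")
    return bytes(out)


def _net(spec: str) -> Optional[ipaddress.IPv4Network]:
    return None if spec == "any" else ipaddress.ip_network(spec, strict=False)


def _port(spec: str) -> Optional[int]:
    return None if spec == "any" else int(spec)


def parse_rules(text: str) -> list:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line}")
        opts = {k: v.strip().strip('"') for k, v in OPTION_RE.findall(m["opts"])}
        rules.append(Rule(
            action=m["action"], proto=m["proto"],
            src=_net(m["src"]), sport=_port(m["sport"]),
            dst=_net(m["dst"]), dport=_port(m["dport"]),
            msg=opts.get("msg", ""),
            flags=flags_to_bits(opts["flags"]) if "flags" in opts else None,
            content=decode_content(opts["content"]) if "content" in opts else None,
        ))
    return rules


def _in(net: Optional[ipaddress.IPv4Network], addr: str) -> bool:
    return net is None or ipaddress.ip_address(addr) in net


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != pkt.proto:
        return False
    if not (_in(rule.src, pkt.src) and _in(rule.dst, pkt.dst)):
        return False
    if rule.sport not in (None, pkt.sport) or rule.dport not in (None, pkt.dport):
        return False
    if rule.flags is not None and flags_to_bits(pkt.flags or "0") != rule.flags:
        return False
    if rule.content is not None and rule.content not in pkt.payload:
        return False
    return True


def alerts(rules: list, pkt: Packet) -> list:
    """Return the msg of every alert rule the packet triggers, in rule order."""
    return [r.msg for r in rules if r.action == "alert" and matches(r, pkt)]


RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    scan = Packet("tcp", "10.0.0.5", 40000, "192.168.160.10", 22, flags="SF")
    print(alerts(RULES, scan))
```

Feeding the matcher a SYN/FIN segment aimed at the monitored /24 reports the "SYN FIN Scan" rule only, while the same segment aimed outside that network reports nothing; a packet to port 143 whose payload carries the decoded byte sequence fires the content rule regardless of its flags, which is exactly why the header part of a rule is cheap to evaluate and the content part is what costs time on a busy link.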

If you're interested in giving Snort a try or joining the development team, have a look at Martin Roesch's website <http://www.clark.net/~roesch/security.html> for source code and several precompiled binaries in tarballs and rpm packages. The team also runs several mailing lists for Snort-related discussions:

snort - general mailing list for discussions and development
snort-digest - digest of the mailing list above
snort-announce - announcements, updates and bugfixes

The mailing lists are served by majordomo@bofh.kyrnet.kg; send the usual "subscribe listname" email to get connected.


References:
Snort primary site:
http://www.clark.net/~roesch/security.html
IDS FAQ:
http://www.ticm.com/kb/faq/idsfaq.html
Most complete list of currently developed IDS:
http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html

Fyodor (aka CyberPsychotic), fygrave@tigerteam.net