Friday, December 29, 2006

Snort Report 1 Posted

SearchSecurityChannel.com (SSC) has posted my first Snort Report. This is a new monthly series I'm writing for SSC that is starting at ground zero with Snort and working towards greater levels of complexity.

I thought it would be helpful to begin by explaining how to install Snort in a manner that allows easy testing of new versions while running older versions. I also discuss the modes Snort supports. Next month I describe the snort.conf file and show how to get Snort to perform useful work in IDS mode without using a single rule.

Is there some aspect of Snort you'd like to know more about? I may not have all the answers tumbling around in my head, but I can do research and ask some of the best Snort minds around if necessary.

10 comments:

Anonymous said...

Exciting, will follow this series *every* month. Good work!

/Niklas

Btw, just stumbled onto this app.
"BGPlay is a Java application which displays animated graphs of the routing activity of a certain prefix within a specified time interval"
http://www.ris.ripe.net/bgplay/

beast said...

Hm. I'm unable to read that. I've tried searching the site. The site search found the article, but then I got a 404.

Richard Bejtlich said...

beast, I just accessed it at the link provided.

cseifert said...

Richard, very nice article. Looking forward to the follow on articles.

I assume you will be covering Snort in IDS mode more in a future article. I ran into some issues using Snort in this mode when I attempted to inspect web traffic with the web-client rules that might be worth mentioning when you go into configuration and rules:

Out of the box, Snort is not optimally configured to inspect web traffic due to performance optimizations. In particular, it doesn't seem to inspect the HTTP response, and it only inspects the first few hundred bytes of the payload (which usually covers the URI and headers, but not the content of the HTTP response). In order to "turn on" full inspection of web traffic, one needs to tell the stream4 preprocessor to reassemble the traffic on both the client and the server side (preprocessor stream4_reassemble: both) and tell the http_inspect preprocessor to consider the entire payload (to preprocessor http_inspect_server one needs to add the option flow_depth 0).

Once Snort is configured to inspect all web traffic, that doesn't necessarily mean that its rule matching will work. First, it will be blind to encrypted traffic. Second, it will be blind to compressed traffic (e.g. gzip compression, which is supported by IE and many web servers). I suppose one could work around some of these issues by forcing all web traffic over a proxy and configuring the proxy not to use compression... I haven't confirmed this yet.

Well, I am sure there are many more pitfalls like these that are not obvious from the snort quick start guide. If you ran into some similar issues, I would be interested in learning about those.

Also, since you ask for further interests in Snort, I have some more ideas: signature matching is prone to obfuscation, insertion and evasion attacks. The preprocessors are trying to do their part here to improve the situation. However, in particular in the area of web-based attacks, the door still seems to be wide open to work around detection (see vomm). I have attempted to address these obfuscation attempts by permuting rules using different encoding schemes (snort rule permutator; still evaluating the effectiveness of these techniques on the false negative rate). I was wondering whether you have any suggestions on how to further counter obfuscation, insertion and evasion attacks?

Cheers – Greetings from New Zealand.

Christian
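A toy model of the inspection gap Christian describes above, added here as an illustration (it is not code from the post, and it is not Snort's engine): a response whose pattern sits beyond the first few hundred bytes is missed under a bounded depth, seen with depth 0, and missed again once the body is gzip-compressed, which is why a proxy that disables compression was suggested. The marker string and the 300-byte depth are constructed values.

```python
import gzip

# Constructed sample: the suspicious marker sits deep in the body, past the
# first few hundred bytes that a bounded inspection depth would cover.
PADDING = b"A" * 1000
MARKER = b"<script>evil_marker</script>"  # placeholder pattern, not a real rule


def build_response(body: bytes, gzip_body: bool = False) -> bytes:
    """Assemble a minimal HTTP/1.1 response; optionally gzip-encode the body."""
    headers = [b"HTTP/1.1 200 OK", b"Content-Type: text/html"]
    if gzip_body:
        body = gzip.compress(body)
        headers.append(b"Content-Encoding: gzip")
    headers.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


def inspected_bytes(response: bytes, flow_depth: int) -> bytes:
    """Model of the flow_depth knob: 0 means the whole server payload,
    any other value means only the first flow_depth bytes are examined."""
    return response if flow_depth == 0 else response[:flow_depth]


def matches(response: bytes, pattern: bytes, flow_depth: int) -> bool:
    """Simplified content match over the inspected part of the payload.
    Note that the match runs on the bytes on the wire: a compressed body
    does not contain the plaintext pattern, so it is never matched here."""
    return pattern in inspected_bytes(response, flow_depth)


def body_as_proxy_would_forward(response: bytes) -> bytes:
    """What the body looks like after a proxy that strips compression,
    i.e. the plaintext an inspector behind such a proxy would actually see."""
    head, _, body = response.partition(b"\r\n\r\n")
    if b"Content-Encoding: gzip" in head:
        body = gzip.decompress(body)
    return body
```

Running `matches(build_response(PADDING + MARKER), MARKER, 300)` returns False while depth 0 returns True; the gzip variant returns False at any depth until `body_as_proxy_would_forward` has decompressed it.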

Adam said...

Richard, I'd like to see you cover both hardware and software performance issues.

Anonymous said...

Look forward to this series of articles and hope to see benchmarks on Snort running on various OS's (FreeBSD, RH, Gentoo, etc.) and hardware.

Anonymous said...

When I tried installing Snort-2.6.1.2 on OpenBSD 4.0 with
./configure --enable-dynamicplugin --prefix=/usr/local/stow/snort-2.6.1.2
it seemed to work fine. However, I got the following error when trying to run Snort in IDS mode.

Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
Warning: No dynamic libraries found in directory /usr/local/lib/snort_dynamicpreprocessor/!
Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
/etc/snort/snort.conf(573) unknown dynamic preprocessor "ftp_telnet"
/etc/snort/snort.conf(577) unknown dynamic preprocessor "ftp_telnet_protocol"
/etc/snort/snort.conf(591) unknown dynamic preprocessor "ftp_telnet_protocol"
/etc/snort/snort.conf(596) unknown dynamic preprocessor "ftp_telnet_protocol"
/etc/snort/snort.conf(622) unknown dynamic preprocessor "smtp"
/etc/snort/snort.conf(777) unknown dynamic preprocessor "dcerpc"
/etc/snort/snort.conf(795) unknown dynamic preprocessor "dns"
ERROR: Misconfigured dynamic preprocessor(s)
Fatal Error, Quitting..


# ls /usr/local/lib/snort_dynamicpreprocessor/
libsf_dcerpc_preproc.a libsf_ftptelnet_preproc.so.0.0
libsf_dcerpc_preproc.la libsf_smtp_preproc.a
libsf_dcerpc_preproc.so.0.0 libsf_smtp_preproc.la
libsf_dns_preproc.a libsf_smtp_preproc.so.0.0
libsf_dns_preproc.la libsf_ssh_preproc.a
libsf_dns_preproc.so.0.0 libsf_ssh_preproc.la
libsf_ftptelnet_preproc.a libsf_ssh_preproc.so.0.0
libsf_ftptelnet_preproc.la

I'm trying to learn *nix and IDSs at the same time. I got pretty far in the Sguil installation but am stuck here. Do you have any ideas on what I can do to fix this?

Richard Bejtlich said...

OpenBSD user: my fourth article will cover the dynamic preprocessors. Until then you might want to post your question and your snort.conf to the snort-users mailing list.

Anonymous said...

Working on that now Richard, thanks for the quick reply.
