Friday, April 06, 2007

Snort 3.0 Alpha and IPv6

For the past few days I've been playing with alpha code for Snort 3.0, recently announced. One of the most interesting aspects of Snort 3.0 is the fact that operation is controlled by a Lua interpreter. It's a little like logging into a Cisco router and it's going to change the way everyone uses and interacts with Snort.

I tested snort-03.0.0.a1.4 on a FreeBSD 6.x box with the lua-5.1.1_2 package installed. I compiled it:

$ ./configure --with-lua-includes=/usr/local/include/lua51/ \
    --with-lua-libraries=/usr/local/lib/lua51/ \
    --prefix=/usr/local/snort-03.0.0.a1.4/
$ make
$ make install

The alpha code does not have a detection engine yet. It's like the original Snort -- it's only a packet decoder. I thought you might like to see what it looks like when Snort 3.0 decodes IPv6 packets. I'm using this IPv6-only FreeBSD scenario.

When you start Snort, it activates but does nothing until you tell it.

cel433:/usr/local/snort-03.0.0.a1.4/bin# ./snort
[*] DAQ Modules Loaded...
[*] Loading decoder modules
[+] Loaded ethernet
[+] Loaded null
[+] Loaded arp
[+] Loaded ip
[+] Loaded tcp
[+] Loaded udp
[+] Loaded icmp
[+] Loaded icmp6
[+] Loaded gre
[+] Loaded mpls
[+] Loaded 8021q
[+] Loaded ipv6
[+] Loaded ppp
[+] Loaded pppoe
[+] Loaded raw
[*] Decoder initialized...
[*] Flow manager initialized...
[*] Data source subsystem loaded
[*] Engine manager initialized
[*] Loading command interface
[!] Loading sfips command metatable
[!] Loading data source command metatable
[!] Loading engine command metatable
,,_ -*> Snort! <*-
o" )~ Version 03.0.0.a1.4 (Build 7) [PRE-ALPHA]
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 2006 Sourcefire Inc.

You tell Snort to begin sniffing using these commands.

> dofile("/usr/local/src/snort-03.0.0.a1.4/etc/snort.lua")
snort> fsniff("fxp0")
Creating new data source
Engine "e2" created
Linking engine "e2" to data source "src2"
init_pcap: Initializing network interface fxp0
init_pcap: netmask lookup for device fxp0: fxp0: no IPv4 address assigned
Device type is Ethernet on interface fxp0
Flow manager "a5a891c4-e448-11db-b5e1-00045a7822bf" created with 16384 flow capacity
[*] Data Source Config:
Name: src2
Type: pcap
Interface: fxp0
Filename:
Snaplen: 1514
Flags: 0x00000002
Display: ethernet (4)
Filter command:
DAQ: 0x807e400
User Context: 0x808f3c0
User Data: 0x0
Max flows: 16384
Max idle: 10
Memcap: 10000000
[*] Flow Manager Config:
Max flows: 16384
Max idle: 10
Memcap: 10000000
[*] DAQ config:
Interface: fxp0
Snaplen: 1514
Datalink: 1
Count: 0
Packet Count: 0
Promisc flag: 1
File flag: 0
pcap ptr: 0x80ac400
analysis context ptr: 0x80a9600
[*] Spawning engine thread!

I generate ICMPv6 traffic that Snort can see.

mwmicro:/home/string$ ping6 -c 1 p200
PING6(56=40+8+8 bytes) fe80::200:d1ff:feed:8c74%sf3 --> fe80::204:5aff:fe79:43a7%sf3
16 bytes from fe80::204:5aff:fe79:43a7%sf3, icmp_seq=0 hlim=64 time=1.131 ms

--- p200 ping6 statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.131/1.131/1.131/0.000 ms

Here is what Snort reports.

snort> [*] Packet on interface fxp0
[*] Packet Info
Serial: 1
Packet Time: 04/06-14:11:13.098377
Packet Bytes: 70
Captured Bytes: 70
Layers: 4
[*] Ethernet (14 bytes)
Source MAC Address: 00:00:D1:ED:8C:74
Dest MAC Address: 00:04:5A:79:43:A7
Encapsulated Protocol: IPv6
[*] Internet Protocol version 6 (40 bytes)
Version: 6
Class: 0 (0x0)
Flow Tag: 96 (0x60)
Packet Length: 16
Next Header: ipv6-icmp
Hop Limit: 64
Src Addr: fe80::200:d1ff:feed:8c74
Dst Addr: fe80::204:5aff:fe79:43a7
[*] Internet Control Message Protocol Version 6
Type: 128 (Echo Request)
Code: 0
Id: 11124
Seq: 0
Checksum: 22822 (INVALID 0000)
[*] Payload (8 bytes)
0x0000: 46 16 55 0E 00 0A 64 63 F.U...dc

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[*] Packet on interface fxp0
[*] Packet Info
Serial: 2
Packet Time: 04/06-14:11:13.098802
Packet Bytes: 70
Captured Bytes: 70
Layers: 4
[*] Ethernet (14 bytes)
Source MAC Address: 00:04:5A:79:43:A7
Dest MAC Address: 00:00:D1:ED:8C:74
Encapsulated Protocol: IPv6
[*] Internet Protocol version 6 (40 bytes)
Version: 6
Class: 0 (0x0)
Flow Tag: 96 (0x60)
Packet Length: 16
Next Header: ipv6-icmp
Hop Limit: 64
Src Addr: fe80::204:5aff:fe79:43a7
Dst Addr: fe80::200:d1ff:feed:8c74
[*] Internet Control Message Protocol Version 6
Type: 129 (Echo Reply)
Code: 0
Id: 11124
Seq: 0
Checksum: 22566 (INVALID 0000)
[*] Payload (8 bytes)
0x0000: 46 16 55 0E 00 0A 64 63 F.U...dc

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[*] Packet on interface fxp0
[*] Packet Info
Serial: 3
Packet Time: 04/06-14:11:18.096779
Packet Bytes: 86
Captured Bytes: 86
Layers: 4
[*] Ethernet (14 bytes)
Source MAC Address: 00:00:D1:ED:8C:74
Dest MAC Address: 00:04:5A:79:43:A7
Encapsulated Protocol: IPv6
[*] Internet Protocol version 6 (40 bytes)
Version: 6
Class: 0 (0x0)
Flow Tag: 96 (0x60)
Packet Length: 32
Next Header: ipv6-icmp
Hop Limit: 255
Src Addr: fe80::200:d1ff:feed:8c74
Dst Addr: fe80::204:5aff:fe79:43a7
[*] Internet Control Message Protocol Version 6
Type: 135 (ND Neighbor Solicitation)
Code: 0
Checksum: 32787 (INVALID 0000)
[*] Payload (8 bytes)
0x0000: 01 01 00 00 D1 ED 8C 74 .......t

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[*] Packet on interface fxp0
[*] Packet Info
Serial: 4
Packet Time: 04/06-14:11:18.097203
Packet Bytes: 78
Captured Bytes: 78
Layers: 4
[*] Ethernet (14 bytes)
Source MAC Address: 00:04:5A:79:43:A7
Dest MAC Address: 00:00:D1:ED:8C:74
Encapsulated Protocol: IPv6
[*] Internet Protocol version 6 (40 bytes)
Version: 6
Class: 0 (0x0)
Flow Tag: 96 (0x60)
Packet Length: 24
Next Header: ipv6-icmp
Hop Limit: 255
Src Addr: fe80::204:5aff:fe79:43a7
Dst Addr: fe80::200:d1ff:feed:8c74
[*] Internet Control Message Protocol Version 6
Type: 136 (ND Neighbor Advertisement)
Code: 0
Checksum: 40574 (INVALID 0000)
[*] Payload (8 bytes)
0x0000: 02 04 5A FF FE 79 43 A7 ..Z..yC.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[*] Packet on interface fxp0
[*] Packet Info
Serial: 5
Packet Time: 04/06-14:11:18.097456
Packet Bytes: 86
Captured Bytes: 86
Layers: 4
[*] Ethernet (14 bytes)
Source MAC Address: 00:04:5A:79:43:A7
Dest MAC Address: 00:00:D1:ED:8C:74
Encapsulated Protocol: IPv6
[*] Internet Protocol version 6 (40 bytes)
Version: 6
Class: 0 (0x0)
Flow Tag: 96 (0x60)
Packet Length: 32
Next Header: ipv6-icmp
Hop Limit: 255
Src Addr: fe80::204:5aff:fe79:43a7
Dst Addr: fe80::200:d1ff:feed:8c74
[*] Internet Control Message Protocol Version 6
Type: 135 (ND Neighbor Solicitation)
Code: 0
Checksum: 32787 (INVALID 0000)
[*] Payload (8 bytes)
0x0000: 01 01 00 04 5A 79 43 A7 ....ZyC.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[*] Packet on interface fxp0
[*] Packet Info
Serial: 6
Packet Time: 04/06-14:11:18.097744
Packet Bytes: 78
Captured Bytes: 78
Layers: 4
[*] Ethernet (14 bytes)
Source MAC Address: 00:00:D1:ED:8C:74
Dest MAC Address: 00:04:5A:79:43:A7
Encapsulated Protocol: IPv6
[*] Internet Protocol version 6 (40 bytes)
Version: 6
Class: 0 (0x0)
Flow Tag: 96 (0x60)
Packet Length: 24
Next Header: ipv6-icmp
Hop Limit: 255
Src Addr: fe80::200:d1ff:feed:8c74
Dst Addr: fe80::204:5aff:fe79:43a7
[*] Internet Control Message Protocol Version 6
Type: 136 (ND Neighbor Advertisement)
Code: 0
Checksum: 24128 (INVALID 0000)
[*] Payload (8 bytes)
0x0000: 02 00 D1 FF FE ED 8C 74 .......t

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Finally I tell Snort to shut down.

sfips.shutdown()
[*] SFIPS ACTIVE data source src2 received 6 packets on fxp0
Analyzed: 6 (100.000%)
Dropped: 0 (0.000%)
[-] Ethernet Stats:
Count: 6
[-] IPv6 Stats:
Count: 6
[-] ICMPv6 Stats:
Count: 6
Bad Csum: 6
[-] Raw Stats:
Count: 6
Bytes: 48
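The decoder marked every ICMPv6 checksum INVALID and the shutdown statistics count six bad checksums, yet the traffic was a normal echo exchange followed by neighbor discovery between two live hosts. As an added check that is not part of the original post, the Python below rebuilds the echo request and reply from the fields Snort printed (the two link-local addresses, type, Id, Seq and the eight payload bytes) and recomputes the ICMPv6 checksum the way RFC 4443 specifies: over the IPv6 pseudo-header plus the message. It reproduces exactly the values Snort displayed, 22822 for the request and 22566 for the reply, so the packets were sound and the INVALID marking comes from the alpha decoder's own calculation. The constant names (`MWMICRO`, `P200`, `ECHO_DATA`) and the helper functions are mine, not Snort's.

```python
import ipaddress
import struct

ICMPV6_NEXT_HEADER = 58  # IPv6 Next Header value for ICMPv6 (RFC 4443)

# Constructed from the decoder output above: Serial 1 (echo request) and Serial 2 (echo reply).
# The host names come from the ping6 session; the constant names are my labels, not Snort's.
MWMICRO = "fe80::200:d1ff:feed:8c74"  # ping6 sender
P200 = "fe80::204:5aff:fe79:43a7"     # ping6 target
ECHO_ID = 11124
ECHO_SEQ = 0
ECHO_DATA = bytes.fromhex("4616550e000a6463")  # the 8 payload bytes Snort printed
SNORT_REQUEST_CKSUM = 22822  # what Snort displayed for Serial 1
SNORT_REPLY_CKSUM = 22566    # what Snort displayed for Serial 2


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071 style)."""
    if len(data) % 2:
        data += b"\x00"  # an odd trailing byte is padded with zero for the sum
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: str, dst: str, upper_len: int) -> bytes:
    """IPv6 pseudo-header: src, dst, 32-bit upper-layer length, 3 zero bytes, next header."""
    return (
        ipaddress.IPv6Address(src).packed
        + ipaddress.IPv6Address(dst).packed
        + struct.pack("!I", upper_len)
        + struct.pack("!xxxB", ICMPV6_NEXT_HEADER)
    )


def icmpv6_checksum(src: str, dst: str, msg: bytes) -> int:
    """Sender side: checksum over pseudo-header + message with the checksum field zeroed."""
    zeroed = msg[:2] + b"\x00\x00" + msg[4:]
    return 0xFFFF ^ ones_complement_sum(pseudo_header(src, dst, len(msg)) + zeroed)


def icmpv6_checksum_ok(src: str, dst: str, msg: bytes) -> bool:
    """Receiver side: with the checksum left in place, the whole sum must come out to 0xFFFF."""
    return ones_complement_sum(pseudo_header(src, dst, len(msg)) + msg) == 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, data: bytes, checksum: int = 0) -> bytes:
    """ICMPv6 echo request (128) or reply (129): type, code, checksum, identifier, sequence, data."""
    return struct.pack("!BBHHH", icmp_type, 0, checksum, ident, seq) + data


def verify_echo_pair() -> dict:
    """Recompute both checksums from the printed fields and compare them with what Snort displayed."""
    request = build_echo(128, ECHO_ID, ECHO_SEQ, ECHO_DATA)
    reply = build_echo(129, ECHO_ID, ECHO_SEQ, ECHO_DATA)
    computed = {
        "request": icmpv6_checksum(MWMICRO, P200, request),
        "reply": icmpv6_checksum(P200, MWMICRO, reply),  # the reply travels the other way
    }
    computed["matches_snort"] = (
        computed["request"] == SNORT_REQUEST_CKSUM and computed["reply"] == SNORT_REPLY_CKSUM
    )
    return computed


if __name__ == "__main__":
    result = verify_echo_pair()
    print(f"echo request checksum: {result['request']} (Snort showed {SNORT_REQUEST_CKSUM})")
    print(f"echo reply checksum:   {result['reply']} (Snort showed {SNORT_REPLY_CKSUM})")
    wire = build_echo(128, ECHO_ID, ECHO_SEQ, ECHO_DATA, checksum=SNORT_REQUEST_CKSUM)
    print("request validates as received:", icmpv6_checksum_ok(MWMICRO, P200, wire))
    # Corrupt one payload byte: the same check now fails, which is what a genuinely bad checksum looks like.
    print("corrupted copy validates:", icmpv6_checksum_ok(MWMICRO, P200, wire[:-1] + b"\x00"))
```

The pseudo-header is the part a decoder most easily gets wrong, and it is also what makes the check worth anything: a checksum computed only over the ICMPv6 bytes would still validate a message whose IPv6 addresses had been altered, while the pseudo-header ties the message to the addresses it was actually sent between. `icmpv6_checksum_ok` is the receive-side form of the test (sum to 0xFFFF with the checksum field in place), which is what a sensor should apply before trusting a "bad checksum" counter like the one in the shutdown statistics.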

This is obviously only the beginning. I plan to learn more about Lua to take advantage of the power in Snort 3.0.

1 comment:

Stephen Reese said...

Have you implemented any IPv6 Snort sensors using the 2.8.x branch? I've got IPv6 running internally and Snort 2.8.4 installed but I haven't found any rule sets or configuration examples...