[Debian]: Fwd: [lugbe] software tip of the day - snort
lilo,
as part of an article about snort for my local LUG, i wrote a short
piece that might well be of interest to those of you who are into
security. have a look!
----- Forwarded message from Mathias Gygax <buzz@eniac.ch.eu.org> -----
Date: Fri, 26 Nov 1999 17:18:17 +0100
From: Mathias Gygax <buzz@eniac.ch.eu.org>
To: linux@eniac.ch.eu.org, lugbe@lugbe.ch
Subject: [lugbe] software tip of the day - snort
Organization: ENIAC
lilo,
the software tip of the day goes to <drumroll> SNORT!
the tool is a network analyzer with built-in rule support. that makes it
easy to use, and it does a wonderful job as a lightweight NIDS (network
intrusion detection system). being based on libpcap (packet capture), it
is easy to integrate into an existing OpenBSD/GNU Linux system, and it
can read and analyze tcpdump output. it is especially frugal with
resources, but of course cannot offer everything a full-grown IDS can.
logging/alerts on a file and syslog basis. tons of options make any
tcp/ip freak's mouth water.
after a few adjustments to the rule library (snort-lib in my case) so
that various back-door programs are not detected (since the predefined
rules are very coarse and trigger too many false alarms in real-world
environments), the tool runs absolutely splendidly!
the "intrusions" detected by the bundled rule library include:
o stealth port scans/sweeps (and of course ordinary connect()s too)
o tcp fingerprinting (os detection)
o windows and unix traceroutes
o wingate scans
o various buffer overflows
o SMB netbios probes
o cgi probes for all common web servers (IIS and apache)
o tons of backdoors (caution: filtered very coarsely by dst ports)
o etc.
-[ conclusion: a must for all network administrators who do not have an
IDS yet and are looking for a simple, lightweight tool for it. runs here
on a 486 at 4.1 %CPU and 2.3 %MEM! for packet traces i still use
tcpdump, but snort's rules are kool^2. if there are problems i am
available as a contact at any time. ]-
the program can be found at:
Distribution Site:
http://www.clark.net/~roesch/security.html
Alternate Sites:
http://www.technotronic.com
http://packetstorm.securify.com
http://www.whitehats.com
Distributed with:
Trinux <http://www.trinux.org>
Debian Linux <http://www.debian.org> (yeeeeeeeesssss indeed!)
NetBSD <http://www.netbsd.org>
here is an excerpt from the readme:
******************************************************************************
DESCRIPTION
Snort is a libpcap-based packet sniffer/logger which can be used as a
lightweight network intrusion detection system. It features rules based logging
and can perform content searching/matching in addition to being used to detect
a variety of other attacks and probes, such as buffer overflows, stealth port
scans, CGI attacks, SMB probes, and much more. Snort has a real-time alerting
capability, with alerts being sent to syslog, a separate "alert" file, or even
to a Windows computer via Samba.
Packets are logged in their decoded form to directories which are generated
based upon the IP address of the remote peer. This allows Snort to be used as
a sort of "poor man's intrusion detection system" if you specify what traffic
you want to record and what to let through.
For instance, I use it to record traffic of interest to the six computers in
my office at work while I'm away on travel or gone for the weekend. It's
also nice for debugging network code since it shows you most of the Important
Stuff(TM) about your packets (as I see it anyway). The code is pretty easy
to modify to provide more complete packet decoding, so feel free to make
suggestions.
******************************************************************************
[*][USAGE]
Command line:
snort -[options] <filters>
Options:
-A <alert> Set <alert> mode to full, fast or none. Full mode
does normal "classic Snort"-style alerts to the alert
file. Fast mode just writes the timestamp, message,
IPs, and ports to the file. None turns off alerting.
-a Display ARP packets (very basic decoding right now)
-b Log packets in tcpdump format. All packets are logged
in their native binary state to a tcpdump formatted
log file called "snort.log". This option results in
much faster operation of the program since it doesn't
have to spend time in the packet binary->text
converters. Snort can effectively keep up with 100Mbps
networks in "-b" mode.
-c <cf> Use configuration file <cf>. This is the rules file
which tells the system what to log, alert on, or pass!
-d Dump the application layer data
-D Run Snort in daemon mode. Alerts are sent to
/var/log/snort.alert
-e Display/log the ethernet packet header data
-F <bpf> Read BPF filters from file <bpf>. Handy for those of
you running Snort as a SHADOW replacement or with a
love of super complex BPF filters.
-h <hn> Set the "home network" to <hn>, which is a class C IP
address something like 192.168.1.0 or whatever. If you
use this switch, traffic coming from external networks
will be formatted with the directional arrow of the
packet dump pointing right for incoming external
traffic, and left for outgoing internal traffic. Kind
of silly, but it looks nice.
-i <if> Use interface <if>. Defaults to eth0 on Linux, hme0 on
Solaris, and xl0 on FreeBSD.
-l <ld> Log packets to directory <ld>. Sets up a hierarchical
directory structure with the log directory as the base
starting directory, and the IP address of the remote
peer generating traffic as the directory in which packets
from that address are stored.
-M <wkstn> Send WinPopup messages to the list of workstations
contained in the <wkstn> file. This option requires
Samba to be resident and in the path of the machine
running Snort. The workstation file is simple: each
line of the file contains the SMB name of the box to
send the message to (no \\'s needed).
-n <num> Exit after processing <num> packets.
-N Turn off logging. Alerts still function normally.
-o Change the order in which the rules are applied to
packets. Instead of being applied in the standard
Alert->Pass->Log order, this will apply them in
Pass->Alert->Log order, allowing people to avoid having
to make huge BPF command line arguments to filter their
alert rules. User requested.
-p Turn off promiscuous mode sniffing. Useful for places
where that can screw up your network severely.
-r <tf> Read the tcpdump-generated file <tf>. This will cause
Snort to read and process the file fed to it. This is
useful if, for instance, you've got a bunch of Shadow
files that you want to process for content, or even if
you've got a bunch of reassembled packet fragments
which have been written into a tcpdump formatted file.
Now, I wonder where you might get one of those....?
-s Log alert messages to the syslog. On linux boxen, they
will appear in /var/log/secure.
-v Be verbose. Prints packets out to the console. There
is one big problem with verbose mode: it's still kind
of slow. If you are doing IDS work with Snort, don't
use the -v switch, you WILL drop packets (not many, but
some).
-V Show the version number and exit.
-? Show the usage summary and exit.
[*][FILTERS]:
The "filters" are standard BPF style filters as seen in TCPDump. Look
at the man page for TCPDump for docs on how to use it properly. In general,
you can give it a host, net or protocol to filter on and some logical statements
to tie it together and get the specific traffic you're interested in. For
example:
[zeus ~]# ./snort -h 192.168.1.0/24 -d -v host 192.168.1.1
records the traffic to and from host 192.168.1.1.
[zeus ~]# ./snort -h 192.168.1.0/24 -d -v net 192.168.1 and not host 192.168.1.1
records all traffic on the 192.168.1.0/24 class C subnet, but not traffic
to/from 192.168.1.1. Notice that the command line data specified after the
"-h" switch is formatted differently from the BPF commands provided at the end
of the command line. Sorry for the confusion, but I like the CIDR notation and
I'm not rewriting libpcap to make it consistent! Anyway, you get the picture.
Mail me if you have trouble with it.
As of version 1.3, you can use the -F switch to read your BPF filters in from
a file.
[*][RULES]:
New as of version 0.98 is the concept of rules. Now you can start to use
Snort as a real live intrusion detection system, albeit not quite as good as
commercial systems. The rules formats are fairly simple for now and are
covered in the "RULES.SAMPLE" file included in the distribution. Please look
there for complete explanations of how the rules system works.
The Alerts which are generated by the system are logged to a file named
(surprisingly enough) "alert". You can use something like "rt" or just "tail -f"
it to give a running display of system alerts. Alerts can also be sent to
syslog (and monitored with something like swatch), or they can be sent out as
WinPopup messages with smbclient. Check out the "INSTALL" file for information
on enabling the SMB alerting option.
Note that the system requires the use of the "-l" flag to redirect rules
based logging to a specific directory. If you don't specify a place for it to
go, it goes into /var/log/snort.
Rules are applied in the order in which they're entered in their class. In
other words, the Alert rules are applied in the order they're read out of the
rules file, and so on for Log and Pass rules.
******************************************************************************
--
chiba:~# for BILL in 6 6 6; do nuke; done
It took 124 years to destroy the world.
It took 42 years to destroy the world.
You win! 500 years without destruction!
----- End forwarded message -----
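The forwarded README explains two mechanisms that decide what snort does with a packet: the tcpdump-style BPF filter at the end of the command line, and the rule classes, applied Alert->Pass->Log by default or Pass->Alert->Log with "-o". The following Python model is an added example, not code from the mail, the LUG article or snort itself. It assumes a tiny BPF subset (host, net, and, or, not, parentheses), a simplified rule form (action, protocol, source net, destination net, destination port) rather than snort's real rule syntax, and the "first matching rule in class order wins" semantics the README states; all packets, networks and the port number 12345 are constructed for illustration. It shows why the author of the German text had to tune the bundled rules: with the default order, an alert rule fires even for traffic from a host you have a pass rule for, and only "-o" lets the pass rule suppress it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _net(arg):
    # Accept tcpdump shorthand ("net 192.168.1") as well as CIDR ("192.168.1.0/24").
    if "/" not in arg:
        octets = arg.split(".")
        arg = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
    return ipaddress.ip_network(arg, strict=False)


def compile_bpf(expr):
    """Compile a host/net/and/or/not expression into a predicate Packet -> bool.
    Precedence follows BPF: not binds tightest, then and, then or."""
    toks = expr.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def peek():
        return toks[pos] if pos < len(toks) else None

    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]

    def parse_or():
        left = parse_and()
        while peek() == "or":
            take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, parse_and())
        return left

    def parse_and():
        left = parse_not()
        while peek() == "and":
            take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, parse_not())
        return left

    def parse_not():
        if peek() == "not":
            take()
            inner = parse_not()
            return lambda p: not inner(p)
        tok = take()
        if tok == "(":
            inner = parse_or()
            if take() != ")":
                raise ValueError("missing ')'")
            return inner
        if tok == "host":          # matches either endpoint, as in tcpdump
            ip = ipaddress.ip_address(take())
            return lambda p: ip in (ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst))
        if tok == "net":
            net = _net(take())
            return lambda p: any(ipaddress.ip_address(a) in net for a in (p.src, p.dst))
        raise ValueError(f"unsupported token {tok!r}")

    pred = parse_or()
    if pos != len(toks):
        raise ValueError("trailing tokens")
    return pred


@dataclass(frozen=True)
class Rule:
    action: str            # "alert", "pass" or "log" (the three rule classes)
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # None = any destination port
    msg: str = ""

    def matches(self, pkt):
        if self.proto not in ("any", pkt.proto):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        for want, have in ((self.src, pkt.src), (self.dst, pkt.dst)):
            if want != "any" and ipaddress.ip_address(have) not in ipaddress.ip_network(want, strict=False):
                return False
        return True


CLASSIC = ("alert", "pass", "log")     # default class order
PASS_FIRST = ("pass", "alert", "log")  # the order selected by -o


def classify(rules, pkt, order=CLASSIC):
    """Action of the first matching rule: classes in `order`, file order inside a class.
    Assumed simplification: 'none' when nothing matches (neither alerted nor logged)."""
    for cls in order:
        for rule in rules:
            if rule.action == cls and rule.matches(pkt):
                return rule.action
    return "none"


def run(bpf, rules, packets, order=CLASSIC):
    """Apply the command-line BPF filter first (libpcap does this), then the rules."""
    keep = compile_bpf(bpf)
    return {p: classify(rules, p, order) for p in packets if keep(p)}


# Constructed rules and traffic; 192.168.1.10 plays the in-house scanner box.
RULES = [
    Rule("alert", "tcp", "any", "192.168.1.0/24", 12345, "probe of a constructed backdoor port"),
    Rule("pass", "tcp", "192.168.1.10/32", "any", None),
    Rule("log", "tcp", "any", "192.168.1.0/24", None),
]
PACKETS = [
    Packet("tcp", "192.168.1.10", 4000, "192.168.1.5", 12345),  # scanner hits the watched port
    Packet("tcp", "10.0.0.9", 4000, "192.168.1.5", 12345),      # outsider hits the watched port
    Packet("tcp", "10.0.0.9", 4001, "192.168.1.5", 80),         # ordinary web request
    Packet("tcp", "10.0.0.9", 4002, "192.168.1.1", 22),         # dropped by the BPF filter below
]
```

Running `run("net 192.168.1 and not host 192.168.1.1", RULES, PACKETS)` classifies the scanner's probe as "alert" under the default order, while the same call with `order=PASS_FIRST` returns "pass" for it; the outsider's probe is "alert" either way, the web request is "log", and the packet to 192.168.1.1 never reaches the rules because the BPF filter excludes it, mirroring the README's second command-line example.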
------------------------------------------------
To unsubscribe from the list, please send an e-mail
to majordomo@jfl.de containing
"unsubscribe debian-user-de <deine emailadresse>"
in the body.
In case of problems, please send a mail to: Jan.Otto@jfl.de
------------------------------------------------
Number of subscribed members: 768