What is an Intrusion Detection System?

• Works by packet sniffing
• Passively detects attacks or probes
• E.g. buffer overflow, port scans etc
• Used to correct configuration errors/failures
• May prevent intrusions by dropping packets

Deploying an IDS on switched networks

• Switches, unlike hubs, don't send all traffic on segment
• ...implies, no packet sniffing!
• Solutions
  1. Revert to hubs? Not optimal, adds failure points
  2. Smart switches with port spanning/mirroring capabilities? Expensive
  3. Using cable 'taps'? Challenge to set up with IDS

Deploying an IDS : where to place it

• Outside the firewall to analyse neighbourhood but waste of resources
• Inside firewall for optimal use : more precise policy

Snort : some history

• Dec 1998 : Created by Martin Roesch
• Developed by Sourcefire (founded in 2001 by Roesch)
• Snort used in Sourcefire in conjuction with other tools for IDS

Snort's modes

1. Packet sniffer
2. Packet logger
3. NIDS (Network Intrusion Detection System) mode
4. Inline mode

Snort decomposed

1. Packet sniffer decoder using pcap library
2. Preprocessor plugins which check for malformations, anomalies, and non-compliance
3. Detection engine which inspects traffic against rules base
4. Output and alert module

Snort's preprocessors

• frag2

  • Used against fragmentation attacks
  • Typically DoS attacks
  • Ping of Death attack (no longer a risk)

• stream4

  • Maintains state of TCP streams
  • Detects exploit strings broken down into multiple packets
  • Prevents TCP (half-open) scan

• stream4_reassemble

  • Attackers create packets with wrong checksums
  • ...which are dropped by target
  • ...and IDS might miss attack, if not for reassemble

• HTTP_decode

  • Converts unicode, hex etc to be readable by snort

• TELNET_decode

  • Decodes/removes binary Telnet control codes on a stream
  • E.g SITE EXEC FTP to execute system commands

• ARPspoof

  • Address Resolution Protocol (ARP) used on ethernet networks to map @IP to @MAC
  • ARP spoofing for misdirecting traffic = sniffing possible on switched networks
  • ARPspoof detects spoofing attempts : source address != message address

• converstion and portscan

  • Detect port scans vertically (range of ports on 1 host)
  • Detect port scans horizontally (1 port on many hosts)

• fnord

  • Used against polymorphic shell code evasion attempts
  • Detects a large amount of no-effect instructions grouped together for Intel, Sparc, or HP hw
  • Downside : computationally intensive

Snort's rules set : where to get them

• Snort.org

  • Official rules, tested and certified
  • Developed by Sourcefire's Vulnerability Research Team

• Bleeding Snort Rules

  • Bleeding edge, and up-to-the-minute
  • Experimental, rather used in test enviroments

• Oinkmaster

  • Automatized tool to keep up to date
  • Highly configurable

Example : Shelob

• Developed by Shawn Austin, Matt Wilson, and Steve Corbin from University of Indianapolis
• Used to trap PCs infected with virus/spyware on a closed VLAN

• Shelob bundle composed of

  1. Snort
  2. Amavisd (interface between message transfer agents and content checking programs)
  3. NMAP (network scanner)

Conclusion

Snort is :

• Highly modular (preprocessors)
• Flexible thanks to its policy based rules
• Relatively rapid to put in place
• Lightweight

But :

• Requires a lot of time to maintatin