snort source code analysis


A fairly long article on the original SNORT source code. I hope it is of some help to friends who like SNORT or who are currently developing an IDS.
------ Mayi

1. Introduction to snort
Snort is a libpcap-based packet sniffer that can be used as a lightweight network intrusion detection system (NIDS). "Lightweight" means that detection should interfere as little as possible with the normal operation of the network. A good lightweight NIDS should run on several platforms, have minimal impact on the system, and allow the administrator to modify the security configuration in a short time and respond in real time; more importantly, it should be able to become an important member of an overall security architecture.
Snort is a typical example. First, it runs on multiple operating system platforms, such as the UNIX family and Windows 9X (which requires libpcap for Win32 support); compared with many commercial products, its dependence on the operating system is relatively low. Second, users can adjust the detection strategy to their needs in a short time. As for the types of attack detected, the latest data (2000/12/4) show that snort has 21 classes (???) with a total of 1271 detection rules, covering buffer overflows, port scans, CGI attacks and so on. SNORT integrates several mechanisms for real-time alerting, including syslog, a user-specified file, a UNIX socket, and WinPopup messages sent to Windows clients via SMBClient. In practical terms, as open-source software Snort not only fills the gap left by commercial intrusion detection systems but also helps administrators of small and medium-sized networks to monitor network traffic effectively and detect intrusions.

2. Comparison of snort with other tools
Snort's main uses are network monitoring, packet logging and intrusion detection. Below it is compared with a typical tool for each of these two functions.
1) snort versus tcpdump
Tcpdump is the classic sniffing tool; it is mainly used to record network data and as a tool for detecting and diagnosing network faults. What Snort has most in common with it is that both are based on libpcap and support the BPF filter mechanism, so essentially both call the same library functions to capture packets. But snort does not capture packets merely to record them: it parses them from a security point of view. Tcpdump analyses layer-2 and layer-3 packets for network troubleshooting, whereas snort mainly targets application-layer data in order to perform intrusion detection. Beyond this, tcpdump is designed to record traffic quickly, so it has a special output format that is fast but not easy to read, while snort provides a friendlier output format that lends itself to direct analysis by the system administrator.

Figure 1 - Typical Snort display of a telnet packet:
--------------------------------------------------------------------------
20:59:49.153313 0:10:4B:A9:66 -> 0:60:97:7:C2:8E type:0x800 len:0x7D
192.168.1.3:23 -> 192.168.1.4:1031 TCP TTL:64 TOS:0x10 DF
*** PA * Seq: 0xDF4A6536 Ack: 0xB3A6FD01 Win: 0x446A
FF FA 22 03 03 E2 03 04 82 0F 07 E2 1C 08 82 04 ..".............
09 C2 1A 0A 82 7F 0B 82 15 0F 82 11 10 82 13 FF ................
F0 0D 0A 46 72 65 65 42 53 44 20 28 65 6C 72 69 ... FreeBSD (elri
63 2E 68 6F 6D 65 2E 6E 65 74 29 20 28 74 74 79 c.home.net) (tty
70 30 29 0D 0A 0D 0A p0 )....
---------------------------------------------------------------------------
Figure 2 - The same telnet packet as displayed by tcpdump:
---------------------------------------------------------------------------
20:59:49.153313 0:10:4b:d:a9:66 0:60:97:7:c2:8e 0800 125: 192.168.1.3.23 >
192.168.1.4.1031: P 76:147 (71) ack 194 win 17514 (DF) [tos 0x10] (ttl 64,
id 660)
4510 006f 0294 4000 4006 b48d c0a8 0103
c0a8 0104 0017 0407 df4a 6536 b3a6 fd01
5018 446a d2ad 0000 fffa 2203 03e2 0304
820f 07e2 1c08 8204 09c2 1a0a 827f 0b82
150f 8211 1082 13ff f00d 0a46 7265 6542
5344 2028 656c 7269 632e 686f 6d65 2e6e
6574 2920 2874 7479 7030 290d 0a0d 0a
---------------------------------------------------------------------------
2) snort versus NFR
According to a survey of existing commercial network intrusion detection tools conducted by Denmac System Company in November 1999, NFR's overall performance index was higher than that of ISS's RealSecure and CA's SessionWall, so it represents the highest current international standard for an IDS and is a relatively mature commercial product. Snort's design resembles NFR in many respects, but it shows shortcomings in many areas; for example, it cannot perform IP defragmentation. As for the format of the detection rule language, NFR uses a deep scripting language, against which Snort's looks somewhat thin. Snort's advantage, however, is that it is open-source software: enthusiasts around the world can join in its development and upgrade it, so its prospects are not limited.
2. Principle
Snort is a NIDS. [Note: a network-based intrusion detection system (NIDS) works on the raw data of the network traffic in a shared network segment; by analysing the captured packets, its main work is to match intrusion signatures or to detect abnormal network behaviour, and then to raise an alert or record the intrusion.] In terms of detection mode, snort performs misuse detection. [Note: this method matches the signature patterns of known attacks; it includes passive sniffing with the network card in promiscuous mode, protocol analysis, and interpretation of a range of packet features.] Essentially, snort is a rule-based intrusion detection tool: for each intrusion, its characteristic values are extracted and written as a detection rule according to the rule specification, forming a rule database; captured packets are then matched one by one against the rule base, and a successful match means an intrusion has been identified. Currently, the snort rule database includes the following categories of intrusion:
Snort's structure is divided into three parts, as shown in Figure n-1:
l - Packet capture and decoding subsystem (capture packet mechanism from link layer and the packet decoder):
This subsystem captures data transmitted on the network and decodes the packets layer by layer according to the TCP/IP protocol stack. Snort uses the libpcap library for data collection; this library gives applications an interface for capturing packets directly from the link layer, and allows packet filters to be set that specify which data is captured (see Appendix N for details). The network data collection and analysis mechanism is the foundation of a NIDS; the most critical requirement is high speed with a low packet loss rate, which depends not only on the efficiency of the software but also on the processing power of the hardware. For the decoding mechanism, the ability to handle diverse packet types is also very important; at present snort can handle Ethernet, Token Ring, SLIP and other link types.
l - Detection engine (the detect engine): the detection engine is the core of a NIDS, and accuracy and speed are the important measures of its performance. The former depends mainly on how accurately intrusion signatures are extracted and how simple and practical the rules written from them are. Because a network intrusion detection system is itself passive (it can only inspect the data flowing through the network and cannot actively send packets to probe), intrusion signatures can only be reduced to the values of different fields of the protocol, and an intrusion is identified by detecting those characteristic values. The latter depends on the organisational structure of the engine, that is, on whether it can match rules quickly.

Snort uses a flexible plug-in mechanism to organise the rule base: the rules are divided into plug-ins according to the type of intrusion, and users can select the corresponding plug-in for detection. The plug-ins currently included are as follows:
Each category contains dozens of detection rules, representing different intrusions of the same type. For defining rules, snort uses a simple, lightweight rule description language; as already mentioned, detection ultimately comes down to inspecting the different fields of the packet's protocols, and the port number used by an intrusion, for example, is an important clue. To illustrate this more clearly, we give an example:
Attack name - NT IIS Showcode ASP
Attack type - gaining illegal access.
Attack description - by constructing a particular URL request, other files on the server can be read illegally: http://attack/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/../../.././boot.ini
Intrusion signature - IP address: an IP address outside the protected network segment
- Protocol type: TCP
- Port: 80
- TCP flags: PUSH, ACK
- Data segment: /selector/showcode.asp
CVE ID - CAN-1999-0736
Bugtraq ID - 167
From the above example we can see that the keys to detecting this intrusion are actually the port number and the content of the data segment; the IP address, protocol type and TCP flags are supporting signatures. But when the raw packet arrives, should the port and the data-segment content be matched directly? For this one intrusion that would certainly give the highest matching efficiency. In fact, however, it would lower the overall detection efficiency, because the system must inspect a huge volume of network data packet by packet: the features common to all intrusions should be tested first, followed by the individual features. The principle is, for example, that if the IP address is tested first and found not to lie within the range under inspection, the next packet is inspected immediately instead of continuing to test the other fields of this packet. This ensures fast detection and also improves the timeliness of alerting.
Snort's rules are defined according to the above principle: a detection rule is divided into two parts, the rule header and the rule options.
The former is common to all rules and includes the IP addresses, protocol type and port numbers; the latter contains the keyword fields appropriate to the particular rule, such as TCP flags or window size. Besides defining "what to test", a detection rule must also define "what to do on a match"; snort defines three types of action - alert (send an alert message), log (record the packet) and pass (ignore the packet) - and the action is the first keyword of the rule. The purpose of this design is very simple: to organise the whole rule base, all rules are sorted into three lists according to their action, which makes matching faster and more accurate and reflects the designer's ingenuity.
Below we give an example to illustrate the definition of a rule:
alert tcp !$HOME_NET any -> $HOME_NET 80 (msg: "CAN-1999-0736 - IIS-showcode"; flags: A; content: "/selector/showcode.asp"; nocase;)
This is the intrusion detection rule for the example shown in Table N. From this case the simple, practical basic format of the snort rule language can be seen:
<rule action> <protocol type> <source IP address> <source port> -> <destination IP address> <destination port> (<rule options>)
We will not go into the detailed rule-writing specification here; the following illustrates the key points and special features:
1. snort variables and operators: the main purpose of a NIDS is to protect a local network segment by detecting attacks from the external network on the internal network in time, so the IP addresses defined in rules are mainly of two kinds, external network addresses and internal network addresses. Snort therefore introduces a variable mechanism: a variable can be used in the IP address field of a rule, the user defines the variable with the actual subnet address before running, and when snort parses the detection rules it automatically substitutes the variable's value. This increases the flexibility of the rules, but it is only suitable for values such as the IP address that are basically the same across all rules.
To express the rules more precisely and to represent the detection range accurately, snort also defines three types of operator:
l - Negation operator "!"
For this purpose snort adds the negation character "!" to distinguish the internal network from the external network; see for example "!$HOME_NET" in case n.

l - Direction operators "->" and "<>"
Used to indicate the direction of transmission: one-way and two-way respectively.
l - Port range operator ":"
Used to represent a range of ports. For example, "600:" denotes port numbers greater than 600.
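As an added illustration (not code from the original article, and not Snort's own parser), the following C program parses a rule header in the format given above and matches a decoded packet against it, covering the "!" negation, the "->" and "<>" direction operators, the ":" port range and the substitution of the $HOME_NET variable. It also follows the ordering principle discussed earlier by testing the addresses before the ports, so a packet from the wrong network is rejected immediately. The $HOME_NET subnet (192.168.1.0/24), the ip4() helper, the Pkt structure and the sample packets are all constructed for the example; literal addresses and other variables are not handled. Note that Snort itself reads "600:" as port 600 and above, which is what the example implements.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed value for the $HOME_NET variable: 192.168.1.0/24.
 * In snort the user defines this before running; here it is an assumption. */
#define HOME_NET_ADDR 0xC0A80100u
#define HOME_NET_MASK 0xFFFFFF00u

typedef struct {
    char action[8];                              /* alert, log or pass */
    char proto[8];                               /* tcp, udp, icmp, ip */
    uint32_t src_net, src_mask; int src_neg;     /* "!" prefix sets src_neg */
    int src_lo, src_hi;                          /* port range, 0..65535 for "any" */
    int bidir;                                   /* 0 for "->", 1 for "<>" */
    uint32_t dst_net, dst_mask; int dst_neg;
    int dst_lo, dst_hi;
} RuleHeader;

/* Minimal stand-in for the decoded packet fields a header needs (constructed, not snort's Packet). */
typedef struct { uint32_t sip, dip; int sport, dport; } Pkt;

uint32_t ip4(int a, int b, int c, int d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* Address token: optional "!" then "any" or the $HOME_NET variable, which is
 * replaced by its subnet at parse time, as the text describes. */
static int parse_addr(const char *tok, uint32_t *net, uint32_t *mask, int *neg) {
    *neg = 0;
    if (*tok == '!') { *neg = 1; tok++; }
    if (strcmp(tok, "any") == 0)       { *net = 0; *mask = 0; return 1; }
    if (strcmp(tok, "$HOME_NET") == 0) { *net = HOME_NET_ADDR; *mask = HOME_NET_MASK; return 1; }
    return 0;  /* literal addresses and other variables are not handled in this example */
}

/* Port token: "any", "80", "600:" (600 and above), ":1023" (1023 and below) or "1:1023". */
static int parse_port(const char *tok, int *lo, int *hi) {
    const char *colon = strchr(tok, ':');
    if (strcmp(tok, "any") == 0) { *lo = 0; *hi = 65535; return 1; }
    if (colon == NULL)           { *lo = *hi = atoi(tok); return *lo >= 0 && *lo <= 65535; }
    *lo = (colon == tok)  ? 0     : atoi(tok);
    *hi = (colon[1] == 0) ? 65535 : atoi(colon + 1);
    return *lo <= *hi;
}

/* Parses "action proto src sport dir dst dport" and ignores any trailing "(options)". */
int parse_rule_header(const char *text, RuleHeader *r) {
    char buf[512], *tok[7];
    int n = 0;
    strncpy(buf, text, sizeof buf - 1); buf[sizeof buf - 1] = 0;
    for (char *p = strtok(buf, " \t"); p != NULL && n < 7; p = strtok(NULL, " \t")) tok[n++] = p;
    if (n != 7) return 0;
    strncpy(r->action, tok[0], 7); r->action[7] = 0;
    strncpy(r->proto,  tok[1], 7); r->proto[7]  = 0;
    if (!parse_addr(tok[2], &r->src_net, &r->src_mask, &r->src_neg)) return 0;
    if (!parse_port(tok[3], &r->src_lo, &r->src_hi)) return 0;
    if      (strcmp(tok[4], "->") == 0) r->bidir = 0;
    else if (strcmp(tok[4], "<>") == 0) r->bidir = 1;
    else return 0;
    if (!parse_addr(tok[5], &r->dst_net, &r->dst_mask, &r->dst_neg)) return 0;
    if (!parse_port(tok[6], &r->dst_lo, &r->dst_hi)) return 0;
    return 1;
}

static int addr_match(uint32_t ip, uint32_t net, uint32_t mask, int neg) {
    int in = ((ip & mask) == net);
    return neg ? !in : in;
}

/* One direction: the cheap address tests come first, so a packet from the wrong network is rejected at once. */
static int match_dir(const RuleHeader *r, uint32_t sip, int sport, uint32_t dip, int dport) {
    if (!addr_match(sip, r->src_net, r->src_mask, r->src_neg)) return 0;
    if (!addr_match(dip, r->dst_net, r->dst_mask, r->dst_neg)) return 0;
    return sport >= r->src_lo && sport <= r->src_hi && dport >= r->dst_lo && dport <= r->dst_hi;
}

/* Returns 1 when the header matches; "<>" rules are also tried with the packet's ends swapped. */
int header_match(const RuleHeader *r, const Pkt *p) {
    if (match_dir(r, p->sip, p->sport, p->dip, p->dport)) return 1;
    return r->bidir && match_dir(r, p->dip, p->dport, p->sip, p->sport);
}

int main(void) {
    RuleHeader r;
    Pkt outside = { ip4(10, 0, 0, 5), ip4(192, 168, 1, 4), 40000, 80 };   /* constructed */
    Pkt inside  = { ip4(192, 168, 1, 3), ip4(192, 168, 1, 4), 40000, 80 }; /* constructed */
    parse_rule_header("alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:\"IIS-showcode\";)", &r);
    printf("from outside: %d, from inside: %d\n", header_match(&r, &outside), header_match(&r, &inside));
    return 0;
}
```

The packet from inside $HOME_NET fails the negated source address before any port is looked at, which is exactly the early rejection the text argues for.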
2. Rule options
Rule options, as the important detection criteria, form the core of snort's intrusion detection engine; they are easy to use and at the same time very flexible and powerful. Flexibility means that different detection content can be specified for different behaviours using different options; power means that detection has a certain breadth and depth and that the options also define what to do when a match is detected. snort has 15 rule option keywords, of which the following specify the response after detection:
msg - print a message in the alert and packet log
logto - log the packet to a user-specified file instead of the standard output
resp - active response (cutting off the connection, etc.). The resp keyword lets a Snort rule respond flexibly to the flow that matched it (flexible response, FlexResp). The FlexResp code allows Snort to actively close a malicious connection. The legal parameters of the module are as follows:
rst_snd - send a TCP RST packet to the sender
rst_rcv - send a TCP RST packet to the receiver
rst_all - send TCP RST packets to both sender and receiver
icmp_net - send ICMP_NET_UNREACH
icmp_host - send ICMP_HOST_UNREACH
icmp_port - send ICMP_PORT_UNREACH
icmp_all - send all of the above ICMP packets.
As an intrusion detection system, in theory snort only needs to detect intrusions and does not need to respond to them, so this function should be regarded as an additional feature of SNORT. It is worth mentioning, though, that sending RST and ICMP UNREACH packets to the attacking side may stop its attack on the target host; a tool we studied, dsniff, uses tcpkill on the same principle to cut off illegal connections. For ordinary denial-of-service attacks, however, the method is less effective. For SNORT, implementing this function will inevitably reduce detection efficiency, especially when network traffic is heavy.
The other 12 keywords are detection fields set for the different protocols:
Keyword - detection content - mainly aimed at which attack behaviour
ttl - tests the ttl value of the IP header - used to detect traceroute
id - tests the id value of the IP header - detects the fixed id value used by some hacker attacks, for example one set to 31337
dsize - tests the size of the packet payload - buffer overflow attacks
content - searches the packet payload for the specified content - the single most important option: it searches the packet's data segment for the specified content and triggers the response when it is found; the content can be a mixture of text and binary data. Three auxiliary keywords are defined for it: offset, dsize and nocase
flags - tests the TCP flags value - illegal port scans, or other illegal probing of the host operating system type.
seq - tests the TCP sequence number - detects hosts that send a fixed, preset sequence number. An intruder can use such a value to pose as a legitimate user and send data, disguising it as normal communication to steal information or carry out other illegal activities.
ack - tests the TCP acknowledgement value - Nmap's TCP ping sets this value to 0, which can be used to identify illegal Nmap scans.
itype - tests the ICMP type value - denial-of-service attacks. Note: only as one of the features.
icode - tests the ICMP code value - suspicious traffic.
session - records the application-layer information of the session for the specified content - records the session data within a TCP session.
icmp_id - tests the ICMP ECHO ID value -
icmp_seq - tests the ICMP ECHO sequence number value -
ipoption - monitors the code of a specific IP option -
rpc - monitors calls to a specific application/procedure of the RPC service - detects illegal RPC requests: on seeing an RPC request it automatically decodes the application, procedure and program version, and the rule succeeds if all three values match.
3. Preprocessors
Preprocessors were introduced in Snort version 1.5. Their code is invoked before the detection engine runs and paves the way for detection, improving its accuracy and speed. The preprocessor system also uses the plug-in mechanism, so users and programmers can easily integrate modular plug-ins into Snort. The snort preprocessor modules currently available are the following three:
l - Minfrag
The Minfrag preprocessor checks fragmented packets against a given size threshold. Fragmentation of packets is usually caused by routers between the source and destination hosts. In general, commercial network equipment does not produce packet fragments smaller than 512 bytes. This fact can be used to monitor for traffic containing small fragments.
l - HTTP Decode
HTTP Decode handles HTTP URI strings, converting the string data into a readable ASCII string; it is used to detect the hidden (encoded) Web URLs used by HTTP scanners and malicious intruders.
l - Portscan Detector
The Snort Portscan preprocessor is used to:
record the start and end of a port scan from a source IP address with the standard logging facility;
if a log file is specified, also record the scan type and the destination IP addresses and ports. A port scan is defined as TCP connection attempts to more than P ports within T seconds, or UDP packets sent to more than P ports within T seconds. A port scan may be one IP address scanning many ports, or many IP addresses scanning the same port. The current version can handle one-to-one and one-to-many port scans; the next full version will be able to handle distributed port scans (many-to-one and many-to-many). Port scans also include single stealth-scan packets, such as NULL, FIN, SYNFIN, XMAS and so on. If stealth scans are included, the port scanner raises an alert for every scan packet.
Configuration: network to monitor - the target network of the port scan, in network/CIDR notation; number of ports - the number of ports accessed during the detection period; detection period - the time limit, in seconds, for counting port accesses; logdir/filename - the directory/file name in which the alert information is stored; alerts can also be written to the standard alert file.
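As an added example (not Snort's own portscan code), here is the detection rule just described in C: a source is flagged when it touches more than P distinct ports within a sliding window of T seconds, and each scan is reported once, at the moment the threshold is crossed. The structure names, table sizes, the printed message and the sample addresses and timestamps are assumptions made for the example; TCP connection attempts and UDP packets are fed in as the same kind of event.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SRC   16   /* sources tracked at once (kept small for the example) */
#define MAX_PORTS 64   /* distinct ports remembered per source */

typedef struct {
    uint32_t src;               /* scanning source IP */
    int n;                      /* distinct ports seen inside the window */
    int port[MAX_PORTS];
    double last[MAX_PORTS];     /* time the port was last touched */
    int in_scan;                /* alert already raised for the current scan */
} SrcState;

typedef struct {
    double window;              /* T: detection period in seconds */
    int threshold;              /* P: alert when more than P ports are hit within T */
    int nsrc;
    SrcState s[MAX_SRC];
    int alerts;                 /* scans detected so far */
} ScanDetector;

void scan_init(ScanDetector *d, double window_seconds, int port_threshold) {
    memset(d, 0, sizeof *d);
    d->window = window_seconds;
    d->threshold = port_threshold;
}

static SrcState *find_src(ScanDetector *d, uint32_t src) {
    for (int i = 0; i < d->nsrc; i++) if (d->s[i].src == src) return &d->s[i];
    if (d->nsrc == MAX_SRC) return NULL;       /* table full: not tracked in this small version */
    SrcState *st = &d->s[d->nsrc++];
    memset(st, 0, sizeof *st);
    st->src = src;
    return st;
}

/* Drop ports whose last access is older than the window (compacting the arrays). */
static void expire(SrcState *st, double now, double window) {
    int k = 0;
    for (int i = 0; i < st->n; i++) {
        if (now - st->last[i] <= window) { st->port[k] = st->port[i]; st->last[k] = st->last[i]; k++; }
    }
    st->n = k;
    if (st->n == 0) st->in_scan = 0;           /* the scan has ended; a later burst counts as a new scan */
}

/* Feed one TCP connection attempt or UDP packet. Returns 1 if this event starts a detected scan. */
int scan_observe(ScanDetector *d, double now, uint32_t src, int dport) {
    SrcState *st = find_src(d, src);
    if (st == NULL) return 0;
    expire(st, now, d->window);
    int i;
    for (i = 0; i < st->n; i++) if (st->port[i] == dport) { st->last[i] = now; break; }
    if (i == st->n && st->n < MAX_PORTS) { st->port[st->n] = dport; st->last[st->n] = now; st->n++; }
    if (st->n > d->threshold && !st->in_scan) {
        st->in_scan = 1;
        d->alerts++;
        printf("portscan from %u.%u.%u.%u: %d ports within %.0fs (start of scan)\n",
               src >> 24, (src >> 16) & 255, (src >> 8) & 255, src & 255, st->n, d->window);
        return 1;
    }
    return 0;
}

int main(void) {
    ScanDetector d;
    uint32_t scanner = 0x0A000001u;            /* constructed: 10.0.0.1 */
    int ports[] = { 21, 22, 23, 25, 80, 443 };
    scan_init(&d, 3.0, 4);                     /* T = 3 s, P = 4 */
    for (int i = 0; i < 6; i++) scan_observe(&d, 0.1 * i, scanner, ports[i]);
    printf("scans detected: %d\n", d.alerts);  /* 1 */
    return 0;
}
```

A host that hammers a single port never counts as a scan, and a slow probe that touches one port per second with T = 3 never has more than four ports inside the window, so neither produces an alert; this is the trade-off the T and P parameters express.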

l - Logging and alerting subsystem (logging/alerting subsystem)
The output of an intrusion detection system must be both real-time and diverse: the former means recording and alerting as soon as an intrusion is detected, the latter means being able to choose among a variety of ways of recording and alerting. A good NIDS should provide a friendly output interface, an audible alarm and so on.
Snort is a lightweight NIDS, but another of its important functions is that of a packet logger, so the main modes provided by this subsystem are:
1. Fast mode: record information in TCPDUMP format
2. Readable mode: record according to the protocol format, easy for the user to view.
3. Alert to syslog: send alert messages to syslog.
4. Alert to text file: record alert messages in clear text.
It is noteworthy that, for the times when users need high performance and network traffic is very heavy, snort can compress the packet information in order to alert quickly.
3. Program structure
1) Overall structure of snort
As a fine example of an open-source intrusion detection system, snort has a clear and ingenious overall program structure; we have analysed the source code of version 1.6.3 in depth. Snort consists of 64 .c and .h files in total. We first introduce the overall structure of the program; its flow chart is as follows:
The most critical function is ProcessPacket(); its flow chart is as follows:
2) Data structures
Snort's few main data structures are linked lists. As mentioned above, the trick of organising the snort rule base is to divide the rules into three lists according to their processing action; each list is further divided into three lists according to protocol type (TCP, IP and ICMP), and all rules are assigned to these lists. A member of a list is the structure describing one rule, RuleTreeNode; an important member of this structure is the list of functions for checking the rule, RuleFpList, since a rule sometimes needs to call several processing functions for its analysis. The other important member of the structure is the rule options structure, which contains the rule's option information and its own list of processing functions.
It is noteworthy that not every rule is assigned its own RuleTreeNode structure, because many rules share the same first part (the header) and differ only in their options; these rules only need different option chains with different processing function lists. The overall basic structure is shown in Figure n; all lists are initialised before packet capture begins.
Besides these lists, snort also defines lists of preprocessor and output keywords and their processing functions. The design intent is to use lists as the main means of implementing plug-ins, so that users can add and remove preprocessing function modules as required. The data structures are as follows:
typedef struct _PreprocessKeywordNode
{
    char *keyword;            // configuration keyword of the plug-in
    void (*func)(char *);     // setup function, receives the keyword's arguments
} PreprocessKeywordNode;
// Preprocessor keyword information structure.

typedef struct _PreprocessKeywordList
{
    PreprocessKeywordNode entry;
    struct _PreprocessKeywordList *next;
} PreprocessKeywordList;
// Preprocessor keyword list.

typedef struct _PreprocessFuncNode
{
    void (*func)(Packet *);   // per-packet function; Packet is snort's decoded packet structure
    struct _PreprocessFuncNode *next;
} PreprocessFuncNode;
// Preprocessor function list.
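The following added example (not Snort's own code) shows how the three structures above work together: a plug-in registers its configuration keyword in the keyword list, a configuration line such as "preprocessor minfrag: 128" is looked up there and its setup function appends a per-packet function to the function list, and every packet is then passed down that list before rule matching. The Packet structure is a three-field stand-in for Snort's; the function names RegisterPreprocessor, AddFuncToPreprocList, ParsePreprocessorLine and Preprocess, the minfrag-style check and the sample packets are all constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for snort's decoded Packet: only the fields this example needs (constructed). */
typedef struct {
    int is_frag;      /* is this an IP fragment? */
    int more_frags;   /* MF bit */
    int frag_len;     /* bytes of data carried by this fragment */
} Packet;

/* The three list structures from the text. */
typedef struct _PreprocessKeywordNode { char *keyword; void (*func)(char *); } PreprocessKeywordNode;
typedef struct _PreprocessKeywordList { PreprocessKeywordNode entry; struct _PreprocessKeywordList *next; } PreprocessKeywordList;
typedef struct _PreprocessFuncNode   { void (*func)(Packet *); struct _PreprocessFuncNode *next; } PreprocessFuncNode;

static PreprocessKeywordList *KeywordList = NULL;   /* config keyword -> setup function */
static PreprocessFuncNode *PreprocessList = NULL;   /* per-packet functions, run in order */

/* A plug-in registers its config keyword here at startup. */
void RegisterPreprocessor(char *keyword, void (*func)(char *)) {
    PreprocessKeywordList *n = malloc(sizeof *n);
    n->entry.keyword = keyword;
    n->entry.func = func;
    n->next = KeywordList;
    KeywordList = n;
}

/* The setup function appends the plug-in's per-packet function to the end of the chain. */
void AddFuncToPreprocList(void (*func)(Packet *)) {
    PreprocessFuncNode *n = malloc(sizeof *n), *t;
    n->func = func;
    n->next = NULL;
    if (PreprocessList == NULL) { PreprocessList = n; return; }
    for (t = PreprocessList; t->next != NULL; t = t->next) ;
    t->next = n;
}

/* Handles one config line of the form "preprocessor <keyword>: <args>".
 * Returns 1 if a registered keyword was found and its setup function called. */
int ParsePreprocessorLine(const char *line) {
    char buf[256], *kw, *args;
    strncpy(buf, line, sizeof buf - 1); buf[sizeof buf - 1] = 0;
    kw = strtok(buf, " \t");
    if (kw == NULL || strcmp(kw, "preprocessor") != 0) return 0;
    kw = strtok(NULL, " \t:");                 /* the keyword, up to the colon */
    if (kw == NULL) return 0;
    args = strtok(NULL, "");                   /* everything after the colon, or NULL */
    for (PreprocessKeywordList *k = KeywordList; k != NULL; k = k->next) {
        if (strcmp(k->entry.keyword, kw) == 0) { k->entry.func(args ? args : ""); return 1; }
    }
    return 0;
}

/* Runs every registered preprocessor on the packet, as snort does before rule matching. */
void Preprocess(Packet *p) {
    for (PreprocessFuncNode *f = PreprocessList; f != NULL; f = f->next) f->func(p);
}

/* ---- A minfrag-style plug-in built on the mechanism above ---- */
static int minfrag_threshold = 0;
static int minfrag_alerts = 0;

/* Non-final fragments smaller than the threshold are suspicious; the last fragment may legitimately be short. */
static void MinfragCheck(Packet *p) {
    if (p->is_frag && p->more_frags && p->frag_len < minfrag_threshold) minfrag_alerts++;
}
static void MinfragInit(char *args) {           /* args is the text after "minfrag:" */
    minfrag_threshold = atoi(args);
    AddFuncToPreprocList(MinfragCheck);
}
void SetupMinfrag(void) { RegisterPreprocessor("minfrag", MinfragInit); }
int  MinfragAlertCount(void) { return minfrag_alerts; }

int main(void) {
    Packet tiny = { 1, 1, 64 }, last = { 1, 0, 64 }, whole = { 0, 0, 0 };   /* constructed */
    SetupMinfrag();
    ParsePreprocessorLine("preprocessor minfrag: 128");
    Preprocess(&tiny); Preprocess(&last); Preprocess(&whole);
    printf("minfrag alerts: %d\n", MinfragAlertCount());   /* 1: only the tiny non-final fragment */
    return 0;
}
```

Adding a second preprocessor means adding one more Setup function that registers a keyword; nothing in the packet loop changes, which is the point of keeping the plug-ins in a list.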
All lists are initialised before packet capture. Once the lists have been built and packet capture starts, each received packet first passes through the functions in the preprocessor list in turn; then, in the default order, the three lists AlertList, PassList and LogList are traversed. While traversing a list, the sub-list is selected according to the packet's protocol type, and then each rule is matched through recursive function calls: the rule header is matched first, and if the header matches, the options are matched recursively; if it does not match, the next rule is tried directly. To speed up the traversal, the "content" match among the rule options uses the Boyer-Moore algorithm.
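As an added example of the "content" match mentioned above (not Snort's own implementation), here is a Boyer-Moore-Horspool search over a packet payload with optional nocase matching. It operates on raw bytes, so a pattern may mix text and binary data as a content option can; with nocase both the skip table and the comparison use the case-folded byte. The HTTP request line and the telnet bytes used as input are constructed for the example, the latter taken from the bytes shown in Figure 1.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case folding used when a rule carries "nocase". */
static unsigned char fold(unsigned char c, int nocase) {
    return (nocase && c >= 'A' && c <= 'Z') ? (unsigned char)(c + 32) : c;
}

/* Boyer-Moore-Horspool search for pat[0..m) in payload[0..n).
 * Returns the offset of the first occurrence, or -1 when absent. */
int content_search(const unsigned char *payload, size_t n,
                   const unsigned char *pat, size_t m, int nocase) {
    size_t skip[256];
    size_t pos, j;
    if (m == 0 || m > n) return -1;
    /* Bad-character table: how far the window may shift when its last byte is c. */
    for (j = 0; j < 256; j++) skip[j] = m;
    for (j = 0; j + 1 < m; j++) skip[fold(pat[j], nocase)] = m - 1 - j;
    pos = 0;
    while (pos + m <= n) {
        /* Compare right to left inside the window. */
        j = m;
        while (j > 0 && fold(payload[pos + j - 1], nocase) == fold(pat[j - 1], nocase)) j--;
        if (j == 0) return (int)pos;
        pos += skip[fold(payload[pos + m - 1], nocase)];   /* at least 1, at most m */
    }
    return -1;
}

/* Convenience wrapper for text patterns. */
int content_search_str(const unsigned char *payload, size_t n, const char *pat, int nocase) {
    return content_search(payload, n, (const unsigned char *)pat, strlen(pat), nocase);
}

int main(void) {
    /* Constructed HTTP request line resembling the showcode.asp example in the text. */
    const unsigned char req[] = "GET /msadc/Samples/SELECTOR/showcode.asp?source=/boot.ini HTTP/1.0\r\n";
    printf("nocase: %d\n", content_search_str(req, sizeof req - 1, "/selector/showcode.asp", 1));   /* 18 */
    printf("exact : %d\n", content_search_str(req, sizeof req - 1, "/selector/showcode.asp", 0));   /* -1 */
    return 0;
}
```

The two calls show why the example rule carries nocase: the request uses "SELECTOR" in upper case, so an exact match on "/selector/showcode.asp" would miss it.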
4. Improvements
1. Background
We believe that snort already has the basic functions of a NIDS and positions itself as a lightweight intrusion detection tool. Although, compared with commercial intrusion detection tools, its rule language is slightly rough and its alerting modes and graphical user interface reveal shortcomings, the program's overall structure is clear, its rule language is practical and simple, and it provides a plug-in facility, so users can add their own detection rules and processing functions; this is of very real significance for keeping the rule base up to date.
Our analysis shows that, compared with commercial NIDS, SNORT 1.6.3 has no functions for handling fragmented IP packets, so that, for example, the two types of attack that use illegal IP fragmentation, "Teardrop" and "Ping of Death", cannot be detected:
? - Teardrop - this attack targets the fact that the TCP/IP protocol stacks of many operating systems do not correctly handle the reassembly of fragmented IP packets. Its signature is the sending of two or more specially crafted IP datagram fragments. The first fragment has offset 0, a data segment length of N bytes, and the MF bit set; the second fragment is the last one (MF == 0), but its offset is less than N, so the two fragments overlap. When reassembling the packet, a vulnerable system allocates a very large space in its TCP/IP stack, so the target system exhausts its memory and stops responding or restarts.
? - Ping of Death - the signature of this attack is sending a large number of ICMP fragments to the target; when the fragments are reassembled, the data segment exceeds 65535 bytes, and because the system cannot handle such a packet it suffers a denial of service or restarts.
? -
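As an added example related to the two attacks just described (not part of the original article, and not Snort's own code), the following C function checks the fragments of one datagram for the two signatures the text gives: overlapping fragments (Teardrop) and a reassembled size above 65535 bytes (Ping of Death), together with a consistency check that only the MF == 0 fragment ends the datagram. The Frag structure, the flag values and the sample fragment sets are constructed for the example; offsets are expressed in bytes rather than in the 8-byte units of the IP header, and fragments may be supplied in any arrival order.

```c
#include <stdio.h>

/* One IP fragment of a datagram, as decoded from the IP header.
 * offset is given in bytes here (the header field counts 8-byte units). */
typedef struct {
    unsigned offset;   /* byte offset of this fragment's data in the original datagram */
    unsigned len;      /* bytes of data in this fragment */
    int mf;            /* "more fragments" flag */
} Frag;

enum {
    FRAG_OK       = 0,
    FRAG_OVERLAP  = 1,   /* two fragments claim the same bytes (Teardrop signature) */
    FRAG_OVERSIZE = 2,   /* reassembled datagram would exceed 65535 bytes (Ping of Death signature) */
    FRAG_BADLAST  = 4    /* a fragment with MF == 0 is not the one that ends last */
};

#define IP_MAXPACKET 65535u

/* Checks the fragments of one datagram (same src, dst, id and protocol) in any arrival order.
 * Returns a bitmask of the FRAG_* flags above; 0 means nothing suspicious. */
int check_fragments(const Frag *f, int n) {
    int flags = FRAG_OK;
    unsigned max_end = 0;
    for (int i = 0; i < n; i++) {
        unsigned end = f[i].offset + f[i].len;
        if (end > IP_MAXPACKET) flags |= FRAG_OVERSIZE;
        if (end > max_end) max_end = end;
        /* Pairwise interval test: fragments i and j overlap if each starts before the other ends. */
        for (int j = 0; j < i; j++) {
            unsigned end_j = f[j].offset + f[j].len;
            if (f[i].offset < end_j && f[j].offset < end) flags |= FRAG_OVERLAP;
        }
    }
    /* Only the final fragment (MF == 0) may end at max_end; any other MF == 0 fragment is malformed. */
    for (int i = 0; i < n; i++)
        if (!f[i].mf && f[i].offset + f[i].len != max_end) flags |= FRAG_BADLAST;
    return flags;
}

int main(void) {
    /* Constructed fragment sets: the Teardrop shape from the text, and a normal 3-fragment datagram. */
    Frag teardrop[] = { { 0, 36, 1 }, { 24, 4, 0 } };
    Frag normal[]   = { { 0, 1480, 1 }, { 1480, 1480, 1 }, { 2960, 100, 0 } };
    printf("teardrop flags: %d\n", check_fragments(teardrop, 2));   /* 5: overlap + bad last fragment */
    printf("normal flags:   %d\n", check_fragments(normal, 3));     /* 0 */
    return 0;
}
```

The pairwise test keeps a legitimately reordered datagram (last fragment arriving first) from being reported as an overlap, which a simple "offset below the previous end" check would do.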
2. Scheme
3. Implementation