Calling Snort

[Click here to download the solution]
Video: [Click here to download the demo of this tip]
[Install Snort]

Background

[Click here to download this lab] The key foundation of most types of data packet capture and detection is the WinPcap library (which has been used in the software tutorials in previous design tips). Many tools build on it, including Snort [1], tcptrace (to identify TCP sessions), tcpflow (to reconstruct TCP sessions) and Ethereal (to capture network traffic). Snort is one of the most widely-used IDSs, and supports both signature-based and anomaly-based detection. In order not to burden the main processes on a machine, Snort runs as a background process; it initially reads in a set of rules (filename.rules) and then monitors the network traffic to produce event data and a log (Figure 1).

Figure 1 Snort

The basic format of a Snort rule header is:

ACTION PROTOCOL ADDRESS PORT DIRECTION ADDRESS PORT

which is then followed by options. A basic statement is:

alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)

where the first word on the rule is the action, which is typically:

•  alert - Generate an alert and log the packet
•  log - Log the packet
•  pass - Ignore the packet
•  activate - Alert and activate another rule
•  dynamic - Remain idle until activated by an activate rule

The second part of the rule defines the protocol, such as:

•  tcp
•  udp
•  icmp
•  ip

where TCP and UDP are transport layer protocols, while ICMP and IP are Internet (network) layer protocols. The next few fields define the source and destination of the traffic, as illustrated in Figure 2. The source and destination address can be defined as any, or as an IP address with a subnet mask. For example, 192.168.1.0/24 includes the range of addresses from 192.168.1.0 to 192.168.1.255. Along with this, the TCP/UDP port can be defined as either: any; a range of ports (m:n, which is port m to port n); or a specified port. It should be remembered that when a client connects to a server, the client uses its own source port and connects, typically, to a well-known port on the server. For example, a client which connects to a Web server would connect to a destination port of 80, with a unique source port, such as port 1111. In this case, when the data packets leave the client, the destination port will be 80 and the source port will be 1111. When the data returns from the server, it will have a source port of 80 and a destination port of 1111. It is thus important that -> points in the correct direction for the traffic being matched; alternatively, <> can be used to match both directions.

Figure 2 Example of source and destination addresses in a Snort rule

Some rules allow a payload in the data packet to be detected. An example of this is given in Figure 3.15. For this the content element is used to detect a certain sequence in the data packet. This can be defined either in hexadecimal format (between | and |) or in plain text format. Along with this, the content element can have several modifiers, such as offset, distance and within, which restrict where in the payload the search is performed. The end part of the rule in Figure 3 displays a message if the rule has been activated. There are also various configuration commands that can be used in the rules file, such as:

•  config decode_arp - snort -a
•  config payload
•  config decode_data_link
•  config interface
•  config nolog - Disable logging, but alerts still occur
•  config quiet - snort -q
•  config verbose - snort -v
•  config show_year
•  config min_ttl:x

Figure 3 Example Snort rule

The sid and rev options identify a rule and its revision. Snort ID (SID) values are allocated as follows:

•  Less than 100: reserved for future use.
•  Between 100 and 1,000,000: rules included with the Snort distribution.
•  More than 1,000,000: local rules.

For example: sid:336; rev:7; represents an attempt to change to the system administrator's account in FTP.

Invoking Snort

First make sure you have Snort on your machine (in the c:\snort folder):

[Click here to download Snort]

If you want to download the PDF version of this lab, download from here:

[Click here to download this lab]

1. If Visual Studio is installed on your machine, download the following solution [1]:

[Click here to download the solution]

An outline of the code is:

// Launch snort.exe with the given command-line arguments and stream its
// output into the rich text box. ProcessCaller comes from the CodeProject
// article in [1].
public void runShort(string arguments)
{
    processCaller = new ProcessCaller(this);
    processCaller.FileName = @"c:\snort\bin\snort.exe";
    processCaller.Arguments = arguments;
    // Both stderr and stdout are appended to the text box as they arrive
    processCaller.StdErrReceived += new DataReceivedHandler(writeStreamInfo);
    processCaller.StdOutReceived += new DataReceivedHandler(writeStreamInfo);
    processCaller.Completed += new EventHandler(processCompletedOrCanceled);
    processCaller.Cancelled += new EventHandler(processCompletedOrCanceled);
    this.richTextBox1.Text = "Started function. Please stand by.." + Environment.NewLine;
    processCaller.Start();
}

// -W lists the interfaces Snort can capture on
private void btnInterface_Click(object sender, System.EventArgs e)
{
    this.runShort("-W");
}

2. In the Project listing, double click on the SnortCaller.cs file, then double click on the Show interf button, and add the following highlighted code:

private void btnInterface_Click(object sender, System.EventArgs e)
{
    this.runShort("-W");
}

3. Run the program, and show that the output is similar to the output in Figure 1:

What is/are your interface(s)?

Figure 1:

4. Double click on the Capture Inter button, and add the following highlighted code. Replace c:\\bill with c:\\yourMatricNo, and replace the value after the -i option with your interface number (from step 3). This will log to the folder defined.

private void btnStart_Click(object sender, System.EventArgs e)
{
    // Create the log folder if it is missing, then start Snort with:
    // -d dump the application-layer data, -e show the link-layer header,
    // -v verbose, -i 1 capture on interface 1, -p no promiscuous mode,
    // -l log folder, -K ascii write the logs as readable text
    if (!Directory.Exists("c:\\bill")) Directory.CreateDirectory("c:\\bill");
    this.runShort("-dev -i 1 -p -l c:\\bill -K ascii");
}

5. Run the program and get Snort to capture the packets, and then stop it with the Stop button (Figure 2). Generate some Web traffic, and view the output, and verify that it is capturing data packets, such as:

               =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
               01/12-11:11:07.410133 0:15:0:34:2:F0 -> 0:C:41:F5:23:D5 type:0x800 len:0x19A
               192.168.1.101:2735 -> 146.176.1.188:80 TCP TTL:128 TOS:0x0 ID:13141 IpLen:20 DLen:396 DF
               ***AP*** Seq: 0xCEDC79A8 Ack: 0xE2431ED3 Win: 0x4037 TcpLen: 20
               47 45 54 20 2F 68 6F 6D 65 5F 6E 65 77 2F 69 6D GET /home_new/im
               61 67 65 73 2F 70 72 6F 67 5F 66 32 2E 67 69 66 ages/prog_f2.gif
               20 48 54 54 50 2F 31 2E 31 0D 0A 41 63 63 65 70 HTTP/1.1..Accep
               74 3A 20 2A 2F 2A 0D 0A 52 65 66 65 72 65 72 3A t: */*..Referer:
               20 68 74 74 70 3A 2F 2F 77 77 77 2E 6E 61 70 69 http://www.napi
               65 72 2E 61 63 2E 75 6B 2F 0D 0A 41 63 63 65 70 er.ac.uk/..Accep
               74 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 67 t-Language: en-g
               62 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64 69 b..Accept-Encodi
               6E 67 3A 20 67 7A 69 70 2C 20 64 65 66 6C 61 74 ng: gzip, deflat
               65 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D e..User-Agent: M
               6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70 ozilla/4.0 (comp

6. Select one of the TCP data packets, and determine the following:

The source IP address:

The source TCP port:

The destination IP address:

The destination TCP port:

The source MAC address:

The destination MAC address:

The TCP flags:

Figure 2:

7. Double click on the View Output button, and add the following highlighted code. Replace c:\\bill with c:\\yourMatricNo.

private void btnView_Click(object sender, System.EventArgs e)
{
    openFileDialog1.InitialDirectory = "c:\\bill";
    // Only open a file if the user actually picked one: FileName is empty
    // when the dialog is cancelled and Process.Start would then throw
    if (openFileDialog1.ShowDialog() == DialogResult.OK)
    {
        Process.Start("wordpad.exe", openFileDialog1.FileName);
    }
}

8. Run the program, and select the View Output button, and verify that you get the output seen in Figure 3, and open one of the IDS files in the subfolders, and verify the output, as shown in Figure 4.

What are the contents of the folder:

Go into one of the folders and view the contents of the IDS file. What does it contain:

Figure 3:

Figure 4:

9. Double click on the Create IDS rule button, and add the following code:

private void btnIDSRule_Click(object sender, System.EventArgs e)
{
    // Alert on any TCP packet to port 80 whose payload contains "napier"
    string rule = "alert tcp any any -> any 80 (content:\"napier\"; msg:\"Napier detected\";)";
    // using disposes the writer (and closes the file) even if WriteLine throws
    using (StreamWriter SW = File.CreateText("c:\\snort\\bin\\napier.txt"))
    {
        SW.WriteLine(rule);
    }
    statusIDS.Text += "IDS updated... please restart Snort";
}

which writes a Snort rule to the napier.txt file.
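To make the rule syntax from the Background section (ACTION PROTOCOL ADDRESS PORT DIRECTION ADDRESS PORT, CIDR addresses, m:n port ranges, hex or text content) and the rule written in step 9 concrete, here is an added Python example that is not part of the lab or of Snort itself: it parses a one-line rule into its header fields and options, then checks the rule against a packet constructed from the step 5 capture. The packet dictionary, the function names and the simplified splitting of options on ';' are assumptions of this example, not Snort's internals.

```python
import ipaddress
import re

PACKET = {  # constructed from the step 5 capture above (payload shortened)
    "proto": "tcp", "src": "192.168.1.101", "sport": 2735,
    "dst": "146.176.1.188", "dport": 80,
    "payload": b"GET /home_new/images/prog_f2.gif HTTP/1.1\r\nReferer: http://www.napier.ac.uk/\r\n"}
NAPIER_RULE = 'alert tcp any any -> any 80 (content:"napier"; msg:"Napier detected";)'
MOUNTD_RULE = 'alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)'

HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$")

def parse_rule(text):
    """Header fields plus (option, value) pairs; options split on ';' (enough for this page)."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: " + text)
    rule = dict(zip(("action", "proto", "src", "sport", "dir", "dst", "dport"), m.groups()))
    opts = (o.strip().partition(":") for o in m.group(8).split(";"))
    rule["options"] = [(k, v.strip().strip('"')) for k, _, v in opts if k]
    return rule

def addr_ok(spec, ip):
    """'any', a single address, or CIDR such as 192.168.1.0/24."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_ok(spec, port):
    """'any', one port, or a range m:n (port m to port n)."""
    lo, _, hi = spec.partition(":")
    return spec == "any" or int(lo) <= port <= int(hi or lo)

def content_bytes(value):
    """|..| sections are hex bytes (|00 01 86 a5| above); the rest is plain text."""
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode() for i, p in enumerate(value.split("|")))

def rule_fires(rule, pkt):
    """Header match (either direction for <>) plus every content option present."""
    def one_way(a, ap, b, bp):
        return (addr_ok(rule["src"], pkt[a]) and port_ok(rule["sport"], pkt[ap]) and
                addr_ok(rule["dst"], pkt[b]) and port_ok(rule["dport"], pkt[bp]))
    if rule["proto"] not in ("ip", pkt["proto"]) or not (
            one_way("src", "sport", "dst", "dport") or
            (rule["dir"] == "<>" and one_way("dst", "dport", "src", "sport"))):
        return False
    return all(content_bytes(v) in pkt["payload"] for k, v in rule["options"] if k == "content")

def alerts_for(pkt, rules):
    """Return the msg text of every rule in the list that fires on the packet."""
    parsed = [parse_rule(r) for r in rules]
    return [dict(r["options"]).get("msg", "") for r in parsed if rule_fires(r, pkt)]
```

Running alerts_for(PACKET, [NAPIER_RULE, MOUNTD_RULE]) returns only "Napier detected": the mountd rule fails on the destination network and port, while the reply from the server (source port 80) would only match the napier rule if its direction were changed to <>.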

10. Double click on the View alert.ids button, and add the following code (remember to replace c:\\bill with c:\\yourMatricNo):

private void btnViewAlert_Click(object sender, System.EventArgs e)
{
    // alert.ids is written by Snort in the -l log folder when a rule fires
    if (File.Exists("c:\\bill\\alert.ids"))
    {
        Process.Start("wordpad.exe", "c:\\bill\\alert.ids");
    }
    else
    {
        statusIDS.Text += "File does not exist...";
    }
}

also update the line:

this.runShort("-dev -i 1 -p -l c:\\bill -K ascii");

with the following, so that Snort reads in the newly created rules file through the -c option:

this.runShort("-dev -i 1 -p -l c:\\bill -K ascii -c c:\\snort\\bin\\napier.txt");

11. Run the program, and capture some Web traffic with the name napier in it. Then Stop the capture, and select the View alert.ids button (Figure 5).

What are the contents of the alert.ids file:

Did it detect "napier":

12. Next download the client and server programs from:

[Click here to download the client-server program]

13. In groups of two, one person should run the server on their computer, and the other person runs the client and connects to the server on port 1001. Make sure that you can chat before going on to the next part of the tutorial (Figure 6).

14. Write a Snort rule which detects the word "napier" in the communications between the client and server.

What is the Snort rule for this:

Figure 5:

Figure 6:

Note: If you want the complete solution at any time, use:

http://www.soc.napier.ac.uk/~bill/SnortCallerComplete.zip

[1] Code is based on http://www.codeproject.com/csharp/LaunchProcess.asp.