- •Network Intrusion Detection, Third Edition
- •Table of Contents
- •Copyright
- •About the Authors
- •About the Technical Reviewers
- •Acknowledgments
- •Tell Us What You Think
- •Introduction
- •Chapter 1. IP Concepts
- •Layers
- •Data Flow
- •Packaging (Beyond Paper or Plastic)
- •Bits, Bytes, and Packets
- •Encapsulation Revisited
- •Interpretation of the Layers
- •Addresses
- •Physical Addresses, Media Access Controller Addresses
- •Logical Addresses, IP Addresses
- •Subnet Masks
- •Service Ports
- •IP Protocols
- •Domain Name System
- •Routing: How You Get There from Here
- •Summary
- •Chapter 2. Introduction to TCPdump and TCP
- •TCPdump
- •TCPdump Behavior
- •Filters
- •Binary Collection
- •TCPdump Output
- •Absolute and Relative Sequence Numbers
- •Dumping in Hexadecimal
- •Introduction to TCP
- •Establishing a TCP Connection
- •Server and Client Ports
- •Connection Termination
- •The Graceful Method
- •The Abrupt Method
- •Data Transfer
- •What's the Bottom Line?
- •TCP Gone Awry
- •An ACK Scan
- •A Telnet Scan?
- •TCP Session Hijacking
- •Summary
- •Chapter 3. Fragmentation
- •Theory of Fragmentation
- •All Aboard the Fragment Train
- •The Fragment Dining Car
- •The Fragment Caboose
- •Viewing Fragmentation Using TCPdump
- •Fragmentation and Packet-Filtering Devices
- •The Don't Fragment Flag
- •Malicious Fragmentation
- •TCP Header Fragments
- •Teardrop
- •Summary
- •Chapter 4. ICMP
- •ICMP Theory
- •Why Do You Need ICMP?
- •Where Does ICMP Fit In?
- •Understanding ICMP
- •Summary of ICMP Theory
- •Mapping Techniques
- •Tireless Mapper
- •Efficient Mapper
- •Clever Mapper
- •Cerebral Mapper
- •Summary of Mapping
- •Normal ICMP Activity
- •Host Unreachable
- •Port Unreachable
- •Admin Prohibited
- •Need to Frag
- •Time Exceeded In-Transit
- •Embedded Information in ICMP Error Messages
- •Summary of Normal ICMP
- •Malicious ICMP Activity
- •Smurf Attack
- •Tribe Flood Network
- •WinFreeze
- •Loki
- •Unsolicited ICMP Echo Replies
- •Theory 1: Spoofing
- •Theory 2: TFN
- •Theory 3: Loki
- •Summary of Malicious ICMP Traffic
- •To Block or Not to Block
- •Unrequited ICMP Echo Requests
- •Kiss traceroute Goodbye
- •Silence of the LANs
- •Broken Path MTU Discovery
- •Summary
- •Chapter 5. Stimulus and Response
- •The Expected
- •Request for Comments
- •TCP Stimulus-Response
- •Destination Host Listens on Requested Port
- •Destination Host Not Listening on Requested Port
- •Destination Host Doesn't Exist
- •Destination Port Blocked
- •Destination Port Blocked, Router Doesn't Respond
- •UDP Stimulus-Response
- •Destination Host Listening on Requested Port
- •Destination Host Not Listening on Requested Port
- •Windows tracert
- •TCPdump of tracert
- •Protocol Benders
- •Active FTP
- •Passive FTP
- •UNIX Traceroute
- •Summary of Expected Behavior and Protocol Benders
- •Abnormal Stimuli
- •Evasion Stimulus, Lack of Response
- •Evil Stimulus, Fatal Response
- •No Stimulus, All Response
- •Unconventional Stimulus, Operating System Identifying Response
- •Bogus "Reserved" TCP Flags
- •Anomalous TCP Flag Combinations
- •No TCP Flags
- •Summary of Abnormal Stimuli
- •Summary
- •Chapter 6. DNS
- •Back to Basics: DNS Theory
- •The Structure of DNS
- •Steppin' Out on the Internet
- •DNS Resolution Process
- •TCPdump Output of Resolution
- •Strange TCPdump Notation
- •Caching: Been There, Done That
- •Reverse Lookups
- •Master and Slave Name Servers
- •Zone Transfers
- •Summary of DNS Theory
- •Using DNS for Reconnaissance
- •The nslookup Command
- •Name That Name Server
- •HINFO: Snooping for Details
- •List Zone Map Information
- •Tainting DNS Responses
- •A Weak Link
- •Cache Poisoning
- •Summary
- •Part II: Traffic Analysis
- •Chapter 7. Packet Dissection Using TCPdump
- •Why Learn to Do Packet Dissection?
- •Sidestep DNS Queries
- •Normal Query
- •Evasive Query
- •Introduction to Packet Dissection Using TCPdump
- •Where Does the IP Stop and the Embedded Protocol Begin?
- •Other Length Fields
- •The IP Datagram Length
- •Increasing the Snaplen
- •Dissecting the Whole Packet
- •Freeware Tools for Packet Dissection
- •Ethereal
- •tcpshow
- •Summary
- •Chapter 8. Examining IP Header Fields
- •Insertion and Evasion Attacks
- •Insertion Attacks
- •Evasion Attacks
- •IP Header Fields
- •IP Version Number
- •Protocol Number
- •The Don't Fragment (DF) Flag
- •The More Fragments (MF) Flag
- •Mapping Using Incomplete Fragments
- •IP Numbers
- •IP Identification Number
- •Time to Live (TTL)
- •Looking at the IP ID and TTL Values Together to Discover Spoofing
- •IP Checksums
- •Summary
- •Chapter 9. Examining Embedded Protocol Header Fields
- •Ports
- •TCP Checksums
- •TCP Sequence Numbers
- •Acknowledgement Numbers
- •TCP Flags
- •TCP Corruption
- •ECN Flag Bits
- •Operating System Fingerprinting
- •Retransmissions
- •Using Retransmissions Against a Hostile Host—LaBrea Tarpit Version 1
- •TCP Window Size
- •LaBrea Version 2
- •Ports
- •UDP Port Scanning
- •UDP Length Field
- •ICMP
- •Type and Code
- •Identification and Sequence Numbers
- •Misuse of ICMP Identification and Sequence Numbers
- •Summary
- •Chapter 10. Real-World Analysis
- •You've Been Hacked!
- •Netbus Scan
- •How Slow Can you Go?
- •RingZero Worm
- •Summary
- •Chapter 11. Mystery Traffic
- •The Event in a Nutshell
- •The Traffic
- •DDoS or Scan
- •Source Hosts
- •Destination Hosts
- •Scanning Rates
- •Fingerprinting Participant Hosts
- •Arriving TTL Values
- •TCP Window Size
- •TCP Options
- •TCP Retries
- •Summary
- •Part III: Filters/Rules for Network Monitoring
- •Chapter 12. Writing TCPdump Filters
- •The Mechanics of Writing TCPdump Filters
- •Bit Masking
- •Preserving and Discarding Individual Bits
- •Creating the Mask
- •Putting It All Together
- •TCPdump IP Filters
- •Detecting Traffic to the Broadcast Addresses
- •Detecting Fragmentation
- •TCPdump UDP Filters
- •TCPdump TCP Filters
- •Filters for Examining TCP Flags
- •Detecting Data on SYN Connections
- •Summary
- •Chapter 13. Introduction to Snort and Snort Rules
- •An Overview of Running Snort
- •Snort Rules
- •Snort Rule Anatomy
- •Rule Header Fields
- •The Action Field
- •The Protocol Field
- •The Source and Destination IP Address Fields
- •The Source and Destination Port Field
- •Direction Indicator
- •Summary
- •Chapter 14. Snort Rules - Part II
- •Format of Snort Options
- •Rule Options
- •Msg Option
- •Logto Option
- •Ttl Option
- •Id Option
- •Dsize Option
- •Sequence Option
- •Acknowledgement Option
- •Itype and Icode Options
- •Flags Option
- •Content Option
- •Offset Option
- •Depth Option
- •Nocase Option
- •Regex Option
- •Session Option
- •Resp Option
- •Tag Option
- •Putting It All Together
- •Summary
- •Part IV: Intrusion Infrastructure
- •Chapter 15. Mitnick Attack
- •Exploiting TCP
- •IP Weaknesses
- •SYN Flooding
- •Covering His Tracks
- •Identifying Trust Relationships
- •Examining Network Traces
- •Setting Up the System Compromise?
- •Detecting the Mitnick Attack
- •Trust Relationship
- •Port Scan
- •Host Scan
- •Connections to Dangerous Ports
- •TCP Wrappers
- •Tripwire
- •Preventing the Mitnick Attack
- •Summary
- •Chapter 16. Architectural Issues
- •Events of Interest
- •Limits to Observation
- •Human Factors Limit Detects
- •Limitations Caused by the Analyst
- •Limitations Caused by the CIRTs
- •Severity
- •Criticality
- •Lethality
- •Countermeasures
- •Calculating Severity
- •Scanning for Trojans
- •Analysis
- •Severity
- •Host Scan Against FTP
- •Analysis
- •Severity
- •Sensor Placement
- •Outside Firewall
- •Sensors Inside Firewall
- •Both Inside and Outside Firewall
- •Analyst Console
- •Faster Console
- •False Positive Management
- •Display Filters
- •Mark as Analyzed
- •Drill Down
- •Correlation
- •Better Reporting
- •Event-Detection Reports
- •Weekly/Monthly Summary Reports
- •Summary
- •Chapter 17. Organizational Issues
- •Organizational Security Model
- •Security Policy
- •Industry Practice for Due Care
- •Security Infrastructure
- •Implementing Priority Countermeasures
- •Periodic Reviews
- •Implementing Incident Handling
- •Defining Risk
- •Risk
- •Accepting the Risk
- •Trojan Version
- •Malicious Connections
- •Mitigating or Reducing the Risk
- •Network Attack
- •Snatch and Run
- •Transferring the Risk
- •Defining the Threat
- •Recognition of Uncertainty
- •Risk Management Is Dollar Driven
- •How Risky Is a Risk?
- •Quantitative Risk Assessment
- •Qualitative Risk Assessments
- •Why They Don't Work
- •Summary
- •Chapter 18. Automated and Manual Response
- •Automated Response
- •Architectural Issues
- •Response at the Internet Connection
- •Internal Firewalls
- •Host-Based Defenses
- •Throttling
- •Drop Connection
- •Shun
- •Proactive Shunning
- •Islanding
- •Reset
- •Honeypot
- •Proxy System
- •Empty System
- •Honeypot Summary
- •Manual Response
- •Containment
- •Freeze the Scene
- •Sample Fax Form
- •On-Site Containment
- •Site Survey
- •System Containment
- •Hot Search
- •Eradication
- •Recovery
- •Lessons Learned
- •Summary
- •Chapter 19. Business Case for Intrusion Detection
- •Part One: Management Issues
- •Bang for the Buck
- •The Expenditure Is Finite
- •Technology Used to Destabilize
- •Network Impacts
- •IDS Behavioral Modification
- •The Policy
- •Part of a Larger Strategy
- •Part Two: Threats and Vulnerabilities
- •Threat Assessment and Analysis
- •Threat Vectors
- •Threat Determination
- •Asset Identification
- •Valuation
- •Vulnerability Analysis
- •Risk Evaluation
- •Part Three: Tradeoffs and Recommended Solution
- •Identify What Is in Place
- •Identify Your Recommendations
- •Identify Options for Countermeasures
- •Cost-Benefit Analysis
- •Follow-On Steps
- •Repeat the Executive Summary
- •Summary
- •Chapter 20. Future Directions
- •Increasing Threat
- •Improved Targeting
- •How the Threat Will Be Manifested
- •Defending Against the Threat
- •Skills Versus Tools
- •Analysts Skill Set
- •Improved Tools
- •Defense in Depth
- •Emerging Techniques
- •Virus Industry Revisited
- •Smart Auditors
- •Summary
- •Part V: Appendixes
- •Appendix A. Exploits and Scans to Apply Exploits
- •False Positives
- •All Response, No Stimulus
- •Scan or Response?
- •SYN Floods
- •Valid SYN Flood
- •False Positive SYN Flood
- •Back Orifice?
- •IMAP Exploits
- •10143 Signature Source Port IMAP
- •111 Signature IMAP
- •Source Port 0, SYN and FIN Set
- •Source Port 65535 and SYN FIN Set
- •DNS Zone Followed by 0, SYN FIN Targeting NFS
- •Scans to Apply Exploits
- •mscan
- •Son of mscan
- •Access Builder?
- •Single Exploit, Portmap
- •rexec
- •Targeting SGI Systems?
- •Discard
- •Weird Web Scans
- •IP-Proto-191
- •Summary
- •Appendix B. Denial of Service
- •Brute-Force Denial-of-Service Traces
- •Smurf
- •Directed Broadcast
- •Echo-Chargen
- •Elegant Kills
- •Teardrop
- •Land Attack
- •We're Doomed
- •nmap
- •Distributed Denial-of-Service Attacks
- •Intro to DDoS
- •DDoS Software
- •Trinoo
- •Stacheldraht
- •Summary
- •Appendix C. Detection of Intelligence Gathering
- •Network and Host Mapping
- •Host Scan Using UDP Echo Requests
- •Netmask-Based Broadcasts
- •Port Scan
- •Scanning for a Particular Port
- •Complex Script, Possible Compromise
- •"Random" Port Scan
- •Database Correlation Report
- •SNMP/ICMP
- •FTP Bounce
- •NetBIOS-Specific Traces
- •A Visit from a Web Server
- •Null Session
- •Stealth Attacks
- •Explicit Stealth Mapping Techniques
- •FIN Scan
- •Inverse Mapping
- •Answers to Domain Queries
- •Answers to Domain Queries, Part 2
- •Fragments, Just Fragments
- •Measuring Response Time
- •Echo Requests
- •Actual DNS Queries
- •Probe on UDP Port 33434
- •3DNS to TCP Port 53
- •Worms as Information Gatherers
- •Pretty Park Worm
- •RingZero
- •Summary
this cannot be considered very robust in terms of rule or packet granularity. The rule options form the core of Snort's intrusion-detection capabilities.
Format of Snort Options
The rule options are separated from the rule header via required parentheses ( ). Look at the following rule:
alert tcp !$HOME_NET any -> $HOME_NET any (flags: SF; \ msg: "SYN-FIN scan";)
The options portion is as follows:
(flags: SF; msg: "SYN-FIN scan";)
Each option is made up of an option keyword, and possibly a value for the particular option keyword. In the preceding example, you find the option keyword flags paired with a value of SF and an option keyword of msg paired with a value of SYN-FIN scan. The value that is associated with a given option keyword depends on the option. Some options require numeric values and others require text. Option keywords are separated from the associated value via the colon (:), and individual options are delimited by a semi-colon (;). A semi-colon must follow the final option as well or an error will be generated. Although most option keywords are usually followed by a value, there are some options that require no value. One such example is the option nocase that indicates a search for content in the packet's payload is to be case insensitive.
Snort is pretty unconcerned and forgiving about the lack or abundance of whitespace between delimiters such as ; and :. You don't have to supply spaces, or you can supply multiple spaces between options, values, and delimiters. For instance, the two following options should both work:
(flags:SF;msg:"SYN-FIN scan";)
(flags: SF ; msg : "SYN-FIN scan" ;)
The backslash (\) is a rule continuation character; rules can be continued on separate lines if this character is supplied at the end of any unfinished line. Speaking of special characters, the pound sign (#) is used as the comment character for Snort rules.
Rule Options
Some of the most important and commonly used options will be discussed now to convince you of the power of Snort rules. The entire list of burgeoning options will not be covered, but descriptions of all of them can be found at www.snort.org by examining the online Snort
Users Manual under the documentation link.
Msg Option
The msg option allows the user or analyst to assign an appropriate message to the output of a triggered rule. When you examine an alert or logged entry for the triggered rule, you will see the offending packet. You will not see the actual rule that triggered the alert in the output itself, so you need some descriptive way of associating the alert with the rule. If you assign an msg option value, it will appear before the offending packet output to give you a better idea of why the rule triggered.
Look at the following format, rule, and an associated alert that triggered from the rule:
Format:
msg: "<message text>";
Sample rule:
alert udp any any -> 192.168.5.0/24 31337 \ (msg:"Back Orifice";)
Sample output:
[**] Back Orifice [**]
04/24-08:49:21.318567 192.168.143.15:60256 -> 192.168.5.16:31337 UDP TTL:41 TOS:0x0 ID:49951
Len: 8
The Snort rule says to alert (and log) when a UDP packet from any source IP address or port goes to subnet 192.168.5 destination port 31337 and to assign it a message of "Back Orifice". When the rule is triggered, the alert is recorded with "[**] Back Orifice [**]" to
describe the activity.
Logto Option
The logto option allows you to specify a filename to which to log the activity. This applies to rules with the alert or log action in the rule header only. A rule that is triggered with the alert or log action will normally write to a default directory (either /var/log/snort for UNIX hosts or, on a Windows machine, a subdirectory named log from wherever Snort is launched) or a directory specified using the –l filename option on the command line. This assumes that the user hasn't changed the default logging to binary output (-b commandline option), to send the output to the syslog daemon (-s command-line option), or disabled logging altogether (-N command-line option).
The logto option can be used to send the output for a specific rule or class of user-chosen rules to a given file. Why might you want to use this option? Well, this is an excellent way to separate the truly dangerous or harmful kinds of alerts from those that are the garden variety. In the case shown in the example, if you suspect that you have some kind of trinoo distributed denial-of-service (DDoS) infestation or any other DDoS activity on the network, you can look directly at the DDoS file for signs of this. This will also be logged to the default alert file as well because the following sample rule uses the action alert.
Format:
logto: "<filename>";
The supplied filename should not include a path, only a filename. Including a path causes Snort to display an error message. You should place the filename in quotes, otherwise an initial space is sometimes added before the name.
Sample rule:
alert udp any any -> 192.168.5.0/24 31335 \ (msg: "trinoo port"; logto: "DDoS";)
Sample output:
If the rule is triggered, the output on this UNIX host will be found in /var/log/snort/DDoS:
[**] trinoo port [**]
04/24-09:07:41.320938 192.168.143.15:56881 -> 192.168.5.16:31335 UDP TTL:42 TOS:0x0 ID:4011
Len: 8
Ttl Option
The ttl option allows you to examine the arriving time-to-live field for a specific value. This option could be used for a variety of reasons. One reason to examine this field would be to look for a packet with a low arriving TTL value, which can be indicative of a UNIX host performing a traceroute or a Windows host performing a tracert. When the protocol is UDP and the port ranges are 33000 through 34000, it is most likely a UNIX traceroute. A Windows tracert is done via ICMP echo requests.
The following rule looks for UNIX traceroute traffic to the 192.168.5 network with a UDP port in the range 33000 through 34000 inclusive and an arriving TTL value of 1.
Format:
ttl: <number>;
Sample rule:
alert udp any any -> 192.168.5.0/24 33000:34000 \ (msg: "Unix traceroute"; ttl: 1;)
Sample output:
[**] Unix traceroute [**]
04/24-09:29:37.971353 192.168.143.15:40920 -> 192.168.5.16:33437 UDP TTL:1 TOS:0x0 ID:40923
Len: 18
Id Option
As you recall, the IP identification value is a 16-bit value that is found in the IP header of each datagram. Each new datagram is assigned a unique IP ID number that is typically incremented by 1 for each packet. This number becomes the fragment ID, which assists the destination host in reassembling fragments. The sample rule looks for an unusual IP ID value of 0. It now appears that Linux 2.4 kernels set the IP ID value to 0 when the Don't Fragment (DF) flag is set in the packet. The reasoning for this is that if the packet will never become fragmented, why bother to assign it a fragment ID?
Format:
id: <number>;
Sample rule:
alert icmp any any -> 192.168.5.0/24 any \ (msg: "Suspect IP Identification #"; ID:0;)
Sample output:
[**] Suspect IP Identification # [**] 04/25-09:21:36.371005 192.168.143.15 -> 192.168.5.16 ICMP TTL:64 TOS:0x0 ID:00
Dsize Option
The dsize option allows Snort to examine the size of the payload. You can inspect the payload size for an exact value, or a value less than or greater than a particular number. This can come in handy when you are creating a rule for buffer overflow attacks. These attacks might have a telltale signature of having a larger payload than expected. The following sample rule looks for ICMP packets with a payload size greater than 1,024 bytes.
Format:
dsize: [<|>] number
Sample rule:
alert icmp any any -> 192.168.5.0/24 any \ (msg: "Large ICMP payload"; dsize: >1024;)
Sample output:
[**] Large ICMP payload [**]
04/24-11:10:24.110169 192.168.143.100 -> 192.168.5.16 ICMP TTL:255 TOS:0x0 ID:5487 DF
ID:7564 Seq:0 ECHO
Sequence Option
The sequence option checks the value of the TCP sequence number. The Shaft distributed denial-of-service software is known to assign a fixed sequence number—hexadecimal 28374839—when a TCP flood is directed to a victim site. No doubt, this is something that is configurable in the source code, so this is not a failsafe method of identifying Shaft. Of course, a benign packet could coincidentally be using the same sequence number, too.
Format:
seq: <number>;
Sample rule:
alert tcp any any -> any any \
(msg: "Possible Shaft DDoS"; seq: 0x28374839;)
Sample output:
[**]Possible Shaft DDoS [**]
04/25-07:19:58.582562 192.168.143.100:35680 -> 192.168.143.15:23 TCP TTL:255 TOS:0x0 ID:7705 DF
******S* Seq: 0x28374839 |
Ack: 0x0 Win: 0x2238 |
TCP Options => MSS: 1460 |
|
Acknowledgement Option |
|
The acknowledgement option examines the value of a TCP acknowledgement number. The primary use for this currently is to detect nmap pings. As you discovered in the previous chapter, nmap sends a unique signature when it tries to assess if a host is alive. It sets the ACK flag on, and it sets the acknowledgement value of 0. This would be a rare setting to find in normal traffic because it would be indicative of an already established connection acknowledging that the previous TCP sequence number received was 232 – 1, and now the acknowledgement number is wrapping back to 0.
Format:
ack: <number>;
Sample rule:
alert tcp any any -> any any \
(msg: "nmap TCP ping"; flags: A; ack: 0;)
Sample output:
[**] nmap TCP ping [**]
04/25-07:27:13.578488 192.168.143.15:63367 -> 192.168.143.16:80 TCP TTL:42 TOS:0x0 ID:26253
***A**** Seq: 0x16680003 |
Ack: 0x0 |
Win: 0xC00 |
Itype and Icode Options |
|
|
The itype option is used to select a particular ICMP message type. The message type field is found in the zero byte offset of the ICMP message.Valid values for this and its partner option icode, which is used to represent the ICMP message code, can be found at www.iana.org/assignments/icmp-parameters. The icode option is often used in conjunction with the itype option. The ICMP message code is found in the first byte offset of the ICMP message. Many ICMP messages share the same type but are further delineated using the ICMP code