Using Snort Stealthily
jukal writes "Linux Journal has an article on using Snort as a stealth sniffer, a stealth NIDS probe and a stealth loger -- on a network interface with no IP address. 'Snort is a versatile and powerful tool for sniffing, intrusion detection and packet logging. Configuring it to run stealthily in sniffing mode or NIDS mode is easy; incorporating it into a stealth-logging solution is only slightly less so.'"
Just cut the TX on your Ethernet.
Snort is a great tool. However, the last time I used it I found it a little bit difficult to get it working just the way I want with all the parameters. In reality, I guess that is probably a good thing or every l33t hax0r would be out there using it.
:)
Regardless- has anyone made any good UI to use it? I really liked the way "sniffit" worked with interactive mode. Maybe someone could design a UI and call it "sniffles" or whatever. The stealth mode version could be called "silent sneeze"
Just one question ...
What's a loger for?
Won't tcpdump or netstat -an do basically the same thing?
If you're THAT worried about security, I have 3 words for you:
Build a firewall!!!
(and don't make your firewall similar to swiss cheese by poking lots of holes in it!)
HallmarkOrnaments.Com
Does anyone have a server called Charlie?
Charlie% Snort Charlie -1 line...
An article like this is kinda sketchy as a feature on a site like Slashdot, which is composed largely by members who attend various colleges and universities across the world, all of which surely have Appropriate Usage Policies that clearly state that this type of network sniffing is not legal on their network.
;-D
So, kids, be smart about what "network analysis tools" you use. I know our head network administrator personally, and he sees EVERYTHING (no, really -- EVERY BIT) of traffic that he wants.
Use something like this at my school, and you'll be using a lab computer to check email by the end of the day since they'd disable your port immediately
Also worth investigating: Prelude
"Prelude is a new innovative hybrid Intrusion Detection system designed to be very modular, distributed, rock solid and fast. "
Interesting, but you can do that with snort as well. The only difference is that you have to have a little more knowledge of how to accomplish it. Just like all things unix.. I hate to be an elitist snob, but all things unix require you to have half a clue. I think that is a good thing. If you don't have that clue then you can use Microsoft Windows. Now I don't use anything Microsoft, but I do use snort and log into a MySQL database and use several analysis tools that interface with that database to show me information. As well, I have several scripts that automatically run under certain alert conditions.
How do you automatically match up a snort signature with the appropriate nessus check? Do they both include CVE numbers (last time I checked, they didn't, but that was a while ago)? That's the real beauty of the ISS solution - they use naming conventions across all their products, which allows the software to match up an attack signature with the appropriate vulnerability check.
Funny, I can have my SNORT installation log to Oracle, MSSQL Server, MySQL, PostgreSQL, etc. And I can perform vulnerability assessments, etc. By adding on ACID (from CERT) and logsnorter, I can integrate my firewall logs and view everything through a very nice web UI. Best of all, except for the hardware I run it on, and the work, my IDS and vulnerability assessment platform hasn't cost me a dime.
And your "superior SQL Server 2000" has more holes than swiss cheese, which is why I'm using MySQL in a secured, private network, for my logs.
In my universe I'm perfectly normal, it's not my fault you don't live in my universe.
The biggest problems are:
- A switch can mangle the packets a little before they're port-mirrored
- How exactly DOES one monitor >100mbit full-duplex traffic using only a single 100mbit port
:) ? (dropped packets are a significant reality on a busy network)
'Course, what you REALLY need is a good, *electrically* transparent impedance matching tap, like one of these.
Don't sweat the petty things. But do pet the sweaty things.
Whew, the ISS marketing guys really did a number on your mind, didn't they?
I worked on intrusion detection at a site where we had two IDS systems set up in parallel, one based on RealSecure and the other being a custom tailored solution that utilized a "sensor" machine sitting in our DMZ with a quiet NIC, similar to what's described in the linked article. It used tcpdump for data collection, and saved most of our incoming and outgoing network traffic to a fast disk array for analysis (based on tcpdump filters.) Hourly scripts would process the saved packets with Snort (and a variety of other tools, some of them free and some of them custom written for us and the other sites on our WAN.)
While RealSecure is fine for detecting bumbling script kiddies and obvious misconfigurations (like unpatched boxes becoming Nimda zombies), the tcpdump solution was far better at detecting the serious intrusion attempts, like the slow and low network probes with custom crafted packets, and telling us exactly who on our network was doing boneheaded things like using telnet across network boundaries. RealSecure's coming in a pretty box and costing a lot of money doesn't make it the end-all be-all of intrusion detection systems.
I always try to snort stealthily, lest someone would walk in on my little 'habit'. ;-)
Money for nothing, pix for free
However, since it can NOT do anything about what it sees (snort's) on the wire, it is not helpful....
By the time you've figured out the attack has happened, your MicroSloth box has already been had...
The advantage of something like RealSecure is that
it can take action in realtime as the attempts are detected. Reset the connections, modify firewall rules, AND generate an alarm.
Did I miss it, can snort (with any add on package) actually take action upon what it detects ?
This is an invitation for the taco snotting guide troll, isn't it ?
If the moderation system worked, then your comment regarding spelling and grammar would have been modded down in an instant.
These guys (and I speak for myself here too) reading this, and talking about packet sniffing, are techies. Techies don't need to advertise products, or have shiny teeth, shiny boots or slick Nike jackets. Techies don't need to spell perfectly, and are more likely to deliberately misspell a word to save typing characters or so non-techies can't read it. We are some of the most egotistical, arrogant scum of the universe and once we have accepted that we are a techie, we don't try and deny that. When I read a posting I look for content: whether it was well researched and well thought out, if it was even on topic, and will then respond in a way that I deem suitable. If I disagree I will say so. I don't even mind normal bitching matches and stuff. But anal English teachers can go to pgce.gov.co.uk or somewhere else. Because they are not welcome here. Go away, and leave network packet sniffing conversation to people who are too interested in networking to give a monkey's uncle about the quality of their grammar and spelling.
OrionRobots.co.uk - Robots From sol
Sounds more like a Church of Scientology lecture than a security system. MySQL, snort and other unix/linux products also have naming conventions, just different ones. As if that's the real issue anyway...
OrionRobots.co.uk - Robots From sol
Kind of like logging snort output to a MySQL db, and running nessus on anything you find that's questionable, but without the mega dollar outlay for software.
1+2+1+1 || 1+2+2+1
There's a better article about SNORT and ACID on LinuxWorld. Also, if you want to investigate SNORT, check out the following links:
In my universe I'm perfectly normal, it's not my fault you don't live in my universe.
The wonderful tool which is less configurable than Snort, doesn't log data as well, and provides less viewable data about packets which set off alerts.
And this is better than Snort how? Snort can log to local or remote databases, text files, syslog, and probably other formats (but I haven't tried). It supports multiple output formats, so you can choose how you want to look at the data. It also supports loading a database from tcpdump files (Our training with ISS never covered how to do this with RealSecure, and I'm doubtful that it can be done).
Superior in what way? It costs more than Postgres or MySQL, has more holes than any other database out there, and costs an insane amount of money compared to what most people running Snort would use (we use MySQL here, I know many people using Postgres, or you can dump to text files).
In the world of real security grunts, we like to call such a tool Nessus (http://www.nessus.org/). It scans for more vulnerabilities than ISS (the marketing claims by ISS notwithstanding), is updated more frequently, offers more flexibility in scanning options, has a better support community, and is free.
Unfortunately for me, ISS has brainwashed many, many people in the Department of Energy. I'm forced to use their product on a day-to-day basis. On the upside, I can run Snort and Nessus to do all my real checks and detects, and then go to the ISS products I have to use, try to make them show me the data I need, and report with that. But every single site I have to deal with which uses ISS has done the same thing I've done - shoved it in a corner, set up a system with Snort and a system with Nessus, and gone about getting real work done with free, easy to use, well supported tools.
RagManX
Please explain, how did you configure snort to log to a MySQL database? I'm currently using Snort's directory structure logging system, and using a quick perl script to stick that into a database. If you know of a more elegant way, please enlighten me!
Cost of an ISS RealSecure Deployment for a mid-sized business: $100,000
Cost of a Snort Deployment for a mid-sized business: $0.00
Hmmm...decisions, decisions...
Obviously written by a corporate junkie with no real knowledge. You can do the same thing with Snort, though it does take coding a few scripts/programs. Also you don't have to use closed source products. How do I know this? I have a few managed Snort IDS systems that sit on clients' networks that log to a SQL db over an encrypted link, where the client can log into a managed services portal and pull up their data, see statistical trends and even run "basic" auditing with Nessus.
Is that anything like Stealth Lager?
'Cause I would try some of that.
Or was he trying sooo hard to spell Logger, only to come up soooo short?
You killed Linux Journal! You bastards! I figured it was time for an alternative South Park joke.
Why not fork?
Gentlemen, please stop feeding the troll.
It may be well written, but it's a troll. Why else the use of the "superior" in conjunction with "MS SQL 2000"?
Check the snort page for some good, detailed information on how to do this (mySQL logging) and much more.
Here's one way: Snort Installation Manual
Lee
So can Snort. It is not built in, so you'll have to load an additional plugin. But then again, the makers of Snort understand that it is an Intrusion Detection System. If you want more than detection, use the plugins that are available to react on certain alerts. You can set up Snort to send resets, just like ISS does. But that slows down the other work that Snort does, so you won't find that feature integrated into the package.
RagManX
For the cost of one NIC and some existing obsolete hardware, I now have a hardened Snort sensor outside my firewall. I can see all inbound and outbound traffic, which is logged to MySQL and viewed thru ACID. Not bad for about $30.
Sourcefire (founded by Marty Roesch - creator of Snort) is releasing a rack-mount device that can manage freeware Snort sensors. Cost is about $15K. Hell of a lot cheaper than the alternatives! I'll be getting one of those soon... If you run Bastille security, with a little know-how, you can stealthify your Snort sensors to the point where they become invisible. I get scanned regularly, and nobody has yet found the IDS box. Me == happy!
***
This is my Sig. This is my Glock, this is my Walther, and this is my Beretta.
Any questions?
>Did I miss it, can snort (with any add on package) actually take action upon what it detects ?
Yes, it can. You missed it.
There's a great add-in that allows dynamic updating of Firewall-1 rules called SnortSAM. There are others as well.
If those programs don't suit you, if you have skill with Perl you could also craft a program to send the RST (reset) packets based on certain alerts.
Or you could always pay me to do it. (shameless plug)
You can do all that, and more.
The question is whether your organization has the time and resources to set it up and support it. If you've got the money, but not the time, perhaps a commercial solution is better.
Lee
Amen, brother!
Trolling, agreed.
But sometimes you must respond, so that the uninitiated and unwary will not be taken in by the trolling.
Snort most certainly can do something about what it sees, just like the $$$ sensors out there.
Snort has a "FlexResponse" option that allows you to reset a connection, just like your ISS box. In realtime.
I'm also using my snort alerts (which, BTW, I can send to MySQL, PostgreSQL, MS-SQL, Oracle, syslog, or text files - how many alerting/logging options do you have...?) to trigger scripts written in Expect that can add/remove/modify rules on my Cisco PIX firewall. With a little modification and know-how, I can modify the rules on pretty much any firewall out there.
Who'd've thought Slashdot, of all places, would be giving me tips on my secret drug habit? Thanks, /.!
I always go in to the bathroom before I snort, but that kind of depends on where you are. Basically anywhere where no one will see you snorting is good, and if you use a rolled up dollar bill, I would hide that as well.
Moon Macrosystems. Sun's biggest competitor.
The best way to use snort stealthily would be to snort in a dark alleyway, preferably away from all cop shops and majorly populated areas.
I have had a lot of fun with snort. Perhaps the greatest thing it does is deter would-be bad guys from even looking at your machine twice... as soon as they find you've got snort running they go away in most cases. This does not apply to the script-kiddies running the NT http directory traversals every 15 minutes against your Linux box. I have found that even a good solid DoS does not stop THEM.
Oh yeah, while I am here, why haven't the lords of slashdot run my story on the current bitchx source tarball trojan? You could save an awful lot of folks grief by just running the damn story and not worrying about the fact that you ran the same story months ago. This is a new, different incarnation of the thing and it is quite bad; giving paz.bakunin.net a root shell on the system of anybody running the configure script from the bitchx source tarball downloaded from ftp.bitchx.org.
The md5sum of the trojanned bitchx is: a9d6bb266c503a09d46cef679fce8320
The md5sum of the clean bitchx is: 79431ff0880e7317049045981fac8adc
The name of the bitchx source tarball is: ircii-pana-1.0c19.tar.gz
If you run the configure script from the trojanned tarball, you will wind up with a connection to port 6667 on paz.bakunin.net with a shell on your end. Also, a copy of your /etc/passwd file will be sent to that port.
I can state with 100% certainty that the BitchX package that is part of slackware 8.1 is totally clean and safe. The BitchX source tarball from ftp.irc.org is also clean.
Just a little story. At my previous job (an e-commerce .com site, where our database contained probably several million credit-card#'s and email addresses), we hired a few consultants to do some Java coding...
About a week later, because of our security tools, we discovered one of the consultants port-scanning our network. The director went and asked him why he was port scanning, with no good reply, and told him to stop doing it.
About 2 weeks later, yet again, the *same* consultant was found port-scanning the network again, this time hitting our production website boxes at our offsite co-location (which includes the database boxes, loaded with data that only a handful of people had access to). He was promptly walked out the door, and the consulting company was asked to replace him with someone else.
While a firewall will protect you from attacks from the outside, attacks from the inside are just as dangerous.
I was employed at a place that did the same thing with OpenBSD about a year ago. Our methods required knocking out IPv4 support from the kernel and recompiling it. Only then did we think it safe enough to use in the DMZ.
The main problem with this approach was grabbing the Alerts and such once you had it up and running. This was solved using a JAZ drive no one wanted. A definite kludge but it worked at the time...
No offense to our open-source IDS friends, but the commercial IDS world realized this exact thing at least 5 years ago. I used to work on the network based IDS products at ISS, and we started recommending this back in 1997 (when I started working there). Here is a link (PDF) to a document that describes (among other things) running RealSecure in "stealth mode" and it dates from 1998.
Well obviously a nice GUI helps. However after reading over some snort documentation, one of the problems I see is caused by the fact that snort is a rules-based IDS. That makes it retro-active in nature. Can't stop what isn't in your rules (kind of like stopping viruses). So how does the security community overcome such an obstacle?
PATCRP: I would mod you up, but don't have moderator access now.
Somebody should do it though.
+ Informative
Hogwash already does this I thought.
This is really cool. Until someone spoofs an attack from AOL, Yahoo, and Hotmail SMTP servers.
When the CEO can't get email from his daughter at college, this cool sounding autoresponse thingamajig doesn't look so smart all of a sudden.
Actually, that raises the question of the "comfort level"[1] that companies would have with IDS systems. At the level these systems work, a lot of sensitive information is gathered.
[1] Remember even people from IT departments have gotten in trouble doing port-scanning just for the purposes of internal security.
If you're going to do this, make sure you put two interfaces (or use 802.1q) in the box so you can monitor it via a management network. The importance of knowing your IDS is working is more valuable than its being undetectable to intruders. Two interfaces also obviates the need for the tortured fake IP traffic syslogging mentioned in the article. Oh, and one more thing - management network != general LAN.
I have been using Snort for several years now and really like it. I have seen a few people make references to "Stealth Cables": basically you put a capacitor on the transmit pairs so it can only receive, and Snort should keep on working. I found a few how-tos but so far haven't managed to get it working as advertised. Anyone out there have any luck with something like this?
I had a stealth loger yesterday, but I discreetly picked my nose until I finally got it.
Anyone want it? It's now on ebay.
Speaking of better.
http://www.nss.co.uk/
Their latest report on IDS products is available. All they require is a little info.
I can smell blue!
yoo soh tyred? me so sawree: leeve sucka,
The IPCop Firewall Distro comes with snort and has an easy-to-understand web interface and a decent set of default rulesets. Unfortunately, tuning the rules cannot be done through the web interface, but you can log in and tweak with a text editor.
Cheers,
Jim
-- My Weblog.
All that snort does is *watch* for stuff, not prevent it - It's up to the admin to read the logs and decide then what to block, using some other tool.
If you set it up and get familiar with it, you'll see that this is a good thing, due to the nature of it - it is sometimes overly-paranoid and the level of false-positives is very high. If it blocked all of the stuff it thought was an intrusion, you'd never get too much done.
That said, I have heard of tools that use Snort to trigger the insertion of firewall rules based upon certain types of 'intrusions'.
Snort's a great learning tool, but don't think it's actually *protecting* anything.
If you don't read its logs, it's like a security camera that nobody watches...
Cheers,
Jim
-- My Weblog.
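The two cautions above (a single alert can be spoofed to name AOL's or Yahoo's mail servers, and Snort's false-positive rate is high enough that blocking on every alert would stop real work) both argue for triaging alerts before any firewall rule is touched. The following is an added example, not code from the thread or from the Snort project: it parses lines in Snort's alert_fast format, counts high-priority alerts per source, exempts an allowlist of peers that must never be auto-blocked, and only then proposes block candidates. The addresses, rule ids and alert messages in the sample are constructed.

```python
"""Triage Snort fast-format alerts before any automated firewall response.

Constructed example, not code from this thread or from the Snort project.
Assumes Snort's alert_fast line layout:
  timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n]
  {PROTO} src[:port] -> dst[:port]
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.+?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?"
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Peers that must never be blocked automatically, however many alerts name
# them: source addresses can be forged, and one spoofed alert "from" a mail
# relay would otherwise cut the company off from its e-mail. Constructed.
NEVER_BLOCK = [ip_network("192.0.2.0/24"), ip_network("198.51.100.25/32")]

# Constructed sample alert file (alert_fast format). Not real traffic.
SAMPLE_ALERTS = """\
01/15-13:22:01.123456 [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:4321 -> 10.0.0.10:80
01/15-13:22:02.223456 [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:4322 -> 10.0.0.10:80
01/15-13:22:03.323456 [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:4323 -> 10.0.0.10:80
01/15-13:25:10.000001 [**] [1:9000001:1] SMTP suspicious MAIL FROM [**] [Classification: Attempted Information Leak] [Priority: 1] {TCP} 198.51.100.25:2525 -> 10.0.0.25:25
01/15-13:25:11.000001 [**] [1:9000001:1] SMTP suspicious MAIL FROM [**] [Classification: Attempted Information Leak] [Priority: 1] {TCP} 198.51.100.25:2526 -> 10.0.0.25:25
01/15-13:25:12.000001 [**] [1:9000001:1] SMTP suspicious MAIL FROM [**] [Classification: Attempted Information Leak] [Priority: 1] {TCP} 198.51.100.25:2527 -> 10.0.0.25:25
01/15-13:30:00.000001 [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.99 -> 10.0.0.1
this line is not an alert and is skipped
"""


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if it does not parse."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["prio"] = int(rec["prio"])
    return rec


def parse_alerts(text):
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]


def is_protected(addr):
    ip = ip_address(addr)
    return any(ip in net for net in NEVER_BLOCK)


def triage(alerts, min_hits=3, max_priority=1):
    """Split sources into block candidates and items for a human to review.

    A source is a block candidate only if it produced at least `min_hits`
    alerts of priority <= `max_priority` AND is not on the allowlist.
    Everything else goes to the review bucket with a reason.
    """
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)
    block, review = {}, {}
    for src, items in by_src.items():
        serious = [a for a in items if a["prio"] <= max_priority]
        if is_protected(src):
            review[src] = ("protected host, never auto-block", len(items))
        elif len(serious) >= min_hits:
            block[src] = len(serious)
        else:
            review[src] = ("below threshold", len(items))
    return block, review


if __name__ == "__main__":
    block, review = triage(parse_alerts(SAMPLE_ALERTS))
    for src, n in block.items():
        print(f"BLOCK   {src}  ({n} high-priority alerts)")
    for src, (why, n) in review.items():
        print(f"REVIEW  {src}  ({n} alerts: {why})")
```

The threshold and allowlist are the two knobs that keep an automated response from becoming a self-inflicted denial of service; feed `block` to whatever script updates the firewall, and leave `review` for a person.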
Hello, I am the Network Systems Administrator for a very large company. Last week one of the employees at my location used Snort (or something else) on the internal network on a company computer (with an operating system that was not supposed to be installed on it). Being a company that does projects that are of a secure nature (DOD etc.), I caught this person (using my anti-sniffer) and I had to hand him over to the proper authorities (his bosses). I had to inform them that this action was a network NO-NO. This person did not need to have this computer (that is used for testing electrical circuits) connected to the network. They said in response that they wanted to keep this computer on the network. (For what reason I do not know.) But now I am watching any and all traffic coming or going from that machine. I personally think that this person will get a slap on the hand for this. I should also say that the person in question has no reason in his job (electrical technician) to scan my network.
P.S. You have just been /.ed...
Now I will be buying the t-shirt that says..
just click on the link to a slashdot owned site www dot thinkgeek dot com OR here is the link below.
http://www.thinkgeek.com/stuff/apparel/38df.sht
Since it's a *Packet* sniffer, you just need to tear open the packets to snort them - no dollar bill required.
Cheers,
Jim
-- My Weblog.
Moderation Totals: Offtopic=2, Funny=3, Overrated=2, Total=7.
How is this still -1 funny?
WTF is wrong with the slashcode? Shouldn't it show the last moderation, and if so, why is it still -1?
You may want to take a look at the Finisar Century Tap. There used to be a lot of information on the taps on the website when they were made by Shomiti. Once Shomiti was bought by Finisar, a lot of the information disappeared. The tap allows you to "tap in" to a link. I have one installed between the firewall and switch. I use two interfaces: one is on the inside network for management, and the other is connected to the tap in promiscuous mode without an IP address. The tap is pretty much invisible.
http://www.finisar.com/product/product.php?product_id=110&product_category_id=98
Here is a PDF showing how to set up the tap with your Snort sensor. The only problem is the tap is really overpriced -- about $500. But making a custom cable is a PITA.
If a daemon listens on a port that is open for incoming internet connections (eg. Apache), firewalls can only detect DoS type attacks. Firewalls aren't virus scanners for network sockets; there's no way a firewall can reject an incoming packet on arrival because it may contain malicious data.
Your Apache log files can probably tell you a lot more about exploit attempts.
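The point about the web server's own logs is worth making concrete, since the thread also mentions the NT directory-traversal probes that hit every Linux box every fifteen minutes. The following is an added example, not code from the page: it reads Apache combined-format access log lines, decodes the percent-encoded and overlong-UTF-8 forms those probes use so that `../` is visible again, flags the traversal attempts, and separates the ones the server answered with 200 (the ones worth looking at first). The log lines are constructed.

```python
"""Find directory-traversal probes in an Apache access log.

Constructed example, not code from the thread. Assumes the Apache "combined"
log format; the sample lines and addresses are constructed.
"""
import re
from collections import Counter
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Substrings that, once the request path is decoded, mark a traversal probe.
TRAVERSAL_PATTERNS = ("../", "..\\", "/etc/passwd", "cmd.exe")

# Constructed sample log: two Nimda-style IIS probes against a Linux box (404),
# two ordinary requests, and one CGI traversal the server actually served (200).
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jan/2003:13:22:01 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294
203.0.113.7 - - [15/Jan/2003:13:22:02 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294
198.51.100.4 - - [15/Jan/2003:13:23:05 -0500] "GET /index.html HTTP/1.1" 200 1043
198.51.100.4 - - [15/Jan/2003:13:23:07 -0500] "GET /images/logo.gif HTTP/1.1" 200 5120
203.0.113.9 - - [15/Jan/2003:13:24:00 -0500] "GET /cgi-bin/view.cgi?file=../../../../etc/passwd HTTP/1.0" 200 812
"""


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_path(path):
    """Normalise the encodings probes hide behind.

    The overlong UTF-8 sequences %c0%af ('/') and %c1%9c ('\\') are mapped
    before percent-decoding, because a UTF-8 decoder rejects them; then the
    path is percent-decoded twice to catch double encoding such as %255c.
    """
    p = re.sub(r"%c0%af", "/", path, flags=re.I)
    p = re.sub(r"%c1%9c", r"\\", p, flags=re.I)
    for _ in range(2):
        p = unquote(p)
    return p


def matched_pattern(decoded):
    low = decoded.lower()
    for pat in TRAVERSAL_PATTERNS:
        if pat in low:
            return pat
    return None


def find_probes(text):
    """Return one record per log line whose decoded path matches a pattern."""
    probes = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        decoded = decode_path(rec["path"])
        pat = matched_pattern(decoded)
        if pat:
            probes.append({
                "ip": rec["ip"], "path": rec["path"], "decoded": decoded,
                "pattern": pat, "status": int(rec["status"]),
            })
    return probes


def summarize(probes):
    """Count probes per source and pull out the ones that got a 200."""
    per_ip = Counter(p["ip"] for p in probes)
    succeeded = [p for p in probes if p["status"] == 200]
    return per_ip, succeeded


if __name__ == "__main__":
    probes = find_probes(SAMPLE_LOG)
    per_ip, succeeded = summarize(probes)
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} traversal probe(s)")
    for p in succeeded:
        print(f"SERVED 200: {p['ip']} {p['decoded']}")
```

A 404 for a `cmd.exe` probe against Apache is background noise; a 200 for a `../../etc/passwd` request is a finding, and the status code is what separates the two.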
While working at a .edu, I had the chance to admin what I was told was the world's largest implementation of snort. Whether that's true or not, I have no clue; I will say I had A LOT of sensors though. The general configuration was that we set a Sparc Netra out in front of the different departments, or in areas we thought it would be useful, and then all on the gateway. Each one had 2 NICs, one with an IP address and one without, and then the non-stealth part was logging, as the article mentions. We logged to a central database. In my time there though, none of the sensors were compromised, nor the database.
EOF
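Several posters describe the same sensor layout: one NIC with no IP address on the monitored segment, a second NIC with an address on a separate management network. The mistake that defeats it is quietly giving the sniffing interface an address (a DHCP client, a distribution's network script). The following is an added example, not from the article or any poster, of a pre-flight check for that layout: it parses the one-line-per-object output of iproute2's `ip -o link show` and `ip -o -4 addr show` and reports anything that breaks the stealth assumption, then emits the commands that bring the sniffing interface up addressless. The interface names, addresses and sample command output are constructed and trimmed.

```python
"""Pre-flight check for a two-NIC stealth Snort sensor.

Constructed example, not code from the page. It checks that the sniffing
interface is up, promiscuous and has no IPv4 address, and that the
management interface (on its own network, not the general LAN) does have one.
Input is the output of "ip -o link show" and "ip -o -4 addr show".
"""
import re

LINK_RE = re.compile(r"^\d+: (?P<name>[^:@]+)(?:@\S+)?: <(?P<flags>[^>]*)>")
ADDR_RE = re.compile(r"^\d+: (?P<name>\S+)\s+inet (?P<addr>\S+)")

# Constructed, trimmed "ip -o link show" / "ip -o -4 addr show" output for a
# correctly built sensor: eth0 = management, eth1 = addressless sniffer.
GOOD_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
"""
GOOD_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.10.0.5/24 brd 10.10.0.255 scope global eth0
"""
# The same box after someone "fixed" networking: eth1 got an address and
# lost promiscuous mode. The sensor is now visible on the monitored segment.
BAD_LINK = GOOD_LINK.replace("PROMISC,", "")
BAD_ADDR = GOOD_ADDR + "3: eth1    inet 10.10.0.6/24 brd 10.10.0.255 scope global eth1\n"


def parse_links(text):
    """Map interface name -> set of link flags."""
    links = {}
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:
            links[m["name"]] = set(m["flags"].split(","))
    return links


def parse_addrs(text):
    """Map interface name -> list of IPv4 addresses (CIDR strings)."""
    addrs = {}
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            addrs.setdefault(m["name"], []).append(m["addr"])
    return addrs


def check_sensor(link_out, addr_out, sniff_if, mgmt_if):
    """Return a list of problems; an empty list means the layout is sound."""
    links = parse_links(link_out)
    addrs = parse_addrs(addr_out)
    problems = []
    if sniff_if == mgmt_if:
        problems.append("sniffing and management must be separate interfaces")
    if sniff_if not in links:
        problems.append(f"{sniff_if}: interface not found")
    else:
        flags = links[sniff_if]
        if "UP" not in flags:
            problems.append(f"{sniff_if}: link is down")
        if "PROMISC" not in flags:
            problems.append(f"{sniff_if}: not in promiscuous mode")
    if addrs.get(sniff_if):
        problems.append(f"{sniff_if}: has IPv4 address {addrs[sniff_if][0]}; "
                        "a stealth sensor interface must carry none")
    if not addrs.get(mgmt_if):
        problems.append(f"{mgmt_if}: management interface has no IPv4 address")
    return problems


def setup_commands(sniff_if, conf="/etc/snort/snort.conf", logdir="/var/log/snort"):
    """Commands that bring the sniffing interface up with no address and start
    Snort on it (paths are assumed defaults; adjust for your install)."""
    return [
        f"ip addr flush dev {sniff_if}",
        f"ip link set dev {sniff_if} up promisc on",
        f"snort -D -i {sniff_if} -c {conf} -l {logdir}",
    ]


if __name__ == "__main__":
    for label, link, addr in (("good", GOOD_LINK, GOOD_ADDR), ("bad", BAD_LINK, BAD_ADDR)):
        found = check_sensor(link, addr, "eth1", "eth0")
        print(f"{label}: " + ("OK" if not found else "; ".join(found)))
    print("\n".join(setup_commands("eth1")))
```

Run the check from cron on the sensor and have it alert over the management interface; a sensor that has silently acquired an address is exactly the kind of thing nobody notices until a scan finds it.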