Using Snort Stealthily
jukal writes "Linux Journal has an article on using Snort as stealth sniffer, a stealth NDIS probe and stealth loger -- on a network interface with no IP address. 'Snort is a versatile and powerful tool for sniffing, intrusion detection and packet logging. Configuring it to run stealthily in sniffing mode or NIDS mode is easy; incorporating it into a stealth-logging solution is only slightly less so'"
Snort is a great tool. However, the last time I used it I found it a little bit difficult to get it working just the way I want with all the parameters. In reality, I guess that is probably a good thing or every l33t hax0r would be out there using it.
:)
Regardless, has anyone made any good UI to use it? I really liked the way "sniffit" worked with interactive mode. Maybe someone could design a UI and call it "sniffles" or whatever. The stealth mode version could be called "silent sneeze".
An article like this is kinda sketchy as a feature on a site like Slashdot, which is composed largely by members who attend various colleges and universities across the world, all of which surely have Appropriate Usage Policies that clearly state that this type of network sniffing is not legal on their network.
;-D
So, kids, be smart about what "network analysis tools" you use. I know our head network administrator personally, and he sees EVERYTHING (no, really -- EVERY BIT) of traffic that he wants.
Use something like this at my school, and you'll be using a lab computer to check email by the end of the day since they'd disable your port immediately.
Get real...firewalls are not the "end all" solution to every security problem. You're also mixing passive and active defense. Firewalls are designed to BLOCK attacks at the gateway. Snort (and all network-based IDSs) are designed to detect attacks that have gotten through your firewall...and they do get through, I assure you.
"Herbivores eat well cause their food never, ever runs."
Unfortunately, firewalls are not the be-all and end-all of network security... A firewall can effectively protect your network from malicious access from the outside world; however, it cannot prevent hack-attacks on your systems which originate from within your network.
There are two primary reasons for hack-attacks originating inside a firewalled-zone:
1. A trojaned system, usually due to poor Antivirus policy and/or poor user education.
2. A disgruntled employee who is out to get you!
Obviously, the best solutions to these problems are to implement a good Antivirus product and virus protection policy, and to keep your employees happy!
Unfortunately, no matter how hard you try, there are always likely to be problems you have not foreseen - which is where sniffers and NIDS tools come in. Whilst these tools are also not the sole answer to anyone's prayers, they can often help as part of an overall security system implementation.
Snort is (IMHO) one of the best NIDS tools out there - I have used Snort for a couple of years as part of an integrated security solution, and the logfiles it generates, once properly parsed, have helped me track down a number of threats to network security, and plug any holes present before the problems became serious.
Firewalls are not a panacea, nor are NIDS tools; used together, though, they are much more than the sum of their parts....
Disclaimer: I meant what I thought, not what I wrote! What? You can't read my Mind? Oh dear!
Funny, I can have my SNORT installation log to Oracle, MSSQL Server, MySQL, PostgreSQL, etc. And I can perform vulnerability assessments, etc. By adding on ACID (from CERT) and logsnorter, I can integrate my firewall logs and view everything through a very nice web UI. Best of all, except for the hardware I run it on, and the work, my IDS and vulnerability assessment platform hasn't cost me a dime.
And your "superior SQL Server 2000" has more holes than Swiss cheese, which is why I'm using MySQL in a secured, private network, for my logs.
In my universe I'm perfectly normal, it's not my fault you don't live in my universe.
The biggest problems are:
- A switch can mangle the packets a little before they're port-mirrored
- How exactly DOES one monitor >100mbit full-duplex traffic using only a single 100mbit port :) ? (dropped packets are a significant reality on a busy network)
'Course, what you REALLY need is a good, *electrically* transparent impedance matching tap, like one of these.
Don't sweat the petty things. But do pet the sweaty things.
Whew, the ISS marketing guys really did a number on your mind, didn't they?
I worked on intrusion detection at a site where we had two IDS systems set up in parallel, one based on RealSecure and the other being a custom tailored solution that utilized a "sensor" machine sitting in our DMZ with a quiet NIC, similar to what's described in the linked article. It used tcpdump for data collection, and saved most of our incoming and outgoing network traffic to a fast disk array for analysis (based on tcpdump filters.) Hourly scripts would process the saved packets with Snort (and a variety of other tools, some of them free and some of them custom written for us and the other sites on our WAN.)
While RealSecure is fine for detecting bumbling script kiddies and obvious misconfigurations (like unpatched boxes becoming Nimda zombies), the tcpdump solution was far better at detecting the serious intrusion attempts, like the slow and low network probes with custom crafted packets, and telling us exactly who on our network was doing boneheaded things like using telnet across network boundaries. RealSecure's coming in a pretty box and costing a lot of money doesn't make it the end-all be-all of intrusion detection systems.
The best analogy for defending your networks is a castle. Castles have moats, walls and an inner keep, all to protect the treasures of the kingdom (jewels, the princess, etc.). But, none of that does you any good without sentries watching the moat and walls who can report to the Captain of the Watch anything out of the norm. Your network defense should consist of a hardened router (the moat), firewall and DMZ (walls), and your private networks (the keep). You should have intrusion detection systems, syslogs from routers and firewalls and regular system monitoring (sentries). All of this should be parsed by a system that provides alerts for key events (report to the Captain of the Watch) and is also checked regularly by humans.
There's a better article about SNORT and ACID on LinuxWorld. Also, if you want to investigate SNORT, check out the following links:
The wonderful tool which is less configurable than Snort, doesn't log data as well, and provides less viewable data about packets which set off alerts.
And this is better than Snort how? Snort can log to local or remote databases, text files, syslog, and probably other formats (but I haven't tried). It supports multiple output formats, so you can choose how you want to look at the data. It also supports loading a database from tcpdump files (Our training with ISS never covered how to do this with RealSecure, and I'm doubtful that it can be done).
Superior in what way? It costs more than Postgres or MySQL, has more holes than any other database out there, and costs an insane amount of money compared to what most people running Snort would use (we use MySQL here, I know many people using Postgres, or you can dump to text files).
In the world of real security grunts, we like to call such a tool Nessus (http://www.nessus.org/). It scans for more vulnerabilities than ISS (the marketing claims by ISS notwithstanding), is updated more frequently, offers more flexibility in scanning options, has a better support community, and is free.
Unfortunately for me, ISS has brainwashed many, many people in the Department of Energy. I'm forced to use their product on a day-to-day basis. On the upside, I can run Snort and Nessus to do all my real checks and detects, and then go to the ISS products I have to use, try to make them show me the data I need, and report with that. But every single site I have to deal with which uses ISS has done the same thing I've done - shoved it in a corner, set up a system with Snort and a system with Nessus, and gone about getting real work done with free, easy to use, well supported tools.
RagManX
You probably should work in the security world before making statements about things you clearly don't understand. tcpdump is a tool for watching all or select traffic. It dumps raw packets, and you have to figure out what to make of them. Snort is a tool for analyzing those packets and alerting on suspicious data. It provides the information you need to help you find potentially dangerous traffic.
Where I work, we have a T-3 'net connection. We typically run about 40% available bandwidth. You'll have just a *TINY* bit of trouble keeping up with that traffic if you manually analyze tcpdump logs. If you run Snort, it will do the bulk of the work, and alert you on things it thinks bear further investigation. It makes mistakes. But having it help focus your traffic checks makes the day a lot easier.
As for using a firewall, too many people have the mistaken impression that once they install a firewall, all their worries will go away. If you have an insider attacking one of your corporate servers, a firewall doesn't help with that at all. An intrusion detection system like Snort will. If your users bring in discs from home that contain trojan programs with call home features, your firewall probably won't catch that, but an intrusion detection system probably will. If your users are surfing to pr0n sites, your firewall might catch that, but an intrusion detection system has a much greater chance.
A firewall is a good thing to have, but everyone working in the security field is going to tell you that it is not enough. We have a concept which we frequently preach to newbs - defense in depth. Put as many systems in place for securing your network as you can realistically manage and track. If you have only a single security device, once an exploit comes out for that device, your network is wide open. And every single security system out there has bugs, so depending on one greatly increases your chances of getting 0wnzerized. Put in multiple systems, and you are likely to catch attacks on at least one of them, in the event that a way to avoid one part of your defense is found.
RagManX
I always go in to the bathroom before I snort, but that kind of depends on where you are. Basically anywhere where no one will see you snorting is good, and if you use a rolled up dollar bill, I would hide that as well.
Moon Macrosystems. Sun's biggest competitor.
Just a little story. At my previous job (an e-commerce .com site, where our database contained probably several million credit-card#'s and email addresses), we hired a few consultants to do some Java coding...
About a week later, because of our security tools, we discovered one of the consultants port-scanning our network. The director went and asked him why he was port scanning, with no good reply, and told him to stop doing it.
About 2 weeks later, yet again, the *same* consultant was found port-scanning the network again, this time hitting our production website boxes at our offsite co-location (which includes the database boxes, loaded with data that only a handful of people had access to). He was promptly walked out the door, and the consulting company was asked to replace him with someone else.
While a firewall will protect you from attacks from the outside, attacks from the inside are just as dangerous.
Score: -17, bad security.
Installing a firewall is not a magic solution. Suppose you run a website. You WILL be permitting 80/tcp through your firewall, probably also 443/tcp. Along comes the next worm that uses only http to gain entry to a system (Think CodeRed, Nimda && friends). How exactly is your firewall going to stop that sort of traffic? The answer you're searching for is, "it won't."
In addition to firewalling, running a NIDS sensor will help abate these threats. Most NIDS products support the notion of killing a connection (rskill, for RealSecure, flexresp for Snort, etc.) - this is how you can stop the threat of CR, CR-II, Nimda, et al.
Another way to abate these kinds of threats is to use something like Hogwash (which strangely enough is based on Snort), or a reverse-proxy that can inspect HTTP requests. Of course, those only help for HTTP traffic - there's a lot more out there besides HTTP. Remember sendmail, uw-imap, old qpopper, bind, and friends? They've all had remote-rootables that blew right through firewalls, since they only used the designated "proper" port(s) for the vulnerable daemon.
Use your head. There is no security magic bullet. It's a process, not a single product.
The unsig!
Use the right tool for the right job. In this case, switch out that fiber GBIC for a Cu GBIC and use a Cu-Gig card in the sensor.
No offense to our open-source IDS friends, but the commercial IDS world realized this exact thing at least 5 years ago. I used to work on the network based IDS products at ISS, and we started recommending this back in 1997 (when I started working there). Here is a link (PDF) to a document that describes (among other things) running RealSecure in "stealth mode" and it dates from 1998.
> Suppose you run a website. You WILL be permitting 80/tcp through your firewall, probably also 443/tcp. Along comes the next worm that uses only http to gain entry to a system (Think CodeRed, Nimda && friends). How exactly is your firewall going to stop that sort of traffic? The answer you're searching for is, "it won't."
Ahh but if you are allowing 443/tcp, how exactly is your IDS going to detect that sort of traffic? Seeing how the session is encrypted. The answer you're searching for is, "it won't."
Most people would probably call it Network Intrusion Detection System though. The same people would probably call the computer storing information a "logger" as well. Generally these people are known as "those who can spell".
What would a "Network Detection Intruder System" be BTW? An intrusion system which detects networks?
Not familiar with dsniff, ettercap, and the like, eh? Or how about large-scale SSL-based websites? Most of those actually terminate the SSL connections on some sort of SSL acceleration device, spitting out plain old http traffic out the back side.
I'm familiar with dsniff, but I think you'll agree its use is silly in an IDS/commercial web context (MITM with user getting cert doesn't match pop ups). I hadn't considered the SSL acceleration device though, that's a good point.
If you're going to do this, make sure you put two interfaces (or use 802.1q) in the box so you can monitor it via a management network. The importance of knowing your IDS is working is more valuable than its being undetectable to intruders. Two interfaces also obviates the need for the tortured fake IP traffic syslogging mentioned in the article. Oh, and one more thing - management network != general LAN.
Snort will also catch bad traffic buried in protocols that are allowed through your firewall.
For instance, http is probably something that you're going to allow through your firewall. Snort can detect Nimda signatures in the http traffic. Your firewall won't.
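To make the point of the last two posts (and the earlier one about 80/tcp and CodeRed/Nimda) concrete: a port filter only knows that tcp/80 is allowed, while a NIDS decodes the HTTP request and matches content. This is an added example, not code from the article or the Snort project; the rules are written in the spirit of Snort's classic WEB-IIS content rules and the packets are constructed.

```python
"""Port filter vs. content inspection on traffic the firewall must allow.
Added example; rules and packets are constructed, not Snort's own."""
from urllib.parse import unquote

# Minimal Snort-style rules: alert on worm request strings seen on port 80.
# Real Snort rules also carry flow:, classtype:, sid: and rev: options.
RULES = [
    {"msg": "WEB-IIS cmd.exe access", "dport": 80, "content": "cmd.exe", "nocase": True},
    {"msg": "WEB-IIS root.exe access", "dport": 80, "content": "root.exe", "nocase": True},
]

def firewall_verdict(dport, allowed=(80, 443)):
    """All a port-based filter can decide: is the destination port open?"""
    return "ACCEPT" if dport in allowed else "DROP"

def normalise_uri(payload):
    """Extract the request target from the HTTP request line and URL-decode it,
    as Snort's HTTP preprocessor does before content matching."""
    try:
        method, target, _version = payload.split("\r\n", 1)[0].split(" ", 2)
    except ValueError:          # not a well-formed request line
        return None
    return unquote(target)

def snort_alerts(packet):
    """Return the msg of every rule this packet triggers (empty list = clean)."""
    if packet["dport"] not in {r["dport"] for r in RULES}:
        return []
    uri = normalise_uri(packet["payload"])
    if uri is None:
        return []
    hits = []
    for r in RULES:
        hay, needle = uri, r["content"]
        if r["nocase"]:
            hay, needle = hay.lower(), needle.lower()
        if needle in hay:
            hits.append(r["msg"])
    return hits

# Constructed packets: one normal request, two Nimda-style probes (the second
# percent-encodes part of the target, so matching must happen after decoding).
PACKETS = [
    {"src": "203.0.113.7", "dport": 80, "payload": "GET /index.html HTTP/1.0\r\n\r\n"},
    {"src": "203.0.113.9", "dport": 80, "payload": "GET /scripts/root.exe HTTP/1.0\r\n\r\n"},
    {"src": "203.0.113.9", "dport": 80, "payload": "GET /c/winnt/system32/%43MD.EXE HTTP/1.0\r\n\r\n"},
]

def triage(packets):
    """Pair each packet with the firewall's verdict and the NIDS alerts: all three
    are ACCEPTed by the firewall, only the NIDS flags the two probes."""
    return [(p["src"], firewall_verdict(p["dport"]), snort_alerts(p)) for p in packets]
```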
I'll admit to not having read the article, mostly because the description seems very close to what we do at my job. We use Snort on an interface that has no IP address, and plug it into a port on the switch that mirrors the traffic from the router. This is done at every entry point into our network, and a few internal points as well. The logs are sent through a second ethernet card (with IP) to a MySQL database using ACID (Analysis Console for Intrusion Detection.) Once we got the rules tweaked, it became a fairly useful and easy tool to use.
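A check for the setup this post and the earlier "put two interfaces in the box" post describe: the sniffing NIC must carry no address at all, sit in promiscuous mode with ARP off, and logging must leave through a different, addressed management NIC. This is an added example, not code from the article or the Snort project; it parses `ip addr show` output (the samples here are constructed), so on a real sensor you would feed it the live output.

```python
"""Verify the sniff/management NIC split of a stealth Snort sensor from
`ip addr show` output.  Added example; sample outputs are constructed."""
import re

LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)[^:]*:\s+<([^>]*)>")
ADDR_RE = re.compile(r"^\s+(inet6?)\s+(\S+)\s+.*?\bscope\s+(\S+)")

def parse_ip_addr(text):
    """Map interface name -> {'flags': set, 'addrs': [(family, cidr, scope), ...]}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:
            cur = m.group(1)
            ifaces[cur] = {"flags": set(m.group(2).split(",")), "addrs": []}
            continue
        m = ADDR_RE.match(line)
        if m and cur is not None:
            ifaces[cur]["addrs"].append((m.group(1), m.group(2), m.group(3)))
    return ifaces

def sensor_findings(ifaces, sniff_if, mgmt_if):
    """Return the reasons the sensor is NOT stealthy/usable; empty list means OK."""
    s = ifaces.get(sniff_if)
    if s is None:
        return [f"{sniff_if}: interface not found"]
    out = []
    if "PROMISC" not in s["flags"]:
        out.append(f"{sniff_if}: not in promiscuous mode, Snort only sees its own traffic")
    if "NOARP" not in s["flags"]:
        out.append(f"{sniff_if}: ARP not disabled (missing NOARP flag)")
    # Any address, even an auto-configured IPv6 link-local one, makes the NIC talk
    # (DAD, neighbour discovery), which a stealth probe must never do.
    for family, cidr, scope in s["addrs"]:
        out.append(f"{sniff_if}: has {family} address {cidr} (scope {scope})")
    m = ifaces.get(mgmt_if)
    if mgmt_if == sniff_if:
        out.append("management and sniffing interface must differ (separate NIC or 802.1q VLAN)")
    elif m is None or not any(f == "inet" for f, _, _ in m["addrs"]):
        out.append(f"{mgmt_if}: no IPv4 address, nowhere for logs/ACID to go")
    return out

# Constructed sample output in the format `ip addr show` prints on a 2-NIC sensor:
# eth0 is the addressed management NIC, eth1 the address-less sniffing NIC.
SAMPLE_OK = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    inet 10.99.0.5/24 brd 10.99.0.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,PROMISC,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
"""
# Same box with eth1 left at defaults: not promiscuous, ARP on, IPv6 link-local address.
SAMPLE_LEAKY = SAMPLE_OK.replace("PROMISC,NOARP,", "") + \
    "    inet6 fe80::211:22ff:fe33:4466/64 scope link\n"
```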
Hot Damn! It's the Soggy Bottom Boys!
>CAT5 and snip the write cables
You mean clip the #1 and #2 wires at the computer end?
I'll have to try that.
The IPCop Firewall Distro comes with Snort and has an easy-to-understand web interface and a decent set of default rulesets. Unfortunately, tuning the rules cannot be done through the web interface, but you can log in and tweak with a text editor.
Cheers,
Jim
-- My Weblog.
All that Snort does is *watch* for stuff, not prevent it; it's up to the admin to read the logs and decide then what to block, using some other tool.
If you set it up and get familiar with it, you'll see that this is a good thing, due to the nature of it - it is sometimes overly-paranoid and the level of false-positives is very high. If it blocked all of the stuff it thought was an intrusion, you'd never get too much done.
That said, I have heard of tools that use Snort to trigger the insertion of firewall rules based upon certain types of 'intrusions'.
Snort's a great learning tool, but don't think it's actually *protecting* anything.
If you don't read its logs, it's like a security camera that nobody watches...
Since it's a *Packet* sniffer, you just need to tear open the packets to snort them - no dollar bill required.