Snort¶
Sources: tryhackme.com and the Snort manual
Snort capabilities¶
- Live traffic analysis
- Attack and probe detection
- Packet logging
- Protocol analysis
- Real-time alerting
- Modules & plugins
- Pre-processors
- Cross-platform support! (Linux & Windows)
Three main modes of use¶
- Sniffer Mode - reads IP packets and displays them in the console application.
- Packet Logger Mode - logs all IP packets (incoming and outgoing) that visit the network.
- NIDS (Network Intrusion Detection System) and NIPS (Network Intrusion Prevention System) Mode - logs/drops packets deemed malicious according to user-defined rules.
Basic Syntax¶
,,_ -*> Snort! <*-
o" )~ Version 2.9.15.1 GRE (Build 15125)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.10.1 (with TPACKET_V3)
Using PCRE version: 8.39 2016-06-14
Using ZLIB version: 1.2.11
USAGE: snort [-options] <filter options>
Options:
-A Set alert mode: fast, full, console, test or none (alert file alerts only)
"unsock" enables UNIX socket logging (experimental).
-b Log packets in tcpdump format (much faster!)
-B <mask> Obfuscated IP addresses in alerts and packet dumps using CIDR mask
-c <rules> Use Rules File <rules>
-C Print out payloads with character data only (no hex)
-d Dump the Application Layer
-D Run Snort in background (daemon) mode
-e Display the second layer header info
-f Turn off fflush() calls after binary log writes
-F <bpf> Read BPF filters from file <bpf>
-g <gname> Run snort gid as <gname> group (or gid) after initialization
-G <0xid> Log Identifier (to uniquely id events for multiple snorts)
-h <hn> Set home network = <hn>
(for use with -l or -B, does NOT change $HOME_NET in IDS mode)
-H Make hash tables deterministic.
-i <if> Listen on interface <if>
-I Add Interface name to alert output
-k <mode> Checksum mode (all,noip,notcp,noudp,noicmp,none)
-K <mode> Logging mode (pcap[default],ascii,none)
-l <ld> Log to directory <ld>
-L <file> Log to this tcpdump file
-M Log messages to syslog (not alerts)
-m <umask> Set umask = <umask>
-n <cnt> Exit after receiving <cnt> packets
-N Turn off logging (alerts still work)
-O Obfuscate the logged IP addresses
-p Disable promiscuous mode sniffing
-P <snap> Set explicit snaplen of packet (default: 1514)
-q Quiet. Don't show banner and status report
-Q Enable inline mode operation.
-r <tf> Read and process tcpdump file <tf>
-R <id> Include 'id' in snort_intf<id>.pid file name
-s Log alert messages to syslog
-S <n=v> Set rules file variable n equal to value v
-t <dir> Chroots process to <dir> after initialization
-T Test and report on the current Snort configuration
-u <uname> Run snort uid as <uname> user (or uid) after initialization
-U Use UTC for timestamps
-v Be verbose
-V Show version number
-X Dump the raw packet data starting at the link layer
-x Exit if Snort configuration problems occur
-y Include year in timestamp in the alert and log files
-Z <file> Set the performonitor preprocessor file path and name
-? Show this information
<Filter Options> are standard BPF options, as seen in TCPDump
Longname options and their corresponding single char version
--logid <0xid> Same as -G
--perfmon-file <file> Same as -Z
--pid-path <dir> Specify the directory for the Snort PID file
--snaplen <snap> Same as -P
--help Same as -?
--version Same as -V
--alert-before-pass Process alert, drop, sdrop, or reject before pass, default is pass before alert, drop,...
--treat-drop-as-alert Converts drop, sdrop, and reject rules into alert rules during startup
--treat-drop-as-ignore Use drop, sdrop, and reject rules to ignore session traffic when not inline.
--process-all-events Process all queued events (drop, alert,...), default stops after 1st action group
--enable-inline-test Enable Inline-Test Mode Operation
--dynamic-engine-lib <file> Load a dynamic detection engine
--dynamic-engine-lib-dir <path> Load all dynamic engines from directory
--dynamic-detection-lib <file> Load a dynamic rules library
--dynamic-detection-lib-dir <path> Load all dynamic rules libraries from directory
--dump-dynamic-rules <path> Creates stub rule files of all loaded rules libraries
--dynamic-preprocessor-lib <file> Load a dynamic preprocessor library
--dynamic-preprocessor-lib-dir <path> Load all dynamic preprocessor libraries from directory
--dynamic-output-lib <file> Load a dynamic output library
--dynamic-output-lib-dir <path> Load all dynamic output libraries from directory
--create-pidfile Create PID file, even when not in Daemon mode
--nolock-pidfile Do not try to lock Snort PID file
--no-interface-pidfile Do not include the interface name in Snort PID file
--disable-attribute-reload-thread Do not create a thread to reload the attribute table
--pcap-single <tf> Same as -r.
--pcap-file <file> file that contains a list of pcaps to read - read mode is implied.
--pcap-list "<list>" a space separated list of pcaps to read - read mode is implied.
--pcap-dir <dir> a directory to recurse to look for pcaps - read mode is implied.
--pcap-filter <filter> filter to apply when getting pcaps from file or directory.
--pcap-no-filter reset to use no filter when getting pcaps from file or directory.
--pcap-loop <count> this option will read the pcaps specified on command line continuously.
for <count> times. A value of 0 will read until Snort is terminated.
--pcap-reset if reading multiple pcaps, reset snort to post-configuration state before reading next pcap.
--pcap-reload if reading multiple pcaps, reload snort config between pcaps.
--pcap-show print a line saying what pcap is currently being read.
--exit-check <count> Signal termination after <count> callbacks from DAQ_Acquire(), showing the time it
takes from signaling until DAQ_Stop() is called.
--conf-error-out Same as -x
--enable-mpls-multicast Allow multicast MPLS
--enable-mpls-overlapping-ip Handle overlapping IPs within MPLS clouds
--max-mpls-labelchain-len Specify the max MPLS label chain
--mpls-payload-type Specify the protocol (ipv4, ipv6, ethernet) that is encapsulated by MPLS
--require-rule-sid Require that all snort rules have SID specified.
--daq <type> Select packet acquisition module (default is pcap).
--daq-mode <mode> Select the DAQ operating mode.
--daq-var <name=value> Specify extra DAQ configuration variable.
--daq-dir <dir> Tell snort where to find desired DAQ.
--daq-list[=<dir>] List packet acquisition modules available in dir. Default is static modules only.
--dirty-pig Don't flush packets and release memory on shutdown.
--cs-dir <dir> Directory to use for control socket.
--ha-peer Activate live high-availability state sharing with peer.
--ha-out <file> Write high-availability events to this file.
--ha-in <file> Read high-availability events from this file on startup (warm-start).
--suppress-config-log Suppress configuration information output.
Sniffer Mode¶
Daemon mode: find the background instance and stop it
$ ps -ef | grep snort
root 2898 1706 0 05:53 ? 00:00:00 snort -c /etc/snort/snort.conf -D
$ sudo kill -9 2898
Sniffer-mode steps:
- display TCP/IP packet headers
- display IP and TCP/UDP/ICMP packet headers on a specific interface
- also display the packet data/payload
- also display the data link layer headers
- display the full packet detail in HEX
Packet Logger Mode¶
Packet-logger-mode steps:
- read a binary log
- read the log using tcpdump
- read the log with a filter:
sudo snort -r logname.log -X
sudo snort -r logname.log icmp
sudo snort -r logname.log tcp
sudo snort -r logname.log 'udp and port 53'
- read the first 10 packets
IDS/IPS¶
snort has several alert modes:
- console: displays "fast style" alerts on the console.
- cmg: displays basic header details with the payload in hex and text format.
- full: full alert mode, displays all possible information about the alert.
- fast: fast alert mode, displays alerts in a simple format: timestamp, alert message, source and destination IPs/ports.
- none: disables alerting.
sudo snort -c /etc/snort/snort.conf -A console
sudo snort -c /etc/snort/snort.conf -A cmg
sudo snort -c /etc/snort/snort.conf -A fast
sudo snort -c /etc/snort/snort.conf -A full
sudo snort -c /etc/snort/snort.conf -A none
Running snort without a configuration file helps when testing the rules you have written, although it gives poorer performance.
IPS mode is enabled with the parameters -Q --daq afpacket; the Data Acquisition (DAQ) afpacket module must be used with -i eth0:eth1. Two interfaces are required for it to work.
PCAP Investigation¶
Besides sniffing, logging and detecting/preventing threats, snort can also read and investigate PCAP files. snort reads the traffic and raises alerts according to the rules in use.
Reading a PCAP with snort and no further parameters only replays the captured traffic; snort's other features can then be used to identify what is in the captured traffic.
Parameter | Description |
---|---|
-r / --pcap-single= | Read a single pcap |
--pcap-list="" | Read pcaps provided in command (space separated). |
--pcap-show | Show pcap name on console during processing. |
sudo snort -c /etc/snort/snort.conf -q --pcap-list="icmp-test.pcap http2.pcap" -A console -n 10
...
sudo snort -c /etc/snort/snort.conf -A full -l . -r mx-2.pcap
...
sudo snort -c /etc/snort/snort.conf -A full -l . --pcap-list="mx-2.pcap mx-3.pcap"
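The alert lines that -A console, -A fast and the PCAP runs above produce can be post-processed to see which signatures and which sources dominate. Added example in Python, not code from TryHackMe or the Snort project: it parses the Snort 2 fast-alert layout and counts alerts per signature and per source IP. The alert lines are constructed to mimic that layout, and the parser assumes IPv4 endpoints and the default timestamp format (no -y).

```python
"""Parse Snort 2 'fast'/console alert lines and summarise them.

Added example, not code from TryHackMe or the Snort project. The sample lines
below are constructed to match the Snort 2 fast-alert layout; adjust the regex
if your output adds fields (e.g. VLAN tags) or uses -y to include the year.
"""
import re
from collections import Counter

# Snort 2 fast-alert layout:
#   <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample output, as -A console / -A fast would print it (IPv4 only);
# the third line is start-up noise that must be ignored, not an alert.
SAMPLE_ALERTS = """\
08/28-15:02:11.123456  [**] [1:1000001:1] GET Request Found [**] [Priority: 0] {TCP} 10.0.0.5:43122 -> 93.184.216.34:80
08/28-15:02:12.000001  [**] [1:1000002:1] ICMP Echo Request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.1
Commencing packet processing (pid=2898)
08/28-15:02:13.500000  [**] [1:1000001:1] GET Request Found [**] [Priority: 0] {TCP} 10.0.0.7:51000 -> 93.184.216.34:80
"""


def _split_endpoint(ep):
    """'10.0.0.5:43122' -> ('10.0.0.5', 43122); '10.0.0.1' -> ('10.0.0.1', None). IPv4 only."""
    ip, sep, port = ep.rpartition(":")
    if sep and port.isdigit():
        return ip, int(port)
    return ep, None


def parse_fast_alert(line):
    """Return a dict for one alert line, or None if the line is not an alert."""
    m = FAST_ALERT.match(line.strip())
    if not m:
        return None
    src_ip, src_port = _split_endpoint(m.group("src"))
    dst_ip, dst_port = _split_endpoint(m.group("dst"))
    return {
        "ts": m.group("ts"),
        "gid": int(m.group("gid")), "sid": int(m.group("sid")), "rev": int(m.group("rev")),
        "msg": m.group("msg"), "classification": m.group("cls"), "priority": int(m.group("pri")),
        "proto": m.group("proto"),
        "src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip, "dst_port": dst_port,
    }


def summarise(text):
    """Count alerts per (sid, msg) and per source IP, skipping non-alert lines."""
    by_sig, by_src, skipped = Counter(), Counter(), 0
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = parse_fast_alert(line)
        if alert is None:
            skipped += 1
            continue
        by_sig[(alert["sid"], alert["msg"])] += 1
        by_src[alert["src_ip"]] += 1
    return {"by_signature": by_sig, "by_source": by_src, "skipped": skipped}


if __name__ == "__main__":
    summary = summarise(SAMPLE_ALERTS)
    for (sid, msg), n in summary["by_signature"].most_common():
        print(f"sid {sid:<8} {n:>3}  {msg}")
    for ip, n in summary["by_source"].most_common():
        print(f"{ip:<16} {n}")
    print("non-alert lines skipped:", summary["skipped"])
```

To use it on a real run, feed the contents of the alert file written under the -l directory (or the console output) to summarise() instead of SAMPLE_ALERTS; lines that do not match the layout are counted in "skipped" rather than silently dropped, so a format mismatch is visible.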
Snort Rule¶
Rule Header¶
Field | Description |
---|---|
Action | Commonly used actions: alert (generate an alert and log the packet); log (log the packet); drop (block and drop the packet); reject (block the packet, log it, and terminate the session). |
Protocol | Snort 2 has only 4 rule protocols (IP, TCP, UDP and ICMP), but port numbers can be used. |
Direction¶
indicates the traffic the rule applies to; the left side is the source, the right side the destination
- -> source to destination
- <> bidirectional flow
Rule Options¶
There are three main option groups in snort:
- General Rule Options: the fundamental rule options
- Payload Rule Options: options for investigating payload data; useful for detecting a specific payload
- Non-Payload Rule Options: options for non-payload data; useful for identifying network problems
General Rule Option¶
- msg: the message shown when the rule triggers; usually a one-line summary of the event.
- sid: the rule ID, divided into three ranges: <100 reserved rules; 100 - 999,999 rules that came with the build; >=1,000,000 user-created rules. User-created rule IDs must be >= 1,000,000 and must be unique.
- reference: each rule can carry additional information / references to help the analyst analyse the alert and investigate.
- rev: only indicates how many times the rule has been revised; it is maintained manually by the user.
Payload Detection Rule Options¶
- content: the payload data to match. The more specific the pattern searched for, the more time it takes.
  ASCII mode: alert tcp any any <> any 80 (msg: "GET Request Found"; content:"GET"; sid: 100001; rev:1;)
  HEX mode: alert tcp any any <> any 80 (msg: "GET Request Found"; content:"|47 45 54|"; sid: 100001; rev:1;)
- nocase: disables case sensitivity.
- fast_pattern: prioritises the content search; usually used for further investigation. This option is always case sensitive and can be used only once per rule. It is needed when multiple "content" options are used. In the following example, fast_pattern tells snort to use the first content option (GET) for the initial packet match:
  alert tcp any any <> any 80 (msg: "GET Request Found"; content:"GET"; fast_pattern; content:"www"; sid:100001; rev:1;)
Non-Payload Detection Rule Options¶
- id: filter on the IP ID field.
  alert tcp any any <> any any (msg: "ID TEST"; id:123456; sid: 100001; rev:1;)
- flags: filter on TCP flags: F (FIN), S (SYN), R (RST), P (PSH), A (ACK), U (URG).
  alert tcp any any <> any any (msg: "FLAG TEST"; flags:S; sid: 100001; rev:1;)
- dsize: filter on the packet payload size: dsize:min<>max; dsize:>100; dsize:<100;
  alert ip any any <> any any (msg: "SEQ TEST"; dsize:100<>300; sid: 100001; rev:1;)
- sameip: filter for packets whose source and destination IP address are the same.
  alert ip any any <> any any (msg: "SAME-IP TEST"; sameip; sid: 100001; rev:1;)
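How the general, payload and non-payload options above are interpreted, as an added example in Python (not Snort's own code): a toy evaluator for content in ASCII and |hex| form, nocase, dsize, flags, id and sameip, run against this page's own example rules and constructed packets. It assumes the rule layout used on this page (a single header line, options separated by ';', no ';' inside quoted strings), treats the dsize range form as inclusive, compares flags as an exact set, and parses but ignores msg, sid, rev and fast_pattern when matching; address and direction matching are not modelled.

```python
"""Evaluate a few Snort 2 rule options against constructed packets.

Added example, not Snort's own code: a toy evaluator that shows how the options
from the tables above (content in ASCII and |hex| form, nocase, dsize, flags,
id, sameip) are interpreted. It handles only the rule layout used on this page:
'action proto src sport dir dst dport (opt:val; ...)' with no ';' inside quotes.
msg, sid, rev and fast_pattern are parsed but have no effect on matching here.
"""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    """Constructed packet: only the fields the options below look at (IPv4, no direction check)."""
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int
    payload: bytes
    ip_id: int = 0
    tcp_flags: str = ""   # e.g. "S" or "PA", using the letters F S R P A U


HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_rule(text):
    """Split a rule into its header fields and an ordered list of (option, value) pairs."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("unrecognised rule: " + text)
    names = ["action", "proto", "src", "sport", "direction", "dst", "dport"]
    header = dict(zip(names, m.groups()[:7]))
    options = []
    for item in m.group(8).strip().rstrip(";").split(";"):
        item = item.strip()
        if item:
            name, _, value = item.partition(":")
            options.append((name.strip(), value.strip()))
    return header, options


def content_bytes(value):
    """content:"GET" and content:"|47 45 54|" denote the same bytes; |..| sections are hex."""
    parts = value.strip().strip('"').split("|")
    out = bytearray()
    for i, part in enumerate(parts):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def dsize_ok(spec, size):
    """dsize:min<>max, dsize:>n, dsize:<n or dsize:n. The range form is treated as inclusive here."""
    if "<>" in spec:
        lo, hi = spec.split("<>")
        return int(lo) <= size <= int(hi)
    if spec[0] in "<>":
        return size > int(spec[1:]) if spec[0] == ">" else size < int(spec[1:])
    return size == int(spec)


def rule_matches(rule_text, pkt):
    """True when the header protocol/port and every supported option agree with pkt."""
    header, options = parse_rule(rule_text)
    if header["proto"] not in ("ip", pkt.proto):
        return False
    if header["dport"] != "any" and int(header["dport"]) != pkt.dport:
        return False
    # nocase modifies the content option that precedes it, so pair them up first.
    contents = []
    for name, value in options:
        if name == "content":
            contents.append([content_bytes(value), False])
        elif name == "nocase" and contents:
            contents[-1][1] = True
    for needle, nocase in contents:
        hay = pkt.payload
        if nocase:
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    for name, value in options:
        if name == "dsize" and not dsize_ok(value, len(pkt.payload)):
            return False
        if name == "flags" and set(value) != set(pkt.tcp_flags):   # exact flag set, no modifiers
            return False
        if name == "id" and int(value) != pkt.ip_id:
            return False
        if name == "sameip" and pkt.src != pkt.dst:
            return False
    return True


# Constructed sample traffic.
HTTP_GET = Packet("tcp", "10.0.0.5", "93.184.216.34", 80,
                  b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n", ip_id=123456, tcp_flags="PA")
SYN = Packet("tcp", "10.0.0.5", "93.184.216.34", 80, b"", tcp_flags="S")

# The page's own example rules (sid values as given there).
RULE_ASCII = 'alert tcp any any <> any 80 (msg: "GET Request Found"; content:"GET"; sid: 100001; rev:1;)'
RULE_HEX = 'alert tcp any any <> any 80 (msg: "GET Request Found"; content:"|47 45 54|"; sid: 100001; rev:1;)'
RULE_FAST = 'alert tcp any any <> any 80 (msg: "GET Request Found"; content:"GET"; fast_pattern; content:"www"; sid:100001; rev:1;)'
RULE_FLAGS = 'alert tcp any any <> any any (msg: "FLAG TEST"; flags:S; sid: 100001; rev:1;)'
RULE_DSIZE = 'alert ip any any <> any any (msg: "SEQ TEST"; dsize:100<>300; sid: 100001; rev:1;)'

if __name__ == "__main__":
    for rule in (RULE_ASCII, RULE_HEX, RULE_FAST, RULE_FLAGS, RULE_DSIZE):
        print(parse_rule(rule)[1][0][1], "HTTP_GET:", rule_matches(rule, HTTP_GET), "SYN:", rule_matches(rule, SYN))
```

The ASCII and HEX rules match the same packet because content_bytes() turns |47 45 54| into the bytes G E T; the dsize rule does not fire on the 41-byte GET payload, and flags:S only fires on the bare SYN. When a rule misbehaves in real Snort, checking the option values this way (what bytes does the content actually encode, what size is the payload) is a quick first step before reaching for -T or a PCAP replay.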