Snort Deployment for NIDS (final)

Questions and Answers

What is a limitation of Snort in regards to encrypted traffic?

• It can check for intrusion by checking SSL Proxies
• It cannot check for intrusion (correct)
• It cannot detect SSL Proxies
• It can decrypt encrypted traffic

What is the name of the program that can connect Snort to a database?

• SnortDB
• SensorConnect
• Barnyard2 (correct)
• Barnyard

Why might someone choose to use a Linux-based operating system for their Snort sensor?

• Because Snort is only available on Linux
• Because Linux is more user-friendly than Windows
• Because Linux is more secure than Windows
• Because the Windows version of Snort is no longer supported (correct)

What is an important consideration when choosing the base operating system for a Snort sensor?

Supportability (A)

What is one way to ensure the security of a Snort sensor?

Disable Unnecessary Services (C)

What is the purpose of Interface Pairing and SPAN in a Snort sensor?

To facilitate monitoring and detection (D)

What is a limitation of using open-source software like Snort?

Limited documentation and community support (A)

What is the primary function of a NIDS like Snort?

To detect and alert on potential intrusions (B)

Why is it recommended to not place a NIDS inline with network connections?

To prevent loss of network speed (C)

What is a Snort Sensor?

A NIDS placed in a network topology (B)

Why is it important to prioritize which systems to watch with a NIDS?

Because it's impossible to watch all systems and connections (C)

What is the purpose of a SPAN port on Cisco hardware?

To output all information on a single port (B)

What is a limitation of using modern switches with a NIDS?

They do not allow promiscuous mode by default (C)

Why is it recommended to use a hub to create a listening point in a network?

It allows promiscuous mode (B)

What is the benefit of using Cisco hardware with Snort?

Snort is built into many Cisco devices, making it easier to setup a Snort sensor (B)

What is the purpose of manual user intervention in a NIDS like Snort?

To stop an intrusion from continuing (A)

What is a crucial step in deploying Snort effectively?

Creating rules for Snort to function properly (B)

Why is Snort not a plug and watch solution?

Because it requires constant monitoring and troubleshooting (B)

What is the primary purpose of a NIDS like Snort?

To detect and respond to threats (B)

Why is it important to have a plan in place when using a NIDS like Snort?

To respond appropriately to identified attacks (B)

What should Snort be used in conjunction with?

Other security systems (D)

What is a limitation of Snort?

It does not provide comprehensive security (B)

Why are there commented out rules in the community rules?

Because they are not commonly needed rules and can be skipped. (C)

What is the purpose of community rules?

To provide alerting for common exploits that exist in networks. (C)

Why are not all active rules needed?

Because the rules that are active by default are the suggested rules to run on what is considered to be the most common network structure. (D)

What is the purpose of commenting out rules in community rules?

To leave them in the community rules in case the cyber security professional needs to use those rules. (C)

What should you do before implementing community rules?

Read the messages to get a better understanding of the purpose of the rule. (B)

Why are some rules not commonly used?

Because they are not needed for most networks. (D)

What is the purpose of the Attack-response.rules set?

To detect when a host is sending known responses to a successful attack (C)

Where can you download rules from the Snort.org Rule set?

https://www.snort.org/downloads/#rule-downloads (A)

What is the purpose of the Ddos.rules set?

To alert on traffic known for use in distributed denial of service attacks (A)

What is the purpose of the Experimental.rules set?

To include new type of rules (B)

What command is used to extract the rules from the Snort.org Rule set?

tar -xf (B)

What is the purpose of the Deleted.rules set?

To store old rules (D)

What is the purpose of the icmp-info.rules file?

Used when troubleshooting ICMP issues (D)

Which of the following rule categories is disabled by default and used to detect traffic sent from peer to peer services?

p2p.rules (D)

What is the minimum requirement for a Snort rule?

The sid option (A)

What is the purpose of the info.rules file?

Alerting on normal traffic found on a healthy, secure network (D)

What is the purpose of the rpc.rules file?

Alerting on known attacks against RPC services (B)

What is the purpose of the local.rules file?

Holding all custom rules created (B)

What is the purpose of the web-iis.rules file?

Alerting on known attacks against Microsoft Internet Information Server services (C)

What is the purpose of the imap.rules file?

Alerting on known attacks against IMAP email services (C)

What is the purpose of the misc.rules file?

Holding rules that are not included in other categories (B)

What is the purpose of the smtp.rules file?

Alerting on known attacks against SMTP mail services (C)

What is the purpose of the Backdoor.rules set?

To detect traffic generated by a backdoor network connection (D)

What is the purpose of the Bad-traffic.rules set?

To watch for illegal packet header settings (A)

What is the purpose of the Dns.rules set?

To alert on attacks against DNS services (B)

Where can you download rules from the Snort.org Rule set?

https://www.snort.org/downloads/#rule-downloads (C)

What is the purpose of the Experimental.rules set?

This is where new type of rules are included (C)

What command is used to extract the rules from the Snort.org Rule set?

tar -xf (B)

What is the main purpose of the icmp-info.rules file?

To troubleshoot icmp issues (B)

What is the minimum requirement for a Snort rule?

The 'sid' option only (A)

What does the 'Activate' rule action do?

Alerts then activates a dynamic rule (A)

What is the purpose of the p2p.rules file?

To detect traffic sent from peer to peer services (C)

What is the purpose of the oracle.rules file?

To detect known attacks against oracle database servers (D)

What does the 'Pass' rule action do?

Ignores or drops the packet (C)

What is the purpose of the web-misc.rules file?

To detect known attacks against common web attacks (B)

What is the purpose of the rpc.rules file?

To detect known attacks against RPC services (D)

What is the purpose of the sql.rules file?

To detect known attacks against MSSQL database servers (C)

What is the purpose of the local.rules file?

To hold all custom rules created (B)

What is the first step in writing your first snort rule?

Navigate to the /etc/snort/rules folder (B)

What is the purpose of the rule 'alert icmp any any any (msg:"ICMP detected";sid: 10001)'?

To detect ping requests (D)

How do you test your snort rule after creating it?

By sending 5 packets to google.com using the ping command (D)

What command is used to start Snort in console mode?

sudo snort -A console -c snort.conf (C)

What do you need to do to the community.rules file in snort.conf?

Comment it out (C)

What is the minimum requirement for a Snort rule?

An action and a protocol (A)

What is the purpose of the provided Python script?

To test and validate TCP and UDP rules (D)

What command can be used to verify the Python version?

python --version (D)

How many values are required to run a TCP packet test using the Python script?

2 (B)

What is the recommended Python version to use with the script?

2.7.5 (B)

How do you start the Python script?

By running python checkrule.py (D)

What type of protocol transactions can the Python script generate?

Both TCP and UDP (D)

What type of IP should be entered for IP/URL in a TCP call?

IPv4 (C)

What happens if no open port is found at the entered IP/URL?

The program will timeout after 1 minute (A)

What is the purpose of running checkrule.py?

To test each rule individually (A)

How many values need to be entered for a UDP packet call test?

3 (C)

What is the consequence of not testing each rule individually?

You may be testing the wrong rule (C)

What is not required to be entered in the URL for a TCP call?

HTTP or HTTPS (C)

What is the primary purpose of checking the flag in a TCP rule?

To filter the rule to only capture packets that are ACK (A)

What is the result of not specifying the flag in a TCP rule?

The rule will alert or log every transaction between the source and host (A)

What type of communication is captured by a basic TCP rule without a filter?

Any communication that is sent or received via TCP protocol (C)

Why are the rules being written against outgoing packets?

To test the rule against outgoing packets, so you don't have to configure an additional Virtual Machine (VM) to test your rules (A)

What is the purpose of a TCP rule?

To alert or log connection-oriented communications between a source and destination (C)

How many transactions occurred in the example of the TCP rule without a filter?

Seven transactions (D)

What is the purpose of applying a filter to a TCP rule?

To eliminate false positives and reduce the number of alerts (B)

What is the main difference between a UDP rule and a TCP rule?

UDP rules are connection-less protocols, unlike TCP rules (A)

What is the purpose of the 'content' option in a UDP rule?

To filter out specific UDP transactions based on content (B)

What is the purpose of the 'revision' option in a rule?

To mark the version of the rule (C)

What is the purpose of the 'nocase' option in a rule?

To make the uricontent and content options case-insensitive (C)

What is the purpose of the 'session' option in a rule?

To capture TCP session information (D)

What is the purpose of the 'stateless' option in a rule?

To send an alert once the TCP session is completed (B)

What is the result of applying a filter to a TCP rule?

Fewer alerts are generated (A)

What is the benefit of using options in a rule?

To eliminate false positives and reduce the number of alerts (C)

What is the purpose of creating a basic TCP rule with an applied filter?

To eliminate false positives and reduce the number of alerts (B)

What is the primary function of Session Interception in an Intrusion Prevention System (IPS)?

Terminating TCP connections by sending a reset packet (C)

What is the risk associated with IPS identification?

Exploit beating the attempted block (B)

What is the purpose of the flexresp plugin in Snort?

To allow Snort to act as a session interception IPS (C)

What is the primary function of Gateway Intrusion Detection in Snort?

Blocking hostile traffic using Snort Inline (B)

What is the risk associated with altering access lists in Snort?

Self-inflicted Denial of Service (C)

What is the primary function of SnortSAM in Snort?

Sending messages to routers' access lists (A)

What is the purpose of the 'react' response rule option?

To block access to the session if the rule is triggered (B)

What is the function of the 'replace' rule option in Snort Inline?

To change the content of the packet to allow the packet to be sent without affecting the content in an adverse way (A)

What is the function of SnortSAM?

To provide an IPS like action for snort (B)

What is the function of the 'sdrop' action in Snort Inline?

To drop the packet without generating an alert (D)

What is the purpose of the 'flexresp' plugin?

To send reset packets to the sender or recipient (A)

What is the difference between the 'drop' and 'sdrop' actions in Snort Inline?

The 'drop' action generates an alert while the 'sdrop' action does not (A)

What is a limitation of SnortSAM?

It is not widely used (D)

What is the purpose of the 'rst_snd' keyword in the 'flexresp' plugin?

To send a reset packet to the sender (B)

What is the purpose of Snort Inline?

To add new functionality to snort (A)

What is the requirement to enable flex response?

Compile snort from source (B)

What is the primary function of Session Interception in an IPS?

Terminating TCP connections by sending a reset packet (A)

What is the risk associated with altering access lists in Snort?

Self-inflicted Denial of Service (C)

What is the purpose of the flexresp plugin in Snort?

To allow Snort to act as a session interception IPS (A)

What can happen when Snort detects an attack and ends the TCP connection using RST?

Session Interception IPS identification (C)

What is the primary function of SnortSAM in Snort?

To send messages to routers access lists to prevent hostile traffic (C)

What can happen during the lag between the detect and the attack when SnortSAM is used?

Exploit beating the attempted block (B)

What is the purpose of the 'resp' rule option?

To send a reset packet to the sender or recipient (C)

Which of the following plugins require changes to the Snort configuration?

Flex response, Snort Inline, and SnortSAM (A)

What is the purpose of the 'react' rule option?

To send a message back to the browser or to send a warning to the client browser (A)

What is the purpose of the 'replace' rule option in Snort Inline?

To change the content of the packet to allow it to be sent without affecting the content (A)

What is the purpose of SnortSAM?

To provide an IPS like action for Snort (A)

What is the difference between the 'drop' and 'sdrop' actions in Snort Inline?

The 'drop' action generates an alert, while the 'sdrop' action does not (D)

What is required to enable flex response?

Building Snort from source with the flexresp plugin (D)

What is the limitation of using SnortSAM?

It requires running another program on top of Snort (B)

What is the purpose of the 'proxy' keyword in the react option?

To indicate the proxy port if the system runs on a proxy (C)

What is the requirement for using the react option?

Using the react option only with TCP protocol rules (D)

What is the purpose of the react rule option in Snort?

To block the TCP session (D)

What happens when the content of a TCP packet matches the 'verybadthings' pattern in the Snort rule?

The packet is blocked and the session is terminated (A)

What is required to test the Snort rule with the react option?

A TCP transmission with a message that contains 'verybadthings' (A)

What is the purpose of the modified checkrule.py script?

To add a message to TCP packets (B)

What is the purpose of the sid field in the Snort rule?

To identify the rule in the Snort database (A)

What is the result of adding the rule to the local.rules file?

The rule is applied to the TCP packets in real-time (C)

What is a false positive indicator?

When a rule generates an unexpected alert or more alerts than expected (D)

Why might you need to tune your IDS?

To alert and log more information than needed (D)

What is a potential cause of a false negative?

All of the above (D)

What is the purpose of the flow preprocessor?

To monitor port scans (A)

What should you do when verifying a rule that generates an unexpected alert?

Verify the rule and any equipment that is part of the rule (B)

What is the purpose of uncommenting the decoder configurations?

To tailor decoders and preprocessors (B)

What should you do with rule sets that are not needed?

Comment them out (C)

What is the problem with using pass rules?

They can make it difficult to detect attacks (C)

What is the purpose of the http_inspector preprocessor?

To troubleshoot and find false positives (C)

What is the advantage of suppression rules over thresholding rules?

Suppression rules are more flexible (C)

What should you do with individual rules in a rule set that do not cover operations in your system?

Comment them out (A)

What is the purpose of setting the reassemble to 'noalerts'?

To prevent false positives (D)

What is the term for when a rule generates an unexpected alert or more alerts than expected?

False Positive (A)

Why is it necessary to tune your IDS?

To reduce the number of false positives (A)

What is the primary function of the flow preprocessor?

To detect port scans (C)

What can be disabled if monitoring portscans is not important to your system?

Flow preprocessor (B)

What is a potential cause of a false negative?

All of the above (D)

What is the purpose of uncommenting decoder configurations?

To tailor decoders and preprocessors (A)

What is the purpose of tailoring decoders and preprocessors in Snort?

To reduce false positives (C)

Why should you disable the flow-portscan preprocessor if not tracking portscans?

To prevent unnecessary alerts (B)

What is the problem with using pass rules in Snort?

They make it nearly impossible to detect attacks (D)

What is the advantage of suppression rules over thresholding rules?

They are more flexible (D)

Why should you comment out individual rules in a rule set that do not cover operations in your system?

To reduce false positives (B)

What is the purpose of setting the reassemble to 'noalerts' in Snort?

To disable alerts for non-security related issues (D)

What should you do when performing tuning?

Use the no_alerts option to remove unnecessary data (A)

What is the purpose of tailoring the rule set?

To uncomment/comment out rules that are needed or not needed in your Snort configuration (B)

Why should you avoid using pass rules?

Because they are not specific enough to handle exceptions to rules (C)

What should you consider when tuning individual rules?

Making rules as specific as possible (C)

What is the purpose of tuning individual rules?

To avoid false positives (D)

Why should decoder configurations be commented out when developing rules?

To verify that rules are still sending alerts (C)

What should you do with rules that are not specific enough?

Use thresholding to limit the number of alerts produced (A)

What is the purpose of the flow preprocessor?

To provide service to the flow-portscan preprocessor (D)

When can the frag 3 preprocessor be disabled?

If your snort sensor is behind a firewall or router that does fragment reassembly (A)

What information does the http_inspector preprocessor provide?

Value information that can generate a lot of data (C)

What is the benefit of making a backup of your snort.conf file?

To ensure that changes can be reversed if needed (B)

Why should changes to the snort.conf file be made one at a time?

To test the configuration before making additional changes (C)

What is the purpose of commenting out the decoder configurations?

To disable alerts on certain rules (D)

When can the frag 3 preprocessor be disabled?

When a firewall or router does fragment reassembly (C)

What is the purpose of the flow preprocessor?

To provide service to the flow-portscan preprocessor (D)

What happens when the decoder configurations are uncommented?

Alerts on certain rules are disabled (A)

What information does the http_inspector preprocessor provide?

Value information that can generate a lot of data (A)

Why is it recommended to make changes to the snort.conf file one at a time?

To test the configuration before making additional changes (B)

What is the purpose of using the no_alerts option when performing tuning?

To remove noise data that provides no benefit (B)

What should you do with rules that are not common services run on a network?

Comment them out (B)

What is the purpose of pass rules?

To remove false positives (A)

What is a recommended approach when a rule cannot be specific enough?

Using thresholding (B)

Why is it recommended to avoid using pass rules?

Because they should be replaced by thresholding (C)

What is the purpose of tuning individual rules?

To make rules more specific to avoid false positives (C)

Study Notes

Snort Tuning and Thresholding

• False Positives: Unexpected alerts or more alerts than expected, requiring rule verification to ensure it's not a real intrusion attempt. • False Negatives: Undetected intrusions, caused by traffic encryption, network configuration problems, day zero attacks, faulty signatures, poor change management, and Snort sensor administration problems.

Initial Configuration and Tuning

• Decoders and Preprocessors: + Uncomment decoder configurations + Disable unnecessary preprocessors (e.g., flow, frag, stream) based on system requirements + Set reassemble to "noalerts" for stream preprocessor • Tailoring Decoders and Preprocessors: + http_inspector preprocessor: set with no_alerts when not used for troubleshooting + flow-portscan preprocessor: disable if not tracking portscans • Tailoring the Rule Set: + Comment out unnecessary rule sets and individual rules + Restrict rule sets to only use web technology and database used in the system

Thresholding and Suppression

• Threshold Rules: + Limit: alert only the first X number of events + Threshold: alert every X times + Both: alert only the X number of thresholds • Global Thresholds: use sig_id set to 0, meaning all rules • Suppression Rules: similar to threshold rules, can suppress by signature, source or destination address, or CIDR network block

Using Snort as an IPS

• React Rule Option: used to block TCP sessions, e.g., blocking TCP packets containing "verybadthings"

Snort Limitations and Considerations

• Open Source: may have limited documentation and require troubleshooting • Configuration: only the first step, requiring manual user intervention and a plan to stop intrusions • NIDS: one layer in network security, should be used in conjunction with other layers (IPS, Firewall, VPN) • Initial Configuration: essential to success, consider systems, topography, and network environment • Sensor Placement: prioritize systems to watch, use natural bottlenecks, and enable port mirroring or use a hub

Deploying Snort

• Important Key Points: + Snort is not a plug-and-watch solution + Understand what protections Snort provides and how it affects network and defense systems + Snort can't check encrypted traffic, but can check SSL Proxies • Securing the Sensor: harden the sensor, disable unnecessary services, apply patches and updates, and utilize robust authentication • Connecting Sensors: connect Snort to a database to save alerts and tie them to a sensor### Snort Rules

• Snort rules are used to detect and alert on various types of network traffic
• There are different types of rule sets available, including:
  • Exploit rules: detect known exploits
  • Finger rules: detect known types of finger attacks
  • FTP rules: detect known file transfer protocol attacks
  • ICMP-info rules: detect ICMP issues (not enabled by default)
  • IMAP rules: detect attacks against IMAP email services
  • Info rules: detect normal traffic on a healthy, secure network (not enabled by default)
  • Local rules: holds all custom rules created
  • Misc rules: holds rules that are not included in other categories
  • Multimedia rules: detect multimedia that is against company policy (not enabled by default)
  • MySQL rules: detect attacks against MySQL servers
  • Netbios rules: detect attacks against Windows systems using the NetBIOS protocol
  • NNTP rules: detect attacks against the Network Time Protocol
  • Oracle rules: detect attacks against Oracle database servers
  • Other-IDS rules: detect traffic from other IDS services
  • P2P rules: detect traffic sent from peer-to-peer services (disabled by default)
  • Policy rules: detect traffic sent from security policy violating services (disabled by default)
  • Pop2 rules: detect attacks against POP2 email services
  • Pop3 rules: detect attacks against POP3 email services
  • Porn rules: detect a variety of off-color packets (disabled by default)
  • RPC rules: detect attacks against remote procedure call (RPC) services
  • Rservices rules: detect attacks against remote services (rsh, rlogin, rexec)
  • Scan rules: detect attacks against a variety of network and service scans
  • Shellcode rules: detect shell code in packet payloads (disabled by default)
  • SMTP rules: detect attacks against SMTP mail services
  • SQL rules: detect attacks against MSSQL Database servers
  • Telnet rules: detect attacks against telnet services
  • TFTP rules: detect attacks against TFTP Services
  • Virus rules: detect viruses (disabled by default, not used or maintained)
  • Web-attack rules: detect web attacks (disabled by default, not used or maintained)
  • Web-cgi rules: detect attacks against Common Gateway Interface (CGI) services
  • Web-client rules: detect attacks against mainly Microsoft Outlook services
  • Web-coldfusion rules: detect attacks against ColdFusion web application services
  • Web-frontpage rules: detect attacks against Microsoft FrontPage web authoring services
  • Web-iis rules: detect attacks against Microsoft Internet Information Server (IIS) web services
  • Web-misc rules: detect attacks against common web attacks
  • Web-php rules: detect attacks against webservers running PHP application services
  • X11 rules: detect attacks against remote X-Windows services

Creating Your Own Rules

• To create your own rule, you need to add it to any of the existing rules packs
• The syntax for creating a rule includes:
  • "sid" option: the rule ID
  • "msg" option: a unique message describing what the rule has detected
• Rule actions:
  • Alert: alerts and logs the packet when triggered
  • Log: only logs the packet when triggered
  • Pass: ignores or drops the packet
  • Activate: alerts and then activates a dynamic rule/rules
  • Dynamic: ignores until started by an activate rule, then acts as a log rule
• Rule protocols:
  • TCP
  • UDP
  • IP
  • ICMP
  • Possible protocols in the future: ARP, IGRP, GRE, OSPF, RIP

Testing Your Rule

• To test your rule, you need to:
  • Configure your VM with a NAT network setup
  • Start Snort on your VM using the following command: sudo snort -A console -c snort.conf
  • Open another terminal window and send a ping call to test the rule
  • Verify that the rule worked by checking the console in the other window

Snort Rule Syntax

• Every rule requires at a minimum the "sid" option
• It is also good practice to include a unique message describing what the rule has detected, "msg" option
• When a rule is positive, the message is logged

TCP Rules

• TCP rules can alert or log connection-oriented communications between a source and destination
• You can check the flag that is being sent with the packet
• You do not need to check the flag, but you will alert/log every transaction between the source and host if you do not specify the flag

UDP Rules

• UDP rules can alert or log connectionless communications between a source and destination
• You can specify the content of the packet to filter out false positives

Non-Filtering Rule Options

• Revision: used to mark the version of the rule
• Nocase: removes case sensitivity for uricontent and content options
• Session: allows the TCP session information to be captured
• Stateless: changes when the alert is made, watching a TCP session and sending an alert once the session is completed### Flex Response
• Flex Response is a plugin that allows Snort to act as a session interception IPS
• Requires building Snort from source with the flexresp plugin
• Allows Snort to send a reset packet to the sender, recipient, or both parties
• Keywords: rst_snd, rst_rcv, rst_all, icmp_net, icmp_host, icmp_port, icmp_all

React Response

• The React response option is useful when blocking attacks that use the TCP session
• Does not require compiling Snort from source
• Only works on TCP protocol rules
• Keywords: block, warn, msg, proxy

Snort Inline and SnortSAM

• Snort Inline adds new functionality to Snort, including two new actions and a new rule option
• The two new actions are drop and sdrop, which allow Snort to drop offending packets
• The new rule option is replace, which allows Snort to change the content of a packet
• SnortSAM is a program that runs alongside Snort to provide IPS-like actions
• SnortSAM requires patching Snort to provide a different output module

Intrusion Prevention Strategies

• Host-based memory and process protection
• Session Interception
• Gateway intrusion detection
• Intrusion Prevention Risks: Session interception IPS identification, Exploit beating the attempted block, Self-inflicted Denial of service

Tuning Snort

• Tailor the decoder and preprocessors
• Use the no_alerts option to remove unnecessary data
• Tune individual rules to be as specific as possible
• Use thresholding to limit the number of alerts produced by a single rule
• Pass rules are used to remove false positives, but should not be used in favor of thresholding

Decoder Configurations

• There are six decoder configurations in the snort.conf file
• These configurations disable alerts on certain rules
• Should be commented out when developing rules and verified when active
• Located under step 2 of the snort.conf file

Preprocessors

• Flow preprocessor provides service to the flow-portscan preprocessor
• Frag 3 preprocessor is used for fragment reassembly
• Http_inspector preprocessor provides valuable information, but can generate a lot of noise

Description

Learn how to effectively deploy Snort as a Network Intrusion Detection System (NIDS) and configure the snort.conf file to ensure optimal performance. Understand the essential components required for successful Snort deployment. Quiz yourself on Snort setup and configuration.