Snort / 메모

Snort

• Snort는 오픈 소스 침입 차단 시스템(IPS, Intrusion Prevention System)이다.
• 홈페이지 : https://www.snort.org/
• 주요 기능 : packet sniffer, packet logger, network intrusion prevention system

Snort can be deployed inline to stop these packets, as well. Snort has three primary uses: As a packet sniffer like tcpdump, as a packet logger — which is useful for network traffic debugging, or it can be used as a full-blown network intrusion prevention system. Snort can be downloaded and configured for personal and business use alike.

Snort Rule

구조

Action / Protocol / Source IP / Source Port / Direction / Destination IP / Destination Port / Option

Action

• alert : 경고 생성 / 로그 기록
• log : 로그 기록
• pass : 무시
• drop : 차단 / 로그 기록
• reject : 차단 / 로그 기록 / TCP라면 TCP 리셋 전송, UDP ICMP port unreachable message 전송

Protocol

• tcp
• udp
• icmp
• ip

IP

• 192.168.0.10/32
• 192.168.0.0/24
• [192.168.0.10/32, 192.168.0.11/32]
• !192.168.0.10/32
• any

Port

• 80
• !80
• 1:200
• !1:200
• any

Direction

• -> : 요청 패킷 탐지
• <> : 요청, 응답 패킷 둘 다 탐지

Option

• General
• Payload Detection
• Non-Payload Detection
• Post-Detection

Option

General

• msg
  The msg keyword tells the logging and alerting engine the message to print with the packet dump or alert.
• reference
  The reference keyword allows rules to include references to external attack identification systems.
• gid
  The gid keyword (generator id) is used to identify what part of Snort generates the event when a particular rule fires.
• sid
  규칙 식별자
• rev
  규칙 리비전
• classtype
  규칙 분류
• priority
  우선 순위
• metadata
  The metadata keyword allows a rule writer to embed additional information about the rule, typically in a key-value format.

Payload Detection

• content
  검색할 문자열
  alert tcp any any -> any 139 (content:"|5c 00|P|00|I|00|P|00|E|00 5c|";)

• protected_content

• hash

• length

• nocase
  대소문자를 무시한다.
  alert tcp any any -> any 21 (msg:"FTP ROOT"; content:"USER root"; nocase;)

• rawbytes
  가공 전의 패킷 데이터에서 규칙을 매칭할 때 사용
  alert tcp any any -> any 21 (msg:"Telnet NOP"; content:"|FF F1|"; rawbytes;)

• depth
  지정 바이트까지 탐지

• offset
  지정 바이트 건너뛰고 탐지
  alert tcp any any -> any 80 (content:"cgi-bin/phf"; offset:4; depth:20;)

• distance
  이전 content 패턴에 매치된 경우, 매치된 이후 바이트부터 몇 바이트 떨어진 위치에서 다음 content를 검사할 것인지 지정
  alert tcp any any -> any any (content:"ABC"; content:"DEF"; distance:1;)

• within
  이전 content 패턴에 매치된 경우, distance부터 몇 바이트 범위 내에서 다음 content를 검사할 것인지를 지정
  alert tcp any any -> any any (content:"ABC"; content:"EFG"; within:10;)

• http_client_body

• http_cookie

• http_raw_cookie

• http_header

• http_raw_header

• http_method

• http_uri

• http_raw_uri

• http_stat_code

• http_stat_msg

• http_encode

• fast_pattern

• uricontent

• urilen

• isdataat
  alert tcp any any -> any 111 (content:"PASS"; isdataat:50,relative; content:!"|0a|"; within:50;)

• pcre

• pkt_data

• file_data

• base64_decode

• base64_data

• byte_test

• byte_jump

• byte_extract

• byte_math

• ftpbounce

• asn1

• cvs

• dce_iface

• dce_opnum

• dce_stub_data

• sip_method

• sip_stat_code

• sip_header

• sip_body

• gtp_type

• gtp_info

• gtp_version

• ssl_version

• ssl_state

Non-Payload Detection

• fragoffset
• ttl
• tos
• id
• ipopts
• fragbits
• dsize
• flags
• flow
• flowbits
• seq
• ack
• window
• itype
• icode
• icmp_id
• icmp_seq
• rpc
• ip_proto
• sameip
• stream_reassemble
• stream_size

Post-Detection

• logto
• session
• resp
  alert tcp any any -> any 80 (content:"a"; resp:<resp_t>; sid:1;)
  resp_t : rst_snd, rst_rcv, rst_all, reset_source, reset_dest, reset_both, icmp_net, icmp_host, icmp_port, icmp_all
• react
• tag
• replace
• detection_filter

예제

content 검출

• content:"456"
  1234567890abcdef
• content:456";depth:7
  1234567890abcdef
• content:"456";offset:2;depth:4
  1234567890abcdef
• content:"123";content:"789";distance:3
  1234567890abcdef
• content:"123";content:"789";distance:3;within:5
  1234567890abcdef
• content:"34";offset:2;depth:5;content:"0ab";distance:3;within:5
  1234567890abcdef

기타

Snort Rule Creator

• SNORPY : http://snorpy.cyb3rs3c.net/