Difference between revisions of "SNORT-RULES: Coba Menulis Rules untuk pemula"

Revision as of 10:30, 31 March 2017

Sumber: courses.umass.edu/cs415/labs/lab2/415-lab2-Snort.pdf

Snort mirip dengan tcpdump, tetapi memiliki output yang lebih bersih dan bahasa aturan yang lebih fleksibel. Sama seperti tcpdump, snort akan mendengarkan antarmuka tertentu, atau membaca jejak paket dari sebuah file. Umumnya administrator keamanan diminta untuk melihat jejak paket untuk menganalisis serangan yang terjadi. Disini kita akan belajar bagaimana menggunakan snort untuk membaca jejak dan belajar bagaimana menulis aturan / rules baru.

Alat

server dengan snort yang di instalasi

Bacaan

www.snort.org
http://www.snort.org/docs/FAQ.txt - Snort FAQ
http://www.snort.org/docs/snort_manual/node2.html - Snort Overview
http://www.snort.org/docs/snort_manual/node16.html - How to Write Snort Rules and Keep Your Sanity

Beberapa perintah bermanfaat

Melihat perintah snort

snort –help

Contoh membaca log

snort –r /tmp/snort-ids-lab.log -P 5000 –c /tmp/rules –e –X -v

Versi snort yang baru punya masalah saat membaca checksum paket yang tidak benar. Kita perlu menambahkan kalimat

config checksum_mode : none

di bagian atas rules file jika kita memperoleh checksum problem.

Tujuan utama snort adalah untuk memberikan alert administrator jika ada rules yang cocok dengan paket yang masuk. Setiap rules biasanya satu kalimat mengikuti format yang sama, seperti contoh berikut,

alert tcp any any -> 192.168.0.100 23 (msg: "Ada yang telnet ke mesin!"; sid:1000001)

arti dari rule di atas adalah,

action: kasi tanda bahaya ("alert")
semua paket ke telnet port (port 23)
ke mesin 192.168.0.100
tambahkan string yang bisa di baca admin "Ada yang telnet ke mesin!"
sid - rule ID start dari 1000000

Secara umum, semua rules mengikuti aturan:

action protocol address port direction address port (rule option)

Pada contoh,

Pilihan action adalah "log" atau "alert". "alert" akan menuliskan semua alert ke sebuah file "alert" yang sama. Sementara log akan menyimpan traffic untuk masing-masing IP address yang bermasalah pada sebuah folder untuk di analisa lebih lanjut.
Bagian protocol harus di isi "tcp", "udp",or "icmp". "Any" tidak di ijinkan.
Address dapat berupa notasi CIDR
Port dapat menggunakan range dan operator "!. Contoh log paket ke sekumpulan mesin dengan port tidak antara 6000-6010

log tcp any any -> 192.168.1.0/24 !6000:6010

Operator arah "->" atau "<-" atau "<>" untuk traffic bi-directional antara dua address.

Rule option dapat menentukan task yang harus dilakukan jika address dan protocol cocok. Contoh, snort rule untuk menangkap semua ICMP echo message,

alert tcp any any -> 192.168.10.2 any (itype: 8; msg: "ping detected";)

perhatikan mengapa itype = 8?

Catatan rule option:

harus berada dalam kurung ( )
harus di akhiri dengan ;
Opsi yang menarik untuk di explorasi "content", "flags", dan ipoption".

Contoh Rule

alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET login incorrect";
content:"Login incorrect"; flags: A+; reference:arachnids,127;)

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXPLOIT BIND Tsig
Overflow Attempt"; content:"|80 00 07 00 00 00 00 00 01 3F 00 01 02|/bin/sh";)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flags: F;
reference:arachnids,27;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"MISC linux rootkit attempt
lrkr0x";flags: A+; content:"lrkr0x";)5. alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI view-source
access ";flags: A+; content:"/view-source?../../../../../../../etc/passwd";
nocase;reference:cve,CVE-1999-0174;)

alert icmp any any -> any any (msg:"ICMP Source Quench"; itype: 4; icode: 0;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named
overflow";flags:
A+;content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanyway
whocareshorizongotitworkingsoalliscool"; reference:cve,CVE-1999-0833;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB
ADMIN$access"; flow:to_server,established; content:"\\ADMIN$|00 41 3a 00|";
reference:arachnids,340; classtype:attempted-admin; sid:532; rev:4;)

alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any
(msg:"SHELLCODE sparc NOOP"; content:"|a61c c013 a61c c013 a61c c013 a61c
c013|"; reference:arachnids,355; classtype:shellcode-detect; sid:646; rev:4;)

Phatbot Analysis

Read the analysis of the phatbot (sometimes referred to as polybot) Trojan at http://www.lurhq.com/phatbot.html. Question 3. As with question 2, evaluate the snort signatures contained in the above document. Comment on the effectiveness of these signatures. Question 4. The waste protocol used in the phatbot Trojan originally included the capability of encrypting the peer-to-peer data stream. What effect would this have on the effectiveness of the above signature. Question 5. Do some additional research about the phatbot/polybot Trojan. Assume that phatbot develops the capability of encrypting the data stream. Phatbot has a consistent and obvious signature of network activity across multiple packets that allow it to be detected even with out access to content of the data stream. The signature may traverse multiple packets. Snort rules generally deal with packet-by-packet data signatures. This question is intentionally vague and is designed to have you apply some of the skills you have acquired to tackling a real world problem such as being able to detect malicious activity even when you do not have access to the content of the data streams. Explain in a few paragraphs what other tools and techniques you may use to detect this signature. Provide enough detail so that a campus network administrator could follow your explanation to deploy your system in production. Question 6. What techniques would you use to minimize the number of false positives with your technique described above. 4 Evaluation Question 7: How hard was this lab? Was it fair? How would you change it to improve it?

Referensi

courses.umass.edu/cs415/labs/lab2/415-lab2-Snort.pdf

@@ Line 55: / Line 55: @@
 * Pilihan action adalah "log" atau "alert". "alert" akan menuliskan semua alert ke sebuah file "alert" yang sama. Sementara log akan menyimpan traffic untuk masing-masing IP address yang bermasalah pada sebuah folder untuk di analisa lebih lanjut.
-* The protocol field can be "tcp", "udp",or "icmp". "Any" is not allowed.
+* Bagian protocol harus di isi "tcp", "udp",or "icmp". "Any" tidak di ijinkan.
-* Addresses can be specified in CIDR notation
+* Address dapat berupa notasi CIDR
-* ports can be given as ranges and with the "!" operator. For example, the
+* Port dapat menggunakan range dan operator "!. Contoh log paket ke sekumpulan mesin dengan port tidak antara 6000-6010
-example below (stolen from the documentation!) logs all packets to a range of machine not on
-ports 6000-6010.
   log tcp any any -> 192.168.1.0/24 !6000:6010
-* The direction operator is either "->" or "<-"or "<>" for bi-directional traffic between two addresses.
+* Operator arah "->" atau "<-" atau "<>" untuk traffic bi-directional antara dua address.
-The rule options specify tasks to be performed if the addresses and protocols match.
+Rule option dapat menentukan task yang harus dilakukan jika address dan protocol cocok.
-For example, here's a snort rule to catch all ICMP echo messages:
+Contoh, snort rule untuk menangkap semua ICMP echo message,
   alert tcp any any -> 192.168.10.2 any (itype: 8; msg: "ping detected";)
-Run this single rule on the packet trace. The results will be written to /var/log/snort/alert. In your
+perhatikan mengapa itype = 8?
-write up, state why the value 8 was used. And, include the output of that command.
-Note that serveral options can be llisted in the parentheses. Each must end with a semicolon,
-even if there is only one rule. Other useful options include, "content", "flags" , "ipoption". More are
-list in the "writing snort rules" document.
+Catatan rule option:
+* harus berada dalam kurung ( )
+* harus di akhiri dengan ;
+* Opsi yang menarik untuk di explorasi "content", "flags", dan ipoption".
-What to hand in
-Question 1. There are seven other distinct packet signatures in the packet trace file. In other
+==Contoh Rule==
-words, there are 30 packets total in the packet trace. There are 8 rules that will uniquely identify
-the 8 different packet signatures. You already have one of the rules. Look though the packet trace
-and figure out the other rules. Look for more general signatures where you can, however, be
-careful not to write too general signatures. Part of the intent of the lab is to teach you how to write
-effective rules. It is easy to write a rules that matches all IP datagrams regardless of content, but
-this would be a very ineffective rule at detecting anomalous or malicious activity.
-Include in your write up the 7 other rules you came up with as well as the /var/log/snort/alert
-output. (The alert file is append each time snort has output, so you want to erase the alert file
-before each snort run while experiementing with different rules.) Be sure to include a descriptive
-message ("msg") with each alert.
-T
-he rules you write may be instructive, but not the most useful for a real system.
-Question 2. Once you've completed that trace, state how each of following real rules from the
-snort home page work:
   alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET login incorrect";