334.2 Network Intrusion Detection
Weight: 4
Description: Candidates should be familiar with the use and configuration of network security scanning, network monitoring and network intrusion detection software. This includes updating and maintaining the security scanners.
Key Knowledge Areas:
Implement bandwidth usage monitoring
Configure and use Snort, including rule management
Configure and use OpenVAS, including NASL
Partial list of the used files, terms and utilities:
ntop
snort
snort-stat
pulledpork.pl
/etc/snort/*
openvas-adduser
openvas-rmuser
openvas-nvt-sync
openvassd
openvas-mkcert
openvas-feed-update
/etc/openvas/*
Network Monitoring
ntop
ntop is a network traffic monitoring tool that shows network usage in a way similar to what the top command does for processes. It shows the network status and the distribution of traffic per protocol (TCP, UDP, DNS, HTTP and others).
ntop is a hybrid layer 2 / layer 3 network monitor: by default it uses both the layer 2 Media Access Control (MAC) addresses and the layer 3 TCP/IP addresses. ntop can associate the two, so that IP and non-IP traffic (e.g. ARP, RARP) are combined into a complete picture of network activity.
The ntop command may be used for basic administration tasks or to launch the ntop daemon.
ntop is a network probe. In interactive mode it displays the network status on the user's terminal. It also has a web mode, in which it acts as a web server and renders the network status as HTML pages.
ntop is no longer developed and has been superseded by ntopng.
examples:
/usr/sbin/ntop -A
Set the ntop admin user password interactively.
ntop --set-admin-password=NewP@$$
Set a new admin password non-interactively. A password passed on the command line is visible to every user in the process list (ps) and is written to the shell history, so prefer -A on a shared host.
ntop -P /etc/ntop -w4242 -d
Run ntop as a daemon with /etc/ntop as its data directory (-P, --db-file-path), serving the web interface on port 4242.
The -w option sets the port of the HTTP interface; if you do not specify it, the default port is 3000 (-W sets the HTTPS port instead).
The -d option runs ntop in daemon mode.
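The per-protocol split and per-host figures that ntop displays can be reproduced on a small scale from raw packet records. The code below is an added example, not ntop code: it aggregates a constructed list of packet records (a probe would read them from libpcap, as ntop does) into a byte distribution per application protocol, a top-talkers list and a per-second threshold alarm for hosts sending more than an assumed 20 kbit/s; the port-to-application table is an abbreviated assumption standing in for the classification ntop performs.

```python
"""ntop-style bandwidth accounting from packet records.

Added example, not ntop code. Records are constructed for the example; a real
probe would obtain them from libpcap. Classification by well-known port is a
simplification of what ntop does and the alert threshold is an assumption.
"""
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "ts src sport dst dport proto size")

# Constructed sample: two seconds of traffic on a small LAN (10.0.0.0/24).
SAMPLE = [
    Packet(0.0, "10.0.0.5", 40123, "10.0.0.1", 53, "udp", 80),
    Packet(0.1, "10.0.0.1", 53, "10.0.0.5", 40123, "udp", 120),
    Packet(0.2, "10.0.0.5", 50211, "93.184.216.34", 443, "tcp", 600),
    Packet(0.4, "93.184.216.34", 443, "10.0.0.5", 50211, "tcp", 1400),
    Packet(1.0, "10.0.0.7", 51000, "10.0.0.20", 22, "tcp", 300),
    Packet(1.5, "10.0.0.9", 52000, "203.0.113.8", 443, "tcp", 1400),
    Packet(1.6, "10.0.0.9", 52000, "203.0.113.8", 443, "tcp", 1400),
    Packet(1.7, "10.0.0.9", 52000, "203.0.113.8", 443, "tcp", 1400),
    Packet(2.0, "10.0.0.5", 0, "10.0.0.1", 0, "icmp", 84),
]

# Well-known ports to application names (assumed, abbreviated table).
PORT_TO_APP = {22: "SSH", 25: "SMTP", 53: "DNS", 80: "HTTP", 443: "HTTPS"}


def classify(pkt):
    """Name the application protocol; either endpoint may hold the known port."""
    if pkt.proto == "icmp":
        return "ICMP"
    app = PORT_TO_APP.get(pkt.dport) or PORT_TO_APP.get(pkt.sport)
    return app or f"Other {pkt.proto.upper()}"


def protocol_distribution(packets):
    """Bytes per application protocol, the split ntop shows on its protocol page."""
    totals = defaultdict(int)
    for pkt in packets:
        totals[classify(pkt)] += pkt.size
    return dict(totals)


def top_talkers(packets, n=3):
    """Hosts ranked by bytes sent."""
    sent = defaultdict(int)
    for pkt in packets:
        sent[pkt.src] += pkt.size
    return sorted(sent.items(), key=lambda kv: kv[1], reverse=True)[:n]


def bandwidth_alerts(packets, window=1.0, limit_bps=20000):
    """Hosts whose sent rate in any window exceeds limit_bps, with their peak rate.

    Fixed time buckets keep this cheap; a burst split across two buckets can
    stay below the limit, which a sliding window would catch at more cost.
    """
    buckets = defaultdict(int)
    for pkt in packets:
        buckets[(pkt.src, int(pkt.ts // window))] += pkt.size
    peak = {}
    for (host, _), nbytes in buckets.items():
        bps = nbytes * 8 / window
        if bps > limit_bps:
            peak[host] = max(bps, peak.get(host, 0))
    return peak


def main():
    total = sum(p.size for p in SAMPLE)
    for app, nbytes in sorted(protocol_distribution(SAMPLE).items()):
        print(f"{app:<10} {nbytes:>7} B  {100 * nbytes / total:5.1f}%")
    print("top talkers:", top_talkers(SAMPLE))
    print("over limit:", bandwidth_alerts(SAMPLE))


if __name__ == "__main__":
    main()
```

This is also what an SNMP poller cannot give you: interface counters show volume per switch port, not which host or application produced it, which is why ntop-style probes and SNMP graphing tools complement rather than replace each other.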
ntopng
ntopng is the next generation version of the original ntop, a network traffic probe that monitors network usage. ntopng is based on libpcap and is written portably, so that it runs on virtually every Unix platform, on macOS and on Windows.
cacti
Cacti is an open-source network monitoring and graphing tool that uses the Simple Network Management Protocol (SNMP) to poll traffic and bandwidth utilisation counters from devices such as routers and switches. It is more general-purpose than ntop: it graphs whatever counters SNMP exposes rather than inspecting packets itself.
Working with Snort
What is snort?
Snort is a widely used open source intrusion detection and prevention system (IDS/IPS). It uses a set of rules that describe malicious network activity, compares packets against those rules and generates alerts for the operator. Deployed inline, Snort can also drop the offending packets.
Snort has three primary uses:
As a packet sniffer like tcpdump,
as a packet logger — which is useful for network traffic debugging,
or it can be used as a full-blown network intrusion prevention system.
Snort can be downloaded and configured for personal and business use alike.
Installing Snort
At one time, installing Snort was a lengthy manual process. It wasn't difficult, but there were a lot of steps and it was easy to miss one. The major Linux distributions have made things simpler by making Snort available from their software repositories.
The versions in the repositories sometimes lag behind the latest version that is available on the Snort website. If you want to, you can download and install from source. As long as you have the latest rules, it doesn’t matter too much if your Snort isn’t the latest and greatest—as long as it isn’t ancient.
Red Hat based Linux distribution users can download the Snort package from https://www.snort.org/downloads#snort-downloads and then install it by running the following command, where <Version> must be replaced with the current version that you downloaded.
Snort 2.9 introduced the DAQ (Data Acquisition) library for packet I/O. The DAQ replaces direct calls to libpcap functions with an abstraction layer that supports a variety of hardware and software interfaces (DAQ modules such as pcap for passive sniffing and afpacket or nfq for inline operation) without requiring changes to Snort.
Configuring Snort
Snort's configuration file is /etc/snort/snort.conf. Before getting started, Debian users must follow the steps below. Users of other distributions can continue from the part on editing /etc/snort/snort.conf.
Note for Debian users: Debian Linux overwrites some network settings in the Snort default configuration file. Under the /etc/snort directory, there is the /etc/snort/snort.debian.conf file from where the Debian network settings are imported.
If you are a Debian user, run the following code:
vim /etc/snort/snort.debian.conf
Check that all the information in this configuration file is correct, including the CIDR address of the home network, the network interface, etc.
Save the file. Let's start configuring Snort.
/etc/snort/*
/etc/snort/snort.conf
Snort has a large configuration file; only some important sections are mentioned here.
Check your network configuration: the HOME_NET and EXTERNAL_NET variables near the top of the file define the protected network and everything outside it, and the rules refer to them. Then scroll down.
Define the ports that you want to be monitored (port variables such as HTTP_PORTS and SSH_PORTS, which the rules and preprocessors use).
Snort Rules
What is a Snort rule?
Rules are a different methodology for performing detection, which brings the advantage of 0-day detection. Unlike signatures, rules are based on detecting the actual vulnerability rather than a particular exploit or a unique piece of data. Developing a rule therefore requires an accurate understanding of how the vulnerability actually works.
Snort rules are enabled or disabled by commenting or uncommenting the corresponding include lines in the /etc/snort/snort.conf file; the rule files themselves are stored in the /etc/snort/rules directory.
To enable or disable rules, open /etc/snort/snort.conf with a text editor. The rule includes are located at the end of the file.
When you reach the end of the file, you will see a list of rule files for different purposes. Uncomment the ones you want to enable and comment out the ones you want to disable.
For example, to detect traffic related to DoS attacks, uncomment the DOS rules (dos.rules). Or uncomment the FTP rules (ftp.rules) to monitor port 21.
Let's take a look at the rules directory:
As you can see, by default there are no rules. Let's get the community rules:
and now:
There are tons of rules; try vim community.rules.
Rules Syntax
Snort Rules are made up of two primary components: The Rule Header and The Rule Option:
Rule Header
alert — Rule action. Snort will generate an alert when the condition is met.
any — Source IP. (If you use "any", Snort will look at all sources.)
any — Source port. (If you use "any", Snort will look at all ports.)
-> — Direction. From source to destination.
any — Destination IP. Snort will look at all destinations on the protected network.
any — Destination port. Snort will look at all ports on the protected network.
Rule Options
msg:"ICMP test" — Snort will include this message with the alert.
rev:1 — Revision number. This option allows for easier rule maintenance.
classtype:icmp-event — Categorizes the rule as an "icmp-event", one of the predefined Snort categories. This option helps with rule organization.
A sid (Snort ID) option is also required in every rule; see sid/rev in the additional notes at the bottom of this page.
If we want to look at traffic from a particular host or port, we simply replace "any" with the desired IP address or port. For example, a Snort rule:
note: Snort rule options are separated from each other using a semicolon.
take a look at bottom of this page for additional notes and information about snort rules.
Here $HOME_NET is a variable defined in snort.conf; it names the protected network, so that rules do not hard-code addresses.
Read more about how to write Snort rule files for a secure network and how to design a Snort architecture.
Keeping the Snort Rules Updated
Snort has two main types of rules: community rules developed by the Snort community, and the official (Registered and Subscriber) rule sets. The community rules can always be downloaded. To download the official rules you need an Oink Code, a per-account token that authorises the download of the latest rule snapshots (visit https://www.snort.org/oinkcodes).
After registering, confirm the account from your email and log in to the Snort site.
In the left-hand menu of the dashboard, click Oinkcode and you will see your code.
The resulting download URL looks something like this:
You can create a cron script to download and extract the rules to the proper directory. Treat the Oink Code like a password: keep it out of world-readable scripts and shell history, and verify the downloaded archive before extracting it over /etc/snort/rules.
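The cron job is where the Oink Code most often leaks and where an unverified archive gets unpacked straight into /etc/snort/rules. The script below is an added example, not Snort's or PulledPork's code, showing one careful way to do the update: the Oink Code is read from a root-only file (/etc/snort/oinkcode, an assumed path); the snapshot name is assumed to match the installed Snort version (snortrules-snapshot-29200.tar.gz is a placeholder); the archive is checked against the .md5 file that snort.org is assumed to publish beside it; only regular files directly under rules/ are extracted (no symlinks, no ../ paths); the directory is swapped in atomically with the old set kept as rules.bak; and Snort is sent SIGHUP through an assumed PID file path. constructed_snapshot() builds an in-memory archive so that demo() runs offline.

```python
"""Download, verify and install a Snort rule snapshot using an Oink Code.

Added example, not Snort's or PulledPork's code. Assumptions not from the page:
the Oink Code sits in a root-only file; the snapshot name must match the
installed Snort version (snort -V); snort.org serves a .md5 beside each
snapshot; the archive holds a rules/ directory; the PID file name.
"""
import hashlib, io, os, shutil, signal, tarfile, tempfile
import urllib.parse, urllib.request

BASE_URL = "https://www.snort.org/rules/"
OINK_FILE = "/etc/snort/oinkcode"     # assumption: owned by root, mode 0600
RULES_DIR = "/etc/snort/rules"
PID_FILE = "/var/run/snort_eth0.pid"  # assumption: Snort's default pid file name


def read_oinkcode(path=OINK_FILE):
    """Read the Oink Code, refusing a file that other users can read."""
    if os.stat(path).st_mode & 0o077:
        raise PermissionError(f"{path} must be mode 0600")
    with open(path) as f:
        return f.read().strip()


def snapshot_url(snapshot, oinkcode, suffix=""):
    """Build the download URL; the code goes in the query string, never in argv."""
    return f"{BASE_URL}{snapshot}{suffix}?oinkcode={urllib.parse.quote(oinkcode)}"


def fetch(url):
    with urllib.request.urlopen(url, timeout=120) as resp:
        return resp.read()


def verify_md5(data, md5_text):
    """Check the archive against the published '<md5>  <filename>' line."""
    expected = md5_text.split()[0].lower()
    actual = hashlib.md5(data).hexdigest()
    if actual != expected:
        raise ValueError(f"md5 mismatch: got {actual}, expected {expected}")
    return True


def safe_rule_members(tar):
    """Keep only regular files directly under rules/: no links, no traversal."""
    keep = []
    for m in tar.getmembers():
        name = os.path.normpath(m.name)   # "rules/../x" becomes "x" and is dropped
        if m.isfile() and not os.path.isabs(name) and os.path.dirname(name) == "rules":
            keep.append(m)
    return keep


def install_rules(tar_bytes, dest=RULES_DIR):
    """Unpack into a staging dir on the same filesystem, then swap it in."""
    staging = tempfile.mkdtemp(prefix=".rules.", dir=os.path.dirname(os.path.abspath(dest)))
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        members = safe_rule_members(tar)
        for m in members:
            target = os.path.join(staging, os.path.basename(m.name))
            with tar.extractfile(m) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
    backup = dest + ".bak"
    if os.path.isdir(backup):
        shutil.rmtree(backup)
    if os.path.isdir(dest):
        os.rename(dest, backup)   # previous rule set kept for rollback
    os.rename(staging, dest)
    return sorted(os.path.basename(m.name) for m in members)


def reload_snort(pid_file=PID_FILE):
    """SIGHUP tells the running Snort to re-read its configuration and rules."""
    with open(pid_file) as f:
        os.kill(int(f.read().split()[0]), signal.SIGHUP)


def constructed_snapshot():
    """In-memory stand-in for a snapshot (constructed), with two hostile entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        files = {
            "rules/local.rules": 'alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000001; rev:1;)\n',
            "rules/community.rules": "# community rules go here\n",
            "rules/../../tmp/evil.rules": "# path traversal attempt\n",
        }
        for name, text in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(text.encode())
            tar.addfile(info, io.BytesIO(text.encode()))
        link = tarfile.TarInfo("rules/passwd.rules")  # symlink pointing outside
        link.type, link.linkname = tarfile.SYMTYPE, "/etc/passwd"
        tar.addfile(link)
    return buf.getvalue()


def demo():
    """Offline run: install the constructed snapshot into a temporary directory."""
    return install_rules(constructed_snapshot(), os.path.join(tempfile.mkdtemp(), "rules"))


def update(snapshot="snortrules-snapshot-29200.tar.gz"):  # assumption: matches snort -V
    """Online run on the sensor: fetch, verify, install, reload."""
    code = read_oinkcode()
    data = fetch(snapshot_url(snapshot, code))
    verify_md5(data, fetch(snapshot_url(snapshot, code, ".md5")).decode())
    print("installed:", install_rules(data))
    reload_snort()


if __name__ == "__main__":
    print(demo())
```

On a sensor, run update() from cron as root; demo() is only the offline self-check. The MD5 comparison catches a truncated or corrupted download, not a tampered one, because the checksum travels over the same channel as the archive; the TLS connection to snort.org is what provides integrity. PulledPork (pulledpork.pl, listed among the files for this objective) automates the same sequence and adds per-sid enable/disable lists.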
snort commands
snort
Run with only sniffer options (for example snort -v, or snort -vde to also dump the payload and link-layer headers), Snort behaves like tcpdump and dumps network traffic to the terminal.
snort -D
Snort can also run as a daemon (-D, typically together with -c /etc/snort/snort.conf and -i <interface>); it then actively monitors the network and analyses traffic against the installed rules.
snort-stat
snort-stat is a small script that generates statistics on the port scans detected by Snort and reported via /var/log/snort/alert. The output of this script is mailed to the user configured in the /etc/snort/snort.
*note: this script comes from the Debian packaging and may not be present in recent Snort packages.
OpenVas and NASL
What is OpenVas?
The Open Vulnerability Assessment System, known more commonly as OpenVAS, is a suite of tools that work together to run tests against target hosts using a database of known vulnerabilities and weaknesses. The goal is to learn how well your servers are protected against known attack vectors.
Its capabilities include unauthenticated and authenticated testing, support for various high-level and low-level Internet and industrial protocols, performance tuning for large-scale scans, and a powerful internal programming language for implementing any type of vulnerability test.
OpenVAS has been developed and driven forward by the company Greenbone Networks since 2006. As part of the commercial vulnerability management product family Greenbone Enterprise Appliance, the scanner forms the Greenbone Community Edition together with other open-source modules.
The scanner is supported by a "feed" with vulnerability tests that has a long history and is updated daily. This Greenbone Community Feed includes more than 50,000 vulnerability tests and compliance checks.
note: openvassd is the daemon of the OpenVAS scanner (in GVM 11 and later the daemon was renamed openvas).
Administering OpenVAS
Updating the OpenVAS (GVM) feeds
The scanner can only find what its feeds describe, so when scan results look incomplete or the configuration does not behave as expected, update the feeds first.
openvas-feed-sync
There are three feeds to update: the NVT feed (greenbone-nvt-sync, formerly openvas-nvt-sync), the SCAP data feed (greenbone-scapdata-sync) and the CERT advisories feed (greenbone-certdata-sync):
Alternatively, to update all feeds at once, run gvm-feed-update; gvm-feed-update -h lists its options.
Keeping up to date on threats:
The OpenVAS scanner performs several security checks, each of which is coded as an external plugin written in NASL. As new security holes are published every day, new plugins appear in the feed (www.openvas.org).
What is NASL?
The Nessus Attack Scripting Language, usually referred to as NASL, is a scripting language used by vulnerability scanners such as Nessus and OpenVAS. With NASL, checks for specific known vulnerabilities can be automated.
Tens of thousands of plugins have been written in NASL for Nessus and OpenVAS; files written in this language usually carry the extension .nasl. When a vulnerability is disclosed before a plugin exists for it, an end user of Nessus or OpenVAS can write a custom NASL check, which the scanner executes like any other plugin.
openvas-nvt-sync
The script openvas-nvt-sync (or greenbone-nvt-sync in newer releases) fetches all new and updated security checks and installs them in the proper location. Once this is done it signals the OpenVAS scanner, openvassd(8), so that the new NVTs are loaded and considered for new security scans.
The OpenVAS scanner performs several security checks. These are called Network Vulnerability Tests (NVTs) and are mostly implemented in the programming language NASL.
If the running scanner does not pick the new NVTs up, restart openvas-scanner(8) or send a SIGHUP to its main process.
note: the host needs access to rsync.openvas.org (newer feeds use feed.community.greenbone.net) over the rsync protocol, TCP port 873. rsync provides no transport authentication; integrity comes from the GPG signatures shipped with the NASL scripts, whose checking is controlled by the nasl_no_signature_check option in openvassd.conf.
/etc/openvas/openvassd.conf
The OpenVAS scanner has an ordinary key = value configuration file; one setting worth knowing is nasl_no_signature_check, which, when set to yes, lets the scanner run NVTs whose GPG signature it could not verify:
Securing Scanner Communication:
The OpenVAS scanner protects its communication with clients by using SSL/TLS. TLS requires the scanner to present a certificate to the client; the client can optionally present a certificate to the scanner.
openvas-mkcert
The openvas-mkcert script creates a certificate authority (if none exists already) and generates the scanner certificate signed by it.
openvas-mkcert -q
Quickly generate a new certificate without asking any questions: -q does not prompt for input and selects the defaults.
openvas-mkcert -f
Force overwriting of already existing certificate files.
additional notes:
Snort Rules
As mentioned above, Snort rules are made up of two primary components: the Rule Header and the Rule Options.
Snort Rule Template:
[action][protocol][sourceIP][sourceport] -> [destIP][destport] ( [Rule options] )
The header is the part before the parentheses.
The options are enclosed in the parentheses.
Rule Header Format:
action
The rule action tells Snort what to do when it finds a packet that matches the rule criteria (usually alert).
Actions:
alert — Generate an alert through the configured output plugins and log the packet
log — Log the packet without alerting
pass — Ignore the packet (stop processing it against further rules)
activate — Alert and turn on a dynamic rule (Snort 2 only; removed in Snort 3)
dynamic — A rule that stays idle until enabled by an activate rule, then acts like a log rule (Snort 2 only)
reject — Drop and log the packet, and send a TCP reset for TCP connections or an ICMP port unreachable for UDP (inline mode)
drop — Drop and log the packet (inline mode)
sdrop — Drop the packet without logging it (inline mode)
protocol:
Type of traffic. Snort 2 analyses four protocols for suspicious behaviour: TCP, UDP, ICMP and IP.
Source address(es): an IP, a CIDR block, a list in [brackets], a $variable or any; a leading ! negates.
Source port(s): a port, a range such as 1:1024, a list, a $variable or any.
->: the direction operator, from source to destination (<> matches either direction).
Destination address(es)
Destination port(s)
Rule Options
Snort rule options are separated from each other using a semicolon.
Rule option keywords are separated from their arguments with a colon.
There are two types of rule option: General and Detection.
General Rule Options
Message
A meaningful message typically includes what the rule is detecting. It is a simple text string.
Flow
For the rule to fire, the traffic must be going in the given direction (to_server/to_client, from_server/from_client) and, with established, belong to an established session. Used in conjunction with TCP stream reassembly, it lets a rule apply to only one direction of the traffic flow.
Reference
Allows rules to include references to external sources of information (such as a URL).
Classtype
Categorises the rule by the kind of attack it detects (each predefined classtype carries a default priority); this is how Snort communicates what the effect of a successful attack would be.
sid/rev
The snort id is a unique identifier for each rule. This information allows output plugins to identify rules easily and should be used with the rev (revision) keyword.
Detection Rule Options:
Content
Allows the user to set rules that search for specific content in the packet payload and trigger a response based on that data. May contain mixed text and binary data; binary bytes are written in hex between pipe characters, e.g. |3B 20|.
distance/offset
Allow the rule writer to specify where to start searching: offset counts from the beginning of the payload, distance from the end of the previous content match.
within/depth
Allow the rule writer to specify how far to search: depth limits the search to the first N bytes of the payload (or of the region selected by offset), within limits it to N bytes after the previous content match.
PCRE
Allows rules to be written using Perl-compatible regular expressions, which permit more complex matches than simple content matches.
byte_test
Allows a rule to test a number of bytes against a specific value in binary.
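The header grammar and option syntax laid out in these notes (and in the Rules Syntax section earlier on this page) are easy to get slightly wrong: a ';' inside a quoted msg or pcre, a missing trailing ';', a sid that collides with the official rule range, or a TCP content match with no flow qualifier, which therefore inspects both directions. The parser and linter below is an added example, not Snort's own rule parser; the rules in SAMPLE_RULES and the values in VARIABLES standing in for snort.conf are constructed for the example.

```python
"""Parse and sanity-check Snort 2 rules.

Added example, not Snort's own parser: it implements the header and option
grammar described above plus a few lint checks. SAMPLE_RULES and VARIABLES
are constructed for the example.
"""
import re

ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
HEADER_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<protocol>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$"
)
# What snort.conf would define for $HOME_NET etc. (constructed values).
VARIABLES = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!192.168.1.0/24", "HTTP_PORTS": "80,8080"}
SAMPLE_RULES = """\
# Constructed rules for the example, not from any shipped rule set
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000001; rev:1; classtype:icmp-event;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP login as root"; flow:to_server,established; content:"USER root"; nocase; sid:1000002; rev:2; classtype:attempted-admin;)
alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"semicolon; inside msg"; content:"cmd.exe"; pcre:"/cmd\\.exe;/i"; sid:42; rev:1;)
alert udp any any -> any 53 (msg:"no sid, no trailing semicolon")
"""


def split_options(text):
    """Split on ';' outside double quotes, so msg:"a; b" stays one option."""
    opts, cur, quoted, escaped = [], [], False, False
    for ch in text:
        if ch == ";" and not quoted and not escaped:
            opts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
        if ch == '"' and not escaped:
            quoted = not quoted
        escaped = ch == "\\" and not escaped
    if "".join(cur).strip():
        opts.append("".join(cur).strip())
    # 'keyword:arguments' or a bare keyword such as nocase
    return [(k.strip(), v.strip() if sep else None) for k, sep, v in (o.partition(":") for o in opts)]


def parse_rule(line, variables=VARIABLES):
    """Return a dict for one rule, or None for a blank or comment line."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not a rule: {line}")
    rule = m.groupdict()
    rule["terminated"] = rule["options"].strip().endswith(";")
    rule["options"] = split_options(rule["options"])
    for field in ("src", "sport", "dst", "dport"):   # expand $VAR from snort.conf
        rule[field] = re.sub(r"\$(\w+)", lambda v: variables.get(v.group(1), v.group(0)), rule[field])
    return rule


def validate(rule):
    """Return a list of problems; an empty list means the rule passed."""
    keys = [k for k, _ in rule["options"]]
    opts = dict(rule["options"])
    problems = []
    if rule["action"] not in ACTIONS:
        problems.append(f"unknown action {rule['action']}")
    if rule["protocol"] not in PROTOCOLS:
        problems.append(f"unknown protocol {rule['protocol']}")
    if not rule["terminated"]:
        problems.append("every option, including the last, must end with ';'")
    problems += [f"missing {k}" for k in ("msg", "sid", "rev") if k not in keys]
    if (opts.get("sid") or "").isdigit() and int(opts["sid"]) < 1000000:
        problems.append("local rules should use sid >= 1000000 (lower sids are reserved for official rules)")
    if rule["protocol"] == "tcp" and "content" in keys and "flow" not in keys:
        problems.append("tcp content match without flow: add flow:to_server,established or similar")
    return problems


def check_rules(text):
    """Map line number to problems for every rule that failed a check."""
    findings = {}
    for n, line in enumerate(text.splitlines(), 1):
        try:
            rule = parse_rule(line)
        except ValueError as e:
            findings[n] = [str(e)]
            continue
        if rule is not None and validate(rule):
            findings[n] = validate(rule)
    return findings


if __name__ == "__main__":
    for n, problems in check_rules(SAMPLE_RULES).items():
        print(f"line {n}: " + "; ".join(problems))
```

Run it against a local.rules file with check_rules(open(path).read()); lines that fail come back keyed by line number. Snort itself remains the authority: snort -T -c /etc/snort/snort.conf parses the full configuration and rule set and reports errors before you restart the daemon.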
resources:
https://www.cyberciti.biz/faq/debian-ubuntu-install-ntop-network-traffic-monitoring-software/
https://linuxhint.com/intrusion_detection_snort_tutorial/
https://www.howtogeek.com/devops/how-to-use-the-snort-intrusion-detection-system-on-linux/
https://www.snort.org/faq/what-is-a-snort-rule
https://medium.com/@acaremrullahkku/what-is-snort-547916bece5f
https://www.rapid7.com/blog/post/2016/12/09/understanding-and-configuring-snort-rules/
https://getcyber.org/how-to-update-the-openvas-gvm-feeds/
https://manpages.ubuntu.com/manpages/bionic/man8/greenbone-nvt-sync.8.html
https://en.wikipedia.org/wiki/Nessus_Attack_Scripting_Language
https://linux.die.net/man/8/openvas-mkcert