Go Learn Some Snort (aka learning network protocols and how networks work) …


I was at a talk recently on some funding around cybersecurity and aviation, and one of the presenters outlined that our kids can use technology, but they often don’t know how it works. We thus need to drive our education system to focus on not how to use things, but how things fundamentally work.

I also think — in cybersecurity — that we need to avoid wide and thin knowledge bases and focus on deep knowledge. In this way we will develop people with strong specialisms, and who can be trusted within their areas. Just now, the professional certificates often go wide, and never really dig deep around topics. I often worry about the depth of knowledge of some involved in cybersecurity when you ask how a firewall works, or how public-key encryption is actually used.

When asked about the core things that a student should learn about Cybersecurity, I always come back to the same things … solid networking skills, a good understanding of the protocol stack, command-line usage, operating systems, domain rights, and services. I would now add the ability to script, especially around AWS and with Python and/or Node.js.

So, let’s bring most of these things together around a pig … Snort. Snort is one of the most basic building blocks within computer security: with it we can detect a range of things in network traffic, and log and respond to them. Within this, we want to be able to detect a threat at an early phase, and not once the attacker has already reached their objective. We thus use an IDS (Intrusion Detection System) to detect the possible early signs of an attack:

So, here’s a quick overview of IDS:

We can then use Snort to detect fairly standard signs of an intrusion, such as repeated login attempts and port scans:

In the following I have created a rules file which detects things like ARP spoofing, a given signature in the network packet payload, bad logins, and so on:

# ARP Spoofing: alert on ARP traffic for 192.168.47.200 that carries a MAC other than the one configured
preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.47.200 00:0C:29:0F:71:A3
# Signature Detection (file magic bytes; |..| is Snort's hex-byte notation; every option ends with ;)
alert tcp any any -> any any (content:"GIF89a"; msg:"GIF"; sid:10000; rev:1;)
alert tcp any any -> any any (content:"%PDF"; msg:"PDF"; sid:10001; rev:1;)
alert tcp any any -> any any (content:"|89 50 4E 47|"; msg:"PNG"; sid:10002; rev:1;)
alert tcp any any -> any any (content:"|50 4B 03 04|"; msg:"ZIP"; sid:10003; rev:1;)
# Port scan
preprocessor sfportscan: \
    proto { all } \
    scan_type { all } \
    sense_level { high } \
    logfile { portscan.log }
# Converted Format Detection (base64-encoded JPEG header, and a GIF MIME type, in SMTP traffic)
alert tcp any any -> any 25 (content:"/9j/4AAQSkZJRgABAQEA"; msg:"Ehealth graphic"; sid:10005; rev:1;)
alert tcp any any -> any 25 (content:"image/gif"; msg:"GIF in email"; sid:10006; rev:1;)
# DoS Flood Detection: fires once a single destination has seen 60 matching requests within 60 seconds
alert tcp any any -> any 80 (msg:"DOS flood denial of service attempt"; flow:to_server; \
    detection_filter:track by_dst, count 60, seconds 60; \
    sid:25101; rev:1;)
# Bad FTP Login Detection (the server's "530" reply, so the client is the destination of the alert)
alert tcp any 21 -> any any (msg:"FTP Bad login"; content:"530 User "; nocase; flow:from_server,established; sid:491; rev:5;)
# Detecting email addresses in an email (the pattern requires a domain and a top-level domain after the @)
alert tcp any any <> any 25 (pcre:"/[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/"; \
    msg:"Email in message"; sid:9000000; rev:1;)
# Detecting credit card details (number format via pcre, plus the literal word "number" in the same payload)
alert tcp any any <> any any (pcre:"/5\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}/"; \
    msg:"MasterCard number detected in clear text"; content:"number"; nocase; sid:9000003; rev:1;)
alert tcp any any <> any any (pcre:"/3\d{3}(\s|-)?\d{6}(\s|-)?\d{5}/"; \
    msg:"American Express number detected in clear text"; content:"number"; nocase; sid:9000004; rev:1;)
alert tcp any any <> any any (pcre:"/4\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}/"; \
    msg:"Visa number detected in clear text"; content:"number"; nocase; sid:9000005; rev:1;)

Here is my on-line editor for Snort:

The great thing about Snort is that you don’t always have to run it online, as the “-r” option allows you to feed in a network trace, and view the output:

This approach is useful in creating your own Snort signatures and testing them. And so, I developed a Snort analyser to run Snort with a network trace and with a given set of rules, and so that a learner could see the outputs. This basically just runs Snort off-line and where we feed it a rules file and a network trace (PCAP):
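When Snort is run off-line in this way, what the learner gets back is a list of alert lines. The following is an added example of my own (Python, not part of the author's analyser) that parses constructed alert lines in the format Snort prints with -A console (the same layout as its "fast" alert log) and tallies them per rule, and, for the FTP rule, per client. That per-rule tally is what you look at to judge whether a new signature is noisy before you trust it in production.

```python
import re
from collections import Counter

# Snort fast/console alert layout:
#   <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src -> dst
# The Classification part is absent for rules that set no classtype, as the rules above do.
ALERT_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?'
    r'\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+'
    r'(?P<src>\S+)\s+->\s+(?P<dst>\S+)$'
)

# Constructed sample alerts (not real Snort output): one GIF hit, two FTP login failures
# against the same client, one portscan preprocessor alert, and one line that is not an alert.
SAMPLE_ALERTS = [
    '01/10-12:34:56.789012  [**] [1:10000:1] GIF [**] [Priority: 0] {TCP} 192.168.47.10:51234 -> 192.168.47.200:80',
    '01/10-12:34:57.100001  [**] [1:491:5] FTP Bad login [**] [Priority: 0] {TCP} 192.168.47.200:21 -> 192.168.47.10:49152',
    '01/10-12:34:58.200002  [**] [1:491:5] FTP Bad login [**] [Priority: 0] {TCP} 192.168.47.200:21 -> 192.168.47.10:49153',
    '01/10-12:35:00.300003  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.168.47.10 -> 192.168.47.200',
    'this line is not an alert and must be skipped',
]


def parse_alert(line: str):
    """Return a dict of fields for one alert line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ('gid', 'sid', 'rev', 'prio'):
        d[k] = int(d[k])
    return d


def host_of(endpoint: str) -> str:
    """Strip the port from 'ip:port'; preprocessor alerts (portscan) carry no port. IPv4 assumed."""
    return endpoint.rsplit(':', 1)[0] if ':' in endpoint else endpoint


def summarise(lines):
    """Count alerts per (gid, sid, msg) and report how many lines were not parseable."""
    by_rule = Counter()
    alerts = []
    skipped = 0
    for line in lines:
        a = parse_alert(line)
        if a is None:
            skipped += 1
            continue
        alerts.append(a)
        by_rule[(a['gid'], a['sid'], a['msg'])] += 1
    return {'by_rule': dict(by_rule), 'skipped': skipped, 'alerts': alerts}


def failed_logins_per_client(alerts, sid: int = 491) -> Counter:
    """Rule 491 matches the server's reply (flow:from_server), so the client is the alert's destination."""
    return Counter(host_of(a['dst']) for a in alerts if a['sid'] == sid)


if __name__ == '__main__':
    s = summarise(SAMPLE_ALERTS)
    for key, n in sorted(s['by_rule'].items()):
        print(f'{key}: {n}')
    print('FTP failures per client:', dict(failed_logins_per_client(s['alerts'])))
    print('unparsed lines:', s['skipped'])
```

The skipped-line count matters in practice: Snort writes other things (statistics, preprocessor banners) around the alerts, and a summary that silently drops them hides the fact that its numbers may be incomplete.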

To view the traces, you will have to install Wireshark [here]. The following are the traces that can be used in Snort:

Conclusions

A core part of learning cybersecurity must be a strong understanding of network traffic, and how networks actually work.

IDS must also be a core element of your networked infrastructure and will generate log alerts. You never quite know if the alerts will lead to something or not, but it’s better to have them than to not — just in case.