SlideShare ist ein Scribd-Unternehmen logo

The IPv6 Snort Plugin (at Troopers 14 IPv6 Security Summit)

Martin Schütte
Martin Schütte

There are still very few tools to defend against IPv6 related attacks. To improve this situation I wrote a plugin for Snort, the popular open source intrusion detection system. This plugin adds detection rules and a preprocessor for the Neighbor Discovery Protocol. It is aimed at the detection of suspicious activity in local IPv6 networks and can detect misconfigured network elements, as well as malicious activities from attackers on the network. (https://www.troopers.de/troopers14/troopers14-ipv6-security-summit-2014/troopers14-ipv6-security-summit-2014-presentations/index.html#IPv6Snort)

Technologie
1 von 45
Downloaden Sie, um offline zu lesen
The IPv6 Snort Plugin Martin Schütte 18 March 2014
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Context • Diploma thesis • 2011 at Potsdam University • part of “attack prevention and validated protection of IPv6 networks” Martin Schütte IPv6 Snort Plugin 2014-03-18 2 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion State ∼ 1994 IPv4 Internet: • Research and Academic Networks • Known design & implementation errors • Little experience with protocol security • No urgency for improvement Martin Schütte IPv6 Snort Plugin 2014-03-18 3 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion State ∼ today IPv6 Internet: • Research and Academic Networks • Known design & implementation errors • Little experience with protocol security • No urgency for improvement (?) I WANT YOU TO USE IPv6 – Vint Cerf www.cs.brown.edu/~adf/cerf/ Martin Schütte IPv6 Snort Plugin 2014-03-18 4 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion IPv6 Security Issues • Main IPv6 RFCs from 1995/1998 ⇒ many years of IPv4 security experience to catch up with • Many accompanying RFCs and Internet Drafts (IPsec, SEND, RH0 deprecation, RA Guard, …) • Few (yet already old) implementations • Very little in end user devices • Uncertainty hinders deployment Martin Schütte IPv6 Snort Plugin 2014-03-18 5 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Attacks Against IPv6 The usual: • Value ranges • Fragmentation • Denial of Service • Portscans • Errors in Application Layer IPv6 specific: • Variable headers • Multicast • Routing • v4/v6 Transition • Autoconfiguration • Neighbor Discovery Martin Schütte IPv6 Snort Plugin 2014-03-18 6 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Header Chaining Martin Schütte IPv6 Snort Plugin 2014-03-18 7 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Design Flaw Designed in 1994, same premise as IPv4: secure and trustworthy LAN ⇒ cable LAN in organizational hierarchy No consideration of: • WiFi • mobile usage • anonymous users Martin Schütte IPv6 Snort Plugin 2014-03-18 8 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Workstation ∼ 1990s by Mike Chapman Martin Schütte IPv6 Snort Plugin 2014-03-18 9 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Network Device ∼ today gumstix-based Somniloquy prototype, Yuvraj Agarwal et al. Martin Schütte IPv6 Snort Plugin 2014-03-18 10 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Local Attacks Simple Denial of Service: 1. Host Alice starts Duplicate Address Detection: ”Anyone using IP X?” 2. Host Eve answers ”I have IP X.” 3. goto 1 Routing/Man in the Middle: 1. Host Eve sends ICMPv6 Redirect: ”This is router Bob, for google.com please use router Eve.” Martin Schütte IPv6 Snort Plugin 2014-03-18 11 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Remote Attacks • Denial of Service • Neighbor Cache Exhaustion • Oversized IPv6 Header Chains • Excessive Hop-by-Hop Options • Routing • RH0 source routing • Loop using IPv6 Automatic Tunnels Martin Schütte IPv6 Snort Plugin 2014-03-18 12 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Attack Collections: THC Toolkit and SI6 Networks’ IPv6 Toolkit Tools/Attacks/Tests for: • Autoconfiguration DoS • Neighbor Cache • Routing/Redirect • Flood-Attacks • Multicast Listener Discovery • DHCPv6 • implementation6 Martin Schütte IPv6 Snort Plugin 2014-03-18 13 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Honorable Mention: Scapy p = Ether(src='00:15:2c:c8:b8:80', dst='33:33:00:00:00:01') / IPv6(src='fe80::215:2cff:fec8:b880', dst='ff02::1') / ICMPv6ND_RA(M=0L, O=0L, routerlifetime=1800) / ICMPv6NDOptSrcLLAddr(lladdr='00:15:2c:c8:b8:80') / ICMPv6NDOptMTU(mtu=1500) / ICMPv6NDOptPrefixInfo(prefix='2001:638:807:3a::', prefixlen=64) wrpcap('mypacket.pcap', p) a = rdpcap('autoconf_winxp.pcap') a[5].psdump('scapy_na.ps', layer_shift=1) Martin Schütte IPv6 Snort Plugin 2014-03-18 14 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Scapy psdump() Ethernet 00 e0 81 75 c2 b8 dst 00:e0:81:75:c2:b8 00 24 1d a9 76 51 src 00:24:1d:a9:76:51 86 dd type 0x86dd IPv6 version 6L tc 0L 60 00 00 00 fl 0L 00 20 plen 32 3a nh ICMPv6 ff hlim 255 20 01 0d b8 00 12 00 ab bd 50 f2 b8 77 e0 44 69 src 2001:db8:12:ab:bd50:f2b8:77e0:4469 20 01 0d b8 00 12 00 ab 02 17 9a ff fe 3a 7c a6 dst 2001:db8:12:ab:217:9aff:fe3a:7ca6 ICMPv6 Neighbor Discovery - Neighbor Advertisement 88 type Neighbor Advertisement 00 code 0 05 78 cksum 0x578 R 0L S 1L O 1L 60 00 00 00 res 0x0L 20 01 0d b8 00 12 00 ab bd 50 f2 b8 77 e0 44 69 tgt 2001:db8:12:ab:bd50:f2b8:77e0:4469 ICMPv6 Neighbor Discovery Option - Destination Link-Layer Address 02 type 2 01 len 1 00 24 1d a9 76 51 lladdr 00:24:1d:a9:76:51 Martin Schütte IPv6 Snort Plugin 2014-03-18 15 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Countermeasures • Filter known-bad packets • Show anomalous network activity • Collect data for correlation and detection Martin Schütte IPv6 Snort Plugin 2014-03-18 16 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Where to Monitor Placement at: • Routers • Switches • Packet Filters • Hosts Implementation as: • Stand-alone tool (cf. ndpmon) • Add-on for existing application • Operating System module ⇒ High versatility: Intrusion Detection Systems Martin Schütte IPv6 Snort Plugin 2014-03-18 17 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Target System: Snort 2.9 • Widely used Open Source NIDS • Filter/inline mode (Intrusion Prevention System) • Plugin APIs • Decoder for common tunnel protocols ©2012 Snort, the Snort Pig are registered trademarks of Sourcefire, Inc. All rights reserved. Martin Schütte IPv6 Snort Plugin 2014-03-18 18 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Snort Packet Processing Overview ..Network. DAQ/libpcap . Packet Decoder . Pre- processor . Detection Engine . Rules . Alert, Log Output . Logfiles, Database . Snort Martin Schütte IPv6 Snort Plugin 2014-03-18 19 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Decoding .. Incoming Packet . DecodeEthPkt Ethernet .DecodeVlanPkt 802.1Q . DecodePPPoEPkt PPPoE . DecodePppPktEncapsulated PPP . DecodeARP ARP . DecodeIP IPv4 . DecodeIPV6 IPv6 . DecodeIPV6Extensions IPv6 Ext Hdrs . DecodeIPV6Options IPv6 Options . DecodeICMP ICMP . DecodeUDP UDP . DecodeTCP TCP . DecodeICMP6 ICMPv6 Martin Schütte IPv6 Snort Plugin 2014-03-18 20 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Decoding Result: struct _Packet typedef struct _Packet { const DAQ_PktHdr_t *pkth; // packet meta data const uint8_t *pkt; // raw packet data EtherARP *ah; const EtherHdr *eh; /* standard TCP/IP/Ethernet/ARP headers */ const VlanTagHdr *vh; const IPHdr *iph, *orig_iph; /* and orig. headers for ICMP_*_UNREACH */ const IPHdr *inner_iph; /* if IP-in-IP, this will be the inner */ const IPHdr *outer_iph; /* if IP-in-IP, this will be the outer */ uint32_t preprocessor_bits; /* flags for preprocessors to check */ uint32_t preproc_reassembly_pkt_bits; uint8_t ip_option_count; /* number of options in this packet */ uint8_t tcp_option_count; uint8_t ip6_extension_count; uint8_t ip6_frag_index; IPOptions ip_options[MAX_IP_OPTIONS]; TCPOptions tcp_options[MAX_TCP_OPTIONS]; IP6Extension ip6_extensions[MAX_IP6_EXTENSIONS]; // ... } Packet; Martin Schütte IPv6 Snort Plugin 2014-03-18 21 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Rule Engine Example detection rule: var EXTERNAL_NET any var SMTP_SERVERS [192.0.2.123, 2001:db8:12:ab::123] alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( flow:to_server ,established; content: "|0A|Croot|0A|Mprog"; metadata:service smtp; msg:"SMTP sendmail 8.6.9 exploit"; reference:bugtraq ,2311;reference:cve ,1999-0204; classtype:attempted -user; sid:669; rev:9; ) Martin Schütte IPv6 Snort Plugin 2014-03-18 22 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion IPv6 Support technically yes, but … All major IDS have IPv6 support. What does that mean? • Fragment reassembly • TCP & UDP decoding ⇒ upper-layer checks • Decoder-warning on severe protocol errors Not: • check extensions (Routing Headers, Jumbograms) • support all rule options (fragbits) • IPv6 specific detection (ICMPv6/Neighbor Discovery) Martin Schütte IPv6 Snort Plugin 2014-03-18 23 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion IPv6 Signatures Existing rules work for IPv4 and IPv6 No keywords for IPv6-only fields, no IPv6-only rules provided alert ip icmp any -> any any (msg:"IPv6 ICMP Echo-Request?"; itype:128; classtype:icmp-event; sid:2000001; rev:1;) Good for application layer checks Bad for protocol layer detection ⇒ need to develop a IPv6-Plugin Martin Schütte IPv6 Snort Plugin 2014-03-18 24 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Snort Customizations • Writing rules • Dynamic Detection API: compiled rule evaluations • Dynamic Preprocessor API: • add rule options • do something with a packet ..Network. libpcap . Packet Decoder . Pre- processor . Detection Engine . Rules . Alert, Log Output . Logfiles, Database . Snort Martin Schütte IPv6 Snort Plugin 2014-03-18 25 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion New IPv6 Rule Options Goal: Provide IPv6 access for signatures • Basic Header • Extension Headers • Neighbor Discovery Options Functionality: • Handler for option parsing on config (re-)load • Callbacks for option keywords • Called with rule parameter and current packet • Return match/no_match Martin Schütte IPv6 Snort Plugin 2014-03-18 26 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Implementation // IPv6_Rule_Init() reads rule "ipv: 6;" into IPv6_RuleOpt_Data int IPv6_Rule_Eval(void *raw_packet, const u_int8_t **cursor, void *data) { SFSnortPacket *p = (SFSnortPacket*) raw_packet; struct IPv6_RuleOpt_Data *sdata = (struct IPv6_RuleOpt_Data *) data; switch (sdata->type) { case IPV6_RULETYPE_IPV: { uint_fast8_t ipv = GET_IPH_VER(p); if (checkField(sdata->op, ipv, sdata->opt.number)) return RULE_MATCH; else return RULE_NOMATCH; // ... } } Martin Schütte IPv6 Snort Plugin 2014-03-18 27 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion IPv6 Rule Options alert icmp any any -> any any (itype:8; ipv: 4; msg:"ICMPv4 PING in v4 pkt"; sid:1000000; rev:1;) alert icmp any any -> any any (itype:8; ipv: 6; msg:"ICMPv4 PING in v6 pkt"; sid:1000001; rev:1;) alert icmp any any -> any any (itype:128; ipv: 4; msg:"ICMPv6 PING in v4 pkt"; sid:1000002; rev:1;) alert icmp any any -> any any (itype:128; ipv: 6; msg:"ICMPv6 PING in v6 pkt"; sid:1000003; rev:1;) Martin Schütte IPv6 Snort Plugin 2014-03-18 28 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Resulting Evaluation Tree ..Port Group ICMP any->any . NC Rule Tree Root . itype:8 . itype:128 . ipv:4 . ipv:6 . leaf . leaf Martin Schütte IPv6 Snort Plugin 2014-03-18 29 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Rule Options of the IPv6-Plugin ipv IP version ip6_tclass Traffic Class ip6_flow Flow Label ip6_exthdr Extension Header ip6_extnum Num. of Ext Hdrs. ip6_ext_ordered Ext Hdrs. correctly ordered (bool) ip6_option Destination-/HbH-Option ip6_optval Destination-/HbH-Option Value ip6_rh Routing Header icmp6_nd Neighbor Discovery (bool) icmp6_nd_option Neighbor Discovery Option (Most rules accept comparison operators = ! < >) Martin Schütte IPv6 Snort Plugin 2014-03-18 30 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion More Examples alert ip any any -> any any (ip6_rh: !2; msg:"invalid routing hdr"; sid:1000004; rev:1;) alert ip any any -> any any (ip6_option: 0.0xc2; msg:"ip6 option: Jumbo in HBH hdr"; sid:100066; rev:1;) # event threshold alert icmp any any -> any any (icmp6_nd; detection_filter: track by_dst , count 50, seconds 1; msg:"ICMPv6 flooding"; sid:100204; rev:1;) # log only one flooding event per second: event_filter gen_id 1, sig_id 100204, type limit, track by_src , count 1, seconds 1 Martin Schütte IPv6 Snort Plugin 2014-03-18 31 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Preprocessor for Neighbor Discovery Tracking Goal: monitor network changes • new hosts • new routers • basic extensions/options check Functionality: • Reads ICMPv6 messages • Follows network state, i. e. (MAC, IP) tuple of: • On-link routers • On-link hosts • Ongoing DADs • Alert on change Martin Schütte IPv6 Snort Plugin 2014-03-18 32 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Configuration in snort.conf, all optional net_prefix subnet prefixes router_mac known router MAC addresses host_mac known host MAC addresses max_routers max routers in state (default: 32) max_hosts max hosts in state (default: 8 K) max_unconfirmed max unconfirmed nodes in state (default: 32 K) keep_state remember nodes for n minutes (default: 180) expire_run clean memory every n minutes (default: 20) disable_tracking only rules & stateless checks (default: false) Martin Schütte IPv6 Snort Plugin 2014-03-18 33 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Configuration “normal use” preprocessor ipv6: net_prefix 2001:0db8:1::/64 router_mac 00:16:76:07:bc:92 Martin Schütte IPv6 Snort Plugin 2014-03-18 34 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Preprocessor State at Runtime .. struct IPv6_State . struct IPv6_Hosts_head *routers struct IPv6_Hosts_head *hosts struct IPv6_Hosts_head *unconfirmed struct IPv6_Statistics *stat struct IPv6_Config *config time_t next_expire . struct IPv6_Hosts_head . struct RB_HEAD(IPv6_Host) data u_int32_t entry_limit u_int32_t entry_counter . struct IPv6_Host . RB_ENTRY(IPv6_Host) entries u_int8_t ether_source[6] sfip_t ip … . struct IPv6_Statistics . uint32_t pkt_seen uint32_t pkt_fragments uint32_t pkt_icmpv6 … . struct IPv6_Config . u_int32_t max_routers u_int32_t max_hosts u_int32_t max_unconfirmed struct MAC_Entry_head *router_whitelist struct MAC_Entry_head *host_whitelist … Martin Schütte IPv6 Snort Plugin 2014-03-18 35 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Implementation of NS Processing static void IPv6_Process_ICMPv6_NS(const SFSnortPacket *p, struct IPv6_State *context) { struct nd_neighbor_solicit *ns = (struct nd_neighbor_solicit *) p->ip_payload; sfip_t *target_ip; struct IPv6_Host *ip_entry; target_ip = sfip_alloc_raw(&ns->nd_ns_target , AF_INET6, &rc); // .. ip_entry = get_host_entry(context->hosts, target_ip); if (ip_entry) { DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN , "Neighbour solicitation from known hostn");); return; } /* this is the expected part: the IP is yet unknown --> put into DAD state */ ip_entry = create_dad_entry_ifnew(context->unconfirmed , &p->pkt_header->ts, p->ether_header ->ether_source , target_ip); if (!ip_entry) { DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN , "create_dad_entry_ifnew failedn");); return; } DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN , "%s DAD started by %s / %sn", pprint_ts(ip_entry->last_adv_ts), pprint_mac(ip_entry->ether_source), sfip_to_str(&ip_entry->ip));); _dpd.alertAdd(GEN_ID_IPv6 , SID_ICMP6_ND_NEW_DAD , 1, 0, 3, SID_ICMP6_ND_NEW_DAD_TEXT , 0 ); } Martin Schütte IPv6 Snort Plugin 2014-03-18 36 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Snort IPv6 Alerts: ND Tracking SID Message 1 RA from new router 2 RA from non-router MAC address 3 RA prefix changed 4 RA flags changed 5 RA for non-local net prefix 6 RA with lifetime 0 7 new DAD started 8 new host in network 9 new host with non-allowed MAC addr. 10 DAD with collision 11 DAD with spoofed collision Martin Schütte IPv6 Snort Plugin 2014-03-18 37 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Snort IPv6 Alerts: Packet Attributes SID Message 12 mismatch in MAC/NDP src ll addr. 13 extension header has only padding 14 option lengths ̸= ext length 15 padding option data ̸= zero 16 consecutive padding options Martin Schütte IPv6 Snort Plugin 2014-03-18 38 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion tester.pl ..Test Runner (snort -c -r) . Logfile (unified2) . Compare . PCAP data . snort.conf lines . Expected SIDs . Result Extremely useful for development. Verify intended results for given packet samples. Martin Schütte IPv6 Snort Plugin 2014-03-18 39 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Output/Visualization • Big Problem • barnyard2 tool for Snort log processing (e. g. write SQL) • Few Open Source frontends (BASE & Snorby) • All using old SQL Schema, without IPv6 field Martin Schütte IPv6 Snort Plugin 2014-03-18 40 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Performance Theory: • Stateless checks require processing • ND Tracking requires memory ⇒ DoS risk Practice: • Snort’s packet decoding does 90 % of the work • Configurable memory limit ~ 8 Mb • TCP stream reassembly is much more expensive Martin Schütte IPv6 Snort Plugin 2014-03-18 41 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Bugs Found in Snort 2.9.0 or: Real-World Problems of Major Commercial Security Products • Ping of Death, cannot process > 40 extension headers • wrong Endianness in GET_IPH_VER() • fragmentation breaks ICMP/UDP checksums • Routing Headers break ICMP/UDP checksums • fragbits rules not supported Martin Schütte IPv6 Snort Plugin 2014-03-18 42 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Extension Header Parsing in Snort 2.9.0 fixed in 2.9.1 void DecodeIPV6Options(int type, const uint8_t *pkt, uint32_t len, Packet *p) { uint32_t hdrlen = 0; if(p->ip6_extension_count < IP6_EXTMAX) { switch (type) { case IPPROTO_HOPOPTS: hdrlen = sizeof(IP6Extension) + (exthdr->ip6e_len << 3); } } /* missing else => hdrlen=0 => infinite mutual recursion */ DecodeIPV6Extensions(*pkt, pkt + hdrlen, len - hdrlen, p); } void DecodeIPV6Extensions(uint8_t next, const uint8_t *pkt, uint32_t len, Packet *p) { switch(next) { case IPPROTO_HOPOPTS: case IPPROTO_DSTOPTS: case IPPROTO_ROUTING: case IPPROTO_AH: DecodeIPV6Options(next, pkt, len, p); return; } } Martin Schütte IPv6 Snort Plugin 2014-03-18 43 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Conclusion • It works! • Dynamic Library (no need to recompile Snort) • Enables IPv6-specific detection signatures • Snort & IPv6-Plugin detects THC attacks • Cannot solve fundamental problems: DoS and insecure Ethernet • Can raise visibility and awareness of network threat situation Martin Schütte IPv6 Snort Plugin 2014-03-18 44 / 45
. . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Contact E-Mail: info@mschuette.name Project Page: http://mschuette.name/wp/snortipv6/ Source Code: https://github.com/mschuett/spp_ipv6 Questions? Martin Schütte IPv6 Snort Plugin 2014-03-18 45 / 45

Empfohlen

The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)
Martin Schütte
 
Short Introduction to IPv6
Short Introduction to IPv6Short Introduction to IPv6
Short Introduction to IPv6
Martin Schütte
 
NetBSD syslogd with IETF Syslog Protocols
NetBSD syslogd with IETF Syslog ProtocolsNetBSD syslogd with IETF Syslog Protocols
NetBSD syslogd with IETF Syslog Protocols
Martin Schütte
 
AF-23- IPv6 Security_Final
AF-23- IPv6 Security_FinalAF-23- IPv6 Security_Final
AF-23- IPv6 Security_Final
Musa Stephen HONLUE
 
Chapter 7 security tools i
Chapter 7 security tools iChapter 7 security tools i
Chapter 7 security tools i
Syaiful Ahdan
 
Snort IDS
Snort IDSSnort IDS
Snort IDS
primeteacher32
 
Snort-IPS-Tutorial
Snort-IPS-TutorialSnort-IPS-Tutorial
Snort-IPS-Tutorial
Vladimir Koychev
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspective
IKT-Norge
 

Empfohlen

The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)
Martin Schütte
 
Short Introduction to IPv6
Short Introduction to IPv6Short Introduction to IPv6
Short Introduction to IPv6
Martin Schütte
 
NetBSD syslogd with IETF Syslog Protocols
NetBSD syslogd with IETF Syslog ProtocolsNetBSD syslogd with IETF Syslog Protocols
NetBSD syslogd with IETF Syslog Protocols
Martin Schütte
 
AF-23- IPv6 Security_Final
AF-23- IPv6 Security_FinalAF-23- IPv6 Security_Final
AF-23- IPv6 Security_Final
Musa Stephen HONLUE
 
Chapter 7 security tools i
Chapter 7 security tools iChapter 7 security tools i
Chapter 7 security tools i
Syaiful Ahdan
 
Snort IDS
Snort IDSSnort IDS
Snort IDS
primeteacher32
 
Snort-IPS-Tutorial
Snort-IPS-TutorialSnort-IPS-Tutorial
Snort-IPS-Tutorial
Vladimir Koychev
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspective
IKT-Norge
 
Snort
SnortSnort
Snort
Michael Boman
 
Access over Ethernet: Insecurites in AoE
Access over Ethernet: Insecurites in AoEAccess over Ethernet: Insecurites in AoE
Access over Ethernet: Insecurites in AoE
amiable_indian
 
Wireshark
WiresharkWireshark
Wireshark
ashiesh0007
 
Snort
SnortSnort
Snort
Fadwa Gmiden
 
Network Traffic Search using Apache HBase
Network Traffic Search using Apache HBaseNetwork Traffic Search using Apache HBase
Network Traffic Search using Apache HBase
Evans Ye
 
Sectools
SectoolsSectools
Sectools
securedome
 
aaa
aaaaaa
aaa
hungnhatban
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort
webhostingguy
 
All About Snort
All About SnortAll About Snort
All About Snort
28pranjal
 
AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?
AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?
AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?
Mark Smith
 
IPV6 - Threats and Countermeasures / Crash Course
IPV6 - Threats and Countermeasures / Crash CourseIPV6 - Threats and Countermeasures / Crash Course
IPV6 - Threats and Countermeasures / Crash Course
Thierry Zoller
 
Snort
SnortSnort
Snort
nazzf
 
IPV6 Under the Hood
IPV6 Under the HoodIPV6 Under the Hood
IPV6 Under the Hood
amiable_indian
 
Cipc
CipcCipc
Cipc
ashiesh0007
 
DPDK Summit 2015 - Intel - Keith Wiles
DPDK Summit 2015 - Intel - Keith WilesDPDK Summit 2015 - Intel - Keith Wiles
DPDK Summit 2015 - Intel - Keith Wiles
Jim St. Leger
 
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...
Positive Hack Days
 
DPDK & Layer 4 Packet Processing
DPDK & Layer 4 Packet ProcessingDPDK & Layer 4 Packet Processing
DPDK & Layer 4 Packet Processing
Michelle Holley
 
OSINT RF Reverse Engineering by Marc Newlin
OSINT RF Reverse Engineering by Marc NewlinOSINT RF Reverse Engineering by Marc Newlin
OSINT RF Reverse Engineering by Marc Newlin
EC-Council
 
Snort
SnortSnort
Snort
bala150985
 
IDS Evasion Techniques
IDS Evasion TechniquesIDS Evasion Techniques
IDS Evasion Techniques
Tudor Damian
 
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
aaajjj4
 
MAGPI: Advanced Services: IPv6, Multicast, DNSSEC
MAGPI: Advanced Services: IPv6, Multicast, DNSSECMAGPI: Advanced Services: IPv6, Multicast, DNSSEC
MAGPI: Advanced Services: IPv6, Multicast, DNSSEC
Shumon Huque
 

Weitere ähnliche Inhalte

Was ist angesagt?

Network Traffic Search using Apache HBase
Network Traffic Search using Apache HBaseNetwork Traffic Search using Apache HBase
Network Traffic Search using Apache HBase
Evans Ye
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort
webhostingguy
 
OSINT RF Reverse Engineering by Marc Newlin
OSINT RF Reverse Engineering by Marc NewlinOSINT RF Reverse Engineering by Marc Newlin
OSINT RF Reverse Engineering by Marc Newlin
EC-Council
 

Was ist angesagt? (20)

Snort
SnortSnort
Snort
 
Access over Ethernet: Insecurites in AoE
Access over Ethernet: Insecurites in AoEAccess over Ethernet: Insecurites in AoE
Access over Ethernet: Insecurites in AoE
 
Wireshark
WiresharkWireshark
Wireshark
 
Snort
SnortSnort
Snort
 
Network Traffic Search using Apache HBase
Network Traffic Search using Apache HBaseNetwork Traffic Search using Apache HBase
Network Traffic Search using Apache HBase
 
Sectools
SectoolsSectools
Sectools
 
aaa
aaaaaa
aaa
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort
 
All About Snort
All About SnortAll About Snort
All About Snort
 
AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?
AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?
AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?
 
IPV6 - Threats and Countermeasures / Crash Course
IPV6 - Threats and Countermeasures / Crash CourseIPV6 - Threats and Countermeasures / Crash Course
IPV6 - Threats and Countermeasures / Crash Course
 
Snort
SnortSnort
Snort
 
IPV6 Under the Hood
IPV6 Under the HoodIPV6 Under the Hood
IPV6 Under the Hood
 
Cipc
CipcCipc
Cipc
 
DPDK Summit 2015 - Intel - Keith Wiles
DPDK Summit 2015 - Intel - Keith WilesDPDK Summit 2015 - Intel - Keith Wiles
DPDK Summit 2015 - Intel - Keith Wiles
 
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...
Критически опасные уязвимости в популярных 3G- и 4G-модемах или как построить...
 
DPDK & Layer 4 Packet Processing
DPDK & Layer 4 Packet ProcessingDPDK & Layer 4 Packet Processing
DPDK & Layer 4 Packet Processing
 
OSINT RF Reverse Engineering by Marc Newlin
OSINT RF Reverse Engineering by Marc NewlinOSINT RF Reverse Engineering by Marc Newlin
OSINT RF Reverse Engineering by Marc Newlin
 
Snort
SnortSnort
Snort
 
IDS Evasion Techniques
IDS Evasion TechniquesIDS Evasion Techniques
IDS Evasion Techniques
 

Ähnlich wie The IPv6 Snort Plugin (at Troopers 14 IPv6 Security Summit)

BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
aaajjj4
 
Swiss IPv6 Council: Konfusion um die Router Flags
Swiss IPv6 Council: Konfusion um die Router FlagsSwiss IPv6 Council: Konfusion um die Router Flags
Swiss IPv6 Council: Konfusion um die Router Flags
Digicomp Academy AG
 
PACKET Sniffer IMPLEMENTATION
PACKET Sniffer IMPLEMENTATIONPACKET Sniffer IMPLEMENTATION
PACKET Sniffer IMPLEMENTATION
Goutham Royal
 
Suricata: A Decade Under the Influence (of packet sniffing)
Suricata: A Decade Under the Influence (of packet sniffing)Suricata: A Decade Under the Influence (of packet sniffing)
Suricata: A Decade Under the Influence (of packet sniffing)
Jason Williams
 

Ähnlich wie The IPv6 Snort Plugin (at Troopers 14 IPv6 Security Summit) (20)

BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
BRKDCT-3144 - Advanced - Troubleshooting Cisco Nexus 7000 Series Switches (20...
 
MAGPI: Advanced Services: IPv6, Multicast, DNSSEC
MAGPI: Advanced Services: IPv6, Multicast, DNSSECMAGPI: Advanced Services: IPv6, Multicast, DNSSEC
MAGPI: Advanced Services: IPv6, Multicast, DNSSEC
 
Getting started with IPv6
Getting started with IPv6Getting started with IPv6
Getting started with IPv6
 
Wireshark Inroduction Li In
Wireshark Inroduction Li InWireshark Inroduction Li In
Wireshark Inroduction Li In
 
Swiss IPv6 Council: Konfusion um die Router Flags
Swiss IPv6 Council: Konfusion um die Router FlagsSwiss IPv6 Council: Konfusion um die Router Flags
Swiss IPv6 Council: Konfusion um die Router Flags
 
Packet Sniffer
Packet Sniffer Packet Sniffer
Packet Sniffer
 
IPv6 Security und Hacking
IPv6 Security und HackingIPv6 Security und Hacking
IPv6 Security und Hacking
 
Things I wish I had known about IPv6 before I started
Things I wish I had known about IPv6 before I startedThings I wish I had known about IPv6 before I started
Things I wish I had known about IPv6 before I started
 
Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140) Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140)
 
InfoSec Taiwan 2023: APNIC Community Honeynet Project — Observations and Insi...
InfoSec Taiwan 2023: APNIC Community Honeynet Project — Observations and Insi...InfoSec Taiwan 2023: APNIC Community Honeynet Project — Observations and Insi...
InfoSec Taiwan 2023: APNIC Community Honeynet Project — Observations and Insi...
 
ONS 2014 Bare Metal Switching & Programming
ONS 2014 Bare Metal Switching & ProgrammingONS 2014 Bare Metal Switching & Programming
ONS 2014 Bare Metal Switching & Programming
 
IPv6 Security - Myths and Reality
IPv6 Security - Myths and RealityIPv6 Security - Myths and Reality
IPv6 Security - Myths and Reality
 
PACKET Sniffer IMPLEMENTATION
PACKET Sniffer IMPLEMENTATIONPACKET Sniffer IMPLEMENTATION
PACKET Sniffer IMPLEMENTATION
 
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner MaiaIpv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
 
IPv6 Basics - pfSense Hangout July 2015
IPv6 Basics - pfSense Hangout July 2015IPv6 Basics - pfSense Hangout July 2015
IPv6 Basics - pfSense Hangout July 2015
 
Suricata: A Decade Under the Influence (of packet sniffing)
Suricata: A Decade Under the Influence (of packet sniffing)Suricata: A Decade Under the Influence (of packet sniffing)
Suricata: A Decade Under the Influence (of packet sniffing)
 
Ccna rse chp9 nat fo i_pv4
Ccna rse chp9 nat fo i_pv4Ccna rse chp9 nat fo i_pv4
Ccna rse chp9 nat fo i_pv4
 
I pv6 mrtg_20111025
I pv6 mrtg_20111025I pv6 mrtg_20111025
I pv6 mrtg_20111025
 
V6 v4-threats
V6 v4-threatsV6 v4-threats
V6 v4-threats
 
Botprobe - Reducing network threat intelligence big data
Botprobe - Reducing network threat intelligence big data Botprobe - Reducing network threat intelligence big data
Botprobe - Reducing network threat intelligence big data
 

Mehr von Martin Schütte

Mehr von Martin Schütte (10)

Writing Ansible Modules (DENOG11)
Writing Ansible Modules (DENOG11)Writing Ansible Modules (DENOG11)
Writing Ansible Modules (DENOG11)
 
Writing Ansible Modules (CLT'19)
Writing Ansible Modules (CLT'19)Writing Ansible Modules (CLT'19)
Writing Ansible Modules (CLT'19)
 
Terraform – Infrastructure as Code (Kielux'18)
Terraform – Infrastructure as Code (Kielux'18)Terraform – Infrastructure as Code (Kielux'18)
Terraform – Infrastructure as Code (Kielux'18)
 
Terraform -- Infrastructure as Code
Terraform -- Infrastructure as CodeTerraform -- Infrastructure as Code
Terraform -- Infrastructure as Code
 
Terraform: Cloud Configuration Management (WTC/IPC'16)
Terraform: Cloud Configuration Management (WTC/IPC'16)Terraform: Cloud Configuration Management (WTC/IPC'16)
Terraform: Cloud Configuration Management (WTC/IPC'16)
 
Terraform: Configuration Management for Cloud Services
Terraform: Configuration Management for Cloud ServicesTerraform: Configuration Management for Cloud Services
Terraform: Configuration Management for Cloud Services
 
Software Testing on the Web
Software Testing on the WebSoftware Testing on the Web
Software Testing on the Web
 
PGP/GPG Einführung
PGP/GPG EinführungPGP/GPG Einführung
PGP/GPG Einführung
 
Design and Implementation of an IPv6 Plugin for the Snort Intrusion Detection...
Design and Implementation of an IPv6 Plugin for the Snort Intrusion Detection...Design and Implementation of an IPv6 Plugin for the Snort Intrusion Detection...
Design and Implementation of an IPv6 Plugin for the Snort Intrusion Detection...
 
Syslog Protocols
Syslog ProtocolsSyslog Protocols
Syslog Protocols
 

Kürzlich hochgeladen

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 

Kürzlich hochgeladen (20)

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 

The IPv6 Snort Plugin (at Troopers 14 IPv6 Security Summit)

  • 1. The IPv6 Snort Plugin Martin Schütte 18 March 2014
  • 2. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Context • Diploma thesis • 2011 at Potsdam University • part of “attack prevention and validated protection of IPv6 networks” Martin Schütte IPv6 Snort Plugin 2014-03-18 2 / 45
  • 3. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion State ∼ 1994 IPv4 Internet: • Research and Academic Networks • Known design & implementation errors • Little experience with protocol security • No urgency for improvement Martin Schütte IPv6 Snort Plugin 2014-03-18 3 / 45
  • 4. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion State ∼ today IPv6 Internet: • Research and Academic Networks • Known design & implementation errors • Little experience with protocol security • No urgency for improvement (?) I WANT YOU TO USE IPv6 – Vint Cerf www.cs.brown.edu/~adf/cerf/ Martin Schütte IPv6 Snort Plugin 2014-03-18 4 / 45
  • 5. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion IPv6 Security Issues • Main IPv6 RFCs from 1995/1998 ⇒ many years of IPv4 security experience to catch up with • Many accompanying RFCs and Internet Drafts (IPsec, SEND, RH0 deprecation, RA Guard, …) • Few (yet already old) implementations • Very little in end user devices • Uncertainty hinders deployment Martin Schütte IPv6 Snort Plugin 2014-03-18 5 / 45
  • 6. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Attacks Against IPv6 The usual: • Value ranges • Fragmentation • Denial of Service • Portscans • Errors in Application Layer IPv6 specific: • Variable headers • Multicast • Routing • v4/v6 Transition • Autoconfiguration • Neighbor Discovery Martin Schütte IPv6 Snort Plugin 2014-03-18 6 / 45
  • 7. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Header Chaining Martin Schütte IPv6 Snort Plugin 2014-03-18 7 / 45
  • 8. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Design Flaw Designed in 1994, same premise as IPv4: secure and trustworthy LAN ⇒ cable LAN in organizational hierarchy No consideration of: • WiFi • mobile usage • anonymous users Martin Schütte IPv6 Snort Plugin 2014-03-18 8 / 45
  • 9. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Workstation ∼ 1990s by Mike Chapman Martin Schütte IPv6 Snort Plugin 2014-03-18 9 / 45
  • 10. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Network Device ∼ today gumstix-based Somniloquy prototype, Yuvraj Agarwal et al. Martin Schütte IPv6 Snort Plugin 2014-03-18 10 / 45
  • 11. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Local Attacks Simple Denial of Service: 1. Host Alice starts Duplicate Address Detection: ”Anyone using IP X?” 2. Host Eve answers ”I have IP X.” 3. goto 1 Routing/Man in the Middle: 1. Host Eve sends ICMPv6 Redirect: ”This is router Bob, for google.com please use router Eve.” Martin Schütte IPv6 Snort Plugin 2014-03-18 11 / 45
  • 12. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Remote Attacks • Denial of Service • Neighbor Cache Exhaustion • Oversized IPv6 Header Chains • Excessive Hop-by-Hop Options • Routing • RH0 source routing • Loop using IPv6 Automatic Tunnels Martin Schütte IPv6 Snort Plugin 2014-03-18 12 / 45
  • 13. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Attack Collections: THC Toolkit and SI6 Networks’ IPv6 Toolkit Tools/Attacks/Tests for: • Autoconfiguration DoS • Neighbor Cache • Routing/Redirect • Flood-Attacks • Multicast Listener Discovery • DHCPv6 • implementation6 Martin Schütte IPv6 Snort Plugin 2014-03-18 13 / 45
  • 14. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Honorable Mention: Scapy p = Ether(src='00:15:2c:c8:b8:80', dst='33:33:00:00:00:01') / IPv6(src='fe80::215:2cff:fec8:b880', dst='ff02::1') / ICMPv6ND_RA(M=0L, O=0L, routerlifetime=1800) / ICMPv6NDOptSrcLLAddr(lladdr='00:15:2c:c8:b8:80') / ICMPv6NDOptMTU(mtu=1500) / ICMPv6NDOptPrefixInfo(prefix='2001:638:807:3a::', prefixlen=64) wrpcap('mypacket.pcap', p) a = rdpcap('autoconf_winxp.pcap') a[5].psdump('scapy_na.ps', layer_shift=1) Martin Schütte IPv6 Snort Plugin 2014-03-18 14 / 45
  • 15. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Scapy psdump() Ethernet 00 e0 81 75 c2 b8 dst 00:e0:81:75:c2:b8 00 24 1d a9 76 51 src 00:24:1d:a9:76:51 86 dd type 0x86dd IPv6 version 6L tc 0L 60 00 00 00 fl 0L 00 20 plen 32 3a nh ICMPv6 ff hlim 255 20 01 0d b8 00 12 00 ab bd 50 f2 b8 77 e0 44 69 src 2001:db8:12:ab:bd50:f2b8:77e0:4469 20 01 0d b8 00 12 00 ab 02 17 9a ff fe 3a 7c a6 dst 2001:db8:12:ab:217:9aff:fe3a:7ca6 ICMPv6 Neighbor Discovery - Neighbor Advertisement 88 type Neighbor Advertisement 00 code 0 05 78 cksum 0x578 R 0L S 1L O 1L 60 00 00 00 res 0x0L 20 01 0d b8 00 12 00 ab bd 50 f2 b8 77 e0 44 69 tgt 2001:db8:12:ab:bd50:f2b8:77e0:4469 ICMPv6 Neighbor Discovery Option - Destination Link-Layer Address 02 type 2 01 len 1 00 24 1d a9 76 51 lladdr 00:24:1d:a9:76:51 Martin Schütte IPv6 Snort Plugin 2014-03-18 15 / 45
  • 16. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Countermeasures • Filter known-bad packets • Show anomalous network activity • Collect data for correlation and detection Martin Schütte IPv6 Snort Plugin 2014-03-18 16 / 45
  • 17. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Where to Monitor Placement at: • Routers • Switches • Packet Filters • Hosts Implementation as: • Stand-alone tool (cf. ndpmon) • Add-on for existing application • Operating System module ⇒ High versatility: Intrusion Detection Systems Martin Schütte IPv6 Snort Plugin 2014-03-18 17 / 45
  • 18. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Target System: Snort 2.9 • Widely used Open Source NIDS • Filter/inline mode (Intrusion Prevention System) • Plugin APIs • Decoder for common tunnel protocols ©2012 Snort, the Snort Pig are registered trademarks of Sourcefire, Inc. All rights reserved. Martin Schütte IPv6 Snort Plugin 2014-03-18 18 / 45
  • 19. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Snort Packet Processing Overview ..Network. DAQ/libpcap . Packet Decoder . Pre- processor . Detection Engine . Rules . Alert, Log Output . Logfiles, Database . Snort Martin Schütte IPv6 Snort Plugin 2014-03-18 19 / 45
  • 20. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Decoding .. Incoming Packet . DecodeEthPkt Ethernet .DecodeVlanPkt 802.1Q . DecodePPPoEPkt PPPoE . DecodePppPktEncapsulated PPP . DecodeARP ARP . DecodeIP IPv4 . DecodeIPV6 IPv6 . DecodeIPV6Extensions IPv6 Ext Hdrs . DecodeIPV6Options IPv6 Options . DecodeICMP ICMP . DecodeUDP UDP . DecodeTCP TCP . DecodeICMP6 ICMPv6 Martin Schütte IPv6 Snort Plugin 2014-03-18 20 / 45
  • 21. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Decoding Result: struct _Packet typedef struct _Packet { const DAQ_PktHdr_t *pkth; // packet meta data const uint8_t *pkt; // raw packet data EtherARP *ah; const EtherHdr *eh; /* standard TCP/IP/Ethernet/ARP headers */ const VlanTagHdr *vh; const IPHdr *iph, *orig_iph; /* and orig. headers for ICMP_*_UNREACH */ const IPHdr *inner_iph; /* if IP-in-IP, this will be the inner */ const IPHdr *outer_iph; /* if IP-in-IP, this will be the outer */ uint32_t preprocessor_bits; /* flags for preprocessors to check */ uint32_t preproc_reassembly_pkt_bits; uint8_t ip_option_count; /* number of options in this packet */ uint8_t tcp_option_count; uint8_t ip6_extension_count; uint8_t ip6_frag_index; IPOptions ip_options[MAX_IP_OPTIONS]; TCPOptions tcp_options[MAX_TCP_OPTIONS]; IP6Extension ip6_extensions[MAX_IP6_EXTENSIONS]; // ... } Packet; Martin Schütte IPv6 Snort Plugin 2014-03-18 21 / 45
  • 22. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Rule Engine Example detection rule: var EXTERNAL_NET any var SMTP_SERVERS [192.0.2.123, 2001:db8:12:ab::123] alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( flow:to_server ,established; content: "|0A|Croot|0A|Mprog"; metadata:service smtp; msg:"SMTP sendmail 8.6.9 exploit"; reference:bugtraq ,2311;reference:cve ,1999-0204; classtype:attempted -user; sid:669; rev:9; ) Martin Schütte IPv6 Snort Plugin 2014-03-18 22 / 45
  • 23. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion IPv6 Support technically yes, but … All major IDS have IPv6 support. What does that mean? • Fragment reassembly • TCP & UDP decoding ⇒ upper-layer checks • Decoder-warning on severe protocol errors Not: • check extensions (Routing Headers, Jumbograms) • support all rule options (fragbits) • IPv6 specific detection (ICMPv6/Neighbor Discovery) Martin Schütte IPv6 Snort Plugin 2014-03-18 23 / 45
  • 24. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion IPv6 Signatures Existing rules work for IPv4 and IPv6 No keywords for IPv6-only fields, no IPv6-only rules provided alert ip icmp any -> any any (msg:"IPv6 ICMP Echo-Request?"; itype:128; classtype:icmp-event; sid:2000001; rev:1;) Good for application layer checks Bad for protocol layer detection ⇒ need to develop a IPv6-Plugin Martin Schütte IPv6 Snort Plugin 2014-03-18 24 / 45
  • 25. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Snort Customizations • Writing rules • Dynamic Detection API: compiled rule evaluations • Dynamic Preprocessor API: • add rule options • do something with a packet ..Network. libpcap . Packet Decoder . Pre- processor . Detection Engine . Rules . Alert, Log Output . Logfiles, Database . Snort Martin Schütte IPv6 Snort Plugin 2014-03-18 25 / 45
  • 26. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion New IPv6 Rule Options Goal: Provide IPv6 access for signatures • Basic Header • Extension Headers • Neighbor Discovery Options Functionality: • Handler for option parsing on config (re-)load • Callbacks for option keywords • Called with rule parameter and current packet • Return match/no_match Martin Schütte IPv6 Snort Plugin 2014-03-18 26 / 45
  • 27. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Implementation // IPv6_Rule_Init() reads rule "ipv: 6;" into IPv6_RuleOpt_Data int IPv6_Rule_Eval(void *raw_packet, const u_int8_t **cursor, void *data) { SFSnortPacket *p = (SFSnortPacket*) raw_packet; struct IPv6_RuleOpt_Data *sdata = (struct IPv6_RuleOpt_Data *) data; switch (sdata->type) { case IPV6_RULETYPE_IPV: { uint_fast8_t ipv = GET_IPH_VER(p); if (checkField(sdata->op, ipv, sdata->opt.number)) return RULE_MATCH; else return RULE_NOMATCH; // ... } } Martin Schütte IPv6 Snort Plugin 2014-03-18 27 / 45
  • 28. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion IPv6 Rule Options alert icmp any any -> any any (itype:8; ipv: 4; msg:"ICMPv4 PING in v4 pkt"; sid:1000000; rev:1;) alert icmp any any -> any any (itype:8; ipv: 6; msg:"ICMPv4 PING in v6 pkt"; sid:1000001; rev:1;) alert icmp any any -> any any (itype:128; ipv: 4; msg:"ICMPv6 PING in v4 pkt"; sid:1000002; rev:1;) alert icmp any any -> any any (itype:128; ipv: 6; msg:"ICMPv6 PING in v6 pkt"; sid:1000003; rev:1;) Martin Schütte IPv6 Snort Plugin 2014-03-18 28 / 45
  • 29. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Resulting Evaluation Tree ..Port Group ICMP any->any . NC Rule Tree Root . itype:8 . itype:128 . ipv:4 . ipv:6 . leaf . leaf Martin Schütte IPv6 Snort Plugin 2014-03-18 29 / 45
  • 30. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Rule Options of the IPv6-Plugin ipv IP version ip6_tclass Traffic Class ip6_flow Flow Label ip6_exthdr Extension Header ip6_extnum Num. of Ext Hdrs. ip6_ext_ordered Ext Hdrs. correctly ordered (bool) ip6_option Destination-/HbH-Option ip6_optval Destination-/HbH-Option Value ip6_rh Routing Header icmp6_nd Neighbor Discovery (bool) icmp6_nd_option Neighbor Discovery Option (Most rules accept comparison operators = ! < >) Martin Schütte IPv6 Snort Plugin 2014-03-18 30 / 45
  • 31. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion More Examples alert ip any any -> any any (ip6_rh: !2; msg:"invalid routing hdr"; sid:1000004; rev:1;) alert ip any any -> any any (ip6_option: 0.0xc2; msg:"ip6 option: Jumbo in HBH hdr"; sid:100066; rev:1;) # event threshold alert icmp any any -> any any (icmp6_nd; detection_filter: track by_dst , count 50, seconds 1; msg:"ICMPv6 flooding"; sid:100204; rev:1;) # log only one flooding event per second: event_filter gen_id 1, sig_id 100204, type limit, track by_src , count 1, seconds 1 Martin Schütte IPv6 Snort Plugin 2014-03-18 31 / 45
  • 32. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Preprocessor for Neighbor Discovery Tracking Goal: monitor network changes • new hosts • new routers • basic extensions/options check Functionality: • Reads ICMPv6 messages • Follows network state, i. e. (MAC, IP) tuple of: • On-link routers • On-link hosts • Ongoing DADs • Alert on change Martin Schütte IPv6 Snort Plugin 2014-03-18 32 / 45
  • 33. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Configuration in snort.conf, all optional net_prefix subnet prefixes router_mac known router MAC addresses host_mac known host MAC addresses max_routers max routers in state (default: 32) max_hosts max hosts in state (default: 8 K) max_unconfirmed max unconfirmed nodes in state (default: 32 K) keep_state remember nodes for n minutes (default: 180) expire_run clean memory every n minutes (default: 20) disable_tracking only rules & stateless checks (default: false) Martin Schütte IPv6 Snort Plugin 2014-03-18 33 / 45
  • 34. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Configuration “normal use” preprocessor ipv6: net_prefix 2001:0db8:1::/64 router_mac 00:16:76:07:bc:92 Martin Schütte IPv6 Snort Plugin 2014-03-18 34 / 45
  • 35. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Preprocessor State at Runtime .. struct IPv6_State . struct IPv6_Hosts_head *routers struct IPv6_Hosts_head *hosts struct IPv6_Hosts_head *unconfirmed struct IPv6_Statistics *stat struct IPv6_Config *config time_t next_expire . struct IPv6_Hosts_head . struct RB_HEAD(IPv6_Host) data u_int32_t entry_limit u_int32_t entry_counter . struct IPv6_Host . RB_ENTRY(IPv6_Host) entries u_int8_t ether_source[6] sfip_t ip … . struct IPv6_Statistics . uint32_t pkt_seen uint32_t pkt_fragments uint32_t pkt_icmpv6 … . struct IPv6_Config . u_int32_t max_routers u_int32_t max_hosts u_int32_t max_unconfirmed struct MAC_Entry_head *router_whitelist struct MAC_Entry_head *host_whitelist … Martin Schütte IPv6 Snort Plugin 2014-03-18 35 / 45
  • 36. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Implementation of NS Processing static void IPv6_Process_ICMPv6_NS(const SFSnortPacket *p, struct IPv6_State *context) { struct nd_neighbor_solicit *ns = (struct nd_neighbor_solicit *) p->ip_payload; sfip_t *target_ip; struct IPv6_Host *ip_entry; target_ip = sfip_alloc_raw(&ns->nd_ns_target , AF_INET6, &rc); // .. ip_entry = get_host_entry(context->hosts, target_ip); if (ip_entry) { DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN , "Neighbour solicitation from known hostn");); return; } /* this is the expected part: the IP is yet unknown --> put into DAD state */ ip_entry = create_dad_entry_ifnew(context->unconfirmed , &p->pkt_header->ts, p->ether_header ->ether_source , target_ip); if (!ip_entry) { DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN , "create_dad_entry_ifnew failedn");); return; } DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN , "%s DAD started by %s / %sn", pprint_ts(ip_entry->last_adv_ts), pprint_mac(ip_entry->ether_source), sfip_to_str(&ip_entry->ip));); _dpd.alertAdd(GEN_ID_IPv6 , SID_ICMP6_ND_NEW_DAD , 1, 0, 3, SID_ICMP6_ND_NEW_DAD_TEXT , 0 ); } Martin Schütte IPv6 Snort Plugin 2014-03-18 36 / 45
  • 37. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Snort IPv6 Alerts: ND Tracking SID Message 1 RA from new router 2 RA from non-router MAC address 3 RA prefix changed 4 RA flags changed 5 RA for non-local net prefix 6 RA with lifetime 0 7 new DAD started 8 new host in network 9 new host with non-allowed MAC addr. 10 DAD with collision 11 DAD with spoofed collision Martin Schütte IPv6 Snort Plugin 2014-03-18 37 / 45
  • 38. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Snort IPv6 Alerts: Packet Attributes SID Message 12 mismatch in MAC/NDP src ll addr. 13 extension header has only padding 14 option lengths ̸= ext length 15 padding option data ̸= zero 16 consecutive padding options Martin Schütte IPv6 Snort Plugin 2014-03-18 38 / 45
  • 39. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion tester.pl ..Test Runner (snort -c -r) . Logfile (unified2) . Compare . PCAP data . snort.conf lines . Expected SIDs . Result Extremely useful for development. Verify intended results for given packet samples. Martin Schütte IPv6 Snort Plugin 2014-03-18 39 / 45
  • 40. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Output/Visualization • Big Problem • barnyard2 tool for Snort log processing (e. g. write SQL) • Few Open Source frontends (BASE & Snorby) • All using old SQL Schema, without IPv6 field Martin Schütte IPv6 Snort Plugin 2014-03-18 40 / 45
  • 41. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Performance Theory: • Stateless checks require processing • ND Tracking requires memory ⇒ DoS risk Practice: • Snort’s packet decoding does 90 % of the work • Configurable memory limit ~ 8 Mb • TCP stream reassembly is much more expensive Martin Schütte IPv6 Snort Plugin 2014-03-18 41 / 45
  • 42. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Bugs Found in Snort 2.9.0 or: Real-World Problems of Major Commercial Security Products • Ping of Death, cannot process > 40 extension headers • wrong Endianness in GET_IPH_VER() • fragmentation breaks ICMP/UDP checksums • Routing Headers break ICMP/UDP checksums • fragbits rules not supported Martin Schütte IPv6 Snort Plugin 2014-03-18 42 / 45
  • 43. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Extension Header Parsing in Snort 2.9.0 fixed in 2.9.1 void DecodeIPV6Options(int type, const uint8_t *pkt, uint32_t len, Packet *p) { uint32_t hdrlen = 0; if(p->ip6_extension_count < IP6_EXTMAX) { switch (type) { case IPPROTO_HOPOPTS: hdrlen = sizeof(IP6Extension) + (exthdr->ip6e_len << 3); } } /* missing else => hdrlen=0 => infinite mutual recursion */ DecodeIPV6Extensions(*pkt, pkt + hdrlen, len - hdrlen, p); } void DecodeIPV6Extensions(uint8_t next, const uint8_t *pkt, uint32_t len, Packet *p) { switch(next) { case IPPROTO_HOPOPTS: case IPPROTO_DSTOPTS: case IPPROTO_ROUTING: case IPPROTO_AH: DecodeIPV6Options(next, pkt, len, p); return; } } Martin Schütte IPv6 Snort Plugin 2014-03-18 43 / 45
  • 44. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Conclusion • It works! • Dynamic Library (no need to recompile Snort) • Enables IPv6-specific detection signatures • Snort & IPv6-Plugin detects THC attacks • Cannot solve fundamental problems: DoS and insecure Ethernet • Can raise visibility and awareness of network threat situation Martin Schütte IPv6 Snort Plugin 2014-03-18 44 / 45
  • 45. . . . . . . . . . . . . . . . IPv6 . . . . . . . . IDS/Snort . . . . . . . . . . . . . . . . . . IPv6 Plugin . . Conclusion Contact E-Mail: info@mschuette.name Project Page: http://mschuette.name/wp/snortipv6/ Source Code: https://github.com/mschuett/spp_ipv6 Questions? Martin Schütte IPv6 Snort Plugin 2014-03-18 45 / 45