SlideShare ist ein Scribd-Unternehmen logo

IPSflexresponse-eng

Pierpaolo Palazzoli
Pierpaolo Palazzoli
1 von 6
Downloaden Sie, um offline zu lesen
www.snortattack.org IPS FLEXIBLE RESPONSE Pierpaolo Palazzoli, Brescia, Italy Fabio Mostarda, Brescia, Italy Claudia Ghelfi, Brescia, Italy The IPS acronym references an Intrusion Prevention System, i.e. a network security device. It monitors the network traffic flow in order to feature real-time malicious traffic blocking. An IPS can be implemented using a server wherein Snort software works as an IPS, while Iptables handles the more specific firewall tasks and, leveraging specific packages, creates packet queues to be analyzed by the system. SNORT Snort is an intrusion detection and prevention system (IDPS), and can operate in two different ways, both of them totally invisible to the network flow. One of those setups, Flexible Response, is an unique feature of Snort with no equivalent on the market. o Inline. In this mode Snort works like an Ethernet bridge, that is, in order to monitor a network segment, it has to be inserted transparently with two bridged NICs. IPS InlineNetwork Internet Network Traffic <DROP> With this setup, any packet can flow through the bridge from a network card to the other, unless it matches the drop rules; in that case, the switch opens and blocks the packet. o Flexible Response. With this second setup, all the inbound traffic is replicated by a network device (i.e. a switch) to a “mirror port”. The IPS is then linked to that port, analyzing the traffic flow and sending RST packets whenever it detects a match in the drop policies. 1
www.snortattack.org The “flexible response” expression probably references a defence strategy used in the sixties by the USA president John Kennedy. With this strategic approach, it was intended to respond to enemy threats with a proportionate retaliation, thus phasing out the old concept of massive retaliation: this had proven outdated by the Soviet weapon race. Mirrored Traffic Network Catalyst 4948-10GE PS1 STATUS FAN PS2 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 CON MGT X2-1 X2-2 Switch <RST> Internet IPS Flex The best performance output is achieved in inline mode, because it is able to block even attacks made up by a small number of packets. On the contrary, the flexible response mode takes more time to identify an intrusion attempt and thus to reset the related port. Anyway, whenever latency induced by an inline IPS is too high, it’s more convenient to use the flexible response setup; Snort flexresp is a passive device, therefore its efficiency is directly related to CPU power, system setup, free memory and I/O latencies. Snort features two Flexible Response operational modes:  FlexRespo: doesn’t really block connections, but sends error packets to the malicious attackers instead, letting them think about network unreacheability or service port outages. Every user is able to enforce its own ruleset regarding those network attacks responses.  FlexRespo2: a brand new feature, which updates libdnet with libevent. Flexrespo2, in addition to the standard Flexrespo features, prevents response loops which may overload the CPU and disrupt the service. Additionally, it delivers multiple responses in order to enforce malicious connection terminations. It is highly suggested, whenever possible, to implement this second version. 2
www.snortattack.org APPLICAZIONE The introduction of a Flexible Response IPS is related to the adoption of network switches with mirror ports, i.e. a special port where all network traffic is mirrored to; this technology has many commercial names: e.g., SPAN (Switched Port ANalyzer) for Cisco Networks. Mirror port traffic is replicated towards the IPS in order to be analyzed. Whenever malicious data packets are detected, Snort can work in two different ways:  RST, thus deleting any dangerous packet;  ICMP, communicating the information about the attack to the sender, and making the host/port unreacheable. An IPS can receive and analyze traffic coming from different mirror ports, using a single output port to forward RST or ICMPs. To implement a Snort IPS in Flexible Response mode, the following steps are suggested: 1. Installation of the following base packages: apt-get install vim gcc make build-essential libtool automake autoconf flex bison libpcre3-dev psmisc ethtool apache2 ntop ntpdate subversion apache2 kernel- package libncurses5-dev fakeroot wget bzip2 flex bison zlibc zlib1g-dev 2. PF_RING setup and Libpcap install: PF_RING is a network socket that speeds up packet capture speed. Therefore, if it is used in an IPS setup, it can increase the overall performance. Download PFRING cd /usr/src svn co https://svn.ntop.org/svn/ntop/trunk/PF_RING/ last version of pf_ring Check Kernel version: uname -a Modify the downloaded script in order to generate the desired kernel patch; in our example, we’ll use the proper version for our kernel: cd /usr/src/PF_RING/ 3
www.snortattack.org vi mkpatch.sh edit the right kernel VERSION=${VERSION:-2} PATCHLEVEL=${PATCHLEVEL:-6} SUBLEVEL=${SUBLEVEL:-26} Run the script to patch the kernel sh ./mkpatch.sh cd workspace/ cd linux-2.6.26-1-686-smp-PF_RING cp /boot/config-2.6.26-1-686-bigmem .config Enable pfring, in order to include it in the new kernel make menuconfig select Networking -> Networking Options and make sure PF_RING socket is enabled. Save the changes and exit the menu. Now it’s possible to generate and install the package with the new kernel: make-kpkg clean fakeroot make-kpkg -initrd -revision=pfring.1.0 linux-image cd ../ dpkg -i linux-image-2.6.26_pfring.1.0_i386.deb In order to use this new kernel at every boot, you have to properly edit this file: vi /boot/grub/menu.lst Create the file : vi /etc/modprobe.d/options adding the line : options ring num_slots=32740 transparent_mode=0 65535 is the buffer ring memory. (just choose it according to system resources, if it’s higher you’ll have to change in grub the proper value; i.e. vmalloc=256M for 256M) Reload the server and check if the correct kernel version is running: reboot Copy the ring source file in the linux directory: cp /usr/src/PF_RING/workspace/linux-2.6.26-1-686-smp- PF_RING/include/linux/ring.h /usr/include/linux/ cd /usr/src/PF_RING/userland make 4
www.snortattack.org Install the Libpfring libraries: cd lib gcc -shared -Wl,-soname -Wl,libpfring.so.0.9.7 -o libpfring.so.0.9.7 *.o -lc cp libpfring.a libpfring.so.0.9.7 /usr/local/lib cp pfring.h /usr/local/include ln -s /usr/local/lib/libpfring.so.0.9.7 /usr/local/lib/libpfring.so ldconfig ldconfig -v |grep pfring This last command checks if the installed libraries are correct; the desired input is therefore: libpfring.so.0.9.7 -> libpfring.so.0.9.7 Last, install Libpcap-ring linraries: cd /usr/src/PF_RING/userland wget http://www.tcpdump.org/release/libpcap-0.9.7.tar.gz tar -zxvf libpcap-0.9.7.tar.gz cd libpcap-0.9.7 mv pcap-int.h pcap-int.h.orig mv pcap-linux.c pcap-linux.c.orig cp ../libpcap-0.9.7-ring/pcap* . ./configure CPPFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib" CFLAGS="-D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64" make && gcc -shared -Wl,-soname -Wl,libpcap.so.`cat VERSION` -o libpcap.so.`cat VERSION` *.o -lc make install && cp libpcap.so.0.9.7 /usr/local/lib ldconfig -v |grep pcap This last command checks the installed libraries version; the desired input is therefore: libpcap.so.0.9.7 -> libpcap.so.0.9.7 3. Install Libdnet libraries: wget http://prdownloads.sourceforge.net/libdnet/libdnet-1.11.tar.gz?download tar zxvf libdnet-1.11.tar.gz cd libdnet-1.11 ./configure make make install ldconfig (rearranges libraries) 4. Install Snort: Run: wget http://www.snort.org/dl/snort-2.8.3.2.tar.gz 5
www.snortattack.org tar zxvf snort-2.8.3.1.tar.gz cd snort-2.8.3.1 ./configure --enable-flexresp2 --enable-memory-cleanup --enable-linux-smp- stats --enable-pthread vi src/Makefile Modify the Makefile in modo order to have: LDFLAGS = -L/usr/lib -lpcre -L/usr/local/lib -ldnet -lpfring -lpcap CPPFLAGS = -DENABLE_RESPONSE2 -I/usr/local/include -fno-strict- aliasing If everything went fine, just run: make make install cd .. mkdir /var/log/snort 5. Define Snort rules: The rules according to which Snort decide sto reset network connections or not, are found in /etc/snort/rules/, arranged in files At the end of every rule, it’s compulsory to have: resp: reset_both,icmp_all; this references Snort Flexible Response mode. A rule example is: alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net 'emote' message"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|17 00 00 00|"; offset:4; depth:4; classtype: policy-violation; sid:2002152; rev:2; resp: reset_both,icmp_all;) 6. Run Snort: Run a Snort instance, with special rules, analyzing traffic from every mirror port. In this example, there are two network flows coming from two switches (Switch_1 and Switch_2). Snort has to be run twice, one for each switch: snort -A fast -i eth0 -b -d -D -c /etc/snort/snort_1.conf snort -A fast -i eth1 -b -d -D -c /etc/snort/snort_2.conf 6

Empfohlen

Stealth servers need Stealth Packets - Derbycon 3.0
Stealth servers need Stealth Packets - Derbycon 3.0Stealth servers need Stealth Packets - Derbycon 3.0
Stealth servers need Stealth Packets - Derbycon 3.0Jaime Sánchez
 
x86_64 Hardware Deep dive
x86_64 Hardware Deep divex86_64 Hardware Deep dive
x86_64 Hardware Deep diveNaoto MATSUMOTO
 
Hunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsHunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsAndrew Case
 
From Kernel Space to User Heaven #NDH2k13
From Kernel Space to User Heaven #NDH2k13From Kernel Space to User Heaven #NDH2k13
From Kernel Space to User Heaven #NDH2k13Jaime Sánchez
 
CDP Indicator
CDP IndicatorCDP Indicator
CDP Indicatornpsg
 
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating SystemBPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating SystemThomas Graf
 
Lagopus presentation on 14th Annual ON*VECTOR International Photonics Workshop
Lagopus presentation on 14th Annual ON*VECTOR International Photonics WorkshopLagopus presentation on 14th Annual ON*VECTOR International Photonics Workshop
Lagopus presentation on 14th Annual ON*VECTOR International Photonics WorkshopLagopus SDN/OpenFlow switch
 
Linux Network Stack
Linux Network StackLinux Network Stack
Linux Network StackAdrien Mahieux
 

Empfohlen

Stealth servers need Stealth Packets - Derbycon 3.0
Stealth servers need Stealth Packets - Derbycon 3.0Stealth servers need Stealth Packets - Derbycon 3.0
Stealth servers need Stealth Packets - Derbycon 3.0Jaime Sánchez
 
x86_64 Hardware Deep dive
x86_64 Hardware Deep divex86_64 Hardware Deep dive
x86_64 Hardware Deep diveNaoto MATSUMOTO
 
Hunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsHunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsAndrew Case
 
From Kernel Space to User Heaven #NDH2k13
From Kernel Space to User Heaven #NDH2k13From Kernel Space to User Heaven #NDH2k13
From Kernel Space to User Heaven #NDH2k13Jaime Sánchez
 
CDP Indicator
CDP IndicatorCDP Indicator
CDP Indicatornpsg
 
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating SystemBPF & Cilium - Turning Linux into a Microservices-aware Operating System
BPF & Cilium - Turning Linux into a Microservices-aware Operating SystemThomas Graf
 
Lagopus presentation on 14th Annual ON*VECTOR International Photonics Workshop
Lagopus presentation on 14th Annual ON*VECTOR International Photonics WorkshopLagopus presentation on 14th Annual ON*VECTOR International Photonics Workshop
Lagopus presentation on 14th Annual ON*VECTOR International Photonics WorkshopLagopus SDN/OpenFlow switch
 
Linux Network Stack
Linux Network StackLinux Network Stack
Linux Network StackAdrien Mahieux
 
snortinstallguide
snortinstallguidesnortinstallguide
snortinstallguideLiễu Hồng
 
FD.io Vector Packet Processing (VPP)
FD.io Vector Packet Processing (VPP)FD.io Vector Packet Processing (VPP)
FD.io Vector Packet Processing (VPP)Kirill Tsym
 
Layer one 2011-gh0stwood-d-dos-attacks
Layer one 2011-gh0stwood-d-dos-attacksLayer one 2011-gh0stwood-d-dos-attacks
Layer one 2011-gh0stwood-d-dos-attacksfangjiafu
 
DPDK summit 2015: It's kind of fun to do the impossible with DPDK
DPDK summit 2015: It's kind of fun to do the impossible with DPDKDPDK summit 2015: It's kind of fun to do the impossible with DPDK
DPDK summit 2015: It's kind of fun to do the impossible with DPDKLagopus SDN/OpenFlow switch
 
VYATTAによるマルチパスVPN接続手法
VYATTAによるマルチパスVPN接続手法VYATTAによるマルチパスVPN接続手法
VYATTAによるマルチパスVPN接続手法Naoto MATSUMOTO
 
Dpdk applications
Dpdk applicationsDpdk applications
Dpdk applicationsVipin Varghese
 
Open VSwitch .. Use it for your day to day needs
Open VSwitch .. Use it for your day to day needsOpen VSwitch .. Use it for your day to day needs
Open VSwitch .. Use it for your day to day needsrranjithrajaram
 
Userspace Linux I/O
Userspace Linux I/O Userspace Linux I/O
Userspace Linux I/O Garima Kapoor
 
Kernel Recipes 2015 - The Dronecode Project – A step in open source drones
Kernel Recipes 2015 - The Dronecode Project – A step in open source dronesKernel Recipes 2015 - The Dronecode Project – A step in open source drones
Kernel Recipes 2015 - The Dronecode Project – A step in open source dronesAnne Nicolas
 
Understanding DPDK
Understanding DPDKUnderstanding DPDK
Understanding DPDKDenys Haryachyy
 
Ccnp3 lab 3_1_en (hacer)
Ccnp3 lab 3_1_en (hacer)Ccnp3 lab 3_1_en (hacer)
Ccnp3 lab 3_1_en (hacer)Omar Herrera
 
Introduction to DPDK
Introduction to DPDKIntroduction to DPDK
Introduction to DPDKKernel TLV
 
Intel DPDK Step by Step instructions
Intel DPDK Step by Step instructionsIntel DPDK Step by Step instructions
Intel DPDK Step by Step instructionsHisaki Ohara
 
Network Stack in Userspace (NUSE)
Network Stack in Userspace (NUSE)Network Stack in Userspace (NUSE)
Network Stack in Userspace (NUSE)Hajime Tazaki
 
IxVM on CML
IxVM on CMLIxVM on CML
IxVM on CMLnpsg
 
Switchdev - No More SDK
Switchdev - No More SDKSwitchdev - No More SDK
Switchdev - No More SDKKernel TLV
 
How deep is your buffer – Demystifying buffers and application performance
How deep is your buffer – Demystifying buffers and application performanceHow deep is your buffer – Demystifying buffers and application performance
How deep is your buffer – Demystifying buffers and application performanceCumulus Networks
 
DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)Michael Smith
 
How to Speak Intel DPDK KNI for Web Services.
How to Speak Intel DPDK KNI for Web Services.How to Speak Intel DPDK KNI for Web Services.
How to Speak Intel DPDK KNI for Web Services.Naoto MATSUMOTO
 
netfilter and iptables
netfilter and iptablesnetfilter and iptables
netfilter and iptablesKernel TLV
 
IPS_3M_eng
IPS_3M_engIPS_3M_eng
IPS_3M_engPierpaolo Palazzoli
 
hakin9_6-2006_str22-33_snort_EN
hakin9_6-2006_str22-33_snort_ENhakin9_6-2006_str22-33_snort_EN
hakin9_6-2006_str22-33_snort_ENPierpaolo Palazzoli
 

Weitere ähnliche Inhalte

Was ist angesagt?

FD.io Vector Packet Processing (VPP)
FD.io Vector Packet Processing (VPP)FD.io Vector Packet Processing (VPP)
FD.io Vector Packet Processing (VPP)Kirill Tsym
 
Layer one 2011-gh0stwood-d-dos-attacks
Layer one 2011-gh0stwood-d-dos-attacksLayer one 2011-gh0stwood-d-dos-attacks
Layer one 2011-gh0stwood-d-dos-attacksfangjiafu
 
DPDK summit 2015: It's kind of fun to do the impossible with DPDK
DPDK summit 2015: It's kind of fun to do the impossible with DPDKDPDK summit 2015: It's kind of fun to do the impossible with DPDK
DPDK summit 2015: It's kind of fun to do the impossible with DPDKLagopus SDN/OpenFlow switch
 
VYATTAによるマルチパスVPN接続手法
VYATTAによるマルチパスVPN接続手法VYATTAによるマルチパスVPN接続手法
VYATTAによるマルチパスVPN接続手法Naoto MATSUMOTO
 
Open VSwitch .. Use it for your day to day needs
Open VSwitch .. Use it for your day to day needsOpen VSwitch .. Use it for your day to day needs
Open VSwitch .. Use it for your day to day needsrranjithrajaram
 
Userspace Linux I/O
Userspace Linux I/O Userspace Linux I/O
Userspace Linux I/O Garima Kapoor
 
Kernel Recipes 2015 - The Dronecode Project – A step in open source drones
Kernel Recipes 2015 - The Dronecode Project – A step in open source dronesKernel Recipes 2015 - The Dronecode Project – A step in open source drones
Kernel Recipes 2015 - The Dronecode Project – A step in open source dronesAnne Nicolas
 
Ccnp3 lab 3_1_en (hacer)
Ccnp3 lab 3_1_en (hacer)Ccnp3 lab 3_1_en (hacer)
Ccnp3 lab 3_1_en (hacer)Omar Herrera
 
Introduction to DPDK
Introduction to DPDKIntroduction to DPDK
Introduction to DPDKKernel TLV
 
Intel DPDK Step by Step instructions
Intel DPDK Step by Step instructionsIntel DPDK Step by Step instructions
Intel DPDK Step by Step instructionsHisaki Ohara
 
Network Stack in Userspace (NUSE)
Network Stack in Userspace (NUSE)Network Stack in Userspace (NUSE)
Network Stack in Userspace (NUSE)Hajime Tazaki
 
IxVM on CML
IxVM on CMLIxVM on CML
IxVM on CMLnpsg
 
Switchdev - No More SDK
Switchdev - No More SDKSwitchdev - No More SDK
Switchdev - No More SDKKernel TLV
 
How deep is your buffer – Demystifying buffers and application performance
How deep is your buffer – Demystifying buffers and application performanceHow deep is your buffer – Demystifying buffers and application performance
How deep is your buffer – Demystifying buffers and application performanceCumulus Networks
 
DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)Michael Smith
 
How to Speak Intel DPDK KNI for Web Services.
How to Speak Intel DPDK KNI for Web Services.How to Speak Intel DPDK KNI for Web Services.
How to Speak Intel DPDK KNI for Web Services.Naoto MATSUMOTO
 
netfilter and iptables
netfilter and iptablesnetfilter and iptables
netfilter and iptablesKernel TLV
 

Was ist angesagt? (20)

snortinstallguide
snortinstallguidesnortinstallguide
snortinstallguide
 
FD.io Vector Packet Processing (VPP)
FD.io Vector Packet Processing (VPP)FD.io Vector Packet Processing (VPP)
FD.io Vector Packet Processing (VPP)
 
Layer one 2011-gh0stwood-d-dos-attacks
Layer one 2011-gh0stwood-d-dos-attacksLayer one 2011-gh0stwood-d-dos-attacks
Layer one 2011-gh0stwood-d-dos-attacks
 
DPDK summit 2015: It's kind of fun to do the impossible with DPDK
DPDK summit 2015: It's kind of fun to do the impossible with DPDKDPDK summit 2015: It's kind of fun to do the impossible with DPDK
DPDK summit 2015: It's kind of fun to do the impossible with DPDK
 
VYATTAによるマルチパスVPN接続手法
VYATTAによるマルチパスVPN接続手法VYATTAによるマルチパスVPN接続手法
VYATTAによるマルチパスVPN接続手法
 
Dpdk applications
Dpdk applicationsDpdk applications
Dpdk applications
 
Open VSwitch .. Use it for your day to day needs
Open VSwitch .. Use it for your day to day needsOpen VSwitch .. Use it for your day to day needs
Open VSwitch .. Use it for your day to day needs
 
Userspace Linux I/O
Userspace Linux I/O Userspace Linux I/O
Userspace Linux I/O
 
Kernel Recipes 2015 - The Dronecode Project – A step in open source drones
Kernel Recipes 2015 - The Dronecode Project – A step in open source dronesKernel Recipes 2015 - The Dronecode Project – A step in open source drones
Kernel Recipes 2015 - The Dronecode Project – A step in open source drones
 
Understanding DPDK
Understanding DPDKUnderstanding DPDK
Understanding DPDK
 
Ccnp3 lab 3_1_en (hacer)
Ccnp3 lab 3_1_en (hacer)Ccnp3 lab 3_1_en (hacer)
Ccnp3 lab 3_1_en (hacer)
 
Introduction to DPDK
Introduction to DPDKIntroduction to DPDK
Introduction to DPDK
 
Intel DPDK Step by Step instructions
Intel DPDK Step by Step instructionsIntel DPDK Step by Step instructions
Intel DPDK Step by Step instructions
 
Network Stack in Userspace (NUSE)
Network Stack in Userspace (NUSE)Network Stack in Userspace (NUSE)
Network Stack in Userspace (NUSE)
 
IxVM on CML
IxVM on CMLIxVM on CML
IxVM on CML
 
Switchdev - No More SDK
Switchdev - No More SDKSwitchdev - No More SDK
Switchdev - No More SDK
 
How deep is your buffer – Demystifying buffers and application performance
How deep is your buffer – Demystifying buffers and application performanceHow deep is your buffer – Demystifying buffers and application performance
How deep is your buffer – Demystifying buffers and application performance
 
DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)
 
How to Speak Intel DPDK KNI for Web Services.
How to Speak Intel DPDK KNI for Web Services.How to Speak Intel DPDK KNI for Web Services.
How to Speak Intel DPDK KNI for Web Services.
 
netfilter and iptables
netfilter and iptablesnetfilter and iptables
netfilter and iptables
 

Ähnlich wie IPSflexresponse-eng

Network simulator 2 a simulation tool for linux
Network simulator 2 a simulation tool for linuxNetwork simulator 2 a simulation tool for linux
Network simulator 2 a simulation tool for linuxPratik Joshi
 
Ospf routing protocol in gns3
Ospf routing protocol in gns3Ospf routing protocol in gns3
Ospf routing protocol in gns3Prashant Joshi
 
NUSE (Network Stack in Userspace) at #osio
NUSE (Network Stack in Userspace) at #osioNUSE (Network Stack in Userspace) at #osio
NUSE (Network Stack in Userspace) at #osioHajime Tazaki
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rulesFreddy Buenaño
 
Practical virtual network functions with Snabb (SDN Barcelona VI)
Practical virtual network functions with Snabb (SDN Barcelona VI)Practical virtual network functions with Snabb (SDN Barcelona VI)
Practical virtual network functions with Snabb (SDN Barcelona VI)Igalia
 
An Easy way to build a server cluster without top of rack switches (MEMO)
An Easy way to build a server cluster without top of rack switches (MEMO)An Easy way to build a server cluster without top of rack switches (MEMO)
An Easy way to build a server cluster without top of rack switches (MEMO)Naoto MATSUMOTO
 
Metasploit: Pwnage and Ponies
Metasploit: Pwnage and PoniesMetasploit: Pwnage and Ponies
Metasploit: Pwnage and PoniesTrowalts
 
Coscup2021 open source network os for datacenter
Coscup2021 open source network os for datacenterCoscup2021 open source network os for datacenter
Coscup2021 open source network os for datacenterDung-Ru Tsai
 
Snabbflow: A Scalable IPFIX exporter
Snabbflow: A Scalable IPFIX exporterSnabbflow: A Scalable IPFIX exporter
Snabbflow: A Scalable IPFIX exporterIgalia
 
Advanced RAC troubleshooting: Network
Advanced RAC troubleshooting: NetworkAdvanced RAC troubleshooting: Network
Advanced RAC troubleshooting: NetworkRiyaj Shamsudeen
 
Pushing Packets - How do the ML2 Mechanism Drivers Stack Up
Pushing Packets - How do the ML2 Mechanism Drivers Stack UpPushing Packets - How do the ML2 Mechanism Drivers Stack Up
Pushing Packets - How do the ML2 Mechanism Drivers Stack UpJames Denton
 
For your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and laFor your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and laShainaBoling829
 
Linux System Monitoring
Linux System Monitoring Linux System Monitoring
Linux System Monitoring PriyaTeli
 
D. Fast, Simple User-Space Network Functions with Snabb (RIPE 77)
D. Fast, Simple User-Space Network Functions with Snabb (RIPE 77)D. Fast, Simple User-Space Network Functions with Snabb (RIPE 77)
D. Fast, Simple User-Space Network Functions with Snabb (RIPE 77)Igalia
 

Ähnlich wie IPSflexresponse-eng (20)

IPS_3M_eng
IPS_3M_engIPS_3M_eng
IPS_3M_eng
 
hakin9_6-2006_str22-33_snort_EN
hakin9_6-2006_str22-33_snort_ENhakin9_6-2006_str22-33_snort_EN
hakin9_6-2006_str22-33_snort_EN
 
Network simulator 2 a simulation tool for linux
Network simulator 2 a simulation tool for linuxNetwork simulator 2 a simulation tool for linux
Network simulator 2 a simulation tool for linux
 
Backtrack Manual Part6
Backtrack Manual Part6Backtrack Manual Part6
Backtrack Manual Part6
 
Ospf routing protocol in gns3
Ospf routing protocol in gns3Ospf routing protocol in gns3
Ospf routing protocol in gns3
 
NUSE (Network Stack in Userspace) at #osio
NUSE (Network Stack in Userspace) at #osioNUSE (Network Stack in Userspace) at #osio
NUSE (Network Stack in Userspace) at #osio
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules
 
Practical virtual network functions with Snabb (SDN Barcelona VI)
Practical virtual network functions with Snabb (SDN Barcelona VI)Practical virtual network functions with Snabb (SDN Barcelona VI)
Practical virtual network functions with Snabb (SDN Barcelona VI)
 
An Easy way to build a server cluster without top of rack switches (MEMO)
An Easy way to build a server cluster without top of rack switches (MEMO)An Easy way to build a server cluster without top of rack switches (MEMO)
An Easy way to build a server cluster without top of rack switches (MEMO)
 
Metasploit: Pwnage and Ponies
Metasploit: Pwnage and PoniesMetasploit: Pwnage and Ponies
Metasploit: Pwnage and Ponies
 
An Optics Life
An Optics LifeAn Optics Life
An Optics Life
 
Coscup2021 open source network os for datacenter
Coscup2021 open source network os for datacenterCoscup2021 open source network os for datacenter
Coscup2021 open source network os for datacenter
 
Snabbflow: A Scalable IPFIX exporter
Snabbflow: A Scalable IPFIX exporterSnabbflow: A Scalable IPFIX exporter
Snabbflow: A Scalable IPFIX exporter
 
ENSA_Module_10.pptx
ENSA_Module_10.pptxENSA_Module_10.pptx
ENSA_Module_10.pptx
 
Advanced RAC troubleshooting: Network
Advanced RAC troubleshooting: NetworkAdvanced RAC troubleshooting: Network
Advanced RAC troubleshooting: Network
 
Pushing Packets - How do the ML2 Mechanism Drivers Stack Up
Pushing Packets - How do the ML2 Mechanism Drivers Stack UpPushing Packets - How do the ML2 Mechanism Drivers Stack Up
Pushing Packets - How do the ML2 Mechanism Drivers Stack Up
 
For your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and laFor your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and la
 
Gns3
Gns3Gns3
Gns3
 
Linux System Monitoring
Linux System Monitoring Linux System Monitoring
Linux System Monitoring
 
D. Fast, Simple User-Space Network Functions with Snabb (RIPE 77)
D. Fast, Simple User-Space Network Functions with Snabb (RIPE 77)D. Fast, Simple User-Space Network Functions with Snabb (RIPE 77)
D. Fast, Simple User-Space Network Functions with Snabb (RIPE 77)
 

IPSflexresponse-eng

  • 1. www.snortattack.org IPS FLEXIBLE RESPONSE Pierpaolo Palazzoli, Brescia, Italy Fabio Mostarda, Brescia, Italy Claudia Ghelfi, Brescia, Italy The IPS acronym references an Intrusion Prevention System, i.e. a network security device. It monitors the network traffic flow in order to feature real-time malicious traffic blocking. An IPS can be implemented using a server wherein Snort software works as an IPS, while Iptables handles the more specific firewall tasks and, leveraging specific packages, creates packet queues to be analyzed by the system. SNORT Snort is an intrusion detection and prevention system (IDPS), and can operate in two different ways, both of them totally invisible to the network flow. One of those setups, Flexible Response, is an unique feature of Snort with no equivalent on the market. o Inline. In this mode Snort works like an Ethernet bridge, that is, in order to monitor a network segment, it has to be inserted transparently with two bridged NICs. IPS InlineNetwork Internet Network Traffic <DROP> With this setup, any packet can flow through the bridge from a network card to the other, unless it matches the drop rules; in that case, the switch opens and blocks the packet. o Flexible Response. With this second setup, all the inbound traffic is replicated by a network device (i.e. a switch) to a “mirror port”. The IPS is then linked to that port, analyzing the traffic flow and sending RST packets whenever it detects a match in the drop policies. 1
  • 2. www.snortattack.org The “flexible response” expression probably references a defence strategy used in the sixties by the USA president John Kennedy. With this strategic approach, it was intended to respond to enemy threats with a proportionate retaliation, thus phasing out the old concept of massive retaliation: this had proven outdated by the Soviet weapon race. Mirrored Traffic Network Catalyst 4948-10GE PS1 STATUS FAN PS2 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 CON MGT X2-1 X2-2 Switch <RST> Internet IPS Flex The best performance output is achieved in inline mode, because it is able to block even attacks made up by a small number of packets. On the contrary, the flexible response mode takes more time to identify an intrusion attempt and thus to reset the related port. Anyway, whenever latency induced by an inline IPS is too high, it’s more convenient to use the flexible response setup; Snort flexresp is a passive device, therefore its efficiency is directly related to CPU power, system setup, free memory and I/O latencies. Snort features two Flexible Response operational modes:  FlexRespo: doesn’t really block connections, but sends error packets to the malicious attackers instead, letting them think about network unreacheability or service port outages. Every user is able to enforce its own ruleset regarding those network attacks responses.  FlexRespo2: a brand new feature, which updates libdnet with libevent. Flexrespo2, in addition to the standard Flexrespo features, prevents response loops which may overload the CPU and disrupt the service. Additionally, it delivers multiple responses in order to enforce malicious connection terminations. It is highly suggested, whenever possible, to implement this second version. 2
  • 3. www.snortattack.org APPLICAZIONE The introduction of a Flexible Response IPS is related to the adoption of network switches with mirror ports, i.e. a special port where all network traffic is mirrored to; this technology has many commercial names: e.g., SPAN (Switched Port ANalyzer) for Cisco Networks. Mirror port traffic is replicated towards the IPS in order to be analyzed. Whenever malicious data packets are detected, Snort can work in two different ways:  RST, thus deleting any dangerous packet;  ICMP, communicating the information about the attack to the sender, and making the host/port unreacheable. An IPS can receive and analyze traffic coming from different mirror ports, using a single output port to forward RST or ICMPs. To implement a Snort IPS in Flexible Response mode, the following steps are suggested: 1. Installation of the following base packages: apt-get install vim gcc make build-essential libtool automake autoconf flex bison libpcre3-dev psmisc ethtool apache2 ntop ntpdate subversion apache2 kernel- package libncurses5-dev fakeroot wget bzip2 flex bison zlibc zlib1g-dev 2. PF_RING setup and Libpcap install: PF_RING is a network socket that speeds up packet capture speed. Therefore, if it is used in an IPS setup, it can increase the overall performance. Download PFRING cd /usr/src svn co https://svn.ntop.org/svn/ntop/trunk/PF_RING/ last version of pf_ring Check Kernel version: uname -a Modify the downloaded script in order to generate the desired kernel patch; in our example, we’ll use the proper version for our kernel: cd /usr/src/PF_RING/ 3
  • 4. www.snortattack.org vi mkpatch.sh edit the right kernel VERSION=${VERSION:-2} PATCHLEVEL=${PATCHLEVEL:-6} SUBLEVEL=${SUBLEVEL:-26} Run the script to patch the kernel sh ./mkpatch.sh cd workspace/ cd linux-2.6.26-1-686-smp-PF_RING cp /boot/config-2.6.26-1-686-bigmem .config Enable pfring, in order to include it in the new kernel make menuconfig select Networking -> Networking Options and make sure PF_RING socket is enabled. Save the changes and exit the menu. Now it’s possible to generate and install the package with the new kernel: make-kpkg clean fakeroot make-kpkg -initrd -revision=pfring.1.0 linux-image cd ../ dpkg -i linux-image-2.6.26_pfring.1.0_i386.deb In order to use this new kernel at every boot, you have to properly edit this file: vi /boot/grub/menu.lst Create the file : vi /etc/modprobe.d/options adding the line : options ring num_slots=32740 transparent_mode=0 65535 is the buffer ring memory. (just choose it according to system resources, if it’s higher you’ll have to change in grub the proper value; i.e. vmalloc=256M for 256M) Reload the server and check if the correct kernel version is running: reboot Copy the ring source file in the linux directory: cp /usr/src/PF_RING/workspace/linux-2.6.26-1-686-smp- PF_RING/include/linux/ring.h /usr/include/linux/ cd /usr/src/PF_RING/userland make 4
  • 5. www.snortattack.org Install the Libpfring libraries: cd lib gcc -shared -Wl,-soname -Wl,libpfring.so.0.9.7 -o libpfring.so.0.9.7 *.o -lc cp libpfring.a libpfring.so.0.9.7 /usr/local/lib cp pfring.h /usr/local/include ln -s /usr/local/lib/libpfring.so.0.9.7 /usr/local/lib/libpfring.so ldconfig ldconfig -v |grep pfring This last command checks if the installed libraries are correct; the desired input is therefore: libpfring.so.0.9.7 -> libpfring.so.0.9.7 Last, install Libpcap-ring linraries: cd /usr/src/PF_RING/userland wget http://www.tcpdump.org/release/libpcap-0.9.7.tar.gz tar -zxvf libpcap-0.9.7.tar.gz cd libpcap-0.9.7 mv pcap-int.h pcap-int.h.orig mv pcap-linux.c pcap-linux.c.orig cp ../libpcap-0.9.7-ring/pcap* . ./configure CPPFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib" CFLAGS="-D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64" make && gcc -shared -Wl,-soname -Wl,libpcap.so.`cat VERSION` -o libpcap.so.`cat VERSION` *.o -lc make install && cp libpcap.so.0.9.7 /usr/local/lib ldconfig -v |grep pcap This last command checks the installed libraries version; the desired input is therefore: libpcap.so.0.9.7 -> libpcap.so.0.9.7 3. Install Libdnet libraries: wget http://prdownloads.sourceforge.net/libdnet/libdnet-1.11.tar.gz?download tar zxvf libdnet-1.11.tar.gz cd libdnet-1.11 ./configure make make install ldconfig (rearranges libraries) 4. Install Snort: Run: wget http://www.snort.org/dl/snort-2.8.3.2.tar.gz 5
  • 6. www.snortattack.org tar zxvf snort-2.8.3.1.tar.gz cd snort-2.8.3.1 ./configure --enable-flexresp2 --enable-memory-cleanup --enable-linux-smp- stats --enable-pthread vi src/Makefile Modify the Makefile in modo order to have: LDFLAGS = -L/usr/lib -lpcre -L/usr/local/lib -ldnet -lpfring -lpcap CPPFLAGS = -DENABLE_RESPONSE2 -I/usr/local/include -fno-strict- aliasing If everything went fine, just run: make make install cd .. mkdir /var/log/snort 5. Define Snort rules: The rules according to which Snort decide sto reset network connections or not, are found in /etc/snort/rules/, arranged in files At the end of every rule, it’s compulsory to have: resp: reset_both,icmp_all; this references Snort Flexible Response mode. A rule example is: alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net 'emote' message"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|17 00 00 00|"; offset:4; depth:4; classtype: policy-violation; sid:2002152; rev:2; resp: reset_both,icmp_all;) 6. Run Snort: Run a Snort instance, with special rules, analyzing traffic from every mirror port. In this example, there are two network flows coming from two switches (Switch_1 and Switch_2). Snort has to be run twice, one for each switch: snort -A fast -i eth0 -b -d -D -c /etc/snort/snort_1.conf snort -A fast -i eth1 -b -d -D -c /etc/snort/snort_2.conf 6