In this lesson, I'll talk about Snort and how it's used for detection and monitoring of assets. So network resources, system resources, we actually had it before we had an intrusion prevention system. I actually used this for probably six years to detect malicious traffic on the network. And we had a ten-gigabit, or it was monitoring a ten-gigabit network, but it was using a lot of resources to do that. So you can get Snort to identify all different kinds of things. So attack hits, malicious traffic on the Internet, backdoors into systems, exploit kits. It has a few different modes, it has a sniffer built in. It's used for network intrusion detection, and can also be used for packet logging. It is probably my favorite piece of software just because of what it does and what the capabilities are. Let's talk about the features of Snort real quick. Snort works like tcpdump. And it can work like tcpdump, where it's sniffing packets and downloading them based on criteria. We could output that information to stdout, or we can also input it to a number of different architectures, like SQL, or we could have it alert via e-mail, or other databases. It acts as a network intrusion detection device, and this is what it's most famous for, it's famous for detecting patterns. Snort has a specific process it uses. And in order to understand how Snort works, we have to look at the process. So the packet stream is, you're going to get that from a number of different sources. That could be the network itself, it could be inline sniffing, or it could be from a network tap, like a fiber tap, which is passive, or it could be an active feed from something like a SPAN port on a switch, and that's what we had at the university. We monitored multiple 10-gig network interfaces. And it was processing consistently and losing very few packets, but the server itself was pretty beefy.
So, in order for Snort to do traffic analysis it has to be put inside the stream, some data has to be given to it. So, it has a packet decoder. It runs the preprocessor first, which is the plug-ins. Then it goes to the detection engine, where we could also put plug-ins. And then output, the output could be alerts and it could be logging to a SQL database like I've said before. It's also able to look at many different rules. The things we looked out for were exploits, scans, denial of service, dns.rules, web type traffic, sql-traffic, shellcode, backdoor, and attack-responses, as well as virus.rules. Now, a lot of these rules, there's literally tens of thousands of rules here. And in order to process these, you do have to have a very large processing system to do this. How many rules you have is going to determine how well the system responds. Let's start looking at Snort. I'm going to bring up my virtual machine here. Okay. And what I've done, malware-traffic-analysis.net provides a lot of good packet captures for you to analyze. So if you want to do this yourself you're more than welcome to do it, and I will put a link to what we're talking about in this demo today inside of one of the readings. Now, let me just go back here and show you a little bit. Here are all the traffic analysis exercises for 2017 and 2016, we're going to go down to this one here, three different hosts. So we can download the TXT of the Snort events that are triggered, but we're not going to do that. I'm actually going to show you how it actually operates. And then here's the PCAP itself. Now, what you want to make sure of, if you are doing this yourself, is to have it on a virtual machine. The problem is that if you download this information on a system that's up and running you're going to execute the traffic, so you're going to get infected. Your system is going to get infected if you don't do this on a virtual machine.
So, I'm going to go back to my terminal here. And I already have Snort up and running on this box. So let's run Snort. And the software that I'm using, the distribution is called Security Onion. It has a lot of built-in security modules that you can use to help with traffic analysis. So I'm going to call Snort. I'm going to use the read-only mode, and use that packet capture that I've just downloaded. And I'm going to use this configuration file for Snort that I also modified to show the rules outputted. So I'm going to run this real quick. It's going to start the processing. Now it's reading the packet capture itself. And it's completed. So, let's look at the alerts that it's generated. So I have this going to /var/log/snort/alert. So as you can see, that generated a huge amount of alerts on that packet capture. Let's look at several of these. The last one, we'll look at specifically. ET, which means Emerging Threats, TROJAN Cryptowall. Cryptowall is a ransomware virus that encrypts a victim's hard drive and files, and gets you to pay, or they want you to pay, for getting your files back. So here, 2022048 is the signature ID, and it looks like it was downloaded from a .onion, which is a Tor routing proxy domain. Here is information where we can actually see more about the alert that was generated. So let's look at the rule itself. Now I'm going to look up the signature. So I'm going to go to where the rules are. So, cat /etc/nsm/rules/downloaded.rules, and then I'm going to search for 2022048, which is the rule that fired. So here's my rule inside of Snort. So alert udp, which is the protocol. My HOME_NET, which is configured for probably 192.168.something. I'm going to look for a, it's going to an external address on port 53. Port 53 is DNS. The message is going to be ET TROJAN Cryptowall .onion Proxy Domain. And inside the packet, this is what we're looking for, we're looking for this type of byte pattern inside the packet.
And then we're going to look at a depth of at least 10. The offset is going to be 2, looking at the packet itself. And then we're also going to look for this pattern inside of the payload. If those two match, or if these three items, four items here match, then we have a hit on our alert. And we can be assured that something malicious is happening. So, in conclusion, Snort is an extremely powerful network intrusion detection tool. It's not necessarily meant for intrusion prevention, but it will give you all kinds of information on the network traffic that you have flowing through your network.
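The decode, detect and output path from the earlier part of the lesson and the rule anatomy just walked through (header, msg, content with offset and depth, sid) can be tied together in a small model. The Python below is an added example written for this lesson; it is not part of the lesson's demo and not Snort's own code. The rule text keeps the header shape, the msg and the sid 2022048 from the lesson, but its two content byte patterns (a standard DNS query header at offset 2 / depth 10, then a five-byte "onion" label), the $HOME_NET value 192.168.0.0/16, the addresses, ports and domain names are all constructed assumptions, since the lesson does not show the real rule's bytes. Snort's real detection engine does far more (preprocessors, fast-pattern matching, many more option keywords); what this shows is the semantics of offset and depth as a search window, why every content option must hit, and why the header has to match before the payload is even looked at.

```python
"""Toy model of Snort's decode -> detect -> output path. Example code written for
this lesson, not Snort's own source: the rule text, $HOME_NET value, byte patterns
and packets are constructed (the patterns follow the lesson's offset 2 / depth 10)."""
import re
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

HOME_NET = "192.168.0.0/16"  # assumed lab value for $HOME_NET

# Constructed rule in Snort syntax; header shape, msg and sid follow the lesson, the
# two content patterns are assumptions, not the bytes of the real ET rule.
RULE = ('alert udp $HOME_NET any -> $EXTERNAL_NET 53 '
        '(msg:"ET TROJAN Cryptowall .onion Proxy Domain"; '
        'content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; '
        'content:"|05|onion"; nocase; sid:2022048; rev:1;)')

def parse_content(spec: str) -> bytes:
    """Snort content string -> bytes: text outside |..| is literal, inside is hex."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part.replace(" ", "")) if i % 2 else part.encode()
    return bytes(out)

@dataclass
class Content:
    pattern: bytes
    offset: int = 0              # start searching this many bytes into the payload
    depth: Optional[int] = None  # search no further than this many bytes past offset
    nocase: bool = False

    def matches(self, payload: bytes) -> bool:
        end = None if self.depth is None else self.offset + self.depth
        hay, pat = payload[self.offset:end], self.pattern
        return (pat.lower() in hay.lower()) if self.nocase else (pat in hay)

HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$")
OPTION_RE = re.compile(r'(\w+)(?::("[^"]*"|[^;]*))?;')

def parse_rule(text: str) -> dict:
    """Split a one-line rule into its header fields and the options inside (...)."""
    m = HEADER_RE.match(text.strip())
    rule = {"header": m.groups()[:6], "msg": "", "sid": 0, "rev": 1, "contents": []}
    for key, val in OPTION_RE.findall(m.group(7)):
        val = val.strip().strip('"')
        if key in ("msg", "sid", "rev"):
            rule[key] = val if key == "msg" else int(val)
        elif key == "content":
            rule["contents"].append(Content(parse_content(val)))
        elif key in ("offset", "depth"):  # modifiers bind to the preceding content
            setattr(rule["contents"][-1], key, int(val))
        elif key == "nocase":
            rule["contents"][-1].nocase = True
    return rule

def build_dns_query(qname: str) -> bytes:
    """Constructed standard DNS query: 12-byte header, labels, QTYPE A, QCLASS IN."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed IPv4 + UDP frame (checksums left zero; the decoder ignores them)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0,
                       ip_address(src).packed, ip_address(dst).packed) + udp

def decode(frame: bytes) -> dict:
    """Packet-decoder stage: IPv4/UDP addresses, ports and payload."""
    ihl = (frame[0] & 0x0F) * 4
    sport, dport, ulen = struct.unpack("!HHH", frame[ihl:ihl + 6])
    return {"src": str(ip_address(frame[12:16])), "dst": str(ip_address(frame[16:20])),
            "sport": sport, "dport": dport, "payload": frame[ihl + 8:ihl + ulen]}

def addr_ok(spec: str, addr: str) -> bool:
    inside = ip_address(addr) in ip_network(HOME_NET)
    return {"any": True, "$HOME_NET": inside, "$EXTERNAL_NET": not inside}[spec]

def port_ok(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port

def detect(rule: dict, pkt: dict) -> Optional[str]:
    """Detection-engine stage: header first, then every content option must hit.
    Returns a line in Snort's fast-alert style, or None."""
    _, _, src, sport, dst, dport = rule["header"]
    header_hit = (addr_ok(src, pkt["src"]) and addr_ok(dst, pkt["dst"])
                  and port_ok(sport, pkt["sport"]) and port_ok(dport, pkt["dport"]))
    if not header_hit or not all(c.matches(pkt["payload"]) for c in rule["contents"]):
        return None
    return (f"[**] [1:{rule['sid']}:{rule['rev']}] {rule['msg']} [**] {{UDP}} "
            f"{pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}")

def run() -> List[str]:
    """Three constructed frames: a hit, a benign query, and the hit payload in the
    reply direction (so the header, not just the payload, decides the alert)."""
    rule = parse_rule(RULE)
    bad, good = build_dns_query("abcdef.onion.example"), build_dns_query("www.example.com")
    frames = [build_ipv4_udp("192.168.1.10", "203.0.113.53", 40000, 53, bad),
              build_ipv4_udp("192.168.1.10", "203.0.113.53", 40001, 53, good),
              build_ipv4_udp("203.0.113.53", "192.168.1.10", 53, 40000, bad)]
    alerts = [a for a in (detect(rule, decode(f)) for f in frames) if a]
    return alerts  # output stage: Snort would write these to its alert file or database
```

Calling `run()` yields exactly one alert line, for the first frame: the query for the constructed `abcdef.onion.example` leaves `$HOME_NET` for port 53, its DNS header bytes sit in the window `payload[2:12]` that `offset:2; depth:10;` defines, and the `|05|onion` label is found. The second frame has a matching header but no matching payload; the third carries the matching payload but travels in the reply direction, so the header check stops it before any byte of the payload is compared.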