Snort
- Snort is an open-source intrusion prevention system (IPS).
- Homepage : https://www.snort.org/
- Main functions : packet sniffer, packet logger, network intrusion prevention system
Snort can be deployed inline to stop these packets, as well. Snort has three primary uses: As a packet sniffer like tcpdump, as a packet logger — which is useful for network traffic debugging, or it can be used as a full-blown network intrusion prevention system. Snort can be downloaded and configured for personal and business use alike.
Snort Rule
Structure
Action / Protocol / Source IP / Source Port / Direction / Destination IP / Destination Port / Option
Action
- alert : generate an alert and log the packet
- log : log the packet
- pass : ignore the packet
- drop : block and log the packet
- reject : block and log the packet, and send a TCP reset for TCP or an ICMP port unreachable message for UDP
Protocol
- tcp
- udp
- icmp
- ip
IP
- 192.168.0.10/32
- 192.168.0.0/24
- [192.168.0.10/32, 192.168.0.11/32]
- !192.168.0.10/32
- any
Port
- 80
- !80
- 1:200
- !1:200
- any
Direction
- -> : match request packets (source to destination only)
- <> : match both request and response packets (either direction)
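The header fields listed above (Action / Protocol / Source IP / Source Port / Direction / Destination IP / Destination Port) are easy to get wrong when negation, lists and ranges combine, so here is an added example (not part of this note and not Snort's own code) that parses a rule header and checks whether a packet 5-tuple falls under it. It covers the CIDR, bracketed list, `!` negation and `any` forms of the IP field, the single, negated, range and `any` forms of the port field, and both `->` and `<>`. The protocol `ip` is treated as covering every IP protocol, as Snort does. The rules and addresses in the demo are constructed for illustration.

```python
"""Parse a Snort rule header and test a packet 5-tuple against it (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

ACTIONS = {"alert", "log", "pass", "drop", "reject"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
# An IP list such as [192.168.0.10/32, 192.168.0.11/32] may contain spaces,
# so bracketed groups are kept as a single token.
HEADER_TOKEN = re.compile(r"\[[^\]]*\]|\S+")


@dataclass
class IpSpec:
    negate: bool
    nets: list                     # ip_network objects; an empty list means "any"

    def matches(self, addr: str) -> bool:
        if not self.nets:
            return True
        hit = any(ipaddress.ip_address(addr) in net for net in self.nets)
        return hit != self.negate  # "!" inverts the result


@dataclass
class PortSpec:
    negate: bool
    low: int
    high: int

    def matches(self, port: int) -> bool:
        return (self.low <= port <= self.high) != self.negate


def parse_ip(spec: str) -> IpSpec:
    negate = spec.startswith("!")
    spec = spec[1:] if negate else spec
    if spec == "any":
        return IpSpec(negate=False, nets=[])
    items = [s.strip() for s in spec[1:-1].split(",")] if spec.startswith("[") else [spec]
    return IpSpec(negate, [ipaddress.ip_network(i, strict=False) for i in items])


def parse_port(spec: str) -> PortSpec:
    negate = spec.startswith("!")
    spec = spec[1:] if negate else spec
    if spec == "any":
        return PortSpec(False, 0, 65535)
    if ":" in spec:                # range such as 1:200; open ends (:1023, 1024:) allowed
        lo, hi = spec.split(":", 1)
        low, high = (int(lo) if lo else 0), (int(hi) if hi else 65535)
    else:
        low = high = int(spec)
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"bad port spec: {spec}")
    return PortSpec(negate, low, high)


@dataclass
class RuleHeader:
    action: str
    protocol: str
    src_ip: IpSpec
    src_port: PortSpec
    direction: str
    dst_ip: IpSpec
    dst_port: PortSpec

    def _one_way(self, src: str, sport: int, dst: str, dport: int) -> bool:
        return (self.src_ip.matches(src) and self.src_port.matches(sport)
                and self.dst_ip.matches(dst) and self.dst_port.matches(dport))

    def matches(self, proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
        if self.protocol != "ip" and proto != self.protocol:   # "ip" covers every IP protocol
            return False
        if self._one_way(src, sport, dst, dport):
            return True
        # "<>" also accepts the reply direction; "->" does not
        return self.direction == "<>" and self._one_way(dst, dport, src, sport)


def parse_header(rule: str) -> RuleHeader:
    header = rule.split("(", 1)[0].strip()       # drop the option block, if present
    fields: List[str] = HEADER_TOKEN.findall(header)
    if len(fields) != 7:
        raise ValueError(f"expected 7 header fields, got {len(fields)}: {fields}")
    action, proto, sip, sport, direction, dip, dport = fields
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    if proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol: {proto}")
    if direction not in ("->", "<>"):
        raise ValueError(f"unknown direction: {direction}")
    return RuleHeader(action, proto, parse_ip(sip), parse_port(sport),
                      direction, parse_ip(dip), parse_port(dport))


if __name__ == "__main__":
    # Constructed rule and packets, for illustration only.
    h = parse_header("drop tcp !192.168.0.0/24 any -> [192.168.0.10/32, 192.168.0.11/32] 1:200 (sid:1;)")
    print(h.matches("tcp", "10.0.0.5", 40000, "192.168.0.11", 80))       # external -> listed host, port in range
    print(h.matches("tcp", "192.168.0.50", 40000, "192.168.0.11", 80))   # source inside the negated network
```

Note that `pass` rules are matched exactly like the others here; which action wins when several rules match depends on Snort's rule ordering configuration, which this example does not model.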
Option
- General
- Payload Detection
- Non-Payload Detection
- Post-Detection
Option
General
- msg : The msg keyword tells the logging and alerting engine the message to print with the packet dump or alert.
- reference : The reference keyword allows rules to include references to external attack identification systems.
- gid : The gid keyword (generator id) is used to identify what part of Snort generates the event when a particular rule fires.
- sid : rule identifier
- rev : rule revision
- classtype : rule classification
- priority : rule priority
- metadata : The metadata keyword allows a rule writer to embed additional information about the rule, typically in a key-value format.
Payload Detection
- content : the string to search for in the payload
  alert tcp any any -> any 139 (content:"|5c 00|P|00|I|00|P|00|E|00 5c|";)
- protected_content
- hash
- length
- nocase : ignore case when matching the content
  alert tcp any any -> any 21 (msg:"FTP ROOT"; content:"USER root"; nocase;)
- rawbytes : match the rule against the raw packet data, before any preprocessor decoding
  alert tcp any any -> any 21 (msg:"Telnet NOP"; content:"|FF F1|"; rawbytes;)
- depth : search only up to the given number of bytes
- offset : skip the given number of bytes before searching
  alert tcp any any -> any 80 (content:"cgi-bin/phf"; offset:4; depth:20;)
- distance : once the previous content has matched, how many bytes past the end of that match to skip before searching for the next content
  alert tcp any any -> any any (content:"ABC"; content:"DEF"; distance:1;)
- within : once the previous content has matched, how many bytes from the distance position the next content is searched within
  alert tcp any any -> any any (content:"ABC"; content:"EFG"; within:10;)
- http_client_body
- http_cookie
- http_raw_cookie
- http_header
- http_raw_header
- http_method
- http_uri
- http_raw_uri
- http_stat_code
- http_stat_msg
- http_encode
- fast_pattern
- uricontent
- urilen
- isdataat
  alert tcp any any -> any 111 (content:"PASS"; isdataat:50,relative; content:!"|0a|"; within:50;)
- pcre
- pkt_data
- file_data
- base64_decode
- base64_data
- byte_test
- byte_jump
- byte_extract
- byte_math
- ftpbounce
- asn1
- cvs
- dce_iface
- dce_opnum
- dce_stub_data
- sip_method
- sip_stat_code
- sip_header
- sip_body
- gtp_type
- gtp_info
- gtp_version
- ssl_version
- ssl_state
Non-Payload Detection
- fragoffset
- ttl
- tos
- id
- ipopts
- fragbits
- dsize
- flags
- flow
- flowbits
- seq
- ack
- window
- itype
- icode
- icmp_id
- icmp_seq
- rpc
- ip_proto
- sameip
- stream_reassemble
- stream_size
Post-Detection
- logto
- session
- resp
  alert tcp any any -> any 80 (content:"a"; resp:<resp_t>; sid:1;)
  resp_t : rst_snd, rst_rcv, rst_all, reset_source, reset_dest, reset_both, icmp_net, icmp_host, icmp_port, icmp_all
- react
- tag
- replace
- detection_filter
Examples
content matching
Each of the following option fragments is applied to the payload 1234567890abcdef:
- content:"456"
- content:"456"; depth:7
- content:"456"; offset:2; depth:4
- content:"123"; content:"789"; distance:3
- content:"123"; content:"789"; distance:3; within:5
- content:"34"; offset:2; depth:5; content:"0ab"; distance:3; within:5
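The fragments above are clearest when you can execute them. The following Python is an added example (not from this note and not Snort's own matcher) that implements the absolute window of offset/depth and the relative window of distance/within as described in this note (within counts from the position reached after distance), plus nocase, `content:!` negation and the `|hex|` byte notation used in the rules above. Keywords the note lists but this example does not interpret (msg, sid, isdataat, ...) are skipped by the simple splitter, and patterns containing `;` are not supported. The payload and the fragments in the demo are the ones from the table; the extra negative cases are constructed.

```python
"""Evaluate Snort content modifiers against a payload (added example).
  offset/depth    -> absolute window  [offset, offset + depth)
  distance/within -> relative window  [prev_end + distance, prev_end + distance + within)
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Content:
    pattern: bytes
    negate: bool = False             # content:!"..." : pattern must NOT be found
    nocase: bool = False             # case-insensitive comparison
    offset: int = 0                  # absolute: skip this many bytes from the payload start
    depth: Optional[int] = None      # absolute: search only this many bytes after offset
    distance: int = 0                # relative: skip this many bytes after the previous match
    within: Optional[int] = None     # relative: search only this many bytes after the distance point


def decode_pattern(quoted: str) -> bytes:
    """Turn a quoted Snort content string into bytes; text between pipes is hex."""
    if len(quoted) < 2 or quoted[0] != '"' or quoted[-1] != '"':
        raise ValueError(f"content pattern must be quoted: {quoted}")
    out = bytearray()
    for i, part in enumerate(quoted[1:-1].split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_content_options(text: str) -> List[Content]:
    """Parse a rule option block into Content objects; non-content keywords are skipped."""
    text = text.strip()
    if text.startswith("(") and text.endswith(")"):
        text = text[1:-1]
    contents: List[Content] = []
    for raw in text.split(";"):           # simple splitter: patterns containing ';' unsupported
        raw = raw.strip()
        if not raw:
            continue
        key, _, val = raw.partition(":")
        key, val = key.strip(), val.strip()
        if key == "content":
            contents.append(Content(pattern=decode_pattern(val.lstrip("!")),
                                    negate=val.startswith("!")))
        elif key in ("nocase", "offset", "depth", "distance", "within"):
            if not contents:
                raise ValueError(f"{key} must follow a content keyword")
            if key == "nocase":
                contents[-1].nocase = True
            else:
                setattr(contents[-1], key, int(val))
        # anything else (msg, sid, rev, isdataat, ...) is ignored by this example
    return contents


def match_contents(payload: bytes, contents: List[Content]) -> bool:
    """True when every content matches in order; distance/within are measured
    from the end of the previous match, otherwise offset/depth apply."""
    prev_end: Optional[int] = None
    for c in contents:
        relative = prev_end is not None and (c.distance != 0 or c.within is not None)
        if relative:
            start = prev_end + c.distance
            end = start + c.within if c.within is not None else len(payload)
        else:
            start = c.offset
            end = start + c.depth if c.depth is not None else len(payload)
        start, end = max(start, 0), min(end, len(payload))
        hay, pat = payload[start:end], c.pattern
        if c.nocase:
            hay, pat = hay.lower(), pat.lower()
        idx = hay.find(pat)
        if c.negate:
            if idx != -1:
                return False
            continue                      # a negated content does not move the cursor
        if idx == -1:
            return False
        prev_end = start + idx + len(pat)
    return True


def rule_matches(options: str, payload: bytes) -> bool:
    return match_contents(payload, parse_content_options(options))


PAYLOAD = b"1234567890abcdef"             # the payload used in the table above

if __name__ == "__main__":
    for frag in ('content:"456";',
                 'content:"456"; depth:7;',
                 'content:"456"; offset:2; depth:4;',
                 'content:"123"; content:"789"; distance:3;',
                 'content:"123"; content:"789"; distance:3; within:5;',
                 'content:"34"; offset:2; depth:5; content:"0ab"; distance:3; within:5;'):
        print(rule_matches(frag, PAYLOAD), frag)
```

Shrinking a window by one byte (for example `within:4` on the last fragment) turns the match into a miss, which is the quickest way to see why depth and within should be sized from real traffic rather than guessed.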
Other
Snort Rule Creator
- SNORPY : http://snorpy.cyb3rs3c.net/