Snort / Notes

Snort

  • Snort is an open-source intrusion prevention system (IPS).
  • Homepage : https://www.snort.org/
  • Main functions : packet sniffer, packet logger, network intrusion prevention system

Snort can be deployed inline to stop these packets, as well. Snort has three primary uses: As a packet sniffer like tcpdump, as a packet logger — which is useful for network traffic debugging, or it can be used as a full-blown network intrusion prevention system. Snort can be downloaded and configured for personal and business use alike.

Snort Rule

Structure

Action / Protocol / Source IP / Source Port / Direction / Destination IP / Destination Port / Option

Action

  • alert : generate an alert and log the packet
  • log : log the packet
  • pass : ignore the packet
  • drop : block the packet and log it
  • reject : block the packet, log it, and send a TCP reset if the protocol is TCP or an ICMP port unreachable message if it is UDP

Protocol

  • tcp
  • udp
  • icmp
  • ip

IP

  • 192.168.0.10/32
  • 192.168.0.0/24
  • [192.168.0.10/32, 192.168.0.11/32]
  • !192.168.0.10/32
  • any

Port

  • 80
  • !80
  • 1:200
  • !1:200
  • any

Direction

  • -> : matches request packets (source to destination)
  • <> : matches both request and response packets (either direction)

Option

  • General
  • Payload Detection
  • Non-Payload Detection
  • Post-Detection

Option

General

  • msg
    The msg keyword tells the logging and alerting engine the message to print with the packet dump or alert.
  • reference
    The reference keyword allows rules to include references to external attack identification systems.
  • gid
    The gid keyword (generator id) is used to identify what part of Snort generates the event when a particular rule fires.
  • sid
    Rule identifier (signature ID)
  • rev
    Rule revision
  • classtype
    Rule classification
  • priority
    Priority
  • metadata
    The metadata keyword allows a rule writer to embed additional information about the rule, typically in a key-value format.

Payload Detection

  • content
    String to search for in the packet payload
    alert tcp any any -> any 139 (content:"|5c 00|P|00|I|00|P|00|E|00 5c|";)

  • protected_content

  • hash

  • length

  • nocase
    Ignores case when matching the preceding content.
    alert tcp any any -> any 21 (msg:"FTP ROOT"; content:"USER root"; nocase;)

  • rawbytes
    Matches the rule against the raw packet data, before any preprocessor decoding
    alert tcp any any -> any 21 (msg:"Telnet NOP"; content:"|FF F1|"; rawbytes;)

  • depth
    Searches only the specified number of bytes of the payload

  • offset
    Skips the specified number of bytes before starting the search
    alert tcp any any -> any 80 (content:"cgi-bin/phf"; offset:4; depth:20;)

  • distance
    When the previous content matched, specifies how many bytes after the end of that match the search for the next content starts
    alert tcp any any -> any any (content:"ABC"; content:"DEF"; distance:1;)

  • within
    When the previous content matched, specifies the number of bytes, counted from the distance position, within which the next content must be found
    alert tcp any any -> any any (content:"ABC"; content:"EFG"; within:10;)

  • http_client_body

  • http_cookie

  • http_raw_cookie

  • http_header

  • http_raw_header

  • http_method

  • http_uri

  • http_raw_uri

  • http_stat_code

  • http_stat_msg

  • http_encode

  • fast_pattern

  • uricontent

  • urilen

  • isdataat
    alert tcp any any -> any 111 (content:"PASS"; isdataat:50,relative; content:!"|0a|"; within:50;)

  • pcre

  • pkt_data

  • file_data

  • base64_decode

  • base64_data

  • byte_test

  • byte_jump

  • byte_extract

  • byte_math

  • ftpbounce

  • asn1

  • cvs

  • dce_iface

  • dce_opnum

  • dce_stub_data

  • sip_method

  • sip_stat_code

  • sip_header

  • sip_body

  • gtp_type

  • gtp_info

  • gtp_version

  • ssl_version

  • ssl_state

Non-Payload Detection

  • fragoffset
  • ttl
  • tos
  • id
  • ipopts
  • fragbits
  • dsize
  • flags
  • flow
  • flowbits
  • seq
  • ack
  • window
  • itype
  • icode
  • icmp_id
  • icmp_seq
  • rpc
  • ip_proto
  • sameip
  • stream_reassemble
  • stream_size

Post-Detection

  • logto
  • session
  • resp
    alert tcp any any -> any 80 (content:"a"; resp:<resp_t>; sid:1;)
    resp_t : rst_snd, rst_rcv, rst_all, reset_source, reset_dest, reset_both, icmp_net, icmp_host, icmp_port, icmp_all
  • react
  • tag
  • replace
  • detection_filter

Examples

content matching

  • content:"456"
    1234567890abcdef
  • content:"456";depth:7
    1234567890abcdef
  • content:"456";offset:2;depth:4
    1234567890abcdef
  • content:"123";content:"789";distance:3
    1234567890abcdef
  • content:"123";content:"789";distance:3;within:5
    1234567890abcdef
  • content:"34";offset:2;depth:5;content:"0ab";distance:3;within:5
    1234567890abcdef
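As an added example (not part of these notes, and not Snort's own code), the Python script below simulates how the content, offset, depth, distance, within and nocase modifiers described above select a search window, and evaluates rule fragments like the ones in this section against the payload 1234567890abcdef. The names parse_content, parse_options and match_rule are chosen here; |..| hex escapes and content:!"..." negation are handled too, while unrelated options (msg, sid, isdataat, ...) are ignored.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

def parse_content(text: str) -> bytes:
    """Decode a Snort content string: literal text outside |..|, hex bytes inside."""
    out = bytearray()
    for i, chunk in enumerate(text.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)

@dataclass
class Content:
    pattern: bytes
    negated: bool = False           # content:!"...": pattern must NOT be found
    nocase: bool = False            # case-insensitive comparison
    offset: int = 0                 # absolute start of the search window
    depth: Optional[int] = None     # window length, counted from offset
    distance: Optional[int] = None  # relative start, from end of previous match
    within: Optional[int] = None    # window length, counted from that point

def parse_options(opts: str) -> List[Content]:
    """Collect content keywords and their modifiers; other options (msg, sid, ...) are ignored."""
    contents: List[Content] = []
    for tok in filter(None, (t.strip() for t in opts.split(";"))):
        m = re.fullmatch(r'content:\s*(!?)\s*"(.*)"', tok)
        if m:
            contents.append(Content(parse_content(m.group(2)), negated=m.group(1) == "!"))
            continue
        key, _, value = tok.partition(":")
        if key == "nocase":
            contents[-1].nocase = True
        elif key in ("offset", "depth", "distance", "within"):
            setattr(contents[-1], key, int(value))
    return contents

def match_rule(opts: str, payload: bytes) -> bool:
    """True if every content in opts matches payload, evaluated left to right."""
    cursor = 0  # end of the previous match; distance/within count from here
    for c in parse_options(opts):
        relative = c.distance is not None or c.within is not None
        start = cursor + (c.distance or 0) if relative else c.offset
        length = c.within if relative else c.depth
        window = payload[start:] if length is None else payload[start:start + length]
        hay, needle = (window.lower(), c.pattern.lower()) if c.nocase else (window, c.pattern)
        idx = hay.find(needle)
        if (idx != -1) == c.negated:  # required but missing, or forbidden but present
            return False
        cursor = start + idx + len(c.pattern) if idx != -1 else cursor
    return True
```

match_rule('content:"456";offset:2;depth:4', b"1234567890abcdef") returns True because the window is bytes 2 to 5 ("3456"), whereas depth:2 would leave only "34" and return False.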

Other

Snort Rule Creator