Monday, June 28, 2010

Snort Preprocessors and Alerts

Snort Preprocessors

Preprocessors were introduced in Snort v1.5. Preprocessor code is run before the detection engine is called, but after the packet has been decoded. The packet can be modified or analyzed in an out-of-band manner using this mechanism. Preprocessors help in identifying possible attack packets before rules are applied, after the preprocessing stage various rules are applied on the packets (raw data) for detecting attacks based on the pattern matches. Preprocessors need to be configured from snort.conf file which can be found at /etc/ or /etc/snort/. frag2 should be commented if frag3 is used and stream4 is commented if stream5 is used.

preprocessor frag2
preprocessor frag3 // IP packet reassembly or defragmentation
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor stream5 // TCP Segmentation reassembly, stateful protocol analysis
preprocessor http_decode // http normalization of url-encoded data
preprocessor rpc_decode
preprocessor bo // back orifice backdoor traffic detection
preprocessor telnet_decode
preprocessor sf_portscan // detects various portscans
preprocessor sf_ssh
preprocessor sf_smtp
preprocessor sf_ftptelnet
preprocessor sf_dns
preprocessor sf_dcerpc
preprocessor sf_ssl

Snort also has Postprocessors or output plug-ins. These are the snort processors/plug-ins that determine what to do after traffic is identified as malicious based on pre-processors or rules. Popular post-processors are those that send snort alerts and log data to databases; those which allow SNMP event messaging etc.

Snort Alerts

Snort alerts logged onto a logfile look like (there may be different alerts in your environment)
[**] [1:2050:14] SQL version overflow attempt [**]
[**] [1:8428:9] WEB-MISC SSLv2 openssl get shared ciphers overflow attempt [**]
[**] [122:3:0] (portscan) TCP Portsweep [**]
[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]

The first number (1, 122, 119 here) is the Generator ID, this tells the user what component of Snort generated this alert. List of GIDs can be found at etc/generators in the Snort source.

Generators file has the format shown below
generatorid || alertid || MSG
Below diagram shows the generator id, alert id or snort id and alert name.

<!--[if !vml]-->
<!--[if !vml]--><!--[endif]-->
Any alert under ARP Spoofing and spp_fnord will have a Generator ID's of 112 and 114 respectively.

The second number (2050, 8428, 3, 4 here) is the Snort ID (or Signature ID). For a list of preprocessor SIDs, please see etc/ Rule-based SIDs are written directly into the rules with the “sid” option.

The third number (14, 9, 0, 1 from above alerts) is the revision ID. This number is primarily used when writing signatures, as each re-edition or fine tuning of the rule should increment this number with the “rev” option. e.g. " SQL version overflow attempt" signature is modified 14 times !!!

For detailed description of various concepts refer SnortTM Users Manual.