IDS for the Sysadmin

BSidesMO 2011 presentation »
Marshal Graham

~$ whoami
Marshal Graham
BSidesMO
October 2011
Marshal Graham
Network and Systems Administrator
Firewall/LAN/Server/DB/Backup/Desktop/Phone/Wireless/iPad/iPhone/Television/Table Lamp/... Technician
I also fix printers
And plug in cables
I install software
People call me and ask questions
Sometimes I answer their questions
I have 3 children and 1 wife
I have met Mickey Mantle and Catfish Hunter
Most people misspell my name
I have already heard the jokes about marshmallows and graham crackers
I've heard the Marshal Dillon jokes too
ls -l /home/marshal/job
The boss says, "Go ahead and get us some security."
And Security...
Oh yeah, and I take care of security too.
?
Why should you listen to me?
Intrusion Detection System
What does it do?
IDS is not just for detecting intrusions
Many things you use Wireshark for could be automated with an IDS
Detection Examples
Bad things
botnet C&C
malware checkins
port scans
SQLi attacks
XSS attempts
Policy violations
chat clients
P2P software
IRC
Protocol stuff
malformed HTTP
SYN floods
specific URI patterns
Anything that crosses the wire
SSL certificate serial #
telnet
SSNs
credit card #s
router config changes
Be creative
unused ports
hostile IPs
bruteforcing
Logon failures
Logon successes
Everyone wants to be a rockstar
4chan
/b
Bad stuff is everywhere
The bad guys are making it even easier for script kiddies
exploit kits
LOIC
REfRef
The good guys are making it easier too
Backtrack
Metasploit
SET
The truth is, most 12 year olds have access to enough tools to pwn you.
It's not always the bad guys
Step 1 -

Install Snort on Windows

7-Zip
gVim
Kiwi Syslog Server
WinPcap
Snort
Strawberry Perl
Wireshark
Step 2 -

Rules
cpan - Sys::Syslog
pulledpork
pulledpork.pl
pulledpork.conf

Rule sources
Sourcefire (VRT)
Emerging-Threats.net

Create a scheduled task to automate rule updates.

Step 3 -

Configure Snort
emerging.conf
snort.conf
enable some rules

Start with a very small number of enabled rules.
Step 4 -

Test and run Snort
identify the interface to listen on
Test snort.conf
Install as service
Set to autostart
Test a rule
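Step 3's "enable some rules, start with a very small number" is the part of the procedure people get wrong: a freshly downloaded Emerging Threats file has thousands of active rules, and running all of them on day one buries the one alert you care about. The script below is an added example, not code from the talk and not pulledpork's own mechanism (pulledpork does the same job with its enablesid.conf/disablesid.conf files): it rewrites a rules file so only a hand-picked set of sids is active. The sample rules file is constructed here; the sid 1000001 telnet rule is hypothetical (local rules conventionally use sids from 1000000 up).

```python
import re

# A rule line, possibly commented out, starts with an optional '#' and a rule action.
RULE_RE = re.compile(r"^\s*(#\s*)?(alert|log|pass|activate|dynamic|drop|reject|sdrop)\s+")
# The sid option inside the rule's option block, e.g. "sid:2001808;" or "sid: 2001808;".
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def rule_sid(line):
    """sid of a rule line (active or commented out); None for anything else."""
    if not RULE_RE.match(line):
        return None
    m = SID_RE.search(line)
    return int(m.group(1)) if m else None

def filter_rules(rules_text, enabled_sids):
    """Rewrite a rules file so that only the sids in enabled_sids are active.

    Rules in the set are emitted without a leading '#'; every other rule
    (including rules with no sid at all) is commented out; non-rule lines
    (header comments, blank lines) pass through untouched.
    Returns (new_text, enabled_count, disabled_count)."""
    out, enabled, disabled = [], 0, 0
    for line in rules_text.splitlines():
        if not RULE_RE.match(line):
            out.append(line)
            continue
        bare = re.sub(r"^\s*#\s*", "", line)       # the rule without its comment marker
        if rule_sid(bare) in enabled_sids:
            out.append(bare); enabled += 1
        else:
            out.append("# " + bare); disabled += 1
    return "\n".join(out) + "\n", enabled, disabled

# Constructed sample rules file: two of the Emerging Threats rules quoted in the talk
# plus a hypothetical local rule (sid 1000001) for telnet to an internal host.
SAMPLE_RULES = """\
# emerging-policy.rules (constructed sample, not the real file)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P LimeWire P2P Traffic"; flow: established; content:"User-Agent|3a| LimeWire"; nocase; http_header; classtype:policy-violation; sid:2001808; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Netflix Streaming Player Access"; flow:to_server,established; content:"/WiPlayer?movieid="; http_uri; classtype:policy-violation; sid:2013498; rev:1;)
alert tcp any any -> $HOME_NET 23 (msg:"LOCAL telnet to internal host"; flow:to_server,established; classtype:policy-violation; sid:1000001; rev:1;)
"""

if __name__ == "__main__":
    # Turn on just the Netflix policy rule and the local telnet rule; LimeWire stays off.
    text, on, off = filter_rules(SAMPLE_RULES, {2013498, 1000001})
    print(text)
    print(f"{on} rules enabled, {off} disabled")
```

Point snort.conf at the rewritten file and run Step 4's config test (`snort -T -c snort.conf`) before installing the service; a rule that fails to parse shows up there, not after you have walked away. Add sids to the set one or two at a time as you learn what each one fires on in your network.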
Why else?
It's easy
It's informative
Any Sysadmin can do it
Even if security is not in your job description, it's probably in your best interests to do what you can to secure your environment.
Questions?
Marshal Graham
@marshalgraham
http://www.marshalgraham.com
Start small
Really small
One rule small
++
If you can profile it, you can detect it.
Bad stuff is everywhere

Would your users fall for this?
Search poisoning
Email spam/scams
Facebook scams
Twitter spam
Don't click links, yeah right
Do your users like kitties?
The 30 Minute IDS
What is an IDS?
Why use an IDS?
Rules
Make it work for you
Thank you
Network Anomaly Detection System
Rules are the heart of Snort
alert tcp any any -> any any (msg:"TCP detected";)
The World's Simplest Snort Rule
Rule Action: alert, log, pass, activate, dynamic, drop, reject, sdrop
Protocol: tcp, udp, icmp, ip
IP Addresses (source and destination): a variable such as $HOME_NET, any, or an address or list of addresses
Ports (source and destination): a variable such as $HTTP_PORTS, any, an individual port, a list like 80,88, or a range like 8000:8888, :1024 or 1025:
Direction operator: ->
Rule options (in parentheses): msg is the alert message that appears in logs.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS FakeAV Windows Protection Suite/ReleaseXP.exe User-Agent (Releasexp)"; flow:established,to_server; content:"User-Agent|3a| Releasexp|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2009796; classtype:trojan-activity; sid:2009796; rev:8;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P LimeWire P2P Traffic"; flow: established; content:"User-Agent|3a| LimeWire"; nocase; http_header; reference:url,www.limewire.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001808; classtype:policy-violation; sid:2001808; rev:8;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Netflix Streaming Player Access"; flow:to_server,established; content:"/WiPlayer?movieid="; http_uri; content:"Host|3a| movies.netflix.com|0d 0a|"; http_header; nocase; reference:url,netflix.com; classtype:policy-violation; sid:2013498; rev:1;)

alert tcp [108.59.1.0/24,108.59.9.65,108.60.159.33,109.108.128.28,109.110.0.0/19,109.120.128.0/18,109.123.117.10,109.123.117.85,109.123.118.42,109.123.88.25,109.127.8.242,109.127.8.243,109.169.62.114,109.169.68.137,109.169.70.121,109.196.130.42,109.196.130.58,109.196.134.0/24,109.196.140.19,109.196.141.0/24] any -> $HOME_NET any (msg:"ET RBN Known Russian Business Network IP TCP (1)"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 60, count 1; flowbits:set,ET.RBN; flowbits:set,ET.Evil; classtype:misc-attack; sid:2406000; rev:274;)

alert udp $HOME_NET [!1720,!1722,!2222,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET TROJAN Possible Downadup/Conficker-C P2P? encrypted traffic UDP Ping Packet (bit value 1)"; dsize:>19; byte_test:1, &, 1, 19; threshold: type both, track by_src, count 95, seconds 50; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,doc.emergingthreats.net/2009205; classtype:trojan-activity; sid:2009205; rev:5;) 

alert tcp any any -> $HOME_NET 445 (msg: "conficker.b shellcode"; content: "|e8 ff ff ff ff c2|_|8d|O|10 80|1|c4|Af|81|9MSu|f5|8|ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|Ise|c4 c4 c4|,|ed c4 c4 c4 94|&<O8|92|\;|d3|WG|02 c3|,|dc c4 c4 c4 f7 16 96 96|O|08 a2 03 c5 bc ea 95|\;|b3 c0 96 96 95 92 96|\;|f3|\;|24 |i|95 92|QO|8f f8|O|88 cf bc c7 0f f7|2I|d0|w|c7 95 e4|O|d6 c7 17 cb c4 04 cb|{|04 05 04 c3 f6 c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5 dc b6 1f|O|95 e0 c7 17 cb|s|d0 b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07 a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab aa c4|]|e7 99 1d ac b0 b0 b4 fe eb eb|"; sid: 2000002; rev: 1;)
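To see how the header fields and the option block above fit together, here is an added example (not code from the talk, not Snort's own parser) that splits a rule into action, protocol, addresses, ports, direction and options, evaluates the port and address notation the talk lists (any, 80,88, 8000:8888, :1024, 1025:, $VARS, ! negation and [bracketed lists]) and decodes a content string with |hex| runs. The LimeWire rule is the one quoted in the talk; the values of $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS, and the sample connection, are assumptions. The reading of a list that mixes negated and positive items (no negated item may match, and if positive items exist one of them must) is stated in the code as an interpretation, since the talk does not spell it out.

```python
import ipaddress
import re

ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}

# Assumed values for the rule variables; on a real sensor they come from snort.conf.
VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!192.168.1.0/24",
        "HTTP_PORTS": "[80,8080]"}

def split_options(body):
    """Split 'msg:"x"; sid:1; nocase;' into (keyword, value) pairs (value None for a
    flag such as nocase). Quotes and backslash escapes are honoured, so a ';'
    inside msg or content does not end the option."""
    opts, buf, quoted, i = [], [], False, 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):        # keep escape pairs such as \; or \" intact
            buf.append(body[i:i + 2]); i += 2; continue
        if c == '"':
            quoted = not quoted
        if c == ";" and not quoted:
            item = "".join(buf).strip(); buf = []
            if item:
                k, sep, v = item.partition(":")
                opts.append((k.strip(), v.strip() if sep else None))
        else:
            buf.append(c)
        i += 1
    if "".join(buf).strip():
        raise ValueError("option not terminated by ';': " + "".join(buf).strip())
    return opts

def decode_content(value):
    """Bytes a content option matches: '"User-Agent|3a| LimeWire"' -> b'User-Agent: LimeWire'.
    |..| runs are hex, a backslash escapes one character. (A leading '!' is not handled.)"""
    s = value.strip().strip('"')
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] == "|":
            j = s.index("|", i + 1)
            out += bytes.fromhex(s[i + 1:j].replace(" ", "")); i = j + 1
        elif s[i] == "\\" and i + 1 < len(s):
            out += s[i + 1].encode("latin-1"); i += 2
        else:
            out += s[i].encode("latin-1"); i += 1
    return bytes(out)

def _spec_matches(spec, value, leaf, variables):
    """IP and port specs share $VAR lookup, '!' negation and [a,b,!c] lists; `leaf`
    tests one plain item. A list is interpreted here as: no negated item may match,
    and if the list has positive items at least one of them must."""
    spec = spec.strip()
    if spec.startswith("$"):
        spec = variables[spec[1:]]                  # KeyError for an undefined variable
    if spec.startswith("!"):
        return not _spec_matches(spec[1:], value, leaf, variables)
    if spec.startswith("[") and spec.endswith("]"):
        items = [s.strip() for s in spec[1:-1].split(",") if s.strip()]
        neg = [s[1:] for s in items if s.startswith("!")]
        pos = [s for s in items if not s.startswith("!")]
        if any(_spec_matches(s, value, leaf, variables) for s in neg):
            return False
        return not pos or any(_spec_matches(s, value, leaf, variables) for s in pos)
    return spec == "any" or leaf(spec, value)

def _port_leaf(spec, port):
    lo, sep, hi = spec.partition(":")               # 80, 8000:8888, :1024 or 1025:
    if not sep:
        return port == int(spec)
    return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)

def _ip_leaf(spec, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port, variables=None):
    return _spec_matches(spec, port, _port_leaf, variables or {})

def ip_matches(spec, ip, variables=None):
    return _spec_matches(spec, ip, _ip_leaf, variables or {})

def parse_rule(text):
    """Split one rule into its seven header fields and its option list."""
    header, _, rest = text.strip().partition("(")   # address lists use [], so the first ( opens the options
    fields = header.split()
    if (len(fields) != 7 or fields[0] not in ACTIONS or fields[4] not in ("->", "<>")
            or not rest.endswith(")")):
        raise ValueError("malformed rule: " + text[:60])
    rule = dict(zip(("action", "protocol", "src", "sport", "direction", "dst", "dport"), fields))
    rule["options"] = split_options(rest[:-1])
    return rule

def header_matches(rule, proto, src, sport, dst, dport, variables):
    """Would a packet with this header be examined by the rule? '<>' is tried both ways."""
    if rule["protocol"] not in (proto, "ip"):
        return False
    def one_way(s, sp, d, dp):
        return (ip_matches(rule["src"], s, variables) and port_matches(rule["sport"], sp, variables)
                and ip_matches(rule["dst"], d, variables) and port_matches(rule["dport"], dp, variables))
    return one_way(src, sport, dst, dport) or (rule["direction"] == "<>" and one_way(dst, dport, src, sport))

# The LimeWire rule quoted in the talk (Emerging Threats sid 2001808).
LIMEWIRE_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P LimeWire P2P Traffic"; '
                 'flow: established; content:"User-Agent|3a| LimeWire"; nocase; http_header; '
                 'reference:url,www.limewire.com; classtype:policy-violation; sid:2001808; rev:8;)')

if __name__ == "__main__":
    rule = parse_rule(LIMEWIRE_RULE)
    opts = dict(rule["options"])
    print({k: rule[k] for k in ("action", "protocol", "src", "sport", "direction", "dst", "dport")})
    print("sid", opts["sid"], "matches bytes", decode_content(opts["content"]))
    # Constructed connection: an inside host talking to an outside web server.
    print(header_matches(rule, "tcp", "192.168.1.5", 51234, "203.0.113.7", 80, VARS))
```

Two things this makes visible that the slide cannot: the direction operator means the LimeWire rule only looks at traffic leaving $HOME_NET (swap source and destination and `header_matches` is false), and the `|3a|` in the content is just a colon, written in hex because a literal `:` inside a content string would be read as the option separator.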

Get a plan
Potential monitoring points
Customize for you
Write your own rules
Don't be afraid to hard code IPs
Identify high priority alerts
Email a daily report
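"Identify high priority alerts" and "Email a daily report" are where a one-rule IDS turns into something you actually read. The script below is an added example (not code from the talk) that parses Snort's alert_fast output, counts alerts per signature and per source address, pulls out the priority-1 signatures plus any sid you have put on a watch list (the hard-coded hostile-IP rules, say), and wraps the result in an email message. The log lines are constructed, not a real capture; sids 1000001 and 1000002 are hypothetical local rules, and the sender and recipient addresses are placeholders.

```python
import re
from collections import Counter
from email.message import EmailMessage

# One line of Snort's alert_fast output (the "alert" file), IPv4 only. Ports are
# absent for protocols such as ICMP, and the Classification field is absent for
# rules that have no classtype.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?\[Priority:\s+(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$")

def parse_alert(line):
    """Fields of one alert line as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    a = m.groupdict()
    for k in ("gid", "sid", "rev", "pri"):
        a[k] = int(a[k])
    a["sport"] = int(a["sport"]) if a["sport"] else None
    a["dport"] = int(a["dport"]) if a["dport"] else None
    return a

def summarize(lines, watch_sids=frozenset()):
    """Count alerts per signature and per source, and list the signatures that need
    a human today: Snort priority 1, plus any sid on the admin's watch list."""
    sigs, sources, skipped = {}, Counter(), 0
    for line in lines:
        a = parse_alert(line)
        if a is None:
            skipped += bool(line.strip())           # count junk, ignore blank lines
            continue
        s = sigs.setdefault(a["sid"], {"msg": a["msg"], "priority": a["pri"],
                                       "count": 0, "sources": Counter()})
        s["count"] += 1
        s["sources"][a["src"]] += 1
        sources[a["src"]] += 1
    high = [sid for sid, s in sigs.items() if s["priority"] == 1 or sid in watch_sids]
    high.sort(key=lambda sid: (sigs[sid]["priority"], -sigs[sid]["count"]))
    return {"signatures": sigs, "sources": sources, "high": high, "skipped": skipped}

def render_report(summary, top=5):
    """Plain-text report: watched/high signatures first, then everything, then top talkers."""
    sigs = summary["signatures"]
    out = ["HIGH PRIORITY / WATCHED"]
    for sid in summary["high"]:
        s = sigs[sid]
        talkers = ", ".join(f"{ip} ({n})" for ip, n in s["sources"].most_common(3))
        out.append(f"  [P{s['priority']}] sid {sid} x{s['count']}: {s['msg']}  from {talkers}")
    out.append("ALL SIGNATURES")
    for sid, s in sorted(sigs.items(), key=lambda kv: -kv[1]["count"]):
        out.append(f"  sid {sid} x{s['count']}: {s['msg']}")
    out.append("TOP SOURCES")
    out += [f"  {ip} x{n}" for ip, n in summary["sources"].most_common(top)]
    if summary["skipped"]:
        out.append(f"({summary['skipped']} unparsed line(s) skipped)")
    return "\n".join(out)

def build_email(body, sender, recipient, subject="Snort daily report"):
    """Wrap the report in a message; smtplib.SMTP(host).send_message(msg) delivers it."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    return msg

# Constructed sample alert lines (not a real capture): sids from the talk's rule
# examples plus two hypothetical local rules, and one line of junk.
SAMPLE_LOG = """\
10/14-08:01:12.000001  [**] [1:2001808:8] ET P2P LimeWire P2P Traffic [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.5:51234 -> 203.0.113.7:80
10/14-08:01:13.000002  [**] [1:2001808:8] ET P2P LimeWire P2P Traffic [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.5:51235 -> 203.0.113.7:80
10/14-09:30:45.100000  [**] [1:2009796:8] ET USER_AGENTS FakeAV Windows Protection Suite/ReleaseXP.exe User-Agent (Releasexp) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.23:49201 -> 198.51.100.9:80
10/14-11:02:10.500000  [**] [1:2406000:274] ET RBN Known Russian Business Network IP TCP (1) [**] [Classification: Misc Attack] [Priority: 2] {TCP} 109.123.117.10:4444 -> 192.168.1.10:3389
10/14-11:02:10.600000  [**] [1:1000001:1] LOCAL telnet to internal host [**] [Priority: 0] {TCP} 192.168.1.5:40001 -> 192.168.1.10:23
10/14-12:00:00.000000  [**] [1:1000002:1] LOCAL ping sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.5 -> 192.168.1.1
not a snort line
"""

if __name__ == "__main__":
    report = render_report(summarize(SAMPLE_LOG.splitlines(), watch_sids={2406000}))
    print(build_email(report, "snort@example.com", "admin@example.com"))
```

Run it from the same scheduled task that updates the rules, against yesterday's alert file, and send the message with smtplib; the watch list is how a hard-coded hostile-IP rule at priority 2 still lands at the top of the report instead of in the noise.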
IDS for the Sysadmin
Keep expanding
www.snort.org
www.snort.org/docs
emergingthreats.net
www.vorant.com/files/EZ_Snort_Rules.pdf