Managing Security with Snort & IDS Tools by Kerry J. Cox, Christopher Gerg

What follows are methods attackers use to gather information about the network, IP address range, or business assets they wish to attack—without sending a single packet to your network:

An initial tactic is to gather information regarding the IP addresses owned or managed by a particular company, the contact people, or even the physical address or location of the company. Here are some sites that give out this type of information:

There are several other free WHOIS services available on the Internet. Each one offers nearly the same information that can be gleaned from the main Network Solutions page. Sites such as http://www.hyperwhois.com and http://www.accesswhois.com are also used. Attackers visit these sites to locate domain names pending expiration. Network Solutions and Verisign have proved most accommodating recently by providing alternative misspellings of common domain names. Both of these features are useful when attempting to take over a domain or redirect normal commerce traffic to another site by means of subversion. Check these web pages for information about your own company. If too much data is available on the Internet or if you wish to minimize your company’s exposure, resubmit the correct forms to Network Solutions or to your domain name provider. Also, update the information contained on the ARIN site by modifying RWHOIS records. One tactic is to replace names with titles, or even use bogus names to make it harder for social engineering to succeed.

Another common tactic is to gather data from corporate web sites. Most companies list their physical address and provide maps and directions. Typical business sites often display not only the president or CEO’s name (and all other higher management personnel) but provide an email address and phone number. These are useful to attackers when performing social engineering. In addition, the email address can assist in DNS requests and MX record lookups. Minimize the amount of data you are willing to share with strangers by censoring corporate web pages. Explain this to company managers as well as to the webmaster. Anyone using the corporate web site for marketing or sales purposes should be aware of any inherent security risks.

There are several free tools for Windows-based machines that execute commands similar to those found on Linux. The two I mention here are Sam Spade and IP-Tools . Their URLs are listed at the end of this chapter. The former is free, while the latter currently requires a $35 registration fee. Both of these utilities provide Windows users with much the same functionality as Linux. They offer many like features, including webcrawling utilities, real-time blackhole lists for determining the IP addresses of repeat spam offenders, ping, whois, dig, and traceroute. The IP-Tools application does have some added functionality such as port and NetBIOS scanning similar to that of Nmap for Linux, along with a telnet utility. It also performs netstat commands that displays open ports listening for connection requests.

There are several other DNS query tools available for use directly off web pages. I recommend the netcraft.com site for determining version and release numbers of a particular web server. This leads us into the active probing that can be performed to gather information about your network.

One of the most widely used network mappers or port scanners is Nmap . Fyodor, the author, describes his tool in the following manner

Nmap is available for most systems, including nearly all BSD variants, Solaris and Linux, and Windows. Nmap can be used from the command line as a console tool or in its graphical release. It is started from the prompt with the command nmap. The graphical version is initiated using nmapfe, short for “nmap frontend.” Nmap is best run as root so all options are granted to the user. Consult the Nmap home page at http://www.insecure.org/nmap/ for available options and latest source code. Nmap comes in source and RPM formats. It is included as a standard package with most Linux distributions, including Red Hat. Install it initially or compile it later from source.

Figure 4-1 shows Nmap run as root with the graphical frontend. Selecting different variables within “Scan options” and “General options” customizes how stealthy or unobtrusive the scans run against target systems. The output as it appears on the command line is displayed directly below the options. By noting the syntax that appears below the main window, a scan can be run from the console or the command line.

Figure 4-1. The main interface for the Nmap Front End tool

After selecting a target IP address, subnet, or domain name, execute the scan. The output displays in the lower box. All detected open ports are shown here with the service name and port number.

The latest release of Nmap shows not only the open ports but performs fingerprinting of the listening ports and displays the software version and release currently running on that port. Not only can I find out if a port is open, but I can see the Apache version and the current PHP release running on my system.

Currently, Nmap is best run from the command line for a detailed report on available services. Here is what a scan showed against a typical machine with a default or “vanilla” configuration.

                  # nmap -sV -T4 -F localhost

Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2003-09-17 19:36 MDT
Interesting ports on localhost (127.0.0.1):
(The 1203 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsFTPd 1.1.3
22/tcp   open  ssh         OpenSSH 3.5p1 (protocol 2.0)
25/tcp   open  smtp        Sendmail smtpd Secure/Rabid
80/tcp   open  http        Apache httpd 1.3.28 ((Unix) PHP/4.3.2)
110/tcp  open  pop3        UW Imap pop3 server 2001.78rh
6000/tcp open  X11         (access denied)
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
Uptime 9.486 days (since Mon Sep  8 07:56:31 2003)

Nmap run completed -- 1 IP address (1 host up) scanned in 16.151 seconds

Nmap scans are useful for testing Snort installations. By default, Nmap is fairly noisy and easily detectable. Most Nmap scans readily show up in the alerts file or via the ACID web page.^[1] Existing signatures that alert administrators to Nmap scans can be customized to suit.

Here is one of several possible alerts that appear in the Snort alert log when Nmap is run (using Nmap’s -P0 option prevents the ping from being sent).

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2] 
09/18-02:58:18.144568 64.147.136.144 -> 209.63.147.19
ICMP TTL:22 TOS:0x0 ID:51496 IpLen:20 DgmLen:28
Type:8  Code:0  ID:44209   Seq:8907  ECHO
[Xref =>  arachnids 162]

There are also Nmap-specific scans that show up in the Snort alert log. These range from Nmap web-based attacks to fingerprint attempts (much like the example scan shown above) to TCP scans. To view sample alerts generated by Snort when Nmap is run against it, simply grep the text “nmap” within the Snort rules. There are plenty of occurrences in which Nmap plays a role in generating alerts. Each of these rules can be customized to give alerts on a more specific level.

Once ACID is operational with Snort, consult the logs frequently for network scans and connection attempts. Some Nmap scans may be stealthy connection attempts so also look for SNMP requests and proxy scans, which are fairly typical for Nmap.

Armed with this information, an attacker can go to a variety of web sites and discover if you are running an operating system or service version with known vulnerabilities. Once this is determined, it is a relatively easy manner to find scripts or programs that can exploit the vulnerable system, leading to a penetration.

Port scanning, fingerprinting, and determining software versions takes a considerable amount of time and some skill at rooting out information on the Internet. To make research easier, a number of tools are available that perform all these tasks automatically. There are expensive commercial solutions and free open source tools. While these tools were designed to make it easier for administrators to evaluate their security posture, they are a boon to the bad guys, too.

One open source tool has risen above the others (arguably including the commercial alternatives): Nessus. It can be downloaded from http://www.nessus.org. Nessus is free, manageable even by novice users, has clients for both Unix-based systems and Windows, and displays the data in an easy-to-understand format. It also suggests what measures to take to fix any listed problems. It should be noted that Nessus works with a client/server model and only a client is available for Windows systems. A server version exists, but it is a commercial solution from Tenable Security (http://www.tenablesecurity.com). Nessus also includes Nmap and provides additional reports on OS detection, what ports are currently open, and so forth. Nessus should not be implicitly trusted. False positives are a frequent occurrence and corroborating evidence is suggested before taking aggressive measures against any system.

Because Nessus is manageable even by new Linux users, it is often abused. As a result, Nessus probes and scans readily show up in Snort alerts. There are a variety of Snort signatures that detect a typical Nessus scan. These are normally classified as attempted-recon and as such fall under a classtype 2 categorization or have a Medium severity. Nessus scans are serious infractions and should be considered a potential threat. Just because they are classtype 2 does not mean the information gathered may not affect you later.

There are currently four different methods of downloading and installing Nessus. You can install directly from the web site, by running a local script, or you can build from source. Some distributions have precompiled binaries available. Refer to the documentation to determine which method suits your environment.

Once the program is installed and a certificate and user are added, start the Nessus daemon on the local server with the command:

                  # /usr/local/sbin/nessusd -D &

You will not need to reboot the machine upon starting this daemon. However, you should automate startup of the Nessus daemon on the local server after a reboot by placing this command on a line in the /etc/rc.d/rc.local file. Remember, the Nessus daemon must be running for the Nessus client to run. The client is typically run locally but can also be run on another system by connecting to the local daemon. Keep the Nessus application current with the latest plug-ins by running the command /usr/local/sbin/nessus-update-plugins. This command can be placed in a cron job and run nightly. Some users prefer doing this manually.

Start the Nessus client from the command line as a regular user (or by executing the Windows binary). You are warned that all dangerous plug-ins, or those that have the ability to crash a system, have been disabled. This is the suggested method of running Nessus initially. These dangerous plug-ins include checks that may cause a service or system to crash and should only be used as when downtime will not adversely affect your environment.

There are varying levels of testing available for use with the Nessus client. Before trying anything familiarize yourself with the available plug-ins, preferences, scan options, and target selection possibilities. Security scans can be customized to be extremely nonintrusive and last for several hours, or they can blast away at a network or a single box while employing all the local machine’s available CPU power and memory to run the scan.

Figure 4-2 is a sample screenshot of available plug-ins that can be enabled during a test scan. Note the checkboxes to the far-right of the listed plug-ins.

Figure 4-2. Enable or disable available plug-ins in Nessus depending on the type of scan

A typical network scan can include multiple servers or systems at the same time. The more machines you select to scan, however, the higher the CPU load on your system and the slower the results. A typical scan can also be run overnight to reduce the load on the system and minimize the effect on the target systems. When complete, the scan’s final results are displayed in a window much like that shown in Figure 4-3. Here you can burrow down into the findings and view the warnings, notes, or security holes detected by Nessus, along with recommended solutions.

Figure 4-3. Viewing the final Nessus report

Save the report when it’s done. It can be useful later when running follow-up scans. The report itself is saved in a variety of formats, including NBE (a proprietary Nessus format), NSR (an older deprecated Nessus style), XML, HTML, LaTeX, ASCII text, or even in HTML format with pies and graphs. The last option makes for clean presentations when you are presenting findings to an audience.

Since Nessus attempts hundreds of different checks against the target systems, it generates many alerts with a wide variety of signatures. Here is a sample of the Snort output from a Nessus scan:

[**] [1:1228:3] SCAN nmap XMAS [**]
[Classification: Attempted Information Leak] [Priority: 2] 
03/21-22:01:41.686864 192.168.1.105:33977 -> 192.168.1.100:134
TCP TTL:38 TOS:0x0 ID:1147 IpLen:20 DgmLen:60
**U*P**F Seq: 0xEB5E3384  Ack: 0x0  Win: 0xC00  TcpLen: 40  UrgPtr: 0x0
TCP Options (5) => WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL 
[Xref => http://www.whitehats.com/info/IDS30]

[**] [1:2385:3] NETBIOS SMB DCE/RPC NTLMSSP invalid mechlistMIC attempt [**]
[Classification: Attempted Denial of Service] [Priority: 2] 
03/21-22:01:47.771281 192.168.1.105:53857 -> 192.168.1.100:445
TCP TTL:64 TOS:0x0 ID:14271 IpLen:20 DgmLen:269 DF
***AP*** Seq: 0x737329C2  Ack: 0xF9186CC  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1654636883 34559859 
[Xref => http://www.securityfocus.com/bid/9635][Xref => http://www.securityfocus.com/
bid/9633][Xref => http://cgi.nes
sus.org/plugins/dump.php3?id=12054]

[**] [1:2251:4] NETBIOS DCERPC Remote Activation bind attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1] 
03/21-22:01:48.364347 192.168.1.105:53861 -> 192.168.1.100:135
TCP TTL:64 TOS:0x0 ID:14354 IpLen:20 DgmLen:256 DF
***AP*** Seq: 0x73FB71F0  Ack: 0x957540DC  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1654637476 0 
[Xref => http://www.microsoft.com/technet/security/bulletin/MS03-039.asp][Xref => 
http://cve.mitre.org/cgi-bin/cvenam
e.cgi?name=CAN-2003-0605][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-
2003-0528][Xref => http://cve.mit
re.org/cgi-bin/cvename.cgi?name=CAN-2003-0715]

Another network scanner of note is nikto, a web CGI probe that performs comprehensive tests against web servers for multiple vulnerabilities. This includes detecting over 2,200 potentially dangerous files or CGIs on over 140 servers and problems on over 210 servers. Written by Sullo, it superseded the Whisker application originally written by Rain Forest Puppy (or RFP), who decided to abandon development of Whisker in favor of nikto. This application uses the LibWhisker libraries from Rain Forest Puppy Labs (rfp.labs) or http://sourceforge.net/projects/whisker/ as a base for all network detection. Nikto is not an overly stealthy tool. It tests a web server in the shortest time span possible and its probes are readily apparent in the web server’s logfiles.

Snort can easily detect a nikto probe. There are entire categories of signatures that define web attack and web CGI rules. Nikto appears plainly in Snort alerts. The name “nikto” may not be obvious, but a flurry of web CGI alerts should show up in the Snort logs when a scan is run against the web servers.

Here are just a few of the possible alerts that can be generated in response to a Whisker- or nikto-based scan. These are all classified as miscellaneous web rules. A URL points to more information on identifying Whisker-based scans. Detecting such a scan almost always indicates that the early stages of an attack are underway.

web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-
MISC whisker HEAD/./"; flow:to_server,established; content:"HEAD/./"; classtype:
attempted-recon; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.
html; sid:1139;  rev:6;)
web-misc.rules:# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-M
ISC whisker HEAD with large datagram"; content:"HEAD"; offset: 0; depth: 4; nocase; 
dsize:>512; flow:to_server,established,no_stream; classtype:attempted-recon;
reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; sid:1171; rev:
7;)
web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-
MISC whisker space splice attack"; content:"|20|"; flow:to_server,established; dsize:
1; reference:arachnids,296; classtype:attempted-recon; reference:url,www.wiretrip.
net/rfp/pages/whitepapers/whiskerids.html; sid:1104;  rev:6;)
web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-
MISC whisker tab splice attack"; dsize: <5; flow:to_server,established; content: 
"|09|"; reference:arachnids,415; classtype:attempted-recon; reference:url,www.
wiretrip.net/rfp/pages/whitepapers/whiskerids.html; sid:1087; rev:6;)

Installing and running nikto is simple. Download the source code and uncompress it in a secure directory. Within the new nikto/ directory, run the nikto.pl Perl script. Be sure to define the target host with a -h <target> option. Here is how a sample command appears.

                  # ./nikto.pl -h www.mydomain.com

Refer to the help file for additional options you can tailor the scan for your environment to speed things up. Nikto can use an Nmap file as input and can generate output in several formats, including HTML.

Here are some sample results when nikto is run against an older Apache web server on a standard Linux machine. As you can see, there are several items that can and should be cleaned up.

                  # ./nikto.pl -h www.mydomain.com
-*** SSL support not available (see docs for SSL install instructions) ***
---------------------------------------------------------------------------
- Nikto 1.30/1.06     -     www.cirt.net
+ Target IP:       192.168.0.10
+ Target Hostname: www.mydomain.com
+ Target Port:     80
+ Start Time:      Sat Oct 11 08:17:36 2003
---------------------------------------------------------------------------
- Scan is dependent on "Server" string which can be faked, use -g to override
+ Server: Apache/1.3.26 (Unix) PHP/4.2.2
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, 
PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE
+ HTTP method 'PUT' method may allow clients to save files on the web server.
+ HTTP method 'CONNECT' may allow server to proxy client requests.
+ HTTP method 'DELETE' may allow clients to remove files on the web server.
+ HTTP method 'PROPFIND' may indicate DAV/WebDAV is installed. This may allow DAV 
authorized users to consume system memory via large requests or fill disk quotas.
+ HTTP method 'PROPPATCH' may indicate DAV/WebDAV is installed. This may allow DAV 
authorized users to consume system memory via large requests or fill disk quotas.
+ HTTP method 'TRACE' may allow client XSS or credential theft. See http://www.
cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details.
+ Apache/1.3.26 appears to be outdated (current is at least Apache/2.0.46). Apache 1.
3.27 is still widely used and considered secure.
+ PHP/4.2.2 appears to be outdated (current is at least PHP/4.3.0)
+ Apache/1.3.26 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow 
which allows attackers to kill any process on the system. CAN-2002-0839.
+ /~root - Enumeration of users is possible by requesting ~username (responds with 
Forbidden for real users, not found for non-existent users) (GET).
+ /icons/ - Directory indexing is enabled, it should only be enabled for specific 
directories (if required). If indexing is not used all, the /icons directory should 
be removed. (GET)
+ /index.html.en - Apache default foreign language file found. All default files 
should be removed from the web server as they may give an attacker additional system 
information. (GET)
+ /manual/images/ - Apache 2.0 directory indexing is enabled, it should only be
enabled for specific directories (if required). Apache's manual should be removed and 
directory indexing disabled. (GET)
+ / - TRACE option appears to allow XSS or credential theft. See http://www.
cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details (TRACE)
+ / - TRACK option ('TRACE' alias) appears to allow XSS or credential theft. See 
http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details (TRACK)
+ /manual/ - Web server manual? tsk tsk. (GET)
+ /test/ - This might be interesting... (GET)
+ 1632 items checked - 9 items found on remote host
+ End Time:        Sat Oct 11 08:17:59 2003 (23 seconds)
---------------------------------------------------------------------------

Some of the more obvious results are that both Apache and PHP should be updated to the latest version. The scan displays the most grievous security concerns and provides some suggested measures. The first line of the scan also indicates that there is no built-in secure socket layer (SSL) support in this version of nikto. Do not enable features you do not understand or that may be unnecessary. If the server your are scanning only supports SSL connections (port 443), consider running the scans through an open-source tool called SSL Proxy. There is also an older, alternative Whisker release that does support SSL at http://www.digitaloffense.net.

Several useful tools exist that have more esoteric results, duplicate the functionality of the tools we discussed earlier, or are more difficult to use. You are invited to investigate these tools at your leisure.

If during the Probe phase a username/password prompt for a particular service is discovered, an attacker can use a script (or one of several password grinding tools available) to start guessing passwords. The script can either brute-force the passwords of various lengths by trying all possible combinations or use a dictionary of potential passwords. Usernames are fairly easy to discover since email addresses are very often the same as usernames. Alternatively, many operating systems and services have default usernames that can be guessed. If the authentication mechanism behind the discovered username/password prompt does not lock accounts after a certain number of bad password guesses (Windows does not lock the built-in Administrator account by default), an attacker can take as long as is necessary to discover passwords. Even diligent administrators who enable intruder lockout protections in their environment can be defeated by a web-based interface that does not use the same protection when authenticating users. Even with these measures in place, you are just making it take longer to guess the passwords. A patient attacker will throttle the speed of the guessing so as to not trigger lockout.

Buffer overflows represent at least 50% of newly discovered vulnerabilities. Simply put (very simply... it can get complex), when an application is running, it allocates memory for the different information it needs to keep track of—names, addresses, phone numbers, costs, item names, and so on. Very often, applications ask the system or the user of the application for information to insert into these memory locations. If the application blindly accepts whatever the user (or system) provides, problems can result.

Let’s say that an application asks for your name. It allocates 20 characters in memory for this information. If the user provides more than this number of characters and the application does not check for that possibility, memory past the previously allocated 20 characters can be overwritten with the user’s information. If the user is very crafty and provides a character length that forces the application to overwrite portions of memory that the system uses to run other programs, it may be possible to trick the system into running whatever you want it to run. This could be a variety of things: instructions to install remote control software, return the contents of a directory, dump the username and password database, and so on. Anything you can put in a small chunk of code can be run using this technique.

Most buffer overflows result in a service or system crashing. The real art in crafting a successful buffer overflow is determining how many characters to insert before the malicious code to get the code to run. This length is commonly referred to as the offset.

This is a difficult category to define. When a developer designs an application, he does not always anticipate the ways the application may be tricked into doing other things that are not intended. A great example of this are the techniques that tricked Windows IIS web servers into running a command shell from the system directories using Unicode characters to represent a “dot-dot-slash.” In most operating systems, a “../” moves a command shell up a layer in the filesystem. By crafting a URL with these Unicode characters and sending it to a vulnerable web server, it was possible to trick the web server into jumping out of its web root directory and into the system directory. From the there the attacker could execute any of the system applications—including cmd.exe, the command shell. Once a command shell running under the context of the web server is available, anything is possible.

This is just one example and there are many like it that affect a wide range of applications and operating systems. Please don’t think I’m picking on Microsoft. Snort is well equipped to catch most of the known variations of this class of attack.

When a system is not configured according to industry-accepted best practices, security vulnerabilities can be exposed. If an account has a very poor password, it may be guessed, for example. If a firewall is misconfigured to allow dangerous ports through into the internal network, it may increase the chances of a successful attack against your environment. A fair number of Snort signatures catch some of this “low-hanging fruit.”

One consequence of not checking what information a user supplies to an application was discussed in Section 4.2.2.2, above. Other, equally dire, consequences can result from not validating a user’s input. A rule of thumb when attempting to write secure code is, “Never trust anything a user or other process tells you.”

One common technique for exploiting careless user input validation is called SQL Injection. Most (really useful) web pages are built from the data contained in a database. If a web page asks the user for input (including things like login credentials), it is possible to replace what the web page is looking for with SQL code that gets passed to the database server on the backend. If this is properly crafted, it can make the database dump data that the user would normally not have access to—sometimes sensitive business data. It is also possible to insert data into the database, thereby poisoning the database and making it impossible to trust. The inserted data could also be used to create a user and password with high privileges if the database is used for authentication.

There are several Snort signatures that watch for this variety of attack, as well.