Support for Snorts flow Keyword | Force10 Networks 100-00055-01

You can inspect Signatures 4, 5, and 6, and verify that they trigger a match and place a packet in Match Memory — thus alerting the host — if three consecutive packets are seen with size between 0 and 100. The third packet references the previous two stored in Temporary Memory. Thus, once the third packet is received, the three segments are presented to the host through the DPI network interface. Notice that the bit pattern used in the two rules avoids collision with the previous rule if the flow hashing also happens to collide.

The meta.rules File

The meta.rules file — located in the pnic-compiler/rulesdirectory — specifies a number of stateful rules to be used with standard Snort rules (which use the Flow keyword). In addition, these rules implement a stateful mechanism to circumvent some common forms of TCP IDS evasion. The meta rules are given in Appendix C, on page 123.

Support for Snort's flow Keyword

The two stateful rules in Table 21 initiate a new flow if a SYN or a SYN-ACKare seen. A Snort flow- established keyword is translated to S:4 and S:2 for client-to-server and server-to-client flows, respectively. These keywords are automatically inserted by the PNIC-Compiler when a flow-established keyword is encountered during compilation. You can also insert the keywords directly into your rules.

Table 21 Flow Established Rules

alert tcp any any -> any any (msg:"Z SYN"; flags:S,12; S:1; R:2; C:3;) alert tcp any any -> any any (msg:"Z SYNACK"; flags:SA; S:1; R:2; C:5;)

Handling Segmentation Evasion

Tools like fragroute or Nessus are used to fragment the packet payload in several TCP segments in order to evade packet-based signature systems. The stateful rules in Table 22 detect the arrival of packets exhibiting an anomalous use of TCP segmentation.

P-Series Installation and Operation Guide, version 2.3.1.2

71

Image 71

Force10 Networks 100-00055-01 manual Support for Snorts flow Keyword, Handling Segmentation Evasion

Contents

Series Installation and Operation Guide Copyright 2008 Force10 Networks Contents Graphical User Interface Contents Command Line Reference Glossary Convention Description Keyword ObjectivesAudience Conventions Additional Resources Information SymbolsSymbol Warning Description Related Documents This LED is not used This LED is blue when the hard disk is accessedThis LED is green when the power is on Label Description PB-10GE-2P System SpecificationsPhysical Connections Step Task Security Check BootingConfiguration Once the appliance is booted Cd SW Gmake installCp -Rf /usr/local/pnic/ /home Tar xvzf PTPS-PMAIN Located in the directory pnic-compiler Cd upgradedirectory/pnic-compilerInstall pre-compiled firmware if needed Re-compile all rules firmware with the new compiler Chapter Getting Started Returning to the Default Configuration Getting Started Hardware Architecture Overview Chapter Introduction Introduction Types of RulesSample Rules and Firmware Rx1 Tx1 Mirror Rule Set Description Rule ManagementDeploying the P-Series Sample Rules Files Fail-safe Deployment Inline Deployment Passive Deployment Highly-available Deployment Series supports capturing matched traffic for analysis Capturing Matched Traffic Capturing Matched Traffic via the libpcap Interface Capturing to a Host CPU Creating an IDS Accelerator with the P-Series Mirroring to Another Device Graphical User Interface Invoke the GUI by entering the command pnic gui Command Description GUI CommandsGUI Commands Rule Management GUI Managing Rules, Policies, and Firmware Permit Deny Editing Dynamic Rules with the GUIOption Description Policy Capture To modify dynamic rules Managing Capture/Forward Policies with the GUI Managing Capture/Forward Policies GUI Selecting Firmware with the GUI Select Manage Firmware see Figure Runtime StatisticsTo select firmware Runtime Statistics for Channel 0 and 1-FPGA Loaded Statistic Description Reloading FirmwareRuntime Statistics Description Graphical User Interface Launching the P-Series Node Manager Web-based Management Lauching the P-Series Node Manager Web-based Management Series Node Manager has four major management capabilities Managing the P-Series using Node ManagerWeb-browser Security Certificates Series Node Manager Home Panel Web-based Management Monitoring System Performance Managing the Network Interface Card Managing Firmware ImagesPage Managing Policies Page Network Security Monitoring Installing the Sguil Server Installing the Sguil SystemInstalling the Sguil Sensor Wish Installing the Sguil ClientTo uninstall the server Source the server configuration file. The default Server Installation FilesSguil Files and Directories File Location Sensor Running the Sguil Sensor Running the Sguil System Task Script Running the Sguil Server To run the Sguil Client Running the Sguil Client Selecting the Sensor to Monitor Change directories to /usr/local/pnic/0 CLI CommandsEditing Dynamic Rules with the CLI MAC Rewriting Rewriting Destination MAC Addresses to Load Balance Command Line Interface Removing Vlan Tags Command Line Interface To complile rules Creating Rules FilesRules Capacity Compiling Rules Compilation Option Description Positives Content matching Enter command gmake from pnic-compilerdirectory Pnic-Compiler Option Starting and Stopping the pnic-Compiler Summary of configuration File Description Location Configuration and Generated FilesConfiguration and Generated Files Firmware Filename Description Compiler ErrorsFirmware Filenames Describes each of the elements in this format Snort Rule Syntax Snort Rule SyntaxSnort Rule Headers Protocol Ports Keyword Static Dynamic Series Rule SyntaxSeries Supported Snort Keywords Snort Rule Options Yes Yes, no ranges Seq YesYes Only /8/16/24/32 masks Stateful Matching Writing Stateful Rules Pre-match Condition the S Value Stateful Rule Examples Handling Segmentation Evasion Support for Snorts flow Keyword Support for Snorts within Keyword Anomalous TCP Flags Writing Rules Deploying the P-Series as a Firewall Chapter Firewall Firewall Enabling the Firewall Writing Rules for a Firewall Deployment Allowing Traffic through the Firewall Sample Firewall Rules Appendix a Command Line Reference Appendix a Pnic aggregate-mode-disablePnic aggregate-mode-disable number Pnic apply-firmware Pnic aggregate-mode-enablePnic aggregate-mode-enable number Different ports. This is the default behavior Display the available firmware Pnic apply-firmware Command Example Syntax pnic capture-on Pnic capture-offPnic capture-on Pnic capture-off Display the driver version Display the configuration parameters of the systemPnic cardstatus Pnic cardstatus number Pnic compilerules number Pnic default-drop-disablePnic default-drop-disable number Pnic compilerules Pnic diag Pnic default-drop-enableEnable firewall functionality Run diagnostic tests on the card Example pnic diag Command Example Pnic diag Command Example Pnic flow-teardown-enable Pnic flow-teardown-disablePnic flow-teardown-enable Pnic flow-teardown-disable Pnic getmachashindex number Example pnic flow-teardown-enable Command ExamplePnic getmachashindex Syntax pnic gui Pnic guiLaunch the graphical user interface Pnic gui Command Example Pnic help Pnic help Pnic linkup Pnic linkdown Pnic loadconf number Pnic loadconf Address Corresponding Parameter Pnic loadconf Address Mapping Pnic loadeproms number Pnic loadepromsPnic loadparams deprecated Load the PCI-X and front-end EEPROMs Loadparams Address Mapping Pnic loadparams Command Example Pnic loadrules channel Pnic loadrules Pnic macrewrite-off Disable MAC rewriting. This is the default behaviorEnable MAC rewriting using the command pnic macrewrite-on Disable MAC rewriting using the command pnic macrewrite-off 100 Appendix a Pnic off deprecatedSyntax pnic off Pnic on Example pnic off Command ExampleEnable the capturing of packets via direct memory access Pnic on deprecated Pnic params number Pnic passive-mode-disableSyntax pnic passive-mode-disable number Pnic params Configure the ports to only receive traffic Pnic passive-mode-enableConfigure the ports to only receive traffic Example pnic passive-mode-disable Command Example Stop capturing and matching Pnic resetconfPnic resetconf number Pnic restart Pnic restart Series Installation and Operation Guide, version 105Pnic sguil-sensor-start Start the Sguil sensor Pnic sguil-sensor-start -f Pnic sguil-sensor-stop -f Series Installation and Operation Guide, version 107Pnic sguil-sensor-stop Stop the Sguil sensor List the available firmware images Display configuration parameters of the cardPnic showconf Pnic show-firmwares Pnic showtech number filename.dat Series Installation and Operation Guide, version 109Pnic showtech Apply a specific firmware to the card Pnic start number Disable the network interface using the command pnic stopExample pnic showtech Command Example Pnic start Pnic stop Turn off capture and disable the network interfaceEnable the network interface using the command pnic start Disable the network interface Enable temporary memory. This is the default behavior Pnic temp-mem-disablePnic temp-mem-enable Disable temporary memory Specifies an LSB value for a particular hash index Pnic updatemacvalueDisable temporary memory Pnic updatemacvalue number Vlan Tag Remove feature is disabled by default Pnic vlan-remove-disablePnic vlan-remove-enable Disable the Vlan Tag Remove feature Display the driver version Disable the web server using the command pnic web-gui-stopPnic version Pnic web-gui-start Pnic web-gui-stop -f Pnic web-gui-stopStop the web server Stop the web server Start the web server Series Installation and Operation Guide, version 117 118 Appendix a Flags!*+ FSRPAU120 Description of P-Series Snort KeywordsKeyword Description Rule Syntax Ack Checks for a specific TCP acknowledgment number Ipproto ! name number Flow establishedstatelessIcmp idnumber Icmp seq number Ttl This keyword checks for the specified IP time-to-live Uricontent ! datastring 122 Appendix B Evasion Rules Meta Rules for Channel 0 and ChannelMeta Rules 124 Appendix C Pwd Unix CommandsLogout Passwd Number Vi Commands? text Set number no Collection Dynamic RulesFlow Garbage Static Rules SnortSpan Port State ISupport Website Accessing iSupport ServicesSeries Installation and Operation Guide, version 129 Manual Pages Locating P-Series Serial Numbers Contacting the Technical Assistance Center To request replacement hardware, follow these steps Requesting a Hardware Replacement 132 Technical Support