Manuals / Force10 Networks / Computer Equipment / Network Card

Force10 Networks 100-00055-01 manual Support for Snorts within Keyword

Models: 100-00055-01

1 132

Download 132 pages 61.04 Kb

Page 72

Support for Snort's within Keyword

The start of the state machine is prompted by a SYN; state 1 is reached if a packet of length greater than 0 but less than 20 is detected; state 2 is reached if a packet of length 1 is received right after a SYN or a second packet of length greater than 0 but less than 20 is detected; the final state is reached if a packet of a length between 0 and 100 is seen. This state diagram was derived from observing common fragmentation evasion patterns; it seems to catch most of them. More complex state diagrams can also be devised at your discretion.

Table 22 TCP Packets with Anomalous Segmentation

alert on c0 tcp any any -> any any (msg:"Z Evasion: State 2 Fragment of size 1 "; dsize: 1; S:4; R:1; C:16;)

alert on c0 tcp any any -> any any (msg:"Z Evasion: State 1 First fragment of size 0 <> 20 = state 1"; dsize: 0 <> 20; S:4; R:1; C:8;)

alert on c0 tcp any any -> any any (msg:"Z Evasion: State 2 Second fragment of size 0 <> 20 = capture flow";

dsize: 0 <> 20; S:8; R:1; C:16;)

alert on c0 tcp any any -> any any (msg:"Z Evasion: State 3 Capture flow fragments of size 0 <> 100"; dsize: 0 <> 100; S:16; R:2; C:16;)

Support for Snort's within Keyword

Many buffer-overflow detection rules use a within keyword that verifies that an end-of-line character is received within a certain number of bytes from the start of the session.

If the within statement is for a large number of bytes, the check needs to be performed across TCP segments. In this case, several packets must be captured to find the end-of-line character (or whatever the character might be). For this reason, within statements capture the entire flow.

The within statements are translated by the PNIC-Compiler upon setting the S:32 and S:64 bits. This causes two rules to trigger the capturing of TCP and UDP flows.

Table 23 shows two rules which trigger the capturing of TCP and UDP flows.

Table 23 Capturing TCP and UDP Flows

alert on c0 tcp any any -> any any (msg:"Z TCP within was issued previously for this flow = capture flow"; S:32; R:2; C:32;)

alert on c0 udp any any -> any any (msg:"Z UDP within was issued previously for this stream = capture stream"; S:64; R:2; C:64;)

72	Writing Rules

Image 72

Force10 Networks 100-00055-01 manual Support for Snorts within Keyword

Contents

P-Series Installation and Operation Guide VersionMay 27 Copyright 2008 Force10 Networks TrademarksStatement of Conditions USA Federal Communications Commission FCC StatementContents ContentsInstallation PrefaceCommand Line Interface Graphical User InterfaceChapter Web-based ManagementCommand Line Reference Basic Unix CommandsCompiling Rules Writing RulesAppendix E GlossaryAppendix F Technical SupportPreface About this GuideObjectives AudienceInformation Symbols Related DocumentsAdditional Resources P-Series Release NotesInstallation ChapterSystem Specifications Physical ConnectionsPB-10GE-2P Step Task Booting ConfigurationSecurity Check Upgrading Softwaremkdir ~/upgradedirectory filename ~/upgradedirectorycd upgradedirectory scp username@serverabsolutepathCommand cd upgradedirectory/pnic-compilercd upgradedirectory/firmware gmake installReturning to the Default Configuration Getting StartedChapter To begin inspecting and filtering traffic you mustGetting Started Introduction Hardware Architecture OverviewChapter Types of Rules Sample Rules and FirmwareRule Management Deploying the P-SeriesFirewall Deployment” on page Inline Deployment Fail-safe Deployment10-Gigabit Optical Bypass 10-GigabitHighly-available Deployment Passive DeploymentP1P0 10-GigabitCapturing Matched Traffic Network Switch with SPAN portNetwork Tap 10-Gigabit 10-Gigabit P-Series P10Capturing to a Host CPU Mirroring to Another Device PB-10GE-2PM1 P1 P0 M0 Traffic to MonitorChapter 4 Graphical User Interface GUI Commands Command DescriptionManaging Rules, Policies, and Firmware PNIC0 Not ActiveEditing Dynamic Rules with the GUI directory see “Editing Dynamic Rules with the GUI” on pageGUI” on page To manage firmware, see “Selecting Firmware with the GUI” on pageManaging Capture/Forward Policies with the GUI To modify dynamic rulesTo change capture/forward policies Selecting Firmware with the GUI fn9000013fn9000014 Runtime Statistics Figure 19 Runtime Statistics for Channel 0 and 1-FPGA Loaded Graphical User InterfaceReloading Firmware Graphical User Interface Chapter 5 Web-based Management Launching the P-Series Node ManagerTo launch the P-Series Node Manager Figure 21 Lauching the P-Series Node Manager Web-based ManagementManaging the P-Series using Node Manager Web-browser Security CertificatesMonitoring System Performance on page Managing Firmware Images on pageMonitoring System Performance Managing Firmware Images Managing the Network Interface CardFigure 25 P-Series Node Manager Card Management Panel Web-based ManagementManaging Policies Figure 26 P-Series Node Manager Policy Managment Panel Web-based ManagementChapter 6 Network Security Monitoring P-Series SensorsSguil Server Sguil ClientInstalling the Sguil System Installing the Sguil SensorInstalling the Sguil Server Hardware and Software RequirementsInstalling the Sguil Client Uninstalling the Sguil ServerWireshark Installation Files # win32 example set TLSPATH c/progra~1/Tcl/lib/tls1.4.1/tls14.dllRunning the Sguil System Running the Sguil SensorWriting New Rules Running the Sguil Server Running the Sguil Client To run the Sguil Clientfn90028mp fn90027mpChapter 7 Command Line Interface CLI CommandsCLI commands are given in Command Line Reference on page Editing Dynamic Rules with the CLIIn Figure To enable MAC rewritingRemoving VLAN Tags Command Line Interface Compiling Rules Creating Rules FilesRules Capacity Compiling RulesTarget Device Match non-IP Trafficpage 3 Match Fragmented IPv4 Packets or IPv4 Packets w/ OptionsSegmentation Evasion Rules see Figure 36 on pageMaximum String see Figure 37 on pageEnter command gmake from pnic-compiler directory P-Series Installation and Operation Guide, version Figure 36 pnic-Compiler OptionSummary of configuration Starting and Stopping the pnic-CompilerConfiguration and Generated Files which the .bit files in /usr/local/pnic/0 areto which the .mapping files in /usr/local/pnic Compiler Errors Firmware FilenamesWriting Rules Snort Rule SyntaxSnort Rule Headers ActionProtocol Source AddressesPorts Direction OperatorP-Series Rule Syntax P-Series Supported Snort KeywordsSnort Rule Options Destination Address and PortKeyword StaticDynamic protocolWriting Stateful Rules Stateful MatchingEquation ∧ si= si ⎬ then cpiStateful Rule Examples In TableSupport for Snorts flow Keyword Handling Segmentation EvasionThe meta.rules File Support for Snorts within Keyword Anomalous TCP Flags Writing Rules Firewall Deploying the P-Series as a FirewallChapter Enabling the Firewall Drop mode Disabled Drop mode EnabledVerify Drop mode is Enabled Figure 39 Enabling and Disabling Drop ModeAllowing Traffic through the Firewall Writing Rules for a Firewall Deployment#permit let through and do not log to the host Appendix A Command Line Reference pnic aggregate-mode-disable on pagepnic aggregate-mode-enable on page pnic apply-firmware on page pnic default-drop-disable on page pnic default-drop-enable on pagepnic aggregate-mode-disable pnic temp-mem-disable on page pnic temp-mem-enable on pagepnic updatemacvalue on page pnic vlan-remove-disable on page pnic vlan-remove-enable on page pnic web-gui-start on pagepnic aggregate-mode-enable pnic apply-firmwareParameters Command History Example Commandspnic show-firmwares Display the available firmwarepnic capture-off pnic capture-onEnable the capturing of packets via direct memory access Syntax Parameters Command History Examplepnic cardstatus CommandsSyntax Parameters Command History Example Commandspnic default-drop-disable pnic compilerulespnic default-drop-enable Temporary memory is disabled while the firewall is enabledpnic diag Parameters Command History ExampleParameters Command History Example Usage InformationVersion PMAIN2.3.0.014 root@localhost SW# pnic flow-teardown-disable pnic flow-teardown-enablepnic flow-teardown-disable pnic flow-teardown-enablepnic getmachashindex value for an IP address pairspnic gui Enable MAC rewritingDisable MAC rewriting pnic updatemacvaluepnic gui Command Example P-Series Installation and Operation Guide, versionExample pnic help Syntax Command History Examplepnic help output omittedpnic linkdown pnic linkupSyntax Parameters Command History Example Commandspnic loadconf Parameters Command History ExampleCommands Syntax Parameters Command HistoryAddress Corresponding Parameterpnic loadeproms pnic loadparams deprecatedpnic loadeproms number pnic loadparams numberAddress Corresponding Parameterpnic loadrules Command History Example Usage InformationSyntax Parameters pnic macrewrite-off pnic macrewrite-onpnic off deprecated Syntax pnic offpnic on deprecated Usage Information Related CommandsSyntax Parameters Command History Example pnic on deprecatedpnic passive-mode-disable pnic paramspnic passive-mode-enable pnic passive-mode-enableCommand Commandspnic resetconf pnic restartSyntax Parameters Command History Example Stop capturing and matchingpnic sguil-sensor-start Disable the network interfaceEnable the network interface Syntax Command History ExampleStop the Sguil sensor using the command pnic sguil-sensor-stop Syntax Parameters Command History ExampleCommands pnic sguil-sensor-start -fpnic sguil-sensor-stop Syntax Parameters Command History ExampleCommands pnic sguil-sensor-start Start the Sguil sensorpnic showconf pnic show-firmwaresSyntax Parameters Command History Example Commandspnic showtech Command History ExampleCommands Syntax Parameters Command Historypnic start Load the capture/block configuration Load the runtime parametersEnable the network interface Disable the network interface using the command pnic stoppnic stop Enable the network interfaceCommands Syntax Parameters Command History Examplepnic temp-mem-disable pnic temp-mem-enablepnic updatemacvalue Use this command with the MAC rewrite featurepnic temp-mem-disable Enable MAC rewritingpnic vlan-remove-disable pnic vlan-remove-enablepnic vlan-remove-disable pnic vlan-remove-enablepnic version pnic web-gui-startDisable the web server using the command pnic web-gui-stop Display the driver versionEnable the web server using the command pnic web-gui-start pnic web-gui-stopCommands CommandCommands pnic web-gui-startExample RelatedAppendix A Appendix B Snort Keywordsack number dsize number numberKeyword uricontent ! “datastring” KeywordDescription Rule SyntaxAppendix B Appendix C Meta and Evasion Rules meta RulesEvasion Rules Appendix C Appendix D Basic Unix Commands Unix CommandsCommand Descriptionvi Commands CommandDescription ? textAppendix E GlossarySnort SPAN PortState Static RulesAccessing iSupport Services Appendix FTechnical Support Manual PagesContacting the Technical Assistance Center Locating P-Series Serial NumbersSerial Number see Locating P-Series Serial Numbers on page Requesting a Hardware Replacement To request replacement hardware, follow these stepsTechnical Support