Support for Snorts within Keyword | Force10 Networks 100-00055-01

The start of the state machine is prompted by a SYN; state 1 is reached if a packet of length greater than 0 but less than 20 is detected; state 2 is reached if a packet of length 1 is received right after a SYN or a second packet of length greater than 0 but less than 20 is detected; the final state is reached if a packet of a length between 0 and 100 is seen. This state diagram was derived from observing common fragmentation evasion patterns; it seems to catch most of them. More complex state diagrams can also be devised at your discretion.

Table 22 TCP Packets with Anomalous Segmentation

alert on c0 tcp any any -> any any (msg:"Z Evasion: State 2 Fragment of size 1 "; dsize: 1; S:4; R:1; C:16;)

alert on c0 tcp any any -> any any (msg:"Z Evasion: State 1 First fragment of size 0 <> 20 = state 1"; dsize: 0 <> 20; S:4; R:1; C:8;)

alert on c0 tcp any any -> any any (msg:"Z Evasion: State 2 Second fragment of size 0 <> 20 = capture flow";

dsize: 0 <> 20; S:8; R:1; C:16;)

alert on c0 tcp any any -> any any (msg:"Z Evasion: State 3 Capture flow fragments of size 0 <> 100"; dsize: 0 <> 100; S:16; R:2; C:16;)

Support for Snort's within Keyword

Many buffer-overflow detection rules use a within keyword that verifies that an end-of-line character is received within a certain number of bytes from the start of the session.

If the within statement is for a large number of bytes, the check needs to be performed across TCP segments. In this case, several packets must be captured to find the end-of-line character (or whatever the character might be). For this reason, within statements capture the entire flow.

The within statements are translated by the PNIC-Compiler upon setting the S:32 and S:64 bits. This causes two rules to trigger the capturing of TCP and UDP flows.

Table 23 shows two rules which trigger the capturing of TCP and UDP flows.

Table 23 Capturing TCP and UDP Flows

alert on c0 tcp any any -> any any (msg:"Z TCP within was issued previously for this flow = capture flow"; S:32; R:2; C:32;)

alert on c0 udp any any -> any any (msg:"Z UDP within was issued previously for this stream = capture stream"; S:64; R:2; C:64;)

72	Writing Rules

Image 72

Force10 Networks 100-00055-01 manual Support for Snorts within Keyword

Contents

Series Installation and Operation Guide Copyright 2008 Force10 Networks Contents Contents Graphical User Interface Command Line Reference Glossary Objectives AudienceConventions Convention Description Keyword Information Symbols Symbol Warning DescriptionRelated Documents Additional Resources This LED is blue when the hard disk is accessed This LED is green when the power is onLabel Description This LED is not used System Specifications Physical ConnectionsPB-10GE-2P Step Task Booting ConfigurationOnce the appliance is booted Security Check Gmake install Cp -Rf /usr/local/pnic/ /homeTar xvzf PTPS-PMAIN Cd SW Cd upgradedirectory/pnic-compiler Install pre-compiled firmware if neededRe-compile all rules firmware with the new compiler Located in the directory pnic-compiler Returning to the Default Configuration Chapter Getting Started Getting Started Chapter Introduction Hardware Architecture Overview Types of Rules Sample Rules and FirmwareRx1 Tx1 Mirror Introduction Rule Management Deploying the P-SeriesSample Rules Files Rule Set Description Inline Deployment Fail-safe Deployment Highly-available Deployment Passive Deployment Capturing Matched Traffic Series supports capturing matched traffic for analysis Capturing to a Host CPU Capturing Matched Traffic via the libpcap Interface Mirroring to Another Device Creating an IDS Accelerator with the P-Series Invoke the GUI by entering the command pnic gui Graphical User Interface GUI Commands GUI CommandsCommand Description Managing Rules, Policies, and Firmware Rule Management GUI Editing Dynamic Rules with the GUI Option DescriptionPolicy Capture Permit Deny Managing Capture/Forward Policies with the GUI To modify dynamic rules Selecting Firmware with the GUI Managing Capture/Forward Policies GUI Runtime Statistics To select firmwareSelect Manage Firmware see Figure Runtime Statistics for Channel 0 and 1-FPGA Loaded Reloading Firmware Runtime Statistics DescriptionStatistic Description Graphical User Interface Web-based Management Launching the P-Series Node Manager Lauching the P-Series Node Manager Web-based Management Managing the P-Series using Node Manager Web-browser Security CertificatesSeries Node Manager has four major management capabilities Monitoring System Performance Series Node Manager Home Panel Web-based Management Managing Firmware Images Managing the Network Interface CardPage Managing Policies Page Network Security Monitoring Installing the Sguil System Installing the Sguil SensorInstalling the Sguil Server Installing the Sguil Client To uninstall the serverSource the server configuration file. The default Wish Installation Files Sguil Files and DirectoriesFile Location Sensor Server Running the Sguil System Running the Sguil Sensor Running the Sguil Server Task Script Running the Sguil Client To run the Sguil Client Selecting the Sensor to Monitor CLI Commands Editing Dynamic Rules with the CLIMAC Rewriting Change directories to /usr/local/pnic/0 Command Line Interface Rewriting Destination MAC Addresses to Load Balance Removing Vlan Tags Command Line Interface Creating Rules Files Rules CapacityCompiling Rules To complile rules Compilation Option Description Content matching Positives Enter command gmake from pnic-compilerdirectory Pnic-Compiler Option Summary of configuration Starting and Stopping the pnic-Compiler Configuration and Generated Files Configuration and Generated FilesFile Description Location Compiler Errors Firmware FilenamesDescribes each of the elements in this format Firmware Filename Description Snort Rule Syntax Snort Rule HeadersSnort Rule Syntax Protocol Ports Series Rule Syntax Series Supported Snort KeywordsSnort Rule Options Keyword Static Dynamic Seq Yes Yes Only /8/16/24/32 masksYes Yes, no ranges Writing Stateful Rules Stateful Matching Pre-match Condition the S Value Stateful Rule Examples Support for Snorts flow Keyword Handling Segmentation Evasion Support for Snorts within Keyword Anomalous TCP Flags Writing Rules Chapter Firewall Deploying the P-Series as a Firewall Enabling the Firewall Firewall Allowing Traffic through the Firewall Writing Rules for a Firewall Deployment Sample Firewall Rules Appendix a Command Line Reference Pnic aggregate-mode-disable Pnic aggregate-mode-disable numberAppendix a Pnic aggregate-mode-enable Pnic aggregate-mode-enable numberDifferent ports. This is the default behavior Pnic apply-firmware Pnic apply-firmware Command Example Display the available firmware Pnic capture-off Pnic capture-onPnic capture-off Syntax pnic capture-on Display the configuration parameters of the system Pnic cardstatusPnic cardstatus number Display the driver version Pnic default-drop-disable Pnic default-drop-disable numberPnic compilerules Pnic compilerules number Pnic default-drop-enable Enable firewall functionalityRun diagnostic tests on the card Pnic diag Pnic diag Command Example Example pnic diag Command Example Pnic flow-teardown-disable Pnic flow-teardown-enablePnic flow-teardown-disable Pnic flow-teardown-enable Example pnic flow-teardown-enable Command Example Pnic getmachashindexPnic getmachashindex number Pnic gui Launch the graphical user interfaceSyntax pnic gui Pnic gui Command Example Pnic help Pnic help Pnic linkdown Pnic linkup Pnic loadconf Pnic loadconf number Pnic loadconf Address Mapping Address Corresponding Parameter Pnic loadeproms Pnic loadparams deprecatedLoad the PCI-X and front-end EEPROMs Pnic loadeproms number Pnic loadparams Command Example Loadparams Address Mapping Pnic loadrules Pnic loadrules channel Disable MAC rewriting. This is the default behavior Enable MAC rewriting using the command pnic macrewrite-onDisable MAC rewriting using the command pnic macrewrite-off Pnic macrewrite-off Pnic off deprecated Syntax pnic off100 Appendix a Example pnic off Command Example Enable the capturing of packets via direct memory accessPnic on deprecated Pnic on Pnic passive-mode-disable Syntax pnic passive-mode-disable numberPnic params Pnic params number Pnic passive-mode-enable Configure the ports to only receive trafficExample pnic passive-mode-disable Command Example Configure the ports to only receive traffic Pnic resetconf Pnic resetconf numberPnic restart Stop capturing and matching Series Installation and Operation Guide, version 105 Pnic sguil-sensor-startStart the Sguil sensor Pnic restart Pnic sguil-sensor-start -f Series Installation and Operation Guide, version 107 Pnic sguil-sensor-stopStop the Sguil sensor Pnic sguil-sensor-stop -f Display configuration parameters of the card Pnic showconfPnic show-firmwares List the available firmware images Series Installation and Operation Guide, version 109 Pnic showtechApply a specific firmware to the card Pnic showtech number filename.dat Disable the network interface using the command pnic stop Example pnic showtech Command ExamplePnic start Pnic start number Turn off capture and disable the network interface Enable the network interface using the command pnic startDisable the network interface Pnic stop Pnic temp-mem-disable Pnic temp-mem-enableDisable temporary memory Enable temporary memory. This is the default behavior Pnic updatemacvalue Disable temporary memoryPnic updatemacvalue number Specifies an LSB value for a particular hash index Pnic vlan-remove-disable Pnic vlan-remove-enableDisable the Vlan Tag Remove feature Vlan Tag Remove feature is disabled by default Disable the web server using the command pnic web-gui-stop Pnic versionPnic web-gui-start Display the driver version Pnic web-gui-stop Stop the web serverStop the web server Pnic web-gui-stop -f Series Installation and Operation Guide, version 117 Start the web server 118 Appendix a Description of P-Series Snort Keywords Keyword Description Rule SyntaxAck Checks for a specific TCP acknowledgment number Flags!*+ FSRPAU120 Flow establishedstateless Icmp idnumberIcmp seq number Ipproto ! name number Uricontent ! datastring Ttl This keyword checks for the specified IP time-to-live 122 Appendix B Meta Rules for Channel 0 and Channel Meta RulesEvasion Rules 124 Appendix C Unix Commands LogoutPasswd Pwd Vi Commands ? textSet number no Number Dynamic Rules FlowGarbage Collection Snort Span PortState Static Rules Accessing iSupport Services Series Installation and Operation Guide, version 129Manual Pages ISupport Website Contacting the Technical Assistance Center Locating P-Series Serial Numbers Requesting a Hardware Replacement To request replacement hardware, follow these steps 132 Technical Support