snort_manual.tex

This is the snapshot of Snot Latest Rules

\hline
\texttt{disable\_tcpopt\_obsolete\_\linebreak alerts} & \texttt{config disable\_tcpopt\_obsole\linebreak te\_alerts} & Turns off alerts generated by obsolete TCP options. \\
\hline
\texttt{disable\_tcpopt\_ttcp\_alerts} & \texttt{config disable\_tcpopt\_ttcp\_alerts} & Turns off alerts generated by T/TCP options. \\
\hline
\texttt{disable\_ttcp\_alerts} & \texttt{config disable\_ttcp\_alerts} & Turns off alerts generated by T/TCP options. \\
\hline
\texttt{dump\_chars\_only} & \texttt{config dump\_chars\_only} & Turns on character dumps (\texttt{snort -C}). \\
\hline
\texttt{dump\_payload} & \texttt{config dump\_payload} & Dumps application layer (\texttt{snort -d}). \\
\hline
\texttt{dump\_payload\_verbose} & \texttt{config dump\_payload\_verbose} & Dumps raw packet starting at link layer (\texttt{snort -X}). \\
\hline
\texttt{enable\_decode\_drops} & \texttt{config enable\_decode\_drops} & Enables the dropping of
bad packets identified by decoder (only applicable in inline mode).\\
\hline
\texttt{enable\_decode\_oversized\_\linebreak alerts} & \texttt{config enable\_decode\_oversized\_\linebreak alerts} & Enable alerting on packets that have headers containing length fields for which the value is greater than the length of the packet. \\
\hline
\texttt{enable\_decode\_oversized\_drops} & \texttt{config enable\_decode\_oversized\_\linebreak drops} & Enable dropping packets that have headers containing length fields for which the value is greater than the length of the packet.  \texttt{enable\_decode\_oversized\_alerts} must also be enabled for this to be effective (only applicable in inline mode). \\
\hline
\texttt{enable\_ipopt\_drops} &  \texttt{config enable\_ipopt\_drops} & Enables the dropping of bad packets with bad/truncated IP options (only applicable in inline mode).\\
\hline
\texttt{enable\_tcpopt\_drops} & \texttt{config enable\_tcpopt\_drops} & Enables the dropping of bad packets with bad/truncated TCP option (only applicable in inline mode).\\
\hline
\texttt{enable\_tcpopt\_experimental\_\linebreak drops} & \texttt{config enable\_tcpopt\_experi\linebreak mental\_drops} & Enables the dropping of bad packets with experimental TCP option.  (only applicable in inline mode).\\
\hline
\texttt{enable\_tcpopt\_obsolete\_\linebreak drops} & \texttt{config enable\_tcpopt\_obsole\linebreak te\_drops} & Enables the dropping of bad packets with obsolete TCP option.  (only applicable in inline mode).\\
\hline
\texttt{enable\_tcpopt\_ttcp\_drops} & \texttt{enable\_tcpopt\_ttcp\_drops} & Enables the dropping of bad packets with T/TCP option. (only applicable in inline mode).\\
\hline
\texttt{enable\_ttcp\_drops} & \texttt{enable\_ttcp\_drops} & Enables the dropping of bad packets with T/TCP option. (only applicable in inline mode).\\
\hline
\texttt{event\_queue} & \texttt{config event\_queue: max\_queue 512 log 100 order\_events priority} &  
Specifies conditions about Snort's event queue. You can use the following options:
\begin{itemize}
\item \texttt{max\_queue $<$integer$>$} (max events supported)
\item \texttt{log $<$integer$>$} (number of events to log) 
\item \texttt{order\_events [priority$|$content\_length]} (how to order events within the queue)
\end{itemize}
See Section \ref{eventqueue} for more information and examples.\\
% XXX - NEED MORE HERE!!!
\hline
\texttt{flexresp2\_attempts} & \texttt{config flexresp2\_attempts: 15} & Specify the number of TCP reset packets to send to the source of the attack.  Valid values are 0 to 20, however values less than 4 will default to 4.  The default value without this option is 4.  (Snort must be compiled with --enable-flexresp2) \\
\hline
\texttt{flexresp2\_interface} & \texttt{config flexresp2\_interface: eth0} & Specify the response interface to use.  In Windows this can also be the interface number.  (Snort must be compiled with --enable-flexresp2) \\
\hline
\texttt{flexresp2\_memcap} & \texttt{config flexresp2\_memcap: 100000} & Specify the memcap for the hash table used to track the time of responses.  The times (hashed on a socket pair plus protocol) are used to limit sending a response to the same half of a socket pair every couple of seconds.  Default is 1048576 bytes.  (Snort must be compiled with --enable-flexresp2) \\
\hline
\texttt{flexresp2\_rows} & \texttt{config flexresp2\_rows: 2048} & Specify the number of rows for the hash table used to track the time of responses.  Default is 1024 rows.  (Snort must be compiled with --enable-flexresp2) \\
\hline
\texttt{flowbits\_size} & \texttt{config flowbits\_size: 128} & Specifies the maximum number of flowbit tags that can be used within a rule set.\\
\hline
\texttt{ignore\_ports} & \texttt{config ignore\_ports: udp 1:17 53} & Specifies ports to ignore (useful for ignoring noisy NFS traffic). Specify the protocol (TCP, UDP, IP, or ICMP), followed by a list of ports. Port ranges are supported.\\
\hline
\texttt{interface} & \texttt{config interface: xl0} & Sets the network interface (\texttt{snort -i}). \\
\hline
\texttt{ipv6\_frag} & \texttt{config ipv6\_frag: bsd\_icmp\_frag\_alert off, bad\_ipv6\_frag\_alert off, frag\_timeout 120, max\_frag\_sessions 100000} &
The following options can be used:
\begin{itemize}
\item \texttt{bsd\_icmp\_frag\_alert on|off} (Specify whether or not to alert. Default is on)
\item \texttt{bad\_ipv6\_frag\_alert on|off} (Specify whether or not to alert. Default is on)
\item \texttt{frag\_timeout $<$integer$>$} (Specify amount of time in seconds to timeout first frag in hash table)
\item \texttt{max\_frag\_sessions $<$integer$>$} (Specify the number of fragments to track in the hash table)
\end{itemize} \\
\hline
\texttt{layer2resets} & \texttt{config layer2resets: 00:06:76:DD:5F:E3} & This option is only available when running in inline mode. See Section \ref{Snort Inline}.\\
\hline
\texttt{logdir} & \texttt{config logdir: /var/log/snort} & Sets the logdir (\texttt{snort -l}). \\
\hline
\texttt{min\_ttl} & \texttt{config min\_ttl:30} & Sets a Snort-wide minimum ttl to ignore all traffic. \\
\hline
\texttt{no\_promisc} & \texttt{config no\_promisc} & Disables promiscuous mode (\texttt{snort -p}). \\
\hline
\texttt{nolog} & \texttt{config nolog} & Disables logging. Note: Alerts will still occur. (\texttt{snort -N}). \\
\hline
\texttt{nopcre} & \texttt{config nopcre} & Disables pcre pattern matching. \\
\hline
\texttt{obfuscate} & \texttt{config obfuscate} & Obfuscates IP Addresses (\texttt{snort -O}). \\
\hline
\texttt{order} & \texttt{config order: pass alert log activation} & Changes the order that rules are evaluated. \\
\hline
\texttt{pidpath} & \texttt{config pidpath: /var/snort} & Set path to directory to store snort pid file. \\
\hline
\texttt{pkt\_count} & \texttt{config pkt\_count: 13} & Exits after N packets (\texttt{snort -n}). \\
\hline
\texttt{profile\_preprocs} & \texttt{config profile\_preprocs} & Print statistics on preprocessor performance.
See Section \ref{preproc profiling} for more details. \\

\hline
\texttt{profile\_rules} & \texttt{config profile\_rules} & Print statistics on rule performance.
See Section \ref{rule profiling} for more details. \\
\hline
\texttt{quiet} & \texttt{config quiet}& Disables banner and status reports (\texttt{snort -q}). \\
\hline
\texttt{read\_bin\_file} & \texttt{config read\_bin\_file: test\_alert.pcap} & Specifies a pcap file to use 
(instead of reading from network),
        same effect as -r $<$tf$>$ option.\\
%debug Make snort print out debugging info debug \\
%no\_stream\_inserts] Do not perform detection on packets that that are going to be rebuilt 
%max\_queue\_events] Queues multiple alerts per packet and selects the most specific one (default: 5) Example: config max\_queue\_events: 5
\hline
\texttt{reference} & \texttt{config reference: myref http://myurl.com/?id=} & Adds a new reference system to Snort.  \\
\hline
\texttt{reference\_net} & \texttt{config reference\_net 192.168.0.0/24} & For IP obfuscation, the obfuscated net will be used if the packet contains an IP address in the reference net.  Also used to determine how to set up the logging directory structure for the \texttt{session} post detection rule option and ascii output plugin - an attempt is made to name the log directories after the IP address that is not in the reference net. \\
\hline
\texttt{set\_gid} & \texttt{config set\_gid: 30} & Changes GID to specified GID (\texttt{snort -g}). \\
\hline
\texttt{set\_uid} & \texttt{set\_uid: snort\_user} & Sets UID to $<$id$>$ (\texttt{snort -u}). \\
\hline
\texttt{show\_year} & \texttt{config show\_year} & Shows year in timestamps (\texttt{snort -y}). \\
\hline
\texttt{snaplen} & \texttt{config snaplen: 2048} & Set the snaplength of packet, same effect as 
\texttt{-P $<$snaplen$>$} or \texttt{--snaplen $<$snaplen$>$} options.\\
\hline
\texttt{stateful} & \texttt{config stateful} & Sets assurance mode for stream4 (est). See the stream4\_reassemble configuration in table \ref{stream4 reassemble defaults}. \\
\hline
\texttt{tagged\_packet\_limit} & \texttt{config tagged\_packet\_limit: 512} & When a metric other than \texttt{packets} is used in a tag option in a rule, this option sets the maximum number of packets to be tagged regardless of the amount defined by the other metric.  See Section \ref{tag section} on using the tag option when writing rules for more details.  The default value when this option is not configured is 256 packets.  Setting this option to a value of 0 will disable the packet limit. \\
\hline
\texttt{threshold} & \texttt{config threshold: memcap 100000} & Set global memcap in bytes for thresholding. Default is 1048576 bytes (1 megabyte). \\
\hline
\texttt{umask} & \texttt{config umask: 022} & Sets umask when running (\texttt{snort -m}). \\
\hline
\texttt{utc} & \texttt{config utc} & Uses UTC instead of local time for timestamps (\texttt{snort -U}). \\
\hline
\texttt{verbose} & \texttt{config verbose} & Uses verbose logging to STDOUT (\texttt{snort -v}). \\
\hline

\end{longtable}
\end{center}

%\begin{note}
%The Wu-Manber pattern matching engine (\texttt{search-method mwm}) will be
%deprecated in a future Snort release in favor of pattern matching algorithms
%with better performance and smaller memory consumption.
%\end{note}

\newpage
\section{Preprocessors}

Preprocessors were introduced in version 1.5 of Snort. They allow
the functionality of Snort to be extended by allowing users and programmers
to drop modular plugins into Snort fairly easily.
Preprocessor code is run before the detection engine is called, but
after the packet has been decoded. The packet can be modified or analyzed
in an out-of-band manner using this mechanism.

Preprocessors are loaded and configured using the {\tt preprocessor} keyword.
The format of the preprocessor directive in the Snort rules file is:

\begin{verbatim}
preprocessor <name>: <options>
\end{verbatim}

\begin{figure}[!hbpt]
\begin{verbatim}
preprocessor minfrag: 128
\end{verbatim}

\caption{\label{Preprocessor Example}Preprocessor Directive Format Example}
\end{figure}


%\subsection{Frag2\label{Frag2 Section}}

%\begin{note}
%Frag2 is deprecated in Snort 2.4.0 and later in favor of frag3. See Section \ref{frag3 section} for more information about frag3.
%\end{note}

%Frag2 is a new IP defragmentation preprocessor introduced in Snort 1.8 and is 
%designed to replace the Defrag preprocessor.
%This defragmenter is designed to be memory efficient and use the same
%memory management routines that are in use in other parts of Snort. 
%
%Frag2 has configurable memory usage and fragment timeout options.
%Given no arguments, Frag2 uses the default memory limit of 4194304
%bytes (4\textsc{mb}) and a timeout period of 60 seconds. The timeout
%period is used to determine a length of time after which an unassembled fragment
%should be discarded.
%
%In Snort 1.8.7, several options were added to help catch the use of
%evasion techniques, such as fragroute. 
%
%
%\subsubsection{Format}
%
%\begin{verbatim}
%preprocessor frag2: [memcap <xxx>], [timeout <xx>], [min_ttl <xx>], \
%                    [detect_state_problems], [ttl_limit <xx>] 
%\end{verbatim}
%\begin{tabular}{| l | p{5in} |}
%\hline
%\textbf{Option} & \textbf{Description}\\
%\hline
%\hline
%\texttt{timeout~<seconds>} & Amount of time to keep an inactive stream in
%the state table; sessions that are flushed will automatically be picked
%up again if more activity is seen. The default value is 30 seconds.\\
%\hline
%\texttt{memcap~<bytes>} & Number of bytes to set the memory cap at; if this
%limit is exceeded, Frag2 will aggressively prune inactive reassemblers. The
%default value is 4\textsc{mb}.\\
%\hline
%\texttt{detect\_state\_problems} & Turns on alerts for events such as overlapping
%fragments.\\
%\hline
%\texttt{min\_ttl} & Sets the minimum ttl that Frag2 will accept.\\
%\hline
%\texttt{ttl\_limit} & Sets the delta value that will set off an evasion alert
%(initial fragment ttl +/- ttl limit). \\
%\hline
%\end{tabular}
%%
%\begin{figure}[!hbpt]
%\begin{verbatim}
%preprocessor frag2: memcap 16777216, timeout 30
%\end{verbatim}
%
%\caption{Frag2 Preprocessor Configuration \label{Frag2 Example}}
%\end{figure}

\subsection{Frag3 \label{frag3 section}}

The frag3 preprocessor is a target-based IP defragmentation module for Snort.
Frag3 is intended as a replacement for the frag2 defragmentation module and 
was designed with the following goals:
\begin{slist}
\item Faster execution than frag2 with less complex data management.
\item Target-based host modeling anti-evasion techniques.
\end{slist}

The frag2 preprocessor used splay trees extensively for managing the data 
structures associated with defragmenting packets.  Splay trees are excellent 
data structures to use when you have some assurance of locality of reference
for the data that you are handling but in high speed, heavily fragmented 
environments the nature of the splay trees worked against the system and 
actually hindered performance.  Frag3 uses the sfxhash data structure and 
linked lists for data handling internally which allows it to have much more
predictable and deterministic performance in any environment which should 
aid us in managing heavily fragmented environments.

Target-based analysis is a relatively new concept in network-based intrusion
detection.  The idea of a target-based system is to model the actual targets
on the network instead of merely modeling the protocols and looking for 
attacks within them.  When IP stacks are written for different operating 
systems, they are usually implemented by people who read the RFCs and then
write their interpretation of what the RFC outlines into code.  Unfortunately, there
are ambiguities in the way that the RFCs define some of the edge conditions 
that may occurr and when this happens different people implement certain aspects
of their IP stacks differently.  For an IDS this is a big problem.

In an environment where the attacker can determine what style of IP 
defragmentation is being used on a particular target, the attacker can try to
fragment packets such that the target will put them back together in a 
specific manner while any passive systems trying to model the host traffic 
have to guess which way the target OS is going to handle the overlaps and 
retransmits.  As I like to say, if the attacker has more information about the
targets on a network than the IDS does, it is possible to evade the IDS.  This
is where the idea for ``target-based IDS'' came from.  For more detail on this
issue and how it affects IDS, check out the famous Ptacek \& Newsham paper at
\url{http://www.snort.org/docs/idspaper/}.

The basic idea behind target-based IDS is that we tell the IDS information 
about hosts on the network so that it can avoid Ptacek \& Newsham style evasion
attacks based on information about how an individual target IP stack operates.
Vern Paxson and Umesh Shankar did a great paper on this very topic in 2003 that 
detailed mapping the hosts on a network and determining how their various IP 
stack implementations handled the types of problems seen in IP defragmentation 
and TCP stream reassembly.  Check it out at \url{http://www.icir.org/vern/papers/activemap-oak03.pdf}.

We can also present the IDS with topology information to avoid TTL-based 
evasions and a variety of other issues, but that's a topic for another day.  
Once we have this information we can start to really change the game for these 
complex modeling problems.

Frag3 was implemented to showcase and prototype a target-based module within
Snort to test this idea.

\subsubsection{Frag 3 Configuration}

Frag3 configuration is somewhat more complex than frag2.  There are at least
two preprocessor directives required to activate frag3, a global configuration
directive and an engine instantiation.  There can be an arbitrary number of
engines defined at startup with their own configuration, but only one global
configuration.

\textbf{Global Configuration}
\begin{itemize}
\item Preprocessor name: \texttt{frag3\_global}
\item Available options:
  \begin{itemize}
   \item     \texttt{max\_frags $<$number$>$} - Maximum simultaneous fragments to track. Default is 8192.