Recipe 7.13. Snort as Evidence in the U.K.


Problem

You run a network, and you want to ensure that you can prosecute anyone who attempts to breach your network security.

Solution

Take all reasonable steps to ensure that your evidence can't be contaminated. Ensure that you have documented your system, policies, and procedures adequately, and also in cases of breach, ensure that you document the steps you take to resolve the situation.

Discussion

This is a difficult area, and the answer differs substantially depending on where you are. In the United Kingdom, prosecutions are most likely to be brought under the Computer Misuse Act (1990), which creates the following offenses:

  • Unauthorized access to computer material.

  • Unauthorized access with intent to commit or facilitate commission of further offenses.

  • Unauthorized modification of computer material.

Each offense has specific criteria defining guilt, which, like most U.K. criminal law, require that the offender committed the offense intentionally or intended to commit it. To help prove this, it is advisable to use banners that notify anyone connecting to the service or computer that it is a system requiring specific authorization to connect.

To prosecute, you must show that:

  • The offender knew that it was a secure resource.

  • The offender intentionally ignored such a fact.

Snort is capable of logging all network traffic, so, provided the sensor logs full packet payloads rather than alerts alone, you can show that a message stating the authorization requirements was sent to the offender and that she persisted in connecting past that point.

You must, however, ensure that there is no way your logging system can be altered. This preserves the "chain of evidence," so that there is no way the data can be corrupted, altered, or lost. Your Snort system should be secured accordingly: ideally it has no network access at all, receiving its copy of the traffic through a tap on a receive-only interface, so the machine is never presented to the network.

Once you have determined that an event has taken place, it is vital that you contact your local law enforcement agency and notify them immediately. They may send someone to supervise the collection of evidence; comply with their wishes and be prepared to give them as much help as they require. It is highly likely that they will want to see documentation of the configuration of the system and of the procedures you followed to determine that there has been a breach. This is to establish that the data had no way of being altered inadvertently, or, if it has, whether such an alteration affected the quality of the data. They will most likely require that an image of the system and the data be taken; this may be to a specific forensic system, or it may just be a copy to tape or CD. When setting up your system, you should consider providing such a mechanism for getting data off, with at least a writeable CD drive.

The key point to remember is that at any point in the process you must be able to account for what has happened to the data, who has had access to it, and what procedures have been carried out on it. This will allow a court to determine its accuracy, and hopefully get you your conviction.
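The accounting described above is far easier to present if it is mechanical rather than anecdotal. The following Python script is an added example, not part of this recipe or of Snort: it builds a manifest of SHA-256 digests for every file in a Snort log directory, stamps the manifest with who collected it and when, and can re-verify the directory later to show that nothing has been modified, removed, or added. The two log files, the collector's name, and the directory layout are constructed for the example.

```python
"""Added example (not from the Snort Cookbook): a manifest that lets you
account for Snort evidence files. build_manifest() records a SHA-256 digest
and size for every file under a log directory plus who collected it and when;
verify_manifest() re-hashes the directory later and reports anything missing,
modified or added. The sample log files are constructed here so it runs offline.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large packet logs need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(log_dir, collected_by):
    """Hash every file under log_dir and wrap the table in custody metadata."""
    files = {}
    for root, _dirs, names in os.walk(log_dir):
        for name in sorted(names):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, log_dir)
            files[rel] = {"sha256": sha256_file(path), "size": os.path.getsize(path)}
    # One digest over the canonical file table: this is the value you read out
    # to the officer supervising collection and write into the custody log.
    table = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collected_by": collected_by,
        "manifest_sha256": hashlib.sha256(table).hexdigest(),
        "files": files,
    }


def verify_manifest(log_dir, manifest):
    """Return a sorted list of discrepancies; an empty list means intact."""
    expected = manifest["files"]
    problems = []
    for rel, info in expected.items():
        path = os.path.join(log_dir, rel)
        if not os.path.isfile(path):
            problems.append("missing: " + rel)
        elif sha256_file(path) != info["sha256"]:
            problems.append("modified: " + rel)
    for root, _dirs, names in os.walk(log_dir):
        for name in names:
            rel = os.path.relpath(os.path.join(root, name), log_dir)
            if rel not in expected:
                problems.append("unexpected: " + rel)
    return sorted(problems)


# Constructed stand-ins for a Snort text alert file and a binary packet log.
SAMPLE_FILES = {
    "alert": b"09/21-14:05:23.123456  [**] [1:1000001:1] constructed alert [**] "
             b"{TCP} 203.0.113.9:3456 -> 192.168.1.10:80\n",
    "snort.log.1095775523": b"\xd4\xc3\xb2\xa1constructed packet log\x00",
}


def demo():
    """Seal a directory, then tamper with one file and re-verify.

    Returns (problems_before, problems_after): expect ([], ["modified: alert"]).
    """
    with tempfile.TemporaryDirectory() as log_dir:
        for name, content in SAMPLE_FILES.items():
            with open(os.path.join(log_dir, name), "wb") as fh:
                fh.write(content)
        # The manifest deliberately lives outside log_dir (in practice: on
        # write-once media or a separate host), so it is not in its own table.
        manifest = build_manifest(log_dir, collected_by="analyst on duty")
        before = verify_manifest(log_dir, manifest)
        with open(os.path.join(log_dir, "alert"), "ab") as fh:
            fh.write(b"# edited after collection\n")
        after = verify_manifest(log_dir, manifest)
    return before, after


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The digests prove that the files handed over are the ones sealed at collection time; they say nothing about who sealed them or when, which is why the manifest itself belongs on write-once media or a separate host, and why its manifest_sha256 value should be written into the paper custody log (and ideally signed) at the time the officer witnesses the collection.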

See Also

Computer Misuse Act, 1990


Recipe 7.14. Snort as a Virus Detection Tool

Problem

Can Snort be used to help us document and detect viruses traveling across our network?

Solution

Using the ClamAV engine (http://www.clamav.net), two developers from the open source Snort community, Will Metcalf and Victor Julien, have created a Snort preprocessor that scans web and mail traffic, and traffic on several other ports, for viruses. One word of caution, though: this tool, while helpful, places an extra load on a sensor. It should be deployed on its own sensor so as not to take processor time and memory away from your main sensor platform. The value of a tool such as this should be immediately visible in demonstrating the threat posed by your RAS/VPN users, or by remote sites that connect back into your network.

For example, if you have a RAS connection that terminates directly on your network core, passing through few or no defenses, what would be the first line to be breached if a worm outbreak occurred? That RAS link would promptly help your network defense team discover which machines the patch management team didn't get to.

Another reason to run this preprocessor is that AV vendors often ship detection for viruses and Trojans before the IDS community does. With the MS04-028 exploit (the JPEG/JFIF exploit), for example, ClamAV had an update that detected the exploit, while the Snort community came out with several signatures that worked only over HTTP. So when you do your threat count at the end of the day, you can determine that the exploit came in eight times over the Web and was correctly killed by the user AV software on the desktop, while the server team missed the 10 times it came in over SMTP in HTML email.

Discussion

To enable this preprocessor, you have to patch Snort. First get the patch from:

http://sourceforge.net/tracker/download.php?group_id=78497&atid=553469&file_id=98150&aid=1011054

This patch has been tested on Linux and BSD platforms. To enable it, we will install the ClamAV software and fetch the most current virus database, then build Snort with the patch applied and configured to log to a database (MySQL, for example, viewed through ACID for simplicity). Following these instructions, you will have a virus-detecting Snort that logs to a database.

Once the ClamAV source code is downloaded from http://www.clamav.net, it needs to be built and installed. At the time of writing, the most current version is 0.80, which successfully detects the JPEG exploit from MS04-028. ClamAV runs as its own user, so you'll have to create that account before building; the account is also passed to configure so that the tool is built to run as that user.

root# adduser clamav
root# ./configure --with-user=clamav && make
# Use && rather than a single &, or make starts before configure has finished.


If no errors are displayed after the make completes, run make install; with the default prefix this puts the executables under /usr/local/bin and the virus database under /usr/local/share/clamav. Then make a test run to make sure the executables work, by scanning a home directory as in the following example.

root# /usr/local/bin/clamscan /home/<username>/


If the output doesn't look something like the following (minus the FOUND line for the actual exploit file, of course), the install failed.

root# /usr/local/bin/clamscan /home/<username>/
/home/<username>//.bash_logout: OK
/home/<username>//.bash_profile: OK
/home/<username>//.bashrc: OK
/home/<username>//.bash_history: OK
/home/<username>//.viminfo: OK
/home/<username>//virus-jpeg.zip: Exploit.JPEG.Comment.4 FOUND
/home/<username>//.pinerc: OK
/home/<username>//p0f_db-0.3.tar: OK
/home/<username>//snort-2.2.0.tar.gz: OK

----------- SCAN SUMMARY -----------
Known viruses: 24618
Scanned directories: 1
Scanned files: 12
Infected files: 1
Data scanned: 28.71 MB
I/O buffer size: 131072 bytes
Time: 51.797 sec (0 m 51 s)

Now that ClamAV is installed and working, update its database files with the most recent virus signatures from http://www.clamav.net. You can script the following commands to pull the files daily if your sensors aren't out of band (ClamAV's own freshclam utility does the same job).

root# cd /usr/local/share/clamav
root# wget http://db.local.clamav.net/main.cvd
root# wget http://db.local.clamav.net/daily.cvd

Now that ClamAV is working on the sensor, it is time to build Snort 2.2.x with the ClamAV preprocessor, using the patch found at the following link:

http://sourceforge.net/tracker/download.php?group_id=78497&atid=553469&file_id=98150&aid=1011054

The Snort source code has to be patched to add the preprocessor. (A very special thanks to William Metcalf for his help in getting this preprocessor to compile.) Once the patch is applied, the autotools build files have to be regenerated so that the new configure options exist before you run configure.

root# patch -p0 < clamav-snortv-2.2.0.diff
# Either run
root# autoreconf -f
# OR (&& so each step runs only after the previous one succeeds)
root# libtoolize -f && aclocal && autoheader && automake && autoconf


Now configure Snort with the ClamAV preprocessor enabled. You must pass all of the ClamAV options to configure: if any is missing, Snort does not build the preprocessor correctly. Once configure completes with no errors, build Snort as normal with make and make install.

root# ./configure --enable-clamav --with-clamav-includes=/usr/local/include \
      --with-clamav-defdir=/usr/local/share/clamav --with-mysql
# --with-clamav-includes points at the directory where make install put clamav.h;
# add --enable-debug if you want the preprocessor's debug output (optional)

Finally, edit snort.conf to load the ClamAV preprocessor. The preprocessor line must be placed immediately after the stream4_reassemble preprocessor and before the http_inspect preprocessor; otherwise the preprocessor will only ever detect test files such as EICAR. One last suggestion: test the build from the local snort-2.2.x directory before installing, as follows:

# the line to add to snort.conf, between stream4_reassemble and http_inspect:
preprocessor clamav

root# ./src/snort -c etc/snort.conf -i eth0 -l log -T


If you don't get an error such as "unknown preprocessor: clamav," your build was successful (-T makes Snort validate the configuration and exit without sniffing). Simply install and adjust the configuration as necessary to start detecting viruses and Trojans on your network(s).

Unfortunately, there aren't many hard numbers yet on the load this places on Snort and the sensor. As a safe bet, either deploy a new sensor with this enabled or use it on a slow link for staging until you are comfortable with the patch.

Another consideration is that this will detect only the viruses that pass by your sensor. If your organization is considering intrusion prevention systems (IPS) and application firewalls, you might want to check out the new patch for snort-inline that drops the virus packets at the inline device.

Finally, there are several applications for this, as seen earlier; the best to start with is demonstrating the risks exposed to your network(s) by remote/RAS/VPN users. This can help an organization weigh the risks of having those connections against the level of protection and assurance that needs to be applied to them. Another example would be to place it in front of a heavily loaded mail server to demonstrate the cost of allowing spam through your mail server. The possibilities for this preprocessor are limited only by the team applying it and the purpose they apply it to.
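The end-of-day threat count from the Solution (so many detections over the Web, so many over SMTP) comes down to tallying the preprocessor's alerts by the service the infected content travelled over. The Python script below is an added example, not part of this recipe, of Snort, or of the ClamAV preprocessor. It parses Snort's fast alert format (timestamp, [gid:sid:rev], message, {PROTO}, src -> dst), which is Snort's own; the alert text "(spp_clamav) Virus Found: <name>" is an assumption about the preprocessor's message wording, and the alert lines are constructed to mirror the 8 + 10 count from the Solution. The one point the paragraph does not spell out is that the payload can flow in either direction, so the script names the service by whichever end of the connection is on a well-known port.

```python
"""Added example (not from the Snort Cookbook or the ClamAV preprocessor):
tally virus detections in a Snort "fast" alert file by the service they
travelled over, which is the end-of-day threat count the recipe describes.

Assumptions: the preprocessor's alert text is taken to be
"(spp_clamav) Virus Found: <name>" (an assumed wording, not from its source),
and the alert lines below are constructed for the example.
"""
import re
from collections import Counter

# Snort -A fast format: timestamp, [gid:sid:rev], message, optional
# classification/priority, {PROTO}, then "src[:sport] -> dst[:dport]".
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)
VIRUS_RE = re.compile(r"Virus Found:\s*(?P<name>\S+)")  # assumed message wording

SERVICES = {25: "SMTP", 80: "HTTP", 110: "POP3", 143: "IMAP", 443: "HTTPS"}


def parse_alert(line):
    """Return the alert's fields as a dict (ports as int or None), or None."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def service_for(sport, dport):
    """Name the service by whichever end sits on a well-known port.

    The payload can flow in either direction: an infected JPEG in an HTTP
    response comes *from* port 80, while an infected mail is delivered *to*
    port 25, so looking only at the destination port would miscount.
    """
    for port in (dport, sport):
        if port in SERVICES:
            return SERVICES[port]
    return "other"


def tally(lines):
    """Return (detections per service, detections per virus name, other alerts)."""
    by_service, by_name = Counter(), Counter()
    other_alerts = 0
    for line in lines:
        rec = parse_alert(line)
        if rec is None:          # blank or malformed line
            continue
        found = VIRUS_RE.search(rec["msg"])
        if not found:            # an ordinary Snort rule hit, not a virus
            other_alerts += 1
            continue
        by_service[service_for(rec["sport"], rec["dport"])] += 1
        by_name[found.group("name")] += 1
    return by_service, by_name, other_alerts


# --- constructed sample alert file, mirroring the recipe's 8 + 10 count ---
VIRUS_MSG = "(spp_clamav) Virus Found: Exploit.JPEG.Comment.4"   # assumed wording


def _fast_line(ts, msg, proto, src, dst, sid=1000001):
    return f"{ts}  [**] [1:{sid}:1] {msg} [**] [Priority: 1] {{{proto}}} {src} -> {dst}"


SAMPLE_ALERTS = (
    # eight web downloads: the exploit rides the HTTP response from port 80
    [_fast_line(f"09/21-10:{i:02d}:00.000000", VIRUS_MSG, "TCP",
                "10.1.1.20:80", f"192.168.1.{100 + i}:{3000 + i}") for i in range(8)]
    # ten inbound mails: the exploit is delivered to the mail server's port 25
    + [_fast_line(f"09/21-11:{i:02d}:00.000000", VIRUS_MSG, "TCP",
                  f"203.0.113.{10 + i}:{4000 + i}", "192.168.1.25:25") for i in range(10)]
    # one unrelated rule hit, which must not be counted as a virus
    + [_fast_line("09/21-12:00:00.000000", "ICMP PING NMAP", "ICMP",
                  "203.0.113.9", "192.168.1.25", sid=469)]
)


def summarize(lines=SAMPLE_ALERTS):
    return tally(lines)


if __name__ == "__main__":
    by_service, by_name, other = summarize()
    for service, n in sorted(by_service.items()):
        print(f"{service:6} {n:4}")
    for name, n in by_name.items():
        print(f"{name}: {n}")
    print(f"non-virus alerts: {other}")
```

Point summarize() at the lines of a real alert file (open("/var/log/snort/alert")) once you have confirmed the wording the preprocessor actually emits and adjusted VIRUS_RE to match; a mismatch shows up as every virus alert landing in the non-virus count.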

See Also

Recipe 7.4

Snort-inline patches (http://www.sourceforge.net)

snort-devel mailing list for community support