Problem
You want to use Snort with your honeypot or honeynet.
Solution
What are honeypots and honeynets? Why would you run one?
A honeypot is "a system whose value is being probed, attacked, or compromised" (project.honeynet.org). The Honeynet Project is a group of individuals who study honeynets from around the world. Different organizations have different uses for honeynet datafrom research and tactics in the case of the Honeynet Project to nabbing criminals, as is the case with some law enforcement and government agencies. A honeynet is a group or network of honeypots, which are usually either actual machines or virtual hosts, such as with a tool such as VMware. For the purpose of this discussion, most organizations use honeypots or honeynets only for research such as studying attackers' tactics. If your organization employs legal honeypots (nets), your corporate legal department should be consulted with first.
There are three great uses for Snort when it comes to honeypots and honeynets:
Discussion
Snort is great for recording all traffic entering and exiting your honeypot or honeynet. The simplest way to use it is in passive mode via a switch span port or a network tap. This allows Snort to stealthily capture any attacker activity. In this scenario, you can use Snort in any of its three modes, depending on your needs: packet sniffer, packet logger, or NIDS. A newer approach to integrating Snort with honeynets is with Snort Inline. Snort Inline sits between network segments and acts as a layer 2 bridge, passing traffic between interfaces. Once again, Snort is stealthy in this mode because it does not have an IP address and does not add a hop in the network, making it virtually undetectable. Snort Inline also provides intrusion prevention system (IPS) technology. This can mitigate or nullify attacks as they occur, without the attacker's knowledge. It runs on a Linux system and uses iptables packet queuing to collect and make decisions about packets as they traverse the system's interfaces. Using Snort on a production network, as an IPS allows you to block attacks or replace the content in them to nullify the attack. Using Snort Inline's additional rule actions does this:
drop
Drops the packet using Iptables and logs via Snort
reject
Drops the packet using Iptables and logs to syslog, then the communication is closed by either TCP RST for TCP sessions or an ICMP port-unreachable message for UDP
sdrop
Drops the packet using Iptables but does not log itreplace
replace
The rule language reference with the ability to replace hostile text with the same size harmless text in payload when running Snort inline
Snort Inline can be used to control outgoing packets from a honeypot or honeynet. If a honeypot is compromised by a worm or similar attack, Snort Inline can use its new rule keywords to keep the worm from propagating outside of the network. It can also keep an attacker from using a compromised honeypot to attack other systems outside the network. Even more beneficial is the replace keyword. By replacing the content of the attack as it traverses the network, the attacker will not know why the attack isn't working, giving the IDS team more time to analyze attacker behavior and techniques. Since all Snort Inline actions are logged, this gives the team an abundance of valuable information for analysis, including types of attacks, attack tools, and attacker skill sets.
The following is an example of a Snort Inline rule to drop packets:
drop tcp $HOME_NET any $EXTERNAL_NET 53 (msg:"DNS EXPLOIT named"; flags: A+; content:"|CD80 E8D7 FFFFFF|/bin/sh";)
The following is an example of a Snort Inline rule to change packet contents:
alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DNS EXPLOIT named"; flags: A+; content:"|CD80 E8D7 FFFFFF|/bin/sh"; replace:"|0000 E8D7 FFFFFF|/ben/sh";)
The Honeynet Project has been using Snort Inline extensively and has incorporated it into their Honeywall CD-ROM. Some of the Snort Inline functionality also has been incorporated into the Snort 2.3 release; however, it continues to refer to the Snort Inline project for the latest features and advancements. When working with honeypots and honeynets, always remember to consult your organization's legal department and get permission first!
See Also
http://project.honeynet.org
http://snort-inline.sourceforge.net/
Performing Forensics Using Snort |
Installing Snort from Source on Unix
Logging to a File Quickly
How to Build Rules
Detecting Stateless Attacks and Stream Reassembly
Managing Snort Sensors
Generating Statistical Output from Snort Logs
Monitoring Network Performance
Index