Wednesday, October 10, 2007

Detecting Traffic to non-HTTP_PORTS Using Snort Rules

I wanted to draft a response to a post made to the snort-users group. My goal was to compare rules for detecting network activity occurring on non-HTTP_PORTS that use the 'flow' option available in Snort with two alternate rules that do not use the 'flow' option. Before writing this article, I was almost certain Rule B would be my first choice, to be followed by Rule C; however, by the time I had finished the first draft, I could see that Rule A is the most preferred (as long as I can specify a source or destination address for either EXTERNAL_NET or HTTP_SERVERS).

Rule comparison tests

I created three test rules for this comparison. Rules A and B do not use 'flow'. Rule C does use 'flow'. Of the two that do not use flow, Rule A negates HTTP_PORTS only as the destination port of matching packets, whereas Rule B negates HTTP_PORTS as both the source port and the destination port, so a packet matches Rule B only when neither of its ports is in HTTP_PORTS. I ran snort-2.4.3 and snort-2.7.0 against the same pre-captured data. Both versions of snort returned the same results exhibiting the same behavior.


Basic snort configuration

var EXTERNAL_NET any

var HTTP_SERVERS any

var HTTP_PORTS [ 80 ]

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS !$HTTP_PORTS (msg:"LOCAL NONHTTP nonflow test Rule A"; sid: 2000001; )

alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HTTP_SERVERS !$HTTP_PORTS (msg:"LOCAL NONHTTP nonflow test Rule B"; sid: 2000002; )

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS !$HTTP_PORTS (msg:"LOCAL NONHTTP flow test Rule C"; flow:to_server,established; sid: 2000003; )

How does each work ?

Rule A successfully ignores packets the apparent client sends to HTTP_PORTS, but when both $EXTERNAL_NET and $HTTP_SERVERS are defined to match 'any' host address, this rule also matches every return packet: a server's reply travels from port 80 to the client's ephemeral port, which is a non-HTTP destination port. This latter behavior is what we definitely want to avoid.

Rule B successfully ignores all traffic involving HTTP_PORTS as either port, which covers server return packets as well as anything sent from an HTTP port.

Rule C successfully ignores HTTP_PORTS traffic, including return traffic, but it only alerts on established TCP connections in the client-to-server direction. In cases where a connection is never established, such as a host scan of random TCP ports, this rule does not fire. Note that Snort decides whether a session is 'established' in the stream preprocessor, so what this rule sees depends on that preprocessor's configuration and not on the rule alone.

Which is "better" to implement: A, B or C ?

Rule A provides alerts when packets arrive on non-HTTP_PORTS but requires specifying a source or target host network to enforce packet direction and prevent related return packets from triggering on this rule.

Rule B provides alerts when packets arrive on non-HTTP_PORTS. This rule does nothing to notify you of packets that contain HTTP_PORTS as a source or destination port. Consider this rule to be 'blind' to TCP traffic involving HTTP_PORTS.

Rule C provides alerts only when access is made to normal, responsive TCP servers listening on non-HTTP_PORTS.

Why my preferred choices are A, B, and C, respectively

Rule A - When you can specify either a source or destination network to imply packet direction, this rule provides the most visibility of network activity occurring on non-HTTP_PORTS.

Rule B - If you cannot specify a source or destination network for this particular rule, this method might be the next best choice.

Problem #1: You will need to create a second rule to catch the traffic this rule will miss; specifically, traffic originating from HTTP_PORTS to any other port. This other rule will need to specify either a source or destination network to indicate which hosts should not be sending packets from HTTP_PORTS. (Only servers should send packets from HTTP_PORTS, whereas clients generally shouldn't.)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $REALHTTP_SERVERS !$HTTP_PORTS (msg:"LOCAL NONHTTP nonflow test Rule B fixup"; sid: 2000004; )

Problem #2: Caution: The above rule ignores packets originating from $HTTP_PORTS going to $HTTP_PORTS. If you do not trust these connections, the following rule would resolve this problem (it gets its own sid so it does not collide with the first fixup rule).

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $REALHTTP_SERVERS any (msg:"LOCAL NONHTTP nonflow test Rule B fixup version 2"; sid: 2000005; )

Rule C - This works well if I have a smart network firewall or a proxy server that effectively filters abnormal TCP traffic (i.e. half-open connections and stealth scans, or custom/backdoor-type communications using faux-RFC-compliant TCP protocol headers that may not qualify the 'flow' as being 'established').

Problem #1: You need a backup plan to catch the stealth activity that this rule may miss.
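To make the comparison concrete, here is an added Python model that replays the three test rules plus the Rule B fixup against a constructed packet trace. It is not part of the original post and it is not Snort code: it models only what these rule headers depend on (source and destination address and port, and a simplified 'established' check that requires a complete 3-way handshake in the client-to-server direction). The addresses 192.0.2.10, 198.51.100.7 and 10.0.0.5, the ports and the flag sequences are made up, and $REALHTTP_SERVERS is assumed to be the single host 10.0.0.5.

```python
"""Toy replay of the Snort rule headers above against a constructed packet trace.

This is an added illustration, not Snort itself.  It models only the parts of
the rules that matter for the comparison: TCP source/destination address and
port, and whether a session is 'established' in the client->server direction
(a minimal 3-way-handshake tracker standing in for Snort's stream preprocessor).
Every address, port and flag sequence below is made up.
"""
from __future__ import annotations

from dataclasses import dataclass

HTTP_PORTS = {80}  # var HTTP_PORTS [ 80 ]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" SYN, "SA" SYN/ACK, "A" ACK, "PA" PSH/ACK


@dataclass(frozen=True)
class Rule:
    sid: int
    src_net: str  # variable name, e.g. "$EXTERNAL_NET"
    sport: str  # "any", "$HTTP_PORTS" or "!$HTTP_PORTS"
    dst_net: str
    dport: str
    established_to_server: bool = False  # flow:to_server,established


def port_matches(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if spec == "$HTTP_PORTS":
        return port in HTTP_PORTS
    if spec == "!$HTTP_PORTS":
        return port not in HTTP_PORTS
    raise ValueError(f"unsupported port spec {spec}")


def net_matches(variables: dict, spec: str, ip: str) -> bool:
    value = variables[spec]  # "any" or a set of addresses
    return value == "any" or ip in value


class FlowTracker:
    """Minimal handshake tracker keyed (client, cport, server, sport)."""

    def __init__(self) -> None:
        self.state: dict = {}

    def observe(self, p: Packet) -> None:
        forward = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "S":
            self.state[forward] = "syn"
        elif p.flags == "SA" and self.state.get(reverse) == "syn":
            self.state[reverse] = "synack"
        elif "A" in p.flags and self.state.get(forward) == "synack":
            self.state[forward] = "established"

    def established_to_server(self, p: Packet) -> bool:
        # Only packets travelling client->server on a completed handshake qualify.
        return self.state.get((p.src, p.sport, p.dst, p.dport)) == "established"


RULES = {
    "A": Rule(2000001, "$EXTERNAL_NET", "any", "$HTTP_SERVERS", "!$HTTP_PORTS"),
    "B": Rule(2000002, "$EXTERNAL_NET", "!$HTTP_PORTS", "$HTTP_SERVERS", "!$HTTP_PORTS"),
    "C": Rule(2000003, "$EXTERNAL_NET", "any", "$HTTP_SERVERS", "!$HTTP_PORTS", True),
    "B fixup": Rule(2000004, "$EXTERNAL_NET", "$HTTP_PORTS", "$REALHTTP_SERVERS", "!$HTTP_PORTS"),
}

# Constructed trace: an HTTP session (1-3), an SSH session (4-7), an
# unanswered SYN scan (8) and a SYN sent *from* port 80 to a non-HTTP port (9).
TRACE = [
    Packet("192.0.2.10", 40000, "10.0.0.5", 80, "S"),
    Packet("10.0.0.5", 80, "192.0.2.10", 40000, "SA"),
    Packet("192.0.2.10", 40000, "10.0.0.5", 80, "A"),
    Packet("192.0.2.10", 40001, "10.0.0.5", 22, "S"),
    Packet("10.0.0.5", 22, "192.0.2.10", 40001, "SA"),
    Packet("192.0.2.10", 40001, "10.0.0.5", 22, "A"),
    Packet("192.0.2.10", 40001, "10.0.0.5", 22, "PA"),
    Packet("198.51.100.7", 50000, "10.0.0.5", 445, "S"),
    Packet("198.51.100.7", 80, "10.0.0.5", 445, "S"),
]


def replay(variables: dict, rules: dict = RULES, trace: list = TRACE) -> dict:
    """Return, per rule name, the 1-based indexes of trace packets it alerts on."""
    flows = FlowTracker()
    hits = {name: [] for name in rules}
    for i, p in enumerate(trace, start=1):
        flows.observe(p)
        for name, r in rules.items():
            header_ok = (
                net_matches(variables, r.src_net, p.src)
                and port_matches(r.sport, p.sport)
                and net_matches(variables, r.dst_net, p.dst)
                and port_matches(r.dport, p.dport)
            )
            if not header_ok:
                continue
            if r.established_to_server and not flows.established_to_server(p):
                continue
            hits[name].append(i)
    return hits


# Both variable sets assume $REALHTTP_SERVERS is the single host 10.0.0.5.
ANY_VARS = {"$EXTERNAL_NET": "any", "$HTTP_SERVERS": "any", "$REALHTTP_SERVERS": {"10.0.0.5"}}
SCOPED_VARS = {"$EXTERNAL_NET": "any", "$HTTP_SERVERS": {"10.0.0.5"}, "$REALHTTP_SERVERS": {"10.0.0.5"}}

if __name__ == "__main__":
    for label, variables in (("all any", ANY_VARS), ("HTTP_SERVERS scoped", SCOPED_VARS)):
        print(label, replay(variables))
```

With every variable set to 'any', Rule A alerts on the SYN/ACK return packets of both sessions (packets 2 and 5), Rule B never sees the SYN sent from source port 80 (packet 9) while the fixup rule catches it, and Rule C misses the unanswered scan SYN (packet 8) and only fires once the SSH handshake completes. Scoping $HTTP_SERVERS to the server address removes the return-packet hits from Rule A, which is the point made above about specifying a network to imply direction.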

Final thoughts

In this article I was most interested in detecting all non-HTTP_PORTS traffic. I chose Rule A for this because it provides the best detection capability for the traffic I am seeking to detect. Having to define either a source or destination network to make the rule work properly is worth the detection capability gained over the other rules tested with or without flow.

If I wanted to perform passive server availability monitoring or if I wanted to monitor the integrity of HTTP server responses in all normal traffic, the use of 'flow' (as demonstrated in Rule C) would be a good starting point for this.

Thursday, March 01, 2007

How to view ongoing network activity

Problem: You have unpredictable slowness on your network and want to know the cause. Network traffic logs do not reveal any significant transfers occurring at the time of each incident. You expect the problem is either local to your network, your ISP or the remote hosts you are communicating with. Additionally, your logs do not show tell-tale signs of remote communication problems, nor do they contain enough granular information to determine peak loads that may be contributing to the problem.

Solution: Implement a network flow analysis tool that shows live packet and byte counters as traffic occurs, in a format that can be quickly viewed and referenced to detect correlated activity occurring at the time of reported slowness.

--------------

My Review:
I've conducted a quick review of these three network flow tools that work from the command line using 'ncurses'. These are: trafshow, iptraf, and iftop.

My Review Process:
I compiled each from source and briefly tested each without reading beyond the README and the help section built into each tool.

My Recommendations:
trafshow - Information provided by this tool is displayed at intervals which makes it more difficult to detect active hosts when observing over time. (ref: http://www.freshports.org/net/trafshow/)

iptraf - This is my favorite 'out-of-box' solution for this purpose, you can watch byte and packet counters rapidly changing to quickly hone in on active hosts. (ref: http://iptraf.seul.org/download.html)

iftop - This is my second choice; you see the same information as iptraf, but must rely on dynamic bars rather than counters to detect active hosts, because the counters are not granular enough to show the slight changes that would indicate live communication. (ref: http://freshmeat.net/projects/iftop/)

Monday, February 05, 2007

Network Security Monitoring

I wanted to state some sort of preamble before I started posting information to this blog, so here it goes.

Network Security Monitoring (NSM) is not just about a methodology of recording different forms of network traffic for future examination, though that is an immediate goal of the recording system. The purpose of NSM is to provide analysts with the information they need to validate and escalate network activity that warrants human observation and action. As network activity varies from one monitoring domain to the next, NSM tools must be flexible in order to provide analysts with the means to detect, validate and assess the importance of all changes occurring within their monitoring domain.

I've provided a couple of definitions from Merriam-Webster's Collegiate Dictionary, Tenth Edition, copyright 1994, which you may find helpful towards the understanding of NSM as it relates to analysis. I'll add more words to this list.

Definitions:

analysis 1 : separation of a whole into its component parts 2 a : the identification or separation of ingredients of a substance b : statement of the constituents of a mixture 3 a : proof of a mathematical proposition by assuming the result and deducing a valid statement by a series of reversible steps, b (1) : a branch of mathematics concerned mainly with functions and limits (2) : CALCULUS 1b 4 a : an examination of a complex, its elements, and their relations b : a statement of such an analysis 5 a : a method in philosophy of resolving complex expressions into simpler or more basic ones b : clarification of an expression by an elucidation of its use in discourse 6 : the use of function words instead of inflectional forms as a characteristic device of a language 7 : PSYCHOANALYSIS

ponder 1 : to weigh in the mind : appraise 2 : to think about : reflect on : to think of : consider esp. quietly, soberly, and deeply

SYN: MEDITATE, MUSE, RUMINATE

ponder - ponder implies a careful weighing of a problem or often prolonged inconclusive thinking about a matter

meditate - implies a definite focusing of one's thoughts on something so as to understand it deeply

muse - suggests a more or less focused daydreaming as in remembrance

ruminate - implies going over the same matter in one's thoughts again and again but suggests little of either purposive thinking or rapt absorption

rapt - 1 : lifted up and carried away 2 : transported with emotion : enraptured 3 : wholly absorbed : engrossed

Monday, October 30, 2006

Google Adsense review

I've reviewed the Google AdSense technology which allows web publishers (people who have web pages) to generate revenue through providing advertising space to Google. Google's job is to ensure the ads that appear are relevant to the content on the web page so that advertisers are most closely paired with their intended market. By doing this they are making your ad space most valuable.

I am interested to see how the whole program works, so I created this blog site to try it out and learn more. So far, the Google Adsense account creation process has been simple. The video tutorial did help to better explain how the program works. It was through the tutorial that I learned about using Adsense with the Google Beta Blogger, which is why I chose to create this blog. This will test my ability to provide relevant, helpful content for others.

You can visit http://www.google.com/adsense if you would like to learn more about the Google Adsense program.