Snort!(fp): Real-Time Passive Network Fingerprinting with Snort!

------------
Introduction
------------

Snort!(fp) extends the capability of the Snort! intrusion detection
open-source product to include OS and network daemon fingerprinting. Thus,
with a properly configured Snort! environment (including the fp extension),
you would be able to determine, given an IDS alert:

  (1) What operating system the (alert) source/destination system is running
  (2) What network services/daemons the (alert) source/destination system is
      running

Example (1): An IDS alert indicates a DCOM vulnerability (known to only
affect Windows systems). Is the destination system running a Windows
operating system? Snort!(fp) will tell you!

Example (2): An IDS alert indicates an MS-SQL worm propagating on your
network. Are the destination systems running MS-SQL? Snort!(fp) will tell
you!

Example (3): What new systems have appeared on my network? What OSes are they
running? What services are they offering? Snort!(fp) will tell you!

Example (4): Are any of my old systems offering new network services that
they shouldn't be? Perhaps a backdoor of some kind? Snort!(fp) will tell you!

------------
Architecture
------------

Snort!(fp) is based on the following tools:

  IDS:                    Snort! (needs to be patched before building)
  DB:                     MySQL (no modifications except to tables)
  HTTPD:                  Apache (no modifications needed)
  Interface:              ACID (needs to be patched to support fingerprinting)
  OS Fingerprinting:      p0f (the 'p2s' utility converts to Snort! syntax)
  Service Fingerprinting: native Snort! rules

Both Snort! and ACID have been extended to support fingerprinting functions.
The ACID database schema has also been modified to support fingerprinting.

Snort! Modifications:

The following Snort! syntax has been modified/added to support OS
fingerprinting. With the addition of this syntax, p0f rules can be
identically replicated in Snort!

  window:[%,S,T]value;     Added modulus, "S" and "T" p0f window functions.
  ttl:[<,>,=,<=,>=]value;  Modified TTL to support <= and >= operators.
  length:[>,<,=]value;     Added tests for actual packet length (as compared
                           to dsize).
  tcpopts                  Added TCP options test. Multiple options are
                           separated by commas.
    tcpopts:nop;             NOP.
    tcpopts:eol;             EOL.
    tcpopts:ws[=,%]value;    Window Scale.
    tcpopts:mss[=,%]value;   Maximum Segment Size.
    tcpopts:sack;            Selective ACK.
    tcpopts:time[!,=]value;  Timestamp.
    tcpopts:number=value;    Generic TCP option number equals value.
  quirks                   TCP quirks checks (from p0f).
    quirks:opeol;            TCP options past EOL.
    quirks:nzup;             Non-zero urgent pointer.
    quirks:nzuf;             Non-zero unused (reserved) TCP flags.
    quirks:oddflags;         Unusual TCP flags set.
    quirks:extra;            Extra TCP payload data.
    quirks:broken;           Broken TCP options.
    quirks:seqack;           Sequence number equals acknowledgement number.
    quirks:rsttext;          Text (payload data) found in RST packet.

Additional modifications have been made in Snort! to support fingerprinting,
especially within the database logging routines. These modifications had to
be made to separate traditional alerts from fingerprint log information.

snort.conf and classification.config have also been modified. Most notably,
a service-fingerprint and an os-fingerprint classification type have been
added. To increase efficiency, classification.config is now read earlier in
snort.conf so that the database output plugin is aware of the fingerprinting
data type. (This prevents a classification lookup for every packet logged.)

Database Schema:

The MySQL database schema (other DBs not yet supported) has been modified to
support fingerprinting. Most notably, the "fpevent" table was added to
separate standard alert events (originally, and still, in the "event" table)
from fingerprint alerts. The fpevent table (and the corresponding Snort!
database routine functions) have been modified to store only the first and
last fingerprint entries for a given IP and port number (OS fingerprints are
identified by port 0).
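The fpevent retention rule described in this section (one row per IP and port, only first and last timestamps kept, port 0 meaning an OS fingerprint, and a more specific, lower-priority fingerprint never overwritten by a generic one), modelled as an added example that is not the project's spo_database.c or its schema. The column names, the sqlite3 stand-in for MySQL, and the tie rule (equal priority replaces) are assumptions.

```python
"""Added model of the Snort!(fp) fpevent retention rule (not the project's
own code).  Column names and the sqlite3 stand-in for MySQL are assumptions;
the rules encoded come from the README: one row per (ip, port), port 0 is an
OS fingerprint, only first/last timestamps are kept, and a lower priority
(more specific) fingerprint is never replaced by a higher (generic) one."""
import sqlite3


def open_fpdb():
    # In-memory stand-in for the MySQL fpevent table (schema is assumed).
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE fpevent (
        ip TEXT, port INTEGER, signature TEXT, priority INTEGER,
        first_seen INTEGER, last_seen INTEGER, PRIMARY KEY (ip, port))""")
    return db


def record_fingerprint(db, ip, port, signature, priority, ts):
    """Apply one fingerprint match: insert if the (ip, port) is new, otherwise
    refresh last_seen, and replace the stored description only when the new
    match is at least as specific (ties replacing is an assumption)."""
    row = db.execute("SELECT priority FROM fpevent WHERE ip=? AND port=?",
                     (ip, port)).fetchone()
    if row is None:
        db.execute("INSERT INTO fpevent VALUES (?,?,?,?,?,?)",
                   (ip, port, signature, priority, ts, ts))
    elif priority <= row[0]:
        # Same or lower priority number = same or more specific: take it over.
        db.execute("UPDATE fpevent SET signature=?, priority=?, last_seen=? "
                   "WHERE ip=? AND port=?", (signature, priority, ts, ip, port))
    else:
        # More generic than what is stored: keep the description, bump last_seen.
        db.execute("UPDATE fpevent SET last_seen=? WHERE ip=? AND port=?",
                   (ts, ip, port))
    db.commit()


def current_fingerprint(db, ip, port):
    """(signature, priority, first_seen, last_seen) for one host/port, or None."""
    return db.execute("SELECT signature, priority, first_seen, last_seen "
                      "FROM fpevent WHERE ip=? AND port=?", (ip, port)).fetchone()


def new_services_since(db, now, window=24 * 3600):
    """Service rows (port != 0) first seen inside the window: the README's
    'what new services have appeared in the last 24 hours?' question."""
    cur = db.execute("SELECT ip, port, signature FROM fpevent WHERE port != 0 "
                     "AND first_seen BETWEEN ? AND ? ORDER BY ip, port",
                     (now - window, now))
    return cur.fetchall()
```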
It is too impractical to store every fingerprint event. However, given the
first and last timestamps, we can answer important questions such as "What
new services have appeared on my network in the last 24 hours?"

Additionally, an existing specific fingerprint event is never replaced by a
generic one. The standard Snort! "priority" field is used to identify more
specific fingerprint descriptions. For example, a previously identified
"specific" Apache Web Server should not be replaced by a "generic" TCP service
fingerprint on port 80. Similar to Snort! alert syntax, a lower priority is
considered a more specific fingerprint.

ACID Modifications:

Two major modifications have been added to ACID. First, the IP query
(acid_stat_ipaddr) screen has been modified to include any fingerprints
associated with the queried address. Second, a "Network Fingerprints"
(acid_stat_fingerprints) query has been added to display a list of all
fingerprints. Fingerprints can be sorted by address, port, signature, first
seen (time), last seen (time), and service description.

------------
Installation
------------

These are general installation directions. The reader is assumed to have
knowledge of integrating ACID, MYSQL, Apache and Snort!

1. Download, build and install MYSQL database (www.mysql.com)

2. Download, build and install Apache httpd (www.apache.org)

3. Snort! IDS

   3.1 Download the Snort! 2.1.2 source code (www.Snort.org)

   3.2 Apply the 2.1.2fp patch

       $ cd snort-2.1.2
       $ patch -Np1 < snort-2.1.2fp.patch

   3.3 Build Snort! with MYSQL DB support enabled

       $ ./configure --with-mysql[=/mysql/directory/path]
       $ make

       Warning(s) that can be safely ignored:
         spo_database.c:2417: warning: second parameter of `va_start' not last named argument

       # make install

4. Update MYSQL Schema

   Replace (as in destroy all previous data) the MySQL database to support
   fingerprinting. YES, THIS WILL DESTROY ANY OLD DATA, so back up
   appropriately.

       $ mysql -u root -p < ./contrib/create_mysql_fp

5. ACID
   5.1 Download, build and install ACID
       (http://www.andrew.cmu.edu/~rdanyliw/Snort/Snortacid.html, also
       available in the ./contrib directory)

   5.2 Apply the acid-0.9.6b23fp.patch directly in your htdocs/acid directory
       (patch available in the ./contrib directory)

       # cd /usr/local/apache2/htdocs/acid
       # patch -Np1 < acid-0.9.6b23fp.patch

6. Configure snort.conf for MYSQL database support -- be sure to use the
   patched snort.conf and classification.config files

7. Copy osfp-syn.rules and servicefp.rules from the 2.1.2 patched directory
   to your Snort! rules directory.

8. Start your HTTPD, MYSQL, and Snort! daemons

9. Browse ACID -- see the "Network Fingerprints" links on the main page.

---
p2s
---

p2s is a conversion utility to convert p0f files to Snort! rules. See
./contrib/p2s-2.1.tar.gz for more info, including source and README.p2s

--------------
TODO/NEED HELP
--------------

(1) Complete testing of the p0f Snort! signatures. See README.p2s in the
    gzipped archive for testing status.
(2) Test on other platforms. Successfully tested on Red Hat Linux 8.0.
(3) Write DB routines in spo_database.c to support other databases.
    Presently, only MYSQL is supported.
(4) Write more OS and service signatures!

------------
Bugs/Support
------------

If you'd like to report a bug or contribute in another way to the Snort!(fp)
project, please contact me directly at sdreed@verizon.net.

On-On!