
Yep, right. Please welcome Tony Robinson; he's going to be talking about cutting the noise in your IDS.

Good afternoon, everyone. Okay, before we get started here, quick show of hands: how many of you are responsible for managing an IDS in some aspect? How many of you got thrown into the situation and had no idea what you were doing? How many of you are familiar with this little piece of software called Snort? Good, that's most of you. My name is Tony Robinson; my talk is on IDS and NSM, cutting the... This is a little bit of a "who am I". I'm going to kind of go over it briefly in the interest of saving time; y'all can come and get to know me a little bit afterwards, after the talk or something. But I'm a senior security analyst for Exelon: big SCADA, ICS, all that good stuff. Here's some of my contact information; I can tell you more about my past life and all that crap later.

So this is the reason why I am here today. Full disclosure: I used to work for Sourcefire, and I have seen everything from people who turn on every single signature and then complain when their production networks go down, to people who have deployed something as a knee-jerk reaction and put it inline and, again, their production network goes down, to "we're logging all this stuff to our SIEM but it's providing no value because the analysts are going nuts because there's too much data." You name it, I've probably seen it.

So the goals of the talk here, just briefly: we're going to go over things to reduce noise and get more valuable data out of your IDS, why and how you would want to do this; doing data correlation (a lot of people say that correlation with IDS is a very difficult thing to pull off properly), getting extra tools in place that will help you say definitively "you, user over here, were at this site, I can prove that you've gotten infected, and I'm going to nuke your laptop, have a nice day"; and then a couple of little toys and projects that I've been working on, a couple of open source things that I've released, just infosec toys.

So we're going to start with less noise and more signal. A common complaint that I got all the time when I was doing professional services work and technical support is that the IDS is a noise box: we have too many false positives; holy crap, this thing's CPU is at like 90%, what's going on here? The extra data that you get from your IDS is the whole reason you put it in place: you want to see the things that you couldn't see before. Sometimes, though, it can be incredibly obnoxious when you're having those false positives, or even in the case when you have true positives and you're literally getting an alert every 5 seconds: Jesus Christ, I know it's infected, hold on.

A couple of factors to consider here, which we're going to go over briefly on separate slides: placing your sensors on your network; variables to configure in your snort.conf, or in Suricata, the analogous configuration file that it uses; disabling irrelevant rules, using proper rule management tools for your open source deployments; and finally, noise reduction techniques that are built into Snort and Suricata. Before we go any further, I am going to refer to them as being more or less the same, before people start throwing crap at me; they are more or less the same under the hood, with some minor things here and there.

So, without further ado, I'm going to get started with sensor placement. It's just a fact of life: one sensor will not meet all of your NSM needs if you have a relatively large network. Of course, there are exceptions to the rule; if you're a small business then you can probably get away with a single sensor and you're good to go. But for the majority out there, a single sensor just isn't going to cut it, no matter how well tuned you have it. Putting them in more places, and by more places I mean like your ingress/egress points in your network, or in the DMZ, or at your core, where your core switches are in the network, or at the distribution layers closest to, like, the engineering department or the finance department: putting more sensors in more places just makes more sense. It makes it easier to tune each individual sensor, and it gives you a little bit more correlation and a little bit more context with those alerts.

If you can't do it all, if you don't have that capital expenditure, that OpEx, to have the analysts handle all those events or buy all of those sensors, start small: start with one sensor at a time. The most important place I usually would recommend to start is definitely at your ingress/egress points, and to reduce the amount of pain you have to deal with, start behind any NAT devices you've got, or proxies. This will save you a lot of pain in the future. This is just a diagram that I threw together, and it's a mess of arrows going all over the freaking place, but the general idea is that each of these little boxes right here, the IDSs and IPSs, those are different areas of the network, and they're looking at traffic and they have context into different users or different servers that your applications or your systems are going to. Again, more is better, and again, I'm being a realist here: you might not be able to cover all that in the beginning; just build your deployment and scale it as you go.

So, having covered placement, we're going to go briefly into IP variables and port variables. These are in the snort.conf file that pretty much is the brains behind Snort: it tells it how to function, tells it what IP addresses are what, what ports go where. I saw a lot of hands go up; you all should know what this is. So, starting with port variables: these are, like, TCP and UDP port numbers that a rule should apply to. They can take port ranges, a comma-separated list of ports, or even substitute the value of another port variable. IP variables work pretty much the same as port variables, except you're looking at IP addresses. They take CIDR notation, comma-separated lists of IP addresses, and again you can substitute the value of one IP variable and put it inside of another. Just a small note here that some people miss: the preprocessors in Snort and Suricata have their own settings and their own IP address configurations. Just a little aside; I've seen that missed a couple of times, and that sprouts false positives all over the place.

This is just a diagram that kind of shows you what the snort.conf file looks like for reporting IP variables. That text is way too small, and I apologize, but you see "ipvar" up here, "HOME_NET"; "any" is a special keyword in Snort saying any IP address can be a home network address. Generally speaking, that's one of the first things that you want to change: defining that HOME_NET variable to a CIDR block that you want to protect, and usually setting EXTERNAL_NET to either "any" or "!$HOME_NET", which in Snort-speak is "not HOME_NET". Then down here we define... this is how you would define port variables, and here's a good example with the HTTP port variables. These are ports where you would expect to see a web server, or where Snort should expect to see web servers, and where some of those web-related rules should be applied. Again, you can refer to other IP variables, you can refer to other port variables within another variable; it's pretty straightforward. You can also define your own variables; that's perfectly fine, and Snort will let you do that just as well.

So why are we doing all this? What's the importance of this; why should you care about setting these? A lot of Snort rules rely on those variables accurately reflecting your network, accurately reflecting where you're deploying that sensor, and if they're not given any attention or love, if you just go in with a straight HOME_NET any, EXTERNAL_NET any, you're going to have a very bad time. It's going to be a lot of fun to clean up. So if nothing else, the first thing to focus on would be getting proper IP address ranges for your HOME_NET and your EXTERNAL_NET values. Generally speaking, if you don't have that documented, a couple of places that I've had tremendous luck with: talking to your sysadmins and getting DHCP scopes. If you can get those exported, just in a little CSV file, that's really awesome. It helps set up your home networks, it helps you to actually learn what networks certain applications are running on, and you get the bonus later for the frag3 and stream5 preprocessors: you get to know what operating systems and what applications are on what subnetworks, and it helps to configure those preprocessors and make them more accurate just as well.

Another area to look for your port variables would be what firewall rules you have in place on your network currently: what is your firewall allowing, what is it disallowing, and if there are any port variables in your Snort configuration file that are relevant to that, just reflecting what your firewall profile, what your firewall rules, look like. If you're still lost, at a minimum, like I set up here, you want to start focusing on your HOME_NET and EXTERNAL_NET variables. Just start with your generic RFC 1918 address ranges, your 192.168.0.0 (that's /16), your 172.16 and your 10-dot network, and then, as you start getting events, or as you get that information from those other groups, or you start bribing your admins with beer, just fill that out. That's all there is to it.

So we're going to move on to tuning the rule set here, and I'm going to make this ridiculously fast. Show of hands: how many of you here have not heard of PulledPork? Okay, well, just for you guys, and just for our fine viewers on the internet: PulledPork is an open source project. It was made by JJ Cummings at Sourcefire, and it's a godsend for rule management. It downloads the latest rules, it automatically configures them, there are tons of settings that define what rules are enabled or disabled, it handles your local rules, and it slices and dices and purees. So if you aren't using it, definitely use it.

So the next portion here, talking about those little internal features to do noise reduction: we're going to start here with a little bit of a brief anatomy of a Snort rule, because this is relevant to what I am going to talk about. As most of you know, there are two major sections of a Snort rule: there's the header, with IP addresses and ports, and then there's the body, which defines what content matches you're actually looking for when you see a conversation with those IP addresses or on those individual port ranges. Here is an example rule that I pulled up; it's for a logmein.com connection, and you can see up here there's the rule header, where we're looking at a specific action to take, what protocol (TCP, UDP, ICMP), what IP address variables we want this rule to apply to, and port numbers that we want this rule to apply to, as well as what direction we want this to go in. Then the rule body defines what content matches we're doing, or what unique things we want to see in this connection before we trigger an alert. That's kind of broken down a little bit down here too: your rule action, your protocols, your IP addresses, the directionality. It's all fairly straightforward.

So we're going to start by talking about those nice techniques to reduce noise. I'm going to start with pass rules. Pass rules are incredibly effective. Essentially, all you're doing with a pass rule is modifying the header of a Snort rule ever so slightly, to where it is only effective for a few IP addresses or a couple of ports. All you're doing is mainly just messing with the header and copying and pasting, and this basically allows you to squelch out noise for a particular set of IP addresses that you know are generating false positives for a single rule, while allowing that rule to still be active for the rest of your network. This next page here gives an example. Again, this is our logmein rule; it's the same rule that was on the last page. We're looking at traffic from EXTERNAL_NET on port 443 coming into our home network with "logmein.com" in the stream, and then all we're doing down here is changing "alert" to "pass", changing this to a single IP address that we don't want this to apply to, maybe adding a note here in the message to let us know what this pass rule was for, and then down here giving it a different Snort signature ID number and a revision number for us to track that. This basically says: if you see this content match for this particular IP address and this port, just ignore it, don't generate an alert, it's fine.

Next I'm going to discuss suppressions, limits and thresholds. In layman's terms, suppressions basically stop the rule from firing without removing the rule from your rule set. I don't like them as much as pass rules, because with those pass rules you can be very granular: you can add extra content matches, you can add different ports and IP addresses and a bunch of different criteria, whereas a suppression operates on basically a source or a destination IP address and a signature ID number for Snort. Thresholding is the concept that a rule must match, or a content match must occur, a certain number of times within a certain number of seconds before we trigger a single alert. Then finally we have limits here, which say we only want to see X number of alerts if it's triggered within Y number of seconds. I personally love limits the most; comparing thresholds and limits, I like using limits a lot more. It helps in reducing the noise; it helps in those situations where you know your host is infected with something but you're not being chain-gunned with those alerts every 5 seconds, every 20 seconds. You just say, I only want to see this alert this many times in this period in seconds, and I'll show an example on the next page here of what a limit looks like.

So we have here, for our logmein.com rule, we say that we want that particular generator ID, that Snort signature; we're telling Snort that this is a limit and that we want to track it by the source IP address that generated it; we only want to see one event every 3600 seconds, so that's one event per hour. That's enough to let me know that this activity is going on, and it's not filling up the console, filling up the SIEM, with extra worthless alerts. Down here we have an example of a threshold, and thresholds kind of work in an opposite manner, where we still have the generator ID and the signature ID, but instead we're tracking if 10 events occur within 60 seconds; that's when I want to see an alert pop up on my console or go to the SIEM.

So I added this one in at the last minute. Snort has a relatively new feature, IP reputation; it's just IP whitelisting and blacklisting. Basically, the way it works in Snort is, if it sees a blacklisted IP, one that is part of that blacklist (which PulledPork incidentally will pull down for you automatically), it's just the alert generated; there's no further processing done. We know this is bad traffic, let's move on. And again it works in a similar manner for whitelisted IP addresses: this is a known good IP address, we don't care about it, let's move on. It's a little bit lower in Snort's software stack in terms of processing traffic, doing normalization with preprocessors, scanning against signatures; it's lower in that software stack, so these are pretty efficient. If you know that there are certain IP addresses on your network, vulnerability scanners or things of that nature, that you know are noisy and are going to generate false positives, just whitelist or blacklist them right off the bat and you're good to go. The downside is that your only criterion, of course, is IP address. Pass rules are a little bit more surgical, but they operate further up that stack, so to speak, during signature processing. I'll show a diagram of that in just a little bit here.

And of course we come to the old standby, Berkeley packet filtering. If you're familiar with tcpdump, you've probably seen a Berkeley packet filter sometime in your life. I've got a link in here on my slide deck that has been absolutely awesome in teaching Berkeley packet filters for Snort; I'll be releasing the slide deck after the talk. It's absolutely awesome. Basically, what this allows you to do is, when Snort is doing traffic acquisition and just picking up that traffic off the wire, the Berkeley packet filter allows you to just ignore it straight out, as soon as the traffic comes in. It's even more efficient than those whitelist rules or the IP reputation preprocessor in that aspect. But I'm going to give an example here of a simple BPF. Right up here, near the top, that is "not", and all this in parentheses here is "not (tcp and port 443 and host 192.168.1.2)", and that just translates into: I don't care about TCP traffic where this host IP address is a source or destination for that traffic on port 443. The pros being that if you're really good with Berkeley packet filtering, they can be even more surgical than pass rules are. The downside is that Berkeley packet filtering is black magic, and I am a firm believer in that. It's very easy to paint very broad strokes, like this Berkeley packet filter I have up here: this is going to ignore all HTTPS traffic going to my box, and in some cases that might be something that you want to do; in most cases, probably not. And that's just a basic example.

So I said that I had a diagram up here that kind of explains Snort's software stack a little bit and where these noise reduction techniques kind of fit in. Here we have your data on the wire; this is the data that's coming from your tap or your SPAN port. Then the first thing Snort's doing is acquiring that data, acquiring that network traffic; this is where your BPFs are going to take place as a noise reduction technique. Then you come up here to your traffic normalization, your frag3, your stream5 preprocessors, the application layer preprocessors; IP reputation is in this area. Generally speaking, the lower in the stack it is, the faster Snort can make a determination whether or not this is good or bad or something that you care about. So the lower you can do this, or the lower you can apply your noise reduction techniques, the faster it's going to be and the more efficient your IDS is going to be.

Oh, five minutes. So basically, to recap: there are all sorts of sensor placement options, you have IP and port variables to define, rule management tools, options for noise reduction that are built into Snort, and that's more or less it for that section.

I'm going to briefly skim over correlation, because I have a ton of crap to go over yet, I'm sorry. So I'm going to go over a couple of tools that we use in our enterprise: httpry, passive DNS, Argus, and last but not least, of course, Bro. httpry is basically open source HTTP header parsing. This tool pairs really well with the malware C&C, blacklist, user agent, URI and exploit kit rules from the Snort rule set, and it basically allows you to record HTTP headers on the wire as long as you give it a network feed. This next page is just kind of a brief example: this is my web client requesting Twitter; you can see my user agent, the IP address, what time it happened, all the options that are in the HTTP headers, and what response I got back from the server. Passive DNS works almost just like httpry: you give it a passive traffic feed, and any DNS queries it sees across the wire, it's going to log them. Good for malware hunting, good for looking at your C&C domains and IP addresses, but recursive DNS makes this sort of a pain in the ass to use in very large enterprise environments, because oftentimes you're not going to get that source IP address; you're going to get your Active Directory server that's querying your primary domain name server, or something of that nature. Here's an example; you can see queries from me doing an apt-get install on one of my systems, and me going to Twitter and posting something.

Then finally we have Argus and ntop, which are metadata for traffic: those are your initiators and responders, source and destination IP addresses, what protocols and ports, how many bytes were transferred, and information of that nature about the session. This isn't full packet capture; this is just metadata about that session that occurred. Here's a screen cap; I know it's really tiny, but you can see that there's ICMP traffic here, that there's TCP traffic, that there's ARP here, just the metadata: how many bytes, how many total packets, who initiated the connection, and things of that nature. Then basically all I want to really say about Bro is that it does all of that by default. It does the HTTP header parsing, it does passive DNS, it does a little bit of flow monitoring, and it can log services, it can log software seen on the network, it can do connection summaries, and all of this without knowing the Bro scripting language. This is just compiling it and pointing it at a traffic feed; I generated this data in a single evening.

Just to recap again: these are tools that will help make making sense of your IDS events a little bit easier. If you get an HTTP alert for a known exploit kit signature, you can go through your httpry logs and correlate that, as an example; you can correlate the DNS hits, things of that nature. It makes making sense of your IDS logs that much easier.

In this final section here, I'm just going to go over a couple of little neat open source projects that I've been working on in my spare time. The first one here being Autosnort. Long story short, this is a set of scripts that I developed that will take you from a base operating system, out of the list here, install all your prerequisites for Snort, install a nice web front end, MySQL, and get everything up and running to get you a standalone sensor as soon as possible. At the bottom there are just the web interfaces and the output interfaces that my script will automate for you. This is just a screen cap as an example; it's very Metasploit-like. I'll give you an example of what's going on here: yellow being informational events, green being good events, blue being "what am I doing right now", and the red asterisk there being "this is something bad that's happened, look at the error logs, or send them to me and complain to me."

Unlimited is just a really simple Python script that I threw together for generating thresholds and limits for Snort to include in your Snort configuration files. It takes a comma-separated file and it will produce those threshold and limit statements for you, for creating a separate configuration file full of them, and overall just make that whole threshold and limit generation portion a lot easier for you to do. It runs on Python 2.7 and it works for Windows and Linux. This is just a screen cap here (I'm almost done, please) of what the script does and what it looks like. It will handle all of the generation, it'll show you what the output looks like, and it'll put it into a text file for you.

Then Blindseeker is just a wiki and a blog that I have set up; it's an information security-centric wiki that I have for discussing all sorts of security techniques, mainly centered around IDS right now, like introductory IDS concepts and IPS concepts. Feel free to go there, take a look at it, tell me what you think, tell me what you'd like to see, tell me what isn't clear, and I'll add to it as soon as I have time to do it.

And that's basically about it. Right now I'd give shout-outs and thank-yous, but I'm already over time. I severely apologize. Again, if you want to get to know me, I'll be out in the hall, and I'll see you guys there. [Applause]
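The following is an added example, not code from the talk and not the speaker's Unlimited script or PulledPork. It puts the noise-reduction pieces discussed above (pass rules derived from an alert rule, and limit/threshold/suppress statements generated from a CSV) into one runnable Python 3 script. The sample rule modelled on the logmein.com example, the sids, and the IP addresses are all constructed for illustration; the output follows Snort 2.x syntax.

```python
"""Generate Snort noise-reduction statements from a base rule and a CSV.

Added example: not code from the talk, from PulledPork or from the speaker's
own tools. SAMPLE_RULE, SAMPLE_CSV, the sids and IPs are constructed.
"""
import csv
import re

# Header of a Snort rule: action proto src sport dir dst dport (body)
RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$'
)
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg:\s*"([^"]*)"\s*;')


def parse_rule(rule):
    """Split a rule into its header fields plus the raw body and the sid."""
    m = RULE_RE.match(rule.strip())
    if m is None:
        raise ValueError("not a Snort rule: %r" % rule)
    fields = m.groupdict()
    sid = SID_RE.search(fields["body"])
    if sid is None:
        raise ValueError("rule has no sid option")
    fields["sid"] = int(sid.group(1))
    return fields


def make_pass_rule(rule, ip, new_sid, side="dst"):
    """Clone `rule` as a pass rule that applies only when `ip` is the source
    or destination. The body (content matches) is kept, so the exception is
    exactly as specific as the original alert. Snort 2.x evaluates pass rules
    before alert rules unless `config order` has been changed."""
    if side not in ("src", "dst"):
        raise ValueError("side must be 'src' or 'dst'")
    r = parse_rule(rule)
    r[side] = ip
    body = r["body"]
    msg = MSG_RE.search(body)
    label = "PASS %s for %s" % (msg.group(1) if msg else "sid %d" % r["sid"], ip)
    if msg:
        body = MSG_RE.sub(lambda _: 'msg:"%s";' % label, body, count=1)
    else:
        body = 'msg:"%s"; %s' % (label, body)
    body = SID_RE.sub("sid:%d;" % new_sid, body, count=1)       # new sid for tracking
    body = REV_RE.sub("rev:1;", body, count=1) if REV_RE.search(body) else body + " rev:1;"
    return "pass %s %s %s %s %s %s (%s)" % (
        r["proto"], r["src"], r["sport"], r["dir"], r["dst"], r["dport"], body)


FILTER_TYPES = ("limit", "threshold", "both")
TRACK_TYPES = ("by_src", "by_dst")


def filters_from_csv(text):
    """Turn CSV rows (gid,sid,type,track,count,seconds,ip) into threshold.conf
    lines: event_filter for limit/threshold/both, suppress for suppress."""
    lines, seen = [], set()
    for row in csv.DictReader(text.strip().splitlines()):
        gid, sid = int(row["gid"]), int(row["sid"])
        track, kind = row["track"].strip(), row["type"].strip()
        if track not in TRACK_TYPES:
            raise ValueError("%d:%d: bad track %r" % (gid, sid, track))
        if kind == "suppress":
            ip = row["ip"].strip()
            if not ip:
                raise ValueError("%d:%d: suppress needs an ip" % (gid, sid))
            lines.append("suppress gen_id %d, sig_id %d, track %s, ip %s"
                         % (gid, sid, track, ip))
            continue
        if kind not in FILTER_TYPES:
            raise ValueError("%d:%d: bad type %r" % (gid, sid, kind))
        # Snort accepts only one event_filter per gen_id/sig_id pair.
        if (gid, sid) in seen:
            raise ValueError("duplicate event_filter for %d:%d" % (gid, sid))
        seen.add((gid, sid))
        count, seconds = int(row["count"]), int(row["seconds"])
        if count < 1 or seconds < 1:
            raise ValueError("%d:%d: count and seconds must be >= 1" % (gid, sid))
        lines.append("event_filter gen_id %d, sig_id %d, type %s, track %s, "
                     "count %d, seconds %d" % (gid, sid, kind, track, count, seconds))
    return lines


# Constructed sample rule modelled on the talk's logmein.com example.
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET 443 -> $HOME_NET any '
               '(msg:"POLICY logmein.com connection"; flow:to_client,established; '
               'content:"logmein.com"; nocase; sid:1000001; rev:2;)')

# Constructed CSV: one limit (1 per hour per source), one threshold
# (10 in 60 s per destination), one suppression for a noisy scanner host.
SAMPLE_CSV = """gid,sid,type,track,count,seconds,ip
1,1000001,limit,by_src,1,3600,
1,1000003,threshold,by_dst,10,60,
1,1000002,suppress,by_src,,,10.0.0.23
"""

if __name__ == "__main__":
    print(make_pass_rule(SAMPLE_RULE, "10.0.0.23", 9000001))
    for line in filters_from_csv(SAMPLE_CSV):
        print(line)
```

The `event_filter` keyword is the current spelling of the older `threshold` statement in threshold.conf; both are accepted by Snort 2.x. The `suppress` line also accepts a CIDR mask in place of a single host. Keep generated pass rules in local.rules so that a rule update does not overwrite them.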