Writing Snort Rules

Writing Snort Rules
by Kishin Fatnani

Snort, as you would know, is a tool used to detect intrusions on a network. Though the tool can also be used for packet logging, sniffing or as an IPS, however in this article we will look more into the concept of rules by which Snort detects interesting traffic for us, basically the kind of traffic we are looking for, like a network attack, a policy violation or may be traffic from a network application or device that you are troubleshooting. For instance, if someone is doing XMAS port scan to our network using nmap with the -sX option, Snort will give us the following alert message.

[**] [1:2000546:6] ET SCAN NMAP -f -sX [**]

[Classification: Attempted Information Leak] [Priority: 2]

10/15-08:51:46.970325 192.168.0.111:62202 -> 192.168.0.1:132

TCP TTL:53 TOS:0x0 ID:28031 IpLen:20 DgmLen:40

**U*P**F Seq: 0xD70FB1F3 Ack: 0x0 Win: 0x800 TcpLen: 20 UrgPtr: 0x0

[Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_NMAP][Xref => http://doc.emergingthreats.net/2000546]

If the use of P2P or IM applications is against the corporate policy, Snort can detect their use on the network and provide alerts with messages similar to these:

To read the complete article, download the magazine from here:
http://hakin9.org/magazine/1576-hakin9-starterkit-snort-exposed

Interest in information security or may be hacking seems to be really growing in India. Immediately after the first malware conference ended in Mumbai, another conference 'ClubHack' commenced in Pune. ClubHack is not new, it is India's first hacking convention and this was their 4th year. It's one of my favourite events and I make sure to attend every year, however this year I could just attend the technical briefings and missed the workshops and panel discussions.

The briefings surely had enough of good quality stuff to make it worth travelling all the way to Pune. It was great to learn about Android issues from an expert who has developed the most popular Android app 'Antivirus Free'. The session on Firefox security was also an eye-opener making us understand how easy it was to write a malicious extension for the browser and even easier was their installation. Another interesting presentation was about cloud computing for forensics in which it was demonstrated how to make the time consuming tasks in forensic analysis quicker and that to at a highly reduced cost.

Rohit and his team have been doing a fabulous job of conducting the conference each year and regularly publishing the ClubHack Magazine.

'Malcon' that is the name of the first ever malware conference which was held in Mumbai in Dec 2010. I was very excited when I heard about this conference and immediately decided to attend this. The number of people that showed up for this conference were beyond my expectation and surprised me a lot, though it can in no way be compared with the crowd I've seen at DefCon, however as a new comer it was a great success. The audience was a mix of students, security pros, government officials, teachers, cops and may be the real bad guys too. There were a couple of pre-conference workshops, of which I attended the malware analysis by Atul Alex. It was good to hear all the low level stuff like assembly instructions, opcodes, interrupts etc and see a demonstration of writing malware.

Atul Alex also presented a paper in the conference which was about taking over control of Symbian phones which was an eye opener. The other presentations were also quite good and so was the panel discussion at the end of the conference. One of the panelists was Alok Vijayant, Director NTRO who has been backing the organizers of most of the security conferences and encouraging the young Indian hackers. He believes that having the best protection is not just enough but we also need to have the capability to attack back. The conference has done a good job of making people aware of the malware capabilities and how it is created, there is also a threat of people getting the wrong message or misusing their skills. It is actually debatable whether such conferences will help the nation by spreading awareness and have better skills or creating more malware making it difficult for the entire world to cope with. Well I would hope for the better but it will have some kind of side effects too.

During the panel discussion, a teacher stood up and said that now she can give a Green signal to her students to GO AND HACK, though the panelists explained her the right way to go about it. There was another interesting question about reporting a vulnerability on some government website, if someone finds a vulnerability on a website that means he might be trying to attack the site or must have done something which he was not supposed to be doing, in that case will he be arrested for the misconduct or awarded for reporting the bug. An example of the EVM machines was given by the participant. Taking the case of downloading data using SQL injection, which was mentioned by the participant, the panelist answered that if he downloads the data then he is at fault so he can just report the SQL injection vulnerability. This seemed perfectly fine to me while i was there but then I thought if he was testing a DoS attack, it can be detected only if there is actually a denial of some service, unlike SQL injection where an alert message will prove that the vulnerability exists. What will happen in that case?

Well to end this note, I would just say Malcon was great, I enjoyed being there and I hope we see it happening every year and growing always. I also hope that the government always supports such events and hope Alok is always part of it.

New Check Point Provider-1 courseware

Recently I got a chance to review the Check Point Provider-1 and VSX coursewares. see the acknowledgements in the image

Launch of Packet Master

K-Secure successfully conducted its first batch of the latest training program 'Packet Master' that teaches how to analyze network packets and craft custom packets for security testing.

Hyderabad - 11&12 Dec 2010
Mumbai - 18&19 Dec 2010

Learn how to analyze and craft packets

The skill of analyzing packets is the most essential skill required if you are a pentester / ethical hacker, a network or security administrator, intrusion analyst, forensic analyst, application security tester, researcher of vulnerabilities, or you deploy or audit firewalls and IDS, or you write custom IDS signatures. If you already acquire the skill to analyze packets, learning Scapy would just do wonders in doing your job much more efficiently and making your organizations more secure.

K-Secure's Packet Master training program would be a great help if you:

• Want to audit or test your firewall rules
• Do pentest on networks or applications
• Like to test if your IDS signature / rule works
• Wondered if your pentesting tools like nmap, arpspoof, hping etc. can give you more control and information
  

Web Attackers will have a tough time now!

The attackers have surely moved their focus on web applications but this team is now fully prepared to detect and analyze any intrustion happening through their web applications. They've acquired these skills by going through a specialized training from K-Secure.

Security Professionals' Group

We're glad to have formed a group of professionals working in the area of information security. In our first meeting yesterday, which was conducted at K-Secure's office in Mumbai, we discussed on the Vulnerability Assessment services, where the members shared their experiences talking about what vulnerabilities are commonly found and the challenges they face in closing them. There was also a demonstration of tools which made it more interesting.

The meeting was supposed to be for a 1 hour duration but there was so much excitement that we wanted to go on and on but finally decided to wind up after about 10 hours.

We have lots and lots of plans for the future of the group, so if you are interested in joining this group, please email to spg@ksecure.net.

OWASP Top 10 - 2010 released

Want to get started with application security? OWASP (The Open Web Application Security Project) has released the list of ten most critical web application security risks.

Top 10
------
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration (New)
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards (New)

More on Top 10 is given here - OWASP Top 10

Facebook phishing through live chat with Ranbir Kapoor

I was hooked on for a while to Ranbir's live chat for the Pepsi game on facebook today. At the end of the session, i observed some messages informing the users that Ranbir was still online and asked them to click on a link. Though the link looked legitimate, however, I did not want to trust it so I ran my tools to do some investigation. Soon I found that it was taking me to another URL which included the word 'hacking'. Now I was very sure that it wasnt a genuine message. Little more into it and there came a page which looked exactly like the login page of Facebook. It did not need any further investigation as it was very obvious that this was a phishing site and was looking for usernames and passwords.

GIAC recertification - taking exam is not the only option

I have been taking GIAC exams every time any of my GIAC ceritifications was about to expire and I always wondered if they can come out with an alternate option like the CISSP's CPE approach. Well the time has come and GIAC has finally made a major shift and given some options to the certified professionals. In short they have this Certification Maintenance Unit (CMU) approach. You will need to have 36 CMUs to get recertified. The CMUs can be earned by publishing a technical research paper, completing information assurance related training, documented work experience or GIAC / SANS community participation. For more information you can check thier website - http://www.giac.org/certification-renewal/

Though you can escape the examination, however, you cannot escape the recertification fees of $399 which has to be paid irrespective of what option you choose for the recertification.

DVWA / XAMPP installation