Snort: "uninvited" detection engine
This document contains:
- What is the "uninvited" detection engine
- How to add to the snort-2.0.0 distribution
- How to use it
- Questions, comments, and feedback
What is the "uninvited" detection engine
The "uninvited" detection engine looks for any inbound packets that are not
part of a reply. It is intended for use outside a low-volume firewall,
such as a DSL or Cable modem. In this low-volume situation, there should
be few network sessions that initiate outside of the firewall. Rather,
requests generally initiate from within the firewall, and then remote
systems reply to the requests. These replies are "invited" by the local
host. In contrast, if the initial packet (request) comes from outside the
firewall, then that packet and the entire session are "uninvited".
Note: "uninvited" does not mean "unwelcome". If you run a web server, then
you probably expect uninvited traffic on port 80/tcp.
This detection engine works by tracking all source and destination IP
addresses, ports, and protocols (s/d/p/p), and comparing them with both
previously seen s/d/p/p and with the IP address (or subnet) of the host
system.
- If neither source nor destination match the host system, then the
traffic is uninvited. On a cable, DSL, or regular modem, there should be
no adjacent IP traffic on the line.
- If s/d/p/p starts a session and originates from the host, then the
entire session is "invited".
- If s/d/p/p starts a session and originates from outside the host, then
the entire session is "uninvited".
Tracked sessions time out after a period of inactivity.
- A remote TCP.SYN request times out after 10 seconds.
This fast timeout prevents port scans from consuming all tracked session
IDs. In addition, the local system should be able to respond within 10
seconds. For bigger servers, this timeout could be reduced to 2 seconds.
(There is a slack of +/- 0.9 seconds in the timings.)
- A local TCP.SYN request times out after 30 seconds.
This slow timeout assumes that the external network connection could be
slow.
- An established TCP session (SYN,ACK and ACKs after the initial SYN)
times out after 30 minutes. For long idle sessions, you may wish to
increase this time.
- A TCP session changes to a 30-second timeout after a TCP.FIN or
TCP.RST is observed.
- A non-TCP session (e.g., UDP or ICMP) times out after 5 minutes.
In addition, since ICMP packets may be in reply to a UDP or TCP request,
the system will match these ICMP packets (e.g., ICMP host unreachable or
TTL expired) with established TCP/UDP tracked sessions.
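To make the tracking rules above concrete, here is an added Python model of the session tracker (my own illustration, not the sp_uninvited.c plugin code). It keys sessions by a direction-independent s/d/p/p tuple, marks a session invited only if its first packet came from the home network, applies the timeouts listed above, and lets an ICMP error quoting a tracked TCP/UDP packet inherit that session's status; the home network, addresses and timestamps in demo() are constructed.

```python
import ipaddress

REMOTE_SYN, LOCAL_SYN, ESTABLISHED, CLOSING, NON_TCP = 10, 30, 1800, 30, 300  # seconds, from the text

class UninvitedTracker:
    def __init__(self, home_net):
        self.home = ipaddress.ip_network(home_net)
        self.sessions = {}  # direction-independent s/d/p/p key -> [invited, expires]
    @staticmethod
    def _key(src, dst, proto, sport, dport):
        # Sort the two endpoints so a reply maps onto the request's session.
        a, b = (src, sport), (dst, dport)
        return (proto,) + (a + b if a <= b else b + a)
    def classify(self, now, src, dst, proto, sport=0, dport=0, flags="", inner=None):
        src_home = ipaddress.ip_address(src) in self.home
        if not src_home and ipaddress.ip_address(dst) not in self.home:
            return "uninvited"  # neither endpoint is us: stray traffic on the line
        for k in [k for k, s in self.sessions.items() if s[1] <= now]:
            del self.sessions[k]  # forget sessions idle past their timeout
        if proto == "icmp" and inner is not None:
            # ICMP error quoting a tracked TCP/UDP packet inherits that session's status
            s = self.sessions.get(self._key(*inner))
            if s is not None:
                return "invited" if s[0] else "uninvited"
        key = self._key(src, dst, proto, sport, dport)
        sess = self.sessions.setdefault(key, [src_home, 0.0])  # first packet decides
        if proto != "tcp":
            ttl = NON_TCP
        elif "F" in flags or "R" in flags:
            ttl = CLOSING
        elif "S" in flags and "A" not in flags:  # bare SYN: session being opened
            ttl = LOCAL_SYN if sess[0] else REMOTE_SYN
        else:
            ttl = ESTABLISHED
        sess[1] = now + ttl
        return "invited" if sess[0] else "uninvited"

def demo():
    # Constructed packet sequence on home net 192.168.1.0/24; times are seconds.
    t, lan, web, attacker = UninvitedTracker("192.168.1.0/24"), "192.168.1.10", "198.51.100.5", "203.0.113.9"
    return [
        t.classify(0.0, lan, web, "tcp", 40000, 80, "S"),         # local opens HTTP
        t.classify(0.2, web, lan, "tcp", 80, 40000, "SA"),        # reply: same session
        t.classify(1.0, attacker, lan, "tcp", 55555, 22, "S"),    # remote SYN to ssh
        t.classify(1.5, lan, attacker, "tcp", 22, 55555, "SA"),   # our reply is still uninvited
        t.classify(2.0, attacker, web, "udp", 53, 53),            # neither side is home
        t.classify(5.0, lan, web, "udp", 5353, 53),               # local DNS query
        t.classify(5.1, web, lan, "icmp", inner=(lan, web, "udp", 5353, 53)),  # port unreachable
        t.classify(2000.0, web, lan, "tcp", 80, 40000, "A"),      # HTTP idle > 30 min: expired
    ]
```

The last packet shows why the established-session timeout matters: after 30 idle minutes the HTTP session is forgotten, so a stray segment from the remote side is classified as uninvited rather than matched to the old session.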
How to add to the snort-2.0.0 distribution
- Download the Snort-2.0.0 source code distribution from www.snort.org
- Install the source code distribution
- Download the snort.uninvited.tar.Z source code.
- Expand the snort.uninvited.tar.Z in the snort-2.0.0 directory.
This will create/overwrite the following files:
- src/detection-plugins/sp_uninvited.c: The uninvited detection engine.
- src/detection-plugins/sp_uninvited.h: Header for the uninvited detection engine.
- src/detection-plugins/Makefile.in: Adds the build rule for the engine.
- src/plugbase.c: Replacement file that includes the sp_uninvited.h header
and calls the SetupUninvited() function.
- src/plugin_enum.h: Includes the PLUGIN_UNINVITED enumeration.
- Follow the snort-2.0.0 compilation instructions (configure, make)
How to use the "uninvited" detection engine
The "uninvited" detection engine is used like any other detection engine.
For example: A rule file containing
"log ip any any -> any any (uninvited;)"
will log all uninvited IP traffic, including TCP, UDP, and ICMP.
Someone on a cable modem may want to start snort with:
snort -de -b -l ~/tmp -h homenet -c Uninvited.rule -k none not arp and not host bootps_server
Cable modem terminal servers (CMTS) usually send all broadcast traffic
to all cable modems. Without filtering ARP and BOOTPS (67/udp), the
log file would quickly fill with broadcast messages.
NOTE: Currently, the engine requires the use of "-h" to specify the home
network IP address range. I will change it to use $HOME_NET later.
(Parsing to find the p->name for $HOME_NET, and then splitting the
value into an IP address and subnet will take more time than I currently
have.) If someone wants to do this coding, I'll incorporate the changes.
Questions? Comments? Feedback?
If you have any thoughts or suggestions for this detection engine,
please contact:

I cannot respond to all messages or guarantee to incorporate any changes,
but I will read the messages and respond to as many as I can.