Snort(fp): Real-Time Passive Network Fingerprinting with Snort!

Snort(fp) 2.1.2 Patch (gzipped)
Snort(fp) 2.1.2 Patch w/out p2s (gzipped)
p2s utility (gzipped)
Patches for 2.2.0 and later can be found at http://snort-wireless.org

------------
Introduction
------------

Snort!(fp) extends the open-source Snort! intrusion detection system
with passive OS and network daemon fingerprinting.

Thus, with a properly configured Snort! environment (including the fp
extension), you would be able to determine, given an IDS alert:
(1) What operating system the (alert) source/destination system is running
(2) What network services/daemons the (alert) source/destination 
system is running

Example (1):
An IDS alert indicates a DCOM vulnerability (known to affect only 
Windows systems). Is the destination system running a Windows operating 
system?  Snort!(fp) will tell you!

Example (2):
An IDS alert indicates an MS-SQL worm propagating on your network.  Are the 
destination systems running MS-SQL?  Snort!(fp) will tell you!

Example (3):
What new systems have appeared on my network?  What OSes are they 
running?  What services are they offering?  Snort!(fp) will tell you!

Example (4):
Are any of my old systems offering new network services that they 
shouldn't be?  Perhaps a backdoor of some kind?  Snort!(fp) will tell you!

------------
Architecture
------------

Snort!(fp) is based on the following tools:

IDS:			Snort! (needs to be patched before building)
DB:			MySQL (no modifications except to tables)
HTTPD:			Apache (no modifications needed)
Interface:		ACID (needs to be patched to support fingerprinting)
OS Fingerprinting:	p0f (the 'p2s' utility converts to Snort! syntax)
Service Fingerprinting:	native Snort! rules

Both Snort! and ACID have been extended to support fingerprinting functions.  The ACID database schema has also been modified to support fingerprinting.

Snort! Modifications:

The following Snort! syntax has been modified or added to support OS fingerprinting.  With these additions, p0f signatures can be replicated exactly as Snort! rules.

window:[%,S,T]value;	Added modulus, "S" and "T" p0f window functions.
ttl:[<,>,=,<=,>=]value;	Modified TTL to support <= and >= operators.
length:[>,<,=]value;	Added tests for actual packet length (as compared to dsize).
tcpopts			Added TCP options test. Multiple options separated by comma.
tcpopts:nop;		NOP.
tcpopts:eol;		EOL.
tcpopts:ws[=,%]value;	Window Scale
tcpopts:mss[=,%]value;	Maximum Segment Size
tcpopts:sack;		Selective ACK
tcpopts:time[!,=]value;	Timestamp
tcpopts:number=value;	Generic TCP option number equals value.
quirks			TCP Quirks checks (from p0f)
quirks:opeol;		TCP options past EOL.
quirks:nzup;		Non-zero urgent pointer.
quirks:nzuf;		Non-zero unused (reserved) TCP flags
quirks:oddflags;	Unusual TCP flags set.
quirks:extra;		Extra TCP payload data.
quirks:broken;		Broken TCP options.
quirks:seqack;		Sequence number equals acknowledgement number.
quirks:rsttext;		Text (payload data) found in RST packet.
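To make the semantics of the new keywords concrete, here is an added example (written for this README, not code from the Snort!(fp) patch itself) that evaluates window:[%,S,T]value, ttl/length comparisons, tcpopts items and quirks against a constructed SYN packet summary.  The "S" and "T" window forms follow p0f: Sn means window == n * MSS and Tn means window == n * MTU, with MTU approximated as MSS + 40.  The SynSummary fields, the two sample packets and the rule dictionaries are constructed for the example; the generic tcpopts:number=value form is not handled.

```python
from dataclasses import dataclass, field
import operator
import re


@dataclass
class SynSummary:
    """Header fields a SYN fingerprint test consults. Constructed for this
    example; a real implementation would decode them from the packet."""
    window: int
    ttl: int
    length: int          # total IP packet length in bytes
    options: list        # (name, value) in wire order; value None for nop/eol/sack
    quirks: set = field(default_factory=set)

    def opt(self, name):
        """Value of the first TCP option called `name`, or None if absent."""
        for n, v in self.options:
            if n == name:
                return v
        return None

    def has_opt(self, name):
        return any(n == name for n, _ in self.options)


def window_matches(spec, pkt):
    """window:[%,S,T]value -- %n: window mod n == 0; Sn: window == n*MSS;
    Tn: window == n*MTU, with MTU taken as MSS+40 as p0f does for IPv4."""
    mss = pkt.opt("mss")
    if spec.startswith("%"):
        return pkt.window % int(spec[1:]) == 0
    if spec.startswith("S"):
        return mss is not None and pkt.window == int(spec[1:]) * mss
    if spec.startswith("T"):
        return mss is not None and pkt.window == int(spec[1:]) * (mss + 40)
    return pkt.window == int(spec)


_OPS = {"<=": operator.le, ">=": operator.ge, "<": operator.lt,
        ">": operator.gt, "=": operator.eq}


def compare_matches(spec, value):
    """ttl:[<,>,=,<=,>=]value and length:[>,<,=]value; a bare number means equality."""
    for sym in ("<=", ">=", "<", ">", "="):   # two-character operators first
        if spec.startswith(sym):
            return _OPS[sym](value, int(spec[len(sym):]))
    return value == int(spec)


_OPT_RE = re.compile(r"^(nop|eol|sack|ws|mss|time)(?:([=%!])(\d+))?$")


def tcpopts_match(spec, pkt):
    """tcpopts:item,item,...  Every listed option must be present; ws/mss
    accept =n or %n, time accepts =n or !n.  Order and repeat count of the
    options are not checked in this example."""
    for item in spec.split(","):
        m = _OPT_RE.match(item.strip())
        if not m:
            raise ValueError("unrecognised tcpopts item: %r" % item)
        name, op, num = m.groups()
        if not pkt.has_opt(name):
            return False
        if op is None:
            continue
        value, n = pkt.opt(name), int(num)
        if value is None:
            return False
        if (op == "=" and value != n) or (op == "%" and value % n != 0) \
                or (op == "!" and value == n):
            return False
    return True


def rule_matches(rule_opts, pkt):
    """rule_opts maps keyword -> argument, as in a rule body, e.g.
    {"window": "S4", "ttl": "<=64", "tcpopts": "mss,sack,time,nop,ws=0"}."""
    checks = {
        "window": lambda s: window_matches(s, pkt),
        "ttl": lambda s: compare_matches(s, pkt.ttl),
        "length": lambda s: compare_matches(s, pkt.length),
        "tcpopts": lambda s: tcpopts_match(s, pkt),
        "quirks": lambda s: set(s.split(",")) <= pkt.quirks,
    }
    return all(checks[key](arg) for key, arg in rule_opts.items())


# Constructed packets: a Linux-2.4-style SYN (window 4*MSS, 60-byte packet,
# 3 hops from an initial TTL of 64) and a Windows-style SYN (window 65535,
# 48-byte packet, 11 hops from 128, non-zero urgent pointer).
LINUX_SYN = SynSummary(window=5840, ttl=61, length=60,
                       options=[("mss", 1460), ("sack", None), ("time", 123456),
                                ("nop", None), ("ws", 0)])
WINDOWS_SYN = SynSummary(window=65535, ttl=117, length=48,
                         options=[("mss", 1460), ("nop", None), ("nop", None),
                                  ("sack", None)],
                         quirks={"nzup"})

LINUX_RULE = {"window": "S4", "ttl": "<=64", "length": "60",
              "tcpopts": "mss,sack,time,nop,ws=0"}
WINDOWS_RULE = {"window": "65535", "ttl": "<=128", "length": "48",
                "tcpopts": "mss,nop,nop,sack", "quirks": "nzup"}

if __name__ == "__main__":
    for name, pkt in (("linux", LINUX_SYN), ("windows", WINDOWS_SYN)):
        print(name, rule_matches(LINUX_RULE, pkt), rule_matches(WINDOWS_RULE, pkt))
```

Each rule matches only its own packet: the S4 window test fails for the Windows SYN because 65535 is not 4 * 1460, and the Windows rule fails for the Linux SYN at the window test before any option is inspected.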

Additional modifications have been made in Snort! to support fingerprinting, especially within the database logging routines.  These modifications had to be made to separate traditional alerts from fingerprint log information.

snort.conf and classification.config have also been modified.  Most notably, service-fingerprint and os-fingerprint classification types have been added.  To increase efficiency, classification.config is now read earlier in snort.conf so that the database output plugin is aware of the fingerprinting data type.  (This prevents a classification lookup for every packet logged.)

Database Schema:

The MySQL database schema (other databases are not yet supported) has been modified to support fingerprinting.  Most notably, an "fpevent" table has been added to separate standard alert events (originally, and still, in the "event" table) from fingerprint alerts.  The fpevent table (and the corresponding Snort! database routines) store only the first and last fingerprint entries for a given IP and port number (OS fingerprints are identified by port 0).  Storing every fingerprint event would be impractical.  However, given the first and last timestamps, we can answer important questions such as "What new services have appeared on my network in the last 24 hours?"

Additionally, generic fingerprint events never replace existing, more specific fingerprint events.  The standard Snort! "priority" field is used to identify more specific fingerprint descriptions.  For example, a previously identified "specific" Apache Web Server should not be replaced by a "generic" TCP service fingerprint on port 80.  As with Snort! alert syntax, a lower priority number is considered a more specific fingerprint.
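The retention and priority rules described in the two paragraphs above, modelled as an added example (not the spo_database.c code of the patch): one row per (ip, port) with first_seen/last_seen timestamps, a generic fingerprint never displacing a more specific one, and the "new services since" query the first_seen column makes possible.  The event stream, host addresses and signature names are constructed; whether a generic event still advances last_seen on a port that already holds a specific fingerprint is this model's choice, not something the README states.

```python
from dataclasses import dataclass


@dataclass
class FpRow:
    """One fpevent row: the current best fingerprint for (ip, port)."""
    ip: str
    port: int          # 0 marks an OS fingerprint, as the schema does
    signature: str
    priority: int      # lower number = more specific, as with Snort alert priority
    first_seen: int    # epoch seconds of the first fingerprint on this ip/port
    last_seen: int     # epoch seconds of the most recent one


class FpEventTable:
    """In-memory stand-in for the fpevent table and its insert/update logic."""

    def __init__(self):
        self.rows = {}     # (ip, port) -> FpRow

    def record(self, ip, port, signature, priority, ts):
        """Apply one fingerprint event; returns what happened to the row."""
        key = (ip, port)
        row = self.rows.get(key)
        if row is None:
            self.rows[key] = FpRow(ip, port, signature, priority, ts, ts)
            return "inserted"
        if priority > row.priority:
            # A more generic fingerprint never replaces a more specific one.
            # (Modelling choice: the port was still observed, so last_seen moves.)
            row.last_seen = ts
            return "kept"
        if priority < row.priority or signature != row.signature:
            # Equal or better specificity with a different description replaces
            # the stored signature; first_seen stays as the port's first sighting.
            row.signature, row.priority = signature, priority
            row.last_seen = ts
            return "replaced"
        row.last_seen = ts
        return "updated"

    def new_since(self, cutoff):
        """Keys whose first sighting is at or after `cutoff`: the
        'what new services appeared in the last 24 hours?' query."""
        return sorted(k for k, r in self.rows.items() if r.first_seen >= cutoff)

    def services_of(self, ip):
        """(port, signature) pairs for a host, OS fingerprint (port 0) first."""
        return sorted((r.port, r.signature)
                      for (h, _), r in self.rows.items() if h == ip)


# Constructed event stream: (ip, port, signature, priority, timestamp).
EVENTS = [
    ("10.0.0.5", 80, "Generic TCP service", 3, 100),
    ("10.0.0.5", 80, "Apache Web Server", 1, 200),
    ("10.0.0.5", 80, "Generic TCP service", 3, 300),   # must not displace Apache
    ("10.0.0.5", 80, "Apache Web Server", 1, 400),
    ("10.0.0.5", 0, "Linux 2.4", 2, 150),
    ("10.0.0.9", 22, "OpenSSH", 1, 90000),
]


def replay(events):
    """Feed the events through the table; returns (table, per-event outcomes)."""
    table = FpEventTable()
    outcomes = [table.record(*e) for e in events]
    return table, outcomes


if __name__ == "__main__":
    table, outcomes = replay(EVENTS)
    print(outcomes)
    print(table.services_of("10.0.0.5"))
    print(table.new_since(80000))
```

After the replay the port-80 row still names Apache with first_seen 100 and last_seen 400, and new_since(80000) returns only the SSH service on 10.0.0.9, which is the kind of answer the ACID "Network Fingerprints" view sorts by first-seen time.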

ACID Modifications:

Two major modifications have been added to ACID.  First, the IP query (acid_stat_ipaddr) screen has been modified to include any fingerprints associated with the queried address.  Second, a "Network Fingerprints" (acid_stat_fingerprints) query has been added to display a list of all fingerprints.  Fingerprints can be sorted by address, port, signature, first seen (time), last seen (time), and service description.

------------
Installation
------------

These are general installation directions.  The reader is assumed to 
have knowledge of integrating ACID, MYSQL, Apache and Snort!

1. Download, build and install MYSQL database (www.mysql.com)

2. Download, build and install Apache httpd (www.apache.org)

3. Snort! IDS

3.1 Download the Snort! 2.1.2 source code (www.Snort.org)
3.2 Apply the 2.1.2fp patch

   $ cd snort-2.1.2
   $ patch -Np1 < snort-2.1.2fp.patch

3.3 Build Snort! with MYSQL DB support enabled

   $ ./configure --with-mysql[=/mysql/directory/path]
   $ make

     Warning(s) that can be safely ignored:

     spo_database.c:2417: warning: second parameter of `va_start' 
     not last named argument

   # make install 

4. Update MYSQL Schema

   Replace the MySQL database schema (this destroys all previous data) to
   support fingerprinting.
   YES, THIS WILL DESTROY ANY OLD DATA, so backup appropriately.

   $ mysql -u root -p < ./contrib/create_mysql_fp

5. ACID

5.1 Download, build and install ACID (http://www.andrew.cmu.edu/~rdanyliw/Snort/Snortacid.html, also available in ./contrib directory)

5.2 Apply the acid-0.9.6b23fp.patch directly in your htdocs/acid directory (patch available in ./contrib directory)

   # cd /usr/local/apache2/htdocs/acid
   # patch -Np1 < acid-0.9.6b23fp.patch

6. Configure snort.conf for MYSQL database support -- be sure to use 
the patched snort.conf and classification.config files

7. Copy osfp-syn.rules and servicefp.rules from the 2.1.2 patched 
directory to your Snort! rules directory.

8. Start your HTTPD, MYSQL, and Snort! daemons

9. Browse ACID -- See the "Network Fingerprints" links on main page.

---
p2s
---

p2s is a utility that converts p0f signature files to Snort! rules.  
See ./contrib/p2s-2.1.tar.gz for more info, including source and README.p2s

--------------
TODO/NEED HELP
--------------

(1) Complete testing of the p0f Snort! signatures.  See README.p2s in the 
gzipped archive for testing status.
(2) Test on other platforms.  Successfully tested on Red Hat Linux 8.0.
(3) Write DB routines in spo_database.c to support other databases.  
Presently, only MYSQL supported.
(4) Write more OS and service signatures!  

------------
Bugs/Support
------------

If you'd like to report a bug or contribute in another way to the Snort!(fp) project, 
please contact me directly at sdreed@verizon.net.

On-On!