Snort BaitnSwitch

Man Page:

BAIT-AND-SWITCH:

This started out as a neat parlor trick; hopefully it will be useful to someone, as I wrote it in about two days. Basically we use iptables PREROUTING/POSTROUTING chains and corresponding SNAT/DNAT rules to simulate full NAT and trick our attacker into thinking he is hacking away at one box when really he is attacking another.

BAIT-AND-SWITCH OPTIONS:

max_entries (int): Maximum number of attacker entries allowed to be stored in the splay tree. Yeah, I know all the cool kids are using hash tables these days; I'll get there someday.

log (optional log file name): It does what it says: logs packets rerouted by our preproc, and has crappy logging for reroute additions.

BAIT-AND-SWITCH-IGNOREHOSTS:

List of networks never to add to our reroute tree; you probably want to add your HOME_NET networks here so as not to DoS yourself.

Example: preprocessor bait-and-switch-ignorehosts: 192.168.1.0/24

BAIT-AND-SWITCH KEYWORD:

On to the rule language stuff; this keyword relies on the bait-and-switch preprocessor.

bait-and-switch:(reroute time in seconds, direction, honeypot ip)

So let's say we have a drop rule:

drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS repost.asp access"; flow:to_server,established; uricontent:"/scripts/repost.asp"; nocase; reference:nessus,10372; classtype:web-application-activity; sid:1076; rev:6;)

Now let's say that if this rule fires, we want to reroute all traffic from the attacker for the next 10 minutes (600 seconds) to a honeypot (192.168.1.1). We would add the following rule:

drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS repost.asp access"; flow:to_server,established; uricontent:"/scripts/repost.asp"; nocase; bait-and-switch:600,src,192.168.1.1; reference:nessus,10372; classtype:web-application-activity; sid:1076; rev:6;)

We end up with DNAT/SNAT tables looking something like this:

Chain PREROUTING (policy ACCEPT)
target  prot opt source       destination
DNAT    all  --  attacker.ip  attacked.ip   to:honeypot.ip

Chain POSTROUTING (policy ACCEPT)
target  prot opt source       destination
SNAT    all  --  honeypot.ip  attacker.ip   to:attacked.ip
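To make the lifecycle of one reroute entry concrete, here is an added Python model (not the preprocessor's own code, which keeps its entries in a splay tree and talks to iptables directly). It applies the ignorehosts and max_entries checks, and instead of touching a firewall it returns the `iptables -t nat` commands that correspond to the DNAT/SNAT table above; the `direction` handling (`src` means the packet's source is the attacker, `dst` the reverse) and the sample addresses are assumptions.

```python
import ipaddress
import time


class RerouteTable:
    """Constructed model of the bait-and-switch reroute entries."""

    def __init__(self, max_entries, ignore_hosts):
        self.max_entries = max_entries
        # bait-and-switch-ignorehosts: never reroute these (HOME_NET, DNS servers)
        self.ignore = [ipaddress.ip_network(n) for n in ignore_hosts]
        self.entries = {}  # attacker ip -> (expiry time, attacked ip, honeypot ip)

    def _ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    @staticmethod
    def _nat_rules(op, attacker, attacked, honeypot):
        # op is -A (install) or -D (remove); the two chains mirror the table above
        return [
            f"iptables -t nat {op} PREROUTING -s {attacker} -d {attacked} "
            f"-j DNAT --to-destination {honeypot}",
            f"iptables -t nat {op} POSTROUTING -s {honeypot} -d {attacker} "
            f"-j SNAT --to-source {attacked}",
        ]

    def alert(self, pkt_src, pkt_dst, seconds, direction, honeypot, now=None):
        """Called when a rule carrying bait-and-switch:seconds,direction,honeypot
        fires. Returns the iptables commands to install, or [] if nothing was added."""
        now = time.time() if now is None else now
        # assumption: direction selects which packet address is the attacker
        attacker, attacked = (pkt_src, pkt_dst) if direction == "src" else (pkt_dst, pkt_src)
        if self._ignored(attacker) or attacker in self.entries:
            return []  # protected host, or already being rerouted
        if len(self.entries) >= self.max_entries:
            return []  # table full: the attacker is simply not rerouted
        self.entries[attacker] = (now + seconds, attacked, honeypot)
        return self._nat_rules("-A", attacker, attacked, honeypot)

    def expire(self, now=None):
        """Drop entries whose reroute time has elapsed; returns the removal commands."""
        now = time.time() if now is None else now
        cmds = []
        for attacker, (expiry, attacked, honeypot) in list(self.entries.items()):
            if expiry <= now:
                cmds += self._nat_rules("-D", attacker, attacked, honeypot)
                del self.entries[attacker]
        return cmds
```

Feeding the page's example (600 seconds, src, honeypot 192.168.1.1) through `alert` yields exactly the DNAT and SNAT pair shown above, and `expire` emits the matching `-D` commands once the 600 seconds are up.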

From etc/snort_inline.conf:

# bait-and-switch: Attempt to do stealthy reroutes of an attacker to a honeypot for x number of seconds
# ----------------------------------------------------------------------------------
# For use in rule language
# reroute packets from attackers for x number of seconds because we don't like them messing with
# our stuff.
#
# In the example below the first line tells bait-and-switch a max amount of entries for memory allocation.
# In addition the first line tells bait-and-switch to log dropped packets to bands.log in the snort log dir.
#
#
# The second line tells which sources to never reroute. It is very, very important to add your home net
# and your dns servers to this list.
#
#example:
#preprocessor bait-and-switch: max_entries 200,log
#preprocessor bait-and-switch-ignorehosts: 192.168.1.0/24

-- MattJonkman - 20 Mar 2007

Topic revision: r1 - 2007-03-20 - MattJonkman
Copyright © Emerging Threats