configuring-security-onion-detect-prevent-web-application-attacks-33980.pdf - SANS Institute Information Security Reading Room Using and Configuring

Configuring-security-onion-detect-prevent-web-application-attacks-33980.pdf

This preview shows page 1 out of 35 pages.

Unformatted text preview: SANS Institute Information Security Reading Room Using and Configuring Security Onion to detect and prevent Web Application Attacks ______________________________ Ashley Deuble Copyright SANS Institute 2019. Author Retains Full Rights. This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Detecting and Preventing Web Application © 20 12 SA NS I ns t i t ut e, Au t ho rr et ai ns f ul lr i gh t s. Attacks with Security Onion GIAC (GCIA) Gold Certification Author: Ashley Deuble, [email protected]­‐d.net Advisor: David Shinberg Accepted: 26th July 2012 Abstract Although web application attacks have existed for over the last 10 years, simple coding errors, failed input validation and output sanitization continue to exist in web applications that have led to disclosures for many well-­‐known companies. The most prevalent web application attacks are SQL Injection, Cross Site Scripting and OS Command Injection. With an increased number of companies conducting business over the Internet, many attackers are taking advantage of lax security and poor coding techniques to exploit web applications for fame, notoriety and financial gain. There are multiple ways to detect and prevent these vulnerabilities from being exploited and leaking corporate data on the Internet. One method involves using IDS/IPS systems to detect the attack and block or alert appropriate staff of the attack. Security Onion by Doug Burks contains a suite of tools that aid an analyst in detecting these events. Security Onion is a live Xubutnu based distribution containing many of the tools required to perform the detection and prevention of these exploits. ©2012TheSANSI nst i t ut e Keyf horr et ai nsf ul l r i ght s. i nger pr i nt=AF19FA272F94998DFDB5DE3DF8B506E4A1694E46 Aut Detecting and Preventing Web Application 2 Attacks with Security Onion 1. Introduction © 20 12 SA NS I ns t i t ut e, Au t ho rr et ai ns f ul lr i gh t s. Security Onion contains software used for installing, configuring, and testing Intrusion Detection Systems. Security Onion contains Snort, Suricata, Sguil, Xplico, nmap, scapy, hping, netcat, and tcpreplay (Burks, 2012). This paper uses Security Onion release dated 20120405 and investigates how to alert and block on SQL Injection(SQLi), Cross Site Scripting (XSS), and command injection web application attacks. SQLi and XSS vulnerabilities were rated as OWASP’s number 1 and 2 risks in its 2010 report (The Open Web Application Security Project, 2010)1. As shown below in figure 1, 37% of attacks for January to June 2011 were targeted towards web applications (Hewlett-­‐Packard, 2011). Figure 1 – Comparison of attacks 1 Top 10 -­‐ 2010.pdf ©2012TheSANSAshley I nst i t ut e horr et a nsf ul l r i ght s. Keyf i n er pr i nt=AF19FA272F94998D Deuble, [email protected]­‐d.net FDB5DE3DF8B506E4A1694E46 Aut i Detecting and Preventing Web Application 3 Attacks with Security Onion 2. Test Lab Setup The test lab consists of Security Onion2, the Damn Vulnerable Web Application © 20 12 SA NS I ns t i t ut e, Au t ho rr et ai ns f ul lr i gh t s. (DVWA) distribution3 and the Samurai WTF distribution4 (refer to figure 2). Security Onion instances for Snort and Suricata were configured to analyze traffic between the vulnerable web applications in DVWA and the attacking machine (Samurai WTF). One of the main goals of the DVWA distribution is to aid security professionals in testing their skills and tools in a legal environment (Damn Vulnerable Web App, 2011), which makes it a great choice to demonstrate the capabilities of Security Onion. Figure 2 – Lab environment 3. Security Onion for Detection The latest version of Security Onion can be downloaded from the Security Onion website5. The recommended procedure for installing Security Onion to the hard drive of a system can be found on the Security Onion wiki site6. 2 3 4 5 6 -­‐onion/wiki/Installation ©2012TheSANSAshley I nst i t ut e horr et a nsf ul l r i ght s. Keyf i n er pr i nt=AF19FA272F94998D Deuble, [email protected]­‐d.net FDB5DE3DF8B506E4A1694E46 Aut i Detecting and Preventing Web Application 4 Attacks with Security Onion 3.1. Basic Configuration of Security Onion Configuring Security Onion can be done quickly using the provided setup tool. © 20 12 SA NS I ns t i t ut e, Au t ho rr et ai ns f ul lr i gh t s. The setup tool has two modes when setting up Security Onion: Quick Setup The Quick Setup process automatically configures most of the applications using Snort and Bro to monitor all network interfaces by default. This setup method is used when the IDS server and the IDS sensor are configured on the same system. The Quick Setup process also configures and enables Sguil, Squert and Snorby. Advanced Setup Advanced Setup allows more control over the setup of Security Onion. This process is used when an analyst wants to configure a system to: • Install either a Sguil server, Sguil sensor, or both • Select either Snort or Suricata IDS engine • Selecting an IDS ruleset, Emerging Threats, Snort VRT, or both • Configure network interfaces monitored by the IDS Engine and Bro Snort is the defacto standard of Open Source IDS engines, while Suricata is an emerging IDS developed by the Open Information Security Foundation. Suricata has many features of Snort, as well as unique capabilities such as multi-­‐threading and additional detection protocols. More information on Suricata can be found on the Open Information Security Foundation website7. 3.2. Advanced Configuration of Security Onion Advanced configurations of Security Onion may be required in larger complex environments. In these cases Sguil sensors may be distributed to multiple network segments. A conceptual design diagram may look similar to figure 3. In this scenario, the Advanced Setup wizard would be run to configure two Sguil sensors and a Sguil server. Snort or Suricata will monitor the network link for 7 ©2012TheSANSAshley I nst i t ut e horr et a nsf ul l r i ght s. Keyf i n er pr i nt=AF19FA272F94998D Deuble, [email protected]­‐d.net FDB5DE3DF8B506E4A1694E46 Aut i Detecting and Preventing Web Application 5 Attacks with Security Onion security events and log them, Barnyard will forward events from the Snort or Suricata logs to the Sguil sensor agent. The Sguil sensor agent will record the entries in the Sguil server database and a separate instance of Snort or Suricata © 20 12 SA NS I ns t i t ut e, Au t ho rr et ai ns f ul lr i gh t s. will log the packets to local disks. The Sguil sensors also listen for commands from the Sguil server that request previously logged packet data. Figure 3 – Multiple sensors 3.3. Addition Setup Tasks In-­‐place upgrades should be performed regularly with the following command to ensure all tools, applications and functionalities are up to date. The upgrade script is cumulative and will upgrade older versions of Security Onion to the most recent version (including updates in between) (Burks, 2012). sudo -i "curl -L > ~/security-onionupgrade.sh && bash ~/security-onion-upgrade.sh" ©2012TheSANSAshley I nst i t ut e horr et a nsf ul l r i ght s. Keyf i n er pr i nt=AF19FA272F94998D Deuble, [email protected]­‐d.net FDB5DE3DF8B506E4A1694E46 Aut i Detecting and Preventing Web Application 6 Attacks with Security Onion For installations in a virtual environment, it’s highly recommended the screen saver be disabled. This can be completed in Security Onion by clicking Applications -­‐> Settings -­‐> Screensaver. When the Screensaver Preferences © 20 12 SA NS I ns t i t ut e, Au t ho rr et ai ns f ul lr i gh t s. window appears, click the Mode dropdown and select "Disable Screen Saver" or "Blank Screen Only", close the Screensaver Preferences window to save the settings. 3.4. Basic IDS Configuration During setup, The Security Onion setup tool will configure the selected IDS engine. Important configuration files common to Snort and Suricata can be found in the following locations /etc/nsm/rules/ This folder contains the IDS engine rules used for detection of events. All rules downloaded with pulledpork will be saved to downloaded.rules and will be specifically for the IDS engine that was selected. All user created rules should be saved into local.rules. 3.4.1. Basic Snort Configuration Configuration files specific to Snort can be found at the following locations /etc/nsm/name_of_sensor/Snort.conf The Snort.conf file is used to configure Snort. Steps to customize the configuration in the Snort.conf file are as follows: 1. Set the network variables. 2. Configure the decoder 3. Configure the base detection engine 4. Configure dynamic loaded libraries 5. Configure preprocessors 6. Configure output plugins 7. Customize the rule set 8. Customize preprocessor and decoder rule set ©2012TheSANSAshley I nst i t ut e horr et a nsf ul l r i ght s. Keyf i n er pr i nt=AF19FA272F94998D Deuble, [email protected]­‐d.net FDB5DE3DF8B506E4A1694E46 Aut i Detecting and Preventing Web Application 7 Attacks with Security Onion 9. Customize shared object rule set The Snort sensor should be restarted after any changes have been made to any of © 20 12 SA NS I ns t i t ut e, Au t ho rr et ai ns f ul lr i gh t s. the rules or configuration files. Issuing the following command will apply the changes: sudo nsm --sensor --restart --only-Snort-alert 3.4.2. Basic Suricata Configuration Important configuration files specific to Suricata can be found in the following locations /etc/nsm/name_of_sensor/Suricata.yaml The Suricata.yaml file is used to configure Suricata. The recommended steps to customize the configuration in the Suricata.yaml file are as follows: 1. Set the network variables of the home network at HOME_NET 2. Set EXTERNAL_NET to !HOME_NET (not the home network). It is also possible to set EXTERNAL_NET to ‘any’ (the same as the default Snort configuration) but this may increase the chances for false-­‐positives. 3. Configure the settings for HTTP_SERVERS, SMTP_SERVERS , SQL_SERVERS , DNS_SERVERS and TELNET_SERVERS (these are set to HOME_NET by default) 4. Configure the HTTP_PORTS, SHELLCODE_PORTS, ORACLE_PORTS and SSH_PORTS port variables to suit the network After changes have been made to the Suricata rules or configuration files the following command must be issued to restart the sensor: sudo nsm --sensor --restart --only-Snort-alert In this version of Security Onion the “-­‐-­‐only-­‐Snort-­‐alert” command line switch applies to the IDS engine that is currently in use (either Snort or Suricata). ©2012TheSANSAshley I nst i t ut e horr et a nsf ul l r i ght s. Keyf i n er pr i nt=AF19FA272F94998D Deuble, [email protected]­‐d.net FDB5DE3DF8B506E4A1694E46 Aut i Detecting and Preventing Web Application 8 Attacks with Security Onion 4. Writing Custom Rules for Snort and Suricata Both Snort and Suricata use the same base rule language. Additionally, Suricata has the ability to use the additional protocol keywords HTTP, TLS, FTP and SMB. © 20 12 SA NS I ns t i t ut e, Au t ho rr et ai ns f ul lr i gh t s. Rules are broken into two sections, the rule header and rule options (Figure 4). The rule header contains the rule’s action, protocol, source IP address/netmask and port, destination IP address/netmask and port, and traffic direction. The rule options can contain alert messages, references (cve, bugtraq, Nessus etc.), revision etc. Information on writing Snort and Suricata rules, as well as detailed descriptions of all the fields can be found in the Snort manual8 and on the Suricata website9. Figure 4 – Snort rule For a rule to function correctly, it must contain all elements of the rule header, a payload detection rule option (e.g. “content”), as well as the “msg” and “sid” rule options. Without these elements, the IDS engine will fail to parse the rule correctly and will not start. 4.1. Confirming Your IDS Engine is Working A quick way to verify Snort or Suricata is working correctly, is to create the following rule in the /etc/nsm/rules/local.rules file. This alert will trigger on any 8 9 les ©2012TheSANSAshley I nst i t ut e horr et a nsf ul l r i ght s. Keyf i n er pr i nt=AF19FA272F94998D Deuble, [email protected]­‐d.net FDB5DE3DF8B506E4A1694E46 Aut i Detecting and Preventing Web Application 9 Attacks with Security Onion ICMP traffic from the analyst’s workstation to another system (assuming that the analysts IP address is 10.1.1.1). © 20 12 SA NS I ns t i t ut e, Au t ho rr et ai ns f ul lr i gh t s. Alert icmp 10.1.1.1 any -> any any (msg:”ICMP”; sid:100002;) From a command prompt on the analyst’s workstation, issue the required ping request and review the alerts in the Sguil console. If the IDS engine is configured and running correctly, the analyst should see a successful response similar to figure 5. Figure 5 – Successful alert 4.2. Cross-Site Scripting (XSS) XSS attacks are a type of injection problem, in which malicious scripts is injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a client side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application accepts input from a user in the output it generates without validating or encoding it. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know the script should not be trusted, and will execute the script (The Open Web Application Security Project, 2011). The following code will exploit XSS vulnerabilities <script>alert(1)</script> ©2012TheSANSAshley I nst i t ut e horr et a nsf ul l r i ght s. Keyf i n er pr i nt=AF19FA272F94998D Deuble, [email protected]­‐d.net FDB5DE3DF8B506E4A1694E46 Aut i Detecting and Preventing Web Application 10 Attacks with Security Onion To exploit this vulnerability the above code would be copied to a field within the vulnerable web application and produce a result similar to figure 6. The output of this attack in Wireshark is shown in figure 7. © 20 12 SA NS I ns t i t ut e, Au t ho rr et ai ns f ul lr i gh t s. Figure 6 – XSS attack Figure 7 – XSS Wireshark output As seen in the example, this XSS attack utilizes the <script> and </script> tags. The script tags have been decoded from ascii to hexadecimal format producing the following output. %3Cscript%3Ealert%281%29%3C%2Fscript%3E Both Suricata and Snort will detect and transcode ascii and hexadecimal characters. There are other formats for XSS attacks, examples of which can be found on the ha.ckers.org XSS (Cross Site Scripting) Cheat Sheet10. An analyst can use these references to fine-­‐tune or create additional rules for detecting and blocking other types of Cross Site Scripting attacks. 10 ©2012TheSANSAshley I nst i t ut e horr et a nsf ul l r i ght s. Keyf i n er pr i nt=AF19FA272F94998D Deuble, [email protected]­‐d.net FDB5DE3DF8B506E4A1694E46 Aut i Detecting and Preventing Web Application 11 Attacks with Security Onion 4.2.1. Rules to Detect and Block XSS Attacks Security Onion will detect and alert on the above example Cross Site Scripting attack using the Emerging Threats ruleset located in the downloaded.rules file. © 20 12 SA NS I ns t i t ut e, Au t ho rr et ai ns f ul lr i gh t s. To alert and block on XSS attacks all rules must be configured to use the “drop” action as shown below. Snort drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt"; flow:to_server,established; content:"</script>"; fast_pattern:only; nocase; http_uri; reference:url,ha.ckers.org/xss.html; reference:url,doc.emergingthreats.net/2009714; classtype:web-application-attack; sid:2009714; rev:6;) Suricata drop http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt"; flow:to_server,established; uricontent:"</script>"; nocase; reference:url,ha.ckers.org/xss.html; reference:url,doc.emergingthreats.net/2009714; classtype:web-application-attack; sid:2009714; rev:5;) 4.3. SQL Injection A SQL Injection attack consists of insertion or "injection" of a SQL query via input data from the client into the application. A successful SQL Injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. ©2012TheSANSAshley I nst i t ut e horr et a nsf ul l r i ght s. Keyf i n er pr i nt=AF19FA272F94998D Deuble, [email protected]­‐d.net FDB5DE3DF8B506E4A1694E46 Aut i Detecting and Preventing Web Application 12 Attacks with Security Onion SQL Injection attacks are a type of injection attack, in which SQL commands are injected into data-­‐plane input in order to effect the execution of predefined SQL commands (The Open Web Application Security Project, 2011). © 20 12 SA NS I ns t i t ut e, Au t ho rr et ai ns f ul lr i gh t s. The following code will exploit SQL Injection vulnerabilities. ' UNION ALL SELECT load_file('C:\\xampp\\htdocs\\dvwa\\config\\config.inc.ph p'), '1 Like Cross Site Scripting, the above code is entered into a field in the vulnerable application. In this example the page does not display any information to the screen (figure 8) but includes the information within the page source code (figure 9). Figure 8 – SQL Injection Figure 9 – Page source from SQL Injection ©2012TheSANSAshley I nst i t ut e horr et a nsf ul l r i ght s. Keyf i n er pr i nt=AF19FA272F94998D Deuble, [email protected]­‐d.net FDB5DE3DF8B506E4A1694E46 Aut i Detecting and Preventing Web Application 13 Attacks with Security Onion The Wireshark output of this attack (figure 10) shows this SQL Injection exploit utilizes the “UNION” and “SELECT” functions within SQL. © 20 12 SA NS I ns t i t ut e, Au t ho rr et ai ns f ul lr i gh t s. Figure 10 – SQL Injection Wireshark output 4.3.1. Rules to Detect and Block SQLi Attacks Security Onion will detect and alert on SQL Injection attacks using rules from the Emerging Threats ruleset located in the downloaded.rules file. To alert and block on SQL Injection attacks all rules must be configured to use the “drop” action as shown below. Snort drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT"; flow:established,to_server; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006446; classtype:web-application-attack; sid:2006446; rev:11;) ©2012TheSANSAshley I nst i t ut e horr et a nsf ul l r i ght s. Keyf i n er pr i nt=AF19FA272F94998D Deuble, [email protected]­‐d.net FDB5DE3DF8B506E4A1694E46 Aut i Detecting and Preventing Web Application 14 Attacks with Security Onion Suricata drop http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Attempt UNION © 20 12 SA NS I ns t i t ut e, Au t ho rr et ai ns f ul lr i gh t s. SELECT"; flow:established,to_server; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006446; classtype:web-application-attack; sid:2006446; rev:11;) 4.4. OS Command Injection In this example, an application designed to ping an IP address is vulnerable to command execution exploits (figure 11). Figure 11 – Vulnerable web application The application lets the user enter an IP address, run the ping command and return the result to the screen (figure 12). Figure 12 – Intended function of web application ©201...
View Full Document

  • Fall '18
  • hh

What students are saying

  • Left Quote Icon

    As a current student on this bumpy collegiate pathway, I stumbled upon Course Hero, where I can find study resources for nearly all my courses, get online help from tutors 24/7, and even share my old projects, papers, and lecture notes with other students.

    Student Picture

    Kiran Temple University Fox School of Business ‘17, Course Hero Intern

  • Left Quote Icon

    I cannot even describe how much Course Hero helped me this summer. It’s truly become something I can always rely on and help me. In the end, I was not only able to survive summer classes, but I was able to thrive thanks to Course Hero.

    Student Picture

    Dana University of Pennsylvania ‘17, Course Hero Intern

  • Left Quote Icon

    The ability to access any university’s resources through Course Hero proved invaluable in my case. I was behind on Tulane coursework and actually used UCLA’s materials to help me move forward and get everything together on time.

    Student Picture

    Jill Tulane University ‘16, Course Hero Intern

Ask Expert Tutors You can ask 0 bonus questions You can ask 0 questions (0 expire soon) You can ask 0 questions (will expire )
Answers in as fast as 15 minutes