S3W: Snort 3.0 comes to Windows
Lateral movement has become a staple of today's malware. SMB vulnerabilities such as EternalBlue and EternalRomance are being leveraged by malware and attack frameworks to spread across the network, and exploits for NTLM vulnerabilities such as RottenPotato have been integrated into tools like Juicy Potato, Mimikatz and Metasploit.
A host intrusion detection system (HIDS) gives you invaluable insight into attacks not only across security boundaries but also inside your network, and a host intrusion prevention system (HIPS) can even block an incoming threat before it reaches the endpoint.
In this research we show how our Endpoint Detection and Response (EDR) system can be augmented by connecting inbound and outbound network flow information with application behavior. To this end, we have ported a state-of-the-art HIPS, Snort 3, to the Windows platform. We will describe in depth the additional telemetry we gather, how that telemetry is integrated into our Endpoint Security, and how we were able to improve our detection logic with this additional information.
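To make the correlation idea concrete, here is an added example that is not part of the talk or of the Cisco Secure Endpoint code base. It joins Snort alerts, written in the shape of Snort's fast-alert output, with endpoint records of which process owned which TCP connection, and then flags outbound SMB activity from an unexpected process. The alert lines, the endpoint connection records, the host IP 10.0.0.9, the 5-second matching window and the allowlist of expected SMB client images are all constructed assumptions for the demo, not data or logic from the research.

```python
import re
from datetime import datetime

# Assumption: the endpoint on which both Snort and the EDR agent run.
HOST_IP = "10.0.0.9"

# Constructed sample lines in the general shape of Snort's fast-alert format
# (the rules, SIDs and messages are invented for this example).
SNORT_ALERTS = """\
05/12-10:15:03.120000  [**] [1:1000001:1] "SMB lateral movement attempt" [**] [Priority: 1] {TCP} 10.0.0.5:49832 -> 10.0.0.9:445
05/12-10:15:07.500000  [**] [1:1000002:1] "Outbound NTLM relay pattern" [**] [Priority: 2] {TCP} 10.0.0.9:51100 -> 10.0.0.20:445
"""

# Constructed endpoint telemetry: which local process owned which TCP
# connection (a simplified stand-in for real EDR network-flow records).
ENDPOINT_CONNECTIONS = [
    {"ts": "2024-05-12 10:15:07", "pid": 4120, "image": "C:\\Windows\\System32\\rundll32.exe",
     "laddr": "10.0.0.9", "lport": 51100, "raddr": "10.0.0.20", "rport": 445},
    {"ts": "2024-05-12 10:15:03", "pid": 4, "image": "System",
     "laddr": "10.0.0.9", "lport": 445, "raddr": "10.0.0.5", "rport": 49832},
]

# Assumption: images that are expected to open outbound SMB (port 445) sessions.
EXPECTED_SMB_IMAGES = {"System", "C:\\Windows\\explorer.exe"}

FAST_ALERT_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"?(?P<msg>.*?)"?\s+\[\*\*\]'
    r'.*?\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$'
)


def parse_fast_alert(line, year=2024):
    """Parse one fast-alert line into a dict; return None for anything else.
    Fast alerts carry no year, so the caller supplies it (assumed 2024 here)."""
    m = FAST_ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {
        "ts": ts, "gid": int(m["gid"]), "sid": int(m["sid"]), "msg": m["msg"],
        "proto": m["proto"], "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
    }


def correlate(alert_text, connections, host_ip=HOST_IP, window_s=5):
    """Attach the owning process to each alert by matching the 5-tuple, seen from
    the endpoint's side, against connection records within window_s seconds."""
    enriched = []
    for line in alert_text.splitlines():
        alert = parse_fast_alert(line)
        if alert is None:
            continue
        # Orient the tuple as (local, lport, remote, rport) relative to this host.
        if alert["dst"] == host_ip:
            direction = "in"
            key = (alert["dst"], alert["dport"], alert["src"], alert["sport"])
        elif alert["src"] == host_ip:
            direction = "out"
            key = (alert["src"], alert["sport"], alert["dst"], alert["dport"])
        else:
            continue  # alert does not involve this endpoint at all
        match = None
        for c in connections:
            cts = datetime.strptime(c["ts"], "%Y-%m-%d %H:%M:%S")
            same_tuple = (c["laddr"], c["lport"], c["raddr"], c["rport"]) == key
            if same_tuple and abs((cts - alert["ts"]).total_seconds()) <= window_s:
                match = c
                break
        enriched.append({**alert, "direction": direction,
                         "pid": match["pid"] if match else None,
                         "image": match["image"] if match else None})
    return enriched


def flag_lateral_movement(enriched):
    """Keep outbound SMB alerts whose owning process is not an expected SMB client
    (an unmatched alert, image None, is also flagged rather than silently dropped)."""
    return [e for e in enriched
            if e["direction"] == "out" and e["dport"] == 445
            and e["image"] not in EXPECTED_SMB_IMAGES]


if __name__ == "__main__":
    for e in flag_lateral_movement(correlate(SNORT_ALERTS, ENDPOINT_CONNECTIONS)):
        print(f"sid {e['sid']} {e['msg']!r}: pid {e['pid']} ({e['image']}) -> {e['dst']}:{e['dport']}")
```

The point of the join is that the network alert alone says only that something on this host spoke SMB to 10.0.0.20; adding the process image is what turns it into an actionable finding (rundll32.exe opening an SMB session is far more suspicious than the kernel's own redirector doing so).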
Snort 3.0 is an updated version of the SNORT® Intrusion Prevention System that features a redesigned architecture and a superset of Snort 2.X functionality, resulting in better performance and efficacy overall. Bearing this in mind, the goal is to make Snort 3.0 capable of meeting and exceeding what Snort 2.X achieves on Windows platforms. To this end, the Windows port of Snort 3.0 now works fully in passive mode, as an IDS, relying on Npcap, the Windows packet capture library and driver. The real novelty, however, is Snort 3.0 in active mode, as an IPS. This is the first such effort for Snort on Windows, since Snort 2.X does not support active mode on Windows either.
Porting Snort 3.0 to Windows is a fascinating layered challenge that involved, among other things:
• Porting LibDAQ (the Data AcQuisition Library), the abstraction layer Snort uses to interact with a data source, to Windows, which meant changing its build system from Autotools to CMake.
• Analysing and identifying the right candidate to replace libpcap for network traffic capture on Windows, so as to enable both the passive and the active features of Snort.
This research makes malware detection more secure and effective: Snort 3.0 monitors incoming and outgoing network traffic on the endpoint and feeds more advanced tools when it detects potentially harmful packets or threats on the network, giving a more accurate picture of a malware attack. Moreover, Snort performs protocol analysis, so it can inspect potentially harmful packets in more detail and detect even the most recent attacks through Snort signatures.
About the Presenter (Alessandro Pisani):
Alessandro is a software engineer and security researcher for Cisco Secure Endpoint, currently focusing on malware research and Windows offensive and defensive security. Alessandro holds a Master's degree in Computer Engineering. This research is his first publication and presentation. His main interests are offensive security and privilege escalation, especially on Windows systems.