
an overview


Presentation Transcript


  1. an overview

  2. Snort is an Intrusion Detection System (IDS)
     • Automated tools to detect intrusions
     • Works locally (reactionary) or network wide (preemptive)
     • Preemptive IDS can use traffic monitoring or content monitoring
     • Does NOT block intruders. Assumes a human is watching!!!

  3. What IDS are available?
     • Cisco Secure IDS (formerly NetRanger)
     • Network Flight Recorder
     • RealSecure (ISS)
     • SecureNet Pro
     • Snort!!!

  4. Why pick Snort?
     • “Lightweight”
     • Free
     • Portable: runs on HP-UX, Linux, AIX, Irix, *BSD, Solaris, Win2K
     • Configurable, with easy setup

  5. What can Snort do?
     • Packet sniffer
     • Packet logger
     • Preemptive IDS: actively monitors network traffic in real time to match intrusion signatures and send alerts

  6. Rules, Rules, Rules
     alert udp $EXTERNAL_NET 53 -> $HOME_NET :1024 (msg:"MISC source port 53 to <1024";)
     • This rule alerts on any UDP packet from the external network with source port 53 going to a home-network port in the range :1024 (port 1024 and below)
     • Rules can also alert on packet content, not just source / destination ports

  7. And more Rules
     • Rules can: Alert, Log, or Pass
     • Used for IP, UDP, ICMP
     • Source address / port
     • Destination address / port
     • Additional options: this is where content matching can take place

  8. Luckily you probably won’t have to write rules!

  9. What do the alerts look like?
     [**] MISC source port 53 to <1024 [**]
     05/21-16:30:07.697467 129.219.17.200:53 -> 129.219.XXX.XXX:1024
     UDP TTL:253 TOS:0x0 ID:60955 IpLen:20 DgmLen:268 DF
     Len: 248
     • These can also be nicely formatted by different parser programs
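As an added example (not from the slides and not Snort's own code), the Python below parses the full-format alert shown on slide 9 and checks it against the rule header from slide 6, implementing Snort's port notation (":1024" means port 1024 and below, "1024:" means 1024 and above). It assumes the masked destination address is replaced by a placeholder and treats $HOME_NET / $EXTERNAL_NET as wildcards, since resolving those variables needs snort.conf.

```python
import re
from dataclasses import dataclass
# Constructed sample in the "full" alert format of slide 9; the destination
# address is a placeholder (the slide masks it as XXX.XXX).
ALERT = """[**] MISC source port 53 to <1024 [**]
05/21-16:30:07.697467 129.219.17.200:53 -> 192.0.2.10:1024
UDP TTL:253 TOS:0x0 ID:60955 IpLen:20 DgmLen:268 DF
Len: 248"""
# The rule from slide 6, copied as written there.
RULE = 'alert udp $EXTERNAL_NET 53 -> $HOME_NET :1024 (msg:"MISC source port 53 to <1024";)'

HEADER = re.compile(r"^\[\*\*\] (?P<msg>.+?) \[\*\*\]$")
FLOW = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
                  r"(?P<dst>[\d.]+):(?P<dport>\d+)$")
PROTO = re.compile(r"^(?P<proto>\w+) TTL:(?P<ttl>\d+) ")

@dataclass
class Alert:
    msg: str
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

def parse_alert(text):
    """Parse the first three lines of a full-format alert into an Alert."""
    lines = text.strip().splitlines()
    m = [r.match(l) for r, l in zip((HEADER, FLOW, PROTO), lines)]
    if len(m) < 3 or not all(m):
        raise ValueError("not a full-format Snort alert")
    return Alert(m[0]["msg"], m[1]["ts"], m[1]["src"], int(m[1]["sport"]),
                 m[1]["dst"], int(m[1]["dport"]), m[2]["proto"])

def port_matches(spec, port):
    """Snort port specs: 'any', '53', ':1024' (<=1024), '1024:' (>=1024), '1:1024'."""
    if spec == "any":
        return True
    if ":" not in spec:
        return int(spec) == port
    lo, hi = spec.split(":", 1)
    return (not lo or int(lo) <= port) and (not hi or port <= int(hi))

def rule_matches(rule, alert):
    """Check a rule header's protocol and ports; assumption: address fields are wildcards."""
    _action, proto, _src, sport, _arrow, _dst, dport = rule.split()[:7]
    return (proto.upper() == alert.proto and port_matches(sport, alert.sport)
            and port_matches(dport, alert.dport))
```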

  10. Installation
     • Install libpcap
     • Install Snort
       # ./configure
       # make
       # make install
     • Test
       # snort -v

  11. More resources
     • Snort.org
     • Securityfocus.com
     • Whitehats.com

  12. PSCS Implementation By Mark Peoples
