
Snort:

Jason Booth – Intrusion Detection System: Snort. Overview: Snort / Drawbacks, IDS – Theory, IDS – Test, Practical IDS, Setup Scripts, Oink-Master, Snort-MySql, Log Files Location, What is logged.


Presentation Transcript


  1. Snort: Jason Booth – Intrusion Detection System

  2. Overview
     • Snort / Drawbacks
     • IDS – Theory
     • IDS – Test
     • Practical IDS
     • Setup Scripts
     • Oink-Master
     • Snort-MySql
     • Log Files Location
     • What is logged

  3. What is SNORT? • Snort is a network Intrusion Detection System (IDS). It generally runs on a bastion host: a hardened server dedicated to that one purpose. Running nothing else on the sensor keeps the attack surface the sensor itself exposes as small as possible.

  4. Drawbacks
     • Slower network (more overhead)
     • The IDS can become an intrusion point in and of itself
     • Laws limit what can be logged from a packet (privacy law may restrict payload capture in particular)
     • An IDS is only as good as its definition rules

  5. A TCP/IP packet

  6. What Snort logs • A sample alert in Snort's full alert format:
     [**] [1:1384:8] MISC UPnP malformed advertisement [**]
     [Classification: Misc Attack] [Priority: 2]
     02/23-10:20:29.041905 192.168.0.1:1900 -> 239.255.255.250:1900
     UDP TTL:127 TOS:0x0 ID:17771 IpLen:20 DgmLen:346
     Len: 318
     [Xref => http://www.microsoft.com/technet/security/bulletin/MS01-059.mspx]
     [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0877]
     [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0876]
     [Xref => http://www.securityfocus.com/bid/3723]
     • The first bracket is [generator ID:signature ID:revision]: generator 1 is the rules engine, 1384 is the rule's sid and 8 its rev. The classification and priority come from the rule's classtype; then follow the timestamp, source -> destination with ports, the protocol and IP header fields, and the cross-references (Xref) the rule carries.

  7. Snort Priority • Prioritizing with classification.config. Each line has the form
     config classification: <shortname>,<description>,<priority>
     for example
     config classification: successful-dos, Denial of Service, 2
     • A rule refers to the shortname with classtype:successful-dos; and inherits that priority; a lower number means a higher priority (1 high, 2 medium, 3 low). A priority: option written in the rule itself overrides the classtype's value. http://www.linux.com/articles/29830
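The alert record on slide 6 and the priority scale on slide 7, worked into code. This is an added example, not material from the presentation or from the Snort project: a small parser for Snort's full alert format that pulls out the [gid:sid:rev] triple, classification, priority, addresses, protocol and cross-references, then ranks the alerts with the lowest priority number first. The first sample record is the slide's own alert; the second record is constructed for the example (a sid in the local range and made-up addresses), and the record layout is Snort's alert_full output.

```python
"""Parse Snort "full" alert records into structured fields and rank them.

Added example for this page; not code from the presentation or from the
Snort project.  The first record in SAMPLE_ALERTS is the alert shown on
the slide; the second is a constructed record (local-range sid, made-up
hosts) so that ranking has two priorities to compare.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_ALERTS = """\
[**] [1:1384:8] MISC UPnP malformed advertisement [**]
[Classification: Misc Attack] [Priority: 2]
02/23-10:20:29.041905 192.168.0.1:1900 -> 239.255.255.250:1900
UDP TTL:127 TOS:0x0 ID:17771 IpLen:20 DgmLen:346
Len: 318
[Xref => http://www.microsoft.com/technet/security/bulletin/MS01-059.mspx]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0877]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0876]
[Xref => http://www.securityfocus.com/bid/3723]

[**] [1:1000001:1] LOCAL shell prompt seen in HTTP reply [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
02/23-10:21:03.118822 10.0.0.5:80 -> 192.168.0.7:51922
TCP TTL:64 TOS:0x0 ID:54321 IpLen:20 DgmLen:540 DF
***AP*** Seq: 0x1A2B3C4D  Ack: 0x5E6F7A8B  Win: 0x7D78  TcpLen: 20
"""

# [**] [gid:sid:rev] message [**]
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*) \[\*\*\]$")
# Rules without a classtype print only "[Priority: 0]", so the
# classification part is optional.
CLASS_RE = re.compile(r"^(?:\[Classification: (.*?)\] )?\[Priority: (\d+)\]$")
# MM/DD-HH:MM:SS.usec (MM/DD/YY- when snort runs with -y) src[:port] -> dst[:port]
FLOW_RE = re.compile(
    r"^(\d\d/\d\d(?:/\d\d)?-\d\d:\d\d:\d\d\.\d+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")
XREF_RE = re.compile(r"^\[Xref => (.*)\]$")
PROTOCOLS = ("TCP", "UDP", "ICMP", "IP")


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str = ""
    priority: int = 0          # 0 is what Snort prints for unclassified rules
    timestamp: str = ""
    src: str = ""
    src_port: Optional[int] = None
    dst: str = ""
    dst_port: Optional[int] = None
    proto: str = ""
    xrefs: List[str] = field(default_factory=list)


def parse_alerts(text: str) -> List[Alert]:
    """Split a full-alert file into Alert objects; unknown lines are skipped."""
    alerts: List[Alert] = []
    cur: Optional[Alert] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := HEADER_RE.match(line)):
            cur = Alert(int(m[1]), int(m[2]), int(m[3]), m[4])
            alerts.append(cur)
        elif cur is None:
            continue                       # text before the first record
        elif (m := CLASS_RE.match(line)):
            cur.classification, cur.priority = (m[1] or ""), int(m[2])
        elif (m := FLOW_RE.match(line)):
            cur.timestamp, cur.src, cur.dst = m[1], m[2], m[4]
            cur.src_port = int(m[3]) if m[3] else None
            cur.dst_port = int(m[5]) if m[5] else None
        elif (m := XREF_RE.match(line)):
            cur.xrefs.append(m[1])
        elif not cur.proto and line.split()[0] in PROTOCOLS:
            cur.proto = line.split()[0]    # "UDP TTL:127 TOS:0x0 ..." line
    return alerts


def rank(alerts: List[Alert]) -> List[Alert]:
    """Highest priority (lowest number) first; unclassified (0) goes last."""
    return sorted(alerts, key=lambda a: (a.priority if a.priority > 0 else 99, a.timestamp))


if __name__ == "__main__":
    for a in rank(parse_alerts(SAMPLE_ALERTS)):
        print(f"P{a.priority} [{a.gid}:{a.sid}:{a.rev}] {a.proto} "
              f"{a.src}:{a.src_port} -> {a.dst}:{a.dst_port}  {a.msg}")
```

The parser deliberately keys on the record header rather than blank lines, so it also copes with alert files where a record carries extra protocol lines (TCP flags, ICMP fields) that the sample does not show.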

  8. What this means

  9. Theory

  10. Theory

  11. Test

  12. Practical IDS • Choose a setup that is practical and cost-effective for yourself or your business, yet offers a fast response to intrusions.

  13. Setup Scripts • Check /var/log/syslog for a line that looks like this:
     snort[1731]: Snort initialization completed successfully (pid=1731)

  14. Setup Scripts • /var/snort • See the setup.txt file for the demonstration.

  15. SNORT Rules • The rules are the vital part of Snort. Various categories of rules ship with Snort; they live under /etc/snort/ (on Debian-style installs in /etc/snort/rules/) in files ending with .rules, and snort.conf selects the categories to load with include lines.
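How a rule's classtype and an explicit priority: option combine with classification.config (slide 7), shown on rule text. This is an added example, not code from the presentation or from Snort: it parses a rule header and its option block, loads classification lines, and resolves the effective priority the way Snort does (explicit priority: wins, else the classtype's value, else 0). The four rules are constructed for the example with sids in the local range; the classification lines match entries of the stock classification.config.

```python
"""Resolve the effective alert priority of Snort rules.

Added example for this page; not Snort's own code.  The classification
lines below match stock classification.config entries; the rules are
constructed samples (sids >= 1000000, the range reserved for local rules).
"""
import re
from typing import Dict, List, Tuple

CLASSIFICATION_CONF = """\
# config classification:shortname,short description,priority
config classification: misc-attack,Misc Attack,2
config classification: successful-dos,Denial of Service,2
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: network-scan,Detection of a Network Scan,3
"""

RULES = """\
alert udp any any -> 239.255.255.250 1900 (msg:"LOCAL UPnP NOTIFY to multicast"; content:"NOTIFY * HTTP/1.1"; classtype:misc-attack; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"LOCAL SSH to server"; flow:to_server,established; classtype:attempted-admin; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"LOCAL noisy SYN scanner"; flags:S; classtype:network-scan; priority:1; sid:1000003; rev:2;)
alert icmp any any -> $HOME_NET any (msg:"LOCAL icmp seen"; sid:1000004; rev:1;)
"""

DEFAULT_PRIORITY = 0   # Snort prints [Priority: 0] for rules with no classtype

CLASS_RE = re.compile(r"^config classification:\s*([^,]+),([^,]*),(\d+)\s*$")
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$")


def load_classifications(text: str) -> Dict[str, Tuple[str, int]]:
    """shortname -> (description, priority) from classification.config lines."""
    table = {}
    for line in text.splitlines():
        m = CLASS_RE.match(line.strip())
        if m:
            table[m[1].strip()] = (m[2].strip(), int(m[3]))
    return table


def split_options(body: str) -> List[str]:
    """Split the option block on ';' but not inside double-quoted values."""
    parts, buf, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    return [p for p in parts + [tail] if p]


def parse_rule(line: str) -> dict:
    """Header fields plus options as key -> list of values (content may repeat)."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Snort rule: {line!r}")
    rule = m.groupdict()
    options: Dict[str, List[str]] = {}
    for opt in split_options(rule.pop("opts")):
        key, _, val = opt.partition(":")
        options.setdefault(key.strip(), []).append(val.strip().strip('"'))
    rule["options"] = options
    return rule


def effective_priority(rule: dict, classes: Dict[str, Tuple[str, int]]) -> int:
    """priority: option overrides the classtype; missing both -> DEFAULT_PRIORITY."""
    opts = rule["options"]
    if "priority" in opts:
        return int(opts["priority"][-1])
    classtype = opts.get("classtype", [None])[-1]
    if classtype in classes:
        return classes[classtype][1]
    return DEFAULT_PRIORITY


if __name__ == "__main__":
    classes = load_classifications(CLASSIFICATION_CONF)
    for line in RULES.splitlines():
        r = parse_rule(line)
        print(f"sid {r['options']['sid'][0]:>8}  priority {effective_priority(r, classes)}  {r['options']['msg'][0]}")
```

The third sample rule is the interesting one: its classtype would give priority 3, but the explicit priority:1 wins, which is exactly what you will see in the alert's [Priority: 1] field. The fourth rule has neither, so it surfaces as priority 0 and tends to be missed by dashboards that sort on that field.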

  16. OinkMaster • "If you have many sensors, it can be a very difficult job to keep all the rules current on all of your sensors. A great tool for this task is Oinkmaster" (http://www.snort.org/docs/setup_guides/deb-snort-howto.pdf)

  17. Snort-Mysql • Snort supports MySQL as an output plugin. In snort.conf:
     # vim /etc/snort/snort.conf
     Find the line below, uncomment it, and fill in your own values:
     output database: log, mysql, user=snort password=mypass dbname=snort host=localhost
     • Restart Snort and verify that it is writing to the database. The easiest way is to get into mysql and run "select * from event"; you should see lots of events if you still have alerting on for every packet, or the icmp rule. Or run this command:
     # mysql -uroot -pmypassword -D snort -e "select count(*) from event"
     • Note that the database password sits in cleartext in snort.conf, so keep that file readable only by the account Snort runs as, and give the snort database user only the privileges the plugin needs rather than running the sensor against root.

  18. Points of Reference
     • http://www.snort.org/docs/
     • Google it! Snort, Snort-mysql, IDS, Linux and snort, Careers with IDS and snort

  19. Misc. Section • Snort in promiscuous mode: the sensor's interface accepts every frame on its segment, not only frames addressed to its own MAC, so Snort can inspect traffic between other hosts.

  20. Poisoning the network • "I'm having a very annoying problem in my LAN: someone (or a virus?) is sending ARP messages like the following (in human words): • 'I am computer with mac de:ad:de:ad:de:ad and with IP <victim's IP> and I am asking everyone (destination MAC ff:ff:ff:ff:ff:ff): does anyone else have this IP?'" • http://www.webservertalk.com/message1217112.html
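The symptom quoted above, turned into detection logic. This is an added example, not code from the presentation or from Snort: Snort's arpspoof preprocessor checks ARP traffic against a static IP-to-MAC table and flags unicast ARP requests; this stand-alone version does the same and additionally learns bindings from the first sighting so that a foreign MAC claiming an already-seen IP, as in the post, is flagged. The ARP records, the lab addresses and the static gateway entry are all constructed for the example.

```python
"""Flag ARP poisoning symptoms in a stream of ARP records.

Added example for this page; not code from the presentation or from
Snort.  Modelled on what Snort's arpspoof preprocessor checks (static
IP->MAC table, unicast requests) plus a learned-binding check.  All
records, addresses and the static table are constructed sample data.
"""
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

Arp = namedtuple("Arp", "ts op eth_dst sender_mac sender_ip target_ip")
BROADCAST = "ff:ff:ff:ff:ff:ff"

# In the spirit of `preprocessor arpspoof_detect_host: <ip> <mac>`; assumed lab gateway.
STATIC_HOSTS = {"192.168.0.1": "00:11:22:33:44:55"}

ARP_EVENTS = [
    # gateway answers the victim's earlier request
    Arp("10:00:01", "reply",   "aa:bb:cc:dd:ee:01", "00:11:22:33:44:55", "192.168.0.1", "192.168.0.7"),
    # victim asks for the gateway (normal broadcast request)
    Arp("10:00:05", "request", BROADCAST,           "aa:bb:cc:dd:ee:01", "192.168.0.7", "192.168.0.1"),
    # the post's symptom: a foreign MAC claims the victim's IP and asks who else has it
    Arp("10:00:09", "request", BROADCAST,           "de:ad:de:ad:de:ad", "192.168.0.7", "192.168.0.7"),
    # classic poisoning: the same MAC now answers for the gateway
    Arp("10:00:12", "reply",   "aa:bb:cc:dd:ee:01", "de:ad:de:ad:de:ad", "192.168.0.1", "192.168.0.7"),
]

Finding = Tuple[str, str, str, Optional[str], str]   # ts, kind, ip, expected mac, seen mac


def detect_arp_spoof(events: List[Arp], static_hosts: Optional[Dict[str, str]] = None) -> List[Finding]:
    static = {ip: mac.lower() for ip, mac in (static_hosts or {}).items()}
    learned: Dict[str, str] = {}          # ip -> mac as first seen on the wire
    findings: List[Finding] = []
    for ev in events:
        mac = ev.sender_mac.lower()
        if ev.sender_ip in static and static[ev.sender_ip] != mac:
            # configured binding violated: the highest-confidence signal
            findings.append((ev.ts, "static-mismatch", ev.sender_ip, static[ev.sender_ip], mac))
        elif ev.sender_ip in learned and learned[ev.sender_ip] != mac:
            # an IP we have already seen is now claimed by another MAC
            findings.append((ev.ts, "binding-changed", ev.sender_ip, learned[ev.sender_ip], mac))
        elif ev.op == "request" and ev.sender_ip == ev.target_ip and ev.eth_dst == BROADCAST:
            # gratuitous/announce ARP is normal when a host boots; informational
            # unless one of the conflicts above also fires
            findings.append((ev.ts, "gratuitous-arp", ev.sender_ip, None, mac))
        elif ev.op == "request" and ev.eth_dst != BROADCAST:
            # a request aimed at one host rather than broadcast is a probing pattern
            findings.append((ev.ts, "unicast-request", ev.sender_ip, None, mac))
        # keep the first-seen binding: a later conflicting claim must not overwrite it
        learned.setdefault(ev.sender_ip, mac)
    return findings


if __name__ == "__main__":
    for ts, kind, ip, expected, seen in detect_arp_spoof(ARP_EVENTS, STATIC_HOSTS):
        print(f"{ts} {kind:16} {ip:15} expected={expected} seen={seen}")
```

The first-seen binding is kept on purpose: if the table followed the latest claim, the attacker's second packet would "legitimise" the spoofed MAC and silence the alert. In a real deployment the static table is the part to maintain for gateways and servers; the learned table only covers hosts the sensor happened to see first.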

  21. Question? • How does Snort know it has been penetrated? • It looks at the packets and matches their headers and payload against its rules.

  22. Conclusion • Snort is a versatile and strong network IDS tool. Used correctly, it gives a network admin a great deal of network information at a low cost in overhead.
