
The open source network intrusion detection system.


Presentation Transcript


  1. Snort: The open source network intrusion detection system. Secure System Administration & Certification, Ravindra Pendyala

  2. SNORT • IDS & History of Snort • What is Snort? • Features of Snort • Snort Modes • Compiling & Installing Snort • Snort Rules • Snort in different Modes • Using Snort • Third Party Enhancements • Conclusion. The main distribution site for Snort is http://www.snort.org

  3. NIDS & History of Snort. Intrusion: An intrusion is somebody (A.K.A. "hacker" or "cracker") attempting to break into or misuse your system. NIDS: A network intrusion detection system (NIDS) monitors packets on the network wire and attempts to discover whether a hacker/cracker is trying to break into a system (or cause a denial of service attack).

  4. NIDS & History of Snort... Martin Roesch is the founder and CTO of Sourcefire, Inc. Snort was a true case of a programmer scratching his own itch. Here was Marty Roesch with his home network, wanting to see who, if anyone, was trying to penetrate it. This was a small and simple detection system for home use. Initial Release on Dec 22 1998 - snort-0.96.tar.gz. Latest Release on Oct 3 - snort-1.9.0.tar.gz

  5. What is Snort? Snort does NOT block intruders. Assumes a human is watching!!! Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient.

  6. Snort in simple words … • Automated tool to detect intrusions • Works locally (reactionary) or network wide (preemptive) • Preemptive IDS can use traffic monitoring or content monitoring • Does NOT block intruders. Assumes a human is watching!!!

  7. Operating Systems: Snort works on the following OS

  8. Features of Snort • “Lightweight” • Free • Portable • Runs on HP-UX, Linux, AIX, Irix, *BSD, Solaris, Win2K • Configurable with easy setup

  9. Snort Modes • Packet sniffer • Packet Logger • Preemptive IDS - Actively monitors network traffic in real time to match intrusion signatures and send alerts

  10. Installing Snort • On Red Hat Linux 7.2, as root: • Download and install libpcap • Download and install these three .rpm: • libnet-1.0.2a-1snort.i386.rpm • snort-1.8.4-1snort.i386.rpm • snort-postgresql+flexresp-1.8.4-1snort.i386.rpm • Create /var/log/snort directory

  11. Installing Snort • Files installed: • /etc/snort contains conf and rule files • /var/log/snort will contain logs • /usr/sbin/snort is the snort binary • For a quick test, execute this command within the /etc/snort directory: snort -A console • From a separate machine, use nmap to generate events for Snort to detect: nmap -sP <snort_machine_IP_address>

  12. Installing on Windows 2000 • Download and install winpcap • Download & execute Snort184Win32.exe, select “typical” installation • mkdir “c:\Program Files\Sourcefire\Snort\log” • Files installed in c:\Program Files\Sourcefire\Snort: • snort.conf • \rules directory contains rules • Snort.exe executable

  13. Installing Snort • To test, execute this command within the c:\Program Files\Sourcefire\Snort directory: snort -A console • From a separate machine, use nmap to generate events for Snort to detect: nmap -sP <snort_machine_IP_address> • You should see an alert like this:
  03/27-15:18:06.911226 [**] [1:469:1] ICMP PING NMAP [**]
  [Classification: Attempted Information Leak] [Priority: 2]
  {ICMP} 129.244.70.17 -> 129.244.70.237
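The console alert above is the same one-line-per-event format Snort writes to its alert file, so a small parser turns it into records an operator can filter and count. This is an added example, not code from the slides or from Snort; the second and third sample lines are constructed to exercise ports, a missing classification and a non-alert line.

```python
import re
from collections import namedtuple

# Constructed sample lines in the alert format shown on the slide (the
# second line is invented to exercise ports and a missing classification).
SAMPLE_ALERTS = """\
03/27-15:18:06.911226 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 129.244.70.17 -> 129.244.70.237
03/27-15:18:07.120044 [**] [1:1000001:1] MISC source port 53 to <1024 [**] [Priority: 3] {UDP} 129.244.70.17:53 -> 129.244.70.237:512
this line is not an alert and must be skipped
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?"   # absent when the rule has no classtype
    r"(?:\[Priority: (?P<prio>\d+)\] )?"
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)
Alert = namedtuple("Alert", "timestamp gid sid rev msg classification priority proto src_ip src_port dst_ip dst_port")

def _split_endpoint(endpoint):
    """'1.2.3.4:53' -> ('1.2.3.4', 53); ICMP alerts carry no port -> (ip, None)."""
    host, sep, port = endpoint.rpartition(":")
    return (host, int(port)) if sep and port.isdigit() else (endpoint, None)

def parse_alert(line):
    """Parse one alert line; return None for lines that are not alerts."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = _split_endpoint(m["src"])
    dst_ip, dst_port = _split_endpoint(m["dst"])
    return Alert(m["ts"], int(m["gid"]), int(m["sid"]), int(m["rev"]), m["msg"],
                 m["cls"], int(m["prio"]) if m["prio"] else None,
                 m["proto"], src_ip, src_port, dst_ip, dst_port)

def parse_alert_log(text):
    """Parse a whole alert file, skipping anything that does not match."""
    return [a for a in map(parse_alert, text.splitlines()) if a]

def high_priority(alerts, max_priority=2):
    """Snort priorities: 1 is most severe; keep alerts at or above the threshold."""
    return [a for a in alerts if a.priority is not None and a.priority <= max_priority]

def count_by_signature(alerts):
    """Tally alerts per (gid, sid) so the noisiest signatures surface first."""
    counts = {}
    for a in alerts:
        counts[(a.gid, a.sid)] = counts.get((a.gid, a.sid), 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))
```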

  14. Rules, Rules, Rules • Snort rules are extremely flexible and are easy to modify, unlike many commercial NIDS • Sample rule • alert udp $EXTERNAL_NET 53 -> $HOME_NET :1024 (msg:"MISC source port 53 to <1024";) • Rule alerts on any UDP traffic from the external network with source port 53 going to the home network on port 1024 or below (the :1024 port range)

  15. And More Rules • Elements before parentheses comprise the ‘rule header’ • Elements in parentheses are the ‘rule options’ • Rules can: Alert, Log, or Pass • Used for IP, UDP, ICMP • Source address / port • Destination address / port • Additional options - This is where content matching can take place
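To make the header/options split concrete, here is an added example (not code from the slides or from Snort itself) that parses the slide's sample rule and evaluates its header against packet tuples, resolving the $HOME_NET and $EXTERNAL_NET variables and the :1024 port range. The variable bindings and the packet values are constructed; rule options are parsed into a map but not evaluated, and only the unidirectional "->" header form is handled.

```python
import ipaddress
import re
from collections import namedtuple
# Constructed bindings for the variables in the slide's rule header; in a
# real deployment they come from "var HOME_NET ..." lines in snort.conf.
VARS = {"$HOME_NET": ["129.244.70.0/24"], "$EXTERNAL_NET": ["!129.244.70.0/24"]}
SAMPLE_RULE = 'alert udp $EXTERNAL_NET 53 -> $HOME_NET :1024 (msg:"MISC source port 53 to <1024";)'

# Header: action proto src sport -> dst dport, then the options in parentheses.
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
# One option "keyword[:value];" where a quoted value may itself contain ';'.
OPTION_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')
Rule = namedtuple("Rule", "action proto src sport dst dport options")

def parse_rule(text):
    """Split a one-line Snort rule into header fields and an option map."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a rule: {text!r}")
    *header, opts = m.groups()
    options = {k: v.strip().strip('"') for k, v in OPTION_RE.findall(opts)}
    return Rule(*header, options)

def port_matches(spec, port):
    """Port syntax: any, 53, :1024 (<=1024), 1024: (>=1024), 1:1024, !spec."""
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")
    if not sep:
        return port == int(lo)
    return (not lo or int(lo) <= port) and (not hi or port <= int(hi))

def addr_matches(spec, ip):
    """Address syntax: any, CIDR/host, $VAR resolved from VARS, !spec."""
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    if spec == "any":
        return True
    if spec.startswith("$"):
        return any(addr_matches(s, ip) for s in VARS[spec])
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, proto, src_ip, sport, dst_ip, dport):
    """True when the rule header selects this packet (options are not evaluated)."""
    return (rule.proto in ("ip", proto)
            and addr_matches(rule.src, src_ip) and port_matches(rule.sport, sport)
            and addr_matches(rule.dst, dst_ip) and port_matches(rule.dport, dport))
```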

  16. And More Rules • bad-traffic.rules exploit.rules scan.rules • finger.rules ftp.rules telnet.rules • smtp.rules rpc.rules rservices.rules • dos.rules ddos.rules dns.rules • tftp.rules web-cgi.rules web-coldfusion.rules • web-frontpage.rules web-iis.rules web-misc.rules • web-attacks.rules sql.rules x11.rules • icmp.rules netbios.rules misc.rules • backdoor.rules shellcode.rules policy.rules • porn.rules info.rules icmp-info.rules • virus.rules local.rules attack-responses.rules

  17. Good News Luckily you probably won’t have to write rules!

  18. Snort Modes • Sniffer: snort -dvae will display payloads, be verbose, display ARP traffic, and display link layer data • Packet Logger: snort -b -l /var/log/snort will log binary data to the /var/log/snort directory • NIDS: snort -b -l /var/log/snort -A full -c /etc/snort/snort.conf will log binary data in the /var/log/snort directory, with full alerts in /var/log/snort/alert, reading the configuration file in /etc/snort

  19. Third Party Enhancements • SnortSnarf www.silicondefense.com/software/snortsnarf/ • SnortSnarf is a Perl program that takes files of alerts from Snort and produces HTML reports • Output intended for diagnostic inspection • Silicon Defense also supplies sensors with commercial support • Description and screenshot taken from the SnortSnarf web site

  20. Third Party Enhancements • Analysis Console for Intrusion Databases (ACID) • acidlab.sourceforge.net/ • PHP-based analysis engine to search and process a database of security events generated by various IDSes, firewalls, and network monitoring tools • Query-builder and search interface, packet viewer (decoder), alert management, chart and statistics generation. • Description and screenshots taken from the ACID web site

  21. Conclusions • Snort is a powerful tool, but maximizing its usefulness requires a trained operator • Snort is considered a superior NIDS when compared to most commercial systems • Snort is a wonderful low to no cost solution for businesses. • Snort, written in C, can compile and run on a variety of different Operating Systems.

  22. Online Resources Snort.org Securityfocus.com Whitehats.com

  23. Questions?
