Intrusion Detection Systems with Snort Hailun Yan 564-project
Outline • IDS category • Installation Procedure • Components of Snort • Most frequently used functions • Testing of Snort/ACID
Components of Security System A security system consists of: • Firewalls • Intrusion detection systems (IDS) • Vulnerability assessment tools
Category of IDS • Network Intrusion Detection System (NIDS) • Listens to and analyses the traffic on a network segment • Captures packets • Compares them against a database of signatures • Host-based Intrusion Detection System (HIDS) • Installed as an agent on a host • Monitors and analyses the host's system logs
Installation • Snort can be downloaded from http://www.snort.org • Supported platforms include: • Linux • FreeBSD • OpenBSD • Solaris • AIX • HP-UX • MacOS • Windows
Installation (Cont.) • Pre-installation (versions used in this project) • zlib 1.2.1 • libpcap 0.7.2 • MySQL 4.0.15 • Apache 2.0.52 • PHP 4.3.3
Installation (Cont.) Install Snort #> tar -xzvf snort-2.2.0.tar.gz #> cd snort-2.2.0 #> ./configure --with-mysql=/usr/local/mysql #> make #> make install • --with-mysql compiles in the MySQL output plugin; without it the output database line in snort.conf will be rejected
Installation (Cont.) Install rules and configuration file (run from inside the unpacked snort-2.2.0 directory) #> mkdir /etc/snort #> mkdir /var/log/snort #> cd rules #> cp * /etc/snort #> cd ../etc #> cp snort.conf /etc/snort #> cp *.config /etc/snort
Installation (Cont.) Snort Configuration (in snort.conf) • var HOME_NET 192.168.0.0/24 (must match the network you are protecting; rules that use $HOME_NET depend on it) • var RULE_PATH /etc/snort/ • output database: log, mysql, user=snort password=xxx dbname=snort host=localhost • snort.conf now holds the database password, so make it readable only by root and the user Snort runs as
Installation (Cont.) Setting Up The Database In MySQL mysql> set password for root@localhost=password('xxx'); mysql> create database snort; mysql> grant insert, select on root.* to snort@localhost; mysql> set password for snort@localhost=password('xxx'); mysql> grant create, insert, select, delete, update on snort.* to snort@localhost; mysql> grant create, insert, delete, select, update on snort.* to snort; mysql> exit shell> /usr/local/mysql/bin/mysql -u root -p < ./contrib/create_mysql snort Enter password: xxx • The grant on root.* only serves to create the snort@localhost account (there is no database named root) • The last grant, with no @localhost, creates a snort account that can connect from any host; leave it out unless ACID runs on a different machine from MySQL
Installation (Cont.) To display the alert messages generated by Snort in a web browser, also install: • Analysis Console for Intrusion Databases (ACID) • JPGraph • ADODB
Check to See If Everything Is Working #> /usr/local/apache/bin/apachectl start #> /usr/local/mysql/bin/mysqld_safe & #> /usr/local/bin/snort -c /etc/snort/snort.conf -D #> ping yahoo.com • -D runs Snort as a daemon; the ping generates ICMP traffic, so check that the snort process is still running and that events appear in the snort database (or under /var/log/snort) once an ICMP rule fires
Components of Snort A Snort-based IDS contains the following components: • Packet Decoder • Preprocessors • Detection Engine • Logging and Alerting System • Output Modules
Packet Decoder • Takes packets from different types of network interfaces • Decodes the link, IP and transport headers • Sends the packets to the preprocessors • Which pass them on to the detection engine
Preprocessors Attackers use different techniques to evade an IDS: • Evading an exact-match signature: if you write a rule that looks for the string "httpd/conf" in HTTP packets, an attacker can defeat it by sending "httpd/./conf" or "httpd/../httpd/conf" instead, which the web server resolves to the same path. A preprocessor normalises the string before matching so that the rule still fires. • Packet fragmentation: an attacker can split a packet so that the signature is spread across several fragments and no single fragment matches. A preprocessor reassembles the fragments and hands the whole packet to the detection engine for signature testing.
The Detection Engine • Its responsibility is to detect whether any intrusion activity exists in a packet • It dissects a packet and applies rules to different parts of it • The IP header of the packet • The transport-layer header, e.g. TCP, UDP • The application-layer header, e.g. DNS, FTP, SNMP and SMTP • The packet payload: you can write a rule to find a string inside the data
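To make the two preprocessor jobs concrete, here is an added Python illustration (it is not Snort's own code and does not reproduce its preprocessors): a URI normaliser that resolves "./" and "../" segments and percent-encoding, and a fragment reassembler that rebuilds a datagram from out-of-order pieces. The signature "httpd/conf" and the evasion attempts are constructed for the demo; `naive_match` shows what an exact-match check sees without preprocessing, and `detect` what it sees with it.

```python
"""Added example: URI normalisation and fragment reassembly in front
of an exact-match signature.  Not Snort's code; inputs are constructed."""
from urllib.parse import unquote

SIGNATURE = "httpd/conf"   # the string the rule looks for


def normalize_uri(uri):
    """Percent-decode once, drop empty and '.' segments, resolve '..'.

    Decoding only once matters: decoding "%252e" twice would let the
    attacker pick a form the web server itself never decodes.
    """
    decoded = unquote(uri)
    lead = "/" if decoded.startswith("/") else ""
    out = []
    for seg in decoded.split("/"):
        if seg in ("", "."):          # "//" and "/./" add nothing
            continue
        if seg == "..":               # step back one directory
            if out:
                out.pop()
            continue
        out.append(seg)
    return lead + "/".join(out)


def reassemble(fragments):
    """Rebuild a datagram from (offset, bytes) fragments given in any order.

    Returns None on a gap or an overlap rather than guessing; a real
    preprocessor would alert on overlapping fragments, a classic evasion.
    """
    buf = bytearray()
    for offset, data in sorted(fragments, key=lambda f: f[0]):
        if offset != len(buf):
            return None
        buf += data
    return bytes(buf)


def naive_match(fragments, signature=SIGNATURE):
    """Exact-match check on each fragment as it arrives, no preprocessing."""
    return any(signature.encode() in data for _, data in fragments)


def detect(fragments, signature=SIGNATURE):
    """Reassemble, pull the request URI out, normalise it, then match."""
    datagram = reassemble(fragments)
    if datagram is None:
        return False
    request_line = datagram.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = request_line.split(" ")
    uri = parts[1] if len(parts) >= 2 else ""
    return signature in normalize_uri(uri)


# Constructed evasion attempts; each fragment is (offset, payload).
EVASIONS = {
    "dot segment":   [(0, b"GET /httpd/./conf HTTP/1.0\r\n")],
    "dot-dot":       [(0, b"GET /httpd/cgi/../conf HTTP/1.0\r\n")],
    "percent-coded": [(0, b"GET /%68ttpd/conf HTTP/1.0\r\n")],
    "fragmented":    [(8, b"pd/conf HTTP/1.0\r\n"), (0, b"GET /htt")],
}

if __name__ == "__main__":
    for name, frags in EVASIONS.items():
        print(f"{name:14} naive={naive_match(frags)!s:5} preprocessed={detect(frags)}")
```

Every entry in `EVASIONS` slips past `naive_match` and is caught by `detect`; the reassembler's refusal to accept gaps or overlaps is the edge case a fragment preprocessor has to decide on explicitly.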
Logging and Alerting System • A captured packet may be used to log the activity or to generate an alert • Logs are kept in • simple text files • tcpdump-style binary files • some other form • Log files are stored under /var/log/snort by default • Use the -l parameter to change the log location
Output Modules Depending on the configuration, output modules can do things like the following: • Simply logging to the /var/log/snort/alert file • Sending SNMP traps • Sending messages to the syslog facility • Logging to a database such as MySQL or Oracle • Generating XML output • Modifying the configuration of routers and firewalls • Sending Server Message Block (SMB) messages to Microsoft Windows-based machines
Snort Modes Snort operates in two basic modes (packet-logger mode, selected with -l, is a variant of sniffer mode that writes the packets to disk instead of the console): • Sniffer mode • Logs packets to log files • The log files can be analysed by tcpdump, Snort etc. • Similar tools include tcpdump, snoop etc. • NIDS mode • Rule-based IDS • Generates alerts and stores them in a database • Analysed with the ACID software package
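The simplest output module writes one line per event to the alert file. As an added example (not Snort's own code) the Python below parses alert lines written in the style of Snort's one-line "fast" alert format and summarises them per signature and per source address, which is the first thing an analyst does with an alert file before opening it in ACID. The sample lines are constructed to imitate that format, with signature IDs from the local range; they are not taken from a real sensor.

```python
"""Added example: parse fast-format alert lines and summarise them.
Not Snort's code; SAMPLE_ALERTS is constructed, not real sensor output."""
import re
from collections import Counter

# timestamp  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample; ICMP events carry no ports, and the last line is junk.
SAMPLE_ALERTS = """\
01/10-12:34:56.789012  [**] [1:1000001:1] httpd conf access [**] [Priority: 2] {TCP} 10.0.0.5:40000 -> 192.168.0.10:80
01/10-12:34:57.001122  [**] [1:1000001:1] httpd conf access [**] [Priority: 2] {TCP} 10.0.0.5:40001 -> 192.168.0.10:80
01/10-12:35:01.500000  [**] [1:1000002:1] DNS version query [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.0.0.7:5353 -> 192.168.0.10:53
01/10-12:35:02.000000  [**] [1:1000003:1] ICMP PING test [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 192.168.0.10
this line is not an alert and must be skipped
"""


def parse_alert(line):
    """Return a dict of the alert's fields, or None for a non-alert line."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        if fields[key] is not None:
            fields[key] = int(fields[key])
    return fields


def summarize(text):
    """Count alerts per (sid, msg) and per source address."""
    alerts = [a for a in (parse_alert(l) for l in text.splitlines()) if a]
    return {
        "total": len(alerts),
        "by_signature": Counter((a["sid"], a["msg"]) for a in alerts),
        "by_source": Counter(a["src"] for a in alerts),
    }


def noisy_sources(text, threshold=2):
    """Sources with at least `threshold` alerts: the hosts to look at first."""
    counts = summarize(text)["by_source"]
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    s = summarize(SAMPLE_ALERTS)
    print(s["total"], "alerts")
    for (sid, msg), n in s["by_signature"].most_common():
        print(f"  sid {sid} {msg!r}: {n}")
    print("noisy sources:", noisy_sources(SAMPLE_ALERTS))
```

Lines that do not match the format are skipped rather than crashing the parser, since a rotated or partially written alert file commonly contains a truncated last line.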
Sniffing Mode #> snort -v • -v prints the IP and TCP/UDP/ICMP headers of every packet to the console
Sniffing Mode (Cont.) Press Ctrl+C to stop; Snort prints packet statistics before exiting
Sniffing Mode (Cont.) The -e option makes Snort also display the layer 2 (link-layer) headers #> snort -ve
Sniffing Mode (Cont.) The -d option makes Snort also dump the application-layer payload #> snort -vd
Network Intrusion Detection Mode • It does not log each captured packet • It applies the rules to every captured packet • It reads the configuration file snort.conf, and every file included from it, before starting
Structure of A Rule A Snort rule is divided into two parts: • rule header • the action the rule takes when it matches • the criteria for matching the rule against packets (protocol, addresses, ports, direction) • rule options
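The detection engine's job described earlier (apply the header to the IP and transport layers, then the options to the payload) and the rule structure above fit in a few dozen lines. This is an added Python illustration, not Snort's detection engine, covering only the subset of rule syntax a beginner meets: a header with `->`/`<>`, `any`, CIDR, `!` negation and port ranges, and the options `msg`, `content`, `nocase`, `dsize` and `sid`. The `$HOME_NET` value mirrors the `var HOME_NET` line from the configuration slide; the rules and packets are constructed for the demo. Two simplifications are marked in the code: `nocase` is applied to every `content` rather than the one it follows, and a `;` inside a quoted string is not handled.

```python
"""Added example: a toy Snort-style rule matcher.  Not Snort's code."""
import ipaddress
import re

# Mirrors `var HOME_NET 192.168.0.0/24` in snort.conf; EXTERNAL_NET assumed.
VARS = {"$HOME_NET": "192.168.0.0/24", "$EXTERNAL_NET": "any"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(text):
    """Split a rule into header fields and an options dict.

    Simplification: a ';' inside a quoted content string is not handled.
    """
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("malformed rule: %r" % text)
    rule = {k: VARS.get(v, v) for k, v in m.groupdict().items()}  # expand $VARS
    opts = {"content": []}                      # a rule may carry several contents
    for item in rule.pop("opts").split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, val = item.partition(":")
        val = val.strip().strip('"')
        if key == "content":
            opts["content"].append(val)
        else:
            opts[key.strip()] = val if val else True   # flag option, e.g. nocase
    rule["options"] = opts
    return rule


def _addr_ok(spec, ip):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def _port_ok(spec, port):
    if spec == "any":
        return True
    if ":" in spec:                              # range such as 1024: or 6000:6010
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def header_matches(rule, pkt):
    """The IP/transport-layer part of the rule."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    forward = (_addr_ok(rule["src"], pkt["src"]) and _port_ok(rule["sport"], pkt["sport"])
               and _addr_ok(rule["dst"], pkt["dst"]) and _port_ok(rule["dport"], pkt["dport"]))
    if rule["dir"] == "->" or forward:
        return forward
    return (_addr_ok(rule["src"], pkt["dst"]) and _port_ok(rule["sport"], pkt["dport"])   # '<>'
            and _addr_ok(rule["dst"], pkt["src"]) and _port_ok(rule["dport"], pkt["sport"]))


def options_match(rule, pkt):
    """The payload part of the rule (content, nocase, dsize)."""
    opts, payload = rule["options"], pkt["payload"]
    if "dsize" in opts:
        spec, n = opts["dsize"], len(payload)
        ok = (n < int(spec[1:]) if spec[0] == "<" else
              n > int(spec[1:]) if spec[0] == ">" else n == int(spec))
        if not ok:
            return False
    nocase = "nocase" in opts                    # simplification: applies to all contents
    hay = payload.lower() if nocase else payload
    for needle in opts["content"]:
        needle = needle.encode()
        if (needle.lower() if nocase else needle) not in hay:
            return False
    return True


def evaluate(rules, pkt):
    """Return (action, sid, msg) for every rule the packet triggers."""
    return [(r["action"], r["options"].get("sid"), r["options"].get("msg"))
            for r in rules if header_matches(r, pkt) and options_match(r, pkt)]


RULES = [parse_rule(r) for r in (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"httpd conf access"; content:"httpd/conf"; nocase; sid:1000001;)',
    'alert udp any any -> $HOME_NET 53 (msg:"DNS version query"; content:"version"; nocase; dsize:<100; sid:1000002;)',
)]

# Constructed packets (not captures); payload is the application-layer data.
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "192.168.0.10", "dport": 80,
     "payload": b"GET /HTTPD/conf HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40001, "dst": "192.168.0.10", "dport": 80,
     "payload": b"GET /index.html HTTP/1.0\r\n"},
    {"proto": "udp", "src": "10.0.0.5", "sport": 5353, "dst": "192.168.0.10", "dport": 53,
     "payload": b"\x12\x34\x01\x00\x00\x01\x07version\x04bind\x00\x00\x10\x00\x03"},
]

if __name__ == "__main__":
    for pkt in PACKETS:
        print(pkt["src"], "->", pkt["dst"], pkt["dport"], evaluate(RULES, pkt))
```

Note that the first packet trips the rule despite the upper-case "HTTPD" only because of `nocase`, and that a reply travelling out of `$HOME_NET` never reaches the options stage because the `->` header fails first; the header check is the cheap filter that keeps the payload search off most traffic.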