1 / 13

Snort

Snort. Introduction to Snort’s Working and configuration file. Three modes of snort. Snort can be configured in three modes Sniffer Packet Logger Network Intrusion Detection System. Sniffer mode. In sniffer mode, snort act as a sniffer like tcpdump, ethereal

rea
Download Presentation

Snort

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Snort Introduction to Snort’s Working and configuration file

  2. Three modes of snort Snort can be configured in three modes • Sniffer • Packet Logger • Network Intrusion Detection System

  3. Sniffer mode • In sniffer mode, snort act as a sniffer like tcpdump, ethereal • Following options of snort are useful for sniffer mode. • -d Dump the app layer data when displaying • -e Display the link layer packet headers • -v prints packet to the console

  4. Packet logger mode • In packet logger mode, snort just logs the packet which can later be used for running analysis, NIDS mode of snort and otherwise • Following options of snort are useful for sniffer mode. • -l Followed by directory: this will log the packets to particular directory • -dev Can also be used for logger mode, but they are slow. • -b logs the packets in binary. This is recommended for packet logger mode, as it is fast

  5. NIDS mode • NIDS mode is started with -c snort.conf • Different ways to start snort are following • snort -devl ./log -h 192.168.1.0/24 -c snort.conf • snort -bl ./log -h 192.168.1.0/24 -c snort.conf • snort -b -A fast -c snort.conf • snort -b -l ./log -c snort.conf –o

  6. Snort.conf Configuration File defines the following • Network Variables • Preprocessors and their variables • Classification Files • Reference Files • Rules

  7. Snort.conf (II) Network Variables Different network variables are set. Examples are given below var HTTP_PORTS 80 var TELNET_SERVERS 10.1.1.1/29

  8. Snort.conf (III) Preprocessors Pre-compiled set of functions which handle detection. Preprocessors are fast but cannot be used from within a rule.

  9. Snort.conf (IV) Classification File In this file, priorities are stored for different attacks. 1 means highest priority or dangerous attack. Sample from classification file • config classification: attempted-dos,Attempted Denial of Service,2 • config classification: successful-dos,Denial of Service,2 • config classification: attempted-user,Attempted User Privilege Gain,1 • config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1

  10. Snort.conf (V) Reference File This includes reference URLs for different software. The reference is defined in rules, so that a URL is also displayed for administrators to rectify the problem.

  11. Snort.conf (VI) Rules Rules are defined in several files which are included in snort.conf. The updated set of rules can be downloaded from snort.org

  12. Modify Snort Snort provides three mechanisms to modify its functionality. • Plug-ins Two types of plug-ins • Output plug-ins • Detection plug-ins • Preprocessors • Source Code Modification

  13. The End

More Related