1 / 17

Snort

Snort. The Lightweight Intrusion Detection System. The other games in town. Heavyweight systems: Stateful firewalls: Example: Checkpoint Firewall One Commercial network intrusion detection systems: Example: Network Flight Recorder (NFR). The Art of Intrusion Detection:.

vanya
Download Presentation

Snort

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Snort The Lightweight Intrusion Detection System

  2. The other games in town Heavyweight systems: Stateful firewalls: Example: Checkpoint Firewall One Commercial network intrusion detection systems: Example: Network Flight Recorder (NFR)

  3. The Art of Intrusion Detection: • Know the protocols. • Watch the web. • Set up your IDS monitor. • Install and tune Snort. • Set up your switches. • Watch and process logs.

  4. Know the protocols

  5. Watch the web

  6. Watch the web www.snort.org www.securityfocus.com csrc.nist.gov www.sans.org www.cert.org

  7. Set up your IDS monitor

  8. Set up your IDS monitor Generic Intel CPU The software UNIX-like O/S with LIBPCAP

  9. Install and tune Snort Download Tune the rules Compile

  10. Set up your switches Remote Switch Local Switch Cross-over jumper Management VLAN User PC Snort Box The Default VLAN or ELAN

  11. Set up your switches remote-switch# set vlan 2 port 3/2 remote-switch# set vlan 2 port 3/3 remote-switch# set span 1 3/1 create local-switch# set vlan 2 port 4/1 local-switch# set vlan 2 port 4/2

  12. Watch and process logs • There are lots of PERL programs. • Snort can send a WINPOPUP via SMB. • Snort can log to an MSQL database. • Get fancy by going through syslog. • Tip: keep systems in sync with NTP.

  13. Snort rule anatomy alert tcp any any - 10.1.1.0/24 80 \ (content: "/cgi-bin/phf"; msg: "PHF probe!";) alert tcp any any - 10.1.1.0/24 6000:6010 \ (msg: "X traffic";)

  14. Snort rule anatomy IMAP attack:

  15. Snort rule anatomy alert tcp any any - 192.168.1.0/24 143 \ (content:"|E8C0 FFFF FF|/bin/sh"; msg: \ "New IMAP Buffer Overflow detected!";)

  16. Operational hint Run from /etc/inittab with respawn option: snort:5:respawn:/usr/local/bin/snort or a shell program: #!/bin/sh : while true do /bin/date > /var/log/snort-restart.log /usr/local/bin/snort done

  17. Thank you

More Related