A Preview
• NIDS vs. HIDS
• NIDS: Pattern matching
• HIDS: Log Monitoring, File Integrity Checking
Criteria For Software NIDS
• Only as secure as the OS
• Logging to a different log server
• Tuning (all IDS)
• Ease of Monitoring (all IDS)
• Alarm
• Response capability: kill a connection, log (Honeynets)
Location of NIDS
• In the External DMZ
• In the Internal DMZ
• In the protected network
• Before resource servers
• In front of/behind a firewall
What is Snort?
• A Sniffer like Ethereal
• A packet-logger like tcpdump
• An Intrusion Detection System like CISCO IDS (Type of IDS?)
How to Use Snort?
• Download Snort-2.3.0RC2 from www.snort.org
• Install Snort as shown in the document
• Create the folder /etc/snort and copy some important configuration files to that folder
• Create the folder /var/log/snort
How to Use Snort? (cont'd)
• Point to the rule path in the snort.conf file
• Specify the HOME network and EXTERNAL network
• Test run the snort configuration
• Run snort as a daemon
More Advanced Configuration of Snort
• The Snort Internals
• Packet Decoder
• Preprocessor
• Detection Engine
Preprocessor Configurations
• Preprocessor Configuration in snort.conf
• frag2 – Detects packet fragmentation
• stream4 – Self protection against Snot and Slick
• http_inspect – Web traffic
• rpc_decode – RPC traffic
• flow_portscan – Statistical details (not used)
• sfportscan – Detects port scanning activities
• perfmonitor – Self assessment (not used)
Other Important Parts of Snort.conf
• Output plugins, e.g. logging to a SQL database
• Including specific rules files for signature comparisons
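The three preceding slides (network variables and rule path, preprocessors, output plugins and rule includes) all describe settings that live in snort.conf. The fragment below is an added example of how such a file is laid out for the Snort 2.x line discussed here; it is not the configuration shipped with Snort, and the network range, rule path and database credentials are assumed lab values.

```conf
# Added example of a Snort 2.x snort.conf skeleton (not the file shipped with Snort).
# 192.168.1.0/24 and /etc/snort/rules are assumed values for a lab network.
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules

# Preprocessors named on the slides (frag2/stream4 are the Snort 2.3-era names)
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 }
preprocessor rpc_decode: 111 32771
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }

# Output plugins: one-line alerts to <logdir>/alert, optionally also a SQL database
output alert_fast: alert
# output database: log, mysql, user=snort password=<placeholder> dbname=snort host=localhost

# Classification/reference tables and the rule files used for signature matching
include classification.config
include reference.config
include $RULE_PATH/scan.rules
include $RULE_PATH/web-attacks.rules
```

Before running this as a daemon, check the file with `snort -T -c /etc/snort/snort.conf`, which parses the configuration and rules and reports errors without starting detection; a mistyped include path or preprocessor keyword shows up there rather than as a silent gap in coverage.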
A Note on Usual Logging Methods
• -l switch when running from the command line
• Default log directory when running as a NIDS
• Hierarchical Logging
• Two Logging Modes
  • ASCII (i.e. plain text)
    • Inode problem
  • Binary
Understanding Snort Rules
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flags:SF; \
    reference:arachnids,198; classtype:attempted-recon; \
    sid:624; rev:1;)
Types of Rule Options
• Metadata – reference
• Payload Detection – content
• Non-Payload Detection – packet characteristics like size, fragments
• Post Detection – log to a particular file, kill connections
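To see how the header and the option types above fit together, here is an added example (not Snort's own code) that parses the SCAN SYN FIN rule from the previous slide and evaluates it against a few constructed packet summaries. It resolves $HOME_NET/$EXTERNAL_NET from an assumed variable table, checks the header (protocol, addresses, ports, direction) and the non-payload `flags` option with Snort's exact/`+`/`*`/`!` semantics, and prints one line per match in a format modelled on alert_fast. Payload options such as `content` are deliberately not implemented.

```python
"""Added example: a minimal Snort 2.x rule parser and header/flags matcher (not Snort code)."""
import ipaddress
import re
from dataclasses import dataclass

# The rule from the slide, unchanged.
SCAN_SYN_FIN = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any '
    '(msg:"SCAN SYN FIN"; flags:SF; reference:arachnids,198; '
    'classtype:attempted-recon; sid:624; rev:1;)'
)
# Assumed values for the snort.conf variables (lab network, constructed for this example).
VARIABLES = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "!$HOME_NET"}
FLAG_LETTERS = set("FSRPAU12")  # FIN SYN RST PSH ACK URG and the two reserved bits

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$", re.S)

@dataclass
class Rule:
    action: str; proto: str; src: str; sport: str; direction: str; dst: str; dport: str
    options: dict  # keyword -> list of values ('reference' may repeat)

@dataclass
class Packet:
    proto: str; src: str; sport: int; dst: str; dport: int
    flags: str = ""  # TCP flag letters actually set, e.g. "SF"

def split_options(body):
    """Split 'k:v; k2:v2;' on semicolons that are not inside double quotes."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in body:
        if escaped:
            buf.append(ch); escaped = False
        elif ch == "\\":
            buf.append(ch); escaped = True
        elif ch == '"':
            quoted = not quoted; buf.append(ch)
        elif ch == ";" and not quoted:
            parts.append("".join(buf).strip()); buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    options = {}
    for opt in split_options(m.group("body")):
        key, _, value = opt.partition(":")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        options.setdefault(key.strip(), []).append(value)
    g = m.groupdict()
    return Rule(g["action"], g["proto"], g["src"], g["sport"], g["dir"], g["dst"], g["dport"], options)

def addr_matches(spec, ip, variables):
    """Resolve 'any', '!negation', '$VAR' (possibly nested) and a single CIDR; lists are not handled."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip, variables)
    if spec.startswith("$"):
        return addr_matches(variables[spec], ip, variables)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    lo, sep, hi = spec.partition(":")
    if not sep:
        return port == int(lo)
    return (not lo or int(lo) <= port) and (not hi or port <= int(hi))

def flags_match(spec, pkt_flags):
    """Snort 'flags': exact set by default; '+' = these and any others; '*' = any of these;
    '!' = none of these; an optional ',mask' lists bits to ignore."""
    flags, _, mask = spec.partition(",")
    flags = flags.strip()
    modifier = flags[0] if flags and flags[0] in "+*!" else ""
    wanted = set(flags[len(modifier):]) & FLAG_LETTERS  # 'flags:0' yields the empty set
    have = set(pkt_flags) - set(mask.strip())
    if modifier == "+":
        return wanted <= have
    if modifier == "*":
        return bool(wanted & have)
    if modifier == "!":
        return not (wanted & have)
    return have == wanted

def rule_matches(rule, pkt, variables=VARIABLES):
    if rule.proto not in ("ip", pkt.proto):
        return False
    def header(src, sport, dst, dport):
        return (addr_matches(rule.src, src, variables) and port_matches(rule.sport, sport)
                and addr_matches(rule.dst, dst, variables) and port_matches(rule.dport, dport))
    ok = header(pkt.src, pkt.sport, pkt.dst, pkt.dport)
    if rule.direction == "<>":
        ok = ok or header(pkt.dst, pkt.dport, pkt.src, pkt.sport)
    # Only the non-payload 'flags' option is evaluated; content/size/fragment options are omitted.
    return ok and all(flags_match(s, pkt.flags) for s in rule.options.get("flags", []))

def alert_line(rule, pkt):
    """One line per alert, modelled on the alert_fast layout: [gid:sid:rev] msg {PROTO} src -> dst."""
    opt = lambda k, d: rule.options.get(k, [d])[0]
    return (f"[**] [1:{opt('sid', '0')}:{opt('rev', '0')}] {opt('msg', '')} [**] "
            f"{{{pkt.proto.upper()}}} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")

def run(rule_text, packets, variables=VARIABLES):
    rule = parse_rule(rule_text)
    return [alert_line(rule, p) for p in packets if rule_matches(rule, p, variables)]

# Constructed packets: an external SYN/FIN probe, a normal external SYN, an internal SYN/FIN.
SAMPLE_PACKETS = [
    Packet("tcp", "203.0.113.7", 40000, "192.168.1.10", 80, "SF"),
    Packet("tcp", "203.0.113.7", 40001, "192.168.1.10", 80, "S"),
    Packet("tcp", "192.168.1.20", 40002, "192.168.1.10", 22, "SF"),
]

if __name__ == "__main__":
    for line in run(SCAN_SYN_FIN, SAMPLE_PACKETS):
        print(line)
```

Only the first constructed packet produces an alert: the second has SYN alone (the default `flags` test is an exact match, so `flags:SF` does not fire on a plain SYN), and the third comes from inside $HOME_NET, which $EXTERNAL_NET excludes. Rules with `<>` are matched in either direction, which is why the header test is written as a helper that can be called with the endpoints swapped.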
Information Sharing with Metadata
• Web sites with information on security vulnerabilities:
  • CVE (Common Vulnerabilities and Exposures)
    • cve.mitre.org
  • CERT
    • http://www.cert.org/nav/index_red.html
Uses of NIDS
• Detect network-based attacks
• Detect host-based vulnerabilities based on responses (a typical response to a buffer overflow)
• Test existing security policy for loopholes
Disadvantages and Future
• Human Resource
• Encrypted traffic
• Switched networks – port mirroring
• False positives
• Damage already occurred
Future:
- IPS (Intrusion Prevention Systems)
Deliverables
• Read the 2 documents on Snort
• Install Snort and test its response to an nmap/nessus scan
• Submit a Word file with a snapshot of the log files (ASCII and Binary) and a snippet of the alert file with a brief explanation of the kind of scan and the results
• Research and understand each of the following
  • Activate and Dynamic actions (snort_manual.pdf)
  • Possible responses by Snort (snort_manual.pdf)
  • Slick and Snot
  • Try to understand the rules