SNORT

yehudah
Presentation Transcript


  1. SNORT

  2. A Preview
     • NIDS vs. HIDS
     • NIDS: Pattern matching
     • HIDS: Log monitoring, file integrity checking

  3. Criteria For Software NIDS
     • Only as secure as the OS
     • Logging to a different log server
     • Tuning (all IDS)
     • Ease of monitoring (all IDS)
     • Alarm
     • Response capability: kill a connection, log (Honeynets)

  4. A Common Network Topology

  5. Location of NIDS
     • In the External DMZ
     • In the Internal DMZ
     • In the protected network
     • Before resource servers
     • In front of / behind a firewall

  6. What is Snort?
     • A sniffer like Ethereal
     • A packet logger like tcpdump
     • An Intrusion Detection System like Cisco IDS (Type of IDS?)

  7. How to Use Snort?
     • Download Snort-2.3.0RC2 from www.snort.org
     • Install Snort as shown in the document
     • Create the folder /etc/snort and copy some important configuration files to that folder
     • Create the folder /var/log/snort

  8. How to Use Snort? (cont'd)
     • Point to the rule path in the snort.conf file
     • Specify the HOME network and EXTERNAL network
     • Test run the Snort configuration
     • Run the Snort daemon

  9. More Advanced Configuration of Snort
     • The Snort internals
     • Packet Decoder
     • Preprocessor
     • Detection Engine

  10. Preprocessor Configurations
     • Preprocessor configuration in snort.conf
     • frag2 – Detects packet fragmentation
     • stream4 – Self protection against Snot and Slick
     • http_inspect – Web traffic
     • rpc_decode – RPC traffic
     • flow_portscan – Statistical details (not used)
     • sfportscan – Detects port scanning activities
     • perfmonitor – Self assessment (not used)

  11. Other Important Parts of snort.conf
     • Output plugins, e.g. logging to a SQL database
     • Including specific rules files for signature comparisons

  12. A Note on Usual Logging Methods
     • -l switch when running from the command line
     • Default log directory when running as a NIDS
     • Hierarchical logging
     • Two logging modes:
       • ASCII (i.e. plain text) – inode problem
       • Binary

  13. Inode - Example

  14. Logging - Examples

  15. Logging - Examples (cont'd)

  16. Understanding Snort Rules

     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flags:SF; \
         reference:arachnids,198; classtype:attempted-recon; \
         sid:624; rev:1;)

  17. Logging - Examples (cont'd)

  18. Types of the Rule Options
     • Metadata – reference
     • Payload Detection – content
     • Non-Payload Detection – packet characteristics like size, fragments
     • Post Detection – log to a particular file, kill connections
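As an added illustration of slides 16 and 18 (example code, not part of the slides or of Snort itself), the following Python parser splits the SCAN SYN FIN rule into its header and option fields, and then evaluates the non-payload flags option plus the address fields against constructed packet records. The $HOME_NET / $EXTERNAL_NET values, the packet dictionaries, and the "exactly these flags" reading of flags:SF are assumptions for the example.

```python
import ipaddress
import re

# Constructed input: the rule from slide 16, with the two snort.conf
# variables resolved to hypothetical values (not taken from the slides).
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any '
        '(msg:"SCAN SYN FIN"; flags:SF; reference:arachnids,198; '
        'classtype:attempted-recon; sid:624; rev:1;)')
NETVARS = {"$HOME_NET": "10.0.0.0/8", "$EXTERNAL_NET": "!10.0.0.0/8"}

HEADER = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$')

def parse_rule(text):
    """Split a rule into header fields and an options dict (option -> values)."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = {}
    for item in body.split(';'):           # options are ';'-terminated
        if item.strip():
            key, _, value = item.strip().partition(':')
            options.setdefault(key, []).append(value.strip().strip('"'))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport,
            "options": options}

def addr_matches(spec, ip):
    """Resolve a $VAR, honour a leading '!' negation, test CIDR membership."""
    spec = NETVARS.get(spec, spec)
    if spec == "any":
        return True
    negate = spec.startswith("!")
    inside = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"))
    return inside != negate

def rule_matches(rule, pkt):
    """pkt: dict with proto, src, dst and flags ('SF' = SYN and FIN set)."""
    if pkt["proto"] != rule["proto"]:
        return False
    if not (addr_matches(rule["src"], pkt["src"])
            and addr_matches(rule["dst"], pkt["dst"])):
        return False
    # flags:SF without a modifier: exactly SYN and FIN set, nothing else.
    want = rule["options"].get("flags", [None])[0]
    return want is None or set(pkt["flags"]) == set(want)

if __name__ == "__main__":
    rule = parse_rule(RULE)
    scan = {"proto": "tcp", "src": "203.0.113.7", "dst": "10.1.2.3", "flags": "SF"}
    print(rule["options"]["msg"][0], rule_matches(rule, scan))  # SCAN SYN FIN True
```

A plain SYN from the same source, or a SYN/FIN from inside $HOME_NET, does not match, which is the point of the $EXTERNAL_NET setting on slide 8.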

  19. Use of Metadata – Search with reference arachnids,198

  20. Information Sharing with Metadata
     • Web sites with information on security vulnerabilities:
       • CVE (Common Vulnerabilities and Exposures) – cve.mitre.org
       • CERT – http://www.cert.org/nav/index_red.html

  21. Uses of NIDS
     • Detect network-based attacks
     • Detect host-based vulnerabilities based on responses (a typical response to a buffer overflow)
     • Test existing security policy loopholes

  22. Disadvantages and Future
     • Human resources
     • Encrypted traffic
     • Switched networks – port mirroring
     • False positives
     • Damage already occurred
     Future:
     • IPS (Intrusion Prevention Systems)

  23. Deliverables
     • Read the 2 documents on Snort
     • Install Snort and test its response to an nmap/nessus scan
     • Submit a Word file with a snapshot of the log files (ASCII and Binary) and a snippet of the alert file with a brief explanation of the kind of scan and the results
     • Research and understand each of the following:
       • Activate and Dynamic actions (snort_manual.pdf)
       • Possible responses by Snort (snort_manual.pdf)
       • Slick and Snot
       • Try to understand the rules