Snort is an Intrusion Detection System (IDS)
• Automated tools to detect intrusions
• Works locally (reactionary) or network-wide (preemptive)
• Preemptive IDS can use traffic monitoring or content monitoring
• Does NOT block intruders. Assumes a human is watching!!!
What IDS are available?
• Cisco Secure IDS (formerly NetRanger)
• Network Flight Recorder
• RealSecure (ISS)
• SecureNet Pro
• Snort!!!
Why pick Snort?
• “Lightweight”
• Free
• Portable – Runs on HP-UX, Linux, AIX, Irix, *BSD, Solaris, Win2K
• Configurable with easy setup
What can Snort do?
• Packet sniffer
• Packet logger
• Preemptive IDS – Actively monitors network traffic in real time to match intrusion signatures and send alerts
Rules, Rules
alert udp $EXTERNAL_NET 53 -> $HOME_NET :1024 (msg:"MISC source port 53 to <1024";)
• Rule alerts that any UDP packet from the external network coming in from port 53 and going to any port up to 1024 (the :1024 port range) should be flagged
• Can also alert based on packet content, not just source / destination ports
And more Rules
• Rules can: Alert, Log, or Pass
• Used for IP, UDP, ICMP
• Source address / port
• Destination address / port
• Additional options – This is where content matching can take place
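To show how the rule header (action, protocol, source and destination address/port, direction) and the content option from the two rule slides fit together, here is an added example that is not part of the slides and not Snort's own code: a small Python matcher that parses Snort-style rules and tests constructed sample packets against them. The $HOME_NET / $EXTERNAL_NET values, the second rule, and the packets are all constructed for the example, and the rule grammar covers only what the slides show (real Snort has many more options and modifiers).

```python
"""
Added example (not from the slides or the Snort project): parse the header
and a few options of Snort-style rules, then decide whether constructed
sample packets trigger them. Simplified grammar for illustration only.
"""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# In snort.conf these come from "var HOME_NET ..." lines; values here are constructed.
VARS = {
    "$HOME_NET": "10.0.0.0/8",
    "$EXTERNAL_NET": "!10.0.0.0/8",
}

@dataclass
class Rule:
    action: str        # alert | log | pass
    proto: str         # ip | tcp | udp | icmp
    src: str
    sport: str
    direction: str     # "->" or "<>"
    dst: str
    dport: str
    options: dict = field(default_factory=dict)

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>ip|tcp|udp|icmp)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# Options are "key:value;" pairs (value may be quoted) or bare flags like "nocase;".
OPT_RE = re.compile(r'(\w+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def parse_rule(text: str) -> Rule:
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a rule: {text!r}")
    opts = {k: (v.strip().strip('"') if v else True) for k, v in OPT_RE.findall(m["opts"])}
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dir"],
                m["dst"], m["dport"], opts)

def port_matches(spec: str, port: int) -> bool:
    """Port spec: 'any', a number, or a range 'lo:hi' where either end may be empty."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (lo == "" or int(lo) <= port) and (hi == "" or port <= int(hi))
    return port == int(spec)

def addr_matches(spec: str, addr: str) -> bool:
    """Address spec: a $VAR, 'any', a CIDR, or a negated form '!...'."""
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], addr)
    return ip_address(addr) in ip_network(spec, strict=False)

def rule_matches(rule: Rule, pkt: dict) -> bool:
    """pkt is a constructed dict with proto, src, sport, dst, dport, payload."""
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    def one_way(a, ap, b, bp):
        return (addr_matches(rule.src, a) and port_matches(rule.sport, ap)
                and addr_matches(rule.dst, b) and port_matches(rule.dport, bp))
    hit = one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if not hit and rule.direction == "<>":   # bidirectional rules match either way
        hit = one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if not hit:
        return False
    # The "content" option: plain substring match on the payload (no |hex| or modifiers here).
    content = rule.options.get("content")
    return content is None or content.encode() in pkt.get("payload", b"")

RULES = [
    parse_rule('alert udp $EXTERNAL_NET 53 -> $HOME_NET :1024 (msg:"MISC source port 53 to <1024";)'),
    # Constructed second rule to exercise the content option.
    parse_rule('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC sample content match"; content:"cmd.exe";)'),
]

SAMPLE_PACKETS = [  # constructed; addresses are documentation/example space
    {"proto": "udp", "src": "129.219.17.200", "sport": 53, "dst": "10.1.2.3", "dport": 1024, "payload": b""},
    {"proto": "udp", "src": "129.219.17.200", "sport": 53, "dst": "10.1.2.3", "dport": 33434, "payload": b""},
    {"proto": "tcp", "src": "203.0.113.5", "sport": 40000, "dst": "10.1.2.3", "dport": 80,
     "payload": b"GET /cgi-bin/cmd.exe HTTP/1.0\r\n"},
]

def check_packet(pkt: dict, rules=RULES):
    """Return (action, msg) of the first matching rule, or None if nothing fires."""
    for r in rules:
        if rule_matches(r, pkt):
            return r.action, r.options.get("msg", "")
    return None

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p["src"], "->", p["dst"], p["dport"], check_packet(p))
```

The first sample packet fires the slide's rule because its destination port falls inside the :1024 range; the second, to port 33434, does not; the third fires only because the content string appears in the payload, which is the "additional options" step the slide refers to.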
Luckily you probably won’t have to write rules!
What do the alerts look like?
[**] MISC source port 53 to <1024 [**]
05/21-16:30:07.697467 129.219.17.200:53 -> 129.219.XXX:1024
UDP TTL:253 TOS:0x0 ID:60955 IpLen:20 DgmLen:268 DF
Len: 248
• These can also be nicely formatted by different parser programs
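As an added example of the "parser programs" the slide mentions (this is not code from the slides or from any named parser), here is a Python parser for Snort's full-alert text format as shown above. The sample alert text is constructed from the slide, with a second alert added to show the optional DF flag being absent; the XXX in the destination address is kept as the slide had it.

```python
"""
Added example (not from the slides): parse Snort full-format text alerts
into structured records and summarise them. Sample alert text is
constructed from the slide's example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_ALERTS = """\
[**] MISC source port 53 to <1024 [**]
05/21-16:30:07.697467 129.219.17.200:53 -> 129.219.XXX:1024
UDP TTL:253 TOS:0x0 ID:60955 IpLen:20 DgmLen:268 DF
Len: 248

[**] MISC source port 53 to <1024 [**]
05/21-16:30:09.102233 129.219.17.200:53 -> 129.219.XXX:512
UDP TTL:253 TOS:0x0 ID:60960 IpLen:20 DgmLen:96
Len: 76
"""

@dataclass
class Alert:
    msg: str
    timestamp: str
    src: str
    sport: Optional[int]     # None for protocols without ports (e.g. ICMP)
    dst: str
    dport: Optional[int]
    proto: str
    ttl: int
    ip_id: int
    flags: List[str]         # e.g. ["DF"]
    length: Optional[int]    # the trailing "Len:" line, when present

MSG_RE = re.compile(r"^\[\*\*\]\s*(?P<msg>.*?)\s*\[\*\*\]$")
CONN_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)
IP_RE = re.compile(
    r"^(?P<proto>\w+)\s+TTL:(?P<ttl>\d+)\s+TOS:(?P<tos>0x[0-9A-Fa-f]+)\s+ID:(?P<id>\d+)"
    r"\s+IpLen:(?P<iplen>\d+)\s+DgmLen:(?P<dgmlen>\d+)(?P<flags>(?:\s+\w+)*)$"
)
LEN_RE = re.compile(r"^Len:\s*(?P<len>\d+)$")

def parse_alerts(text: str) -> List[Alert]:
    """Split the alert file on blank lines and parse each block's first lines."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 3:
            continue
        m, c, ip = MSG_RE.match(lines[0]), CONN_RE.match(lines[1]), IP_RE.match(lines[2])
        if not (m and c and ip):
            raise ValueError(f"unrecognised alert block: {lines!r}")
        ln = LEN_RE.match(lines[3]) if len(lines) > 3 else None
        alerts.append(Alert(
            msg=m["msg"], timestamp=c["ts"],
            src=c["src"], sport=int(c["sport"]) if c["sport"] else None,
            dst=c["dst"], dport=int(c["dport"]) if c["dport"] else None,
            proto=ip["proto"], ttl=int(ip["ttl"]), ip_id=int(ip["id"]),
            flags=ip["flags"].split(),
            length=int(ln["len"]) if ln else None,
        ))
    return alerts

def summarize(alerts: List[Alert]) -> dict:
    """Count alerts per (message, source address): the view an analyst wants first."""
    counts = {}
    for a in alerts:
        key = (a.msg, a.src)
        counts[key] = counts.get(key, 0) + 1
    return counts

def format_alert(a: Alert) -> str:
    """One-line rendering of a parsed alert."""
    return f"{a.timestamp} {a.proto} {a.src}:{a.sport} -> {a.dst}:{a.dport} [{a.msg}]"

if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for a in parsed:
        print(format_alert(a))
    print(summarize(parsed))
```

Running the block stand-alone prints one line per alert followed by the per-source counts; the same records could equally be written to a database or a SIEM, which is what the more elaborate parser programs the slide mentions do.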
Installation
1. Install libpcap
2. Install Snort
   • # ./configure
   • # make install
3. Test
   • # snort -v
More resources
• snort.org
• securityfocus.com
• whitehats.com