Snort Intrusion Detection
- Slides: 15
What is Snort
- Packet analysis tool
- Most widely deployed NIDS
- Initial release by Marty Roesch in 1998
- Current version 2.4.4 as of April 17th, 2006
Features
- Small package: 2.7 M for source
- Cross platform
- Open source
- Backed by Sourcefire
- Fast (high rate of detection on average networks)
- Configurable
Design
- Packet analysis pipeline: Data Acquisition -> Decode -> Preprocess -> Detect -> Action
Design Engine
- Uses rules to form "signatures"
- Modular detection elements are combined to form specific signatures
- Detects anomalous activity
- Easily updatable
Different Modes
- Packet sniffer
- Packet logger
- NIDS mode
- Inline mode
Rules
- Two parts:
  - Rule header
  - Rule options
Rule Header

    alert tcp $BAD any -> $GOOD any

    Field        Value
    Rule action  alert
    Protocol     tcp
    Src. CIDR    $BAD
    Src. Port    any
    Direction    ->
    Dest. CIDR   $GOOD
    Dest. Port   any

The same header with explicit networks (the leading ! negates the source network):

    alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any
Rule Options

    (flags: SF; msg: "SYN-FIN scan";)

    Part       In the example
    Keyword    flags, msg
    Separator  :
    Argument   SF, "SYN-FIN scan"
    Delimiter  ;
Common Rule Options
- IP TTL
- IP ID
- Fragment size
- TCP flags
- TCP ack number
- TCP seq number
- Payload size
- Content offset
- Content depth
- Session recording
- ICMP type
- ICMP code
- Alternate log files
Make Custom Rules
- Detect a string in the payload. The rule header needs both a source and a destination port field, and the content and msg arguments are quoted; a sid is added so Snort can identify the rule (local rules use sid values of 1000000 and above):

    alert tcp any any -> any any (content: "clemson"; msg: "detected clemson!"; sid: 1000001;)
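The rule header, rule options and custom-rule slides above describe the two-part rule syntax. The following is an added illustration, not Snort's own code: a minimal Python matcher that parses a rule into header fields and an options dict, then evaluates it against constructed packet records. It models only the header fields, the ! CIDR negation and the content/msg options; the rule strings and packets are constructed for the example.

```python
"""Minimal Snort-style rule matcher (added illustration, not Snort's code)."""
import ipaddress
import re

# header: action proto src sport dir dst dport, then the parenthesised options
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(text):
    """Split a rule into its header fields and an options dict.

    Options are 'keyword: argument;' pairs; ':' separates keyword from
    argument and ';' delimits options, exactly as on the Rule Options slide.
    Hex content (|..|) and ';' inside quoted arguments are not handled here.
    """
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a valid rule header: %r" % text)
    rule = m.groupdict()
    opts = {}
    for item in rule.pop("opts").split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, arg = item.partition(":")
        opts[key.strip()] = arg.strip().strip('"')
    rule["options"] = opts
    return rule


def addr_matches(spec, ip):
    """'any', a CIDR, or a '!'-negated CIDR such as !10.1.1.0/24."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    hit = ipaddress.ip_address(ip) in net
    return not hit if negate else hit


def port_matches(spec, port):
    """'any', a single port, or a lo:hi range."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return int(spec) == port


def _ends_match(rule, a, aport, b, bport):
    return (addr_matches(rule["src"], a) and port_matches(rule["sport"], aport)
            and addr_matches(rule["dst"], b) and port_matches(rule["dport"], bport))


def rule_matches(rule, pkt):
    """Header fields first, then the content option against the payload bytes."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    fwd = _ends_match(rule, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    rev = rule["dir"] == "<>" and _ends_match(rule, pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if not (fwd or rev):
        return False
    content = rule["options"].get("content")
    return content is None or content.encode() in pkt["payload"]


def alerts_for(rules, packets):
    """Return, per packet, the msg of every rule that fires on it."""
    parsed = [parse_rule(r) for r in rules]
    return [[r["options"].get("msg", "") for r in parsed if rule_matches(r, p)] for p in packets]


# constructed rules: the slide's negated-CIDR header and the custom content rule
RULES = [
    'alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any (msg:"external to internal tcp"; sid:1000001;)',
    'alert tcp any any -> any any (content:"clemson"; msg:"detected clemson!"; sid:1000002;)',
]

# constructed packets (192.0.2.0/24 is a documentation range, used here as "outside")
PACKETS = [
    {"proto": "tcp", "src": "192.0.2.7", "sport": 40000, "dst": "10.1.1.5", "dport": 80,
     "payload": b"GET /clemson HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "10.1.1.5", "sport": 80, "dst": "10.1.1.9", "dport": 1234,
     "payload": b"hello"},
    {"proto": "udp", "src": "192.0.2.7", "sport": 53, "dst": "10.1.1.5", "dport": 53,
     "payload": b"clemson"},
]

if __name__ == "__main__":
    for pkt, msgs in zip(PACKETS, alerts_for(RULES, PACKETS)):
        print(pkt["src"], "->", pkt["dst"], msgs)
```

The first packet fires both rules, the internal-to-internal packet fires neither (its source is inside the negated network and carries no matching content), and the UDP packet is rejected by the protocol field before any option is looked at, which is the same header-then-options order the slides describe.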
Output
- Log all the alerts
- Real-time alerts
- Several different types:
  - Syslog
  - Plain text
  - Databases
  - Unified output
Common Options

    Option      Description
    -A fast     Fast alert mode. Writes the alert in a simple format with a timestamp, alert message, source and destination IPs/ports.
    -A full     Full alert mode. This is the default alert mode and will be used automatically if you do not specify a mode.
    -A unsock   Sends alerts to a UNIX socket that another program can listen on.
    -A none     Turns off alerting.
    -A console  Sends "fast-style" alerts to the console (screen).
    -A cmg      Generates "cmg style" alerts.
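The -A fast mode in the table above is the one most often fed into other tools. As an added example (not Snort's or any listed tool's code), here is a Python parser for fast-format alert lines that extracts the fields the slide names (timestamp, alert message, source and destination IPs/ports) plus the generator/rule ids, and summarises alerts per source address. The sample lines are constructed to follow the Snort 2.x fast layout; the Classification block is treated as optional because rules without a classtype omit it.

```python
"""Parser for Snort '-A fast' alert lines (added illustration, not Snort's code)."""
import re
from collections import Counter

# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src:sport -> dst:dport
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# constructed sample output; the last line shows that non-alert text is skipped
SAMPLE = """\
04/17-13:02:11.120345  [**] [1:1000001:1] detected clemson! [**] [Priority: 3] {TCP} 192.0.2.7:40000 -> 10.1.1.5:80
04/17-13:02:12.000001  [**] [1:1000002:1] SYN-FIN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.7:40001 -> 10.1.1.5:22
04/17-13:02:13.500000  [**] [1:1000003:1] ICMP test [**] [Priority: 3] {ICMP} 192.0.2.7 -> 10.1.1.5
this line is not an alert and is skipped
"""


def parse_fast_alert(line):
    """Return a dict of fields for one fast-format line, or None if it is not one."""
    m = FAST_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "priority"):
        rec[key] = int(rec[key])
    # ICMP alerts carry no ports, so these stay None
    for key in ("sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def parse_fast_log(text):
    """Parse every line of a fast alert log, silently dropping non-alert lines."""
    return [rec for rec in map(parse_fast_alert, text.splitlines()) if rec]


def summarize(alerts):
    """Count alerts per source address and pick the most urgent one (lowest priority number)."""
    by_src = Counter(a["src"] for a in alerts)
    most_urgent = min(alerts, key=lambda a: a["priority"])["msg"] if alerts else None
    return {"count": len(alerts), "by_src": by_src, "most_urgent": most_urgent}


if __name__ == "__main__":
    alerts = parse_fast_log(SAMPLE)
    for a in alerts:
        print(a["ts"], a["sid"], a["msg"], a["src"], "->", a["dst"])
    print(summarize(alerts))
```

Parsing into typed fields rather than grepping the raw text is what lets the downstream tools on the next slide group, count and store alerts; the same fields are what the unified and database outputs carry in binary or table form.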
Tools for Snort
- ACID
- SnortSnarf
- Snort Alert Monitor (SAM)
- Snortalog
- Guardian
- DeMarc
- PureSecure
- IDSCenter (Windows)
Resources
- Snort.org: www.snort.org/dl (downloads)
- Bleeding Edge: www.bleedingsnort.com/
- Sourcefire: www.sourcefire.com