  • Slides: 15
Snort Intrusion Detection

What is Snort
• Packet analysis tool
• Most widely deployed NIDS
• Initial release by Marty Roesch in 1998
• Current version 2.4.4 as of April 17th, 2006

Features
• Small package – 2.7 MB for source
• Cross platform
• Open source
• Backed by Sourcefire
• Fast (high rate of detection on average networks)
• Configurable

Design
• Packet analysis pipeline: Data Acquisition → Decode → Preprocess → Detect → Action

Design Engine
• Uses rules to form “signatures”
• Modular detection elements combine to form specific signatures
• Detects anomalous activity
• Easily updateable

Different Modes
• Packet sniffer
• Packet logger
• NIDS mode
• Inline mode

Rules
• Two parts
  – Rule header
  – Rule options

Rule Header
  alert tcp $BAD any -> $GOOD any
• Rule action: alert
• Protocol: tcp
• Src. CIDR: $BAD
• Src. Port: any
• Direction: ->
• Dest. CIDR: $GOOD
• Dest. Port: any
Example with a negated source network (the leading “!” means “not this network”, so the header matches TCP traffic from any host outside 10.1.1.0/24 to a host inside it):
  alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any

Rule Options
  (flags: SF; msg: “SYN-FIN scan”;)
• Keyword: flags
• Separator: :
• Argument: SF
• Delimiter: ;

Common Rule Options
• IP TTL
• IP ID
• Fragment size
• TCP flags
• TCP ack number
• TCP seq number
• Payload size
• Content offset
• Content depth
• Session recording
• ICMP type
• ICMP code
• Alternate log files

Make Custom Rules
• Detect a string in the packet payload. The rule as shown on the slide omits the source and destination ports in the header and the quotes around the option arguments, both of which Snort requires; the corrected form is:
  alert tcp any any -> any any (content:"clemson"; msg:"detected clemson!";)
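To show how the two-part layout from the Rule Header and Rule Options slides is read, here is a small parser that splits a rule into its seven header fields and its keyword/argument option pairs. It is an added example, not code from the slides or from Snort, and it only handles the subset of the grammar the slides describe (a header with optional parenthesised options), not the full Snort rule language.

```python
"""Parser for the Snort rule layout described on the slides (added example)."""
import re
from dataclasses import dataclass, field

# Header: action proto src sport direction dst dport (the seven fields on the slide)
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*$"
)
# Option: keyword ':' argument ';' (argument may be quoted, or absent for flag-style keywords)
OPTION_RE = re.compile(r'\s*(?P<key>\w+)\s*(?::\s*(?P<arg>"[^"]*"|[^;]*))?;')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: list = field(default_factory=list)  # [(keyword, argument-or-None), ...]

    def negated_src(self) -> bool:
        """True when the source CIDR carries the '!' negation, as in !10.1.1.0/24."""
        return self.src.startswith("!")


def parse_rule(text: str) -> Rule:
    """Split a rule into header and parenthesised options and parse both parts."""
    head, sep, rest = text.partition("(")
    if sep and not rest.rstrip().endswith(")"):
        raise ValueError("unterminated option list")
    m = HEADER_RE.match(head)
    if not m:
        raise ValueError(f"malformed rule header: {head.strip()!r}")
    body = rest.rstrip()[:-1].strip() if sep else ""
    options, pos = [], 0
    while pos < len(body):
        om = OPTION_RE.match(body, pos)
        if not om:
            raise ValueError(f"malformed option near: {body[pos:pos + 20]!r}")
        arg = om.group("arg")
        options.append((om.group("key"), None if arg is None else arg.strip().strip('"')))
        pos = om.end()
    return Rule(**m.groupdict(), options=options)
```

Feeding it the slide's original custom rule (without ports) raises a ValueError on the header, which is the same mistake Snort itself would reject at load time.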

Output
• Log all the alerts
• Real-time alerts
• Several different types
  – Syslog
  – Plain text
  – Databases
  – Unified output

Common Options
• -A fast: Fast alert mode. Writes the alert in a simple format with a timestamp, alert message, source and destination IPs/ports.
• -A full: Full alert mode. This is the default alert mode and will be used automatically if you do not specify a mode.
• -A unsock: Sends alerts to a UNIX socket that another program can listen on.
• -A none: Turns off alerting.
• -A console: Sends “fast-style” alerts to the console (screen).
• -A cmg: Generates “cmg style” alerts.

Tools for Snort
• ACID
• SnortSnarf
• Snort Alert Monitor (SAM)
• Snortalog
• Guardian
• DeMarc
• PureSecure
• IDSCenter (Windoze)

Resources
• Snort.org – www.snort.org/dl (downloads)
• Bleeding Edge – www.bleedingsnort.com/
• Sourcefire – www.sourcefire.com