Snort: The Lightweight Intrusion Detection System


The other games in town

Heavyweight systems:
  Stateful firewalls. Example: Checkpoint Firewall One
  Commercial network intrusion detection systems. Example: Network Flight Recorder (NFR)

The Art of Intrusion Detection:
  Know the protocols.
  Watch the web.
  Set up your IDS monitor.
  Install and tune Snort.
  Set up your switches.
  Watch and process logs.

Know the protocols


Watch the web

  www.snort.org
  www.securityfocus.com
  csrc.nist.gov
  www.sans.org
  www.cert.org

Set up your IDS monitor

  The hardware: a generic Intel CPU box
  The software: a UNIX-like O/S with LIBPCAP

Give the sniffing interface no IP address of its own, so the monitor cannot be addressed from the network it watches; libpcap opens the interface in promiscuous mode and Snort reads everything the switch sends it.

Install and tune Snort

  Download
  Compile
  Tune the rules

Set up your switches

[Diagram: Remote Switch, cross-over jumper, Local Switch, Management VLAN, User PC, Snort Box, "The Default VLAN or ELAN"]

remote-switch# set vlan 2 port 3/2
remote-switch# set vlan 2 port 3/3
remote-switch# set span 1 3/1 create
local-switch# set vlan 2 port 4/1
local-switch# set vlan 2 port 4/2

The set span line creates a SPAN session that copies all traffic on VLAN 1 (the default VLAN) to port 3/1. The set vlan lines put the other ports in VLAN 2: on the diagram the cross-over jumper carries the mirrored copy from the SPAN port into VLAN 2, which is extended across to the local switch, where the Snort box hangs off it. Mirroring a whole VLAN onto a single port can oversubscribe that port; whatever does not fit is dropped by the switch and Snort never sees it.

Watch and process logs

  There are lots of PERL programs.
  Snort can send a WINPOPUP via SMB.
  Snort can log to a MySQL database.
  Get fancy by going through syslog.
  Tip: keep systems in sync with NTP, so that alert timestamps on the sensor line up with the logs of the switches and hosts you correlate them against.
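As an added example (not code from the deck, and not one of the Perl scripts it alludes to), here is the kind of summary script those programs were, in Python, run over a constructed sample in the shape of Snort's classic full-alert file: a "[**] msg [**]" header line, then a timestamp and address line, then protocol detail lines the parser ignores. All addresses, timestamps and counts are invented test data.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample in the shape of Snort's classic full-alert file: a "[**] msg [**]"
# header, a timestamp/address line, protocol detail lines, then a blank line.
SAMPLE_ALERTS = """\
[**] PHF probe! [**]
10/06-14:23:11.123456 192.0.2.7:40211 -> 10.1.1.5:80
TCP TTL:64 TOS:0x0 ID:31337 IpLen:20 DgmLen:200 DF

[**] PHF probe! [**]
10/06-14:23:12.223456 192.0.2.7:40212 -> 10.1.1.6:80
TCP TTL:64 TOS:0x0 ID:31338 IpLen:20 DgmLen:200 DF

[**] New IMAP Buffer Overflow detected! [**]
10/06-14:25:40.000001 198.51.100.3:2049 -> 192.168.1.9:143
TCP TTL:53 TOS:0x0 ID:4 IpLen:20 DgmLen:1500 DF

[**] X traffic [**]
10/06-14:30:00.500000 10.1.1.20:51000 -> 10.1.1.21:6003
TCP TTL:64 TOS:0x0 ID:9 IpLen:20 DgmLen:60 DF
"""

HDR_RE = re.compile(r'^\[\*\*\]\s+(?P<msg>.+?)\s+\[\*\*\]$')
ADDR_RE = re.compile(r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+'
                     r'(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$')

def parse_alerts(text):
    """One dict per alert record: msg, ts, src, sport, dst, dport."""
    alerts, current = [], None
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if m:
            current = {'msg': m.group('msg')}
            alerts.append(current)
            continue
        m = ADDR_RE.match(line)
        if m and current is not None and 'src' not in current:
            current.update(m.groupdict())
            current['sport'], current['dport'] = int(current['sport']), int(current['dport'])
    return alerts

def summarize(alerts):
    """Hits per signature and the distinct sources behind each: the usual first cut at triage."""
    per_sig = Counter(a['msg'] for a in alerts)
    sources = defaultdict(set)
    for a in alerts:
        sources[a['msg']].add(a.get('src'))
    return per_sig, {sig: sorted(s) for sig, s in sources.items()}

def noisy_sources(alerts, threshold=2):
    """Sources with at least `threshold` alerts, most active first; a crude sweep indicator."""
    counts = Counter(a.get('src') for a in alerts)
    return [src for src, n in counts.most_common() if n >= threshold]

def targets_of(alerts, src):
    """Distinct dst:dport pairs one source hit, useful to tell a sweep from a single probe."""
    return sorted({'%s:%d' % (a['dst'], a['dport']) for a in alerts if a.get('src') == src})

if __name__ == '__main__':
    # With a file argument, read a real alert file; otherwise run on the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    alerts = parse_alerts(text)
    per_sig, sources = summarize(alerts)
    for sig, n in per_sig.most_common():
        print('%4d  %-40s from %s' % (n, sig, ', '.join(sources[sig])))
    for src in noisy_sources(alerts):
        print('noisy source %s hit %s' % (src, ', '.join(targets_of(alerts, src))))
```

Run it as `python3 summarize.py /var/log/snort/alert` against a live sensor; the three report functions are the pieces worth feeding on into syslog or a database once the counts get too big to read by eye.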

Snort rule anatomy

alert tcp any any -> 10.1.1.0/24 80 (content: "/cgi-bin/phf"; msg: "PHF probe!";)
alert tcp any any -> 10.1.1.0/24 6000:6010 (msg: "X traffic";)

The header reads: action, protocol, source address, source port, direction, destination address, destination port. The options in parentheses are key: value pairs, each ended by a semicolon; content is the byte string to look for in the payload and msg is the text of the alert. With no content option, the second rule fires on every TCP packet to ports 6000 through 6010 on that network.

Snort rule anatomy

IMAP attack:

alert tcp any any -> 192.168.1.0/24 143 (content: "|E8C0 FFFF FF|/bin/sh"; msg: "New IMAP Buffer Overflow detected!";)

Text between the | | delimiters in a content string is raw hex (here the bytes E8 C0 FF FF FF, followed by the literal string /bin/sh), which is how a rule matches binary shellcode rather than printable text.
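As an added example (not code from the deck and not Snort's own parser), the following Python implements the rule grammar that the two rule-anatomy slides above use, and runs the three slide rules over constructed packets. It handles only what the slides show: any, a host or CIDR, a single port or a low:high range, a leading ! for negation, content with |hex| sections, and msg. Real Snort has many more options and a proper multi-pattern engine; the packet dicts, addresses and payloads here are constructed test data.

```python
import ipaddress
import re

# Classic Snort rule header:  action proto src_ip src_port dir dst_ip dst_port (opt: val; ...)
RULE_RE = re.compile(
    r'^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')

def parse_content(value):
    """Content string to bytes; text between | | is raw hex, spaces ignored, as in Snort."""
    out = bytearray()
    for i, part in enumerate(value.split('|')):
        out += bytes.fromhex(part.replace(' ', '')) if i % 2 else part.encode('latin-1')
    return bytes(out)

def parse_options(opts):
    """'key: "value"; key: "value";' -> dict (values in these rules never contain ';')."""
    options = {}
    for item in filter(None, (s.strip() for s in opts.split(';'))):
        key, _, val = item.partition(':')
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        options[key.strip()] = val
    return options

def parse_rule(text):
    m = RULE_RE.match(text)
    if not m:
        raise ValueError('unparsable rule: %r' % text)
    rule = m.groupdict()
    rule['options'] = parse_options(rule.pop('opts'))
    if 'content' in rule['options']:
        rule['content_bytes'] = parse_content(rule['options']['content'])
    return rule

def ip_matches(spec, ip):
    """'any', a host or CIDR, optionally negated with a leading '!'."""
    if spec == 'any':
        return True
    net = ipaddress.ip_network(spec.lstrip('!'), strict=False)
    return (ipaddress.ip_address(ip) in net) != spec.startswith('!')

def port_matches(spec, port):
    """'any', a single port, or an inclusive low:high range, optionally negated."""
    if spec == 'any':
        return True
    negate, spec = spec.startswith('!'), spec.lstrip('!')
    if ':' in spec:
        lo, _, hi = spec.partition(':')
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = int(spec) == port
    return hit != negate

def header_matches(rule, src, sport, dst, dport):
    return (ip_matches(rule['src'], src) and port_matches(rule['sport'], sport)
            and ip_matches(rule['dst'], dst) and port_matches(rule['dport'], dport))

def rule_matches(rule, pkt):
    """pkt is a constructed dict: proto, src, sport, dst, dport, payload (bytes)."""
    if rule['proto'] not in ('ip', pkt['proto']):
        return False
    hit = header_matches(rule, pkt['src'], pkt['sport'], pkt['dst'], pkt['dport'])
    if not hit and rule['dir'] == '<>':   # bidirectional rule: also try the reverse
        hit = header_matches(rule, pkt['dst'], pkt['dport'], pkt['src'], pkt['sport'])
    content = rule.get('content_bytes')
    return hit and (content is None or content in pkt['payload'])

# The three rules from the slides.
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> 10.1.1.0/24 80 (content: "/cgi-bin/phf"; msg: "PHF probe!";)',
    'alert tcp any any -> 10.1.1.0/24 6000:6010 (msg: "X traffic";)',
    'alert tcp any any -> 192.168.1.0/24 143 '
    '(content: "|E8C0 FFFF FF|/bin/sh"; msg: "New IMAP Buffer Overflow detected!";)',
)]

def alerts_for(pkt, rules=RULES):
    """The msg of every rule the packet triggers."""
    return [r['options']['msg'] for r in rules if rule_matches(r, pkt)]

# Constructed packets: addresses and payloads are test data, not captures.
PHF_PROBE = dict(proto='tcp', src='192.0.2.7', sport=40211, dst='10.1.1.5', dport=80,
                 payload=b'GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n')
IMAP_OVERFLOW = dict(proto='tcp', src='192.0.2.7', sport=40212, dst='192.168.1.9', dport=143,
                     payload=b'A001 LOGIN ' + b'\x90' * 64 + b'\xe8\xc0\xff\xff\xff/bin/sh')
X11_SESSION = dict(proto='tcp', src='10.1.1.20', sport=51000, dst='10.1.1.21', dport=6003,
                   payload=b'')
BENIGN_GET = dict(proto='tcp', src='192.0.2.7', sport=40213, dst='10.1.1.5', dport=80,
                  payload=b'GET /index.html HTTP/1.0\r\n')
```

The point to take from BENIGN_GET is that a header match alone is not an alert: the PHF rule's header matches every request to the web servers on 10.1.1.0/24, and only the content option separates the probe from normal traffic, while the X traffic rule, having no content, fires on the header alone.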

Operational hint

Run from /etc/inittab with the respawn option:

snort:5:respawn:/usr/local/bin/snort

or a shell program:

#!/bin/sh
while true
do
    /bin/date >> /var/log/snort-restart.log    # record each restart, appending
    /usr/local/bin/snort                       # foreground; returns only when snort exits
    sleep 5                                    # avoid a tight loop if snort dies at startup
done

In both cases run Snort in the foreground (no -D): respawn and the loop rely on the process staying their child until it dies, and a daemonised Snort would return at once and be restarted endlessly. Linux sysvinit limits the inittab id field to four characters, so use a shorter id than snort if init rejects the line.

Thank you
