Evaluation Snort Rules Default Snort rules – 305 unique rules (after removing string matching components) 10 days of packet data from MIT Lincoln Labs.

Presentation transcript:

Fast Packet Classification using Condition Factorization
Alok Tongaonkar and R. Sekar
Secure Systems Lab, Department of Computer Science, Stony Brook University
This research is supported by an ONR grant N and an NSF grant CCR

Packet classification automaton
A. Backtracking automaton - reexamines packet fields, e.g. BSD Packet Filter, BPF+, Dynamic Packet Filter (DPF), PathFinder
B. Deterministic automaton - exponential size, e.g. Snort-NextGeneration (Snort-NG)
C. Our technique (using condition factorization) - polynomial size, near optimal matching time

Sample rules
r1: a != 22 && b == 1
r2: a != 80 && b == 2
r3: a != 25 && b == 3
r4: c == 600
r5: c == 400

(Figures: A. Backtracking automaton; B. Deterministic automaton)

iptables rules
-o eth3 -p tcp -d $NS --dport domain -j ACCEPT
-o eth3 -p udp -d $NS --dport domain -j ACCEPT
-o eth3 -i !eth3 -p icmp -j ACCEPT
-o eth3 -j REJECT
…

snort rules
alert tcp $EXT any -> $HOME 600 (flags: A; …)
alert icmp /24 any -> $HOME any (itype:0; …)
alert icmp /32 any -> $HOME any (icmp_id: 666; …)
alert tcp $HOME any -> $EXT 6000 (win: 200; …)
…

C. Condition Factorization - reorder tests, decompose complex tests, and eliminate semantically redundant tests
1. Select optimal ordering of tests to minimize size
2. Generate DAG to reduce number of states
3. Introduce non-deterministic edges

Evaluation
Snort rules: default Snort rules - 305 unique rules (after removing string matching components); 10 days of packet data from the MIT Lincoln Labs 1999 intrusion detection evaluation data set.
Automaton size: Snort-NG: nodes for 300 rules; Condition Factorization: 1026 nodes for 300 rules.
Matching time: (figure)
Firewall rules: rules from the firewall on a small network in the department; 42K to 500K packet traces.
Automaton size: (figure)
Matching time: per-packet matching time of 69 ns.
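As an added example (not the poster's own code), the following builds a small classifier in the spirit of condition factorization for the sample rules r1..r5 above: every automaton node tests a single field, so no field is re-examined along a path (unlike a backtracking automaton), and states with identical residual rules are merged into a DAG so the automaton stays small. The field-ordering heuristic, the "other" catch-all edge and the node counts are assumptions of this example, not the poster's algorithm or results.

```python
# Added example, not the poster's code: a condition-factorization-style
# classifier for the sample rules r1..r5. Each node tests one field (never
# re-examined); identical residual-rule states are merged into a DAG.
RULES = {
    "r1": [("a", "!=", 22), ("b", "==", 1)],
    "r2": [("a", "!=", 80), ("b", "==", 2)],
    "r3": [("a", "!=", 25), ("b", "==", 3)],
    "r4": [("c", "==", 600)],
    "r5": [("c", "==", 400)],
}
def _holds(cond, value):
    # 'other' is the assumed catch-all edge: a value no rule names
    _, op, v = cond
    if value == "other":
        return op == "!="
    return (v == value) if op == "==" else (v != value)

class Automaton:
    def __init__(self, rules, share=True):
        self.nodes = []  # ("test", field, {value: node}) or ("leaf", rule names)
        self.memo = {}   # residual-rule signature -> node index (DAG sharing)
        self.share = share
        self.root = self._build(tuple((n, tuple(c)) for n, c in sorted(rules.items())))

    def _build(self, residual):
        if self.share and residual in self.memo:
            return self.memo[residual]  # reuse an identical state
        idx = len(self.nodes)
        self.nodes.append(None)  # reserve the slot before recursing
        if all(not conds for _, conds in residual):
            self.nodes[idx] = ("leaf", frozenset(n for n, _ in residual))
        else:  # assumed heuristic: test the field constrained by the most live rules
            fields = {c[0] for _, cs in residual for c in cs}
            field = min(fields, key=lambda f: (-sum(any(c[0] == f for c in cs)
                                                    for _, cs in residual), f))
            values = {c[2] for _, cs in residual for c in cs if c[0] == field}
            edges = {}
            for val in values | {"other"}:  # keep rules whose tests on field hold
                nxt = [(n, tuple(c for c in cs if c[0] != field)) for n, cs in residual
                       if all(_holds(c, val) for c in cs if c[0] == field)]
                edges[val] = self._build(tuple(nxt))
            self.nodes[idx] = ("test", field, edges)
        self.memo[residual] = idx
        return idx
    def match(self, pkt):  # one pass, each field read at most once
        idx = self.root
        while self.nodes[idx][0] == "test":
            _, field, edges = self.nodes[idx]
            idx = edges.get(pkt[field], edges["other"])
        return self.nodes[idx][1]
```

With sharing enabled the five rules compile to 21 nodes; building the same decision structure as a plain tree (share=False) yields 57, which is the size blow-up the DAG step is meant to avoid.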