Snort - a network intrusion prevention and detection system. Student: Yue Jiang. Professor: Dr. Bojan Cukic. CS665 class presentation.

Overview  What's Snort?  Snort architecture  Snort components  Detection engine and rules in Snort  Possible research work on Snort

What's Snort?  NIDS: a network intrusion detection system (NIDS) is an intrusion detection system that tries to detect malicious activity such as denial-of-service attacks, port scans, or attempts to break into computers by monitoring network traffic.  Snort: an open-source network intrusion prevention and detection system. It uses a rule-based language that combines signature, protocol and anomaly inspection methods.  Snort is described by its maintainers as the most widely deployed intrusion detection and prevention technology, and its rule language has become a de facto industry standard.

Snort can be run in four ways: 1. Packet sniffer: capture packets from the network and display them on the console with a selectable level of detail (snort -v for headers, -d to add the payload, -e to add link-layer headers). 2. Packet logger: write captured packets to a log directory (snort -l <dir>), as text or as binary pcap. 3. Honeypot monitor: watch the traffic reaching a honeypot, the host whose role is to deceive hostile parties and record what they do. 4. NIDS: network intrusion detection system, applying the rules loaded from a configuration file (snort -c snort.conf).

Typical locations for Snort (slide figure: sensors are commonly placed outside the perimeter firewall, in the DMZ, and on internal segments; each position sees a different subset of the traffic, so alerts from the outside sensor show what was attempted and alerts from the inside sensor show what got through).

Design requirements for Snort  a lightweight NIDS  small and flexible  yet a highly capable system

Snort architecture (figure). From: Nalneesh Gaur, "Snort: Planning IDS for your enterprise".

Snort components From: Rafeeq Ur Rehman, Intrusion Detection Systems with Snort: Advanced IDS Techniques with Snort, Apache, MySQL, PHP, and ACID.

Logical components of Snort  Packet decoder: takes packets from different types of network interfaces (Ethernet, SLIP, PPP, ...) and prepares them for processing.  Preprocessors: (1) prepare data for the detection engine; (2) detect anomalies in packet headers; (3) reassemble IP fragments; (4) decode and normalize HTTP URIs; (5) reassemble TCP streams. Without (3) and (5) an attacker can split a signature across fragments or segments so that no single packet matches a rule.  Detection engine: the most important part; applies the rules to each packet.  Logging and alerting system.  Output modules: process alerts and logs and generate the final output (flat files, syslog, a database, or the unified binary format consumed by tools such as Barnyard).

TCP/IP layers: Snort works on the network (IP) layer, the transport layer (TCP, UDP, ICMP) and the application layer. The physical/data-link layer below them is handled only by the packet decoder, which strips the frame header before the IP header is examined.

Detection engine ※ Requirements: 1. Time critical 2. Fast ※ What the detection engine must examine: the IP header of the packet; the transport-layer header (TCP, UDP, ICMP, etc.); the application-layer header (DNS, FTP, SNMP, SMTP, ...); the packet payload. ※ How? Apply the rules to the packet, using the Boyer-Moore string matching algorithm for content patterns. (Snort 1.x ran Boyer-Moore once per rule; from Snort 2.0 the rules are grouped by port and a multi-pattern matcher such as Aho-Corasick or Wu-Manber, chosen by the search-method setting of the detection configuration, finds candidate rules in one pass before the individual content checks run.)
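To make the per-rule string-matching cost concrete, here is an added example (not Snort's code, and not from the presentation): a Boyer-Moore-Horspool matcher, the simplified Boyer-Moore variant that uses only the bad-character shift, applied one pattern at a time to a constructed HTTP payload. The payload, the pattern list and the comparison counters are assumptions made for the illustration; the point is that a single pattern is found in sub-linear time, but with one pass per content rule the total cost still grows linearly with the size of the rule set.

```python
"""Boyer-Moore-Horspool content matching, applied pattern by pattern the way a
rule-by-rule detection engine would. Added example; not Snort's own code."""
from typing import Dict, List, Tuple


def bad_char_table(pattern: bytes) -> Dict[int, int]:
    """For each byte in pattern[:-1]: how far the window may slide when that
    byte is under the pattern's last position. Bytes absent from the table
    allow a full shift of len(pattern)."""
    m = len(pattern)
    return {b: m - 1 - i for i, b in enumerate(pattern[:-1])}


def bmh_search(haystack: bytes, pattern: bytes) -> Tuple[int, int]:
    """Return (offset of first match or -1, number of byte comparisons made).
    Compares right-to-left inside the window; on mismatch slides by the shift
    of the haystack byte aligned with the pattern's last byte."""
    m, n = len(pattern), len(haystack)
    if m == 0:
        return 0, 0
    table = bad_char_table(pattern)
    comparisons, i = 0, 0
    while i <= n - m:
        j = m - 1
        while j >= 0:
            comparisons += 1
            if haystack[i + j] != pattern[j]:
                break
            j -= 1
        if j < 0:
            return i, comparisons
        i += table.get(haystack[i + m - 1], m)
    return -1, comparisons


def naive_search(haystack: bytes, pattern: bytes) -> Tuple[int, int]:
    """Brute-force search with the same return shape, for cost comparison."""
    m, n = len(pattern), len(haystack)
    comparisons = 0
    for i in range(n - m + 1):
        j = 0
        while j < m:
            comparisons += 1
            if haystack[i + j] != pattern[j]:
                break
            j += 1
        if j == m:
            return i, comparisons
    return -1, comparisons


def match_contents(payload: bytes, patterns: List[bytes]) -> List[bytes]:
    """One BMH pass per pattern (one per content rule). Cost grows linearly
    with the number of rules, which is the scaling problem the slides raise."""
    return [p for p in patterns if bmh_search(payload, p)[0] >= 0]


# Constructed sample: an HTTP request carrying a classic phf CGI probe.
SAMPLE_PAYLOAD = (
    b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n"
    b"Host: www.example.com\r\n\r\n"
)
SAMPLE_PATTERNS = [b"/cgi-bin/phf", b"/etc/passwd", b"/bin/sh", b"ZZZZZZZZ"]

if __name__ == "__main__":
    for p in SAMPLE_PATTERNS:
        off, cost = bmh_search(SAMPLE_PAYLOAD, p)
        print(f"{p!r:16} offset={off:3d} bmh={cost:3d} naive={naive_search(SAMPLE_PAYLOAD, p)[1]:3d}")
    print("matched:", match_contents(SAMPLE_PAYLOAD, SAMPLE_PATTERNS))
```

The comparison counter is what makes the Snort 2.0 change worth understanding: an absent pattern such as the `ZZZZZZZZ` probe costs roughly one comparison per eight bytes of payload here, but 2,600 such passes per packet is still 2,600 scans of the same bytes, which is why grouping rules and scanning once with a multi-pattern automaton pays off.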

Detection engine load depends on:  the number of rules  the traffic load on the network  the speed of the network and of the sensor machine  the efficiency of the detection algorithm

Rules  Each rule is written on a single line (longer rules can be continued with a trailing backslash).  Rules are written from known intrusion signatures.  They are usually kept in rule files that the snort.conf configuration file includes, rather than in snort.conf itself.  A rule has two parts: the rule header (action, protocol, source address and port, direction, destination address and port) and the rule options in parentheses (msg, content, sid, ...).

Rule example (slide figure, annotated). Rule header: the action (alert: an alert is generated if the criteria are met), the protocol (ip: applies to all IP packets), the source IP address, the source port number, the direction operator, the destination IP address and the destination port. Rule options: the parenthesised part that follows the header.

Order in which the detection engine scans the rules  Snort does not evaluate the rules in the order in which they appear in the rules file. By default the order is: 1. alert rules 2. pass rules 3. log rules. A consequence is that a pass rule cannot suppress an alert rule that matches the same packet, because the alert rules are evaluated first; to have pass rules evaluated first, start Snort with the -o switch (or set the order in the configuration).
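The two slides above (rule header and options, and the alert/pass/log evaluation order) are illustrated by this added example, which is not Snort's parser and not from the presentation: a small Python rule parser that splits a rule into header fields and options, matches it against a packet, and evaluates the rule groups in a configurable order. The three rules (local SID range), the three packets and the dictionary packet representation are constructed for the illustration; content matching is a plain substring test and Snort's `|hex|` escapes, variables such as $HOME_NET and most other options are not handled.

```python
"""Minimal Snort-style rule parser and evaluator (added example, not Snort code):
header fields, options split on ';' outside quotes, and alert/pass/log ordering."""
import ipaddress
import re
from collections import namedtuple
from typing import Dict, List

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+"
    r"(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

# options: name -> list of values (content: may repeat within one rule)
Rule = namedtuple("Rule", "action proto src sport direction dst dport options")

def split_options(text: str) -> List[str]:
    """Split on ';' only outside double quotes, so content:"a;b" survives."""
    items, buf, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    return items + [tail] if tail else items

def parse_rule(line: str) -> Rule:
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    opts: Dict[str, List[str]] = {}
    for item in split_options(m.group("opts")):
        name, _, value = item.partition(":")
        # Plain text only; Snort's |hex| content escapes are not decoded here.
        opts.setdefault(name.strip(), []).append(value.strip().strip('"'))
    g = m.group
    return Rule(g("action"), g("proto").lower(), g("src"), g("sport"), g("dir"), g("dst"), g("dport"), opts)

def parse_rules(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def ip_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)  # host or CIDR, optional '!'
    return (ipaddress.ip_address(addr) in net) != spec.startswith("!")

def port_matches(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    body = spec.lstrip("!")
    if ":" in body:  # range lo:hi, either end may be open
        lo, _, hi = body.partition(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(body)
    return hit != spec.startswith("!")

def header_matches(rule: Rule, pkt: dict) -> bool:
    if rule.proto not in ("ip", pkt["proto"]):
        return False
    def one_way(a, ap, b, bp):
        return (ip_matches(rule.src, a) and port_matches(rule.sport, ap)
                and ip_matches(rule.dst, b) and port_matches(rule.dport, bp))
    fwd = one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    rev = rule.direction == "<>" and one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    return fwd or rev

def rule_matches(rule: Rule, pkt: dict) -> bool:
    """Header must match and every content: option must occur in the payload."""
    return header_matches(rule, pkt) and all(
        c.encode() in pkt["payload"] for c in rule.options.get("content", []))

DEFAULT_ORDER = ("alert", "pass", "log")     # Snort's default evaluation order
PASS_FIRST_ORDER = ("pass", "alert", "log")  # the order selected by snort -o

def evaluate(pkt: dict, rules: List[Rule], order=DEFAULT_ORDER):
    """Walk the rule groups in `order`; the first matching rule decides (action, sid).
    With the default order a pass rule cannot silence an alert rule."""
    for action in order:
        for rule in (r for r in rules if r.action == action):
            if rule_matches(rule, pkt):
                return action, rule.options.get("sid", ["?"])[0]
    return None, None

# Constructed rules (local SID range) and packets; not taken from any ruleset.
SAMPLE_RULES = """
alert tcp any any -> 192.168.1.0/24 80 (msg:"WEB-CGI phf access"; content:"/cgi-bin/phf"; sid:1000001; rev:1;)
pass tcp 10.0.0.5 any -> 192.168.1.0/24 80 (msg:"authorised scanner"; sid:1000002; rev:1;)
log tcp any any -> 192.168.1.0/24 !80 (msg:"non-web TCP to web segment"; sid:1000003; rev:1;)
"""
PHF_FROM_SCANNER = dict(proto="tcp", src="10.0.0.5", sport=51515, dst="192.168.1.10", dport=80,
                        payload=b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n\r\n")
SSH_PACKET = dict(proto="tcp", src="10.0.0.7", sport=40001, dst="192.168.1.10", dport=22,
                  payload=b"SSH-2.0-OpenSSH_5.3\r\n")
BENIGN_GET = dict(proto="tcp", src="10.0.0.7", sport=40002, dst="192.168.1.10", dport=80,
                  payload=b"GET / HTTP/1.0\r\n\r\n")
```

Running `evaluate(PHF_FROM_SCANNER, parse_rules(SAMPLE_RULES))` returns `("alert", "1000001")` under the default order even though the pass rule for 10.0.0.5 also matches; with `PASS_FIRST_ORDER` the same packet returns `("pass", "1000002")`, which is the behaviour the -o switch buys and the reason pass rules alone are not a reliable whitelist in the default configuration.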

Challenges with Snort  Misuse detection: it detects only known intrusions.  The rule database keeps growing: for Snort version 2.3.2 the presentation counts about 2,600 rules, 80% of which are content signatures, and reports that Snort spends about 80% of its processing time on string matching.  Anomaly detection, which is what would identify new attacks, has a low probability of detection.


Attempts to improve  Increase the preprocessing ability, to offload part of the work from the detection engine.  Use hardware to reduce the workload, in a hybrid architecture: software has more flexibility, hardware has higher throughput.  Better detection algorithms.

Possible ways?  Organize the well-known rules into a better data structure to achieve better performance.  A detector with an acceptable detection probability.

Thank you !