The open source network intrusion detection system. Secure System Administration & Certification Ravindra Pendyala
The main distribution site for Snort is IDS & History of Snort What is Snort? Features of Snort Snort Modes Compiling & Installing Snort Snort Rules Snort in different Modes Using Snort Third Party Enhancements Conclusion
Intrusion: An intrusion is somebody (A.K.A. "hacker" or "cracker") attempting to break into or misuse your system. NIDS: network intrusion detection systems (NIDS) monitors packets on the network wire and attempts to discover if a hacker/cracker is attempting to break into a system (or cause a denial of service attack).
NIDS & History of Snort... Snort was a true case of a programmer scratching his own itch. Here was Marty Roesch with his home network, wanting to see who, if anyone, was trying to penetrate it. This was a small and simple detection system for home use Initial Release on Dec snort-0.96.tar.gz Latest Release on Oct 3 - snort tar.gz Martin Roesch is the founder and CTO of Sourcefire, Inc.
What is Snort? Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient. Snort does NOT block intruders. Assumes a human is watching!!!
Snort in simple words … Automated tool to detect intrusions Works locally (reactionary) or network wide (preemptive) Preemptive IDS can use traffic monitoring or content monitoring Does NOT block intruders. Assumes a human is watching!!!
Operating Systems i386SparcM68k/ PPC AlphaOther XXXXXLinux XXXOpenBSD XXFreeBSD XXSolaris XXSunOS 4.1.X XXHP-UX XAIX XIRIX XTRU64 XMacOS X Server XWin32
“Lightweight” Free Portable Runs on HP-UX, Linux, AIX, Irix, *BSD, Solaris, Win2K Configurable with easy setup
Snort Modes Packet sniffer Packet Logger Preemptive IDS - Actively monitors network traffic in real time to match intrusion signatures and send alerts
On Red Hat Linux 7.2, as root: Download and install libpcap Download and install these three.rpm: libnet-1.0.2a-1snort.i386.rpm snort snort.i386.rpm snort-postgresql+flexresp snort.i386.rpm Create /var/log/snort directory
Files installed: /etc/snort contains conf and rule files /var/log/snort will contain logs /usr/sbin/snort contains snort binary For a quick test, execute this command within the /etc/snort directory: snort –A console From a separate machine, use nmap to generate events for Snort to detect: nmap –sP
Installing on Windows 2000 Download and install winpcap Download & execute Snort184Win32.exe, select “typical” installation mkdir “c:\Program Files\Sourcefire\Snort\log” Files installed in c:\Program Files Files\Sourcefire\Snort: snort.conf \rules directory contains rules Snort.exe executable
To test, execute this command within the c:\Program Files\Sourcefire\Snort directory: snort –A console From a separate machine, use nmap to generate events for Snort to detect: nmap –sP You should see an alert like this: 03/27-15:18: [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} > Installing Snort
Snort rules are extremely flexible and are easy to modify, unlike many commercial NIDS Sample rule alert udp $EXTERNAL_NET 53 -> $HOME_NET :1024 (msg:"MISC source port 53 to <1024";) Rule alerts that anything from the external network coming in from port 53 and going to port 1024 should be flagged
Elements before parentheses comprise ‘rule header’ Elements in parentheses are ‘rule options’ Rules can: Alert, Log, or Pass Used for IP, UDP, ICMP Source address / port Destination address / port Additional options - This is where content matching can take place
bad-traffic.rules exploit.rules scan.rules finger.rules ftp.rules telnet.rules smtp.rules rpc.rules rservices.rules dos.rules ddos.rules dns.rules tftp.rules web-cgi.rules web-coldfusion.rules web-frontpage.rules web-iis.rules web-misc.rules web-attacks.rules sql.rules x11.rules icmp.rules netbios.rules misc.rules backdoor.rules shellcode.rules policy.rules porn.rules info.rules icmp-info.rules virus.rules local.rules attack-responses.rules
Luckily you probably won’t have to write rules!
Snort Modes Sniffer: snort –dvae will be display payloads, be verbose, display arp traffic, and display link layer data Packet Logger: snort –b –l /var/log/snort will log binary data to the /var/log/snort directory NIDS: snort –b –l /var/log/snort –A full –c /etc/snort/snort.conf will log binary data in the /var/log/snort directory, with full alerts in /var/log/snort/alert, reading the configuration file in /etc/snort
SnortSnarf SnortSnarf is a Perl program to take files of alerts from the Snort to produce HTML reports Output intended for diagnostic inspection Silicon Defense also supplies sensors with commercial support Description and screenshot taken from SnortSnarf web
Analysis Console for Intrusion Databases (ACID) acidlab.sourceforge.net/ PHP-based analysis engine to search and process a database of security events generated by various IDSes, firewalls, and network monitoring tools Query-builder and search interface, packet viewer (decoder), alert management, chart and statistics generation. Description and screenshots taken from ACID web
Conclusions Snort is a powerful tool, but maximizing its usefulness requires a trained operator Snort is considered a superior NIDS when compared to most commercial systems Snort is a wonderful low to no cost solution for businesses. Snort, written in C, can compile and run on variety of different Operating Systems.
Snort.org Securityfocus.com Whitehats.com
Questions?