An overview
Snort is an Intrusion Detection System (IDS)
- An automated tool to detect intrusions
- Works locally (reactive) or network-wide (preemptive)
  - A preemptive IDS can use traffic monitoring or content monitoring
- Does NOT block intruders. Assumes a human is watching!!!
What IDS are available?
- Cisco Secure IDS (formerly NetRanger)
- Network Flight Recorder
- RealSecure (ISS)
- SecureNet Pro
- Snort!!!
Why pick Snort?
- "Lightweight"
- Free
- Portable: runs on HP-UX, Linux, AIX, Irix, *BSD, Solaris, Win2K
- Configurable, with easy setup
- Lightweight: does not have a big footprint (110 KB)
- Free: licensed under the GPL and has no cost (combined with being lightweight, it can be run on an old 486)
What can Snort do?
- Packet sniffer
- Packet logger
- Preemptive IDS: actively monitors network traffic in real time to match intrusion signatures and send alerts
- Snort has many applications
Rules, Rules, Rules

    alert udp $EXTERNAL_NET 53 -> $HOME_NET :1024 (msg:"MISC source port 53 to <1024";)

- This rule alerts on any UDP traffic coming in from the external network with source port 53 and destined for a port at or below 1024 (the `:1024` port range) on the home network
- Rules can also alert based on packet content, not just source / destination ports
- Does not block the problem. Assumes that someone is watching.
And more Rules
Rules can:
- Alert, Log, or Pass
- Be used for IP, UDP, ICMP
- Match on source address / port
- Match on destination address / port
- Take additional options: this is where content matching can take place
Luckily you probably won't have to write rules!
- Rules are published on Snort.org
- http://www.wiretapped.net/pub/snort/snort-rules/
- http://www.whitehats.com/

A good way to write rules is to run attacks against a particular machine and implement the rule signatures from the packets captured during the attack.
What do the alerts look like?

    [**] MISC source port 53 to <1024 [**]
    05/21-16:30:07.697467 129.219.17.200:53 -> 129.219.XXX.XXX:1024
    UDP TTL:253 TOS:0x0 ID:60955 IpLen:20 DgmLen:268 DF
    Len: 248

These can also be nicely formatted by different parser programs.
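As an added example that is not part of the original slides, here is a small Python parser for the multi-line alert format shown above: it splits a full-format alert file into records, pulls out the signature message, timestamp, endpoints and IP header fields, and tallies alerts per message. The sample log is constructed (the page's alert, IP redacted as on the page, plus a second made-up record).

```python
import re
from typing import Dict, List

# Constructed sample log in Snort's multi-line "full" alert format: the alert shown
# above (IP redacted as on the page) plus a second made-up record, separated by a blank line.
SAMPLE_LOG = """\
[**] MISC source port 53 to <1024 [**]
05/21-16:30:07.697467 129.219.17.200:53 -> 129.219.XXX.XXX:1024
UDP TTL:253 TOS:0x0 ID:60955 IpLen:20 DgmLen:268 DF
Len: 248

[**] MISC source port 53 to <1024 [**]
05/21-16:31:12.000001 10.0.0.5:53 -> 192.168.1.9:512
UDP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:100
Len: 80
"""

# Record line 1: "[**] <signature message> [**]"
HEADER_RE = re.compile(r"^\[\*\*\]\s*(?P<msg>.+?)\s*\[\*\*\]$")
# Record line 2: "<MM/DD-HH:MM:SS.usec> <src>:<sport> -> <dst>:<dport>"
PACKET_RE = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
                       r"(?P<src>[^\s:]+):(?P<sport>\d+)\s+->\s+(?P<dst>[^\s:]+):(?P<dport>\d+)$")
# Record line 3: "<PROTO> TTL:<n> TOS:<hex> ID:<n> ..." (IP header summary)
PROTO_RE = re.compile(r"^(?P<proto>[A-Z]+)\s+TTL:(?P<ttl>\d+)\s+TOS:(?P<tos>0x[0-9A-Fa-f]+)\s+ID:(?P<id>\d+)")

def parse_record(lines: List[str]) -> Dict[str, object]:
    """Parse one alert record; reject anything that is not the expected three-line head."""
    if len(lines) < 3:
        raise ValueError("truncated alert record: %r" % lines)
    header, packet, proto = HEADER_RE.match(lines[0]), PACKET_RE.match(lines[1]), PROTO_RE.match(lines[2])
    if not (header and packet and proto):
        raise ValueError("unrecognised alert record: %r" % lines[:3])
    return {
        "msg": header["msg"], "timestamp": packet["ts"],
        "src": packet["src"], "sport": int(packet["sport"]),
        "dst": packet["dst"], "dport": int(packet["dport"]),
        "proto": proto["proto"], "ttl": int(proto["ttl"]), "ip_id": int(proto["id"]),
    }

def parse_log(text: str) -> List[Dict[str, object]]:
    """Split a full-format alert file on blank lines and parse every record."""
    blocks = [b.splitlines() for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]
    return [parse_record(b) for b in blocks]

def count_by_message(alerts: List[Dict[str, object]]) -> Dict[str, int]:
    """Tally alerts per signature message: the first summary an analyst wants."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[str(a["msg"])] = counts.get(str(a["msg"]), 0) + 1
    return counts
```

Calling `parse_log(SAMPLE_LOG)` returns one dictionary per record, and `count_by_message` over that list gives the per-signature totals.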
Installation
- Install libpcap
- Install Snort:

    # ./configure
    # make
    # make install

- Test:

    # snort -v

  You will see packets flowing through, with a final summary of the scanned traffic.
More resources
- Snort.org
- Securityfocus.com
- Whitehats.com
PSCS Implementation
By Mark Peoples