Slide 2: Snort: Overview
Chris Copeland

Slide 3: What is an Intrusion Detection System (IDS)?
An intrusion detection system is any system which can identify a network intrusion or network penetration. The primary objective of an IDS is to alert when an intrusion takes place.
IDS come in two methodologies:
– Host (HIDS)
– Network (NIDS)

Slide 4: What is Snort?
Snort is a network intrusion detection system (NIDS).
Developed from older UNIX tools:
– Written by Marty Roesch
– TCPDump
Runs on multiple platforms
Open source
http://www.snort.org/

Slide 5: How Snort Functions as an IDS
Sniffer Mode: reads and displays packets only
Packet Logger Mode: logs packet information to local disk
NIDS Mode: packet capture and analysis

Slide 6: Snort Rules
A rule is any “guideline” which Snort looks for in NIDS mode.
Example: rule for any attempt at ToolTalk

    alert tcp $EXTERNAL_NET any -> $HOME_NET any \
        (msg:"RPC tooltalk TCP overflow attempt"; \
        flow:to_server,established; \
        content:"|00 00 00 02|"; depth:4; offset:12; \
        content:"|00 01 86 F3|"; depth:4; offset:16; \
        content:"|00 00 00 07|"; within:4; distance:4; \
        byte_jump:4,4,relative,align; \
        byte_test:4,>,128,0,relative; \
        content:"|00 00 00 00|"; depth:4; offset:8; \
        reference:bugtraq,122; \
        reference:cve,1999-0003; \
        classtype:misc-attack; sid:1965; rev:8;)
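The options in this rule walk a detection pointer through the ONC RPC call header: absolute content checks (offset/depth), a relative one (distance/within), a byte_jump over the variable-length credentials, and a byte_test on the word that follows. As an added example (not from the slides or from the Snort project), here is a small Python model of those options that evaluates the slide's ToolTalk payload checks against a constructed RPC call; the packet layout and the "word after the credentials" are assumptions made for illustration.

```python
import struct

def content(buf, pos, pat, offset=None, depth=None, distance=0, within=None):
    """offset/depth: window from packet start; distance/within: from previous match."""
    if offset is not None:
        start, end = offset, (offset + depth if depth else len(buf))
    else:
        start = pos + distance
        end = start + within if within else len(buf)
    i = buf.find(pat, start, end)            # pattern must fit inside the window
    return None if i < 0 else i + len(pat)   # detection pointer moves past the match

def byte_jump(buf, pos, nbytes, offset, align=4):
    """Read a big-endian int at pos+offset, round it up to `align`, skip that far past the read."""
    at = pos + offset
    if at + nbytes > len(buf): return None
    val = int.from_bytes(buf[at:at + nbytes], "big")
    return at + nbytes + (val + align - 1) // align * align

def byte_test(buf, pos, nbytes, op, value, offset=0):
    """Compare the big-endian int at pos+offset; the pointer does not move."""
    at = pos + offset
    if at + nbytes > len(buf): return None
    v = int.from_bytes(buf[at:at + nbytes], "big")
    return pos if {">": v > value, "<": v < value, "=": v == value}[op] else None

# The payload options of the slide's rule, in rule order (pointer starts at 0).
TOOLTALK_OPTS = [
    (content, dict(pat=b"\x00\x00\x00\x02", offset=12, depth=4)),    # RPC version 2
    (content, dict(pat=b"\x00\x01\x86\xf3", offset=16, depth=4)),    # program 100083 (ToolTalk)
    (content, dict(pat=b"\x00\x00\x00\x07", distance=4, within=4)),  # procedure 7
    (byte_jump, dict(nbytes=4, offset=4)),                           # skip the credentials
    (byte_test, dict(nbytes=4, op=">", value=128)),                  # word after them > 128
    (content, dict(pat=b"\x00\x00\x00\x00", offset=8, depth=4)),     # message type CALL
]

def rule_matches(payload, opts=TOOLTALK_OPTS):
    pos = 0
    for opt, kw in opts:
        pos = opt(payload, pos, **kw)
        if pos is None: return False
    return True

def tooltalk_call(cred, next_word):
    """Constructed RPC-over-TCP call to ToolTalk procedure 7 (sample data, not a capture)."""
    # record mark, XID, CALL(0), RPC v2, program, version, procedure, cred flavor (assumed layout)
    hdr = struct.pack(">8I", 0x80000000, 0x1234, 0, 2, 100083, 1, 7, 1)
    pad = b"\x00" * (-len(cred) % 4)          # XDR pads opaque data to 4 bytes
    return hdr + struct.pack(">I", len(cred)) + cred + pad + struct.pack(">I", next_word)
```

`rule_matches(tooltalk_call(b"abcdef", 512))` fires while the same call with `16` in place of `512` does not, which is exactly the false-positive/false-negative trade-off the threshold in byte_test encodes.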

Slide 7: Known Issues
– Massive amounts of data
– False alarms due to outdated rules
– Missed alerts

Sample Snort log entry:

    10/29-11:08:20.852840 192.168.246.37 -> 192.168.246.12
    ICMP TTL:128 TOS:0x0 ID:17878 IpLen:20 DgmLen:40
    Type:14  Code:0  ID: 25124   Seq: 0  TIMESTAMP REPLY: Orig: 4259537666 Rtime: 40100906  Ttime: 40100906
    62 24 00 00 02 63 E3 FD 2A E4 63 02 2A E4 63 02  b$...c..*.c.*.c.

Slide 8: Snort Tools and Add-Ons
ACID (Analysis Console for Intrusion Databases): PHP based, database driven, and web delivered

Slide 9: Conclusion
– Host or network IDS
– Rule versus signature detection
– Multi-platform
– Open source
– Supported
– Low TCO for security/network admins
