Presentation is loading. Please wait.

Presentation is loading. Please wait.

Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.

Published byMohammed Algood Modified over 9 years ago

Similar presentations

Presentation on theme: "Snort & ACID. UTSA IS 6973 Computer Forensics SNORT."— Presentation transcript:

1 Snort & ACID

2 UTSA IS 6973 Computer Forensics SNORT

3 UTSA IS 6973 Computer Forensics Overview Tool Description Where You Can Find it Applicability to Forensics Tool Use/Screen Views Observations Lessons Learned

4 UTSA IS 6973 Computer Forensics Technical Description What is Snort? –“Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.” –Performs protocol analysis, content searching/matching –Can detect all sorts of probes and attacks

5 UTSA IS 6973 Computer Forensics Where to Find the Tool Snort –www.snort.orgwww.snort.org

6 UTSA IS 6973 Computer Forensics How Snort Supports Forensics Snort is a packet sniffer on steroids. Can be placed at different points in a network to provide real time information. By logging alerts and rule violations, a systems administrator can be mindful of attacks in progress or research past incidents.

7 UTSA IS 6973 Computer Forensics Snort Usage Run from the command line or as a Windows Service. Lots of options

8 UTSA IS 6973 Computer Forensics Snort Options USAGE: snort [-options] snort /SERVICE /INSTALL [-options] snort /SERVICE /UNINSTALL snort /SERVICE /SHOW Options: -A Set alert mode: fast, full, console, or none (alert file ale rts only) -b Log packets in tcpdump format (much faster!) -c Use Rules File -C Print out payloads with character data only (no hex) -d Dump the Application Layer -e Display the second layer header info -E Log alert messages to NT Eventlog. (Win32 only) -f Turn off fflush() calls after binary log writes -F Read BPF filters from file -h Home network = -i Listen on interface -I Add Interface name to alert output -k Checksum mode (all,noip,notcp,noudp,noicmp,none) -l Log to directory

9 UTSA IS 6973 Computer Forensics More Snort Options -L Log to this tcpdump file -n Exit after receiving packets -N Turn off logging (alerts still work) -o Change the rule testing order to Pass|Alert|Log -O Obfuscate the logged IP addresses -p Disable promiscuous mode sniffing -P Set explicit snaplen of packet (default: 1514) -q Quiet. Don't show banner and status report -r Read and process tcpdump file -R Include 'id' in snort_intf.pid file name -s Log alert messages to syslog -S Set rules file variable n equal to value v -T Test and report on the current Snort configuration -U Use UTC for timestamps -v Be verbose -V Show version number -W Lists available interfaces. (Win32 only) -w Dump 802.11 management and control frames -X Dump the raw packet data starting at the link layer -y Include year in timestamp in the alert and log files -z Set assurance mode, match on established sesions (for TCP) -? Show this information are standard BPF options, as seen in TCPDump

10 UTSA IS 6973 Computer Forensics Snort in Action

11 UTSA IS 6973 Computer Forensics Snort Raw Output

12 UTSA IS 6973 Computer Forensics Snort Logs – Better Information

13 UTSA IS 6973 Computer Forensics Observations of Snort - Good FREE! Large user base Community provides constant rule updates Free tools to provide log analysis and email/pager alerts

14 UTSA IS 6973 Computer Forensics Observations of Snort - Bad UNIX tool ported to Windows; behaves like a UNIX tool –Difficult to configure Cryptic command line driven interface All configuration is driven by files Lacks standardized support

15 UTSA IS 6973 Computer Forensics Lessons Learned - Snort You get what you pay for! Documentation for running Snort on XP is inconsistent and out of date. Since the solution comprises several free tools, each tool has separate issues with XP.

16 UTSA IS 6973 Computer Forensics ACID

17 UTSA IS 6973 Computer Forensics Overview Tool Description Where You Can Find it Applicability to Forensics Tool Use/Screen Views Observations Lessons Learned

18 UTSA IS 6973 Computer Forensics Technical Description What is ACID? –The Analysis Console for Intrusion Databases (ACID) –PHP-based analysis engine to search and process a database of security events generated by various IDSes, firewalls, and network monitoring tools.

19 UTSA IS 6973 Computer Forensics Where to Find the Tool ACID –http://acidlab.sourceforge.net/

20 UTSA IS 6973 Computer Forensics How ACID Supports Forensics ACID helps to make sense of Snort data in a visual manner. Can help analyze trends and help filter out the noise by categorizing attacks and IP addresses. Query-builder and search interface. Can provide alerts when events occur.

21 UTSA IS 6973 Computer Forensics ACID Usage Acid runs as a set of PHP web pages under IIS or Apache. Reports, alerts, and information is accessed through the web interface

22 UTSA IS 6973 Computer Forensics ACID at Work

23 UTSA IS 6973 Computer Forensics Alert Screen

24 UTSA IS 6973 Computer Forensics Alert Screen - Detail

25 UTSA IS 6973 Computer Forensics Alert Screen – Graph

26 UTSA IS 6973 Computer Forensics Observations of ACID - Good FREE! Nice graphical interface written in PHP, therefore user community to rely on. Free tools to provide log analysis and email/pager alerts. Helps sort through all the info from Snort.

27 UTSA IS 6973 Computer Forensics Observations of ACID - ACID Lacks standardized support Lots of options to become familiar with

28 UTSA IS 6973 Computer Forensics Lessons Learned – ACID You get what you pay for! Configuration is file driven, no GUI. Most documentation for running ACID pertains to Apache servers and took some searching to run on IIS. Reliance on PHP means that any interesting aspects on running PHP on Windows had to be sorted through.

29 UTSA IS 6973 Computer Forensics Summary Both Snort and ACID are excellent tools for Intrusion Detection. Open Source means (hopefully) constant improvements Free tools for companies that cannot afford tools or services provided by other companies. Can be time frustrating to deal with and requires an administrator with the time and expertise to master all the options and create a working system.

Download ppt "Snort & ACID. UTSA IS 6973 Computer Forensics SNORT."

Similar presentations

Snort: Overview Chris Copeland What is an Intrusion Detection System (IDS)? An intrusion detection system is any system which can identify a network.

Snort: Overview Chris Copeland What is an Intrusion Detection System (IDS)? An intrusion detection system is any system which can identify a network.
Lesson 6 Commercial Intrusion Detection Systems. UTSA IS 3523 ID & Incident Response Overview Common Commercial IDS IDS Evaluations Specialized IDS.

Lesson 6 Commercial Intrusion Detection Systems. UTSA IS 3523 ID & Incident Response Overview Common Commercial IDS IDS Evaluations Specialized IDS.
Intrusion Detection Systems By: William Pinkerton and Sean Burnside.

Intrusion Detection Systems By: William Pinkerton and Sean Burnside.
Lessons Learned from Teaching Intrusion Detection and Intrusion Prevention with Snort Dr. Jim Chen, Victor Tsao, Barry Williams, Tokunbo Olojo, John Smet,

Lessons Learned from Teaching Intrusion Detection and Intrusion Prevention with Snort Dr. Jim Chen, Victor Tsao, Barry Williams, Tokunbo Olojo, John Smet,
Snort: A Network Intrusion Detection Software Matt Gustafson Becky Smith CS691 Semester Project Spring 2003.

Snort: A Network Intrusion Detection Software Matt Gustafson Becky Smith CS691 Semester Project Spring 2003.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Snort Roy INSA Lab.. Outline What is “ Snort ” ? Working modes How to write snort rules ? Snort plug-ins It ’ s show time.

Snort Roy INSA Lab.. Outline What is “ Snort ” ? Working modes How to write snort rules ? Snort plug-ins It ’ s show time.
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 11: Monitoring Server Performance.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 11: Monitoring Server Performance.
Chapter 11 - Monitoring Server Performance1 Ch. 11 – Monitoring Server Performance MIS 431 – created Spring 2006.

Chapter 11 - Monitoring Server Performance1 Ch. 11 – Monitoring Server Performance MIS 431 – created Spring 2006.
Introduction to Snort’s Working and configuration file

Introduction to Snort’s Working and configuration file
Honey Inspector Mike Clark Honeynet Project. Honeynet Inspector  Background.

Honey Inspector Mike Clark Honeynet Project. Honeynet Inspector  Background.
Beth Johnson April 27, 1998. What is a Firewall Firewall mechanisms are used to control internet access An organization places a firewall at each external.

Beth Johnson April 27, What is a Firewall Firewall mechanisms are used to control internet access An organization places a firewall at each external.
Lesson 19: Configuring Windows Firewall

Lesson 19: Configuring Windows Firewall
Information Networking Security and Assurance Lab National Chung Cheng University Snort.

Information Networking Security and Assurance Lab National Chung Cheng University Snort.
Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.

Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.
CIS 193A – Lesson12 Monitoring Tools. CIS 193A – Lesson12 Focus Question What are the common ways of specifying network packets used in tcpdump, wireshark,

CIS 193A – Lesson12 Monitoring Tools. CIS 193A – Lesson12 Focus Question What are the common ways of specifying network packets used in tcpdump, wireshark,
Using Argus Audit Trails to Enhance IDS Analysis Jed Haile Nitro Data Systems

Using Argus Audit Trails to Enhance IDS Analysis Jed Haile Nitro Data Systems
Installing Samba Vicki Insixiengmay Jonathan Krieger.

Installing Samba Vicki Insixiengmay Jonathan Krieger.

Similar presentations

Ads by Google