Published by Martha Lane. Modified over 9 years ago.
1
The open source network intrusion detection system
Secure System Administration & Certification
Ravindra Pendyala
2
The main distribution site for Snort is http://www.snort.org
IDS & History of Snort
What is Snort?
Features of Snort
Snort Modes
Compiling & Installing Snort
Snort Rules
Snort in different Modes
Using Snort
Third Party Enhancements
Conclusion
3
Intrusion: An intrusion is somebody (A.K.A. "hacker" or "cracker") attempting to break into or misuse your system.
NIDS: Network intrusion detection systems (NIDS) monitor packets on the network wire and attempt to discover whether a hacker/cracker is trying to break into a system (or cause a denial of service attack).
4
NIDS & History of Snort...
Snort was a true case of a programmer scratching his own itch. Here was Marty Roesch with his home network, wanting to see who, if anyone, was trying to penetrate it. This was a small and simple detection system for home use.
Initial Release on Dec 22 1998 - snort-0.96.tar.gz
Latest Release on Oct 3 - snort-1.9.0.tar.gz
Martin Roesch is the founder and CTO of Sourcefire, Inc.
5
What is Snort?
Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user-specified file, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient.
Snort does NOT block intruders. Assumes a human is watching!!!
6
Snort in simple words ...
Automated tool to detect intrusions
Works locally (reactionary) or network wide (preemptive)
Preemptive IDS can use traffic monitoring or content monitoring
Does NOT block intruders. Assumes a human is watching!!!
7
Operating Systems (an X marks a supported platform; the original table's columns were i386, Sparc, M68k/PPC, Alpha and Other, but the column alignment was lost, so only the number of supported platforms per OS survives):
Linux: XXXXX (all five)
OpenBSD: XXX
FreeBSD: XX
Solaris: XX
SunOS 4.1.X: XX
HP-UX: XX
AIX: X
IRIX: X
TRU64: X
MacOS X Server: X
Win32: X
8
"Lightweight"
Free
Portable: runs on HP-UX, Linux, AIX, Irix, *BSD, Solaris, Win2K
Configurable with easy setup
9
Snort Modes
Packet sniffer
Packet Logger
Preemptive IDS - actively monitors network traffic in real time to match intrusion signatures and send alerts
10
On Red Hat Linux 7.2, as root:
Download and install libpcap
Download and install these three .rpm files:
libnet-1.0.2a-1snort.i386.rpm
snort-1.8.4-1snort.i386.rpm
snort-postgresql+flexresp-1.8.4-1snort.i386.rpm
Create the /var/log/snort directory
11
Files installed:
/etc/snort contains conf and rule files
/var/log/snort will contain logs
/usr/sbin/snort is the snort binary
For a quick test, execute this command within the /etc/snort directory:
snort -A console
From a separate machine, use nmap to generate events for Snort to detect:
nmap -sP
12
Installing on Windows 2000
Download and install winpcap
Download & execute Snort184Win32.exe, select "typical" installation
mkdir "c:\Program Files\Sourcefire\Snort\log"
Files installed in c:\Program Files\Sourcefire\Snort:
snort.conf
\rules directory contains rules
Snort.exe executable
13
Installing Snort
To test, execute this command within the c:\Program Files\Sourcefire\Snort directory:
snort -A console
From a separate machine, use nmap to generate events for Snort to detect:
nmap -sP
You should see an alert like this:
03/27-15:18:06.911226 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 129.244.70.17 -> 129.244.70.237
14
Snort rules are extremely flexible and are easy to modify, unlike many commercial NIDS.
Sample rule:
alert udp $EXTERNAL_NET 53 -> $HOME_NET :1024 (msg:"MISC source port 53 to <1024";)
The rule alerts that any UDP packet coming from the external network with source port 53 and going to a home-network port in the range :1024 (ports up to 1024, as the "<1024" in the message says) should be flagged.
15
Elements before the parentheses comprise the 'rule header'
Elements in the parentheses are the 'rule options'
Rules can: Alert, Log, or Pass
Used for IP, UDP, ICMP
Source address / port
Destination address / port
Additional options - this is where content matching can take place
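To make the header/options split and the port-range syntax concrete, here is an added example (not code from the presentation or from the Snort project) that parses a rule into its header fields and options and evaluates the header against a few constructed packets. The sample rule is the one from the previous slide; the $HOME_NET and $EXTERNAL_NET values, the packet 5-tuples and the handling of quoted option values are assumptions made for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed stand-in for the $HOME_NET / $EXTERNAL_NET variables that
# snort.conf normally defines (assumption: the home network is 192.168.1.0/24).
VARS = {
    "$HOME_NET": "192.168.1.0/24",
    "$EXTERNAL_NET": "!192.168.1.0/24",
}

# Rule header: action proto src sport direction dst dport, then (options).
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>ip|tcp|udp|icmp)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def parse_rule(text):
    """Split a rule into its header fields and a dict of options.
    Options are 'key:value;' pairs; a bare 'key;' gets the value ''.
    (Simplification: a ';' inside a quoted content string is not handled.)"""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: " + text)
    header = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    options = {}
    for opt in m.group("opts").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        options[key.strip()] = value.strip().strip('"')
    return header, options

def port_matches(spec, port):
    """Snort port syntax: any | N | lo:hi | :hi | lo: , each optionally negated with '!'."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)

def addr_matches(spec, addr):
    """Snort address syntax: any | $VAR | CIDR | host | [a,b,...] , each optionally negated."""
    if spec == "any":
        return True
    if spec in VARS:
        return addr_matches(VARS[spec], addr)
    if spec.startswith("!"):
        return not addr_matches(spec[1:], addr)
    if spec.startswith("[") and spec.endswith("]"):
        return any(addr_matches(s.strip(), addr) for s in spec[1:-1].split(","))
    return ip_address(addr) in ip_network(spec, strict=False)

def header_matches(header, pkt):
    """True when the packet's 5-tuple falls inside the rule header ('<>' tries both directions)."""
    if header["proto"] != "ip" and header["proto"] != pkt["proto"]:
        return False
    def one_way(src, sport, dst, dport):
        return (addr_matches(header["src"], src) and port_matches(header["sport"], sport)
                and addr_matches(header["dst"], dst) and port_matches(header["dport"], dport))
    if one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]):
        return True
    return header["dir"] == "<>" and one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])

# The sample rule from the slide.
SAMPLE_RULE = 'alert udp $EXTERNAL_NET 53 -> $HOME_NET :1024 (msg:"MISC source port 53 to <1024";)'

def evaluate_samples():
    """Run the sample rule over three constructed packets; returns the list of verdicts."""
    header, _ = parse_rule(SAMPLE_RULE)
    packets = [
        # outside host, source port 53, to a privileged (<=1024) home port: should alert
        {"proto": "udp", "src": "203.0.113.5", "sport": 53, "dst": "192.168.1.10", "dport": 137},
        # ordinary DNS reply to an ephemeral port: outside the :1024 range, no alert
        {"proto": "udp", "src": "203.0.113.5", "sport": 53, "dst": "192.168.1.10", "dport": 40123},
        # internal resolver talking to an internal host: source is not $EXTERNAL_NET, no alert
        {"proto": "udp", "src": "192.168.1.1", "sport": 53, "dst": "192.168.1.10", "dport": 137},
    ]
    return [header_matches(header, p) for p in packets]

if __name__ == "__main__":
    print(parse_rule(SAMPLE_RULE))
    print(evaluate_samples())  # [True, False, False]
```

The second packet is the interesting one: a legitimate DNS answer also has source port 53, and only the destination-port range in the header keeps it from alerting, which is why the rule is written with `:1024` rather than `any`.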
16
bad-traffic.rules exploit.rules scan.rules finger.rules ftp.rules telnet.rules smtp.rules rpc.rules rservices.rules dos.rules ddos.rules dns.rules tftp.rules web-cgi.rules web-coldfusion.rules web-frontpage.rules web-iis.rules web-misc.rules web-attacks.rules sql.rules x11.rules icmp.rules netbios.rules misc.rules backdoor.rules shellcode.rules policy.rules porn.rules info.rules icmp-info.rules virus.rules local.rules attack-responses.rules
17
Luckily you probably won’t have to write rules!
18
Snort Modes
Sniffer: snort -dvae will display payloads, be verbose, display arp traffic, and display link layer data
Packet Logger: snort -b -l /var/log/snort will log binary data to the /var/log/snort directory
NIDS: snort -b -l /var/log/snort -A full -c /etc/snort/snort.conf will log binary data in the /var/log/snort directory, with full alerts in /var/log/snort/alert, reading the configuration file in /etc/snort
19
SnortSnarf
www.silicondefense.com/software/snortsnarf/
SnortSnarf is a Perl program that takes files of alerts from Snort and produces HTML reports
Output intended for diagnostic inspection
Silicon Defense also supplies sensors with commercial support
Description and screenshot taken from the SnortSnarf web site
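The alert line shown on the installation-test slide and the report SnortSnarf builds from a file of such lines are two views of the same data. As an added example (not SnortSnarf's code and not part of the presentation), the following parses console-style alert lines into fields and aggregates them per signature and per address, which is the core of what such a report contains. The alert file is constructed: its first line is the one from the slide, the remaining lines are made up, and the sid 99999 on the UDP line is a placeholder rather than a real Snort signature id.

```python
import re
from collections import Counter

# One "-A console" style alert line, as shown on the installation test slide.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$"
)

def parse_alert(line):
    """Return a dict of fields for one alert line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["prio"] = int(d["prio"])
    # ICMP alerts carry no ports; TCP/UDP alerts append ":port" to each address
    d["sport"] = int(d["sport"]) if d["sport"] else None
    d["dport"] = int(d["dport"]) if d["dport"] else None
    return d

def summarize(lines):
    """Aggregate alerts the way a SnortSnarf-style report does:
    counts per signature, per source and per destination, plus the number of unparsed lines."""
    by_sig, by_src, by_dst = Counter(), Counter(), Counter()
    skipped = 0
    for line in lines:
        a = parse_alert(line)
        if a is None:
            if line.strip():
                skipped += 1
            continue
        by_sig[(a["sid"], a["msg"])] += 1
        by_src[a["src"]] += 1
        by_dst[a["dst"]] += 1
    return {"signatures": by_sig, "sources": by_src, "destinations": by_dst, "skipped": skipped}

# Constructed alert file: the first line is the one shown on the slide; the rest are
# made up for the example (sid 99999 is a placeholder, not a real signature id).
SAMPLE_ALERTS = """\
03/27-15:18:06.911226 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 129.244.70.17 -> 129.244.70.237
03/27-15:18:06.915302 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 129.244.70.17 -> 129.244.70.238
03/27-15:18:07.002114 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 129.244.70.17 -> 129.244.70.239
03/27-15:19:41.330981 [**] [1:99999:1] MISC source port 53 to <1024 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 203.0.113.9:53 -> 129.244.70.237:137
this line is not an alert and is counted as unparsed
"""

def report(text=SAMPLE_ALERTS):
    """Plain-text summary of an alert file, most frequent entries first."""
    s = summarize(text.splitlines())
    out = ["Top signatures:"]
    for (sid, msg), n in s["signatures"].most_common():
        out.append(f"  {n:4d}  sid {sid}  {msg}")
    out.append("Top sources:")
    for src, n in s["sources"].most_common():
        out.append(f"  {n:4d}  {src}")
    out.append("Top destinations:")
    for dst, n in s["destinations"].most_common():
        out.append(f"  {n:4d}  {dst}")
    out.append(f"Unparsed lines: {s['skipped']}")
    return "\n".join(out)

if __name__ == "__main__":
    print(report())
```

Counting unparsed lines rather than silently dropping them matters in practice: a truncated or rotated alert file otherwise produces a report that looks complete but is not.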
21
Analysis Console for Intrusion Databases (ACID)
acidlab.sourceforge.net/
PHP-based analysis engine to search and process a database of security events generated by various IDSes, firewalls, and network monitoring tools
Query builder and search interface, packet viewer (decoder), alert management, chart and statistics generation
Description and screenshots taken from the ACID web site
25
Conclusions
Snort is a powerful tool, but maximizing its usefulness requires a trained operator
Snort is considered a superior NIDS when compared to most commercial systems
Snort is a wonderful low- to no-cost solution for businesses
Snort, written in C, can compile and run on a variety of different Operating Systems
26
Snort.org
Securityfocus.com
Whitehats.com
27
Questions?