Penetration Testing Security Analysis and Advanced Tools: Snort.


1 Penetration Testing Security Analysis and Advanced Tools: Snort

2 Introduction to Snort Analysis
Snort
– Widely used, open-source, network-based intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks
– Performs protocol analysis and content matching to detect a variety of attacks and probes such as: buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and more

3 Modes of Operation
Snort can be configured to run in the following modes:
– Packet Sniffer
– Packet Logger
– Network Intrusion Detection System
– Inline

4 Features of Snort
– Protocol analysis
– Content searching/matching
– Real-time alerting capability
– Can read a Tcpdump trace and run it against a rule set
– Flexible rules language
Snort can be configured to watch a network for a particular type of attack profile
– It can alert the incident response team as soon as the attack takes place

5 Configuring Snort
Snort is configured using the text file snort.conf
– The include keyword allows other rules files to be included within the rules file
Variables
– Used to define parameters for detection, specifically those of the local network or of specific servers or ports, for inclusion in or exclusion from the rules
Snort Preprocessors
– Offer additional detection capabilities
– Port scan: a TCP connection that attempts to send to more than P ports in T seconds, or UDP packets sent to more than P ports in T seconds
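The port scan definition on this slide (more than P distinct ports from one source within T seconds) is concrete enough to implement. The following is an added example, not the slides' or Snort's own preprocessor code: a sliding-window detector run over a constructed set of connection records, with P and T exposed as parameters so the threshold trade-off can be explored. The record layout, the `PortscanDetector` class and the alert string format are assumptions made for this illustration.

```python
from collections import defaultdict, deque

# Constructed sample connection attempts for the example (not Snort output):
# (timestamp_seconds, src_ip, dst_ip, dst_port, protocol)
SAMPLE_CONNECTIONS = [
    (0.0, "10.0.0.5", "192.168.1.10", 22, "tcp"),
    (0.5, "10.0.0.5", "192.168.1.10", 80, "tcp"),
    (1.0, "10.0.0.5", "192.168.1.10", 443, "tcp"),
    (1.5, "10.0.0.5", "192.168.1.10", 8080, "tcp"),
    (2.0, "10.0.0.5", "192.168.1.10", 3306, "tcp"),
    (2.5, "10.0.0.5", "192.168.1.10", 5432, "tcp"),  # 6th distinct port inside 3 s
    (0.0, "10.0.0.7", "192.168.1.10", 80, "tcp"),
    (1.0, "10.0.0.7", "192.168.1.10", 80, "tcp"),    # same port repeated: not a scan
    (40.0, "10.0.0.9", "192.168.1.10", 53, "udp"),
    (41.0, "10.0.0.9", "192.168.1.10", 123, "udp"),
    (42.0, "10.0.0.9", "192.168.1.10", 161, "udp"),  # only 3 UDP ports: below P=5
]


class PortscanDetector:
    """Sliding-window detector (illustrative, not Snort's implementation).

    Raises one alert per (source, protocol) when the number of distinct
    destination ports seen within `window_seconds` exceeds `max_ports`,
    i.e. the "more than P ports in T seconds" condition from the slide.
    """

    def __init__(self, max_ports, window_seconds):
        self.max_ports = max_ports
        self.window = window_seconds
        # per (src, proto): deque of (timestamp, dst_port) in arrival order
        self._events = defaultdict(deque)
        self._alerted = set()

    def observe(self, ts, src, dst, port, proto):
        """Feed one connection record; return an alert string or None."""
        key = (src, proto)
        q = self._events[key]
        q.append((ts, port))
        # drop events that have fallen out of the T-second window
        while q and ts - q[0][0] > self.window:
            q.popleft()
        distinct_ports = {p for _, p in q}
        if len(distinct_ports) > self.max_ports and key not in self._alerted:
            self._alerted.add(key)  # alert once per source/protocol, not per packet
            return (f"PORTSCAN {proto.upper()} {src} -> {dst}: "
                    f"{len(distinct_ports)} ports in {self.window}s")
        return None


def scan_connections(records, max_ports=5, window_seconds=3.0):
    """Run the detector over records (sorted by time) and collect alerts."""
    detector = PortscanDetector(max_ports, window_seconds)
    alerts = []
    for rec in sorted(records, key=lambda r: r[0]):
        alert = detector.observe(*rec)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in scan_connections(SAMPLE_CONNECTIONS):
        print(line)
```

Lowering P or widening T makes the detector fire on the three-port UDP source as well; tuning these two values against normal traffic on the monitored network is what decides the false-positive rate of the preprocessor.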

6 Configuring Snort (cont’d.)
These are the different directives that can be used with the config command.

7 Configuring Snort (cont’d.)
Output Plug-ins
– Allow Snort to be much more flexible in the formatting and presentation of output to its users
– Snort has nine output plug-ins: alert_syslog, alert_fast, alert_full, alert_unixsock, log_tcpdump, database, csv, unified, log_null

8 How Snort Works
Initializing Snort
– Starting up
– Parsing the configuration file
Decoding
– Execution begins at the ProcessPacket() function when a new packet is received
Preprocessing
– The ProcessPacket() function tests to see the mode in which Snort is running
Detection
– The detection phase begins in the Detect() function

9 Content Matching
Snort uses a series of string matching and parsing functions
– Contained in the src/mstring.c and src/mstring.h files in the Snort source tree
The detection engine slightly changes the way Snort works by having the first phase be a setwise pattern match
Some detection options, such as pcre and byte_test, perform detection in the payload section of the packet rather than using the setwise pattern-matching engine

10 The Stream4 Preprocessor
stream4 module
– Provides TCP stream reassembly and stateful analysis capabilities to Snort
– Gives large-scale users the ability to track many simultaneous TCP streams
– Set to handle 8,192 simultaneous TCP connections in its default configuration
Stream4 contains two configurable modules:
– Global Stream4 preprocessor
– Stream4 reassemble preprocessor

11 Inline Functionality
Implemented utilizing the iptables or ipfw firewall option to provide the functionality for a new set of rule types: drop, reject, and sdrop
Inline Initialization
– The inline_flag variable is used to toggle the use of inline functionality in Snort
Inline Detection
– To receive packets from ipqueue or ipfw, calls to the IpqLoop() and IpfwLoop() functions are added to the SnortMain() function

12 Writing Snort Rules
Snort uses a simple, lightweight rules description language that is both flexible and powerful
The Rule Header (fields)
– Rule action
– Protocol
– IP address
– Port information
– Directional operator
Rule Options
– Specify exactly what to match and what to display after a successful match

13 Writing Snort Rules (cont’d.)
These are all available Snort rule options.

14 Writing Snort Rules (cont’d.)
Writing Good Snort Rules
– Develop effective content-matching strings
– Catch the vulnerability, not the exploit
– Catch the oddities of the protocol in the rule
– Optimize the rules
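To make the rule layout from slides 12 and 14 concrete, here is an added example (not code from the slides or from the Snort project): a small parser that splits a rule into the header fields the slide lists (action, protocol, IP address, port, directional operator) and the option list, expands `$HOME_NET`-style variables from a constructed variable table standing in for the `var` lines of snort.conf, and rejects rules that lack the `msg`, `sid` and `rev` options needed to identify an alert. The sample rule, its sid and the variable values are constructed for this illustration; the option keywords it uses (msg, flow, content, depth, pcre, classtype, sid, rev) are standard Snort options. Its pcre matches an over-long request line rather than one specific exploit string, in the spirit of "catch the vulnerability, not the exploit".

```python
import re

# Constructed sample rule for this example (sid 1000001 is a made-up local id).
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
    '(msg:"WEB-MISC sample long URI"; flow:to_server,established; '
    'content:"GET "; depth:4; pcre:"/^GET\\s[^\\s]{300,}/"; '
    'classtype:web-application-attack; sid:1000001; rev:1;)'
)

# Constructed stand-in for `var HOME_NET ...` / `var EXTERNAL_NET ...` in snort.conf
VARIABLES = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!192.168.1.0/24"}

VALID_ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
VALID_PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
REQUIRED_OPTIONS = ("msg", "sid", "rev")  # needed to name and version an alert

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$",
    re.S,
)


def expand_variable(token, variables):
    """Replace a $NAME token with its value; an unknown name is an error,
    so a typo never silently matches nothing (or everything)."""
    if token.startswith("$"):
        name = token[1:]
        if name not in variables:
            raise ValueError(f"undefined variable {token}")
        return variables[name]
    return token


def split_options(body):
    """Split 'key:value; key; ...' into (key, value) pairs, honouring quoted
    strings and backslash escapes so a ';' inside a pcre does not split it."""
    pieces, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            pieces.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        pieces.append("".join(cur).strip())
    options = []
    for piece in pieces:
        key, _, value = piece.partition(":")
        value = value.strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]  # keep inner whitespace, e.g. content:"GET "
        options.append((key.strip(), value or None))
    return options


def parse_rule(text, variables=VARIABLES):
    """Parse one Snort rule into header fields plus its option list."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("rule does not match 'action proto src sport dir dst dport (options)'")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    if action not in VALID_ACTIONS:
        raise ValueError(f"unknown rule action {action!r}")
    if proto not in VALID_PROTOCOLS:
        raise ValueError(f"unknown protocol {proto!r}")
    options = split_options(body)
    present = {k for k, _ in options}
    missing = [k for k in REQUIRED_OPTIONS if k not in present]
    if missing:
        raise ValueError(f"rule is missing required options: {missing}")
    return {
        "action": action,
        "protocol": proto,
        "src": expand_variable(src, variables),
        "src_port": sport,
        "direction": direction,
        "dst": expand_variable(dst, variables),
        "dst_port": dport,
        "options": options,
    }


if __name__ == "__main__":
    for field, value in parse_rule(SAMPLE_RULE).items():
        print(f"{field}: {value}")
```

The option list is kept as an ordered list of pairs rather than a dict because Snort evaluates options in order and a rule may legitimately repeat `content` several times; the test below collapses it to a dict only because the sample rule has no repeats.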

15 Snort Tools
IDS Policy Manager
– Written to manage Snort IDS sensors in a distributed environment
Snort Rules Subscription
– Sourcefire, the company behind Snort, uses a registration and subscription model for distribution of new rules
Honeynet Security Console
– Analysis tool to view events on a personal network or honeynet

16 Snort Tools (cont’d.)
IDS Policy Manager configures Snort with a graphical user interface.

17 Snort Tools (cont’d.)
Honeynet Security Console displays and analyzes events from several IDS programs.

18 Summary
Snort is a powerful intrusion detection system (IDS) and traffic analyzer
A Snort configuration file has four major components:
– Variables
– Preprocessors
– Output plug-ins
– Rules
A Snort rule contains a rule header and rule options
Users can write their own Snort rules either manually or with the assistance of tools

19 Summary (cont’d.)
A three-homed firewall DMZ handles the traffic between the internal network and the firewall, as well as the traffic between the firewall and the DMZ
A site survey can be conducted to determine the proper number of access points needed, based on the expected number of users and the specific environment for a WLAN
Authentication may not be desired if a network is publicly accessible
An access point is a layer-2 device that serves as an interface between the wireless network and the wired network
