Published by Molly McDaniel. Modified over 9 years ago.
Intrusion Detection: Snort
Basics: History
Snort was developed in 1998 by Martin Roesch. It was intended to be an open-source technology, and remains as such. Originally, it was a “lightweight” intrusion detection system. Now, it has expanded to include features that can hardly be called “lightweight.”
Basics: History
Snort is now the de facto standard in intrusion detection and prevention. It is one of the most flexible and configurable threat detection systems available. It is available for Windows, Linux, Unix, and other more obscure operating systems.
Basics: About
Snort is primarily a network intrusion detection system (IDS).
– IDS: an application that performs traffic analysis (inspecting the packets going across a network) and packet logging, and that alerts on attacks and intrusions, port scans, and many other types of infringement on an IP network.
Basics: About
Snort has the capability to detect a variety of attacks on an IP network, including:
– Buffer overflows
– Stealth port scans
– CGI attacks
– SMB (server message block) probes
– OS fingerprinting
Setup
Snort can be obtained from www.winsnort.com or www.snort.org. Snort requires WinPCap 3.0; the newest version (3.1) will not work with Snort. WinPCap is a packet-capturing tool (not a standalone application; a component required by most IDSs). It can be obtained from winpcap.polito.it.
Setup
Once Snort and WinPCap have been installed, the snort.conf (configuration file) must be edited. Within the file, the only change required is the location of the RULES files, which is normally c:\snort\rules\. Other changes to snort.conf, such as the IP addresses to watch, are up to the user.
Running Snort
Once snort.conf is edited properly, choose RUN and enter:
– C:\Snort\bin\snort.exe {any flags go here}
– The next slide explains what each flag does. (A flag is a variable used to indicate a true or false value; that is, a flag tells the program what options you want to employ.)
Running Snort
Many flags are available for use. In our testing, we’ve come up with some that work well together:
– -d dumps APPLICATION LAYER data
– -e dumps DATA LINK LAYER data
– -v is visual mode; this flag keeps Snort’s activities visible in the terminal box.
– -l is required to log the packets. Usage: -l c:\Snort\log\. It will create a logfile.
– -O obfuscates IP addresses, printing them in the format xx.xx.xx.xx.
– -C drops all hex data and reports only ASCII data. This is useful to trim the fat, as it were, off your log files.
Running Snort
So the proper usage would be something like this, in the RUN dialog box:
– C:\Snort\bin\snort.exe -devOC -l c:\Snort\log\
This will run Snort and display a visual output, dumping application and data link layer data and logging the packets that travel across the network to c:\Snort\log\snort.log.
Here is what a standard logfile looks like:
05/11-22:09:39.472302 192.168.234.209:2414 -> 192.168.235.254:8905
UDP TTL:128 TOS:0x0 ID:8280 IpLen:20 DgmLen:59
Len: 31
00 00 00 1F 01 01 11 DB 87 50 BC 56 56 34 5A E8  .........P.VV4Z.
46 62 7B C9 56 AD 16 EB 7A F5 72 04 1E D4 18     Fb{.V...z.r....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Breakdown
Here is a breakdown of what Snort reports in the log file:
– Date / Time
– Source IP (source of packet)
– Destination IP (destination of packet; often xx.xx.xx.255, which is a broadcast to all computers on xx.xx.xx.xx)
– TTL (Time-to-Live) for packet in ms
– TOS (Type of Service; indicates the priority given to packet contents)
– Packet ID number
– IP length (IpLen)
– Datagram length (DgmLen)
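The fields listed above can be pulled out of a logfile mechanically. As an added example that is not part of the original presentation, the following Python parses one packet-log record in the format shown on the previous slide (a constructed sample, not captured traffic) and cross-checks the advertised lengths against the dumped bytes, which is a cheap way to spot truncated or corrupted records before relying on them.

```python
import re
# Constructed sample in the slide's log format (not real captured traffic).
SAMPLE_RECORD = """05/11-22:09:39.472302 192.168.234.209:2414 -> 192.168.235.254:8905
UDP TTL:128 TOS:0x0 ID:8280 IpLen:20 DgmLen:59
Len: 31
00 00 00 1F 01 01 11 DB 87 50 BC 56 56 34 5A E8  .........P.VV4Z.
46 62 7B C9 56 AD 16 EB 7A F5 72 04 1E D4 18     Fb{.V...z.r....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
"""

# First line: date-time, source ip:port, destination ip:port.
HEADER_RE = re.compile(
    r"^(?P<date>\d\d/\d\d)-(?P<time>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+)\s+->\s+"
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$")
# Second line: protocol and the IP header fields labelled on the slide.
IP_RE = re.compile(
    r"^(?P<proto>\w+)\s+TTL:(?P<ttl>\d+)\s+TOS:(?P<tos>0x[0-9A-Fa-f]+)\s+"
    r"ID:(?P<id>\d+)\s+IpLen:(?P<iplen>\d+)\s+DgmLen:(?P<dgmlen>\d+)$")
# Leading hex byte pairs of a dump line; the ASCII column follows them.
HEX_RE = re.compile(r"^((?:[0-9A-F]{2} )+)")

def parse_record(text):
    """Parse one packet-log record into a dict; raise ValueError if malformed."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    hdr = HEADER_RE.match(lines[0]) if lines else None
    ip = IP_RE.match(lines[1]) if len(lines) > 1 else None
    if not hdr or not ip:
        raise ValueError("unrecognised record header")
    rec = dict(hdr.groupdict(), **ip.groupdict())
    for key in ("src_port", "dst_port", "ttl", "id", "iplen", "dgmlen"):
        rec[key] = int(rec[key])
    rec["tos"] = int(rec["tos"], 16)
    rec["len"], payload = None, bytearray()
    for ln in lines[2:]:
        m = HEX_RE.match(ln)
        if ln.startswith("Len:"):          # UDP payload length line
            rec["len"] = int(ln.split(":", 1)[1])
        elif ln.startswith("=+="):         # record separator
            break
        elif m:
            payload.extend(bytes.fromhex(m.group(1).replace(" ", "")))
    rec["payload"] = bytes(payload)
    # Consistency checks: dumped bytes must match Len; for UDP, DgmLen should
    # equal the IP header plus the 8-byte UDP header plus the payload.
    rec["len_ok"] = rec["len"] == len(payload)
    rec["dgm_ok"] = (rec["proto"] != "UDP"
                     or rec["dgmlen"] == rec["iplen"] + 8 + (rec["len"] or 0))
    rec["is_broadcast"] = rec["dst_ip"].endswith(".255")
    return rec
```

For the sample record the checks hold: 20 (IpLen) + 8 + 31 (Len) = 59 (DgmLen), and 16 + 15 dumped bytes = 31.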
Alerting
The rules files (several come with Snort, several more are available from various resources on the Internet) contain information about when to send off an alert. (You can set in the snort.conf file which rules will be turned on or off.) When Snort finds a packet that violates a rule that you have turned on, it will notify you via dialog box.
For whom?
Snort is a non-commercial enterprise, and as such, is not suited for commercial uses. That said, it could definitely be of use to commercial organizations. For personal use, Snort has many possible uses, especially for the paranoid.
Questions?
Ask them. We’ll do our best.