
Snort & Nmap Mike O’Connor Eric Tallman Matt Yasiejko.


1 Snort & Nmap (Mike O'Connor, Eric Tallman, Matt Yasiejko)

2 Overview
- Snort: what is it? What does it do? Features
- Nmap: what is it? What does it do? Features

3 What is Snort?
- An IDS that can also be configured as an IPS
- A software solution for IDS/IPS
- To act as an IPS (inline), the sniffing machine needs two interfaces so that traffic passes through it and can be dropped
- Network based: on a switch, the sensor port must be mirrored (SPAN) to receive the traffic of the other ports; on a hub, every port sees all traffic

4 Snort
- Network intrusion detection system
- Real-time traffic analysis
- Packet logging
- Detects OS fingerprinting attempts
- Protocol analysis: decodes protocols and checks implementation details

5 Components in Snort
- External packet-capture library
- Packet decoder: translates protocol elements into an internal data structure
- Preprocessors: examine/manipulate packets for the detection engine
- Detection engine: tests single elements of packets against the rules
- Output plugins: generate alerts and logs


7 1. Capturing traffic (libpcap/WinPcap)
- Sniffs the line and gets raw packets off the network
- Raw packets are needed to detect various attacks
- Can only process one packet at a time
- We use WinPcap, the Windows packet-capture library
- Captures packets travelling across a network

8 2. Packet decoder
- Series of decoders that each decode specific protocol elements (link layer, IP, TCP/UDP/ICMP)
- A data structure is filled in with the decoded packet data
- The data structures are passed to the preprocessors and the detection engine

9 3a. Preprocessors
- Two types:
  - Examine packets: used for non-signature-based detection (e.g. port-scan detection)
  - Modify packets in preparation for the detection engine: normalize traffic
- Packets cycle through all preprocessors
- Keeps attackers from hiding one attack behind other traffic
- Multiple violations may be seen this way

10 3b. Preprocessors
- Fragmentation: reassembles fragments so malicious traffic cannot be split across them, including fragments with modified packet headers and DoS attacks such as the Ping of Death
- Stateful inspection: tracks connection state, so a packet that belongs to no established connection (e.g. a SYN-ACK for a handshake that was never completed) is recognised
- IP protocol checks beyond TCP

11 4. Detection engine
- Uses a decision tree: e.g. if the packet is TCP, it is passed to the portion of the tree that deals with TCP rules
- The first signature that matches is applied; then the next packet is analyzed
- Priority is therefore very important: rules for high-severity attacks must be ordered so that they are checked first (later Snort versions can queue more than one event per packet, but the ordering principle still applies)

12 5. Output plugins
- Dump alert data to a file or another resource
- Unified format: one of many options, and the fastest, since it writes binary records for a separate tool to process later
- Alert file: attack summary, IPs, protocol used, etc.
- Packet file: the actual packet data
- Other targets: database, file dumps, external applications

13 snort_inline turns Snort into an IPS
- Set up rules to drop packets
- Set up alerts to log attacks
- Set up rules to cut the connection, for example with a TCP reset
- Example drop rule (later Snort versions also require a sid: option):
  drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";)

14 General rule structure
- _action _protocol _ip1 _direction _ip2 (options)
- Each _ip field is an address followed by a port (source first, then destination)

15 _action options
- _action _protocol _ip1 _direction _ip2 (options)
- alert: generate an alert using the selected alert method, and then log the packet
- log: log the packet
- pass: ignore the packet
- activate: alert and then turn on another dynamic rule
- dynamic: remain idle until activated by an activate rule, then act as a log rule

16 _protocol options
- _action _protocol _ip1 _direction _ip2 (options)
- tcp, udp, icmp, ip (ip matches any IP protocol)
- The Snort manual listed ARP, IGRP, GRE, OSPF, RIP and IPX as possible future additions; they are not supported rule protocols

17 _ip options (IP address, netmask, port)
- _action _protocol _ip1 _direction _ip2 (options)
- IP address/netmask (CIDR), port or port range lo:hi, ! to negate
- any, or an individual IP
- Example: alert tcp any any -> 192.168.1.0/24 111

18 _direction options
- _action _protocol _ip1 _direction _ip2 (options)
- -> is from source to destination
- <> is both directions: source to destination and destination to source

19 Rule options
- _action _protocol _ip1 _direction _ip2 ( options )
- Example:
  alert tcp any any -> $HOME_NET 31337 (msg: "BLEEDING-EDGE ATTACK RESPONSE Potential root shell connection detected!"; flow: established,to_server; tag: session, 20, packets; classtype: bad-unknown; sid: 2001545; rev:2; )
- msg is the alert text; flow restricts the match to established connections heading to the server; tag logs the next 20 packets of the session; classtype categorises the event; sid and rev identify the rule and its revision
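The header grammar of slides 14 to 19, the drop rule of slide 13 and the first-match behaviour of slide 11 can be put together in a small model. The following is an added example written for this page; it is not Snort code and not part of the presentation. It parses the slides' own rules, matches them against packets described as dicts, and applies them in order so that the effect of rule ordering is visible. The $HOME_NET value, the `<>` SSH rule and the `pass` rule are assumptions made for the example; option keywords such as flow: and content: are parsed but not evaluated.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Rule variables referenced as $NAME. The slides never define $HOME_NET, so this is an assumption.
VARS = {"HOME_NET": "192.168.1.0/24"}

# Header grammar from the slides: action protocol src_ip src_port direction dst_ip dst_port (options)
# The option block is optional, as in the slide's `alert tcp any any -> 192.168.1.0/24 111`.
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?:\((?P<opts>.*)\))?\s*$",
    re.S,
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)


def split_options(raw):
    """Split 'key:value; key:value;' on semicolons that are not inside double quotes.
    Repeated keywords (several content: modifiers) would need a list; a dict suffices here."""
    opts, buf, quoted = {}, [], False

    def flush():
        item = "".join(buf).strip()
        if item:
            key, _, value = item.partition(":")
            opts[key.strip()] = value.strip().strip('"')
        buf.clear()

    for ch in raw:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            flush()
        else:
            buf.append(ch)
    flush()
    return opts


def parse_rule(text):
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    opts = split_options(m["opts"]) if m["opts"] is not None else {}
    return Rule(m["action"], m["proto"].lower(), m["src"], m["sport"], m["dir"],
                m["dst"], m["dport"], opts)


def ip_matches(spec, addr):
    if spec.startswith("!"):
        return not ip_matches(spec[1:], addr)
    if spec.startswith("$"):
        spec = VARS[spec[1:]]
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    if ":" in spec:                      # range lo:hi, either end may be omitted
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def rule_matches(rule, pkt):
    """Header match only: options such as flow: and content: are not evaluated."""
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    forward = (ip_matches(rule.src, pkt["src"]) and port_matches(rule.sport, pkt["sport"])
               and ip_matches(rule.dst, pkt["dst"]) and port_matches(rule.dport, pkt["dport"]))
    if rule.direction == "->" or forward:
        return forward
    return (ip_matches(rule.src, pkt["dst"]) and port_matches(rule.sport, pkt["dport"])
            and ip_matches(rule.dst, pkt["src"]) and port_matches(rule.dport, pkt["sport"]))


def first_match(rules, pkt):
    """Slide 11's model of the detection engine: the first matching rule wins, so order matters."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule
    return None


# The three rules from the slides, plus one constructed bidirectional rule.
RULES = [parse_rule(t) for t in (
    'drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated";)',
    'alert tcp any any -> 192.168.1.0/24 111',
    'alert tcp any any -> $HOME_NET 31337 (msg: "BLEEDING-EDGE ATTACK RESPONSE Potential root shell '
    'connection detected!"; flow: established,to_server; tag: session, 20, packets; '
    'classtype: bad-unknown; sid: 2001545; rev:2; )',
    'alert tcp any any <> $HOME_NET 22 (msg:"ssh traffic either direction"; sid:1000001; rev:1;)',
)]
# Constructed: a pass rule for an internal scanner. Placed before the drop rule it exempts the
# scanner; placed after it, it never fires because the drop rule matches first.
PASS_RULE = parse_rule('pass tcp 10.0.0.5 any -> any 80 (msg:"trusted scanner"; sid:1000002; rev:1;)')
```

Run `first_match([PASS_RULE] + RULES, pkt)` and `first_match(RULES + [PASS_RULE], pkt)` for a port-80 packet from 10.0.0.5 to see the two outcomes; real Snort additionally applies its configured action ordering (pass, drop, alert, log) on top of file order.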

20 Rule structure for wireless (Snort-Wireless)
- wifi ( ), with source and destination MAC addresses in place of the IP address fields (see slide 21)

21 Rule options (MAC address fields)
- Single MAC address: 00:DE:AD:BE:EF:00
- MAC address list: [00:DE:AD:BE:EF:00, 00:DE:AD:C0:DE:00, ...]

22 Logs
- Using syslog logs
- Sawmill: web interface to analyze traffic; logs need to be converted to plaintext before it can process them
- Convert a binary packet log to text with WinDump (tcpdump for Windows; -r reads the file, -tt prints raw timestamps):
  windump -r _log_ -tt > _txtFile_

23 Snort status
- DB connection is problematic for the FreeBSD version
- Snort currently captures traffic and creates logs based on rules
- Lab3 is now the sniffer box (WinPcap and Snort)
- Plugged into physical port FA0/23, receiving all switch traffic

24 NMAP

25 Nmap
- Network Mapper
- Discovers the services available on the different hosts in a network
- Command-line and GUI versions
- nmap and nmapfe packages in FreeBSD

26 Features
- Enumerates ports on target machines
- Identifies services running on those ports
- OS fingerprinting

27 Typical uses
- List the services available on a machine
- Run a network security audit of machines
- Identify computers that may be exploited
- Audit an individual machine's security

28 nmapfe

29 Just the beginning…
- Nmap is one tool in the arsenal of black hat hackers
- Prelude to exploitation tools
- Metasploit: used for the actual exploitation attempt

30 Nmap command
  nmap -s~ -P~ -O -p 1-1024 134.198.161.*
- -s~: scan type (the ~ stands for the scan letter, e.g. -sS)
- -P~: ping/host-discovery type
- -O: OS detection
- -p 1-1024: port range
- 134.198.161.*: IP range/address

31 Enumerate ports / services
- "Well-known" or "interesting" ports: the well-known (privileged) range is 0-1023; the command on slide 30 scans 1-1024
- 65,535 usable ports (1-65535) each for TCP and for UDP
- Output columns: Port/Protocol, State, Service Name
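The port/protocol/state/service table of slide 31 is what a practitioner usually post-processes, and Nmap's grepable output (-oG) is the easiest form to do that from. The following is an added example written for this page, not Nmap code and not part of the presentation: it parses a constructed -oG sample for the slide's 134.198.161.* range (the hostname, versions, OS guess and port counts are made up for the example) and extracts the rows that need triage.

```python
import re

# Constructed sample of `nmap -sS -sV -O -p 1-1024 -oG -` output; not a real scan result.
# Grepable output repeats an up host on a Status line and a Ports line, and separates the
# fields of a line with tabs. Each port entry is port/state/proto/owner/service/rpc/version/.
SAMPLE_GREPABLE = (
    "# Nmap scan initiated as: nmap -sS -sV -O -p 1-1024 -oG - 134.198.161.0/24\n"
    "Host: 134.198.161.10 (lab3)\tStatus: Up\n"
    "Host: 134.198.161.10 (lab3)\tPorts: 22/open/tcp//ssh//OpenSSH 4.2 (protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.2.3/, 111/open/tcp//rpcbind//2-4 (RPC #100000)/, "
    "443/filtered/tcp//https///\tIgnored State: closed (1020)\tOS: FreeBSD 6.X\n"
    "Host: 134.198.161.11 ()\tStatus: Down\n"
    "# Nmap done: 256 IP addresses (1 host up) scanned\n"
)

PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpc", "version")
IGNORED_RE = re.compile(r"(\w[\w|]*) \((\d+)\)")


def parse_grepable(text):
    """Return one dict per host, merging the Status and Ports lines Nmap emits for it.
    Nmap escapes '/' inside the version field as '|', so splitting on '/' is safe."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                   # comment lines start with '#'
        fields = dict(f.split(": ", 1) for f in line.split("\t"))
        addr, _, name = fields["Host"].partition(" ")
        host = hosts.setdefault(addr, {"addr": addr, "name": name.strip("()"),
                                       "status": None, "os": None, "ports": [], "ignored": None})
        if "Status" in fields:
            host["status"] = fields["Status"]
        if "OS" in fields:
            host["os"] = fields["OS"]
        m = IGNORED_RE.match(fields.get("Ignored State", ""))
        if m:                                          # e.g. "closed (1020)": the bulk of the range
            host["ignored"] = (m.group(1), int(m.group(2)))
        for entry in fields.get("Ports", "").split(","):
            entry = entry.strip()
            if not entry:
                continue
            port = dict(zip(PORT_FIELDS, entry.split("/")))
            port["port"] = int(port["port"])
            host["ports"].append(port)
    return list(hosts.values())


def hosts_up(hosts):
    return [h["addr"] for h in hosts if h["status"] == "Up"]


def open_ports(hosts, proto="tcp"):
    """(addr, port, service) for every open port: the rows worth a closer look."""
    return [(h["addr"], p["port"], p["service"])
            for h in hosts for p in h["ports"] if p["proto"] == proto and p["state"] == "open"]


if __name__ == "__main__":
    for h in parse_grepable(SAMPLE_GREPABLE):
        print(h["addr"], h["status"], h["os"])
        for p in h["ports"]:
            print("  %d/%s %-10s %-8s %s" % (p["port"], p["proto"], p["state"], p["service"], p["version"]))
```

The same parser works on real output from `nmap ... -oG file`; filtered ports are kept separately from open ones because, as slide 32 explains, "filtered" only means the probe got no answer.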

32 Types of scans (cheat sheet: http://www.secguru.com/nmap_cheatsheet)
- -sS (TCP SYN scan): half-open scan; stealthier because no full connection is handed to the application, so the service never logs it. SYN/ACK means listening (open), RST means non-listener (closed), no reply means filtered
- -sT (TCP connect scan): uses the OS connect() system call to complete the handshake; easily logged by the service
- -sU (UDP scan): sends an empty UDP datagram to the targeted ports (newer versions add protocol-specific payloads for some ports); an ICMP port-unreachable reply (type 3, code 3) means closed, a UDP reply means open, and no reply is reported as open|filtered
- -sN, -sF, -sX (TCP Null, FIN and Xmas scans): probes with the SYN, RST and ACK bits all clear
  - Per the TCP RFC, any incoming segment not containing RST causes a closed port to respond with an RST
  - An open port silently drops such a probe, so no response means open|filtered
  - Caveat: Windows and some other stacks send an RST regardless of port state, so these scans report every port as closed there
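The probe/response logic of slide 32, including the RFC caveat in its last bullet, is easiest to check with both sides of the exchange modelled. The following is an added example for this page, not Nmap code: a constructed target stack answers SYN, FIN and UDP probes, and three scan functions turn the answers into the port states Nmap would report. The `rfc793` flag is an assumption used to model a stack that resets every FIN/NULL/Xmas probe; with it off, the FIN scan reports open ports as closed, which is exactly the caveat.

```python
from dataclasses import dataclass, field


# Constructed model of a target's TCP/IP stack (not Nmap code). Ports not listed are closed.
@dataclass
class Target:
    open_tcp: set = field(default_factory=set)
    filtered_tcp: set = field(default_factory=set)   # a firewall silently drops probes to these
    open_udp: set = field(default_factory=set)       # listening, but silent on an empty datagram
    talkative_udp: set = field(default_factory=set)  # listening and replies to the probe (e.g. DNS)
    rfc793: bool = True   # False models stacks such as Windows that RST every FIN/NULL/Xmas probe

    def tcp_reply(self, port, flags):
        """Flags of the reply segment, or None when nothing comes back."""
        if port in self.filtered_tcp:
            return None
        if "S" in flags:                                   # SYN probe
            return "SA" if port in self.open_tcp else "R"
        # NULL/FIN/Xmas probe: none of SYN, RST, ACK set
        if port not in self.open_tcp:
            return "R"                                     # RFC 793: a closed port answers RST
        return None if self.rfc793 else "R"                # open port: RFC says drop silently

    def udp_reply(self, port):
        if port in self.talkative_udp:
            return "udp"
        if port in self.open_udp:
            return None
        return "icmp-3/3"                                  # ICMP destination unreachable, port unreachable


def syn_scan(target, ports):
    """-sS: SYN/ACK -> open, RST -> closed, silence -> filtered."""
    states = {}
    for p in ports:
        r = target.tcp_reply(p, "S")
        states[p] = "open" if r == "SA" else "closed" if r == "R" else "filtered"
    return states


def fin_scan(target, ports):
    """-sF (same decision for -sN and -sX): RST -> closed, silence -> open|filtered."""
    states = {}
    for p in ports:
        r = target.tcp_reply(p, "F")
        states[p] = "closed" if r == "R" else "open|filtered"
    return states


def udp_scan(target, ports):
    """-sU: UDP reply -> open, ICMP 3/3 -> closed, silence -> open|filtered.
    Real Nmap also maps other ICMP unreachable codes to 'filtered' and retransmits before deciding."""
    states = {}
    for p in ports:
        r = target.udp_reply(p)
        states[p] = "open" if r == "udp" else "closed" if r == "icmp-3/3" else "open|filtered"
    return states


if __name__ == "__main__":
    bsd = Target(open_tcp={22, 80}, filtered_tcp={443}, open_udp={123}, talkative_udp={53})
    win = Target(open_tcp={22, 80}, filtered_tcp={443}, rfc793=False)
    print("SYN vs RFC stack    ", syn_scan(bsd, [22, 23, 80, 443]))
    print("FIN vs RFC stack    ", fin_scan(bsd, [22, 23, 80, 443]))
    print("FIN vs non-RFC stack", fin_scan(win, [22, 23, 80, 443]))
    print("UDP vs RFC stack    ", udp_scan(bsd, [53, 69, 123]))
```

The SYN scan gives the same answer against both stacks, which is why it is the default; the FIN scan only adds value against RFC-compliant targets, and its "open|filtered" verdicts still need a SYN scan or version probe to resolve.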

33 OS detection
- Uses TCP/IP stack fingerprinting
- Each OS's particular implementation of the protocols reveals the target host's OS
- The probe responses are checked against a database of known OS fingerprints (nmap-os-db in current releases)
- Why hide the OS? Black hat hackers may try OS-specific exploits once the OS is known

34 Reference: http://www.csee.umbc.edu/~krishna/cs491n/snort_manual.pdf

