
Snort Intrusion Detection. What is Snort Packet Analysis Tool Most widely deployed NIDS Initial release by Marty Roesch in 1998 Current version 2.4.4.


1 Snort Intrusion Detection

2 What is Snort
- Packet analysis tool
- Most widely deployed NIDS
- Initial release by Marty Roesch in 1998
- Current version 2.4.4 as of April 17th, 2006

3 Features
- Small package (2.7 MB for source)
- Cross platform
- Open source
- Backed by Sourcefire
- Fast (high rate of detection on average networks)
- Configurable

4 Design
- Packet analysis pipeline: Data Acquisition -> Decode -> Preprocess -> Detect -> Action

5 Design
- Engine uses rules to form "signatures"
- Modular detection elements are combined to form specific signatures
- Detects anomalous activity
- Easily updateable

6 Different Modes
- Packet sniffer
- Packet logger
- NIDS mode
- Inline mode

7 Rules
- Two parts:
  – Rule header
  – Rule options

8 Rule Header
    alert        tcp        $BAD       any        ->          $GOOD       any
    rule action  protocol   src. CIDR  src. port  direction   dest. CIDR  dest. port

  Example (alert on TCP traffic entering 10.1.1.0/24 from outside it; "!" negates the CIDR):
    alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any

9 Rule Options
    (flags: SF; msg: "SYN-FIN scan";)
- Keyword: flags
- Separator: ":"
- Argument: SF
- Delimiter: ";"

10 Common Rule Options
- IP TTL
- IP ID
- Fragment size
- TCP flags
- TCP ack number
- TCP seq number
- Payload size
- Content
- Content offset
- Content depth
- Session recording
- ICMP type
- ICMP code
- Alternate log files

11 Make Custom Rules
- Detect a string in any TCP payload (content and msg arguments must be quoted; the backslash continues the rule on the next line):
    alert tcp any any -> any any \
        (content:"clemson"; msg:"detected clemson!";)

12 Output
- Log all the alerts
- Real-time alerts
- Several different types:
  – Syslog
  – Plain text
  – Databases
  – Unified output

13 Common Options
- -A fast: Fast alert mode. Writes the alert in a simple format with a timestamp, alert message, source and destination IPs/ports.
- -A full: Full alert mode. This is the default alert mode and will be used automatically if you do not specify a mode.
- -A unsock: Sends alerts to a UNIX socket that another program can listen on.
- -A none: Turns off alerting.
- -A console: Sends "fast-style" alerts to the console (screen).
- -A cmg: Generates "cmg style" alerts.
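As an added example (not from the slides or the Snort project), a small Python model of how the rule header and rule options shown above are parsed and matched, emitting simplified "-A fast"-style lines for the two rules on these slides. The packets are constructed, and the matcher covers only the header fields and the flags/content options the slides discuss.

```python
import ipaddress

def parse_rule(rule):
    """Header fields (action proto src sport dir dst dport) plus (keyword, argument) option pairs."""
    header, _, opts = rule.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    # keyword ':' argument ';' as on the rule-options slide; simplification: no ';' inside quoted values
    options = [(k.strip(), a.strip().strip('"')) for k, _, a in
               (o.partition(":") for o in opts.rstrip(")").split(";")) if k.strip()]
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}

def net_matches(spec, ip):
    """'any', a CIDR, or a '!'-negated CIDR such as !10.1.1.0/24."""
    return spec == "any" or (
        ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"))) != spec.startswith("!")

def rule_matches(rule, pkt):
    """Header check ('->' direction only), then every recognised option must hold."""
    r = parse_rule(rule)
    header_ok = (r["proto"] == pkt["proto"]
                 and net_matches(r["src"], pkt["src"]) and net_matches(r["dst"], pkt["dst"])
                 and all(p == "any" or int(p) == q
                         for p, q in ((r["sport"], pkt["sport"]), (r["dport"], pkt["dport"]))))
    checks = {"content": lambda a: a.encode() in pkt["payload"],
              "flags": lambda a: set(a) == set(pkt["flags"])}   # exact flag set, e.g. SF
    return header_ok and all(checks[k](a) for k, a in r["options"] if k in checks)

RULES = [
    'alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any (flags:SF; msg:"SYN-FIN scan";)',
    'alert tcp any any -> any any (content:"clemson"; msg:"detected clemson!";)',
]
# Constructed sample packets; only the fields the rules above inspect are modelled.
PACKETS = [
    dict(proto="tcp", src="192.0.2.7", sport=40000, dst="10.1.1.5", dport=22, flags="SF", payload=b""),
    dict(proto="tcp", src="10.1.1.9", sport=40001, dst="10.1.1.5", dport=22, flags="SF", payload=b""),
    dict(proto="tcp", src="198.51.100.2", sport=5555, dst="10.1.1.80", dport=80, flags="PA",
         payload=b"GET /clemson HTTP/1.0\r\n"),
]

def fast_alerts(rules, packets):
    """One simplified '-A fast'-style line per matching (packet, rule): message plus endpoints."""
    lines = []
    for pkt in packets:
        for rule in rules:
            if rule_matches(rule, pkt):
                msg = dict(parse_rule(rule)["options"])["msg"]
                lines.append(f'[**] {msg} [**] {pkt["src"]}:{pkt["sport"]} -> {pkt["dst"]}:{pkt["dport"]}')
    return lines
```

The second packet comes from inside 10.1.1.0/24, so the negated source CIDR excludes it even though its flags match.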

14 Tools for Snort
- ACID
- SnortSnarf
- Snort Alert Monitor (SAM)
- Snortalog
- Guardian
- DeMarc PureSecure
- IDSCenter (Windoze)

15 Resources
- Snort.org – www.snort.org/dl (downloads)
- BleedingEdge – www.bleedingsnort.com/
- Sourcefire – www.sourcefire.com
