Snort Intrusion Detection System
www.snort.org
Outline
  • What is snort?
  • What can it do?
  • How is it installed?
  • How is it configured?
  • How is it used?
History
  • First released in 1998 by Martin Roesch
  • Originally intended to be a lightweight intrusion detection technology.
  • Has evolved ...
  • 3 Million downloads
  • 225k active users.
Capabilities
  • Four modes of operation
    • Packet Sniffer mode
    • Packet Logger mode
    • Network Intrusion Detection Mode
    • Network Intrusion Prevention
cs490ns - cotter

Capabilities
  • Packet Sniffer mode
    • Read packets (based on rules) and display on console
    • ./snort -dev
  • Packet Logger
    • Log all packets into a local log, organized into directories by IP address
    • ./snort -dev -l ./log
    • ./snort -dev -l ./log -h 192.168.1.0/24
Capabilities
  • NIDS Mode
    • Scan packets for a given combination of parameters
    • Output options – ASCII / binary (tcpdump format)
    • ./snort -d -l ./log -h 192.168.1.0/24 -c snort.conf
Snort Rule
alert tcp any any -> $HOME_NET 80 (flags:S; msg:"Port 80 SYN";)

  • Action Field
    • alert, log, pass, activate, dynamic
  • Protocol Field
    • tcp, udp, icmp, ip
  • Source / Destination address and port
    • direction indicator
  • Rule Options
    • msg, logto, id, dsize, seq, ack, flags, content, session
Example Rules
alert tcp any any -> 192.168.5.0/24 21 (msg:"attempted anonymous ftp access"; content:"anonymous"; offset:5;)
alert tcp any any -> any any (msg:"Null Scan"; flags:0;)
log tcp any any <> 192.168.5.0/24 21 (session:printable;)
alert udp any any -> 192.168.5.0/24 31337 (msg:"Back Orifice";)
Rule Types
  • Alert Rules
  • Pass Rules
  • Log Rules
  • Safe Order: Alert, Pass, Log
  • Efficient Order: Pass, Alert, Log
Installing Snort
  • Locating the IDS relative to network
    • Place Snort outside of firewall
    • Place Snort just inside firewall
    • Place Snort on critical systems (host based)
  • Install software
    • Download source or binaries from snort.org
      • Windows / Linux
    • Compile and/or install.
      • /etc/snort (configuration files)
      • /usr/sbin (executable program)
      • /var/log/snort (typical log file directory)
/etc/snort/snort.conf
  • Serves as a default configuration
    • (once home network has been identified)
  • Data Types
    • include (similar to programming includes)
      • include: reference.config
    • preprocessor (functional modules)
      • preprocessor frag3
    • var (variables)
      • var HOME_NET 192.168.1.0/24
    • config (configure various options)
      • config disable_tcpopt_obsolete_alerts
snort.conf setup
  1) Set the variables for your network
  2) Configure dynamic loaded libraries
  3) Configure preprocessors
  4) Configure output plugins
  5) Add any runtime config directives
  6) Customize your rule set
snort.conf setup
  • Set the variables for your network
    • var HOME_NET [10.1.1.0/24,192.168.1.0/24]
    • var EXTERNAL_NET any
    • var DNS_SERVERS $HOME_NET
    • var HTTP_SERVERS $HOME_NET
    • var HTTP_PORTS 80
    • var ORACLE_PORTS 1521
    • var RULE_PATH /etc/snort/rules
snort.conf setup
  • Configure dynamic loaded libraries
    • Located in /usr/lib/snort-2.x.x_dynamicpreprocessor
      • libsf_dcerpc_preproc.so
      • libsf_dcerpc_preproc.so.0
      • libsf_dns_preproc.so
      • libsf_dns_preproc.so.0
      • libsf_ftptelnet_preproc.so
      • libsf_ftptelnet_preproc.so.0
      • ...
snort.conf setup
  • Configure preprocessors
    • preprocessor flow: stats_interval 0 hash 2
    • preprocessor frag3_global: max_frags 65536
    • preprocessor frag3_engine: policy first detect_anomalies
    • preprocessor stream4: disable_evasion_alerts
    • preprocessor rpc_decode: 111 32771
    • preprocessor bo
snort.conf setup
  • Configure output plugins
    • output alert_syslog: LOG_AUTH LOG_ALERT
    • output database: log, mssql, dbname=snort user=snort password=test
    • output alert_unified: filename snort.alert, limit 128
    • ruletype suspicious
      {
        type log
        output log_tcpdump: suspicious.log
      }
    • suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
snort.conf setup
  • Add any runtime config directives
    • config ignore_ports: tcp 21 6667:6671 1356
    • config ignore_ports: udp 1:17 53
    • config disable_decode_alerts
    • config disable_tcpopt_obsolete_alerts
snort.conf setup
  • Customize your rule set
    • include $RULE_PATH/local.rules
    • include $RULE_PATH/bad-traffic.rules
    • include $RULE_PATH/exploit.rules
    • include $RULE_PATH/scan.rules
    • include $RULE_PATH/finger.rules
    • include $RULE_PATH/ftp.rules
  • (More than 50 sets of rules defined)
bad-traffic rules
  • 12 rules in test rule set
  • alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC tcp port 0 traffic"; flow:stateless; classtype:misc-activity; sid:524; rev:8;)
    • Capture any incoming traffic to port 0 of any LAN HOME_NET machine.
    • More information given in signature file 524.txt
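As an added illustration (not from the slides or the Snort project), a small Python evaluator for the rule format described on the Snort Rule, Example Rules and Rule Types slides: it parses a rule header and its key:value options, matches headers against constructed packets (including the `<>` direction and `$HOME_NET` substitution used by the sid 524 rule above), and applies the slides' safe versus efficient rule-type ordering. The variable table and packets are constructed for the example; option keywords such as content, flags and session are parsed but not evaluated.

```python
import ipaddress
import re

# Constructed variable table mirroring the snort.conf excerpts in the slides.
VARS = {"HOME_NET": "192.168.5.0/24", "EXTERNAL_NET": "any"}
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>tcp|udp|icmp|ip)\s+(?P<src>\S+)\s+"
    r"(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$")

def parse_rule(text):
    """Split one rule into its header fields plus a dict of 'key:value' options."""
    m = HEADER_RE.match(" ".join(re.sub(r"\\\s+", " ", text).split()))  # join '\' continuations
    if not m:
        raise ValueError("not a Snort rule: " + text)
    rule = m.groupdict()
    pairs = (o.strip().partition(":") for o in rule["opts"].split(";") if o.strip())
    rule["opts"] = {k: v.strip().strip('"') for k, _, v in pairs}
    return rule

def _ip_match(spec, ip):
    spec = VARS.get(spec[1:], spec) if spec.startswith("$") else spec  # $HOME_NET etc.
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_match(spec, port):
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")          # Snort ranges: "1:17", ":1024", "1024:"
    return int(lo or 0) <= port <= int(hi or (65535 if sep else lo))

def header_matches(rule, pkt):
    """pkt is a dict with proto, src, sport, dst, dport. '<>' rules are tried in
    both directions; '->' only as written. Option matching is out of scope here."""
    if rule["proto"] not in (pkt["proto"], "ip"):
        return False
    def fits(a, ap, b, bp):
        return (_ip_match(rule["src"], a) and _port_match(rule["sport"], ap)
                and _ip_match(rule["dst"], b) and _port_match(rule["dport"], bp))
    return (fits(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            or (rule["dir"] == "<>" and fits(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])))

def first_action(rules, pkt, order=("alert", "pass", "log")):
    """Rule-type ordering from the slides: the earliest type in `order` that has a
    matching rule decides the packet's fate (safe order alerts before pass can hide it)."""
    for action in order:
        if any(r["action"] == action and header_matches(r, pkt) for r in rules):
            return action
    return None
```

Running the sid 524 rule against a probe to port 0 of a HOME_NET host returns "alert" under the safe order and "pass" under the efficient order once a matching pass rule is present, which is exactly the trade-off the Rule Types slide describes.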
Signature 524.txt
Rule:
--
Sid: 524
--
Summary:
This event is generated when TCP traffic to port 0 is detected. This should not be seen in normal TCP communications.
--
Impact:
Possible reconnaissance. This may be an attempt to verify the existence of a host or hosts at a particular address or address range.
--
Detailed Information:
TCP traffic to port 0 is not valid under normal circumstances.
an indicator of unauthorized network use, reconnaissance activity or system compromise. These rules may also generate an event due to improperly configured network devices.
--
Affected Systems:
Any
--
Attack Scenarios:
The attacker could send packets to a host with a destination port of 0. The attacker might also be using hping to verify the existence of a host as a prelude to an attack.
--
Ease of Attack:
Simple
--
False Positives:
None Known
--
False Negatives:
None Known
--
Corrective Action:
Disallow TCP traffic to port 0.
--
Contributors:
Original rule writer unknown
Sourcefire Vulnerability Research Team
Nigel Houghton
--
Additional References:
Certified Rules for Snort
  • http://www.snort.org/pub-bin/downloads.cgi
  • Subscription User Rules
    • Available immediately upon release
  • Registered User Rules
    • Same rules, but released with a 30 day delay
  • Unregistered User Rules
    • Single set of rules for each snort release (mostly for testing purposes).
Typical Installations
  • Used in any of the configurations discussed in IDS lecture
  • Installation may be configured with several Snort sensors
    • outside network
    • monitoring traffic just inside firewall
    • monitoring key servers
Inline Mode
  • Configure Snort to receive packets from iptables rather than libpcap.
  • Separate capability that must be explicitly installed.
  • Adds 3 new rule types
    • Drop – iptables drops packet and snort logs
    • Reject – iptables rejects packet and snort logs
    • Sdrop – iptables will drop packet. No logging.
Inline Mode
  • Start iptables
    • iptables -A OUTPUT -p tcp --dport <port> -j QUEUE (the slide leaves the port value unspecified; <port> is a placeholder)
    • Traffic is routed to QUEUE, where it can be captured by snort_inline
  • Start Snort
    • snort_inline -QDc ../etc/drop.conf -l /var/log/snort
      • -Q – get packets from iptables
      • -D – run in daemon mode
      • -c – specify configuration file
      • -l – specify log file
Complex installations
  • Use Snort to monitor traffic and log suspicious or dangerous traffic.
  • Store information in binary format
    • Much faster than ascii storage.
  • Store information to a database
    • mysql, postgresql, oracle, MS sql, ODBC
    • Much easier to process / analyze data
  • Use data analysis front-ends to examine logs
    • Barnyard (www.snort.org)
    • BASE (Basic Analysis and Security Engine)
Summary
  • Snort is a powerful tool for monitoring network traffic for anomalies that might indicate network intrusion
  • Can be used in several different configurations
  • Well supported
    • Code Base
    • Rules Sets