Snort Intrusion Detection System. www.snort.org. Outline. What is snort? What can it do? How is it installed? How is it configured? How is it used?. History. First released in 1998 by Martin Roesch Originally intended to be a lightweight intrusion detection technology. Has evolved ...
Four modes of operation
Packet Sniffer mode
Packet Logger mode
Network Intrusion Detection Mode
Network Intrusion Prevention
cs490ns - cotter
alert tcp any any -> $Home 80 (flags:S; msg:"Port 80 SYN";)
alert tcp any any -> 192.168.5.0/24 21 \
(msg: "attempted anonymous ftp access"; \
content: "anonymous"; offset: 5;)
alert tcp any any -> any any (msg: "Null Scan"; \
log tcp any any <> 192.168.5.0/24 21 \
alert udp any any -> 192.168.5.0/24 31337 \
(msg: "Back Orifice";)
1) Set the variables for your network
2) Configure dynamic loaded libraries
3) Configure preprocessors
4) Configure output plugins
5) Add any runtime config directives
6) Customize your rule set
Configure dynamic loaded libraries
Configure output plugins
This event is generated when TCP traffic to port 0 is detected. This should not be seen in normal TCP communications.
Possible reconnaissance. This may be an attempt to verify the existence of a host or hosts at a particular address or address range.
TCP traffic to port 0 is not valid under normal circumstances.
an indicator of unauthorized network use, reconnaissance activity or system compromise. These rules may also generate an event due to improperly configured network devices.
The attacker could send packets to a host with a destination port of 0. The attacker might also be using hping to verify the existence of a host as a prelude to an attack.
Ease of Attack:
Disallow TCP traffic to port 0.
Original rule writer unknown
Sourcefire Vulnerability Research Team
Nigel Houghton
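As an added example (not from the original slides or the Snort project), this Python code applies the header checks behind the sample rules and the port 0 event above to raw IPv4 packets. The packets are constructed; the "TCP port 0 traffic" label, treating $Home as any destination, and the no-flags test for Null Scan (whose options are cut off above) are assumptions.

```python
import ipaddress
import struct

SYN = 0x02                                    # TCP SYN flag bit
LAN = ipaddress.ip_network("192.168.5.0/24")  # network used in the rules above

def parse_ipv4(pkt):
    """Return (proto, dst_ip, dst_port, tcp_flags) or None if not parseable."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                 # header length in bytes
    if ihl < 20 or len(pkt) < ihl:
        return None
    dst, l4 = ipaddress.ip_address(pkt[16:20]), pkt[ihl:]
    if pkt[9] == 6 and len(l4) >= 20:         # TCP: flags are byte 13 (ECN bits masked off)
        return "tcp", dst, struct.unpack("!H", l4[2:4])[0], l4[13] & 0x3F
    if pkt[9] == 17 and len(l4) >= 8:         # UDP has no flags
        return "udp", dst, struct.unpack("!H", l4[2:4])[0], None
    return None

def classify(pkt):
    """Return the alert messages whose header checks match this packet."""
    parsed = parse_ipv4(pkt)
    if parsed is None:                        # truncated or non-IPv4 input
        return []
    proto, dst, dport, flags = parsed
    hits = []
    if proto == "tcp":
        if dport == 0:                        # hypothetical label for the port 0 event
            hits.append("TCP port 0 traffic")
        if flags == 0:                        # assumed Null Scan test: no flags set
            hits.append("Null Scan")
        if dport == 80 and flags == SYN:      # flags:S means SYN and nothing else
            hits.append("Port 80 SYN")
    elif dport == 31337 and dst in LAN:
        hits.append("Back Orifice")
    return hits

def build(proto, dport, flags=0, dst="192.168.5.10"):
    """Constructed sample packet: 20-byte IPv4 header plus TCP or UDP header."""
    if proto == "tcp":
        l4, num = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, flags, 1024, 0, 0), 6
    else:
        l4, num = struct.pack("!HHHH", 40000, dport, 8, 0), 17
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, num, 0,
                     ipaddress.ip_address("10.0.0.1").packed, ipaddress.ip_address(dst).packed)
    return ip + l4
```

A SYN+ACK segment to port 80 produces no hit because the flags test is an exact match, which is why the rule fires on connection attempts only.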