
Snort


Presentation Transcript


  1. Snort Roy INSA Lab.

  2. Outline • What is “Snort”? • Working modes • How to write Snort rules? • Snort plug-ins • It’s show time

  3. What is “Snort”? • An open source network IDS • Powerful • Stand-alone real-time traffic analysis • Packet logging on IP networks • Detect a variety of attacks and probes • Protocol analysis, content searching/matching • Log to a nicely organized, human-readable directory structure • Flexible • Rules language to describe traffic • Detection engine utilizes a modular plug-in architecture

  4. Snort Working Modes • Sniffer mode (like tcpdump or CommView) • Packet logger mode • NIDS mode

  5. Snort Rules • Rules are similar to packet-filter expressions • Snort has 4 rule actions • activate - alert and then turn on another dynamic rule • dynamic - remain idle until activated by an activate rule, then act as a log rule • alert - generate an alert using the selected alert method, and then log the packet • pass - ignore the packet • log - log the packet • Rule application order (diagram not included in the transcript)

  6. How to Write Snort Rules? • Simple Snort rule • alert tcp any any -> any any (content:"|00 01 86 a5|"; msg:"mountd access";) • Advanced Snort rules • http://www.snort.org/docs/snort_manual/node14.html • Snort Rules Database http://www.snort.org/snort-db/ • Detail of the rule, field by field: Rule action (alert, log, pass, etc.) • Protocol (tcp, udp, icmp, etc.) • Source IP address • Source port number • Direction operator (->, <>) • Destination IP address • Destination port number

  7. Writing good rules 3C • Content matching • Catch the vulnerability, not the exploit • an attacker can change the exploit slightly • Catch the oddities of the protocol in the rule • user root • alert tcp any any -> any 21 (content:"user root";) • the literal match misses variants such as user<tab>root • alert tcp any any -> any 21 (flow:to_server,established; content:"root"; pcre:"/user\s+root/i";)
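To make slides 6 and 7 concrete, here is an added example (not Snort's own code, and not part of the original slides) that parses a rule into the seven header fields and its options, decodes the |00 01 86 a5| hex-content escape from slide 6, and then runs the two FTP rules from slide 7 against a few constructed login lines. It shows why the literal content:"user root" rule misses a tab or upper-case variant while the pcre rule with \s+ and the i flag catches them. It is a deliberately reduced model: one content and one pcre option per rule, no multiple-content ordering, and the flow and msg options are parsed but not enforced.

```python
"""Toy model of Snort rule parsing and content/pcre matching (added example)."""
from __future__ import annotations
import re

# Snort writes raw bytes inside a content string as |00 01 86 a5|
HEX_RE = re.compile(r"\|([0-9A-Fa-f ]+)\|")
ACTIONS = {"activate", "dynamic", "alert", "pass", "log"}


def split_options(body: str) -> list:
    """Split the option section on ';' characters that are outside double quotes."""
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def parse_rule(text: str) -> dict:
    """Return the seven header fields plus an 'options' dict for one rule line."""
    header, sep, body = text.strip().partition("(")
    fields = header.split()
    if len(fields) != 7:
        raise ValueError(f"rule header needs 7 fields, got {len(fields)}: {header!r}")
    if not (sep and body.endswith(")")):
        raise ValueError("rule options must be enclosed in parentheses")
    names = ("action", "proto", "src_ip", "src_port", "direction", "dst_ip", "dst_port")
    rule = dict(zip(names, fields))
    if rule["action"] not in ACTIONS:
        raise ValueError(f"unknown rule action {rule['action']!r}")
    if rule["direction"] not in {"->", "<>"}:
        raise ValueError(f"bad direction operator {rule['direction']!r}")
    rule["options"] = {}
    for opt in split_options(body[:-1]):
        key, _, val = opt.partition(":")      # flag options like nocase have no value
        rule["options"][key.strip()] = val.strip()
    return rule


def content_bytes(value: str) -> bytes:
    """Turn a content value into the bytes searched for, expanding |..| hex escapes."""
    text = value.strip('"')
    out, pos = bytearray(), 0
    for m in HEX_RE.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1))
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def compile_pcre(value: str):
    """Compile a pcre value of the form "/regex/flags" (i, s and m flags supported)."""
    text = value.strip('"')
    if not text.startswith("/"):
        raise ValueError("pcre value must start with '/'")
    pattern, _, flags = text[1:].rpartition("/")
    bits = 0
    for flag, bit in (("i", re.IGNORECASE), ("s", re.DOTALL), ("m", re.MULTILINE)):
        if flag in flags:
            bits |= bit
    return re.compile(pattern.encode("latin-1"), bits)


def rule_matches(rule: dict, payload: bytes) -> bool:
    """Apply the content (with optional nocase) and pcre options to one payload."""
    opts = rule["options"]
    if "content" in opts:
        needle = content_bytes(opts["content"])
        if "nocase" in opts:
            if needle.lower() not in payload.lower():
                return False
        elif needle not in payload:
            return False
    if "pcre" in opts and not compile_pcre(opts["pcre"]).search(payload):
        return False
    return True


def evaluate(rule_text: str, payloads: dict) -> dict:
    """Map each payload name to whether the rule would fire on it."""
    rule = parse_rule(rule_text)
    return {name: rule_matches(rule, data) for name, data in payloads.items()}


# The rules from slides 6 and 7
STRICT_RULE = 'alert tcp any any -> any 21 (content:"user root";)'
PCRE_RULE = (r'alert tcp any any -> any 21 (flow:to_server,established; '
             r'content:"root"; pcre:"/user\s+root/i";)')
MOUNTD_RULE = 'alert tcp any any -> any any (content:"|00 01 86 a5|"; msg:"mountd access";)'

# Constructed FTP login lines (sample input, not captured traffic)
FTP_LOGINS = {
    "plain": b"user root\r\n",      # literal and regex rules both fire
    "tab": b"user\troot\r\n",       # tab instead of space evades the literal match
    "upper": b"USER   root\r\n",    # FTP commands are case-insensitive
    "benign": b"user alice\r\n",    # neither rule should fire
}

if __name__ == "__main__":
    for label, rule in (("strict", STRICT_RULE), ("pcre", PCRE_RULE)):
        print(label, evaluate(rule, FTP_LOGINS))
    print(parse_rule(MOUNTD_RULE)["options"], content_bytes('"|00 01 86 a5|"'))
```

The strict rule fires only on the "plain" line, while the pcre rule fires on "plain", "tab" and "upper" and stays quiet on "benign": that gap between the two result sets is the difference between catching one exploit string and catching the protocol oddity the slide talks about.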

  8. Snort Plug-ins • Preprocessors • Operate on packets after they’ve been received and decoded by Snort, before rules are matched • Ex. http_decode, port scan, frag2, stream4 • Output modules • Any rule type you define can be specified to use a particular kind of output plug-in • Ex. alert_fast, alert_syslog, database, xml

  9. Snort Working Architecture (diagram; labels only: Snort, Preprocessor, Rule, Active, Alert, Pass, Log, Output module)

  10. Show time • Test environment • Download and install package • Case1.Nmap port scan • Case2.MSN chat messages

  11. Environment

  12. Before… Install • Requires libpcre • http://www.pcre.org/ • Requires libpcap • http://sourceforge.net/projects/libpcap/

  13. Snort Go!!Go!!Go!! • Download • snort-2.1.3.tar.gz • http://www.snort.org/ • Install package

  14. Start Snort !! • Edit snort.conf • Wait some minutes

  15. View the results • Nice directory structure and file name

  16. Case1.Nmap Scan

  17. Case2.MSN chat message • Copy and paste to create new rules • Add the new rule file to snort.conf • include $RULE_PATH/msn.rules • Just execute “Snort” • Snort doesn’t include MSN rules by default • Snort rule database • http://www.snort.org/snort-db/ • Use a keyword to search

  18. Enjoy the result

  19. Conclusions • Good rules maximize efficiency and speed

  20. Reference • Writing rules • http://www.snort.org/docs/snort_manual/node14.html • Rule database • http://www.snort.org/snort-db/
