Snort - PowerPoint PPT Presentation
PowerPoint Slideshow about 'Snort' - vanya

Presentation Transcript
Snort

The Lightweight Intrusion Detection System


The other games in town

Heavyweight systems:

Stateful firewalls:

Example: Check Point FireWall-1

Commercial network intrusion detection systems:

Example: Network Flight Recorder (NFR)


The Art of Intrusion Detection:

  • Know the protocols.

  • Watch the web.

  • Set up your IDS monitor.

  • Install and tune Snort.

  • Set up your switches.

  • Watch and process logs.




Watch the web

www.snort.org

www.securityfocus.com

csrc.nist.gov

www.sans.org

www.cert.org



Set up your IDS monitor

The hardware: a generic Intel CPU

The software: a UNIX-like O/S with libpcap


Install and tune Snort

Download

Tune the rules

Compile


Set up your switches

[Diagram: a Remote Switch and a Local Switch joined by a cross-over jumper; the User PC sits on the Default VLAN (or ELAN), the Snort Box on the Management VLAN.]


Set up your switches

remote-switch# set vlan 2 port 3/2

remote-switch# set vlan 2 port 3/3

remote-switch# set span 1 3/1 create

local-switch# set vlan 2 port 4/1

local-switch# set vlan 2 port 4/2

Ports 3/2 and 3/3 on the remote switch and 4/1 and 4/2 on the local switch are placed in VLAN 2, the management VLAN. The set span line mirrors the traffic of VLAN 1 (the default VLAN the users sit on) to port 3/1, the port the Snort box sniffs from. A switch only floods traffic to the mirror port, so without the SPAN session the Snort box would see nothing but broadcasts.


Watch and process logs

  • There are lots of PERL programs.

  • Snort can send a WinPopup message via SMB.

  • Snort can log to a MySQL database.

  • Get fancy by going through syslog.

  • Tip: keep systems in sync with NTP, so that timestamps from the sensor, the syslog host and the database line up.
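Most of the "lots of PERL programs" mentioned above do one thing: parse Snort's one-line alert log and count. The following is an added example (not from the slides, not Snort's own code) that does the same in Python. The sample lines are constructed for this example in the one-line format Snort writes with -A fast; the bracketed [gid:sid:rev], [Classification], [Priority] and {PROTO} fields only appear in later Snort versions, so the parser treats them as optional. The threshold in noisy_sources is an assumed value, not a Snort default.

```python
"""Parse Snort alert_fast lines and summarize them (added example)."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample alert file: five Snort 1.x-style lines, one later-style
# line with [gid:sid:rev]/[Priority]/{PROTO}, and one line of non-alert noise.
SAMPLE_ALERTS = """\
01/17-11:22:33.104512  [**] PHF probe! [**] 192.168.5.5:33000 -> 10.1.1.7:80
01/17-11:22:34.771903  [**] X traffic [**] 10.0.0.1:5000 -> 10.1.1.9:6003
01/17-11:22:35.002117  [**] X traffic [**] 10.0.0.1:5001 -> 10.1.1.9:6004
01/17-11:22:35.310458  [**] X traffic [**] 10.0.0.1:5002 -> 10.1.1.9:6005
01/17-11:22:36.500001  [**] New IMAP Buffer Overflow detected! [**] 172.16.0.2:4444 -> 192.168.1.20:143
01/17-11:22:37.000000  [**] [1:886:3] WEB-CGI phf access [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.5.5:33001 -> 10.1.1.7:80
this line is not an alert and is skipped
"""

# Timestamp, [**] msg [**], optional rule id / classification / priority /
# protocol, then src[:port] -> dst[:port].  Ports are absent for ICMP alerts.
ALERT_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+'
    r'(?:\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+)?'
    r'(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:[^\]]*\]\s+)?'
    r'(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?'
    r'(?:\{(?P<proto>\w+)\}\s+)?'
    r'(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+'
    r'(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$')


@dataclass
class Alert:
    ts: str          # month/day-time only: Snort writes no year and no zone
    msg: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    gid: Optional[int] = None
    sid: Optional[int] = None
    rev: Optional[int] = None
    priority: Optional[int] = None
    proto: Optional[str] = None


def _opt_int(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None


def parse_alerts(text: str) -> List[Alert]:
    """Return one Alert per well-formed line; anything else is skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        alerts.append(Alert(
            ts=m["ts"], msg=m["msg"], src=m["src"], dst=m["dst"],
            sport=_opt_int(m["sport"]), dport=_opt_int(m["dport"]),
            gid=_opt_int(m["gid"]), sid=_opt_int(m["sid"]), rev=_opt_int(m["rev"]),
            priority=_opt_int(m["prio"]), proto=m["proto"]))
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, Counter]:
    """Alert counts per rule message and per source address."""
    return {"by_msg": Counter(a.msg for a in alerts),
            "by_src": Counter(a.src for a in alerts)}


def noisy_sources(alerts: List[Alert], min_targets: int) -> List[str]:
    """Sources that hit at least min_targets distinct (dst, dport) pairs:
    the usual first sign of a scan rather than a single probe."""
    targets = defaultdict(set)
    for a in alerts:
        targets[a.src].add((a.dst, a.dport))
    return sorted(src for src, t in targets.items() if len(t) >= min_targets)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for msg, n in summarize(alerts)["by_msg"].most_common():
        print(f"{n:4d}  {msg}")
    print("scanning sources:", noisy_sources(alerts, 3))
```

Because the timestamp carries neither year nor time zone, merging alert files from several sensors, or lining them up with syslog and database records, only works when every host's clock is set from NTP, which is why the slide's last tip matters as much as the parsing.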


Snort rule anatomy

A rule is a header (action, protocol, source address and port, direction arrow, destination address and port) followed by options in parentheses, each terminated by a semicolon:

alert tcp any any -> 10.1.1.0/24 80 \

(content: "/cgi-bin/phf"; msg: "PHF probe!";)

alert tcp any any -> 10.1.1.0/24 6000:6010 \

(msg: "X traffic";)


Snort rule anatomy

IMAP attack:


Snort rule anatomy

alert tcp any any -> 192.168.1.0/24 143 \

(content:"|E8C0 FFFF FF|/bin/sh"; msg: \

"New IMAP Buffer Overflow detected!";)

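To make the anatomy concrete, here is an added example (not from the slides and not Snort's own matching engine) that parses the three rules shown on the rule anatomy slides and runs them against constructed packets. It handles the header fields, the any/CIDR/negated address forms, the lo:hi port range used by the X traffic rule, and the |hex| byte notation inside content, which is what lets the IMAP rule match the raw shellcode bytes rather than text. The packets and payloads are constructed for this example.

```python
"""Minimal Snort 1.x rule parser and matcher (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# The three rules from the slides, joined onto single lines.
SLIDE_RULES = [
    'alert tcp any any -> 10.1.1.0/24 80 (content: "/cgi-bin/phf"; msg: "PHF probe!";)',
    'alert tcp any any -> 10.1.1.0/24 6000:6010 (msg: "X traffic";)',
    'alert tcp any any -> 192.168.1.0/24 143 (content:"|E8C0 FFFF FF|/bin/sh"; '
    'msg: "New IMAP Buffer Overflow detected!";)',
]

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
OPTION_RE = re.compile(r'(\w+)\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    msg: str
    content: Optional[bytes]   # None when the rule has no content option


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def decode_content(spec: str) -> bytes:
    """Turn a content string into bytes: text outside |...| is literal,
    text inside is hex (spaces ignored), e.g. |E8C0 FFFF FF|/bin/sh."""
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError(f"unbalanced | in content: {spec!r}")
    out = bytearray()
    for i, part in enumerate(parts):
        out += bytes.fromhex(part.replace(" ", "")) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_rule(text: str) -> Rule:
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule header: {text!r}")
    opts = dict(OPTION_RE.findall(m["opts"]))
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dir"], m["dst"], m["dport"],
                opts.get("msg", ""),
                decode_content(opts["content"]) if "content" in opts else None)


def addr_matches(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if ":" in spec:                       # lo:hi, :hi or lo: (inclusive)
        lo, hi = spec.split(":", 1)
        return (not lo or int(lo) <= port) and (not hi or port <= int(hi))
    return port == int(spec)


def _endpoints_match(r: Rule, p: Packet) -> bool:
    fwd = (addr_matches(r.src, p.src) and port_matches(r.sport, p.sport)
           and addr_matches(r.dst, p.dst) and port_matches(r.dport, p.dport))
    if r.direction == "->":
        return fwd
    rev = (addr_matches(r.src, p.dst) and port_matches(r.sport, p.dport)
           and addr_matches(r.dst, p.src) and port_matches(r.dport, p.sport))
    return fwd or rev                     # <> matches either direction


def rule_matches(r: Rule, p: Packet) -> bool:
    if r.proto != "ip" and r.proto != p.proto:
        return False
    if not _endpoints_match(r, p):
        return False
    return r.content is None or r.content in p.payload


def alerts_for(rules: List[Rule], p: Packet) -> List[str]:
    """Messages of every alert rule the packet triggers, in rule order."""
    return [r.msg for r in rules if r.action == "alert" and rule_matches(r, p)]


# Constructed packets: a PHF probe, an X11 connection, an IMAP session carrying
# the overflow bytes, and a benign IMAP login that must not fire.
SAMPLE_PACKETS = [
    Packet("tcp", "192.168.5.5", 33000, "10.1.1.7", 80, b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n\r\n"),
    Packet("tcp", "10.0.0.1", 5000, "10.1.1.9", 6003, b""),
    Packet("tcp", "172.16.0.2", 4444, "192.168.1.20", 143, b"A" * 64 + b"\xe8\xc0\xff\xff\xff/bin/sh"),
    Packet("tcp", "172.16.0.2", 4445, "192.168.1.20", 143, b"a001 LOGIN guest guest\r\n"),
]

if __name__ == "__main__":
    rules = [parse_rule(r) for r in SLIDE_RULES]
    for p in SAMPLE_PACKETS:
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}: {alerts_for(rules, p) or 'no alert'}")
```

The second rule has no content option, so every TCP connection into the X port range alerts: that is a policy rule, not an attack signature, and it is the kind of rule the "tune the rules" step exists for.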

Operational hint

Run from /etc/inittab with the respawn option:

snort:5:respawn:/usr/local/bin/snort

or a shell program:

#!/bin/sh
# Restart Snort whenever it exits; append each restart time to a log.
while true
do
    /bin/date >> /var/log/snort-restart.log
    /usr/local/bin/snort
    sleep 5   # avoid a tight loop if Snort fails to start at all
done

Either way, run Snort in the foreground (no -D): a daemonized Snort returns immediately, so init or the loop would start a new copy endlessly.


