Snort

Roy

INSA Lab.

Outline
  • What is “Snort”?
  • Working modes
  • How to write snort rules ?
  • Snort plug-ins
  • It’s show time
What is “Snort”?
  • An open source network IDS
  • Powerful
    • Stand-alone real-time traffic analysis
    • Packet logging on IP networks
    • Detect a variety of attacks and probes
    • Protocol analysis, content searching/matching
    • Log to a nicely organized, human-readable directory structure
  • Flexible
    • Rules language to describe traffic
    • Detection engine utilizes a modular plug-in architecture
Snort Working Modes
  • Sniffer mode
    • Tcpdump, Commview
  • Packet logger mode
  • NIDS mode
Snort Rules
  • Rules are similar to packet-filter expressions
  • Snort has 4 rule actions (plus the dynamic companion of activate)
    • activate - alert and then turn on another dynamic rule
      • dynamic - remain idle until activated by an activate rule, then act as a log rule
    • alert - generate an alert using the selected alert method, and then log the packet
    • pass - ignore the packet
    • log - log the packet

Rule application order

How to Write Snort Rules ?
  • Simple Snort rule
    • alert tcp any any -> any any (content:"|00 01 86 a5|"; msg:"mountd access";)
  • Advanced Snort rules
    • http://www.snort.org/docs/snort_manual/node14.html
  • Snort Rules Database http://www.snort.org/snort-db/

Detail of a rule (diagram): the header fields in the order they are written
  • Rule action: alert, log, pass, etc.
  • Protocol: tcp, udp, icmp, etc.
  • Source IP address
  • Source port number
  • Direction operator: ->, <>
  • Destination IP address
  • Destination port number

Writing good rules (3C)

  • Content matching
  • Catch the vulnerability, not the exploit
    • an attacker can change the exploit slightly, and a rule written for one exploit no longer fires
  • Catch the oddities of the protocol in the rule
    • Example: FTP "user root"
    • alert tcp any any -> any 21 (content:"user root";)
      • matches "user root" but not "user<tab>root"
    • alert tcp any any -> any 21 (flow:to_server,established; content:"root"; pcre:"/user\s+root/i";)
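The following is an added example, not code from the slides or from the Snort project: a small Python parser for the rule syntax shown above (header fields plus the option list, including `|..|` hex content) and an evaluator that applies only the `content:` and `pcre:` options to a payload. It is used to show why the naive `content:"user root"` rule misses `user<tab>root` while the `pcre:` rule catches it. The FTP login lines are constructed, not captured traffic; `flow:`, addresses and ports are ignored, multiple `content:` options are not supported, and only the `i` pcre flag is honoured. Those are simplifications of this demo, not Snort behaviour.

```python
import re
from dataclasses import dataclass

# Header: action proto src sport direction dst dport ( options )
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$"
)


@dataclass
class Rule:
    action: str       # alert, log, pass, activate, dynamic
    proto: str        # tcp, udp, icmp, ...
    src: str
    sport: str
    direction: str    # -> or <>
    dst: str
    dport: str
    options: dict     # keyword -> value (None for flag-style options such as nocase)


def decode_content(value):
    """Convert a content: string to bytes; text between | | is hex, e.g. |00 01 86 a5|."""
    out = bytearray()
    for i, piece in enumerate(value.split("|")):
        if i % 2:                        # odd pieces sit between pipes
            out += bytes.fromhex(piece)  # fromhex ignores the spaces
        else:
            out += piece.encode("latin-1")
    return bytes(out)


def split_options(text):
    """Split 'k:v; k2:v2;' on ';' outside double quotes (pcre patterns may contain ';')."""
    options, buf, quoted = {}, "", False

    def store(chunk):
        chunk = chunk.strip()
        if chunk:
            key, _, val = chunk.partition(":")
            options[key.strip()] = val.strip().strip('"') if val else None

    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            store(buf)
            buf = ""
        else:
            buf += ch
    store(buf)
    return options


def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["direction"],
                m["dst"], m["dport"], split_options(m["opts"]))


def rule_matches(rule, payload):
    """Evaluate only content: (with optional nocase) and pcre: (only the i flag)."""
    if "content" in rule.options:
        needle = decode_content(rule.options["content"])
        if "nocase" in rule.options:
            needle, payload_cmp = needle.lower(), payload.lower()
        else:
            payload_cmp = payload
        if needle not in payload_cmp:      # content: is a plain byte search
            return False
    if "pcre" in rule.options:
        body, _, flags = rule.options["pcre"].lstrip("/").rpartition("/")
        re_flags = re.IGNORECASE if "i" in flags else 0
        if not re.search(body.encode("latin-1"), payload, re_flags):
            return False
    return True


# Constructed FTP login lines (not captured traffic): case and whitespace variants.
SAMPLES = [b"USER root\r\n", b"user root\r\n", b"user\troot\r\n",
           b"user   root\r\n", b"user anonymous\r\n"]

NAIVE = 'alert tcp any any -> any 21 (content:"user root"; msg:"naive";)'
BETTER = (r'alert tcp any any -> any 21 (flow:to_server,established; '
          r'content:"root"; pcre:"/user\s+root/i"; msg:"better";)')


def hits(rule_text, samples=SAMPLES):
    """Return the sample payloads the given rule text would fire on."""
    rule = parse_rule(rule_text)
    return [p for p in samples if rule_matches(rule, p)]


if __name__ == "__main__":
    mountd = parse_rule('alert tcp any any -> any any (content:"|00 01 86 a5|"; msg:"mountd access";)')
    # 0x000186a5 = 100005, the RPC program number of mountd
    print(decode_content(mountd.options["content"]))
    print("naive :", hits(NAIVE))    # only the exact "user root" line
    print("better:", hits(BETTER))   # every variant except "user anonymous"
```

The `\s+` in the pcre is what absorbs the tab and the run of spaces, and the `/i` flag handles `USER` versus `user`; the cheap `content:"root"` check in front of it is what keeps the regex from running on every packet.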
Snort Plug-ins
  • Preprocessors
    • Operate on packets after they have been received and decoded by Snort, before the rules are matched.
    • Ex. http_decode, portscan, frag2, stream4
  • Output modules
    • Any rule type you define can be told to use a particular kind of output plug-in
    • Ex. alert_fast, alert_syslog, database, xml
Snort Working Architecture
  • (diagram) Packet -> Preprocessor -> Rule engine (Activate, Alert, Pass, Log) -> Output module
Show time
  • Test environment
  • Download and install package
  • Case 1: Nmap port scan
  • Case 2: MSN chat messages
Before Install
  • Required
    • libpcre
      • http://www.pcre.org/
    • libpcap
      • http://sourceforge.net/projects/libpcap/
Snort Go!!Go!!Go!!
  • Download
    • snort-2.1.3.tar.gz
    • http://www.snort.org/
  • Install package
Start Snort !!
  • Edit snort.conf
  • Wait some minutes
View the results
  • Nice directory structure and file name
Case 2: MSN chat message
  • Snort doesn't include MSN rules by default
  • Snort rule database
    • http://www.snort.org/snort-db/
  • Use keywords to search
  • Copy and paste to create new rules
  • Add the new rule file to snort.conf
    • include $RULE_PATH/msn.rules
  • Just execute "snort"
Conclusions
  • Good rules maximize efficiency and speed
Reference
  • Writing rules
    • http://www.snort.org/docs/snort_manual/node14.html
  • Rule database
    • http://www.snort.org/snort-db/