1 / 14

SNORT Feed the Pig

SNORT Feed the Pig. Vicki Insixiengmay Jon Krieger. What is SNORT?. A so-called Intrusion Detection System (IDS) Analyzes IP-Network traffic online and records packets Reduces the risk of intrusion. What is SNORT?. Five major components: Packet capturing mechanism

joie
Download Presentation

SNORT Feed the Pig

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SNORTFeed the Pig Vicki Insixiengmay Jon Krieger

  2. What is SNORT? • A so-called Intrusion Detection System (IDS) • Analyzes IP-Network traffic online and records packets • Reduces the risk of intrusion

  3. What is SNORT? • Five major components: • Packet capturing mechanism • Snort relies on an external packet capturing library (libpcap) to sniff packets • Packets are passed into the packet decoder. • Translates specific protocol elements into an internal data structure. • After the decode is completed, traffic is handled by the preprocessors. Any number of pluggable preprocessors either examine or manipulate packets before handing them to the next component: the detection engine.

  4. What is SNORT? • The detection engine performs simple tests on a single aspect of each packet to detect intrusions. • The last component is the output plugins • Generates alerts to present suspicious activity

  5. Snort Component Dataflow

  6. What does Snort do? • Snort uses a flexible rules language to describe traffic that it should collect or pass, including a detection engine that utilizes a modular plugin architecture. • Snort has a real- time alerting capability. Alerts mechanisms for syslog, user specified files, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient.

  7. Packet Decoder • First internal component of Snort that a sniffed packet encounters. • Purpose: • To strip off the various headers. It works by decoding up the TCP/IP stack, and placing the packet in a data structure. Packets are then routed to the preprocessors.

  8. Preprocessors • Perform two fundamental functions: • Manipulate packets so the detection engine can properly analyze them OR • Examine traffic for suspicious use that cannot be discovered by signature detection alone. • After traffic is run through the preprocessors, it is sent on to the detection engine.

  9. Detection Engine • Responsible for the actual signature detection. Snort rules are loaded into the detection engine and are categorized in a tree-like data structure, which minimizes the number of tests the detection engine has to perform to discover malicious activity. • Snort writes intrusion data to any number of output plugins.

  10. Output Plugins • The means Snort has to get data from the detection engine to user. Snort can be configured with multiple output plugins to better facilitate intrusion data management. Output plugins can range from simple comma-delimited output to complex relational database output.

  11. Primary Uses • Snort has three primary uses: • Sniffer Mode • Reads packets off of the network and displays them in continuous stream on the screen • ./snort -v • Packet Logger Mode • Records/logs packets to disk. • ./snort –dev –l ./log

  12. Primary Uses • Network Intrusion Detection System (NIDS) mode • Analyzes network traffic for matches against user-defined rule set and performs actions based on what is shown • ./snort –dev –l ./log –h 134.198.161.101/23 –c snort.conf

  13. Rules • Rule Header • Action, Protocol, IP Addresses and Ports • Rule Option • Alert Messages and Items to Look for • alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)

  14. References • http://www.informit.com/articles/article.asp?p=101148 • http://www.snort.org

More Related