Snort: Overview Chris Copeland


Presentation Transcript


  1. Snort: Overview (Chris Copeland)

  2. What is an Intrusion Detection System (IDS)?
     • An intrusion detection system is any system which can identify a network intrusion or network penetration. The primary objective of an IDS is to alert when an intrusion takes place.
     • IDS come in two methodologies:
       • Host (HIDS)
       • Network (NIDS)

  3. What is Snort?
     • Snort is a network intrusion detection system (NIDS)
     • Developed from older UNIX tools
       • TCPDump
     • Written by Marty Roesch
     • Runs on multiple platforms
     • Open source: http://www.snort.org/

  4. How Snort Functions as an IDS
     • Sniffer Mode: reads packets only
     • Packet Logger Mode: logs packet information to local disk
     • NIDS Mode: packet capture and analysis

  5. Snort Rules
     • A rule is any “guideline” which Snort looks for in NIDS mode.
     • Example: rule for any attempt at ToolTalk

       alert tcp $EXTERNAL_NET any -> $HOME_NET any \
         (msg:"RPC tooltalk TCP overflow attempt"; \
         flow:to_server,established; \
         content:"|00 00 00 02|"; depth:4; offset:12; \
         content:"|00 01 86 F3|"; depth:4; offset:16; \
         content:"|00 00 00 07|"; within:4; distance:4; \
         byte_jump:4,4,relative,align; \
         byte_jump:4,4,relative,align; \
         byte_test:4,>,128,0,relative; \
         content:"|00 00 00 00|"; depth:4; offset:8; \
         reference:bugtraq,122; \
         reference:cve,1999-0003; \
         classtype:misc-attack; sid:1965; rev:8;)
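To see what the option chain in that rule actually does to a packet, here is an added example (my code, not Snort's and not part of the slides): a small Python evaluator for the content, byte_jump and byte_test options of the ToolTalk rule above, run against a constructed ONC RPC call. It simplifies Snort 2 semantics (big-endian conversion only, three comparison operators, no flow or fast-pattern handling), and the packet builder, its XID, credential length and argument lengths are constructed values chosen to walk through every option in the rule.

```python
"""Toy evaluator for the payload options in the ToolTalk rule on the slide.
Added example, not Snort's own code: it follows the Snort 2 semantics of
content/offset/depth/distance/within, byte_jump (relative, align) and
byte_test in simplified form, and builds a constructed RPC call to run on."""
import struct

# The rule from the slide with the backslash line continuations removed.
TOOLTALK_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any '
    '(msg:"RPC tooltalk TCP overflow attempt"; flow:to_server,established; '
    'content:"|00 00 00 02|"; depth:4; offset:12; '
    'content:"|00 01 86 F3|"; depth:4; offset:16; '
    'content:"|00 00 00 07|"; within:4; distance:4; '
    'byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; '
    'byte_test:4,>,128,0,relative; '
    'content:"|00 00 00 00|"; depth:4; offset:8; '
    'reference:bugtraq,122; reference:cve,1999-0003; '
    'classtype:misc-attack; sid:1965; rev:8;)'
)

CONTENT_MODIFIERS = {"depth", "offset", "distance", "within"}


def content_bytes(spec):
    """Convert a content string such as "|00 01 86 F3|" or "abc|00|" to bytes."""
    out = bytearray()
    for i, part in enumerate(spec.strip().strip('"').split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()  # odd parts are hex
    return bytes(out)


def parse_options(rule):
    """Return the payload-testing options in rule order.

    Modifiers fold into the content they follow; msg/flow/reference/classtype/
    sid/rev are used by Snort for alerting but test nothing here."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    steps = []
    for raw in body.split(";"):
        name, _, value = raw.strip().partition(":")
        if name == "content":
            steps.append({"type": "content", "pattern": content_bytes(value)})
        elif name in CONTENT_MODIFIERS:
            steps[-1][name] = int(value)
        elif name in ("byte_jump", "byte_test"):
            steps.append({"type": name, "args": [a.strip() for a in value.split(",")]})
    return steps


def read_uint(payload, pos, nbytes):
    """Big-endian unsigned integer at pos, or None if it runs past the payload."""
    field = payload[pos : pos + nbytes]
    return int.from_bytes(field, "big") if len(field) == nbytes else None


def evaluate(steps, payload):
    """Run the steps in rule order; True means Snort would raise this alert."""
    cursor = 0  # end of the last match; 'relative' options count from here
    for step in steps:
        if step["type"] == "content":
            pat = step["pattern"]
            if "distance" in step or "within" in step:
                start = cursor + step.get("distance", 0)
                end = start + step["within"] if "within" in step else len(payload)
            else:
                start = step.get("offset", 0)
                end = start + step["depth"] if "depth" in step else len(payload)
            idx = payload.find(pat, start, end)  # pattern must fit inside [start, end)
            if idx < 0:
                return False
            cursor = idx + len(pat)
        elif step["type"] == "byte_jump":
            nbytes, off = int(step["args"][0]), int(step["args"][1])
            flags = step["args"][2:]
            pos = (cursor if "relative" in flags else 0) + off
            value = read_uint(payload, pos, nbytes)
            if value is None:
                return False
            if "align" in flags:
                value = (value + 3) & ~3  # round the length up to a 4-byte boundary
            cursor = pos + nbytes + value  # jump forward from the end of the bytes read
        elif step["type"] == "byte_test":
            nbytes, op, ref, off = (int(step["args"][0]), step["args"][1],
                                    int(step["args"][2]), int(step["args"][3]))
            flags = step["args"][4:]
            value = read_uint(payload, (cursor if "relative" in flags else 0) + off, nbytes)
            if value is None or not {">": value > ref, "<": value < ref, "=": value == ref}[op]:
                return False
    return True


def build_rpc_call(arg_len, prog=0x000186F3, cred_len=13):
    """Constructed ONC RPC CALL over TCP: 4-byte record mark, call header for
    proc 7 of prog, AUTH_UNIX credentials of cred_len bytes (XDR pads to 4),
    an AUTH_NULL verifier and one XDR string argument of arg_len bytes."""
    hdr = struct.pack(">IIIIII", 0x1234, 0, 2, prog, 1, 7)  # xid, CALL, rpcvers, prog, vers, proc
    cred = struct.pack(">II", 1, cred_len) + b"\x00" * (cred_len + (-cred_len) % 4)
    verf = struct.pack(">II", 0, 0)
    arg = struct.pack(">I", arg_len) + b"\x00" * arg_len
    body = hdr + cred + verf + arg
    return struct.pack(">I", 0x80000000 | len(body)) + body


def tooltalk_alerts(payload):
    """Apply the slide's rule to one TCP payload."""
    return evaluate(parse_options(TOOLTALK_RULE), payload)


if __name__ == "__main__":
    for n in (32, 256):
        print(f"argument length {n}: alert={tooltalk_alerts(build_rpc_call(n))}")
```

Walking the constructed call through the rule shows why the two byte_jump options are there: the credential and verifier bodies are variable-length, so the rule has to skip them from the lengths in the packet before byte_test can look at the first argument's string length, and the align flag is needed because XDR pads those bodies to 4 bytes. Changing the program number or using a short argument makes the evaluator return False, which is the check a rule author runs before trusting a rule in production.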

  6. Known Issues
     • Massive amounts of data
     • False alarms due to outdated rules
     • Missed alerts

     Sample Snort log entry:

       10/29-11:08:20.852840 192.168.246.37 -> 192.168.246.12
       ICMP TTL:128 TOS:0x0 ID:17878 IpLen:20 DgmLen:40
       Type:14  Code:0  ID: 25124  Seq: 0  TIMESTAMP REPLY
       Orig: 4259537666 Rtime: 40100906  Ttime: 40100906
       62 24 00 00 02 63 E3 FD 2A E4 63 02 2A E4 63 02  b$...c..*.c.*.c.
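The log entry above is worth reading alongside its hex dump. The following added example (my code, not from the slides) parses the entry with Python, decodes the 16 data bytes of the ICMP timestamp reply as RFC 792 lays them out, and reports for each printed field which byte order reproduces it: the ID on the slide equals the network-order reading of the first two bytes, while the three timestamps printed on the slide equal the little-endian reading of the same bytes. SAMPLE_LOG is a constructed copy of the slide's entry laid out as Snort prints it; the field names and regexes are mine.

```python
"""Parse the slide's sample Snort ICMP log entry and cross-check the decoded
fields against the hex dump. Added example, not Snort code; SAMPLE_LOG is a
constructed copy of the entry as Snort prints it."""
import re

SAMPLE_LOG = """\
10/29-11:08:20.852840 192.168.246.37 -> 192.168.246.12
ICMP TTL:128 TOS:0x0 ID:17878 IpLen:20 DgmLen:40
Type:14  Code:0  ID: 25124  Seq: 0  TIMESTAMP REPLY
Orig: 4259537666 Rtime: 40100906  Ttime: 40100906
62 24 00 00 02 63 E3 FD 2A E4 63 02 2A E4 63 02  b$...c..*.c.*.c.
"""

HEADER_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+)$")
FIELD_RE = re.compile(r"([A-Za-z]+):\s*(\S+)")
HEX_LINE_RE = re.compile(r"^((?:[0-9A-F]{2} )+)")  # hex column, before the ASCII column

# RFC 792 timestamp reply data: (name, byte offset, width)
TIMESTAMP_FIELDS = (("ID", 0, 2), ("Seq", 2, 2), ("Orig", 4, 4), ("Rtime", 8, 4), ("Ttime", 12, 4))


def parse_entry(text):
    """Split one Snort ICMP record into header, IP fields, ICMP fields and raw payload."""
    lines = text.strip().splitlines()
    m = HEADER_RE.match(lines[0])
    entry = {"timestamp": m["ts"], "src": m["src"], "dst": m["dst"],
             "ip": dict(FIELD_RE.findall(lines[1])), "icmp": {}, "payload": b""}
    for line in lines[2:]:
        hexm = HEX_LINE_RE.match(line)
        if hexm:
            entry["payload"] += bytes.fromhex(hexm.group(1))
        else:
            entry["icmp"].update(FIELD_RE.findall(line))
    return entry


def decode_timestamp_reply(payload, byteorder="big"):
    """Decode the dump bytes. Network order is big-endian; byteorder="little"
    shows what a host-order read of the same bytes gives on a little-endian box."""
    return {name: int.from_bytes(payload[pos:pos + width], byteorder)
            for name, pos, width in TIMESTAMP_FIELDS}


def check_decoder_against_dump(entry):
    """For each printed ICMP field, report which reading of the dump reproduces it."""
    big = decode_timestamp_reply(entry["payload"], "big")
    little = decode_timestamp_reply(entry["payload"], "little")
    verdict = {}
    for name, _, _ in TIMESTAMP_FIELDS:
        printed = int(entry["icmp"][name])
        verdict[name] = ("big" if big[name] == printed else
                         "little" if little[name] == printed else "mismatch")
    return verdict


if __name__ == "__main__":
    entry = parse_entry(SAMPLE_LOG)
    print(entry["src"], "->", entry["dst"], entry["icmp"])
    print(check_decoder_against_dump(entry))
```

The point for an analyst is the last line of output: the printed decode and the raw bytes can disagree, and when they do the bytes are authoritative. Keeping the hex dump in the log format is what makes that check possible at all.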

  7. Snort Tools and Add-Ons
     • ACID (Analysis Console for Intrusion Databases)
       • PHP based, database driven, and web delivered

  8. Conclusion
     • Host or Network IDS
     • Rule versus Signature Detection
     • Multi-Platform
     • Open Source Supported
     • Low TCO for Security/Network Admins
