
Snort: A Network Intrusion Detection Software

Snort: A Network Intrusion Detection Software. Matt Gustafson, Becky Smith. CS691 Semester Project, Spring 2003. Intrusion Detection Systems are used to discover "attempts to compromise the confidentiality, integrity, and availability... of a computer or network." (Bace, p.5)


Presentation Transcript


  1. Snort: A Network Intrusion Detection Software Matt Gustafson Becky Smith CS691 Semester Project Spring 2003

  2. Intrusion Detection Systems are used to discover "attempts to compromise the confidentiality, integrity, and availability... of a computer or network." (Bace, p.5) Snort is a Network IDS with three modes: sniffer, packet logger, and network intrusion detection. Snort can also run in the background as a daemon. Analysis Console for Intrusion Databases (ACID) is a viewer for IDSs which supplies a web-based interface for monitoring and analyzing possible intrusions.

  3. Why choose Snort? When deciding what type of IDS to incorporate, there are two main requirements to consider:
  • Accountability – Who attacked?
  • Response – What action to take when an attack is found?
  Snort focuses on response, because accountability is difficult to achieve in the face of techniques such as IP masquerading. Snort is easy to maintain and administer. Snort can monitor small or large networks. Snort offers multiple output options; for instance, unsock sends alerts to a UNIX socket that another program (e.g. a firewall) can listen on.

  4. Figure 1 from Snort Installation Manual (Scott, p. 7)

  5. Figure 2 from Snort Installation Manual (Scott, p. 7)

  6. Software Required to run Snort
  • Redhat 8.0 – ftp://ftp.redhat.com
  • Snort v2.0, Snort Daemon – http://www.snort.org/dl/
  • MySQL v3.23.52 – http://www.mysql.com/downloads/mysql-3.23.html
  • Webmin v.99 – http://www.webmin.com/
  • NetSSLeay v1.20 – http://symlabs.com/Net_SSLeay/
  • ACID v0.9.6b23 – http://acidlab.sourceforge.net/
  • OpenSSL v1-0.9.7b – http://www.openssl.org/
  • PHP v 4.1.2-7.3.6 – ftp://updates.redhat.com/8.0/en/os/i386/
  • ADODB v 2.50 – http://php.weblogs.com/adodb
  • PHPLOT v4.4.6 – http://www.phplot.com/
  • GD v1.8.4 – http://www.boutell.com/gd/
  • Mozilla – http://www.mozilla.org/
  • Snort Webmin module v1.08 – http://msbnetworks.net/snort/

  7. Configuring and Operating Snort
  • Install all recommended software and Snort.
  • Configure SSL encryption with Webmin: http://<snortmachinename>:10000/
  • Set up the module configuration from the Snort IDS Admin.
  • Decide which options to run Snort with.
  • Specify the location of the Snort configuration file and rule files.
  • Create a MySQL database for Snort.
  • Set up appropriate users and passwords for Snort, MySQL, and ACID.
  • Edit the snortd daemon file to reflect the same information as in step 3.
  • Start the snortd daemon.
  • Log in to ACID: http://<snortmachinename>/acid/

  8. Primary Methods of IDS Analysis
  • Misuse Detection – Misuse detection looks for signatures (patterns of known attacks) within network activity. Many misuse detectors minimize the number of false positives. Snort provides a large baseline of rules for detecting many well-known attack signatures and issues new releases frequently. Snort also allows the network's administrator to develop their own rules.
  • Anomaly Detection – Anomaly detection responds to abnormal events on a network. These detectors build profiles of the network's normal activity. The drawback of anomaly detection is that it produces an extremely large number of false positives; it also requires a long history of network activity to build the profiles. Snort also does some anomaly detection, but it is based on rules rather than on history.

  9. Format of Snort Rules
  Snort rules are made up of two parts: the rule header and the rule options. The header consists of the action, the protocol, the source and destination IPs and netmasks, and the source and destination ports. The options section consists of the alert message and the portions of the packet to examine for intrusion.
  Syntax: <action> <protocol> <src IP/mask> <port> -> <dest IP/mask> <port> (msg: <alert message>; content: "search packet for"; ... etc)

  10. Some of the Rules We Wrote
  A Scan Rule:
  alert tcp $EXTERNAL_NET any -> $HOME_NET any (flags: A; ack: 0; tag: host, 500, packets, src; msg: "NMAP TCP ping";)
  A Local Rule:
  pass tcp $HOME_NET any -> 128.198.1.250 53 (msg: "DNS zone transfer – Transfer uccs.edu domain"; flags: A+; content: "|00 00 FC|"; offset: 13; reference: arachnids, 212; classtype: attempted-recon; sid: 255; rev: 5;)
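To make the rule format of slide 9 and the misuse-detection model of slide 8 concrete, the following Python example (added here; it is not Snort's code and not part of the presentation) parses the two rules from slide 10 into header and options, then evaluates constructed packets against them the way a signature matcher does. It implements only the options those rules use (flags, ack, content, offset) and treats the rest (tag, reference, classtype, sid, rev) as opaque; the $HOME_NET / $EXTERNAL_NET values, the packets and the AXFR payload are all constructed for the demonstration.

```python
"""Minimal Snort-2.0-style rule parser and matcher (illustration only, not Snort code).
Supports the header grammar from slide 9 and the flags/ack/content/offset options
used by the slide 10 rules; other options are parsed but ignored when matching."""
import ipaddress
import re
from dataclasses import dataclass

# Header grammar from slide 9: <action> <proto> <src> <port> -> <dst> <port> (options)
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.DOTALL,
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    options: dict  # option keyword -> raw value string


def split_options(text):
    """Split 'k: v; k2: v2;' on semicolons that are not inside double quotes."""
    opts, buf, quoted = {}, [], False
    for ch in text + ";":  # the trailing ';' flushes the last option
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            item = "".join(buf).strip()
            if item:
                key, _, value = item.partition(":")
                opts[key.strip()] = value.strip()
            buf = []
        else:
            buf.append(ch)
    return opts


def parse_rule(line):
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a Snort rule: " + line)
    return Rule(m["action"], m["proto"], m["src"], m["sport"],
                m["dst"], m["dport"], split_options(m["opts"]))


def decode_content(value):
    """Snort content syntax: text with |hex bytes| sections, e.g. "|00 00 FC|"."""
    out = bytearray()
    for i, part in enumerate(value.strip().strip('"').split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def addr_matches(spec, ip, variables):
    """'any', a $VARIABLE resolved to a list of networks, or a literal IP/CIDR."""
    if spec == "any":
        return True
    nets = variables[spec] if spec.startswith("$") else [spec]
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n, strict=False) for n in nets)


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def flags_match(spec, flags):
    """'A' means exactly ACK set; 'A+' means ACK plus any other flags."""
    if spec.endswith("+"):
        return set(spec[:-1]) <= set(flags)
    return set(spec) == set(flags)


def rule_matches(rule, pkt, variables):
    """Misuse detection: does this packet carry the rule's signature?"""
    o = rule.options
    if rule.proto != pkt["proto"]:
        return False
    if not (addr_matches(rule.src, pkt["src"], variables) and port_matches(rule.sport, pkt["sport"])
            and addr_matches(rule.dst, pkt["dst"], variables) and port_matches(rule.dport, pkt["dport"])):
        return False
    if "flags" in o and not flags_match(o["flags"], pkt.get("flags", "")):
        return False
    if "ack" in o and pkt.get("ack") != int(o["ack"]):
        return False
    if "content" in o:  # offset = byte position at which the content search starts
        start = int(o.get("offset", 0))
        if pkt.get("payload", b"").find(decode_content(o["content"]), start) < 0:
            return False
    return True


def evaluate(rules, pkt, variables):
    """Return the action of the first matching rule, or None if no rule fires."""
    for r in rules:
        if rule_matches(r, pkt, variables):
            return r.action
    return None


# The two rules from slide 10 (quotes straightened).
RULES = [parse_rule(r) for r in [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (flags: A; ack: 0; '
    'tag: host, 500, packets, src; msg: "NMAP TCP ping";)',
    'pass tcp $HOME_NET any -> 128.198.1.250 53 (msg: "DNS zone transfer - Transfer '
    'uccs.edu domain"; flags: A+; content: "|00 00 FC|"; offset: 13; '
    'reference: arachnids, 212; classtype: attempted-recon; sid: 255; rev: 5;)',
]]
# Constructed variable values (assumption: 128.198.0.0/16 plays $HOME_NET, 10.0.0.0/8 the outside).
VARS = {"$HOME_NET": ["128.198.0.0/16"], "$EXTERNAL_NET": ["10.0.0.0/8"]}
# Constructed packets: an ACK-only probe with ack 0, a normal ACK, and a DNS AXFR request for
# uccs.edu over TCP (2-byte length, 12-byte header, QNAME, QTYPE 00 FC = AXFR, QCLASS 00 01).
AXFR = (b"\x00\x1c" + b"\x12\x34\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"
        + b"\x04uccs\x03edu\x00" + b"\x00\xfc\x00\x01")
PACKETS = {
    "nmap_ping": {"proto": "tcp", "src": "10.1.2.3", "sport": 40000,
                  "dst": "128.198.1.10", "dport": 80, "flags": "A", "ack": 0},
    "normal_ack": {"proto": "tcp", "src": "10.1.2.3", "sport": 40000,
                   "dst": "128.198.1.10", "dport": 80, "flags": "A", "ack": 12345},
    "zone_xfer": {"proto": "tcp", "src": "128.198.5.5", "sport": 40001,
                  "dst": "128.198.1.250", "dport": 53, "flags": "AP", "payload": AXFR},
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(f"{name:11s} -> {evaluate(RULES, pkt, VARS)}")
```

Running it reports alert for the ACK-only probe, nothing for the ordinary ACK (its ack number is non-zero, so the signature does not fire), and pass for the zone transfer to the allowed server. The option splitter respects double quotes so a semicolon inside a msg string does not break a rule, which is the kind of detail a hand-written rule parser gets wrong first.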

  11. IDS Responses to Detection
  • IDSs are not designed to respond to or counter an attack; they merely notify and log the possible intrusions. Some more powerful IDSs, like Snort, can alert specific Intrusion Response Systems to an attack. Data collected from IDSs can aid in intrusion prevention as well. An IDS alone is not enough to protect your network, but it is a main collaborator in your system's security.

  12. Conclusion
  • Snort is a well written and designed Network IDS.
  • Snort is free and enormously flexible.
  • Snort is easy to manage and configure.
  • Snort works for small or large networks.
