
Snort: an overview

Snort is an Intrusion Detection System (IDS)
• Automated tools to detect intrusions
• Works locally (reactionary) or network wide (preemptive)
• Preemptive IDS can use traffic monitoring or content monitoring
• Does NOT block intruders. Assumes a human is watching!!!

What IDS are available?
• Cisco Secure IDS (Formerly NetRanger)
• Network Flight Recorder
• Realsecure (ISS)
• SecureNet Pro
• Snort!!!

Why pick Snort?
• “Lightweight”
• Free
• Portable
  – Runs on HP-UX, Linux, AIX, Irix, *BSD, Solaris, Win2K
• Configurable with easy setup

What can Snort do?
• Packet sniffer
• Packet Logger
• Preemptive IDS
  – Actively monitors network traffic in real time to match intrusion signatures and send alerts

Rules, Rules, Rules
alert udp $EXTERNAL_NET 53 -> $HOME_NET :1024 (msg:"MISC source port 53 to <1024";)
• Rule alerts that anything from the external network coming in from port 53 and going to port 1024 should be flagged
• Can also alert based on packet content, not just source / destination ports

And more Rules
• Rules can: Alert, Log, or Pass
• Used for IP, UDP, ICMP
• Source address / port
• Destination address / port
• Additional options
  – This is where content matching can take place
Luckily you probably won’t have to write rules!
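The two rule slides above describe the parts of a Snort rule (action, protocol, source address/port, direction, destination address/port, and the options in parentheses). The parser below is an added example, not code from the slides or from the Snort project: it splits a rule into those parts and shows what the port specification means. In Snort syntax `:1024` is a range, "port 1024 and below", so a destination port of 1025 does not match the slide's rule while 512 does. The second and third sample rules and the `header_matches` check are assumptions made for the example; `$HOME_NET` and `$EXTERNAL_NET` are left unresolved because their values come from snort.conf.

```python
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed sample rules. The first is the rule on the slide; the other two are
# assumed examples of the log and pass actions and of a content option.
SAMPLE_RULES = [
    'alert udp $EXTERNAL_NET 53 -> $HOME_NET :1024 (msg:"MISC source port 53 to <1024";)',
    'log tcp any any -> $HOME_NET 80 (msg:"WEB admin request"; content:"GET /admin";)',
    'pass icmp $HOME_NET any -> any any (msg:"trusted ping";)',
]

PortRange = Tuple[int, int]  # inclusive low/high bounds


@dataclass
class Rule:
    action: str              # alert, log or pass
    proto: str               # ip, tcp, udp or icmp
    src: str                 # address or $VARIABLE, left unresolved here
    src_ports: PortRange
    direction: str           # -> or <>
    dst: str
    dst_ports: PortRange
    options: Dict[str, str]  # the key:value pairs inside the parentheses


def parse_port_spec(spec: str) -> PortRange:
    """Snort port syntax: 'any', a single port, 'lo:hi', ':hi' (hi and below) or 'lo:' (lo and above)."""
    if spec == "any":
        return (0, 65535)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0, int(hi) if hi else 65535)
    port = int(spec)
    return (port, port)


def parse_options(body: str) -> Dict[str, str]:
    """Split 'key:value; key:value;' into a dict; quotes are stripped, escapes are not handled."""
    options = {}
    for item in body.split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition(":")
        options[key.strip()] = value.strip().strip('"')
    return options


# action proto src src_ports direction dst dst_ports (options)
HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)


def parse_rule(line: str) -> Rule:
    """Parse one single-line Snort rule into its header fields and options."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a Snort rule: " + line)
    action, proto, src, sp, direction, dst, dp, body = m.groups()
    if action not in ("alert", "log", "pass"):
        raise ValueError("unknown rule action: " + action)
    return Rule(action, proto, src, parse_port_spec(sp), direction, dst,
                parse_port_spec(dp), parse_options(body))


def in_range(port: int, bounds: PortRange) -> bool:
    return bounds[0] <= port <= bounds[1]


def header_matches(rule: Rule, proto: str, src_port: int, dst_port: int) -> bool:
    """Match protocol and ports only; $HOME_NET/$EXTERNAL_NET resolution is not modelled here."""
    return (rule.proto == proto
            and in_range(src_port, rule.src_ports)
            and in_range(dst_port, rule.dst_ports))


if __name__ == "__main__":
    rule = parse_rule(SAMPLE_RULES[0])
    print(rule.action, rule.proto, rule.dst_ports, rule.options["msg"])
    # ':1024' means "port 1024 and below", so 1024 matches and 1025 does not.
    print(header_matches(rule, "udp", 53, 1024), header_matches(rule, "udp", 53, 1025))
```

Run it directly to see the slide's rule broken into fields; `parse_options` is deliberately simple (it splits on `;`), so a `content` value containing a semicolon would need the escape handling real Snort applies.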

What do the alerts look like?
[**] MISC source port 53 to <1024 [**]
05/21-16:30:07.697467 129.219.17.200:53 -> 129.219.XXX.XXX:1024
UDP TTL:253 TOS:0x0 ID:60955 IpLen:20 DgmLen:268 DF
Len: 248
• These can also be nicely formatted by different parser programs
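The slide notes that alerts in this text format are usually fed to a parser program rather than read raw. The script below is an added example of such a parser, not code from the slides or from the Snort project: it reads blank-line-separated records in the format shown above (message line, packet line, IP line, `Len:` line), pulls out the fields, and tallies alerts per source address. The second record in the sample is an assumed addition so that the tally has more than one entry; the destination address is kept masked as on the slide, which is why the address pattern is deliberately loose.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample alert file in the text format shown on the slide. The first
# record is the slide's own alert (with its masked destination address); the second
# is an assumed additional record so the summary has something to aggregate.
SAMPLE_ALERTS = """\
[**] MISC source port 53 to <1024 [**]
05/21-16:30:07.697467 129.219.17.200:53 -> 129.219.XXX.XXX:1024
UDP TTL:253 TOS:0x0 ID:60955 IpLen:20 DgmLen:268 DF
Len: 248

[**] MISC source port 53 to <1024 [**]
05/21-16:31:12.000001 129.219.17.200:53 -> 129.219.XXX.XXX:512
UDP TTL:253 TOS:0x0 ID:60956 IpLen:20 DgmLen:100
Len: 80
"""


@dataclass
class Alert:
    msg: str
    timestamp: str       # MM/DD-HH:MM:SS.usec as Snort prints it
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    ttl: int
    tos: int
    ip_id: int
    ip_len: int
    dgm_len: int
    flags: List[str] = field(default_factory=list)   # e.g. ["DF"]
    payload_len: int = 0                             # from the "Len:" line


MSG_RE = re.compile(r"^\[\*\*\]\s+(.*?)\s+\[\*\*\]$")
# Addresses are matched loosely ([\w.]+) so masked ones like 129.219.XXX.XXX still parse; IPv4 only.
PKT_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+([\w.]+):(\d+)\s+->\s+([\w.]+):(\d+)$")
IP_RE = re.compile(r"^(\w+)\s+TTL:(\d+)\s+TOS:0x([0-9A-Fa-f]+)\s+ID:(\d+)\s+IpLen:(\d+)\s+DgmLen:(\d+)(.*)$")
LEN_RE = re.compile(r"^Len:\s+(\d+)$")


def parse_record(lines: List[str]) -> Alert:
    """Parse one blank-line-separated alert record (four lines for UDP, as on the slide)."""
    m_msg, m_pkt, m_ip = MSG_RE.match(lines[0]), PKT_RE.match(lines[1]), IP_RE.match(lines[2])
    if not (m_msg and m_pkt and m_ip):
        raise ValueError("unrecognised alert record: " + " | ".join(lines))
    ts, sip, sport, dip, dport = m_pkt.groups()
    proto, ttl, tos, ip_id, ip_len, dgm_len, rest = m_ip.groups()
    alert = Alert(m_msg.group(1), ts, sip, int(sport), dip, int(dport), proto,
                  int(ttl), int(tos, 16), int(ip_id), int(ip_len), int(dgm_len), rest.split())
    for extra in lines[3:]:
        m_len = LEN_RE.match(extra)
        if m_len:
            alert.payload_len = int(m_len.group(1))
    return alert


def parse_alerts(text: str) -> List[Alert]:
    """Split an alert file into records on blank lines and parse each one."""
    records = [r.strip().splitlines() for r in text.strip().split("\n\n") if r.strip()]
    return [parse_record(lines) for lines in records]


def count_by_source(alerts: List[Alert]) -> Dict[str, int]:
    """Tally alerts per source address, the kind of roll-up a parser front end would print."""
    return dict(Counter(a.src_ip for a in alerts))


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for a in alerts:
        print(f"{a.timestamp} {a.msg}: {a.src_ip}:{a.src_port} -> {a.dst_ip}:{a.dst_port} flags={a.flags}")
    print(count_by_source(alerts))
```

The trailing IP flags (`DF` on the slide) are collected as a list because more than one may appear; a record without them yields an empty list rather than a parse failure.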

Installation
1. Install libpcap
2. Install Snort
   • # ./configure
   • # make
   • # make install
3. Test
   • # snort -v

More resources
• Snort.org
• Securityfocus.com
• Whitehats.com

PSCS Implementation
By Mark Peoples