Intrusion Detection: Snort

Basics: History

• Snort was developed in 1998 by Martin Roesch.
• It was intended to be an open-source technology, and remains as such.
• Originally, it was a “lightweight” intrusion detection system. Now, it has expanded to include features that can hardly be called “lightweight.”

Basics: History

• Snort is now the de facto standard in intrusion detection and prevention.
• It is one of the most flexible and versatile threat detection systems available.
• It is available for Windows, Linux, Unix, and other more obscure operating systems.

Basics: About

• Snort is primarily a network intrusion detection system (IDS).
– IDS: an application that analyses traffic (the packets crossing a network), logs packets, and raises alerts on attacks and intrusions, port scans, and many other kinds of infringement on an IP network.

Basics: About

• Snort has the capability to detect a variety of attacks on an IP network, including:
– Buffer overflows
– Stealth port scans
– CGI attacks
– SMB (Server Message Block) probes
– OS fingerprinting

Setup

• Snort can be obtained from www.winsnort.com or www.snort.org.
• Snort requires WinPcap 3.0. The newest version (3.1) will not work with Snort. WinPcap is a packet-capturing tool (not a standalone application; a tool required by most IDSs). It can be obtained from winpcap.polito.it.

Setup

• Once Snort and WinPcap have been installed, the snort.conf (configuration file) must be edited.
• Within the file, the only change required is the location of the rules files. This is normally c:\snort\rules\.
• Other changes to snort.conf are up to the user, such as the IP addresses to watch.

Running Snort

• Once snort.conf is edited properly, choose Run and enter:
– C:\Snort\bin\snort.exe {any flags go here}
– The next slide tells you what flags are what. (A flag is a switch that indicates a true or false value; that is, a flag tells the program which options you want to employ.)

Running Snort

• Many flags are available for use. In our testing, we’ve come up with some that work well together:
– -d dumps APPLICATION LAYER data.
– -e dumps DATA LINK LAYER data.
– -v is visual mode; this flag keeps Snort’s activities visible in the terminal window.
– -l is required to log the packets. Usage: -l c:\Snort\log\. It will create a log file.
– -O puts IP addresses in the format xx.xx.xx.xx.
– -C drops all hex data and reports only ASCII data. This is useful to trim the fat, as it were, off your log files.

Running Snort

• So the proper usage would be something like this, in the Run dialog box:
– C:\Snort\bin\snort.exe -devOC -l c:\Snort\log\

This will run Snort and display a visual output, dumping application and data link layer data, logging the packets that travel across the network to c:\Snort\log\snort.log.

Here is what a standard log file looks like:
05/11-22:09:39.472302 192.168.234.209:2414 -> 192.168.235.254:8905
UDP TTL:128 TOS:0x0 ID:8280 IpLen:20 DgmLen:59
Len: 31
00 00 00 1F 01 01 11 DB 87 50 BC 56 56 34 5A E8  .........P.VV4Z.
46 62 7B C9 56 AD 16 EB 7A F5 72 04 1E D4 18     Fb{.V...z.r....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

Breakdown

• Here is a breakdown of what Snort reports in the log file:
– Date / Time
– Source IP (source of packet)
– Destination IP (destination of packet – often xx.xx.xx.255, which is a broadcast to all computers on xx.xx.xx.xx)
– TTL (Time-to-Live) for packet in ms
– TOS (Type of Service – indicates priority given to packet contents)
– Packet ID number
– IP length (IpLen)
– Datagram length (DgmLen)

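As an added example (not part of the slides), here is a small Python parser for the packet-log layout shown above, which cross-checks the fields of this breakdown against each other: the byte count of the hex dump against Len:, and DgmLen against IpLen plus the UDP header plus Len. The sample record is constructed in the same layout as the slide's, and the dictionary keys (ts, src, sport, dst, dport, proto, ttl, tos, id, iplen, dgmlen, len, payload) are my own names, not Snort's.

```python
import re
# Constructed sample laid out like the UDP record on the slide; not a real capture.
SAMPLE_LOG = """\
05/11-22:09:39.472302 192.168.234.209:2414 -> 192.168.235.254:8905
UDP TTL:128 TOS:0x0 ID:8280 IpLen:20 DgmLen:59
Len: 31
00 00 00 1F 01 01 11 DB 87 50 BC 56 56 34 5A E8  .........P.VV4Z.
46 62 7B C9 56 AD 16 EB 7A F5 72 04 1E D4 18     Fb{.V...z.r....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
"""

HEADER_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
PROTO_RE = re.compile(r"^(?P<proto>\w+) TTL:(?P<ttl>\d+) TOS:0x(?P<tos>[0-9A-Fa-f]+) ID:(?P<id>\d+) "
                      r"IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+)$")
LEN_RE = re.compile(r"^Len: (\d+)$")            # UDP payload length as Snort prints it
HEX_RE = re.compile(r"^(?:[0-9A-F]{2} )+")      # hex column; the ASCII column follows two spaces
SEP_RE = re.compile(r"^=\+.*$", re.MULTILINE)   # the =+=+=+ line that ends each record

def parse_record(block: str) -> dict:
    """Parse one record (header line, IP line, Len line, hex dump) into a dict."""
    lines = [ln for ln in block.splitlines() if ln.strip()]
    h, p = (HEADER_RE.match(lines[0]), PROTO_RE.match(lines[1])) if len(lines) > 1 else (None, None)
    if not (h and p):
        raise ValueError("not a Snort packet record: " + block.strip()[:40])
    rec = {**h.groupdict(), **p.groupdict(), "len": -1, "payload": b""}
    for key in ("sport", "dport", "ttl", "id", "iplen", "dgmlen"):
        rec[key] = int(rec[key])
    rec["tos"] = int(rec["tos"], 16)
    for ln in lines[2:]:
        if (m := LEN_RE.match(ln)):
            rec["len"] = int(m.group(1))
        elif HEX_RE.match(ln):                  # keep the hex column, drop the ASCII column
            rec["payload"] += bytes.fromhex(ln.split("  ", 1)[0])
    return rec

def parse_log(text: str) -> list:             # split a snort.log at the separator lines
    return [parse_record(b) for b in SEP_RE.split(text) if b.strip()]

def sanity_check(rec: dict) -> list:
    """Cross-check the fields of the breakdown; an empty list means they agree."""
    problems = []
    if len(rec["payload"]) != rec["len"]:
        problems.append(f"hex dump has {len(rec['payload'])} bytes, Len: says {rec['len']}")
    if rec["proto"] == "UDP" and rec["dgmlen"] != rec["iplen"] + 8 + rec["len"]:
        problems.append("DgmLen != IpLen + 8-byte UDP header + Len")
    return problems

def is_broadcast(rec: dict) -> bool:          # the xx.xx.xx.255 case the breakdown mentions
    return rec["dst"].endswith(".255")
```

The TTL field is stored as a plain integer because in an IP header it is a one-octet hop count that each router decrements, so a record with TTL:128 has travelled at most a handful of hops from a Windows host. Only the UDP layout from the slide is handled; a TCP record carries a different third line and would need its own pattern.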
Alerting

• The rules files (several come with Snort, several more are available from various resources on the Internet) contain information about when to send off an alert. (You can set in the snort.conf file which rules will be turned on or off.)
• When Snort finds a packet that violates a rule that you have turned on, it will notify you via dialog box.

For whom?

• Snort is a non-commercial enterprise, and as such, is not suited for commercial uses. That said, it could definitely be of use to commercial organizations.
• For personal use, Snort has many possible uses, especially for the paranoid.

Questions?

Ask them. We’ll do our best.