Snort Intrusion Detection

What is Snort
– Packet analysis tool
– Most widely deployed NIDS
– Initial release by Marty Roesch in 1998
– Current version 2.4.4 as of April 17th, 2006
Features
– Small package: 2.7 MB for the source
– Cross platform
– Open source
– Backed by Sourcefire
– Fast (high rate of detection on average networks)
– Configurable
Design
– Packet analysis pipeline:
    Data Acquisition -> Decode -> Preprocess -> Detect -> Action
Design: Engine
– Uses rules to form "signatures"
– Modular detection elements are combined to form specific signatures
– Detects anomalous activity
– Easily updatable
Different Modes
– Packet sniffer
– Packet logger
– NIDS mode
– Inline mode
Rules
– Two parts
    – Rule header
    – Rule options

Rule Header
alert tcp $BAD any -> $GOOD any

    alert    Rule action
    tcp      Protocol
    $BAD     Src. CIDR
    any      Src. Port
    ->       Direction
    $GOOD    Dest. CIDR
    any      Dest. Port

Concrete example:
alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any

Rule Options
(flags: SF; msg: "SYN-FIN scan";)

    flags    Keyword
    :        Separator
    SF       Argument
    ;        Delimiter
Common Rule Options
– IP TTL
– IP ID
– Fragment size
– TCP flags
– TCP ack number
– TCP seq number
– Payload size
– Content
– Content offset
– Content depth
– Session recording
– ICMP type
– ICMP code
– Alternate log files
Make Custom Rules
– Detect a string in the payload (content arguments are quoted and the option list is closed with a parenthesis):
alert tcp any any -> any any \
    (content:"clemson"; msg:"detected clemson";)
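The header fields and the keyword/separator/argument/delimiter breakdown above can be checked mechanically. The following is an added example, not code from the slides or from the Snort project: a small Python parser that splits a rule into its header fields and option pairs, handling the "!" negation on a CIDR, the "\" line continuation used in the custom rule, and a ";" that appears inside a quoted argument.

```python
"""Parse a Snort 2.x rule into header fields and option pairs (added example)."""
import re

# Rule header: action proto src_cidr src_port direction dst_cidr dst_port ( options )
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|activate|dynamic|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$",
    re.DOTALL,
)


def split_options(body):
    """Split 'flags: SF; msg: "a; b";' into (keyword, argument) pairs.
    ';' is the delimiter and ':' the separator, but a ';' inside a quoted
    argument (common in msg/content strings) must not end the option."""
    raw, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            raw.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():          # trailing option without a final ';'
        raw.append("".join(cur))
    pairs = []
    for opt in raw:
        keyword, sep, arg = opt.strip().partition(":")
        # options such as 'nocase' carry no argument at all
        pairs.append((keyword.strip(), arg.strip().strip('"') if sep else None))
    return pairs


def parse_rule(rule):
    """Return the header fields and options of one rule as a dict."""
    rule = re.sub(r"\\\s*\n", " ", rule).strip()   # join '\'-continued lines
    m = HEADER_RE.match(rule)
    if m is None:
        raise ValueError("not a complete Snort rule: " + rule)
    addr = lambda a: {"negated": a.startswith("!"), "value": a.lstrip("!")}
    return {
        "action": m["action"], "protocol": m["proto"],
        "src": addr(m["src"]), "src_port": m["sport"],
        "direction": m["direction"],
        "dst": addr(m["dst"]), "dst_port": m["dport"],
        "options": split_options(m["opts"]),
    }
```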
Output
– Log all the alerts
– Real-time alerts
– Several different types
    – Syslog
    – Plain text
    – Databases
    – Unified output
Common Options

Option       Description
-A fast      Fast alert mode. Writes the alert in a simple format with a timestamp, alert message, source and destination IPs/ports.
-A full      Full alert mode. This is the default alert mode and will be used automatically if you do not specify a mode.
-A unsock    Sends alerts to a UNIX socket that another program can listen on.
-A none      Turns off alerting.
-A console   Sends "fast-style" alerts to the console (screen).
-A cmg       Generates "cmg style" alerts.
Tools for Snort
– Acid
– SnortSnarf
– Snort Alert Monitor (SAM)
– Snortalog
– Guardian
– DeMarc PureSecure
– IDSCenter (Windoze)
Resources
– Snort.org
    – www.snort.org/dl (downloads)
– BleedingEdge
    – www.bleedingsnort.com/
– Sourcefire
    – www.sourcefire.com