Snort Intrusion Detection
Snort
Intrusion Detection
What is Snort
Packet Analysis Tool
Most widely deployed NIDS
Initial release by Marty Roesch in 1998
Current version 2.4.4 as of April 17th, 2006
Features
Small package: 2.7 MB for the source
Cross Platform
Open Source
Backed by Sourcefire
Fast (high rate of detection on average networks)
Configurable
Design
Packet Analysis Pipeline
Data Acquisition
Decode
Preprocess
Detect
Action
Detection Engine
Uses rules to form "signatures"
Modular detection elements combine to form specific signatures
Detects anomalous activity
Easily updateable
Different Modes
Packet Sniffer
Packet Logger
NIDS Mode
Inline Mode
Rules
Two Parts
– Rule Header
– Rule Options
Rule Header
alert tcp $BAD any -> $GOOD any
  alert  = Rule action
  tcp    = Protocol
  $BAD   = Src. CIDR
  any    = Src. Port
  ->     = Direction
  $GOOD  = Dest. CIDR
  any    = Dest. Port
Same header with the variables replaced by networks (the leading "!" negates the source network):
alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any
Rule Options
(flags: SF; msg: "SYN-FIN scan";)
  flags  = Keyword
  :      = Separator
  SF     = Argument
  ;      = Delimiter
Common Rule Options
IP TTL
IP ID
Fragment size
TCP Flags
TCP Ack number
TCP Seq number
Payload size
Content
Content offset
Content depth
Session recording
ICMP type
ICMP code
Alternate log files
Make Custom Rules
Detect String
alert tcp any any -> any any \
  (content: "clemson"; msg: "detected clemson";)
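As an added example (not Snort's own code and not from the original slides), the following Python script parses the rule syntax shown above and evaluates it against constructed packets: it splits the seven header fields, applies $VAR substitution and "!" negation, parses the "keyword: argument;" option block, checks the flags and content options (plus ttl, dsize and nocase), and prints each match in a line modelled on Snort's "-A fast" output. The packet contents, the values chosen for $BAD and $GOOD, the timestamp and the exact alert layout are assumptions; real Snort adds preprocessors, a fast-pattern matcher and many more option keywords.

```python
# Added example, not Snort's own code: a minimal parser and matcher for the
# rule syntax on the slides (header + "keyword: argument;" options).
import ipaddress
import re
from dataclasses import dataclass, field

# One option at a time: keyword, optional ": argument" (quoted or bare), then ";"
OPTION_RE = re.compile(r'\s*([A-Za-z_]+)\s*(?::\s*("[^"]*"|[^;]*))?\s*;')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)


def parse_rule(text: str) -> Rule:
    """Split 'action proto src sport -> dst dport (key: val; ...)' into a Rule."""
    header, _, opts = text.strip().partition("(")
    fields = header.split()
    if len(fields) != 7:
        raise ValueError(f"rule header needs 7 fields, got {len(fields)}: {header!r}")
    if fields[4] not in ("->", "<>"):
        raise ValueError(f"bad direction operator {fields[4]!r}")
    options = {}
    for key, value in OPTION_RE.findall(opts.rstrip().rstrip(")")):
        options[key.lower()] = value.strip().strip('"')
    return Rule(*fields, options)


def _addr_matches(spec: str, ip: str, variables: dict) -> bool:
    """'any', a CIDR, or a $VAR holding one of those; a leading '!' negates."""
    if spec.startswith("$"):
        if spec[1:] not in variables:
            raise ValueError(f"undefined variable {spec}")
        spec = variables[spec[1:]]
    negate = spec.startswith("!")
    net = spec.lstrip("!")
    hit = net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)
    return hit != negate


def _port_matches(spec: str, port: int) -> bool:
    """'any', a single port, or a 'lo:hi' range; a leading '!' negates."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif ":" in spec:
        lo, _, hi = spec.partition(":")
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = int(spec) == port
    return hit != negate


def _endpoints_match(r: Rule, pkt: dict, variables: dict) -> bool:
    fwd = (_addr_matches(r.src, pkt["src"], variables) and _port_matches(r.sport, pkt["sport"])
           and _addr_matches(r.dst, pkt["dst"], variables) and _port_matches(r.dport, pkt["dport"]))
    if fwd or r.direction != "<>":
        return fwd
    # bidirectional rule: the packet may also travel dst -> src
    return (_addr_matches(r.dst, pkt["src"], variables) and _port_matches(r.dport, pkt["sport"])
            and _addr_matches(r.src, pkt["dst"], variables) and _port_matches(r.sport, pkt["dport"]))


def matches(rule: Rule, pkt: dict, variables=None) -> bool:
    """True when the packet satisfies the header and every supported option."""
    variables = variables or {}
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if not _endpoints_match(rule, pkt, variables):
        return False
    payload, opts = pkt.get("payload", b""), rule.options
    if "flags" in opts and set(opts["flags"]) != set(pkt.get("flags", "")):
        return False                     # flags: SF means exactly SYN and FIN set
    if "ttl" in opts and int(opts["ttl"]) != pkt.get("ttl"):
        return False
    if "dsize" in opts:                  # dsize: N, >N or <N (payload length)
        spec, n = opts["dsize"], len(payload)
        ok = (n > int(spec[1:]) if spec[0] == ">" else
              n < int(spec[1:]) if spec[0] == "<" else n == int(spec))
        if not ok:
            return False
    if "content" in opts:
        hay, needle = payload, opts["content"].encode()
        if "nocase" in opts:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


def fast_alert(rule: Rule, pkt: dict, timestamp: str) -> str:
    """One-line alert in the spirit of '-A fast' (exact layout is an assumption)."""
    sid, rev = rule.options.get("sid", "0"), rule.options.get("rev", "0")
    return (f"{timestamp}  [**] [1:{sid}:{rev}] {rule.options.get('msg', '')} [**] "
            f"{{{pkt['proto'].upper()}}} {pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}")


# The two rules from the slides; $BAD/$GOOD values are assumed.
RULES = [
    parse_rule('alert tcp $BAD any -> $GOOD any (flags: SF; msg: "SYN-FIN scan";)'),
    parse_rule('alert tcp any any -> any any (content: "clemson"; msg: "detected clemson";)'),
]
VARIABLES = {"BAD": "!10.1.1.0/24", "GOOD": "10.1.1.0/24"}

# Constructed sample packets, not captured traffic.
PACKETS = [
    {"proto": "tcp", "src": "192.0.2.9", "sport": 40000, "dst": "10.1.1.5", "dport": 22,
     "flags": "SF", "ttl": 64, "payload": b""},
    {"proto": "tcp", "src": "10.1.1.7", "sport": 40001, "dst": "10.1.1.5", "dport": 22,
     "flags": "SF", "ttl": 64, "payload": b""},   # inside 10.1.1.0/24, so $BAD excludes it
    {"proto": "tcp", "src": "198.51.100.4", "sport": 51000, "dst": "10.1.1.8", "dport": 80,
     "flags": "PA", "ttl": 57, "payload": b"GET /clemson HTTP/1.0\r\n"},
]


def run(rules=RULES, packets=PACKETS, variables=VARIABLES) -> list:
    """Evaluate every rule against every packet; return fast-style alert lines."""
    return [fast_alert(r, p, "04/17-12:00:00.000000")
            for p in packets for r in rules if matches(r, p, variables)]


if __name__ == "__main__":
    print("\n".join(run()))
```

Running the script yields two alerts: the SYN-FIN scan from the outside host and the content match on the HTTP request; the SYN-FIN packet from 10.1.1.7 produces nothing because the negated source network excludes it, which is the point of the "!" in the header.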
Output
Log all the alerts
Real-time alerts
Several different types
– Syslog
– Plain text
– Databases
– Unified output
Common Options
Option      Description
-A fast     Fast alert mode. Writes the alert in a simple format with a timestamp, alert message, source and destination IPs/ports.
-A full     Full alert mode. This is the default alert mode and will be used automatically if you do not specify a mode.
-A unsock   Sends alerts to a UNIX socket that another program can listen on.
-A none     Turns off alerting.
-A console  Sends "fast-style" alerts to the console (screen).
-A cmg      Generates "cmg style" alerts.
Tools for Snort
Acid
SnortSnarf
Snort Alert Monitor (SAM)
Snortalog
Guardian
DeMarc PureSecure
IDSCenter (Windoze)
Resources
Snort.org
– www.snort.org/dl (downloads)
BleedingEdge
– www.bleedingsnort.com/
Sourcefire
– www.sourcefire.com