Recommendation of a Strategy


Snort: Intrusion Detection System
Jason Booth
Overview
Snort / Drawbacks
IDS - Theory
IDS – Test
Practical IDS
Setup Scripts
Oink-Master
Snort-MySql
Log Files
Location
What is logged
What is SNORT?
Snort is an Intrusion Detection System. It generally runs on a Bastion Server (a server with one purpose). This helps to limit the possible attack points on the Bastion Server.
Drawbacks
Slower network (more overhead)
The IDS can become an intrusion point in and of itself
Laws limit what can be logged from a packet.
IDS is only as good as its definition rules

A TCP/IP packet (diagram slide)
What snort logs
[**] [1:1384:8] MISC UPnP malformed advertisement [**]
[Classification: Misc Attack] [Priority: 2]
02/23-10:20:29.041905 192.168.0.1:1900 -> 239.255.255.250:1900
UDP TTL:127 TOS:0x0 ID:17771 IpLen:20 DgmLen:346
Len: 318
[Xref => http://www.microsoft.com/technet/security/bulletin/MS01-059.mspx]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0877]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0876]
[Xref => http://www.securityfocus.com/bid/3723]
Snort Priority
Prioritizing with classification.config
config classification: successful-dos, Denial of Service, 2
http://www.linux.com/articles/29830
What this means
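To make the two slides above concrete, here is an added Python example (not code from the slides or from the Snort project) that parses records in Snort's full alert format, reads classification.config lines of the form shown above, and uses the resulting table to filter alerts by priority and to spot rules that override their classification's default. The alert record is the one printed on the slides (cut to two Xref lines) and the successful-dos classification line is the one from the slides; the misc-attack classification line and the priority threshold are constructed for the demo.

```python
"""Parse Snort full-format alerts and check them against classification.config.

Added example for this page, not Snort's own code. SAMPLE_ALERT is the record
from the slides (two Xref lines kept); the misc-attack line in
SAMPLE_CLASSIFICATION is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_ALERT = """\
[**] [1:1384:8] MISC UPnP malformed advertisement [**]
[Classification: Misc Attack] [Priority: 2]
02/23-10:20:29.041905 192.168.0.1:1900 -> 239.255.255.250:1900
UDP TTL:127 TOS:0x0 ID:17771 IpLen:20 DgmLen:346
Len: 318
[Xref => http://www.microsoft.com/technet/security/bulletin/MS01-059.mspx]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0877]
"""

# classification.config syntax: "config classification: shortname,description,priority"
SAMPLE_CLASSIFICATION = """\
# comments and blank lines are ignored
config classification: successful-dos,Denial of Service,2
config classification: misc-attack,Misc Attack,2
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
# Classification part is absent when the rule has no classtype but sets priority:
CLASS_RE = re.compile(r"^(?:\[Classification: (.*?)\] )?\[Priority: (\d+)\]$")
PACKET_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")
XREF_RE = re.compile(r"^\[Xref => (.*?)\]$")
CONFIG_RE = re.compile(r"^config classification:\s*(.*)$")


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    timestamp: str
    src: str
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]
    proto: str
    xrefs: list = field(default_factory=list)


def parse_classification_config(text):
    """Map classification description -> default priority (1 is the most severe)."""
    table = {}
    for line in text.splitlines():
        m = CONFIG_RE.match(line.strip())
        if not m:
            continue                                  # comment, blank or other directive
        parts = [p.strip() for p in m.group(1).split(",")]
        if len(parts) != 3 or not parts[2].isdigit():
            continue                                  # malformed entry: skip rather than guess
        _shortname, description, priority = parts     # rules reference the shortname via classtype:
        table[description] = int(priority)
    return table


def parse_alert(text):
    """Parse one full-format alert record (the layout shown on the slides)."""
    lines = [l for l in text.splitlines() if l.strip()]
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("not a Snort alert header: %r" % lines[0])
    gid, sid, rev, msg = int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)
    classification, priority, i = "unclassified", 0, 1
    m = CLASS_RE.match(lines[i])
    if m:                                             # rule without classtype/priority: no such line
        classification, priority, i = m.group(1) or "unclassified", int(m.group(2)), i + 1
    m = PACKET_RE.match(lines[i])
    if not m:
        raise ValueError("missing packet line: %r" % lines[i])
    ts, src, sport, dst, dport = m.groups()
    proto = lines[i + 1].split()[0]                   # "UDP TTL:127 ..." -> "UDP"
    xrefs = [x.group(1) for x in map(XREF_RE.match, lines) if x]
    return Alert(gid, sid, rev, msg, classification, priority, ts,
                 src, int(sport) if sport else None,
                 dst, int(dport) if dport else None, proto, xrefs)


def parse_alert_file(text):
    """Records in the alert file are separated by blank lines."""
    return [parse_alert(r) for r in re.split(r"\n\s*\n", text.strip()) if r.strip()]


def priority_overridden(alert, table):
    """True when the rule set its own priority instead of inheriting the classification's."""
    default = table.get(alert.classification)
    return default is not None and default != alert.priority


def filter_by_priority(alerts, worst_allowed):
    """Keep alerts with priority <= worst_allowed (lower number = more severe); drop unclassified."""
    return [a for a in alerts if 0 < a.priority <= worst_allowed]


if __name__ == "__main__":
    table = parse_classification_config(SAMPLE_CLASSIFICATION)
    for a in filter_by_priority(parse_alert_file(SAMPLE_ALERT), 2):
        note = " (rule overrides classification)" if priority_overridden(a, table) else ""
        print("P%d %s %s -> %s [%s]%s" % (a.priority, a.proto, a.src, a.dst, a.msg, note))
```

The priority printed in an alert is the classification's default unless the rule itself carries a priority keyword, which is why `priority_overridden` compares the two: a rule that silently demotes a serious classification is easy to miss in a large rule set.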
Theory (diagram slides)
Test (diagram slide)
Practical IDS
➲ Choose a setup that is practical and cost effective for yourself or your business, yet offers a fast response to intrusions.
Setup Scripts
➲ In /var/log/syslog, look for a line that looks like this:
snort[1731]: Snort initialization completed successfully (pid=1731)
Setup Scripts
➲ /var/snort
➲ Go to the setup.txt file to demonstrate this.
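The syslog check above is easy to script. The following is an added Python example, not code from the slides or from Snort, that scans syslog text for the "Snort initialization completed successfully (pid=N)" line, takes the most recent start, and then confirms that the pid it names is still running. The syslog excerpt is constructed; the format of a "FATAL ERROR" line arriving via syslog is an assumption made for the demo, as is the hostname "sensor".

```python
"""Check syslog for Snort's startup message and whether the logged pid is alive.

Added example for this page, not Snort's own code. SAMPLE_SYSLOG is
constructed; the FATAL ERROR line format is an assumption.
"""
import os
import re

SAMPLE_SYSLOG = """\
Feb 23 10:19:58 sensor snort[1702]: FATAL ERROR: /etc/snort/snort.conf(12) Unknown output plugin
Feb 23 10:20:05 sensor snort[1731]: Initializing Network Interface eth1
Feb 23 10:20:07 sensor snort[1731]: Snort initialization completed successfully (pid=1731)
Feb 23 10:20:29 sensor snort[1731]: Decoding Ethernet on interface eth1
"""

INIT_RE = re.compile(r"snort\[\d+\]: Snort initialization completed successfully \(pid=(\d+)\)")
FATAL_RE = re.compile(r"snort\[\d+\]: FATAL ERROR: (.*)$")


def snort_startup_status(syslog_text):
    """Return ("ok", pid) if the most recent Snort start succeeded,
    ("fatal", message) if a FATAL ERROR came after the last successful start,
    or ("missing", None) if no start message is present at all."""
    last_ok, last_fatal = None, None
    for line in syslog_text.splitlines():
        m = INIT_RE.search(line)
        if m:
            last_ok, last_fatal = int(m.group(1)), None   # a later success clears an earlier failure
            continue
        m = FATAL_RE.search(line)
        if m:
            last_fatal = m.group(1)
    if last_fatal is not None:
        return ("fatal", last_fatal)
    if last_ok is not None:
        return ("ok", last_ok)
    return ("missing", None)


def pid_alive(pid):
    """True if a process with this pid exists; signal 0 probes without delivering anything."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True                      # exists, but owned by another user
    return True


def verify_sensor(syslog_text):
    """Both checks together: a good start must be logged and that pid must still be running."""
    state, detail = snort_startup_status(syslog_text)
    if state != "ok":
        return (state, detail)
    return ("ok", detail) if pid_alive(detail) else ("exited", detail)


if __name__ == "__main__":
    path = "/var/log/syslog"
    text = open(path).read() if os.access(path, os.R_OK) else SAMPLE_SYSLOG
    print(verify_sensor(text))
```

A line saying initialization completed is only evidence that Snort started at that moment; the pid check catches the common case where the sensor later died quietly and the log still looks fine.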
SNORT Rules
➲ The rules are the vital part of Snort. There are various categories of rules shipped with Snort. They can be found in /etc/snort/, ending with *.rules.
OinkMaster
➲ “If you have many sensors, it can be a very difficult job to keep all the rules current on all of your sensors. A great tool for this task is Oinkmaster” (http://www.snort.org/docs/setup_guides/deb-snort-howto.pdf)
Snort-MySQL
➲ Snort supports MySQL. In snort.conf:
# vim /etc/snort/snort.conf
Find the line below, uncomment it, and then add your appropriate values:
output database: log, mysql, user=snort password=mypass dbname=snort host=localhost
Restart Snort and verify it's writing to the database. The easiest way is to get into mysql and "select * from event"; you should see lots of events if you still have the alerting going on for each packet or the icmp rule. Or you can run this command:
# mysql -uroot -pmypassword -D snort -e "select count(*) from event"
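The "uncomment the line and add your values" step above is the kind of edit that gets repeated on every sensor, so it is worth doing idempotently. The following is an added Python example (not code from the slides, the howto or Snort) that takes the text of snort.conf, replaces the first mysql `output database:` directive, commented or not, with an active one carrying the given values, appends the directive if there is none, and lists the active database outputs so you can see you did not leave two of them. The snort.conf excerpt is constructed; the user, password and dbname values are the placeholders the slides use.

```python
"""Switch on Snort's MySQL output directive in snort.conf, idempotently.

Added example for this page, not Snort's own code. SAMPLE_CONF is a constructed
excerpt of a shipped snort.conf with the directive commented out.
"""
import re

SAMPLE_CONF = """\
# output log_tcpdump: tcpdump.log
# output database: log, mysql, user=snort dbname=snort host=localhost
output alert_fast: alert
"""

# Matches the directive whether commented out or already active. [ \t] rather
# than \s so that ^ cannot swallow a blank line above the match in re.M mode.
DB_LINE_RE = re.compile(
    r"^[ \t]*#?[ \t]*output database:[ \t]*(alert|log),[ \t]*mysql\b.*$", re.M)


def enable_mysql_output(conf_text, user, password, dbname, host="localhost", mode="log"):
    """Return conf_text with the first mysql 'output database:' line replaced by an
    active one carrying the given values, or with the directive appended if there
    is none. Running it twice with the same values returns the same text."""
    new_line = "output database: %s, mysql, user=%s password=%s dbname=%s host=%s" % (
        mode, user, password, dbname, host)
    if DB_LINE_RE.search(conf_text):
        # lambda so that backslashes in a password are not treated as re escapes
        return DB_LINE_RE.sub(lambda _m: new_line, conf_text, count=1)
    sep = "" if conf_text.endswith("\n") or not conf_text else "\n"
    return conf_text + sep + new_line + "\n"


def active_db_outputs(conf_text):
    """List uncommented 'output database:' directives; Snort writes to every
    active output line, so a duplicate means every event is stored twice."""
    return [l.strip() for l in conf_text.splitlines()
            if l.strip().startswith("output database:")]


if __name__ == "__main__":
    updated = enable_mysql_output(SAMPLE_CONF, "snort", "mypass", "snort")
    print(updated)
    print("active:", active_db_outputs(updated))
```

After the edit snort.conf holds the database password in clear text, so the file's permissions matter as much as the values in it. The page's `select count(*) from event` query is still the right end-to-end check: a rising count after a restart confirms the directive, the credentials and the schema all line up.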
Points of Reference
➲ http://www.snort.org/docs/
➲ Google it!
Snort
Snort-mysql
IDS
Linux and snort
Careers with IDS and snort
Misc. Section
➲ Snort in promiscuous mode
Poisoning the network
➲ I'm having a very annoying problem in my LAN: someone (or a virus?) is sending ARP messages like the following (in human words):
➲ "I am computer with mac de:ad:de:ad:de:ad and with IP <victim's IP> and I am asking everyone (destination MAC ff:ff:ff:ff:ff:ff): does anyone else have this IP?"
http://www.webservertalk.com/message1217112.html
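The ARP messages described in the quoted post are exactly what an IDS on a promiscuous interface can see, and the detection is a bookkeeping problem: remember which MAC each IP was last seen with and raise a finding when a different MAC claims it. The following is an added Python example, not code from the slides, the quoted post or Snort (Snort 2 ships an arpspoof preprocessor for this job; this is a stand-alone illustration of the same check). The ARP records are constructed; the third one imitates the gratuitous broadcast from de:ad:de:ad:de:ad that the post describes.

```python
"""Flag ARP traffic that claims an IP already bound to a different MAC.

Added example for this page, not Snort's own code. SAMPLE_ARPS is a constructed
sequence; record 3 imitates the gratuitous ARP from the quoted post.
"""
from collections import namedtuple

Arp = namedtuple("Arp", "ts sender_mac sender_ip target_mac target_ip")
Finding = namedtuple("Finding", "ts ip known_mac seen_mac gratuitous")

SAMPLE_ARPS = [
    # host .10 asks for gateway .1 and the gateway replies: normal traffic
    Arp(1, "00:11:22:33:44:55", "192.168.0.10", "00:00:00:00:00:00", "192.168.0.1"),
    Arp(2, "00:aa:bb:cc:dd:ee", "192.168.0.1",  "00:11:22:33:44:55", "192.168.0.10"),
    # gratuitous ARP (sender IP == target IP, broadcast target) from a different MAC for .10
    Arp(3, "de:ad:de:ad:de:ad", "192.168.0.10", "ff:ff:ff:ff:ff:ff", "192.168.0.10"),
]


def is_gratuitous(arp):
    """An announcement of one's own IP: sender and target IP are the same."""
    return arp.sender_ip == arp.target_ip


def detect_arp_conflicts(arps, known=None):
    """Walk ARP records in order and report every sender whose IP is already
    bound to another MAC. `known` seeds the IP->MAC table (for example your
    gateways from a static list); otherwise the first sighting of an IP is trusted."""
    table = dict(known or {})
    findings = []
    for a in arps:
        if a.sender_ip == "0.0.0.0":
            continue                      # ARP probe (RFC 5227): no IP is being claimed yet
        prev = table.get(a.sender_ip)
        if prev is None:
            table[a.sender_ip] = a.sender_mac
        elif prev != a.sender_mac:
            # keep the original binding so a repeated spoof is reported each time
            findings.append(Finding(a.ts, a.sender_ip, prev, a.sender_mac, is_gratuitous(a)))
    return findings


if __name__ == "__main__":
    for f in detect_arp_conflicts(SAMPLE_ARPS):
        print("t=%s %s claimed by %s, previously %s%s" % (
            f.ts, f.ip, f.seen_mac, f.known_mac, " (gratuitous)" if f.gratuitous else ""))
```

Seeding `known` from a static list of gateways and servers matters: with first-sighting trust, a spoofer who speaks before the real host does becomes the trusted binding, and it is the legitimate host that gets flagged. Legitimate MAC changes (a NIC swap, a failover address) also show up here, so findings are a prompt to look, not proof of poisoning.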
Question?
➲ How does Snort know it's been penetrated?
It looks at the packets and inspects the payload.
Conclusion
➲ Snort is a versatile and strong network IDS tool. When used correctly, a network admin can gain a great deal of network information at a low cost in overhead.