![Page 1: Snort: Jason Booth – Intrusion Detection System. Overview Snort / Drawbacks IDS - Theory IDS – Test Practical IDS Setup Scripts Oink-Master Snort-MySql](https://reader035.vdocuments.us/reader035/viewer/2022062407/56649e725503460f94b71a08/html5/thumbnails/1.jpg)
Snort:
Jason Booth – Intrusion Detection System
Overview
➲ Snort / Drawbacks
➲ IDS - Theory
➲ IDS – Test
➲ Practical IDS
➲ Setup Scripts
➲ Oink-Master
➲ Snort-MySql
➲ Log Files: location, what is logged
What is SNORT?
Snort is a network Intrusion Detection System (NIDS). It generally runs on a bastion host (a hardened server dedicated to that one purpose).
Running nothing else on that host limits the ways an attacker can reach the sensor itself.
Drawbacks
➲ More overhead: an inline sensor adds latency, and even a passive sensor on a tap or SPAN port costs CPU and disk
➲ The IDS can become an intrusion point in and of itself (it parses hostile traffic all day, so it must be patched and hardened like any exposed host)
➲ Laws limit what can be logged from a packet (full payload capture may be privacy-regulated)
➲ An IDS is only as good as its rule set
A TCP/IP packet
What Snort logs
[**] [1:1384:8] MISC UPnP malformed advertisement [**]
[Classification: Misc Attack] [Priority: 2]
02/23-10:20:29.041905 192.168.0.1:1900 -> 239.255.255.250:1900
UDP TTL:127 TOS:0x0 ID:17771 IpLen:20 DgmLen:346
Len: 318
[Xref => http://www.microsoft.com/technet/security/bulletin/MS01-059.mspx]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0877]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0876]
[Xref => http://www.securityfocus.com/bid/3723]
[Xref => http://www.securityfocus.com/bid/3723]
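The alert above is Snort's "full" alert format: one record per alert, fields one per line, records separated by a blank line. The following parser is an added example, not code from the slides or from the Snort project; it turns such records into dictionaries and filters them by priority. The sample input is constructed: it reuses the UPnP alert from the slide (with two of its Xref lines) and adds a made-up ICMP alert so that a record without port numbers is also handled.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the UPnP alert from the slide, rewrapped one field
# per line as Snort writes it, plus a made-up ICMP alert (no ports on its
# address line) so both shapes of record are exercised.
SAMPLE_ALERTS = """\
[**] [1:1384:8] MISC UPnP malformed advertisement [**]
[Classification: Misc Attack] [Priority: 2]
02/23-10:20:29.041905 192.168.0.1:1900 -> 239.255.255.250:1900
UDP TTL:127 TOS:0x0 ID:17771 IpLen:20 DgmLen:346
Len: 318
[Xref => http://www.microsoft.com/technet/security/bulletin/MS01-059.mspx]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0877]

[**] [1:384:5] ICMP PING [**]
[Classification: Misc activity] [Priority: 3]
02/23-10:21:03.112233 10.0.0.7 -> 10.0.0.1
ICMP TTL:64 TOS:0x0 ID:4242 IpLen:20 DgmLen:84
Type:8  Code:0  ID:1  Seq:1  ECHO
"""

# [**] [gid:sid:rev] message [**]
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
# timestamp src[:sport] -> dst[:dport]; ports are absent for ICMP
ADDR_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")
PROTO_RE = re.compile(r"^([A-Z]+) TTL:(\d+) TOS:(0x[0-9A-Fa-f]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")
XREF_RE = re.compile(r"^\[Xref => (.+?)\]$")


def parse_record(lines: List[str]) -> Optional[Dict[str, object]]:
    """Parse the lines of one alert record; None if the first line is not a Snort header."""
    head = HEADER_RE.match(lines[0])
    if head is None:
        return None
    xrefs: List[str] = []
    rec = {
        "gid": int(head.group(1)), "sid": int(head.group(2)), "rev": int(head.group(3)),
        "msg": head.group(4), "classification": None, "priority": None,
        "timestamp": None, "src": None, "sport": None, "dst": None, "dport": None,
        "proto": None, "ttl": None, "xrefs": xrefs,
    }
    for line in lines[1:]:
        m = CLASS_RE.match(line)
        if m:
            rec["classification"], rec["priority"] = m.group(1), int(m.group(2))
            continue
        m = ADDR_RE.match(line)
        if m:
            rec["timestamp"], rec["src"], rec["dst"] = m.group(1), m.group(2), m.group(4)
            rec["sport"] = int(m.group(3)) if m.group(3) else None
            rec["dport"] = int(m.group(5)) if m.group(5) else None
            continue
        m = PROTO_RE.match(line)
        if m:
            rec["proto"], rec["ttl"] = m.group(1), int(m.group(2))
            continue
        m = XREF_RE.match(line)
        if m:
            xrefs.append(m.group(1))
        # other lines (Len:, ICMP Type/Code) are not needed here and are skipped
    return rec


def parse_alerts(text: str) -> List[Dict[str, object]]:
    """Split full-format alert output on blank lines and parse every record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.rstrip() for ln in block.splitlines() if ln.strip()]
        if lines:
            rec = parse_record(lines)
            if rec is not None:
                records.append(rec)
    return records


def high_priority(records: List[Dict[str, object]], max_priority: int = 2) -> List[Dict[str, object]]:
    """Keep alerts at or above the given priority (in Snort, 1 is the most severe)."""
    return [r for r in records if r["priority"] is not None and r["priority"] <= max_priority]


if __name__ == "__main__":
    for rec in high_priority(parse_alerts(SAMPLE_ALERTS)):
        print(f"[{rec['gid']}:{rec['sid']}:{rec['rev']}] prio {rec['priority']} "
              f"{rec['proto']} {rec['src']} -> {rec['dst']}: {rec['msg']}")
```

Point the script at a real /var/log/snort/alert file by reading it into `parse_alerts`; the `gid:sid:rev` triple is the stable key for correlating an alert back to the rule that fired, and the priority filter is what you would hand to whatever pages the on-call engineer.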
Snort Priority
Prioritizing with classification.config. Each line names a class, gives it a description, and assigns a priority (1 is the most severe); a rule picks up that priority through its classtype: option, and a priority: option inside the rule overrides it.
config classification: successful-dos, Denial of Service, 2
http://www.linux.com/articles/29830
What this means
Theory
Theory
Test
Practical IDS
➲ Choose a setup that is practical and cost effective for yourself or your business, yet still offers a fast response to intrusions.
Setup Scripts
➲ Check /var/log/syslog for a line that looks like this:
➲ snort[1731]: Snort initialization completed successfully (pid=1731)
Setup Scripts
➲ /var/snort
➲ Go to the setup.txt file to demonstrate this.
SNORT Rules
➲ The rules are the vital part of Snort. Various categories of rules ship with it, as files in /etc/snort/ ending in .rules, each pulled in by an include line in snort.conf. A rule is a header (action, protocol, source and destination with ports, direction) followed by a parenthesised list of semicolon-separated options such as msg:, content:, classtype:, sid: and rev:.
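As an added example that is not part of the slides or of Snort itself, the script below reads a classification.config excerpt and a few rules and works out the priority Snort would report for each alert (the rule's own priority: option wins, otherwise the classtype's priority). The rules and the classification lines are constructed for the example: the first rule is a shortened form of sid 1384 from the alert on the earlier slide, the other two are hypothetical local rules. The default of 0 for a rule with neither option is an assumption of this script.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the format of /etc/snort/classification.config:
# "config classification: <name>,<description>,<priority>".
CLASSIFICATION_CONFIG = """\
# name, description, priority (1 = most severe)
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: misc-attack,Misc Attack,2
config classification: successful-dos,Denial of Service,2
config classification: misc-activity,Misc activity,3
"""

# Constructed rules: a shortened sid 1384, a local rule whose explicit
# priority: overrides its classtype, and a local rule with neither.
SAMPLE_RULES = [
    'alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP malformed advertisement"; '
    'content:"NOTIFY * "; nocase; classtype:misc-attack; sid:1384; rev:8;)',
    'alert tcp any any -> $HOME_NET 22 (msg:"LOCAL SSH to honeypot; quoted semicolon"; '
    'flow:to_server,established; classtype:misc-activity; priority:1; sid:1000001; rev:1;)',
    'alert icmp any any -> $HOME_NET any (msg:"LOCAL ping without classtype"; sid:1000002; rev:1;)',
]

# action proto src sport direction dst dport ( options )
RULE_HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)


def parse_classifications(text: str) -> Dict[str, Tuple[str, int]]:
    """Map class name -> (description, priority) from classification.config lines."""
    table: Dict[str, Tuple[str, int]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("config classification:"):
            continue
        name, description, priority = (p.strip() for p in line.split(":", 1)[1].split(",", 2))
        table[name] = (description, int(priority))
    return table


def split_options(body: str) -> List[str]:
    """Split a rule body on ';' but leave semicolons inside double quotes alone."""
    options, current, in_quotes, escaped = [], [], False, False
    for ch in body:
        if escaped:
            current.append(ch)
            escaped = False
            continue
        if ch == "\\":
            current.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            token = "".join(current).strip()
            if token:
                options.append(token)
            current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    if tail:
        options.append(tail)
    return options


def parse_rule(text: str) -> Dict[str, object]:
    """Split one rule into its header fields and an ordered (key, value) option list."""
    m = RULE_HEADER_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a Snort rule: {text[:40]!r}")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = []
    for opt in split_options(body):
        key, _, value = opt.partition(":")   # bare keywords like "nocase" get value ""
        options.append((key.strip(), value.strip()))
    return {"action": action, "proto": proto, "src": src, "sport": sport, "direction": direction,
            "dst": dst, "dport": dport, "options": options}


def option(rule: Dict[str, object], key: str) -> Optional[str]:
    for k, v in rule["options"]:
        if k == key:
            return v
    return None


def effective_priority(rule: Dict[str, object], classes: Dict[str, Tuple[str, int]], default: int = 0) -> int:
    """Explicit priority: option first, then the classtype's priority, else the assumed default."""
    explicit = option(rule, "priority")
    if explicit is not None:
        return int(explicit)
    classtype = option(rule, "classtype")
    if classtype in classes:
        return classes[classtype][1]
    return default


if __name__ == "__main__":
    classes = parse_classifications(CLASSIFICATION_CONFIG)
    for rule in map(parse_rule, SAMPLE_RULES):
        print(f"sid {option(rule, 'sid')}: priority {effective_priority(rule, classes)}  {option(rule, 'msg')}")
```

Running the same functions over every *.rules file in /etc/snort/ gives a quick audit of which local rules silently inherit a low priority because they were written without a classtype.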
OinkMaster
➲ “If you have many sensors, it can be a very difficult job to keep all the rules current on all of your sensors. A great tool for this task is Oinkmaster”
(http://www.snort.org/docs/setup_guides/deb-snort-howto.pdf)
Snort-MySql
➲ Snort supports logging to MySQL through its database output plugin. In snort.conf:
  # vim /etc/snort/snort.conf
  Find the line below, uncomment it, and fill in your own values:
  output database: log, mysql, user=snort password=mypass dbname=snort host=localhost
➲ Restart Snort and verify that it is writing to the database. The easiest way is to get into mysql and run "select * from event"; you should see lots of events if you still have alerting on for every packet or the ICMP rule. Or run this command:
  # mysql -uroot -pmypassword -D snort -e "select count(*) from event"
➲ Caveats: the database password sits in clear text in snort.conf, so keep that file readable only by root and the account Snort runs as, and give the snort database user only the privileges the plugin needs on that one database rather than reusing root. A password passed on the command line as -pmypassword is visible to other local users in the process list; use -p alone so mysql prompts for it.
Points of Reference
➲ http://www.snort.org/docs/
➲ Google it! Useful search terms: Snort; Snort-mysql; IDS; Linux and snort; Careers with IDS and snort
Misc. Section
➲ Snort in promiscuous mode: the sensor's NIC is put into promiscuous mode so Snort sees every frame on the segment (or on the tap/SPAN feed), not only frames addressed to the sensor host itself.
Poisoning the network
➲ I'm having a very annoying problem in my LAN: someone (or a virus?) is sending ARP messages like the following (in human words):
➲ "I am computer with mac de:ad:de:ad:de:ad and with IP <victim's IP> and I am asking everyone (destination MAC ff:ff:ff:ff:ff:ff): does anyone else have this IP?"
➲ http://www.webservertalk.com/message1217112.html
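The frame the post describes (a broadcast ARP request from MAC de:ad:de:ad:de:ad claiming the victim's IP) is exactly what a sensor on a promiscuous interface can catch. The script below is an added detection example, not code from the slides, from the quoted post or from Snort: it constructs such a frame, parses raw Ethernet+ARP, and applies the same kind of checks that Snort's arpspoof preprocessor performs against its arpspoof_detect_host IP-to-MAC entries (sender MAC must match the Ethernet source, replies must not be broadcast, a known IP must not be claimed by a different MAC). The host table, the addresses and the sample frames are all constructed assumptions.

```python
import struct
from typing import Dict, List, Optional

ETH_P_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def ip_text(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(eth_src: str, eth_dst: str, oper: int,
              sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build a raw Ethernet+ARP frame (used here only to construct sample input)."""
    return (ETH_HDR.pack(mac_bytes(eth_dst), mac_bytes(eth_src), ETH_P_ARP)
            + ARP_PKT.pack(1, 0x0800, 6, 4, oper, mac_bytes(sha), ip_bytes(spa),
                           mac_bytes(tha), ip_bytes(tpa)))


def parse_arp(frame: bytes) -> Optional[Dict[str, object]]:
    """Return the fields of an IPv4-over-Ethernet ARP frame, or None for anything else."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    eth_dst, eth_src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_text(eth_src), "eth_dst": mac_text(eth_dst), "oper": oper,
            "sha": mac_text(sha), "spa": ip_text(spa), "tha": mac_text(tha), "tpa": ip_text(tpa)}


class ArpSpoofDetector:
    """Flags ARP frames that contradict a static IP->MAC table or their own Ethernet header."""

    def __init__(self, known_hosts: Dict[str, str]):
        self.known = {ip: mac.lower() for ip, mac in known_hosts.items()}

    def inspect(self, frame: bytes) -> List[str]:
        arp = parse_arp(frame)
        if arp is None:
            return []
        alerts = []
        # A forged frame often cannot keep the two sender addresses consistent.
        if arp["eth_src"] != arp["sha"]:
            alerts.append(f"ethernet/ARP sender mismatch: frame from {arp['eth_src']}, ARP says {arp['sha']}")
        # Replies are unicast; a broadcast reply is a classic cache-poisoning push.
        if arp["oper"] == ARP_REPLY and arp["eth_dst"] == BROADCAST:
            alerts.append(f"ARP reply broadcast by {arp['sha']} for {arp['spa']}")
        # The post's case: a known IP (the victim) announced from a foreign MAC.
        expected = self.known.get(arp["spa"])
        if expected is not None and expected != arp["sha"]:
            alerts.append(f"ARP cache overwrite attempt: {arp['spa']} claimed by {arp['sha']}, expected {expected}")
        return alerts


# Constructed: the hosts this sensor is told to protect (assumed addresses).
KNOWN_HOSTS = {"192.168.0.1": "00:aa:bb:cc:dd:01", "192.168.0.10": "00:11:22:33:44:55"}

# Constructed frames: a normal who-has, the post's frame (victim 192.168.0.10
# claimed by de:ad:de:ad:de:ad), and one whose two sender MACs disagree.
SAMPLE_FRAMES = {
    "legit": build_arp("00:11:22:33:44:55", BROADCAST, ARP_REQUEST,
                       "00:11:22:33:44:55", "192.168.0.10", "00:00:00:00:00:00", "192.168.0.1"),
    "poison": build_arp("de:ad:de:ad:de:ad", BROADCAST, ARP_REQUEST,
                        "de:ad:de:ad:de:ad", "192.168.0.10", "00:00:00:00:00:00", "192.168.0.10"),
    "mismatch": build_arp("0a:0a:0a:0a:0a:0a", BROADCAST, ARP_REQUEST,
                          "0b:0b:0b:0b:0b:0b", "192.168.0.77", "00:00:00:00:00:00", "192.168.0.1"),
}

if __name__ == "__main__":
    detector = ArpSpoofDetector(KNOWN_HOSTS)
    for name, frame in SAMPLE_FRAMES.items():
        print(name, detector.inspect(frame) or "ok")
```

The table-based check is the one that actually catches the post's frame, because the frame is internally consistent (its Ethernet source and ARP sender MAC agree); a static IP-to-MAC list for gateways and servers is therefore worth maintaining on the sensor even though it needs updating whenever hardware changes.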
Question?
➲ How does Snort know an intrusion is happening? It inspects each packet, headers and payload, and matches it against its rules; when a rule matches, it raises an alert.
Conclusion
➲ Snort is a versatile and strong network IDS tool. Used correctly, it gives a network admin a great deal of insight into the network at low cost in overhead.