Snort Class - V2 (slide transcript)
Page 1: SNORT
Page 2: A Preview
- NIDS vs. HIDS
  - NIDS: pattern matching
  - HIDS: log monitoring, file integrity checking
Page 3: Criteria For Software NIDS
- Only as secure as the OS
- Logging to a different log server
- Tuning (all IDS)
- Ease of monitoring (all IDS)
- Alarm
- Response capability: kill a connection, log (Honeynets)
Page 4: A Common Network Topology
Page 5: Location of NIDS
- In the external DMZ
- In the internal DMZ
- In the protected network
- Before resource servers
- In front of / behind a firewall
Page 6: What is Snort?
- A sniffer like Ethereal
- A packet logger like tcpdump
- An Intrusion Detection System like Cisco IDS (Type of IDS?)
Page 7: How to Use Snort?
- Download Snort-2.3.0RC2 from www.snort.org
- Install Snort as shown in the document
- Create the folder /etc/snort and copy some important configuration files to that folder
- Create the folder /var/log/snort
Page 8: How to Use Snort? (cont'd)
- Point to the rule path in the snort.conf file
- Specify the HOME network and EXTERNAL network
- Test run the Snort configuration
- Run Snort as a daemon
Page 9: More Advanced Configuration of Snort
- The Snort internals: packet decoder, preprocessor, detection engine
Page 10: Preprocessor Configurations
- Preprocessor configuration in snort.conf:
  - frag2 – detects packet fragmentation
  - stream4 – self protection against Snot and Slick
  - http_inspect – web traffic
  - rpc_decode – RPC traffic
  - flow_portscan – statistical details (not used)
  - sfportscan – detects port scanning activities
  - perfmonitor – self assessment (not used)
Page 11: Other Important Parts of snort.conf
- Output plugins, e.g. logging to a SQL database
- Including specific rules files for signature comparisons
Page 12: A Note on Usual Logging Methods
- -l switch to set the log directory from the command line
- Default log directory when running as a NIDS
- Hierarchical logging
- Two logging modes:
  1. ASCII (i.e. plain text) – inode problem
  2. Binary
Page 13: Inode - Example
Page 14: Logging - Examples
Page 15: Logging - Examples (cont'd)
Page 16: Understanding Snort Rules

    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flags:SF;\
    reference:arachnids,198; classtype:attempted-recon;\
    sid:624; rev:1;)
Page 17: Logging - Examples (cont'd)
Page 18: Types of the Rule Options
- Metadata – e.g. reference
- Payload detection – e.g. content
- Non-payload detection – packet characteristics like size, fragments
- Post detection – log to a particular file, kill connections
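To make the rule structure from page 16 and the option types from page 18 concrete, here is an added example (not part of the class material, and not Snort's own parser): it splits a rule into its header fields and its options, then groups the option keywords by the four types named on the slide. The keyword table is an assumption, a subset of the keywords documented in the Snort manual.

```python
import re
from collections import namedtuple
# Option keywords grouped by the slide's four types (a subset of the Snort manual's).
OPTION_TYPES = {
    "metadata": {"msg", "reference", "classtype", "sid", "rev", "priority"},
    "payload": {"content", "nocase", "depth", "offset", "uricontent", "pcre"},
    "non_payload": {"flags", "fragbits", "dsize", "ttl", "flow", "ipopts", "seq"},
    "post_detection": {"logto", "session", "resp", "react", "tag"},
}
# Rule header: action proto src sport direction dst dport, then (options).
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|activate|dynamic)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"\s*\((?P<opts>.*)\)\s*$", re.S)
# Header fields plus the options as (keyword, value) pairs in rule order.
SnortRule = namedtuple("SnortRule", "action proto src sport direction dst dport options")

def split_options(body):
    # Split on ';' only outside double quotes (an even number of quotes must
    # follow), so content:"a;b" stays whole. Escaped quotes are not handled.
    parts = re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', body)
    return [p.strip() for p in parts if p.strip()]

def parse_rule(text):
    # Join backslash-continued lines as snort.conf does, then split header/options.
    m = HEADER_RE.match(re.sub(r"\\\s*\n\s*", " ", text).strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % text[:40])
    opts = []
    for item in split_options(m.group("opts")):
        key, _, val = item.partition(":")
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # msg:"SCAN SYN FIN" -> SCAN SYN FIN
        opts.append((key.strip(), val))
    fields = ("action", "proto", "src", "sport", "dir", "dst", "dport")
    return SnortRule(*[m.group(f) for f in fields], opts)

def options_by_type(rule):
    # Group keywords by the slide's four categories; unknown ones are kept.
    grouped = {k: [] for k in list(OPTION_TYPES) + ["unknown"]}
    for key, _ in rule.options:
        kind = next((k for k, v in OPTION_TYPES.items() if key in v), "unknown")
        grouped[kind].append(key)
    return grouped

# The SCAN SYN FIN rule from the slide, with its backslash line continuations.
SAMPLE_RULE = '''alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flags:SF;\\
reference:arachnids,198; classtype:attempted-recon;\\
sid:624; rev:1;)'''
```

Running `options_by_type(parse_rule(SAMPLE_RULE))` shows that the slide's rule is all metadata plus one non-payload test (flags), which is why it matches on TCP flag bits alone and needs no content inspection.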
Page 19: Use of Metadata – Search with reference arachnids,198
Page 20: Information Sharing with Metadata
- Web sites with information on security vulnerabilities:
  - CVE (Common Vulnerabilities and Exposures): cve.mitre.org
  - CERT: http://www.cert.org/nav/index_red.html
Page 21: Uses of NIDS
- Detect network-based attacks
- Detect host-based vulnerabilities based on responses (a typical response of a buffer overflow)
- Test existing security policy loopholes
Page 22: Disadvantages and Future
- Human resources
- Encrypted traffic
- Switched networks – port mirroring
- False positives
- Damage already occurred
- Future: IPS (Intrusion Prevention Systems)
Page 23: Deliverables
- Read the 2 documents on Snort
- Install Snort and test its response to an nmap/nessus scan
- Submit a Word file with a snapshot of the log files (ASCII and binary) and a snippet of the alert file, with a brief explanation of the kind of scan and the results
- Research and understand each of the following:
  - Activate and Dynamic actions (snort_manual.pdf)
  - Possible responses by Snort (snort_manual.pdf)
  - Slick and Snot
- Try to understand the rules