Penetration Testing Security Analysis and Advanced Tools:. Snort. Introduction to Snort Analysis. Snort Widely used, open-source, network-based intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks - PowerPoint PPT Presentation
Penetration Testing
Security Analysis and Advanced Tools:
Snort
Introduction to Snort Analysis
• Snort
– Widely used, open-source, network-based intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks
– Performs protocol analysis and content matching to detect a variety of attacks and probes such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and more
Modes of Operation
• Snort can be configured to run in the following modes:
– Packet Sniffer
– Packet Logger
– Network Intrusion Detection System
– Inline
Features of Snort
• Features of Snort:
– Protocol analysis
– Content searching/matching
– Real-time alerting capability
– Can read a Tcpdump trace and run it against a rule set
– Flexible rules language
• Snort can be configured to watch a network for a particular type of attack profile
– It can alert the incident response team as soon as the attack takes place
Configuring Snort
• Snort is configured using the text file snort.conf
– The include keyword allows other rules files to be included within the rules file
• Variables
– Used to define parameters for detection, specifically those of the local network or of specific servers or ports, for inclusion in or exclusion from the rules
• Snort Preprocessors
– Offer additional detection capabilities
– Port scan: a TCP connection that attempts to send to more than P ports in T seconds, or UDP packets sent to more than P ports in T seconds
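The P-ports-in-T-seconds threshold above, written out as a sliding-window detector over constructed connection records. This is an added Python example, not the code of Snort's port scan preprocessor; the event tuple layout and the detect_port_scans name are assumptions made here.

```python
from collections import defaultdict, deque

# Constructed connection attempts: (timestamp in seconds, src ip, dst ip, dst port).
# 10.0.0.5 sweeps five ports in two seconds, 10.0.0.7 is a normal web client,
# 10.0.0.9 probes the same five ports but five seconds apart (a slow scan).
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", "192.168.1.10", 21),
    (0.5, "10.0.0.5", "192.168.1.10", 22),
    (1.0, "10.0.0.5", "192.168.1.10", 23),
    (1.5, "10.0.0.5", "192.168.1.10", 25),
    (2.0, "10.0.0.5", "192.168.1.10", 80),
    (0.2, "10.0.0.7", "192.168.1.10", 80),
    (0.8, "10.0.0.7", "192.168.1.10", 443),
    (1.4, "10.0.0.7", "192.168.1.10", 80),
    (2.2, "10.0.0.7", "192.168.1.10", 443),
    (0.0, "10.0.0.9", "192.168.1.10", 21),
    (5.0, "10.0.0.9", "192.168.1.10", 22),
    (10.0, "10.0.0.9", "192.168.1.10", 23),
    (15.0, "10.0.0.9", "192.168.1.10", 25),
    (20.0, "10.0.0.9", "192.168.1.10", 80),
]


def detect_port_scans(events, p_ports=4, t_seconds=3.0):
    """Return one alert per (src, dst) pair that touches more than p_ports
    distinct destination ports within any t_seconds window.

    This is the P-ports-in-T-seconds threshold the slides describe for the
    port scan preprocessor, done as a sliding window per source/destination
    pair; it is an illustration, not Snort's own implementation.
    """
    windows = defaultdict(deque)   # (src, dst) -> deque of (ts, port) still inside the window
    alerted = set()
    alerts = []
    for ts, src, dst, port in sorted(events):   # process in time order
        key = (src, dst)
        win = windows[key]
        win.append((ts, port))
        while ts - win[0][0] > t_seconds:      # expire entries older than T seconds
            win.popleft()
        distinct = {p for _, p in win}
        if len(distinct) > p_ports and key not in alerted:
            alerted.add(key)                   # alert once per pair, as a sensor would
            alerts.append({"src": src, "dst": dst, "at": ts, "ports": sorted(distinct)})
    return alerts


if __name__ == "__main__":
    for a in detect_port_scans(SAMPLE_EVENTS):
        print(f"portscan from {a['src']} to {a['dst']} at t={a['at']}: ports {a['ports']}")
```

With the default T of 3 seconds the slow scanner 10.0.0.9 never crosses the threshold; widening T to 30 seconds catches it, which is the tuning trade-off the P and T parameters expose.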
Configuring Snort (cont’d.)
These are the different directives that can be used with the config command
Configuring Snort (cont’d.)
• Output Plug-ins
– Allow Snort to be much more flexible in the formatting and presentation of output to its users
– Snort has nine output plug-ins:
• alert_syslog
• alert_fast
• alert_full
• alert_unixsock
• log_tcpdump
• database
• csv
• unified
• log_null
How Snort Works
• Initializing Snort
– Starting up
– Parsing the configuration file
• Decoding
– Execution begins at the ProcessPacket() function when a new packet is received
• Preprocessing
– The ProcessPacket() function tests to see which mode Snort is running in
• Detection
– The detection phase begins in the Detect() function
Content Matching
• Snort uses a series of string matching and parsing functions
– Contained in the src/mstring.c and src/mstring.h files in the Snort source tree
• The detection engine slightly changes the way Snort works by having the first phase be a setwise pattern match
• Some detection options, such as pcre and byte_test, perform detection in the payload section of the packet rather than using the setwise pattern-matching engine
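The two-phase flow described above, a setwise content match first and then the payload-inspecting options (pcre, byte_test) only for the rules that survived it, as an added Python example that is not Snort's detection engine. The RULES list, its local-range sids, the sample payloads and the min_payload stand-in for a byte_test length check are all constructed here.

```python
import re

# Constructed rule set, not Snort's own rules; sids sit in the local 1000000+ range.
# Each rule has one content string used as its first-phase (setwise) anchor plus
# optional second-phase checks modelled on pcre and byte_test.
RULES = [
    {"sid": 1000001, "content": b"/cgi-bin/",
     "pcre": re.compile(rb"/cgi-bin/[^\s?]*\.\./")},            # traversal inside a CGI path
    {"sid": 1000002, "content": b"USER ", "min_payload": 200},  # oversized FTP USER command
    {"sid": 1000003, "content": b"\x90\x90\x90\x90"},           # run of x86 NOPs
]


def build_setwise_index(rules):
    """Group rules by content string so each distinct pattern is searched once,
    however many rules share it."""
    index = {}
    for rule in rules:
        index.setdefault(rule["content"], []).append(rule)
    return index


def setwise_candidates(payload, index):
    """Phase 1: rules whose content string occurs anywhere in the payload. A plain
    substring test per pattern stands in here for Snort's multi-pattern search."""
    return [rule for pattern, group in index.items() if pattern in payload for rule in group]


def evaluate(payload, rules=RULES):
    """Phase 2: run the payload-inspecting options only for phase-1 candidates and
    return the sids of rules whose every option matched, in ascending order."""
    fired = []
    for rule in setwise_candidates(payload, build_setwise_index(rules)):
        if "pcre" in rule and not rule["pcre"].search(payload):
            continue                       # content hit but regex miss: no alert
        if "min_payload" in rule and len(payload) < rule["min_payload"]:
            continue                       # byte_test-style length check failed
        fired.append(rule["sid"])
    return sorted(fired)


if __name__ == "__main__":
    print(evaluate(b"GET /cgi-bin/../../secret.txt HTTP/1.0\r\n"))   # [1000001]
    print(evaluate(b"GET /cgi-bin/status.cgi HTTP/1.0\r\n"))         # []
```

The second request shows why the content string alone is not the signature: it passes phase 1 but the pcre option rejects it, so no alert is raised.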
The Stream4 Preprocessor
• stream4 module
– Provides TCP stream reassembly and stateful analysis capabilities to Snort
– Gives large-scale users the ability to track many simultaneous TCP streams
– Set to handle 8,192 simultaneous TCP connections in its default configuration
• Stream4 contains two configurable modules:
– Global Stream4 preprocessor
– Stream4 reassemble preprocessor
Inline Functionality
• Implemented using the iptables or ipfw firewall option to provide the functionality for a new set of rule types: drop, reject, and sdrop
• Inline Initialization
– The inline_flag variable is used to toggle the use of inline functionality in Snort
• Inline Detection
– To receive packets from ipqueue or ipfw, calls to the IpqLoop() and IpfwLoop() functions are added to the SnortMain() function
Writing Snort Rules
• Snort uses a simple, lightweight rule description language that is both flexible and powerful
• The Rule Header (fields)
– Rule action
– Protocol
– IP address
– Port information
– Directional operator
• Rule Options
– Specify exactly what to match and what to display after a successful match
Writing Snort Rules (cont’d.)
These are all available Snort rule options.
Writing Snort Rules (cont’d.)
• Writing Good Snort Rules
– Develop effective content-matching strings
– Catch the vulnerability, not the exploit
– Catch the oddities of the protocol in the rule
– Optimize the rules
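A parser for the rule header fields and rule options listed on the Writing Snort Rules slide, with a small lint pass that checks the points from this slide and the pcre-without-content case from the content-matching slide. This is an added Python example rather than Snort's own rule parser; SAMPLE_RULE, its local-range sid and the function names are constructed here.

```python
import re

# Header grammar as the slides list it: action, protocol, source IP and port, directional
# operator, destination IP and port, then the parenthesised option list.
HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+(?P<direction>->|<>)\s+"
    r"(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\((?P<options>.*)\)\s*$"
)

# Constructed sample rule; the sid is in the local-rule range, not a real Snort signature.
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CGI probe; constructed example"; '
               'flow:to_server,established; content:"/cgi-bin/"; nocase; sid:1000001; rev:1;)')


def split_options(text):
    """Split 'key:value; flag; ...' into (key, value) pairs, value None for a bare flag
    such as nocase. A ';' inside a quoted msg or content value must not end the option."""
    pieces, buf, quoted = [], "", False
    for ch in text:
        if ch == '"' and not buf.endswith("\\"):   # an escaped quote does not close the string
            quoted = not quoted
        if ch == ";" and not quoted:
            pieces.append(buf)
            buf = ""
        else:
            buf += ch
    pieces.append(buf)                            # tolerate a missing final ';'
    pairs = []
    for piece in pieces:
        if piece.strip():
            key, _, value = piece.strip().partition(":")
            pairs.append((key.strip(), value.strip() or None))
    return pairs


def parse_rule(rule):
    """Return {'header': {...}, 'options': [...]}; raise ValueError on malformed input."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a single-line Snort rule")
    fields = ("action", "proto", "src_ip", "src_port", "direction", "dst_ip", "dst_port")
    return {"header": {f: m.group(f) for f in fields}, "options": split_options(m.group("options"))}


def lint_rule(parsed):
    """Checks taken from the 'Writing Good Snort Rules' and content-matching slides."""
    keys = [k for k, _ in parsed["options"]]
    problems = [f"missing {k}" for k in ("msg", "sid", "rev") if k not in keys]
    if "pcre" in keys and "content" not in keys:
        problems.append("pcre without content: no setwise prefilter, so the regex runs on every packet")
    return problems
```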
Snort Tools
• IDS Policy Manager
– Written to manage Snort IDS sensors in a distributed environment
• Snort Rules Subscription
– Sourcefire, the company behind Snort, uses a registration and subscription model for distribution of new rules
• Honeynet Security Console
– Analysis tool to view events on a personal network or honeynet
Snort Tools (cont’d.)
IDS Policy Manager configures Snort with a graphical user interface.
Snort Tools (cont’d.)
Honeynet Security Console displays and analyzes events from several IDS programs.
Summary
• Snort is a powerful intrusion detection system (IDS) and traffic analyzer
• A Snort configuration file has four major components:
– Variables
– Preprocessors
– Output plug-ins
– Rules
• A Snort rule contains a rule header and rule options
• Users can write their own Snort rules either manually or with the assistance of tools
Summary (cont’d.)
• A three-homed firewall DMZ handles the traffic between the internal network and firewall, as well as the traffic between the firewall and DMZ
• A site survey can be conducted to determine the proper number of access points needed based on the expected number of users and the specific environment for a WLAN
• Authentication may not be desired if a network is publicly accessible
• An access point is a layer-2 device that serves as an interface between the wireless network and the wired network