Snort Intrusion detection system
Charles Beckmann
Anthony Magee
Vijay Iyer
Software
Debian 5.0 - Robust and stable platform with large community support
IPtables - Popular and preferred on Debian
Snort - Open source, mature, rule driven IDS
Guardian Active Response - Active firewall modification scripts for several firewall programs (not to be confused with DansGuardian)
Snort
Network intrusion detection and prevention system (IDS)
Analyzes incoming traffic for signs of attack
Protocol analysis
Heuristic content matching
Rule based
Report generation
Guardian Active Response
Designed for Snort
Whitelist for preventing unwanted blocking
Written in Perl
Supports watching multiple IPs
IPtables
Default firewall controller for Debian
Simple to use
Provides fine grained control when needed
Example rule to drop all MySQL traffic to a specific machine:
iptables -A FORWARD -p tcp -m tcp -s 0.0.0.0/0 -d <some IP> --dport 3306 -m state --state NEW -j DROP
Motivations: Why do we need Snort?
Many forms of attack can go completely undetected by casual observation
Many modern attacks, such as DDoS, are impossible to prevent or contain using static firewall rules
We need a cheap and automated solution
Motivations: Why use Guardian?
Uses Snort logs to dynamically block threats
Setup & Integration
Installed on a dedicated machine: The Acronym Friendly Vast Lab Intrusion Detection and Prevention System (AFVLIDPS)
Passive connection to hub sniffs incoming traffic without incurring additional delay
There is a delay, however, between the start of the attack and the Guardian response
Rules
Avoid service interruptions due to false positives
Creating rules requires nontrivial amounts of data and analysis
Quality of Service
Restrict to times of day
Restrict based on attack frequency
Staged restrictions
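The Guardian-style loop the slides describe (read Snort alert lines, honour a whitelist so trusted hosts are never blocked, and only emit an iptables DROP rule like the one on the IPtables slide once a source crosses an attack-frequency threshold), as an added example in Python rather than Guardian's own Perl. The alert lines, whitelist networks and threshold are constructed for illustration, and the rules are returned as strings, not executed.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Snort "fast" alert format; the lines below are constructed samples, not real traffic.
SAMPLE_LOG = """\
01/20-12:00:01.123456  [**] [1:2003:8] SCAN SSH brute force [**] [Priority: 2] {TCP} 203.0.113.7:40001 -> 192.168.1.10:22
01/20-12:00:02.223456  [**] [1:2003:8] SCAN SSH brute force [**] [Priority: 2] {TCP} 203.0.113.7:40002 -> 192.168.1.10:22
01/20-12:00:03.323456  [**] [1:2003:8] SCAN SSH brute force [**] [Priority: 2] {TCP} 203.0.113.7:40003 -> 192.168.1.10:22
01/20-12:00:04.423456  [**] [1:1000:1] MySQL probe [**] [Priority: 3] {TCP} 192.168.1.50:5000 -> 192.168.1.10:3306
01/20-12:00:05.523456  [**] [1:1000:1] MySQL probe [**] [Priority: 3] {TCP} 198.51.100.9:5000 -> 192.168.1.10:3306
""".splitlines()

# Only the tail of the alert line is needed for a block decision.
ALERT_RE = re.compile(
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Assumed whitelist: the lab LAN and a management host must never be blocked.
WHITELIST = [ip_network("192.168.1.0/24"), ip_network("10.0.0.1/32")]

def parse_alerts(lines):
    """Yield (src, dst, dport, priority) for every line that parses as a Snort fast alert."""
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"]), int(m["prio"])

def is_whitelisted(ip):
    """True if the address falls in any whitelisted network (the 'unwanted blocking' guard)."""
    addr = ip_address(ip)
    return any(addr in net for net in WHITELIST)

def plan_blocks(lines, threshold=3):
    """Count alerts per source and, once a non-whitelisted source reaches the
    threshold, build one DROP rule for it in the style of the IPtables slide.
    Returns {source_ip: iptables_command}."""
    hits = Counter()
    rules = {}
    for src, dst, dport, prio in parse_alerts(lines):
        if is_whitelisted(src):
            continue  # never block trusted hosts, whatever Snort reports
        hits[src] += 1
        if hits[src] >= threshold and src not in rules:
            rules[src] = (f"iptables -A FORWARD -p tcp -m tcp -s {src}/32 -d {dst} "
                          f"--dport {dport} -m state --state NEW -j DROP")
    return rules
```

With the constructed log, only 203.0.113.7 is blocked: the LAN host is whitelisted and the single probe from 198.51.100.9 stays under the threshold.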
Performance
Guardian can read the logs quickly
MySQL logs are used to view reports and do not affect speed of system
QoS - Quality of Service
Block all potentially harmful traffic? Limit harmful traffic? Leak a little traffic from harmful sources?