Click here to load reader

Snort Intrusion Detection System

  • View

  • Download

Embed Size (px)


Snort Intrusion Detection System. Outline. What is snort? What can it do? How is it installed? How is it configured? How is it used?. History. First released in 1998 by Martin Roesch Originally intended to be a lightweight intrusion detection technology. Has evolved ... - PowerPoint PPT Presentation

Text of Snort Intrusion Detection System

  • cs490ns - cotter*SnortIntrusion Detection

  • cs490ns - cotter*OutlineWhat is snort?What can it do?How is it installed?How is it configured?How is it used?

  • cs490ns - cotter*HistoryFirst released in 1998 by Martin RoeschOriginally intended to be a lightweight intrusion detection technology.Has evolved ...3 Million downloads225k active users.

  • cs490ns - cotter*CapabilitiesFour modes of operationPacket Sniffer modePacket Logger modeNetwork Intrusion Detection ModeNetwork Intrusion Prevention

  • CapabilitiesPacket Sniffer modeRead packets (based on rules) and display on console./snort -devPacket LoggerLog all packets into a local log, organized into directories by IP address./snort dev l ./log./snort dev l ./log h

  • CapabilitiesNIDS ModeScan packets for a given combination of parametersOutput options ASCII / binary (tcpdump format)./snort d l ./log h c snort.conf

  • cs490ns - cotter*Snort Rulealert tcp any any -> $Home 80 (flags:S; msg:Port 80 SYN;)

    Action Fieldalert, log, pass, activate, dynamicProtocol Fieldtcp, udp, icmp, ipSource / Destination address and portdirection indicatorRule Optionsmsg, logto, id, dsize, seq, ack, flags, content, session

  • cs490ns - cotter*Example Rulesalert tcp any any -> 21 \(msg: attempted anonymous ftp access; \content: anonymous; offset: 5;)alert tcp any any -> any any (msg: Null Scan; \flags: 0)log tcp any any 21 \(session: printable;)alert udp any any -> 31337 \(msg: Back Orifice;)

  • cs490ns - cotter*Rule TypesAlert RulesPass RulesLog Rules

    Safe Order: Alert, Pass, LogEfficient Order: Pass, Alert, Log

  • cs490ns - cotter*Installing SnortLocating the IDS relative to networkPlace Snort outside of firewallPlace Snort just inside firewallPlace Snort on critical systems (host based)Install softwareDownload source or binaries from snort.orgWindows / LinuxCompile and/or install./etc/snort (configuration files)/usr/sbin (executable program)/var/log/snort (typical log file directory)

  • cs490ns - cotter*/etc/snort/snort.confServes as a default configuration (once home network has been identified)Data Types include (similar to programming includes)include: reference.configpreprocessor (functional modules)preprocessor frag3var (variables)var HOME_NET (configure various options)config disable_tcpopt_obsolete_alerts

  • cs490ns - cotter*snort.conf setup 1) Set the variables for your network 2) Configure dynamic loaded libraries 3) Configure preprocessors 4) Configure output plugins 5) Add any runtime config directives 6) Customize your rule set

  • cs490ns - cotter*snort.conf setupSet the variables for your networkvar HOME_NET [,]var EXTERNAL_NET anyvar DNS_SERVERS $HOME_NETvar HTTP_SERVERS $HOME_NETvar HTTP_PORTS 80var ORACLE_PORTS 1521var RULE_PATH /etc/snort/rules

  • snort.conf setupConfigure dynamic loaded librariesLocated in /usr/lib/

  • cs490ns - cotter*snort.conf setupConfigure preprocessorspreprocessor flow: stats_interval 0 hash 2preprocessor frag3_global: max_frags 65536preprocessor frag3_engine: policy first detect_anomaliespreprocessor stream4: disable_evasion_alertspreprocessor rpc_decode: 111 32771preprocessor bo

  • cs490ns - cotter*snort.conf setupConfigure output pluginsoutput alert_syslog: LOG_AUTH LOG_ALERToutput database: log, mssql, dbname=snort \ user=snort password=testoutput alert_unified: filename snort.alert, limit 128ruletype suspicious { type log output log_tcpdump: suspicious.log }suspicious tcp $HOME_NET any -> $HOME_NET 6667 \ (msg:"Internal IRC Server";)

  • cs490ns - cotter*snort.conf setupAdd any runtime config directivesconfig ignore_ports: tcp 21 6667:6671 1356config ignore_ports: udp 1:17 53config disable_decode_alertsconfig disable_tcpopt_obsolete_alerts

  • cs490ns - cotter*snort.conf setupCustomize your rule setinclude $RULE_PATH/local.rulesinclude $RULE_PATH/bad-traffic.rulesinclude $RULE_PATH/exploit.rulesinclude $RULE_PATH/scan.rulesinclude $RULE_PATH/finger.rulesinclude $RULE_PATH/ftp.rules

    (More than 50 sets of rules defined)

  • cs490ns - cotter*bad-traffic rules12 rules in test rule setalert tcp $EXTERNAL_NET any $HOME_NET 0 (msg:"BAD-TRAFFIC tcp port 0 traffic"; flow:stateless; classtype:misc-activity; sid:524; rev:8;)Capture any incoming traffic to port 0 of any LAN HOME_NET machine. More information given in signature file 524.txt

  • Signature 524.txtRule:--Sid: 524--Summary:This event is generated when TCP traffic to port 0 is detected. This should not be seen in normal TCP communications.--Impact:Possible reconnaisance. This may be an attempt to verify the existance of a host or hosts at a particular address or address range.--Detailed Information:TCP traffic to port 0 is not valid under normal circumstances.

    an indicator of unauthorized network use, reconnaisance activity or system compromise. These rules may also generate an event due to improperly configured network devices.--Affected Systems:Any--

    Attack Scenarios:The attacker could send packets to a host with a destination port of 0. The attacker might also be using hping to verify the existance of a host as a prelude to an attack.--Ease of Attack:Simple--False Positives:None Known--False Negatives:None Known--Corrective Action:Disallow TCP traffic to port 0.--Contributors:Original rule writer unknownSourcefire Vulnerability Research TeamNigel Houghton [email protected] References:

    cs490ns - cotter*

  • cs490ns - cotter*Certified Rules for Snort User RulesAvailable immediately upon releaseRegistered User RulesSame rules, but released with a 30 day delayUnregistered User RulesSingle set of rules for each snort release (mostly for testing purposes).

  • cs490ns - cotter*Typical InstallationsUsed in any of the configurations discussed in IDS lectureInstallation may be configured with several Snort sensorsoutside networkmonitoring traffic just inside firewallmonitoring key servers

  • Inline ModeConfigure Snort to receive packets from iptables rather than libpcap.Separate capability that must be explicitly installed.Adds 3 new rule typesDrop iptables drops packet and snort logsReject iptables rejects packet and snort logsSdrop iptables will drop packet. No logging.

  • Inline ModeStart iptablesiptables A OUTPUT p tcp dport j QUEUETraffic is routed to QUEUE, where it can be captured by snort_inlineStart Snortsnort_inline QDc ../etc/drop.conf l /var/log/snort-Q get packets from iptables-D run in daemon mode-c specify configuration file-l specify log file

  • cs490ns - cotter*Complex installationsUse Snort to monitor traffic and log suspicious or dangerous traffic.Store information in binary format Much faster than ascii storage.Store information to a databasemysql, postgresql, oracle, MS sql, ODBCMuch easier to process / analyze dataUse data analysis front-ends to examine logsBarnyard ( (Basic Analysis and Security Engine)

  • cs490ns - cotter*SummarySnort is a powerful tool for monitoring network traffic for anomalies that might indicate network intrusionCan be used in several different configurationsWell supportedCode BaseRules Sets

    *cs490ns - cotter*cs490ns - cotter*cs490ns - cotter*cs490ns - cottercs490ns - cotter*cs490ns - cotter*cs490ns - cotter*cs490ns - cotter*cs490ns - cotter*cs490ns - cotter*cs490ns - cottercs490ns - cotter*cs490ns - cotter*cs490ns - cotter*cs490ns - cotter*cs490ns - cotter*cs490ns - cotter*cs490ns - cotter

Search related