Click here to load reader

Snort The Lightweight Intrusion Detection System

  • View
    220

  • Download
    4

Embed Size (px)

Text of Snort The Lightweight Intrusion Detection System

  • SnortTheLightweight Intrusion Detection System

  • The other games in townHeavyweight systems:

    Stateful firewalls: Example: Checkpoint Firewall One

    Commercial network intrusion detection systems: Example: Network Flight Recorder (NFR)

  • The Art of Intrusion Detection:Know the protocols.Watch the web.Set up your IDS monitor.Install and tune Snort.Set up your switches.Watch and process logs.

  • Know the protocols

  • Watch the web

  • Watch the webwww.snort.orgwww.securityfocus.comcsrc.nist.govwww.sans.orgwww.cert.org

  • Set up your IDS monitor

  • Set up your IDS monitorGeneric Intel CPUUNIX-like O/S with LIBPCAPThe software

  • Install and tune SnortCompileDownloadTune the rules

  • Set up your switchesUser PCCross-over jumperThe Default VLAN or ELANRemote SwitchLocal SwitchSnort BoxManagement VLAN

  • Set up your switchesremote-switch# set vlan 2 port 3/2remote-switch# set vlan 2 port 3/3remote-switch# set span 1 3/1 create

    local-switch# set vlan 2 port 4/1local-switch# set vlan 2 port 4/2

  • Watch and process logsThere are lots of PERL programs.Snort can send a WINPOPUP via SMB.Snort can log to an MSQL database.Get fancy by going through syslog.Tip: keep systems in sync with NTP.

  • Snort rule anatomyalert tcp any any - 10.1.1.0/24 80 \ (content: "/cgi-bin/phf"; msg: "PHF probe!";)

    alert tcp any any - 10.1.1.0/24 6000:6010 \ (msg: "X traffic";)

  • Snort rule anatomyIMAP attack:

  • Snort rule anatomyalert tcp any any - 192.168.1.0/24 143 \ (content:"|E8C0 FFFF FF|/bin/sh"; msg: \ "New IMAP Buffer Overflow detected!";)

  • Operational hintRun from /etc/inittab with respawn option:snort:5:respawn:/usr/local/bin/snort

    or a shell program:#!/bin/sh:while truedo /bin/date > /var/log/snort-restart.log /usr/local/bin/snortdone

  • Thank you