Snort: The Lightweight Intrusion Detection System

The other games in town
Heavyweight systems:
Stateful firewalls (example: Checkpoint Firewall One)
Commercial network intrusion detection systems (example: Network Flight Recorder, NFR)
The Art of Intrusion Detection:
Know the protocols.
Watch the web.
Set up your IDS monitor.
Install and tune Snort.
Set up your switches.
Watch and process logs.
Know the protocols
Watch the web
Watch the web
www.snort.org
www.securityfocus.com
csrc.nist.gov
www.sans.org
www.cert.org
Set up your IDS monitor
Set up your IDS monitor
Generic Intel CPU
UNIX-like O/S with LIBPCAP
The software

Install and tune Snort
Compile
Download
Tune the rules
Set up your switches
(Diagram: User PC, cross-over jumper, the default VLAN or ELAN, remote switch, local switch, Snort box, management VLAN.)

Set up your switches
remote-switch# set vlan 2 port 3/2
remote-switch# set vlan 2 port 3/3
remote-switch# set span 1 3/1 create

local-switch# set vlan 2 port 4/1
local-switch# set vlan 2 port 4/2
Watch and process logs
There are lots of PERL programs.
Snort can send a WINPOPUP via SMB.
Snort can log to an MSQL database.
Get fancy by going through syslog.
Tip: keep systems in sync with NTP.
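As an added example of the "process logs" step (this is not code from the slides or from the Snort project), the script below parses Snort alert lines written in the `alert_fast` output layout and summarizes them: counts per message and per source address, sources that touched several distinct destinations, and the most urgent alerts. The log lines, signature IDs and addresses are constructed for the example; the message texts are the ones used in the slides' rules.

```python
"""Summarize Snort 'fast' alert log lines (added example, not from the slides).

The constructed sample lines follow the alert_fast layout:
  MM/DD-HH:MM:SS.micros  [**] [gid:sid:rev] message [**] [Classification: ...]
  [Priority: N] {PROTO} src[:sport] -> dst[:dport]
ICMP alerts carry no ports, so the port parts are optional.
"""
import re
from collections import Counter, defaultdict

# Constructed sample data; the SIDs, addresses and timestamps are made up.
SAMPLE_LOG = """\
04/12-09:15:01.123456  [**] [1:1000001:1] PHF probe! [**] [Priority: 2] {TCP} 172.16.5.9:40212 -> 10.1.1.7:80
04/12-09:15:03.654321  [**] [1:1000002:1] X traffic [**] [Priority: 3] {TCP} 172.16.5.9:40214 -> 10.1.1.8:6001
04/12-09:15:04.000001  [**] [1:1000002:1] X traffic [**] [Priority: 3] {TCP} 172.16.5.9:40215 -> 10.1.1.9:6001
04/12-09:15:10.000000  [**] [1:1000004:1] ICMP PING [**] [Priority: 3] {ICMP} 172.16.5.9 -> 10.1.1.10
04/12-09:16:40.777777  [**] [1:1000003:1] New IMAP Buffer Overflow detected! [**] [Priority: 1] {TCP} 203.0.113.45:51000 -> 192.168.1.20:143
this line is not an alert and must be skipped
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"(?:\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+)?"   # [gid:sid:rev] is optional
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alerts(text):
    """Return one dict per well-formed alert line; anything else is skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["prio"] = int(rec["prio"]) if rec["prio"] else None
        alerts.append(rec)
    return alerts


def summarize(alerts, sweep_threshold=2):
    """Counts per message and per source, plus sources that hit
    at least sweep_threshold distinct destinations (a simple sweep heuristic)."""
    by_msg = Counter(a["msg"] for a in alerts)
    by_src = Counter(a["src"] for a in alerts)
    targets = defaultdict(set)
    for a in alerts:
        targets[a["src"]].add(a["dst"])
    sweeps = sorted(src for src, dsts in targets.items() if len(dsts) >= sweep_threshold)
    return {"by_msg": by_msg, "by_src": by_src, "sweeps": sweeps}


def high_priority(alerts, max_prio=1):
    """Alerts at or above a priority (in Snort, a lower number is more urgent)."""
    return [a for a in alerts if a["prio"] is not None and a["prio"] <= max_prio]


if __name__ == "__main__":
    found = parse_alerts(SAMPLE_LOG)
    report = summarize(found)
    for msg, n in report["by_msg"].most_common():
        print("%4d  %s" % (n, msg))
    print("possible sweeps from:", ", ".join(report["sweeps"]))
    for a in high_priority(found):
        print("URGENT %s %s -> %s (%s)" % (a["ts"], a["src"], a["dst"], a["msg"]))
```

Feed it a real file with `parse_alerts(open(path).read())`; the summary is deliberately built from return values so it can be piped into whatever notifier is used (the slides mention WINPOPUP and syslog).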
Snort rule anatomy
alert tcp any any -> 10.1.1.0/24 80 \
  (content: "/cgi-bin/phf"; msg: "PHF probe!";)

alert tcp any any -> 10.1.1.0/24 6000:6010 \
  (msg: "X traffic";)
Snort rule anatomy
IMAP attack:

alert tcp any any -> 192.168.1.0/24 143 \
  (content:"|E8C0 FFFF FF|/bin/sh"; \
   msg: "New IMAP Buffer Overflow detected!";)
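To make the rule anatomy concrete, here is an added example (my own code, not Snort's) of a small parser and matcher for the three rules above. It handles exactly the pieces the slides use: the header fields (action, protocol, source, source port, direction, destination, destination port), `any`, CIDR networks, single ports and `low:high` ranges, and the `content:` and `msg:` options, including the `|..|` hex notation in the IMAP rule. The packets it is run against are constructed test fixtures, not captured traffic.

```python
"""Minimal parser and matcher for Snort 1.x-style rules (added example, not Snort code)."""
import ipaddress
import re


def _parse_port(spec):
    """'any' -> (0, 65535); '80' -> (80, 80); '6000:6010' -> (6000, 6010)."""
    if spec == "any":
        return (0, 65535)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0, int(hi) if hi else 65535)
    port = int(spec)
    return (port, port)


def _parse_addr(spec):
    """'any' -> None (matches everything); otherwise an ip_network."""
    return None if spec == "any" else ipaddress.ip_network(spec, strict=False)


def _decode_content(text):
    """Turn a content string such as '|E8C0 FFFF FF|/bin/sh' into raw bytes."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")                # literal text
        else:
            out += bytes.fromhex(part.replace(" ", ""))  # hex between pipes
    return bytes(out)


_HEADER = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.S,
)
_OPTION = re.compile(r'(\w+)\s*:\s*"((?:[^"\\]|\\.)*)"')


def parse_rule(rule_text):
    """Parse one rule (backslash-newline continuations allowed) into a dict."""
    rule_text = rule_text.replace("\\\n", " ")
    m = _HEADER.match(rule_text)
    if not m:
        raise ValueError("cannot parse rule: %r" % rule_text)
    opts = dict(_OPTION.findall(m.group("opts")))
    return {
        "action": m.group("action"),
        "proto": m.group("proto").lower(),
        "src": _parse_addr(m.group("src")),
        "sport": _parse_port(m.group("sport")),
        "dir": m.group("dir"),
        "dst": _parse_addr(m.group("dst")),
        "dport": _parse_port(m.group("dport")),
        "content": _decode_content(opts["content"]) if "content" in opts else None,
        "msg": opts.get("msg", ""),
    }


def _match_dir(rule, a_ip, a_port, b_ip, b_port):
    """True if traffic a -> b satisfies the rule's src/sport and dst/dport."""
    if rule["src"] is not None and ipaddress.ip_address(a_ip) not in rule["src"]:
        return False
    if rule["dst"] is not None and ipaddress.ip_address(b_ip) not in rule["dst"]:
        return False
    lo, hi = rule["sport"]
    if not lo <= a_port <= hi:
        return False
    lo, hi = rule["dport"]
    return lo <= b_port <= hi


def rule_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport and payload (bytes)."""
    if pkt["proto"].lower() != rule["proto"]:
        return False
    hit = _match_dir(rule, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if not hit and rule["dir"] == "<>":            # bidirectional rules
        hit = _match_dir(rule, pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if not hit:
        return False
    return rule["content"] is None or rule["content"] in pkt["payload"]


def check_packets(rules, packets):
    """Return the msg of every rule each packet triggers, in order."""
    return [r["msg"] for p in packets for r in rules if rule_matches(r, p)]


# The three rules from the slides, written with the same continuations.
RULES = [parse_rule(r) for r in (
    r"""alert tcp any any -> 10.1.1.0/24 80 \
  (content: "/cgi-bin/phf"; msg: "PHF probe!";)""",
    r"""alert tcp any any -> 10.1.1.0/24 6000:6010 \
  (msg: "X traffic";)""",
    r"""alert tcp any any -> 192.168.1.0/24 143 \
  (content:"|E8C0 FFFF FF|/bin/sh"; msg: "New IMAP Buffer Overflow detected!";)""",
)]

# Constructed sample packets (not captured traffic); the last two must NOT alert.
PACKETS = [
    dict(proto="tcp", src="172.16.5.9", sport=40212, dst="10.1.1.7", dport=80,
         payload=b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"),
    dict(proto="tcp", src="172.16.5.9", sport=40214, dst="10.1.1.8", dport=6001,
         payload=b""),
    dict(proto="tcp", src="203.0.113.45", sport=51000, dst="192.168.1.20", dport=143,
         payload=b"A" * 64 + bytes.fromhex("E8C0FFFFFF") + b"/bin/sh"),
    dict(proto="tcp", src="172.16.5.9", sport=40213, dst="10.1.1.7", dport=80,
         payload=b"GET /index.html HTTP/1.0\r\n"),        # content absent
    dict(proto="udp", src="172.16.5.9", sport=40216, dst="10.1.1.7", dport=80,
         payload=b"/cgi-bin/phf"),                         # wrong protocol
]

if __name__ == "__main__":
    for msg in check_packets(RULES, PACKETS):
        print("ALERT:", msg)
```

Note the decoded IMAP content: the `|E8C0 FFFF FF|` section becomes five raw bytes followed by the literal `/bin/sh`, which is why a text-only search of the payload would miss it. Real Snort does far more (stream reassembly, many more option keywords), so this is an illustration of the header and option layout, not a substitute for it.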
Operational hint
Run from /etc/inittab with the respawn option:
snort:5:respawn:/usr/local/bin/snort

or a shell program:
#!/bin/sh
# Restart Snort whenever it exits; the log file records the time of the latest restart.
while true
do
  /bin/date > /var/log/snort-restart.log
  /usr/local/bin/snort
done
Thank you