The other games in town
Heavyweight systems:
Stateful firewalls:
Example: Checkpoint Firewall One
Commercial network intrusion detection systems:
Example: Network Flight Recorder (NFR)
The Art of Intrusion Detection:
Know the protocols.
Watch the web.
Set up your IDS monitor.
Install and tune Snort.
Set up your switches.
Watch and process logs.
Watch the web
www.snort.org
www.securityfocus.com
csrc.nist.gov
www.sans.org
www.cert.org
Set up your IDS monitor
Generic Intel CPU
UNIX-like O/S with LIBPCAP
The software
Install and tune Snort
Download
Compile
Tune the rules
Set up your switches
[Diagram: User PC, Remote Switch, Local Switch and Snort Box, with a cross-over jumper; the default VLAN (or ELAN) carries the monitored traffic, a separate Management VLAN carries management traffic.]
Set up your switches
remote-switch# set vlan 2 port 3/2
remote-switch# set vlan 2 port 3/3
remote-switch# set span 1 3/1 create
local-switch# set vlan 2 port 4/1
local-switch# set vlan 2 port 4/2
(CatOS syntax. The set span line copies VLAN 1 traffic to port 3/1, the port for the Snort box's sniffing interface; the set vlan lines move the listed ports into VLAN 2. A SPAN destination port only receives the copied frames, so give the sniffing interface no IP address and manage the Snort box over the separate management VLAN.)
Watch and process logs
There are lots of PERL programs.
Snort can send a WINPOPUP via SMB.
Snort can log to a MySQL database.
Get fancy by going through syslog.
Tip: keep systems in sync with NTP, or alerts from different sensors cannot be put in order.
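The kind of log processing the slide has in mind, as an added example in Python rather than one of the Perl scripts it refers to (this is not code from the slides). It parses constructed lines in Snort's one-line "alert fast" style, skips anything malformed instead of dying, then counts alerts per source and per signature and flags chatty sources; the regex, the three-alert threshold and the function names are assumptions made for the example.

```python
"""Summarize Snort alert lines (added example; sample input is constructed)."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample in Snort "alert fast" style, not a real capture.
# Addresses are documentation ranges; the last line is deliberately malformed.
SAMPLE_ALERTS = """\
03/14-10:22:31.118203  [**] [1:1001:1] PHF probe! [**] [Priority: 2] {TCP} 203.0.113.7:40211 -> 10.1.1.5:80
03/14-10:22:31.201777  [**] [1:1002:1] X traffic [**] [Priority: 3] {TCP} 203.0.113.7:40212 -> 10.1.1.7:6003
03/14-10:22:33.004512  [**] [1:1003:1] New IMAP Buffer Overflow detected! [**] [Priority: 1] {TCP} 203.0.113.7:40215 -> 192.168.1.9:143
03/14-10:25:02.550091  [**] [1:1002:1] X traffic [**] [Priority: 3] {TCP} 198.51.100.4:51000 -> 10.1.1.7:6001
this line is malformed on purpose and must be skipped, not crash the parser
"""

# timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"(?:\[\d+:\d+:\d+\]\s+)?"                      # optional [gid:sid:rev]
    r"(?P<msg>.+?)\s+\[\*\*\]\s*"
    r"(?:\[Classification:[^\]]*\]\s*)?"            # optional classification
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s*)?"        # optional priority
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$")


def parse_alerts(text: str) -> Tuple[List[Dict[str, object]], int]:
    """Return (events, skipped): parsed alert dicts and the count of junk lines."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["prio"] = int(ev["prio"]) if ev["prio"] else 0   # 0 = priority not given
            events.append(ev)
        elif line.strip():
            skipped += 1
    return events, skipped


def summarize(events: List[Dict[str, object]], threshold: int = 3) -> Dict[str, object]:
    """Count alerts per source and per signature; flag sources at or above threshold.

    Timestamps are ordered as strings, which is only meaningful when every
    sensor writing the log is on NTP and uses the same MM/DD-HH:MM:SS format.
    """
    by_src = Counter(e["src"] for e in events)
    by_msg = Counter(e["msg"] for e in events)
    stamps = sorted(e["ts"] for e in events)
    return {
        "by_src": dict(by_src),
        "by_msg": dict(by_msg),
        "noisy_sources": sorted(s for s, n in by_src.items() if n >= threshold),
        "high_priority": [(e["ts"], e["msg"], e["src"]) for e in events if e["prio"] == 1],
        "window": (stamps[0], stamps[-1]) if stamps else None,
    }


if __name__ == "__main__":
    evs, junk = parse_alerts(SAMPLE_ALERTS)
    print(f"{len(evs)} alerts parsed, {junk} lines skipped")
    for key, val in summarize(evs).items():
        print(f"{key}: {val}")
```

Feed it a real alert file with `parse_alerts(open(path).read())`; the priority and classification fields are optional in the pattern because older Snort releases do not emit them.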
Snort rule anatomy
Header: action, protocol, source address and port, direction (->), destination address and port; a port may be a single number, any, or a range such as 6000:6010. Options follow in parentheses, each ended by a semicolon: content matches bytes in the payload (hex bytes go between | characters), msg labels the alert. A trailing backslash continues the rule on the next line.
alert tcp any any -> 10.1.1.0/24 80 \
    (content: "/cgi-bin/phf"; msg: "PHF probe!";)
alert tcp any any -> 10.1.1.0/24 6000:6010 \
    (msg: "X traffic";)
alert tcp any any -> 192.168.1.0/24 143 \
    (content:"|E8C0 FFFF FF|/bin/sh"; msg: \
    "New IMAP Buffer Overflow detected!";)
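To make the anatomy concrete, here is a minimal rule matcher written for this page (added example, not Snort's own code). It parses the header of the three rules above, decodes the content option including the |hex| notation and the port range, and runs the rules over constructed packets; the Packet tuple, the sample payloads and the helper names are assumptions for the example, and content matching is a plain substring search rather than Snort's full engine.

```python
"""Minimal matcher for the Snort rule syntax shown above (added example, not
Snort's code): rule header, plus the content and msg options the slides use.
Packet tuples, sample payloads and helper names are assumptions for the example."""
import ipaddress
import re
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The three rules from the slides; a trailing backslash continues a rule.
RULES_TEXT = r"""
alert tcp any any -> 10.1.1.0/24 80 \
    (content: "/cgi-bin/phf"; msg: "PHF probe!";)
alert tcp any any -> 10.1.1.0/24 6000:6010 \
    (msg: "X traffic";)
alert tcp any any -> 192.168.1.0/24 143 \
    (content:"|E8C0 FFFF FF|/bin/sh"; msg: \
    "New IMAP Buffer Overflow detected!";)
"""

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$")

# Constructed stand-in for a decoded TCP segment.
Packet = namedtuple("Packet", "proto src sport dst dport payload")


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    msg: str = ""
    content: Optional[bytes] = None


def parse_content(spec: str) -> bytes:
    """Text outside |...| is literal; hex digits inside become raw bytes."""
    out = bytearray()
    for i, piece in enumerate(spec.split("|")):
        out += bytes.fromhex(piece.replace(" ", "")) if i % 2 else piece.encode("latin-1")
    return bytes(out)


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for line in text.replace("\\\n", " ").splitlines():   # join continuation lines
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError("cannot parse rule: " + line)
        rule = Rule(*(m.group(g) for g in ("action", "proto", "src", "sport", "dir", "dst", "dport")))
        # Options are "key: value;" pairs; this toy split assumes no ';' inside a value.
        for opt in m.group("opts").split(";"):
            key, _, val = opt.partition(":")
            key, val = key.strip(), val.strip().strip('"')
            if key == "msg":
                rule.msg = val
            elif key == "content":
                rule.content = parse_content(val)
        rules.append(rule)
    return rules


def port_ok(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if ":" in spec:                      # lo:hi range; either bound may be empty
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("ip", pkt.proto):
        return False
    ends = [(pkt.src, pkt.sport, pkt.dst, pkt.dport)]
    if rule.direction == "<>":           # bidirectional: either end may be the source
        ends.append((pkt.dst, pkt.dport, pkt.src, pkt.sport))
    if not any(addr_ok(rule.src, s) and port_ok(rule.sport, sp)
               and addr_ok(rule.dst, d) and port_ok(rule.dport, dp) for s, sp, d, dp in ends):
        return False
    return rule.content is None or rule.content in pkt.payload   # plain substring search


def run_rules(rules: List[Rule], packets: List[Packet]) -> List[Tuple[str, str]]:
    """Return (msg, flow) for every alert rule each packet trips, in packet order."""
    return [(r.msg, f"{p.src}:{p.sport} -> {p.dst}:{p.dport}")
            for p in packets for r in rules if r.action == "alert" and rule_matches(r, p)]


# Constructed traffic: the first three should alert, the last two should not.
SAMPLE_PACKETS = [
    Packet("tcp", "203.0.113.7", 40211, "10.1.1.5", 80, b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n"),
    Packet("tcp", "203.0.113.7", 40212, "10.1.1.7", 6003, b"\x6c\x00\x0b\x00"),
    Packet("tcp", "203.0.113.7", 40215, "192.168.1.9", 143, b"A" * 64 + bytes.fromhex("E8C0FFFFFF") + b"/bin/sh"),
    Packet("tcp", "203.0.113.7", 40216, "10.1.1.5", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("tcp", "203.0.113.7", 40217, "10.1.1.7", 6011, b"\x6c\x00\x0b\x00"),
]

if __name__ == "__main__":
    for msg, flow in run_rules(parse_rules(RULES_TEXT), SAMPLE_PACKETS):
        print(f"[**] {msg} [**] {flow}")
```

The fourth packet is ordinary web traffic to the same host and port as the PHF probe and the fifth is X traffic one port outside the 6000:6010 range; neither trips a rule, which is the point of the content option and the port range respectively.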
Operational hint
Run from /etc/inittab with the respawn option, so init restarts snort whenever it exits (the id field is limited to four characters in SysV init, and snort must stay in the foreground, so do not pass -D here):
snrt:5:respawn:/usr/local/bin/snort
or a shell program:
#!/bin/sh
# Keep snort running: restart it whenever it exits and note the time of each restart.
while true
do
    /bin/date >> /var/log/snort-restart.log   # append; > would overwrite the restart history each time
    /usr/local/bin/snort
    sleep 5                                    # avoid a tight loop if snort fails at startup
done