
Snort The Lightweight Intrusion Detection System

The other games in town

Heavyweight systems:

  Stateful firewalls:
    Example: Checkpoint Firewall One

  Commercial network intrusion detection systems:
    Example: Network Flight Recorder (NFR)

The Art of Intrusion Detection:

  Know the protocols.
  Watch the web.
  Set up your IDS monitor.
  Install and tune Snort.
  Set up your switches.
  Watch and process logs.

Know the protocols

Watch the web

  www.snort.org
  www.securityfocus.com
  csrc.nist.gov
  www.sans.org
  www.cert.org

Set up your IDS monitor

  Generic Intel CPU
  UNIX-like O/S with LIBPCAP
  The software

Install and tune Snort

  Compile
  Download
  Tune the rules

Set up your switches

  (Diagram: User PC and Snort Box on the Local Switch and Remote Switch; cross-over jumper; the Default VLAN or ELAN; Management VLAN.)

  remote-switch# set vlan 2 port 3/2
  remote-switch# set vlan 2 port 3/3
  remote-switch# set span 1 3/1 create

  local-switch# set vlan 2 port 4/1
  local-switch# set vlan 2 port 4/2

Watch and process logs

  There are lots of PERL programs.
  Snort can send a WINPOPUP via SMB.
  Snort can log to an MSQL database.
  Get fancy by going through syslog.
  Tip: keep systems in sync with NTP.

Snort rule anatomy

  alert tcp any any -> 10.1.1.0/24 80 \
      (content: "/cgi-bin/phf"; msg: "PHF probe!";)

  alert tcp any any -> 10.1.1.0/24 6000:6010 \
      (msg: "X traffic";)

Snort rule anatomy

IMAP attack:

  alert tcp any any -> 192.168.1.0/24 143 \
      (content:"|E8C0 FFFF FF|/bin/sh"; msg: \
      "New IMAP Buffer Overflow detected!";)
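Added example, not from the slides: a small Python model of the rule anatomy shown above. It parses the header (action, protocol, source and destination address/port, direction) and the content/msg options of the deck's three rules, expands the |hex| notation of the IMAP rule to bytes, and matches constructed packets against them. It is a teaching model, not Snort's own engine, and only handles the "->" direction and the options the slides use.

```python
import ipaddress
import re

# The three rules from the slides (direction operator "->" restored), constructed here as input.
RULES = [
    'alert tcp any any -> 10.1.1.0/24 80 (content: "/cgi-bin/phf"; msg: "PHF probe!";)',
    'alert tcp any any -> 10.1.1.0/24 6000:6010 (msg: "X traffic";)',
    'alert tcp any any -> 192.168.1.0/24 143 '
    '(content:"|E8C0 FFFF FF|/bin/sh"; msg: "New IMAP Buffer Overflow detected!";)',
]
# Rule header: action proto src_ip src_port -> dst_ip dst_port (options)
HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')

def content_to_bytes(spec):
    """Snort content: text outside |...| is literal, text inside |...| is hex bytes."""
    out = bytearray()
    for i, piece in enumerate(spec.split('|')):
        out += bytes.fromhex(piece) if i % 2 else piece.encode()
    return bytes(out)

def parse_rule(text):
    m = HEADER.match(text)
    if not m:
        raise ValueError('unparseable rule: ' + text)
    rule = dict(zip(('action', 'proto', 'src', 'sport', 'dst', 'dport'), m.groups()[:6]))
    # Options are "key: value;" pairs; content becomes bytes, everything else stays a string.
    for opt in filter(None, (o.strip() for o in m.group(7).split(';'))):
        key, _, val = opt.partition(':')
        val = val.strip().strip('"')
        rule[key.strip()] = content_to_bytes(val) if key.strip() == 'content' else val
    return rule

def endpoint_matches(ip_spec, port_spec, ip, port):
    """'any' matches everything; ports may be a single port (80) or a range (6000:6010)."""
    if ip_spec != 'any' and ipaddress.ip_address(ip) not in ipaddress.ip_network(ip_spec):
        return False
    if port_spec == 'any':
        return True
    lo, _, hi = port_spec.partition(':')
    return int(lo) <= port <= int(hi or lo)

def scan(rule_texts, pkt):
    """Return the msg of every rule whose header and content match the packet dict."""
    hits = []
    for r in map(parse_rule, rule_texts):
        if (endpoint_matches(r['src'], r['sport'], pkt['src'], pkt['sport'])
                and endpoint_matches(r['dst'], r['dport'], pkt['dst'], pkt['dport'])
                and (r.get('content') is None or r['content'] in pkt['payload'])):
            hits.append(r['msg'])
    return hits
```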

Operational hint

Run from /etc/inittab with respawn option:

  snort:5:respawn:/usr/local/bin/snort

or a shell program:

  #!/bin/sh
  :
  # Restart Snort whenever it exits; the date is written to the restart log
  # each time ('>' keeps only the latest restart; use '>>' to keep a history).
  while true
  do
      /bin/date > /var/log/snort-restart.log
      /usr/local/bin/snort
  done

Thank youThank you