The open source network intrusion detection system.
Secure System Administration & Certification
Ravindra Pendyala
The main distribution site for Snort is http://www.snort.org
IDS & History of Snort
What is Snort?
Features of Snort
Snort Modes
Compiling & Installing Snort
Snort Rules
Snort in different Modes
Using Snort
Third Party Enhancements
Conclusion
Intrusion: An intrusion is somebody (a.k.a. "hacker" or "cracker") attempting to break into or misuse your system.
NIDS: A network intrusion detection system (NIDS) monitors packets on the network wire and attempts to discover whether a hacker/cracker is attempting to break into a system (or cause a denial-of-service attack).
NIDS & History of Snort...
Snort was a true case of a programmer scratching his own itch. Here was Marty Roesch with his home network, wanting to see who, if anyone, was trying to penetrate it. This was a small and simple detection system for home use.
Initial Release on Dec 22 1998 - snort-0.96.tar.gz
Latest Release on Oct 3 - snort-1.9.0.tar.gz
Martin Roesch is the founder and CTO of Sourcefire, Inc.
What is Snort?
Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient.
Snort does NOT block intruders. Assumes a human is watching!!!
Snort in simple words …
• Automated tool to detect intrusions
• Works locally (reactionary) or network wide (preemptive)
• Preemptive IDS can use traffic monitoring or content monitoring
• Does NOT block intruders. Assumes a human is watching!!!
Operating Systems
Architecture columns: i386 | Sparc | M68k/PPC | Alpha | Other
Linux: X X X X X (all five architectures)
OpenBSD: X X X
FreeBSD: X X
Solaris: X X
SunOS 4.1.X: X X
HP-UX: X X
AIX: X
IRIX: X
TRU64: X
MacOS X Server: X
Win32: X
• “Lightweight”
• Free
• Portable
• Runs on HP-UX, Linux, AIX, Irix, *BSD, Solaris, Win2K
• Configurable with easy setup
Snort Modes
• Packet sniffer
• Packet Logger
• Preemptive IDS
- Actively monitors network traffic in real time to match intrusion signatures and send alerts
Installing Snort
On Red Hat Linux 7.2, as root:
• Download and install libpcap
• Download and install these three .rpm:
libnet-1.0.2a-1snort.i386.rpm
snort-1.8.4-1snort.i386.rpm
snort-postgresql+flexresp-1.8.4-1snort.i386.rpm
Create /var/log/snort directory
Files installed:
• /etc/snort contains conf and rule files
• /var/log/snort will contain logs
• /usr/sbin/snort contains snort binary
• For a quick test, execute this command within the /etc/snort directory: snort -A console
• From a separate machine, use nmap to generate events for Snort to detect: nmap -sP <snort_machine_IP_address>
Installing on Windows 2000
• Download and install WinPcap
• Download & execute Snort184Win32.exe, select "typical" installation
• mkdir "c:\Program Files\Sourcefire\Snort\log"
Files installed in c:\Program Files\Sourcefire\Snort:
• snort.conf
• \rules directory contains rules
• Snort.exe executable
To test, execute this command within the c:\Program Files\Sourcefire\Snort directory:
• snort -A console
From a separate machine, use nmap to generate events for Snort to detect:
• nmap -sP <snort_machine_IP_address>
You should see an alert like this:
03/27-15:18:06.911226 [**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
{ICMP} 129.244.70.17 -> 129.244.70.237
Snort Rules
Snort rules are extremely flexible and are easy to modify, unlike many commercial NIDS
• Sample rule
alert udp $EXTERNAL_NET 53 -> $HOME_NET :1024 (msg:"MISC source port 53 to <1024";)
The rule alerts on any UDP traffic from the external network with source port 53 going to a privileged port on the home network (:1024 means port 1024 or below)
• Elements before parentheses comprise ‘rule header’
• Elements in parentheses are ‘rule options’
• Rules can: Alert, Log, or Pass
• Used for IP, UDP, ICMP
• Source address / port
• Destination address / port
• Additional options
- This is where content matching can take place
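To show how the header fields and the port and address syntax in the sample rule are evaluated, here is a small toy rule matcher; it is an added example, not Snort's own code, and the $HOME_NET/$EXTERNAL_NET bindings and the two packets are constructed.

```python
# Added example, not Snort's code: a toy evaluator for Snort rule-header syntax
import re
from ipaddress import ip_address, ip_network

# Constructed variable bindings, using the names snort.conf itself uses
VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "!192.168.1.0/24"}
HEADER = re.compile(r"^(alert|log|pass)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def parse_rule(text):
    """Split a rule into header fields and a dict of its (key:value) options."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("malformed rule: " + text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    options = {k.strip(): v.strip().strip('"') for k, _, v in (o.strip().partition(":") for o in opts.split(";") if o.strip())}
    return {"action": action, "proto": proto.lower(), "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}

def addr_matches(spec, ip):
    """'any', a CIDR or a $VAR; a leading '!' (on the spec or on the variable) negates."""
    negate = spec.startswith("!")
    spec = VARS.get(spec.lstrip("!"), spec.lstrip("!"))
    if spec.startswith("!"):            # the variable itself is defined negated
        negate, spec = not negate, spec[1:]
    hit = spec == "any" or ip_address(ip) in ip_network(spec)
    return hit != negate

def port_matches(spec, port):
    """'any', N, N:M, ':M' (M and below), 'N:' (N and above); '!' negates."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        return not negate
    lo, sep, hi = spec.partition(":")
    if not sep:                          # single port: lower and upper bound coincide
        hi = lo
    hit = (not lo or int(lo) <= port) and (not hi or port <= int(hi))
    return hit != negate

def rule_matches(rule, pkt):
    """Header match plus the plain-string form of the 'content' option."""
    hit = (rule["proto"] == pkt["proto"]
           and addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
           and addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"]))
    content = rule["options"].get("content")
    return hit and (content is None or content.encode() in pkt.get("payload", b""))

# The slide's sample rule against two constructed packets: DNS source port into a privileged port (hit), same datagram to an ephemeral client port (miss)
RULE = parse_rule('alert udp $EXTERNAL_NET 53 -> $HOME_NET :1024 (msg:"MISC source port 53 to <1024";)')
PKT_HIT = {"proto": "udp", "src": "10.9.8.7", "sport": 53, "dst": "192.168.1.20", "dport": 111}
PKT_MISS = dict(PKT_HIT, dport=33333)
```

The miss case is the point of the :1024 range: a DNS reply to a client's ephemeral port is not flagged, only traffic that pretends to be DNS while aiming at a privileged service port.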
• bad-traffic.rules exploit.rules scan.rules
• finger.rules ftp.rules telnet.rules
• smtp.rules rpc.rules rservices.rules
• dos.rules ddos.rules dns.rules
• tftp.rules web-cgi.rules web-coldfusion.rules
• web-frontpage.rules web-iis.rules web-misc.rules
• web-attacks.rules sql.rules x11.rules
• icmp.rules netbios.rules misc.rules
• backdoor.rules shellcode.rules policy.rules
• porn.rules info.rules icmp-info.rules
• virus.rules local.rules attack-responses.rules
Luckily you probably won’t have to write rules!
Snort Modes
• Sniffer: snort -dvae will display payloads, be verbose, display ARP traffic, and display link layer data
• Packet Logger: snort -b -l /var/log/snort will log binary data to the /var/log/snort directory
• NIDS: snort -b -l /var/log/snort -A full -c /etc/snort/snort.conf will log binary data in the /var/log/snort directory, with full alerts in /var/log/snort/alert, reading the configuration file in /etc/snort
SnortSnarf www.silicondefense.com/software/snortsnarf/
• SnortSnarf is a Perl program that takes Snort alert files and produces HTML reports
• Output intended for diagnostic inspection
• Silicon Defense also supplies sensors with commercial support
• Description and screenshot taken from SnortSnarf web
Analysis Console for Intrusion Databases (ACID)
• acidlab.sourceforge.net/
• PHP-based analysis engine to search and process a database of security events generated by various IDSes, firewalls, and network monitoring tools
• Query-builder and search interface, packet viewer (decoder), alert management, chart and statistics generation.
• Description and screenshots taken from ACID web
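Both SnortSnarf and ACID start by reading alert records like the ICMP PING NMAP one shown in the installation test. As an added example (not SnortSnarf's, ACID's or Snort's code), here is a small parser for that record layout plus the per-signature and per-source counts a report tool produces; the alert lines below are constructed, with a made-up local rule id for the third one.

```python
# Added example, not SnortSnarf's code: parse Snort alert records and summarise them
import re
from collections import Counter

# Constructed alert records in the layout shown on the slide (sid 1000001 is a made-up local rule)
ALERT_LOG = """\
03/27-15:18:06.911226 [**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
{ICMP} 129.244.70.17 -> 129.244.70.237
03/27-15:18:07.002314 [**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
{ICMP} 129.244.70.17 -> 129.244.70.238
03/27-15:20:41.330017 [**] [1:1000001:1] LOCAL example probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
{UDP} 129.244.70.17:3471 -> 129.244.70.5:53
"""

# One record = timestamp/sig line, classification+priority line, proto/endpoints line;
# ports are absent for ICMP, so they are optional groups
RECORD = re.compile(
    r"(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]\n"
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<pri>\d+)\]\n"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?")

def parse_alerts(text):
    """Return one dict per alert record; any extra per-packet header lines are skipped."""
    records = []
    for m in RECORD.finditer(text):
        r = m.groupdict()
        r["priority"] = int(r.pop("pri"))
        records.append(r)
    return records

def summarise(records):
    """Counts per (sid, message) and per source address, as a report page would show."""
    by_sig = Counter((r["sid"], r["msg"]) for r in records)
    by_src = Counter(r["src"] for r in records)
    return by_sig, by_src

RECORDS = parse_alerts(ALERT_LOG)
```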
Conclusions
Snort is a powerful tool, but maximizing its usefulness requires a trained operator
Snort is considered a superior NIDS when compared to most commercial systems
Snort is a wonderful low- to no-cost solution for businesses.
Snort, written in C, can compile and run on a variety of different operating systems.
Snort.org
Securityfocus.com
Whitehats.com
Questions?