Snort Class- V2


Transcript of Snort Class- V2

Page 1: Snort Class- V2

SNORT

Page 2: Snort Class- V2

A Preview

- NIDS vs. HIDS
- NIDS: Pattern matching
- HIDS: Log Monitoring, File Integrity Checking

Page 3: Snort Class- V2

Criteria For Software NIDS

- Only as secure as the OS
- Logging to a different log server
- Tuning (all IDS)
- Ease of Monitoring (all IDS)
- Alarm
- Response capability: kill a connection, log (Honeynets)

Page 4: Snort Class- V2

A Common Network Topology

Page 5: Snort Class- V2

Location of NIDS

- In the External DMZ
- In the Internal DMZ
- In the protected network
- Before resource servers
- In front/behind a firewall

Page 6: Snort Class- V2

What is Snort?

- A Sniffer like Ethereal
- A packet-logger like tcpdump
- An Intrusion Detection System like CISCO IDS

(Type of IDS?)

Page 7: Snort Class- V2

How to Use Snort?

- Download Snort-2.3.0RC2 from www.snort.org
- Install Snort as shown in the document
- Create the folder /etc/snort and copy some important configuration files to that folder
- Create folder /var/log/snort

Page 8: Snort Class- V2

How to Use Snort? (cont’d)

- Pointing to the rule path in snort.conf file
- Specify the HOME network and EXTERNAL network
- Test run the snort configuration
- snort daemon

Page 9: Snort Class- V2

More Advanced Configuration of Snort

The Snort Internals
- Packet Decoder
- Preprocessor
- Detection Engine

Page 10: Snort Class- V2

Preprocessor Configurations

Preprocessor Configuration in snort.conf
- frag2 – Detects packet fragmentation
- stream4 – Self protection against Snot and Slick
- http_inspect – Web Traffic
- rpc_decode – RPC traffic
- flow_portscan – Statistical details (not used)
- sfportscan – Detect port scanning activities.
- perfmonitor – Self assessment (not used)

Page 11: Snort Class- V2

Other Important Parts of Snort.conf

- Output plugins, e.g. logging to a SQL database.
- Including specific rules files for signature comparisons

Page 12: Snort Class- V2

A Note on Usual Logging Methods

- -l switch to run from command line
- Default log directory when running as a NIDS
- Hierarchical Logging
- Two Logging Modes
  1. ASCII (i.e. plain text) – Inode problem
  2. Binary

Page 13: Snort Class- V2

Inode - Example

Page 14: Snort Class- V2

Logging- Examples

Page 15: Snort Class- V2

Logging- Examples (cont’d)

Page 16: Snort Class- V2

Understanding Snort Rules

    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flags:SF; \
        reference:arachnids,198; classtype:attempted-recon; \
        sid:624; rev:1;)

Page 17: Snort Class- V2

Logging- Examples (cont’d)

Page 18: Snort Class- V2

Types of the Rule Options

- Metadata – reference
- Payload Detection – content
- Non-Payload Detection – packet characteristics like size, fragments
- Post Detection – log to a particular file, kill connections
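To make the rule from the "Understanding Snort Rules" slide and the option families from the slide above concrete, here is a small added example (not part of the class material or of Snort itself) that parses the SCAN SYN FIN rule, tags each option with its family, resolves the $HOME_NET / $EXTERNAL_NET variables (constructed values; the slides only name them) and tests the rule against two constructed packets, one SYN/FIN probe from outside and one ordinary SYN.

```python
"""Parse a Snort 2.x rule, classify its options, and test it on constructed packets."""
import ipaddress
import re

# Constructed snort.conf variables (assumed values). "!$HOME_NET" means
# "any address that is not in HOME_NET", which is how EXTERNAL_NET is usually set.
VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}

# Option families from the "Types of the Rule Options" slide.
OPTION_TYPE = {
    "msg": "metadata", "reference": "metadata", "classtype": "metadata",
    "sid": "metadata", "rev": "metadata", "content": "payload",
    "flags": "non-payload", "dsize": "non-payload", "fragbits": "non-payload",
    "logto": "post-detection", "resp": "post-detection",
}

# The SCAN SYN FIN rule (sid 624) from the slide, written on one line.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flags:SF; '
        'reference:arachnids,198; classtype:attempted-recon; sid:624; rev:1;)')

def parse_rule(text):
    """Split a rule into header fields and a list of (name, value, family) options."""
    header, body = text.split("(", 1)
    action, proto, src, sport, _, dst, dport = header.split()
    opts = [(k, v.strip('"'), OPTION_TYPE.get(k, "unknown"))
            for k, v in re.findall(r'(\w+):("[^"]*"|[^;]*);', body)]
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": opts}

def ip_matches(spec, ip):
    """Resolve $VAR references and a leading '!' (negation), then test membership."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not ip_matches(spec[1:], ip)
    if spec.startswith("$"):
        return ip_matches(VARS[spec[1:]], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def flags_match(spec, pkt_flags):
    """flags:SF requires exactly SYN+FIN; a trailing '+' allows extra flags."""
    want, have = set(spec.rstrip("+")), set(pkt_flags)
    return want <= have if spec.endswith("+") else want == have

def matches(rule, pkt):
    """Header check (protocol, addresses), then the non-payload flags test."""
    if rule["proto"] != pkt["proto"]:
        return False
    if not (ip_matches(rule["src"], pkt["src"]) and ip_matches(rule["dst"], pkt["dst"])):
        return False
    return all(flags_match(v, pkt["flags"]) for k, v, _ in rule["options"] if k == "flags")

# Constructed packets: an outside SYN/FIN probe (should alert) and a normal inbound SYN.
PROBE = {"proto": "tcp", "src": "203.0.113.9", "dst": "192.168.1.20", "flags": "SF"}
NORMAL = {"proto": "tcp", "src": "203.0.113.9", "dst": "192.168.1.20", "flags": "S"}
```

Ports are "any" in this rule and are left unchecked here; a packet from inside HOME_NET never matches because $EXTERNAL_NET resolves to the negation of $HOME_NET.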

Page 19: Snort Class- V2

Use of Metadata – Search with reference arachnids,198

Page 20: Snort Class- V2

Information Sharing with Metadata

Web sites with information on security vulnerabilities:
- CVE (Common Vulnerabilities and Exposures): cve.mitre.org
- CERT: http://www.cert.org/nav/index_red.html

Page 21: Snort Class- V2

Uses of NIDS

- Detect network based attacks
- Detect host based vulnerabilities based on responses (a typical response of a buffer-overflow)
- Test existing security policy loopholes

Page 22: Snort Class- V2

Disadvantages and Future

- Human Resource
- Encrypted traffic
- Switched networks – port mirroring
- False positives
- Damage already occurred

Future: IPS (Intrusion Prevention Systems)

Page 23: Snort Class- V2

Deliverables

- Read the 2 documents on Snort
- Install Snort and test its response to an nmap/nessus scan
- Submit a word file with a snapshot of the log files (ASCII and Binary) and a snippet of the alert file with a brief explanation of the kind of scan and the results
- Research and Understand each of the following:
  - Activate and Dynamic Actions (snort_manual.pdf)
  - Possible responses by Snort (snort_manual.pdf)
  - Slick and Snot
- Try to understand the rules