Snort Class- V2
1
SNORT
2
A Preview
NIDS vs. HIDS
NIDS: Pattern matching
HIDS: Log monitoring, file integrity checking
3
Criteria For Software NIDS
Only as secure as the OS
Logging to a different log server
Tuning (all IDS)
Ease of monitoring (all IDS)
Alarm
Response capability: kill a connection, log (Honeynets)
4
A Common Network Topology
5
Location of NIDS
In the external DMZ
In the internal DMZ
In the protected network
Before resource servers
In front of / behind a firewall
6
What is Snort?
A sniffer like Ethereal
A packet logger like tcpdump
An Intrusion Detection System like Cisco IDS
(Type of IDS?)
7
How to Use Snort?
Download Snort-2.3.0RC2 from www.snort.org
Install Snort as shown in the document
Create the folder /etc/snort and copy some important configuration files to that folder
Create the folder /var/log/snort
8
How to Use Snort? (cont'd)
Set the rule path in the snort.conf file
Specify the HOME network and the EXTERNAL network
Test run the Snort configuration
Run Snort as a daemon
9
More Advanced Configuration of Snort
The Snort internals:
Packet Decoder
Preprocessor
Detection Engine
10
Preprocessor Configurations
Preprocessor configuration in snort.conf:
frag2 – Detects packet fragmentation
stream4 – Self protection against Snot and Slick
http_inspect – Web traffic
rpc_decode – RPC traffic
flow_portscan – Statistical details (not used)
sfportscan – Detects port scanning activities
perfmonitor – Self assessment (not used)
11
Other Important Parts of snort.conf
Output plugins, e.g. logging to a SQL database
Including specific rules files for signature comparisons
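The settings on the last few slides (rule path, HOME/EXTERNAL network variables, preprocessors, output plugins, included rules files) are easy to leave out of a freshly copied snort.conf. The script below is an added example, not part of the course material or of Snort itself: a small Python linter that runs over a constructed snort.conf fragment (the network values, preprocessor arguments and database line are made up for the example). It parses the var, preprocessor, output and include lines, expands $RULE_PATH in include lines the way Snort substitutes variables, and reports each setting the slides call for when it is missing.

```python
"""Sanity-check a Snort 2.x style snort.conf before the test run (added example)."""
import re

# Constructed snort.conf fragment, laid out like a Snort 2.x configuration.
SAMPLE_CONF = """\
# network variables
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules

# preprocessors
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor rpc_decode: 111 32771
preprocessor sfportscan: proto { all } scan_type { all } sense_level { low }

# output plugins
output database: log, mysql, user=snort dbname=snort host=localhost

# rule files
include $RULE_PATH/scan.rules
include $RULE_PATH/web-iis.rules
"""

REQUIRED_VARS = ("HOME_NET", "EXTERNAL_NET", "RULE_PATH")
# The preprocessors the slides enable (flow_portscan and perfmonitor are "not used").
REQUIRED_PREPROCESSORS = ("frag2", "stream4", "http_inspect", "rpc_decode", "sfportscan")


def parse_conf(text):
    """Return (variables, preprocessor names, output plugin names, include paths)."""
    variables, preprocessors, outputs, includes = {}, [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("var "):
            _, name, value = line.split(None, 2)
            variables[name] = value
        elif line.startswith("preprocessor "):
            # "preprocessor stream4: args" -> "stream4"
            preprocessors.append(line.split(None, 1)[1].split(":", 1)[0].strip())
        elif line.startswith("output "):
            outputs.append(line.split(None, 1)[1].split(":", 1)[0].strip())
        elif line.startswith("include "):
            includes.append(line.split(None, 1)[1].strip())
    return variables, preprocessors, outputs, includes


def expand(value, variables):
    """Substitute $NAME references; an undefined name is an error, as it is in Snort."""
    def sub(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(name)
        return variables[name]
    return re.sub(r"\$(\w+)", sub, value)


def lint_conf(text):
    """Return (list of problems, list of resolved include paths)."""
    variables, preprocessors, outputs, includes = parse_conf(text)
    problems = []
    for name in REQUIRED_VARS:
        if name not in variables:
            problems.append(f"missing var {name}")
    if variables.get("HOME_NET") in (None, "any"):
        problems.append("HOME_NET is unset or 'any': every host will count as internal")
    for name in REQUIRED_PREPROCESSORS:
        if name not in preprocessors:
            problems.append(f"preprocessor {name} not enabled")
    if not outputs:
        problems.append("no output plugin configured: alerts stay only in the local log directory")
    if not includes:
        problems.append("no rules files included: the detection engine has nothing to match")
    resolved = []
    for inc in includes:
        try:
            resolved.append(expand(inc, variables))
        except KeyError as err:
            problems.append(f"include {inc} references undefined var {err.args[0]}")
    return problems, resolved


if __name__ == "__main__":
    found, paths = lint_conf(SAMPLE_CONF)
    print("rules files:", *paths)
    print("problems:", found or "none")
```

This only catches structural omissions; the real test run is Snort's own configuration check, snort -T -c /etc/snort/snort.conf, which parses the complete file, loads the rules and exits, and is the step the slides call "test run" before starting the daemon (snort -D).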
12
A Note on Usual Logging Methods
-l switch: sets the log directory when running from the command line
Default log directory when running as a NIDS
Hierarchical logging
Two logging modes:
1. ASCII (i.e. plain text) – inode problem
2. Binary
13
Inode - Example
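The inode problem on the previous slide comes from the hierarchical layout of ASCII logging: Snort creates a directory per remote host and a separate text file per connection under the log directory, so a port sweep from many hosts leaves behind thousands of tiny files, each costing one inode, while binary logging (the -b switch, tcpdump format) appends every packet to a single file. The script below is an added illustration, not Snort code: it models both layouts with constructed traffic (40 hosts probing 25 ports each) in temporary directories and counts the inodes each layout uses. The directory and file names are a simplified model of Snort's ASCII layout, and the binary file's records carry a short text stand-in instead of a real Ethernet frame.

```python
"""Model of Snort's ASCII and binary logging modes to show why ASCII mode eats inodes."""
import os
import struct
import tempfile
import time

# Constructed traffic: 40 external hosts each probing 25 ports on one internal server.
EVENTS = [
    (f"10.0.0.{h}", "192.168.1.10", 40000 + p, 1 + p * 37)
    for h in range(1, 41) for p in range(25)
]


def log_ascii(logdir, events):
    """Simplified model of hierarchical ASCII logging (snort -l <dir>):
    one directory per remote host and one text file per port pair."""
    for src, dst, sport, dport in events:
        host_dir = os.path.join(logdir, src)
        os.makedirs(host_dir, exist_ok=True)
        with open(os.path.join(host_dir, f"TCP_{sport}-{dport}"), "a") as f:
            f.write(f"{src}:{sport} -> {dst}:{dport}\n")


def log_binary(logdir, events):
    """Model of binary logging (snort -b): every packet appended to one pcap file."""
    path = os.path.join(logdir, f"snort.log.{int(time.time())}")
    with open(path, "wb") as f:
        # pcap global header: magic, version 2.4, zone, sigfigs, snaplen, link type 1 (Ethernet)
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, (src, dst, sport, dport) in enumerate(events):
            record = f"{src}:{sport} -> {dst}:{dport}".encode()  # stand-in for the raw frame
            # per-packet header: ts_sec, ts_usec, captured length, original length
            f.write(struct.pack("<IIII", i, 0, len(record), len(record)))
            f.write(record)
    return path


def count_inodes(root):
    """Directories plus files created under root: each one occupies an inode."""
    total = 0
    for _path, dirnames, filenames in os.walk(root):
        total += len(dirnames) + len(filenames)
    return total


def compare(events):
    """Return (inodes used by ASCII mode, inodes used by binary mode) for the same traffic."""
    with tempfile.TemporaryDirectory() as ascii_dir, tempfile.TemporaryDirectory() as bin_dir:
        log_ascii(ascii_dir, events)
        log_binary(bin_dir, events)
        return count_inodes(ascii_dir), count_inodes(bin_dir)


if __name__ == "__main__":
    ascii_inodes, binary_inodes = compare(EVENTS)
    print(f"{len(EVENTS)} packets -> ASCII mode: {ascii_inodes} inodes, binary mode: {binary_inodes} inode")
```

The gap widens with every additional scanning host, which is why a sensor facing scans should log in binary mode and convert to readable form afterwards rather than write ASCII files on the fly.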
14
Logging - Examples
15
Logging - Examples (cont'd)
16
Understanding Snort Rules
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flags:SF; \
    reference:arachnids,198; classtype:attempted-recon; \
    sid:624; rev:1;)
17
Logging - Examples (cont'd)
18
Types of the Rule Options
Metadata – reference
Payload Detection – content
Non-Payload Detection – packet characteristics like size, fragments
Post Detection – log to a particular file, kill connections
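To see how the header and options of the SCAN SYN FIN rule on the previous slide are evaluated, and how its options fall into the four families listed here, the following is an added Python example (not from the slides and not Snort's own matching code). It splits the rule into its header fields and option list, classifies each option using a hand-written table of common option keywords (OPTION_TYPES is my own partial list), resolves $HOME_NET and $EXTERNAL_NET from constructed snort.conf values, and applies the header plus the flags option to constructed packets. It handles only the -> direction, CIDR or "any" addresses, single ports or ranges, and a plain flags option; Snort's real rule language is far larger.

```python
"""Parse the slide's Snort rule, classify its options, and test it against packets (added example)."""
import ipaddress

# The rule from the "Understanding Snort Rules" slide.
RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any '
    '(msg:"SCAN SYN FIN"; flags:SF; reference:arachnids,198; '
    'classtype:attempted-recon; sid:624; rev:1;)'
)

# Variable values as they would come from snort.conf (constructed for the example).
VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}

# The four option families from the slide; a partial keyword table written for this example.
OPTION_TYPES = {
    "msg": "metadata", "reference": "metadata", "classtype": "metadata",
    "sid": "metadata", "rev": "metadata", "priority": "metadata",
    "content": "payload", "nocase": "payload", "depth": "payload",
    "offset": "payload", "pcre": "payload",
    "flags": "non-payload", "ttl": "non-payload", "dsize": "non-payload",
    "fragbits": "non-payload", "ipopts": "non-payload", "seq": "non-payload",
    "logto": "post-detection", "session": "post-detection", "resp": "post-detection",
    "react": "post-detection", "tag": "post-detection",
}

TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def parse_rule(text):
    """Split 'action proto src sport dir dst dport (opts)' into a dict.
    Options are split on ';', so an escaped \\; inside msg is not handled here."""
    head, _, opts = text.partition("(")
    action, proto, src, sport, direction, dst, dport = head.split()
    options = []
    for item in opts.rstrip(")").split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition(":")
            options.append((key.strip(), value.strip().strip('"')))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}


def classify_options(options):
    """Map each option keyword to its family (metadata, payload, non-payload, post-detection)."""
    return {key: OPTION_TYPES.get(key, "unknown") for key, _ in options}


def address_matches(spec, ip, variables):
    """Resolve $VAR, honour '!' negation, accept 'any' or a CIDR block."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec.startswith("$"):
        return address_matches(variables[spec[1:]], ip, variables) ^ negate
    if spec == "any":
        result = True
    else:
        result = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return result ^ negate


def port_matches(spec, port):
    """'any', a single port, or a lo:hi range (either end may be open)."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def flags_match(spec, tcp_flags):
    """flags:SF with no modifier means exactly SYN and FIN set and nothing else."""
    wanted = 0
    for letter in spec:
        wanted |= TCP_FLAG_BITS[letter]
    return tcp_flags == wanted


def rule_matches(rule, pkt, variables):
    """Header checks first, then the non-payload 'flags' option; other options are ignored here."""
    checks = [
        rule["proto"] == pkt["proto"],
        address_matches(rule["src"], pkt["src"], variables),
        port_matches(rule["sport"], pkt["sport"]),
        address_matches(rule["dst"], pkt["dst"], variables),
        port_matches(rule["dport"], pkt["dport"]),
    ]
    checks += [flags_match(v, pkt["flags"]) for k, v in rule["options"] if k == "flags"]
    return all(checks)


# Constructed packets: a SYN/FIN probe from outside, a normal SYN, and the same probe from inside.
SYNFIN_PROBE = {"proto": "tcp", "src": "203.0.113.7", "sport": 40123,
                "dst": "192.168.1.10", "dport": 80, "flags": 0x03}
PLAIN_SYN = dict(SYNFIN_PROBE, flags=0x02)
INTERNAL_PROBE = dict(SYNFIN_PROBE, src="192.168.1.55")

if __name__ == "__main__":
    rule = parse_rule(RULE)
    print(classify_options(rule["options"]))
    for name, pkt in [("SYN/FIN probe", SYNFIN_PROBE), ("plain SYN", PLAIN_SYN), ("internal probe", INTERNAL_PROBE)]:
        print(name, "->", "ALERT" if rule_matches(rule, pkt, VARS) else "no match")
```

The internal probe does not fire because $EXTERNAL_NET is defined as !$HOME_NET, which is exactly why the HOME network must be set correctly in snort.conf: with HOME_NET left as "any", EXTERNAL_NET becomes "not any" and this rule can never match.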
19
Use of Metadata – Search with reference arachnids,198
20
Information Sharing with Metadata
Web sites with information on security vulnerabilities:
CVE (Common Vulnerabilities and Exposures): cve.mitre.org
CERT: http://www.cert.org/nav/index_red.html
21
Uses of NIDS
Detect network-based attacks
Detect host-based vulnerabilities based on responses (a typical response of a buffer overflow)
Test existing security policy loopholes
22
Disadvantages and Future
Human resource
Encrypted traffic
Switched networks – port mirroring
False positives
Damage already occurred
Future: IPS (Intrusion Prevention Systems)
23
Deliverables
Read the 2 documents on Snort
Install Snort and test its response to an nmap/nessus scan
Submit a Word file with a snapshot of the log files (ASCII and Binary) and a snippet of the alert file, with a brief explanation of the kind of scan and the results
Research and understand each of the following:
Activate and Dynamic actions (snort_manual.pdf)
Possible responses by Snort (snort_manual.pdf)
Slick and Snot
Try to understand the rules