3 Million Downloads
225,000 Active Users
Why Run an IDS?
Provide an Audit Trail
Data Analysis
Research
Because you can
To Detect ...
Layout by orngjce223, CC-BY
What can an IDS do?
Detect
Skiddies
Worms
Other Potential Threats
DOS Attack
Create Alerts
Create False Positives / False Negatives
Configure
Download / Write Rules
Install Rules
Run!
Using Snort
Test your configuration file
snort -T -c /etc/snort/snort.conf
Using as an IDS
snort -c /etc/snort/snort.conf -i ethX
Packet Sniffer (equivalent to tcpdump -vvi ethX)
snort -v -i ethX
Output
Log File
Tcpdump format
Plaintext
Binary (for reading with Barnyard)
Syslog / syslog-ng
stdout
SQL (PostgreSQL, MySQL)
Graphical Clients
ACID (Analysis Console for Intrusion Detection)
Many others
Writing Rules
Setup Your Rule Path
include $RULE_PATH/<rule_file>.rules
Log / alert
log tcp 192.168.1.18/32 any -> any 80 (msg:"eBaying"; uricontent:"ebay.com";)
alert tcp $EXTERNAL_NET any -> 172.16.30.7 25 (msg:"Found hacking reference in e-mail"; content:"hacking";)
Regular Expressions!
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection - Paranoid"; flow:to_server,established; uricontent:".php"; pcre:"/(\%27)|(\')|(\-\-)|(%23)|(#)/i"; classtype:web-application-attack; sid:9099; rev:5;)
SQL Injection '-- Attack
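As an added example (not from the slides), the matching logic of the paranoid SQL-injection rule above re-implemented in Python and run over constructed request lines, so you can see a true positive, a URL-encoded variant, and the false positive the deck warns about (an apostrophe in a legitimate name). The sample request lines are constructed, not captured traffic.

```python
import re
from typing import List, Optional, Tuple

# Rule options transcribed from the slide's "SQL Injection - Paranoid" rule (sid:9099).
RULE_MSG = "SQL Injection - Paranoid"
RULE_URICONTENT = ".php"
# Snort pcre option /(\%27)|(\')|(\-\-)|(%23)|(#)/i: encoded or raw quote, SQL comment markers.
RULE_PCRE = re.compile(r"(\%27)|(\')|(\-\-)|(%23)|(#)", re.IGNORECASE)


def request_uri(request_line: str) -> Optional[str]:
    """Pull the URI out of an HTTP request line such as 'GET /a.php?x=1 HTTP/1.1'."""
    parts = request_line.split()
    return parts[1] if len(parts) >= 2 else None


def rule_matches(request_line: str) -> Optional[str]:
    """Emulate the rule: uricontent must hit the URI; the pcre carries no /U modifier
    on the slide, so Snort runs it over the whole payload (here: the request line)."""
    uri = request_uri(request_line)
    if uri is None or RULE_URICONTENT not in uri:
        return None
    return RULE_MSG if RULE_PCRE.search(request_line) else None


def scan(request_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (request_line, msg) for every line that would raise the alert."""
    return [(line, msg) for line in request_lines if (msg := rule_matches(line))]


# Constructed sample request lines (not captured traffic).
SAMPLES = [
    "GET /login.php?user=admin'--&pass=x HTTP/1.1",  # the '-- case from the slide
    "GET /index.php?id=1%27%20OR%201=1 HTTP/1.1",    # URL-encoded quote (%27)
    "GET /page.php?name=O'Brien HTTP/1.1",            # legitimate apostrophe: false positive
    "GET /static/logo.png HTTP/1.1",                  # no .php in the URI: never inspected
    "GET /search.php?q=snort HTTP/1.1",               # benign .php request: no alert
]

if __name__ == "__main__":
    for line, msg in scan(SAMPLES):
        print(f"ALERT [{msg}] {line}")
```

Three of the five constructed lines trip the rule, one of them a false positive; that is the trade-off the "Paranoid" in the rule name is announcing.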
Nikto http://www.cirt.net/nikto2
Make sure Perl is installed
wget http://www.cirt.net/nikto/nikto-current.tar.gz
tar xvzf nikto-current.tar.gz
perl nikto.pl -h 192.168.X.X
On Snort Box:
snort -c /etc/snort/snort.conf -i wlan0
Developments
IP Blacklist depending on Reputation
http://securitysauce.blogspot.com/2009/05/ip-blacklisting-for-sno
SAM (Snort Alert Monitor)
E-Mail, Audio/Visual Warnings
http://projects.darkaslight.com/projects/show/sam
Pscan
Plugin to Portscan on certain keywords
http://sourceforge.net/projects/pscan-plugin/
BlockIt