Snort
Using version 2.8.1 (Newest: 2.8.4.1)
Layout by orngjce223, CC-BY

Snort
Open Source Network IDS / Network IPS
Commercially Developed by SourceFire
Commercial Services by SourceFire: Hardware / Software / Certification / Rule Updates
SourceFire Vulnerability Research Team (VRT)
3 Million Downloads
225,000 Active Users

Why Run an IDS?
Provide an Audit Trail
Data Analysis
Research
Because you can
To Detect ...

What can an IDS do?
Detect
  Skiddies
  Worms
  Other Potential Threats
  DOS Attack
Create Alerts
Create False Positives / False Negatives
  False positive: attacks that aren't
  False negative: missed attacks due to evasion / DoS

Signatures
Signature Detection
  Rules created from known traffic patterns; fires when traffic matches a rule
  Low on false positives
  May miss new / unknown (0-day) attacks (false negative)
Anomaly Detection
  "Learns" what's normal, throws a fit when something isn't normal
  High on false positives
  Low on false negatives (less likely to miss a 0-day)
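The two approaches on this slide side by side, as an added example that is not part of the original deck and not Snort code: a toy signature matcher (one rule modelled on the "SQL Injection - Paranoid" rule shown later in these slides) and a toy anomaly detector that learns a per-source request-count baseline, both run over a constructed request log. The training counts, IP addresses and request paths are all constructed for the example.

```python
"""Signature vs. anomaly detection on a constructed request log.

Added illustration for the slide above; it is not Snort code. Both
detectors are toy implementations written for this page, and every
request and training count below is constructed.
"""
import re
import statistics
from collections import Counter

# One signature, modelled on the "SQL Injection - Paranoid" rule shown later
# on these slides: only URIs containing ".php" are examined (the uricontent
# part) and the pattern looks for a quote, a comment marker, or their
# URL-encoded forms (the pcre part).
SIGNATURES = {
    "SQL Injection - Paranoid": (".php", re.compile(r"(%27)|(')|(--)|(%23)|(#)", re.I)),
}

# Constructed per-source request counts from a "quiet" training window.
TRAINING_COUNTS = [3, 4, 2, 5, 3, 4, 3, 4]


def signature_alerts(requests):
    """Return (msg, src_ip, path) for each request that matches a known pattern."""
    alerts = []
    for src_ip, path in requests:
        for msg, (must_contain, pattern) in SIGNATURES.items():
            if must_contain in path and pattern.search(path):
                alerts.append((msg, src_ip, path))
    return alerts


def learn_baseline(per_source_counts):
    """'Learn' what a normal per-source request count looks like."""
    return statistics.mean(per_source_counts), statistics.stdev(per_source_counts)


def anomaly_alerts(requests, baseline, k=3.0):
    """Flag every source whose request count exceeds mean + k * stdev."""
    mean, stdev = baseline
    threshold = mean + k * stdev
    counts = Counter(src_ip for src_ip, _ in requests)
    return sorted(ip for ip, n in counts.items() if n > threshold)


def build_sample_window():
    """Constructed detection window: (source_ip, request_path) tuples."""
    reqs = [("10.0.0.5", p) for p in
            ("/index.php?id=1", "/about.php", "/contact.php", "/index.php?id=2")]
    # one request carrying the '-- pattern the signature knows about
    reqs.append(("10.0.0.6", "/index.php?id=1'--"))
    # a source hammering paths no signature describes (the "0-day" case)
    reqs += [("10.0.0.7", "/cgi-bin/probe%d" % i) for i in range(30)]
    # a legitimate but busy client fetching many files
    reqs += [("10.0.0.8", "/downloads/file%d.zip" % i) for i in range(12)]
    return reqs


if __name__ == "__main__":
    window = build_sample_window()
    print("signature:", signature_alerts(window))   # finds 10.0.0.6, misses 10.0.0.7
    print("anomaly:  ", anomaly_alerts(window, learn_baseline(TRAINING_COUNTS)))
    # flags 10.0.0.7 (true positive) and 10.0.0.8 (false positive); misses 10.0.0.6
```

Run it and the trade-off on the slide falls out of the data: the signature matcher raises exactly one alert, for the request it has a pattern for, and says nothing about the source probing thirty unknown paths; the anomaly detector catches that source but also flags the busy legitimate client, and never notices the single injection request. Raising `k` lowers the false positives and raises the false negatives.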

Installing Snort
Download Binaries (Windows / Linux): http://www.snort.org/downloads
OR
Install from Repository
Configure
Download / Write Rules
Install Rules
Run!

Using Snort
Test your configuration file
  snort -T -c /etc/snort/snort.conf
Using as an IDS
  snort -c /etc/snort/snort.conf -i ethX
Packet Sniffer (like tcpdump -vvi ethX)
  snort -v -i ethX

Output
Log File
  Tcpdump format
  Plaintext
  Binary (for reading with Barnyard)
Syslog / syslog-ng
stdout
SQL (PostgreSQL, MySQL)
Graphical Clients
  ACID (Analysis Console for Intrusion Detection)
  Many others

Writing Rules
Set up Your Rule Path
  include $RULE_PATH/<rule_file>.rules
Log / alert
  log tcp 192.168.1.18/32 any -> any 80 (msg:"eBaying"; uricontent:"ebay.com";)
  alert tcp $EXTERNAL_NET any -> 172.16.30.7 25 (msg:"Found hacking reference in e-mail"; content:"hacking";)

Regular Expressions!
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection - Paranoid"; flow:to_server,established; uricontent:".php"; pcre:"/(\%27)|(\')|(\-\-)|(%23)|(#)/i"; classtype:Web-application-attack; sid:9099; rev:5;)
  Detects the SQL injection '-- attack
More SQL Injection / XSS
  http://www.securityfocus.com/infocus/1768
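To show how the header and options of the three rules above are read and matched, here is an added example (written for this page, not Snort's own code) that parses each rule, resolves the $variables from a small table, and evaluates the rules against constructed packets. The variable values ($HOME_NET, $EXTERNAL_NET, $HTTP_SERVERS, $HTTP_PORTS), the packet addresses and the payloads are assumptions made for the example; flow, classtype, sid and rev are parsed but not evaluated, and pcre is searched against the raw payload, as Snort does when no /U modifier is given.

```python
"""Tiny evaluator for the Snort rules on these slides.

Added example, not Snort's own code: it parses a rule header plus the
content / uricontent / pcre options, resolves $variables from a small
table, and tests rules against constructed packets. Options it does not
model (flow, classtype, sid, rev) are kept but ignored while matching.
"""
import ipaddress
import re

# Assumed variable values (in real life these come from snort.conf).
VARS = {
    "$HOME_NET": "192.168.1.0/24",
    "$EXTERNAL_NET": "!192.168.1.0/24",
    "$HTTP_SERVERS": "192.168.1.10/32",
    "$HTTP_PORTS": "80",
}

# The three rules from the slides, each as one line.
SLIDE_RULES = [
    r'''log tcp 192.168.1.18/32 any -> any 80 (msg:"eBaying"; uricontent:"ebay.com";)''',
    r'''alert tcp $EXTERNAL_NET any -> 172.16.30.7 25 (msg:"Found hacking reference in e-mail"; content:"hacking";)''',
    r'''alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection - Paranoid"; flow:to_server,established;uricontent:".php";pcre:"/(\%27)|(\')|(\-\-)|(%23)|(#)/i"; classtype:Web-application-attack; sid:9099; rev:5;)''',
]

# Header: action proto src sport -> dst dport (options)   (only '->' is modelled)
RULE_HEADER = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(text):
    """Parse one rule (wrapped lines are joined) into header fields plus options."""
    m = RULE_HEADER.match(" ".join(text.split()))
    if not m:
        raise ValueError("unparseable rule: %r" % text)
    rule = m.groupdict()
    opts = []
    # Options are "key:value;" pairs; none of the slide rules has ';' inside a value.
    for part in rule.pop("opts").split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition(":")
            opts.append((key.strip(), value.strip().strip('"')))
    rule["opts"] = opts
    return rule


def ip_matches(spec, ip):
    """'any', a CIDR/host, or a '!'-negated CIDR, after $variable expansion."""
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def port_matches(spec, port):
    spec = VARS.get(spec, spec)
    return spec == "any" or int(spec) == port


def pcre_to_regex(value):
    """Turn Snort's /body/flags form into a compiled Python regex (only 'i' handled)."""
    m = re.match(r"^/(.*)/([a-zA-Z]*)$", value)
    return re.compile(m.group(1), re.IGNORECASE if "i" in m.group(2) else 0)


def rule_matches(rule, pkt):
    if not (ip_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
            and ip_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"])):
        return False
    for key, value in rule["opts"]:
        if key == "content" and value not in pkt["payload"]:
            return False
        if key == "uricontent" and value not in pkt["uri"]:
            return False
        if key == "pcre" and not pcre_to_regex(value).search(pkt["payload"]):
            return False
    return True


def evaluate(rules, pkt):
    """Return (action, msg) for every rule the packet triggers."""
    return [(r["action"], dict(r["opts"]).get("msg", ""))
            for r in rules if rule_matches(r, pkt)]


def sample_packets():
    """Constructed packets; 'uri' is what uricontent sees, 'payload' what content/pcre see."""
    return {
        "ebay": {"src": "192.168.1.18", "sport": 51000, "dst": "10.1.1.1", "dport": 80,
                 "uri": "http://www.ebay.com/itm/123",
                 "payload": "GET http://www.ebay.com/itm/123 HTTP/1.1\r\n"},
        "mail": {"src": "203.0.113.9", "sport": 4000, "dst": "172.16.30.7", "dport": 25,
                 "uri": "", "payload": "Subject: new hacking tutorial\r\n"},
        "sqli": {"src": "203.0.113.9", "sport": 4100, "dst": "192.168.1.10", "dport": 80,
                 "uri": "/login.php?user=admin'--",
                 "payload": "GET /login.php?user=admin'-- HTTP/1.1\r\n"},
        # same quote in the URI, but from inside $HOME_NET, so $EXTERNAL_NET excludes it
        "inside": {"src": "192.168.1.5", "sport": 4200, "dst": "192.168.1.10", "dport": 80,
                   "uri": "/index.php?id=1'", "payload": "GET /index.php?id=1' HTTP/1.1\r\n"},
    }


if __name__ == "__main__":
    rules = [parse_rule(r) for r in SLIDE_RULES]
    for name, pkt in sample_packets().items():
        print(name, "->", evaluate(rules, pkt))
```

The "inside" packet is the one worth noticing: it carries the same quote character as the "sqli" packet, yet no rule fires, because the header's $EXTERNAL_NET restricts the SQL injection rule to traffic entering from outside. Scoping a rule with the header variables is the cheapest way to cut the false positives a paranoid pcre like this one would otherwise produce.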

Demonstration
Nikto http://www.cirt.net/nikto2
Make sure Perl is installed
  wget http://www.cirt.net/nikto/nikto-current.tar.gz
  tar xvzf nikto-current.tar.gz
  perl nikto.pl -h 192.168.X.X
On Snort Box:
  snort -c /etc/snort/snort.conf -i wlan0

Developments
IP Blacklist depending on Reputation
  http://securitysauce.blogspot.com/2009/05/ip-blacklisting-for-sno
SAM (Snort Alert Monitor)
  E-Mail, Audio/Visual Warnings
  http://projects.darkaslight.com/projects/show/sam
Pscan
  Plugin to Portscan on certain keywords
  http://sourceforge.net/projects/pscan-plugin/
BlockIt
  Modify Firewall Rules (IPTables, IPChains, IPFWADM, IPFilter, PF, or Checkpoint)
  http://www.teknofx.com/

Additional Resources
Community Maintained Signatures
  http://www.emergingthreats.net/
Snort for Dummies (ISBN: 9780764568350)
  Cheat Sheet
  Good General Introduction
Snort.org/docs
  Manual, FAQ, Webinar recordings / slides
Google