
IPS, Snort inline

IPS
Packet
Acquisition
PCAP
AFPACKET
NFQ
NFQ
IPS Action
replace
IPS procon

Snort traditionally only raises alerts and logs traffic
In IPS mode Snort is able to drop packets
The network flow must go through Snort: Snort inline
./snort -Q
./snort --daq-mode inline

Packet Acquisition


DAQ: Data AcQuisition library
The way Snort grabs the data packets
Snort may use several DAQ methods
--daq-mode <mode>
<mode> = read-file | passive | inline
--daq <type>
<type> = pcap | afpacket | nfq

PCAP


PCAP = Packet CAPture library


API for capturing network packets
*nix implementation: libpcap
Windows: WinPcap
Used by: tcpdump, Wireshark, Snort, nmap, Bro, Suricata
pcap is the default Snort DAQ
./snort --daq pcap --daq-mode passive

AFPACKET


Snort can run in inline mode using afpacket
./snort --daq afpacket -i eth0:eth1
Requires two network interfaces configured as a bridge pair, eth0:eth1


NFQ, NetFilter Queue

Snort runs in user mode (it is not a kernel module)
Needs the nfqueue kernel module
iptables sends traffic to Snort using the NFQUEUE target
iptables -A FORWARD -j NFQUEUE
sends all forwarded traffic to the NFQUEUE target
The packet is handed from kernel space to user space (to Snort)
Snort may then decide to drop a packet
Returns the other packets to the kernel, but not to netfilter
All queued packets are blocked if Snort is not running

NFQ


snort --daq nfq --daq-var queue=0 -Q \
    -l /var/log/snort -c /usr/local/snort/etc/snort.conf
--daq nfq: use NFQ, NetFilter Queue
--daq-var queue=0: NFQ queue number (0 is the default)
-Q: inline mode
iptables -A INPUT -p tcp --dport 80 -j NFQUEUE --queue-num 2
The queue number given to iptables with --queue-num must match the queue= value Snort is started with, otherwise the queued packets never reach Snort

Snort IPS action


drop: tell iptables to drop the packet and log it via the usual Snort means
reject: tell iptables to drop the packet, log it via the usual Snort means, and send a TCP reset if the protocol is TCP or an ICMP port unreachable if the protocol is UDP
sdrop: the sdrop rule type tells iptables to drop the packet; nothing is logged

replace


alert ip any any -> any 80 (msg:"replacing string passwd "; \
    content: "passwd"; replace: ".paswd"; sid:1000001)
The string matched by content: is replaced by the replace string
Snort must run in inline mode
The replacement string must have exactly the same number of characters as the content string
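As an added example (not part of the slides and not Snort's own code), the following Python parses the content/replace options of a rule like the one above, enforces the equal-length requirement, and applies the substitution to a constructed HTTP payload, so the packet size is visibly unchanged; it also decodes |xx xx| hex content segments, which goes beyond the slide's plain-text case. The rule and payload values are constructed sample input.

```python
import re

# name:"value"; options in a Snort rule body (value may contain \" escapes)
_OPT_RE = re.compile(r'(\w+)\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')
# Constructed sample input: the slide's rule on one line, plus an HTTP payload
SAMPLE_RULE = ('alert ip any any -> any 80 (msg:"replacing string passwd "; '
               'content: "passwd"; replace: ".paswd"; sid:1000001;)')
SAMPLE_PAYLOAD = b"GET /etc/passwd HTTP/1.0\r\n"

def _decode(value):
    """Decode a Snort content string: literal text plus |xx xx| hex runs."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def parse_replace_pairs(rule):
    """[(content, replacement), ...]; each replace binds to the content before it."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    pairs, last = [], None
    for name, value in _OPT_RE.findall(body):
        if name == "content":
            last = _decode(value)
        elif name == "replace":
            if last is None:
                raise ValueError("replace without a preceding content")
            repl = _decode(value)
            if len(repl) != len(last):  # Snort requires identical lengths
                raise ValueError(f"replace is {len(repl)} bytes, content is {len(last)}")
            pairs.append((last, repl))
    return pairs

def validate_rule(rule):
    """None if every replace in the rule is usable, else the error text."""
    try:
        parse_replace_pairs(rule)
    except ValueError as exc:
        return str(exc)
    return None

def apply_replace(payload, pairs):
    """Overwrite the first hit of each content in place; size is unchanged."""
    out, hits = bytearray(payload), 0
    for content, repl in pairs:
        idx = out.find(content)
        if idx >= 0:
            out[idx:idx + len(content)] = repl
            hits += 1
    return bytes(out), hits
```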


Intrusion Prevention Systems:
PRO: stops and avoids attacks (not just alerts)
CON: a false positive may block a legitimate user/host
CON: an attacker may try to cause some form of denial of service attack
