EDEI
Assignment: Redes de computadora II
Period: Autumn 2015
Abstract
In this essay we explain how Snort works: we write rules that help protect our
network from suspicious behaviour on the net, and we observe Snort's response when
these rules are triggered.
Keywords: Snort, network security, intrusion detection
Introduction
An IDS (Intrusion Detection System) is a security tool that monitors the events in a
computer network and tries to detect intrusions.
Snort is an open source network intrusion detection system (IDS) capable of
performing real-time traffic analysis and packet logging on IP networks. It can
perform protocol analysis, content searching & matching, and can be used to detect
a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI
attacks, SMB probes, OS fingerprinting attempts and more. Snort was created by
Martin Roesch in 1998.
Rules are based on detecting the actual vulnerability, not an exploit or a unique piece
of data. Developing a rule requires an acute understanding of how the vulnerability
actually works.
Snort has three primary uses. It can be used as:
- a straight packet sniffer, like tcpdump or libpcap;
- a packet logger (useful for network traffic debugging and so on);
- a full-blown network intrusion prevention system.
fragroute intercepts, modifies, and rewrites egress traffic destined for a specified
host, implementing most of the attacks described in the Secure Networks "Insertion,
Evasion, and Denial of Service: Eluding Network Intrusion Detection" paper of
January 1998.
It features a simple rule set language to delay, duplicate, drop, fragment, overlap,
print, reorder, segment, source-route, or otherwise monkey with all outbound
packets destined for a target host, with minimal support for randomized or
probabilistic behavior.
This tool was written in good faith to aid in the testing of network intrusion detection
systems, firewalls, and basic TCP/IP stack behavior.
PuTTY is an SSH and telnet client, developed originally by Simon Tatham for the
Windows platform. PuTTY is open source software that is available with source
code and is developed and supported by a group of volunteers.
Description
How is our network designed?
In our setup, the SSH and Telnet servers run on the gateway computer, which is
also the host where we run Snort.
Firstly, because of the limitations of IDSCenter, namely its incompatibility with
current OS versions, we decided to deploy Snort on our Linux system.
The snort.conf rule file was created using vim in the terminal. Snort requires an SID
to be included in every rule.
Then Snort was launched directly, using the -v switch for verbose output. The -i
switch was also necessary to select the appropriate network interface:
> sudo snort -i eth0 -v
Picture 3. Snort alert
In Picture 3 the terminal shows the Snort alert log, where Snort saves each alert as
the event occurs (/var/log/snort/alert.log). In real-world applications, a
program would monitor this file for changes and trigger an event when an alert is raised.
The second and third rules were:
Picture 4. Second rule
Picture 6. Intruder computer configuration
Since these rules are set to detect SSH and Telnet, we used PuTTY to initiate the
connections.
Rule No. 4:
alert tcp any any -> $HOMENET :2600 (msg:"TCP traffic in range"; sid:4;)
Rule No. 5:
In this rule, Snort logs the TCP traffic from any port less than or equal to 6000.
alert UDP any any -> $HOMENET 5000: (msg:"UDP traffic in range"; sid:5;)
Picture 8. Fifth rule
Picture 9. Configuration
Rule No. 6:
alert tcp any any -> $HOMENET any (flags: A; ack: 0; msg:"NMAP TCP Ping"; sid:6;)
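To make the header and option syntax of rules 4 to 6 concrete, here is a small added Python matcher (my own example, not part of the essay or of Snort itself) that parses those three rules and reports which of them would alert on a given packet. The value of $HOMENET, the sample packet, and the simplified handling of the flags and ack options are assumptions; rule 4 is copied with its missing opening quote repaired.

```python
import ipaddress
import re
# Rules copied from the essay above (rule 4 with its missing opening quote repaired).
RULES = [
    'alert tcp any any -> $HOMENET :2600 (msg:"TCP traffic in range"; sid:4;)',
    'alert UDP any any -> $HOMENET 5000: (msg:"UDP traffic in range"; sid:5;)',
    'alert tcp any any -> $HOMENET any (flags: A; ack: 0; msg:"NMAP TCP Ping"; sid:6;)',
]
HOMENET = "192.168.1.0/24"  # assumed value of the $HOMENET variable (not given in the essay)
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
# Constructed sample packet: an Nmap-style TCP ping (only ACK set, ack number 0) to a host in $HOMENET.
SAMPLE_PACKET = {"proto": "tcp", "src": "10.0.0.5", "sport": 40001,
                 "dst": "192.168.1.10", "dport": 80, "flags": "A", "ack": 0}

def port_matches(spec, port):
    # Snort port syntax: any, a single port, lo:hi, ':hi' (port <= hi) or 'lo:' (port >= lo)
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")
    hi = hi if sep else lo  # a single port is the range lo:lo
    return (not lo or port >= int(lo)) and (not hi or port <= int(hi))

def addr_matches(spec, addr):
    if spec == "any":
        return True
    net = HOMENET if spec == "$HOMENET" else spec
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def parse_rule(text):
    # Header fields plus an option dict (msg, sid, flags, ack) from the parenthesised body
    _action, proto, src, sport, dst, dport, body = HEADER.match(text).groups()
    opts = {k.strip(): v.strip().strip('"') for k, v in
            (o.split(":", 1) for o in body.split(";") if ":" in o)}
    return {"proto": proto.lower(), "src": src, "sport": sport, "dst": dst, "dport": dport, "opts": opts}

def rule_matches(rule, pkt):
    # pkt carries proto/src/sport/dst/dport; TCP packets also carry flags (str) and ack (int)
    if rule["proto"] != pkt["proto"]:
        return False
    for addr, port in (("src", "sport"), ("dst", "dport")):
        if not (addr_matches(rule[addr], pkt[addr]) and port_matches(rule[port], pkt[port])):
            return False
    opts = rule["opts"]
    if "flags" in opts and set(opts["flags"]) != set(pkt.get("flags", "")):
        return False  # flags:A means exactly the ACK bit set, as in the NMAP TCP Ping rule
    if "ack" in opts and int(opts["ack"]) != pkt.get("ack", -1):
        return False
    return True

def matching_sids(pkt=SAMPLE_PACKET):
    # SIDs of every rule that would raise an alert for this packet
    return [int(r["opts"]["sid"]) for r in map(parse_rule, RULES) if rule_matches(r, pkt)]
```

For the sample packet, both rule 4 (port 80 is within :2600) and rule 6 (ACK only, ack 0) fire, which is why the Nmap ping shows up twice in the alert log.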
Conclusions.
In conclusion, we learned how to perform an attack and how to detect when an
intruder is attempting one on the network. Furthermore, we were able to set some of
the rules we learned in class, which is fundamental in network administration and
very important in network security. Being able to perform an attack in order to learn
the different methods a hacker could use against us gives us experience with real
scenarios, in which we need to think like an intruder to keep our network safe.