Intrusion Detection
Instructor:
M. Hassan Nasir
Lecture # 02
ID Products and Components
OUTLINE
▪ Selection of IDS Tool
▪ IDS Tools
▪ Snort
▪ Installation
▪ Configuration
▪ Testing
Selecting IDS Tool
[Diagram: stakeholders placed around the "Selecting IDS" decision: Management, the Network / Information System Security Admin Team, the Database Admin, and the Owner of Critical Data.]
Selecting IDS Tools
• Candidate tools surveyed: Snort, Zeek, Suricata, OSSEC, Samhain, SolarWinds, Sagan, Splunk, IBM QRadar
• Note that these are not all the same kind of product: Snort, Suricata and Zeek are network-based, OSSEC and Samhain are host-based, and Splunk and IBM QRadar are SIEM platforms that collect and correlate IDS alerts rather than detection engines themselves.
Snort
• Leading open-source NIDS
• Runs on Windows and Linux
• Signature/rule-based detection
• Customizable: rule sets and preprocessors can be tuned or written locally
• Operates as a packet sniffer, a packet logger, or a network intrusion detection system
• Decodes TCP, UDP, ICMP and IP
Components of Snort
Packet decoder
• Decoding is the first processing stage a captured packet goes through in Snort.
• The decoder:
▫ Determines the underlying protocols at each layer (link, network, transport)
▫ Locates the payload/application data in the packet (which it does not try to interpret)
▫ Records the size of this payload for use by the preprocessors and the detection engine
▫ Inspects the packet headers for anomalies (e.g., header or length fields that do not match the bytes actually captured) and raises decoder alerts for them
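The decoder operations listed above, carried out on constructed Ethernet/IPv4 frames with TCP, UDP and ICMP inside. This is an added illustration written for this page, not Snort's own decoder: it names the protocol at each layer, locates and sizes the application payload without interpreting it, and stops with a recorded anomaly whenever a header or length field disagrees with the captured bytes. The frame builders, the hand-built sample frames (zeroed MAC addresses, addresses 10.0.0.1/10.0.0.2, unchecked checksums) and the anomaly messages are all assumptions made here for the example.

```python
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def decode(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> transport; report protocols, payload, anomalies."""
    out = {"protocols": [], "payload_offset": None, "payload_len": 0,
           "anomalies": []}

    def fail(msg):  # record the anomaly and stop: later offsets are untrustworthy
        out["anomalies"].append(msg)
        return out

    # Link layer: Ethernet II, the ethertype names the network protocol
    if len(frame) < ETH_HDR_LEN:
        return fail("truncated Ethernet header")
    out["protocols"].append("Ethernet")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return fail("ethertype 0x%04x not decoded" % ethertype)

    # Network layer: IPv4 version/IHL, total length and protocol fields
    ip = frame[ETH_HDR_LEN:]
    if len(ip) < 20:
        return fail("truncated IPv4 header")
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    if version != 4:
        return fail("IP version %d under IPv4 ethertype" % version)
    if ihl < 20:
        return fail("IPv4 header length %d < 20" % ihl)
    if total_len < ihl or total_len > len(ip):
        return fail("IPv4 total length %d vs %d captured bytes" % (total_len, len(ip)))
    out["protocols"].append("IPv4")
    segment = ip[ihl:total_len]  # Ethernet padding past total_len is dropped

    # Transport layer: only the header length is needed to find the payload
    name = PROTO_NAMES.get(proto)
    if name is None:
        return fail("IP protocol %d not decoded" % proto)
    if name == "TCP":
        if len(segment) < 20:
            return fail("truncated TCP header")
        hdr_len = (segment[12] >> 4) * 4  # data offset, in 32-bit words
        if hdr_len < 20 or hdr_len > len(segment):
            return fail("TCP data offset %d invalid" % hdr_len)
    elif name == "UDP":
        if len(segment) < 8:
            return fail("truncated UDP header")
        hdr_len, udp_len = 8, struct.unpack("!H", segment[4:6])[0]
        if udp_len != len(segment):
            return fail("UDP length %d vs %d bytes" % (udp_len, len(segment)))
    else:  # ICMP: type, code, checksum, rest-of-header
        if len(segment) < 8:
            return fail("truncated ICMP header")
        hdr_len = 8
    out["protocols"].append(name)

    # Application data is located and sized for the preprocessors and the
    # detection engine; it is never interpreted here
    out["payload_offset"] = ETH_HDR_LEN + ihl + hdr_len
    out["payload_len"] = len(segment) - hdr_len
    return out


# Hand-built sample frames (constructed for this example, not captured traffic)
def _eth(payload, ethertype=ETHERTYPE_IPV4):
    return bytes(12) + struct.pack("!H", ethertype) + payload  # zeroed MACs

def _ipv4(proto, payload, ihl_words=5):
    # Always a 20-byte header; ihl_words lets a sample lie about its length
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, 20 + len(payload),
                       0x1234, 0, 64, proto, 0, bytes([10, 0, 0, 1]),
                       bytes([10, 0, 0, 2])) + payload

def _tcp(payload, sport=40000, dport=80):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload

def _udp(payload, sport=40000, dport=53):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

SAMPLES = {
    "http_request": _eth(_ipv4(6, _tcp(b"GET / HTTP/1.0\r\n"))),
    "udp_datagram": _eth(_ipv4(17, _udp(b"hello"))),
    "short_ihl": _eth(_ipv4(6, _tcp(b""), ihl_words=4)),  # IHL claims 16 bytes
    "truncated": _eth(_ipv4(6, _tcp(b"")))[:30],           # cut inside the IP header
}


def decode_samples():
    return {name: decode(frame) for name, frame in SAMPLES.items()}


if __name__ == "__main__":
    for name, info in decode_samples().items():
        print(name, info)
```

For the HTTP sample the decoder reports Ethernet/IPv4/TCP, payload offset 54 and payload length 16, which is exactly the "GET / HTTP/1.0" bytes that a preprocessor or content rule would then look at. The two malformed samples never reach that stage: the decoder records the anomaly and hands back nothing for the later engines to match on, which is the reason a decoder has to be conservative about length fields it cannot verify.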
Preprocessor
• snort -V prints the version and build information; run it first to confirm the installed binary is on the path and executes.
Testing Configuration
• snort -i 1 -c c:\snort\etc\snort.conf -T (Windows; -i takes the interface index)
• snort -i eth0 -c ./snort.conf -T (Linux; -i takes the interface name)
• -T loads the configuration file and every rule it includes, reports any syntax or path errors, and exits without processing traffic, so run it after each change to the configuration.
Running Snort
• snort -i 1 -c c:\snort\etc\snort.conf -A console (Windows)
• snort -i eth0 -c ./snort.conf -A console (Linux)
• -A console writes each alert to the terminal as it fires; opening the interface requires Administrator (Windows) or root (Linux) privileges.
Running Snort (cont'd)
• Ctrl + C to exit
Running Snort (Linux)