Snort - PowerPoint PPT Presentation

About This Presentation
Title:

Snort

Description:

'Snort is an open source network intrusion detection system, capable of ... O Obfuscate the logged IP addresses -p Disable promiscuous mode sniffing ... – PowerPoint PPT presentation

Slides: 30
Provided by: Kauf

Transcript and Presenter's Notes

Title: Snort


1
Snort & ACID
2
  • SNORT

3
Overview
  • Tool Description
  • Where You Can Find it
  • Applicability to Forensics
  • Tool Use/Screen Views
  • Observations
  • Lessons Learned

4
Technical Description
  • What is Snort?
  • Snort is an open source network intrusion
    detection system, capable of performing real-time
    traffic analysis and packet logging on IP
    networks.
  • Performs protocol analysis, content
    searching/matching
  • Can detect all sorts of probes and attacks

5
Where to Find the Tool
  • Snort
  • www.snort.org

6
How Snort Supports Forensics
  • Snort is a packet sniffer on steroids.
  • Can be placed at different points in a network to
    provide real-time information.
  • By logging alerts and rule violations, a systems
    administrator can be mindful of attacks in
    progress or research past incidents.

7
Snort Usage
  • Run from the command line or as a Windows
    Service.
  • Lots of options

8
Snort Options
  • USAGE: snort -options <filter options>
  • snort /SERVICE /INSTALL -options <filter options>
  • snort /SERVICE /UNINSTALL
  • snort /SERVICE /SHOW
  • Options:
  • -A Set alert mode: fast, full, console, or none (alert file alerts only)
  • -b Log packets in tcpdump format (much faster!)
  • -c <rules> Use Rules File <rules>
  • -C Print out payloads with character data only (no hex)
  • -d Dump the Application Layer
  • -e Display the second layer header info
  • -E Log alert messages to NT Eventlog. (Win32 only)
  • -f Turn off fflush() calls after binary log writes
  • -F <bpf> Read BPF filters from file <bpf>
  • -h <hn> Home network <hn>
  • -i <if> Listen on interface <if>
  • -I Add Interface name to alert output
  • -k <mode> Checksum mode (all,noip,notcp,noudp,noicmp,none)

9
More Snort Options
  • -L <file> Log to this tcpdump file
  • -n <cnt> Exit after receiving <cnt> packets
  • -N Turn off logging (alerts still work)
  • -o Change the rule testing order to Pass|Alert|Log
  • -O Obfuscate the logged IP addresses
  • -p Disable promiscuous mode sniffing
  • -P <snap> Set explicit snaplen of packet (default 1514)
  • -q Quiet. Don't show banner and status report
  • -r <tf> Read and process tcpdump file <tf>
  • -R <id> Include 'id' in snort_intf<id>.pid file name
  • -s Log alert messages to syslog
  • -S <n=v> Set rules file variable n equal to value v
  • -T Test and report on the current Snort configuration
  • -U Use UTC for timestamps
  • -v Be verbose
  • -V Show version number
  • -W Lists available interfaces. (Win32 only)
  • -w Dump 802.11 management and control frames
  • -X Dump the raw packet data starting at the link layer

10
Snort in Action
11
  • Snort Raw Output

12
  • Snort Logs Better Information

13
Observations of Snort - Good
  • FREE!
  • Large user base
  • Community provides constant rule updates
  • Free tools to provide log analysis and
    email/pager alerts

14
Observations of Snort - Bad
  • UNIX tool ported to Windows behaves like a UNIX
    tool
  • Difficult to configure
  • Cryptic command line driven interface
  • All configuration is driven by files
  • Lacks standardized support

15
Lessons Learned - Snort
  • You get what you pay for!
  • Documentation for running Snort on XP is
    inconsistent and out of date.
  • Since the solution comprises several free tools,
    each tool has separate issues with XP.

16
  • ACID

17
Overview
  • Tool Description
  • Where You Can Find it
  • Applicability to Forensics
  • Tool Use/Screen Views
  • Observations
  • Lessons Learned

18
Technical Description
  • What is ACID?
  • The Analysis Console for Intrusion Databases
    (ACID)
  • PHP-based analysis engine to search and process a
    database of security events generated by various
    IDSes, firewalls, and network monitoring tools.

19
Where to Find the Tool
  • ACID
  • http://acidlab.sourceforge.net/

20
How ACID Supports Forensics
  • ACID helps to make sense of Snort data in a
    visual manner.
  • Can help analyze trends and help filter out the
    noise by categorizing attacks and IP addresses.
  • Query-builder and search interface.
  • Can provide alerts when events occur.
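As an added illustration (not code from the original deck or from either project) of how the two tools fit together: Snort's -A fast mode writes one line per alert, and the triage ACID performs amounts to grouping those lines by signature and source address and dropping low-priority noise. The sample alert lines are constructed, and obfuscate() mimics what the -O flag does when a home network (-h) is set.

```python
import re
import ipaddress
from collections import Counter
# Constructed sample of "snort -A fast" output (not captured from the deck).
SAMPLE_ALERTS = """\
03/14-10:02:11.120334  [**] [1:1000001:1] TEST SCAN probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40211 -> 192.168.1.10:22
03/14-10:02:11.340871  [**] [1:1000001:1] TEST SCAN probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40212 -> 192.168.1.10:80
03/14-10:05:47.558120  [**] [1:1000002:1] TEST WEB suspicious URI [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 172.16.4.9:51002 -> 192.168.1.10:80
03/14-10:06:02.220000  [**] [1:1000003:1] TEST ICMP echo [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 192.168.1.10
"""

# Fast format: ts [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n]
# {PROTO} src[:port] -> dst[:port]; classification is optional, ICMP has no ports.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)"
    r"\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_fast_alert(line):
    """Return the fields of one fast-format alert, or None if the line does not parse."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["prio"] = int(rec["prio"])
    return rec

def summarize(text, max_priority=None):
    """Count alerts per signature and per source IP, the grouping ACID's console does.
    With max_priority set, alerts with a higher priority number are dropped as noise
    (in Snort, priority 1 is the most severe)."""
    by_sig, by_src = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_fast_alert(line)
        if rec is None or (max_priority is not None and rec["prio"] > max_priority):
            continue
        by_sig[(rec["sid"], rec["msg"])] += 1
        by_src[rec["src"]] += 1
    return by_sig, by_src

def obfuscate(line, home_net):
    """Mimic -O when -h is set: addresses inside the home network print as xxx.xxx.xxx.xxx."""
    net = ipaddress.ip_network(home_net)
    def mask(m):
        try:
            return "xxx.xxx.xxx.xxx" if ipaddress.ip_address(m.group(0)) in net else m.group(0)
        except ValueError:  # not a valid dotted quad, leave it alone
            return m.group(0)
    return re.sub(r"\d{1,3}(?:\.\d{1,3}){3}", mask, line)
```

Running summarize(SAMPLE_ALERTS, max_priority=2) keeps the three TCP alerts and drops the priority-3 ICMP line, which is the "filter out the noise" step from the slide.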

21
ACID Usage
  • ACID runs as a set of PHP web pages under IIS or
    Apache.
  • Reports, alerts, and information are accessed
    through the web interface.

22
ACID at Work
23

Alert Screen
24
Alert Screen - Detail
25
Alert Screen Graph
26
Observations of ACID - Good
  • FREE!
  • Nice graphical interface written in PHP, so there
    is a user community to rely on.
  • Free tools to provide log analysis and
    email/pager alerts.
  • Helps sort through all the info from Snort.

27
Observations of ACID - Bad
  • Lacks standardized support
  • Lots of options to become familiar with

28
Lessons Learned - ACID
  • You get what you pay for!
  • Configuration is file driven, no GUI.
  • Most documentation for running ACID pertains to
    Apache servers and took some searching to run on
    IIS.
  • Reliance on PHP means that any interesting
    aspects on running PHP on Windows had to be
    sorted through.

29
Summary
  • Both Snort and ACID are excellent tools for
    Intrusion Detection.
  • Open Source means (hopefully) constant
    improvements
  • Free tools for companies that cannot afford tools
    or services provided by other companies.
  • Can be time-consuming and frustrating to deal
    with, and requires an administrator with the time
    and expertise to master all the options and create
    a working system.