Snort - PowerPoint PPT Presentation

Provided by: surajL

Transcript and Presenter's Notes


1
Snort
  • Introduction to Snort's working and its
    configuration file

2
Three modes of snort
  • Snort can be configured in three modes
  • Sniffer
  • Packet Logger
  • Network Intrusion Detection System

3
Sniffer mode
  • In sniffer mode, Snort acts as a packet sniffer,
    like tcpdump or Ethereal
  • The following Snort options are useful in sniffer
    mode:
  • -d Dump the application layer data when displaying
  • -e Display the link layer packet headers
  • -v Print packets to the console (verbose)

4
Packet logger mode
  • In packet logger mode, Snort just logs the packets;
    the log can later be used for running analysis,
    for Snort's NIDS mode, and so on
  • The following Snort options are useful in packet
    logger mode:
  • -l <directory> Log the packets to the given
    directory
  • -dev Can also be used in logger mode, but decoded
    text logging is slow
  • -b Log the packets in binary. This is recommended
    for packet logger mode, as it is fast
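
Because -b writes the log in tcpdump (libpcap) format, the file can be read back later by Snort or by other tools. The following Python is an added example, not code from the slides or from the Snort project: it parses a libpcap file and summarises the IPv4 packets in it, reading a small capture that is constructed inline (three frames: one TCP, one UDP, and one ARP frame that is skipped). The names read_pcap, count_by_protocol and build_sample_pcap are my own.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List

# libpcap file constants. The magic below is what struct sees when the
# file was written little-endian and unpacked with "<".
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Packet:
    ts: float       # capture time, seconds since the epoch
    src: str        # IPv4 source address
    dst: str        # IPv4 destination address
    proto: int      # IP protocol number (6 = TCP, 17 = UDP)
    length: int     # original frame length on the wire


def _ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def read_pcap(data: bytes) -> List[Packet]:
    """Walk a libpcap capture (the format `snort -b` writes) and summarise IPv4 frames.

    Non-IPv4 frames (ARP, IPv6, ...) are skipped; a truncated record raises.
    """
    magic, _major, _minor, _tz, _sigfigs, _snaplen, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file")
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    packets: List[Packet] = []
    off = 24  # size of the global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet record")
        off += incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]  # IPv4 header starts after the 14-byte Ethernet header
        packets.append(Packet(ts_sec + ts_usec / 1e6, _ipv4(ip[12:16]), _ipv4(ip[16:20]), ip[9], orig_len))
    return packets


def count_by_protocol(packets: List[Packet]) -> Dict[int, int]:
    """Quick triage: how many packets per IP protocol number."""
    counts: Dict[int, int] = {}
    for p in packets:
        counts[p.proto] = counts.get(p.proto, 0) + 1
    return counts


# ---- constructed sample capture (not real traffic) --------------------------

def _eth_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return eth + ip + payload


def build_sample_pcap() -> bytes:
    """Three frames: a TCP segment, a UDP datagram and an ARP frame that read_pcap skips."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    frames = [
        (1_700_000_000, 0, _eth_ipv4("192.168.1.10", "10.1.1.1", 6, b"\x00" * 20)),
        (1_700_000_000, 500_000, _eth_ipv4("192.168.1.11", "192.168.1.1", 17, b"\x00" * 8)),
        (1_700_000_001, 0, bytes(12) + b"\x08\x06" + bytes(28)),
    ]
    records = b"".join(struct.pack("<IIII", s, u, len(f), len(f)) + f for s, u, f in frames)
    return header + records


if __name__ == "__main__":
    pkts = read_pcap(build_sample_pcap())
    for p in pkts:
        print(f"{p.ts:.6f} {p.src} -> {p.dst} proto={p.proto} len={p.length}")
    print(count_by_protocol(pkts))
```

The same reader works on a real -b log directory entry, since the on-disk layout is identical; only the constructed frames would be replaced by the file's bytes.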

5
NIDS mode
  • NIDS mode is started with -c snort.conf
  • Different ways to start Snort in NIDS mode are:
  • snort -devl ./log -h 192.168.1.0/24 -c snort.conf
  • snort -bl ./log -h 192.168.1.0/24 -c snort.conf
  • snort -b -A fast -c snort.conf
  • snort -b -l ./log -c snort.conf o

6
Snort.conf
  • The configuration file defines the following:
  • Network Variables
  • Preprocessors and their variables
  • Classification Files
  • Reference Files
  • Rules

7
Snort.conf (II)
  • Network Variables
  • Different network variables are set; examples
    are given below:
  • var HTTP_PORTS 80
  • var TELNET_SERVERS 10.1.1.1/29

8
Snort.conf (III)
  • Preprocessors
  • Pre-compiled sets of functions that handle
    detection. Preprocessors are fast, but they cannot
    be invoked from within a rule.

9
Snort.conf (IV)
  • Classification File
  • This file stores a priority for each attack
    class; 1 means the highest priority, i.e. the most
    dangerous attack.
  • Sample from the classification file:
  • config classification: attempted-dos,Attempted Denial of Service,2
  • config classification: successful-dos,Denial of Service,2
  • config classification: attempted-user,Attempted User Privilege Gain,1
  • config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1

10
Snort.conf (V)
  • Reference File
  • This file holds reference URLs for different
    reference sources. A reference is given in a rule
    so that a URL is also displayed, helping
    administrators rectify the problem.

11
Snort.conf (VI)
  • Rules
  • Rules are defined in several files that are
    included from snort.conf. The current rule set
    can be downloaded from snort.org
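
The directives on the preceding slides (network variables, the classification file, the reference file, and rules that use them) fit together in a small parser. The following Python is an added example, not code from the slides or from the Snort project: it parses a constructed snort.conf excerpt written in the var, "config classification:" and "config reference:" syntax of Snort's configuration files, then resolves a rule's $TELNET_SERVERS variable, its classtype to the priority from the classification file, and its reference option to a URL. The sample rule, its sid and its CVE identifier are placeholders; the names parse_conf, analyse_rule and address_in_var are my own.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed snort.conf excerpt in the style of the slides (not a real deployment).
# The rule's sid and CVE are placeholders, not real identifiers.
SAMPLE_CONF = """
var HOME_NET 192.168.1.0/24
var HTTP_PORTS 80
var TELNET_SERVERS 10.1.1.1/29

config classification: attempted-dos,Attempted Denial of Service,2
config classification: successful-dos,Denial of Service,2
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1

config reference: bugtraq http://www.securityfocus.com/bid/
config reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name=

alert tcp any any -> $TELNET_SERVERS 23 (msg:"TELNET login attempt (constructed)"; classtype:attempted-user; reference:cve,CVE-0000-0000; sid:1000001; rev:1;)
"""

RULE_RE = re.compile(r"^(alert|log|pass)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")
OPT_RE = re.compile(r'(\w+):\s*("(?:[^"\\]|\\.)*"|[^;]*);')  # key:value; pairs, quotes allowed


@dataclass
class SnortConf:
    variables: Dict[str, str] = field(default_factory=dict)                    # var name -> value
    classifications: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # classtype -> (desc, priority)
    references: Dict[str, str] = field(default_factory=dict)                   # system -> URL prefix
    rules: List[str] = field(default_factory=list)


@dataclass
class RuleInfo:
    action: str
    proto: str
    dst_net: str                 # destination with $VAR expanded
    dst_port: str
    msg: str
    classtype: Optional[str]
    priority: Optional[int]      # from the classification file; None if classtype is unknown
    reference_urls: List[str]    # reference prefix + id, as shown to the administrator


def parse_conf(text: str) -> SnortConf:
    conf = SnortConf()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("var "):
            _, name, value = line.split(maxsplit=2)
            conf.variables[name] = value
        elif line.startswith("config classification:"):
            name, rest = line[len("config classification:"):].split(",", 1)
            desc, prio = rest.rsplit(",", 1)  # the description may itself contain commas
            conf.classifications[name.strip()] = (desc.strip(), int(prio))
        elif line.startswith("config reference:"):
            system, url = line[len("config reference:"):].split()
            conf.references[system] = url
        elif RULE_RE.match(line):
            conf.rules.append(line)
        else:
            raise ValueError(f"unrecognised directive: {line}")
    return conf


def analyse_rule(conf: SnortConf, rule: str) -> RuleInfo:
    """Resolve a rule's $variable, classtype priority and reference URLs against the config."""
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError(f"not a rule: {rule}")
    action, proto, _src, _sport, _direction, dst, dport, opts = m.groups()
    options: Dict[str, str] = {}
    refs: List[str] = []
    for key, value in OPT_RE.findall(opts):
        value = value.strip().strip('"')
        if key == "reference":
            refs.append(value)
        else:
            options[key] = value
    classtype = options.get("classtype")
    priority = conf.classifications[classtype][1] if classtype in conf.classifications else None
    urls = []
    for ref in refs:
        system, ident = ref.split(",", 1)
        prefix = conf.references.get(system)
        urls.append(prefix + ident if prefix else f"<unknown reference system: {system}>")
    dst_net = conf.variables.get(dst[1:], dst) if dst.startswith("$") else dst
    return RuleInfo(action, proto, dst_net, dport, options.get("msg", ""), classtype, priority, urls)


def address_in_var(conf: SnortConf, var_name: str, address: str) -> bool:
    """Does an address fall inside a network variable such as TELNET_SERVERS?"""
    net = ipaddress.ip_network(conf.variables[var_name], strict=False)
    return ipaddress.ip_address(address) in net


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for rule in conf.rules:
        print(analyse_rule(conf, rule))
```

A rule whose classtype is missing from the classification file comes back with priority None, which is the case an administrator should catch when loading a downloaded rule set against an older classification file.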

12
Modify Snort
  • Snort provides three mechanisms to modify its
    functionality:
  • Plug-ins (two types)
      • Output plug-ins
      • Detection plug-ins
  • Preprocessors
  • Source code modification

13
The End