Intrusion Detection Systems with Snort - PowerPoint PPT Presentation

Slides: 31
Provided by: All660
1
Intrusion Detection Systems with Snort
  • Hailun Yan
  • 564-project

2
Outline
  • IDS category
  • Installation Procedure
  • Components of Snort
  • Most frequently used functions
  • Testing of Snort/ACID

3
Components of Security System
  • A security system consists of
  • Firewalls
  • Intrusion detection systems (IDS)
  • Vulnerability assessment tools

4
Category of IDS
  • Network Intrusion Detection System (NIDS)
  • Listens to and analyses traffic on a network
  • Captures data packets
  • Compares them with a database of signatures
  • Host-based Intrusion Detection System (HIDS)
  • Installed as an agent on a host
  • Listens to and analyses system logs

5
Snort-based IDS
6
Single Sensor IDS
7
Multiple Sensor IDS
8
Installation
  • Snort can be downloaded from http://www.snort.org
  • Supported platforms include
  • Linux
  • FreeBSD
  • OpenBSD
  • Solaris
  • AIX
  • HP-UX
  • MacOS
  • Windows

9
Installation (Cont.)
  • Pre-installation
  • Zlib 1.2.1
  • LibPcap 0.7.2
  • MySQL 4.0.15
  • Apache 2.0.52, PHP 4.3.3

10
Installation (Cont.)
  • Install Snort
  • > tar xzvf snort-2.2.0.tar.gz
  • > cd snort-2.2.0
  • > ./configure --with-mysql=/usr/local/mysql
  • > make
  • > make install

11
Installation (Cont.)
  • Install rules and configuration file
  • > mkdir /etc/snort
  • > mkdir /var/log/snort
  • > cd rules
  • > cp * /etc/snort
  • > cd ../etc
  • > cp snort.conf /etc/snort
  • > cp *.config /etc/snort

12
Installation (Cont.)
  • Snort Configuration (in snort.conf)
  • var HOME_NET 192.168.0.0/24
  • var RULE_PATH /etc/snort/
  • output database: log, mysql, user=snort
    password=xxx dbname=snort host=localhost

13
Installation (Cont.)
  • Setting Up The Database In MySQL
  • mysql> set password for root@localhost = password('xxx');
  • mysql> create database snort;
  • mysql> grant insert, select on root.* to snort@localhost;
  • mysql> set password for snort@localhost = password('xxx');
  • mysql> grant create, insert, select, delete,
    update on snort.* to snort@localhost;
  • mysql> grant create, insert, delete, select,
    update on snort.* to snort;
  • mysql> exit
  • shell> /usr/local/mysql/bin/mysql -u root -p <
    ./contrib/create_mysql snort
  • Enter password: xxx

14
Installation (Cont.)
  • To display alert messages generated by Snort in a
    web browser you need
  • Analysis Console for Intrusion Detection (Acid)
  • JPGraph
  • ADODB

15
Check to See If Everything Is Working
  • > /usr/local/apache/bin/apachectl start
  • > /usr/local/mysql/bin/mysqld_safe &
  • > /usr/local/bin/snort -c /etc/snort/snort.conf -D
  • gt ping yahoo.com

16
Output on ACID
17
Components of Snort
  • A Snort-based IDS contains the following
    components
  • Packet Decoder
  • Preprocessors
  • Detection Engine
  • Logging and Alerting System
  • Output Modules

18
Packet Decoder
  • Takes packets from different types of network
    interfaces
  • Sends the packets to the preprocessors
  • Sends the packets to the detection engine

19
Preprocessor
  • Hackers use different techniques to fool an IDS
  • Exact match: you create a rule to find the
    signature httpd/conf in HTTP packets; a hacker
    can easily fool it by modifying the string to
    httpd/./conf or httpd../httpd/conf.
  • A preprocessor can rearrange the string so that
    it is detectable by the IDS.
  • Packet fragmentation: hackers can use
    fragmentation to split a signature into several
    small units to fool the IDS.
  • A Preprocessor can reassemble these small units
    first and send the whole packet to the detection
    engine for signature testing.
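As an added illustration of both evasions on this slide (not code from the original presentation): a plain substring match against the constructed request lines below misses the rearranged paths, a normalizing step recovers them, and a reassembly step lets a signature split across fragments be tested as one unit. The signature, request lines and fragment offsets are all constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Signature from the slide: a rule looking for "httpd/conf".
SIGNATURE = "httpd/conf"

# Constructed request lines that all reach the same file but spell the path
# differently; only the first one contains the signature byte-for-byte.
REQUESTS = [
    "GET /httpd/conf HTTP/1.0",
    "GET /httpd/./conf HTTP/1.0",
    "GET /httpd//conf HTTP/1.0",
    "GET /httpd/%63onf HTTP/1.0",
]

def exact_match(payload: str) -> bool:
    """What a plain content match does: substring search on the raw data."""
    return SIGNATURE in payload

def normalize_uri(payload: str) -> str:
    """Preprocessor-style normalization of the request path: percent-decode,
    then collapse '.', '..' and repeated '/' into one canonical path."""
    parts = payload.split(" ")
    if len(parts) < 2:
        return payload
    parts[1] = posixpath.normpath(unquote(parts[1]))
    return " ".join(parts)

def normalized_match(payload: str) -> bool:
    """Run the same signature after the preprocessor has rearranged the path."""
    return SIGNATURE in normalize_uri(payload)

def reassemble(fragments):
    """Reassemble (offset, bytes) fragments into one payload so a signature
    split across them can be tested as a whole. Rejects gaps and overlaps."""
    buf = bytearray()
    for offset, data in sorted(fragments):
        if offset != len(buf):
            raise ValueError(f"gap or overlap at offset {offset}")
        buf += data
    return bytes(buf)

# Constructed fragments, delivered out of order, that split the signature
# so that no single fragment contains "httpd/conf".
FRAGMENTS = [(11, b"conf HTTP/1.0"), (0, b"GET /htt"), (8, b"pd/")]

if __name__ == "__main__":
    for req in REQUESTS:
        print(f"{req!r:32} exact={exact_match(req)} normalized={normalized_match(req)}")
    print("any fragment alone:", any(exact_match(d.decode()) for _, d in FRAGMENTS))
    print("reassembled:", exact_match(reassemble(FRAGMENTS).decode()))
```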

20
The Detection Engine
  • Its responsibility is to detect if any intrusion
    activity exists in a packet.
  • It can dissect a packet and apply rules to
    different parts of the packet:
  • The IP header of the packet
  • The transport layer header, e.g. TCP, UDP
  • The application layer header, e.g. DNS,
    FTP, SNMP, and SMTP
  • The packet payload: you can create a rule to find a
    string inside the data

21
Logging and Alerting System
  • The captured packet may be used to log the
    activity or generate an alert.
  • Logs are kept in
  • simple text files
  • tcpdump-style files
  • some other form
  • log files are stored under /var/log/snort folder
    by default
  • use the -l parameter to modify the log location

22
Output Modules
  • Depending on the configuration, output modules
    can do things like the following
  • Simply logging to /var/log/snort/alerts file
  • Sending SNMP traps
  • Sending messages to syslog facility
  • Logging to a database like MySQL or Oracle.
  • Generating XML output
  • Modifying configuration on routers and firewalls
  • Sending Server Message Block (SMB) messages to
    Microsoft Windows-based machines

23
Components of Snort
24
Snort Modes
  • Snort operates in two basic modes
  • Sniffer mode
  • Logs packets into log files
  • Log files can be analyzed by tcpdump, Snort etc.
  • Similar tools include tcpdump, snoop etc.
  • NIDS mode
  • Rule-based IDS
  • Generates alerts and saves them into a database
  • Analyzed by ACID software package

25
Sniffing Mode
  • > snort -v

26
Sniffing Mode (Cont.)
  • Ctrl+C makes Snort print statistics before exiting

27
Sniffing Mode (Cont.)
  • Parameter -e tells Snort to display layer 2
    (link layer) headers as well
  • > snort -ve

28
Sniffing Mode (Cont.)
  • Parameter -d tells Snort to display the packet
    payload (application data)
  • > snort -vd

29
Network Intrusion Detection Mode
  • It does not log each captured packet
  • It applies rules on all captured packets
  • It reads the configuration file snort.conf and all
    other files included in it before starting

30
Structure of A Rule
  • A Snort rule is divided into two parts
  • rule header
  • information about what action a rule takes
  • criteria for matching a rule against data packets
  • rule options
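As an added example (not from the slides) covering the Detection Engine slide and the rule structure above: the constructed rule below is split into its header and its options, the header is applied to the IP and TCP header fields of constructed packets, and the content option to the payload. The $HOME_NET and $EXTERNAL_NET values, the packets and the sid are constructed for the example, and only the "->" direction is handled.

```python
import ipaddress
import re

# Constructed rule (not from the slides) for the "httpd/conf" signature the
# preprocessor slide uses. Everything before '(' is the header, the rest options.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
        '(msg:"httpd conf access"; content:"httpd/conf"; sid:1000001; rev:1;)')

# Header variables as they would be set in snort.conf (constructed values).
VARS = {"$HOME_NET": "192.168.0.0/24", "$EXTERNAL_NET": "!192.168.0.0/24"}

def parse_rule(text):
    """Split a rule into its header fields and an option dictionary."""
    header, _, opts = text.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    options = dict(re.findall(r'(\w+):"?([^";]*)"?;', opts))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}

def addr_matches(spec, ip):
    """Match one address field: 'any', a CIDR block, or a negated ('!') block."""
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    inside = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"))
    return inside != spec.startswith("!")

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def rule_matches(rule, pkt):
    """Apply the header to the IP/TCP fields and 'content' to the payload,
    which is what the detection engine does for every packet."""
    if rule["proto"] != pkt["proto"] or rule["dir"] != "->":
        return False
    if not (addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])):
        return False
    if not (addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"])):
        return False
    content = rule["options"].get("content")
    return content is None or content.encode() in pkt["payload"]

def packet(src, dst, payload, proto="tcp", sport=40000, dport=80):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport, "payload": payload}

# Constructed packets: an external host hitting the signature, the same host
# fetching something else, and an internal host (excluded by $EXTERNAL_NET).
PACKETS = [packet("203.0.113.5", "192.168.0.10", b"GET /httpd/conf HTTP/1.0\r\n"),
           packet("203.0.113.5", "192.168.0.10", b"GET /index.html HTTP/1.0\r\n"),
           packet("192.168.0.7", "192.168.0.10", b"GET /httpd/conf HTTP/1.0\r\n")]
```

Calling `rule_matches(parse_rule(RULE), p)` for each packet in PACKETS fires only for the first one: the second fails the payload check, the third the source-address check.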