Snort Intrusion Detection System - PowerPoint PPT Presentation

1 / 26
About This Presentation
Title:

Snort Intrusion Detection System

Description:

Snort Intrusion Detection System www.snort.org cs490ns - cotter * Capabilities Packet Sniffer mode Read packets (based on rules) and display on console ./snort -dev ... – PowerPoint PPT presentation

Number of Views:208
Avg rating:3.0/5.0
Slides: 27
Provided by: BobCo54
Category:

less

Transcript and Presenter's Notes

Title: Snort Intrusion Detection System


1
SnortIntrusion Detection System
  • www.snort.org

2
Outline
  • What is snort?
  • What can it do?
  • How is it installed?
  • How is it configured?
  • How is it used?

3
History
  • First released in 1998 by Martin Roesch
  • Originally intended to be a lightweight intrusion
    detection technology.
  • Has evolved ...
  • 3 Million downloads
  • 225k active users.

4
Capabilities
  • Four modes of operation
  • Packet Sniffer mode
  • Packet Logger mode
  • Network Intrusion Detection Mode
  • Network Intrusion Prevention

cs490ns - cotter
4
5
Capabilities
  • Packet Sniffer mode
  • Read packets (based on rules) and display on
    console
  • ./snort -dev
  • Packet Logger
  • Log all packets into a local log, organized into
    directories by IP address
  • ./snort dev l ./log
  • ./snort dev l ./log h 192.168.1.0/24

6
Capabilities
  • NIDS Mode
  • Scan packets for a given combination of
    parameters
  • Output options ASCII / binary (tcpdump format)
  • ./snort d l ./log h 192.168.1.0/24 c
    snort.conf

7
Snort Rule
  • alert tcp any any -gt Home 80 (flagsS msgPort
    80 SYN)
  • Action Field
  • alert, log, pass, activate, dynamic
  • Protocol Field
  • tcp, udp, icmp, ip
  • Source / Destination address and port
  • direction indicator
  • Rule Options
  • msg, logto, id, dsize, seq, ack, flags, content,
    session

8
Example Rules
  • alert tcp any any -gt 192.168.5.0/24 21 \
  • (msg attempted anonymous ftp access \
  • content anonymous offset 5)
  • alert tcp any any -gt any any (msg Null Scan \
  • flags 0)
  • log tcp any any ltgt 192.168.5.0/24 21 \
  • (session printable)
  • alert udp any any -gt 192.168.5.0/24 31337 \
  • (msg Back Orifice)

9
Rule Types
  • Alert Rules
  • Pass Rules
  • Log Rules
  • Safe Order Alert, Pass, Log
  • Efficient Order Pass, Alert, Log

10
Installing Snort
  • Locating the IDS relative to network
  • Place Snort outside of firewall
  • Place Snort just inside firewall
  • Place Snort on critical systems (host based)
  • Install software
  • Download source or binaries from snort.org
  • Windows / Linux
  • Compile and/or install.
  • /etc/snort (configuration files)
  • /usr/sbin (executable program)
  • /var/log/snort (typical log file directory)

11
/etc/snort/snort.conf
  • Serves as a default configuration
  • (once home network has been identified)
  • Data Types
  • include (similar to programming includes)
  • include reference.config
  • preprocessor (functional modules)
  • preprocessor frag3
  • var (variables)
  • var HOME_NET 192.168.1.0/24
  • config (configure various options)
  • config disable_tcpopt_obsolete_alerts

12
snort.conf setup
  • 1) Set the variables for your network
  • 2) Configure dynamic loaded libraries
  • 3) Configure preprocessors
  • 4) Configure output plugins
  • 5) Add any runtime config directives
  • 6) Customize your rule set

13
snort.conf setup
  • Set the variables for your network
  • var HOME_NET 10.1.1.0/24,192.168.1.0/24
  • var EXTERNAL_NET any
  • var DNS_SERVERS HOME_NET
  • var HTTP_SERVERS HOME_NET
  • var HTTP_PORTS 80
  • var ORACLE_PORTS 1521
  • var RULE_PATH /etc/snort/rules

14
snort.conf setup
  • Configure dynamic loaded libraries
  • Located in /usr/lib/snort-2.x.x_dynamicpreprocesso
    r
  • libsf_dcerpc_preproc.so
  • libsf_dcerpc_preproc.so.0
  • libsf_dns_preproc.so
  • libsf_dns_preproc.so.0
  • libsf_ftptelnet_preproc.so
  • libsf_ftptelnet_preproc.so.0

15
snort.conf setup
  • Configure preprocessors
  • preprocessor flow stats_interval 0 hash 2
  • preprocessor frag3_global max_frags 65536
  • preprocessor frag3_engine policy first
    detect_anomalies
  • preprocessor stream4 disable_evasion_alerts
  • preprocessor rpc_decode 111 32771
  • preprocessor bo

16
snort.conf setup
  • Configure output plugins
  • output alert_syslog LOG_AUTH LOG_ALERT
  • output database log, mssql, dbnamesnort
    \usersnort passwordtest
  • output alert_unified filename snort.alert, limit
    128
  • ruletype suspicious type log output
    log_tcpdump suspicious.log
  • suspicious tcp HOME_NET any -gt HOME_NET 6667 \
    (msg"Internal IRC Server")

17
snort.conf setup
  • Add any runtime config directives
  • config ignore_ports tcp 21 66676671 1356
  • config ignore_ports udp 117 53
  • config disable_decode_alerts
  • config disable_tcpopt_obsolete_alerts

18
snort.conf setup
  • Customize your rule set
  • include RULE_PATH/local.rules
  • include RULE_PATH/bad-traffic.rules
  • include RULE_PATH/exploit.rules
  • include RULE_PATH/scan.rules
  • include RULE_PATH/finger.rules
  • include RULE_PATH/ftp.rules
  • (More than 50 sets of rules defined)

19
bad-traffic rules
  • 12 rules in test rule set
  • alert tcp EXTERNAL_NET any ltgt HOME_NET 0
    (msg"BAD-TRAFFIC tcp port 0 traffic"
    flowstateless classtypemisc-activity sid524
    rev8)
  • Capture any incoming traffic to port 0 of any LAN
    HOME_NET machine.
  • More information given in signature file 524.txt

20
Signature 524.txt
  • Rule
  • --
  • Sid 524
  • --
  • Summary
  • This event is generated when TCP traffic to port
    0 is detected. This should not be seen in normal
    TCP communications.
  • --
  • Impact
  • Possible reconnaisance. This may be an attempt to
    verify the existance of a host or hosts at a
    particular address or address range.
  • --
  • Detailed Information
  • TCP traffic to port 0 is not valid under normal
    circumstances.
  • an indicator of unauthorized network use,
    reconnaisance activity or system compromise.
    These rules may also generate an event due to
    improperly configured network devices.
  • --
  • Affected Systems
  • Any
  • --
  • Attack Scenarios
  • The attacker could send packets to a host with a
    destination port of 0. The attacker might also be
    using hping to verify the existance of a host as
    a prelude to an attack.
  • --
  • Ease of Attack
  • Simple
  • --
  • False Positives
  • None Known
  • --
  • False Negatives
  • None Known
  • --
  • Corrective Action
  • Disallow TCP traffic to port 0.
  • --
  • Contributors
  • Original rule writer unknown
  • Sourcefire Vulnerability Research Team
  • Nigel Houghton nigel.houghton_at_sourcefire.com

21
Certified Rules for Snort
  • http//www.snort.org/pub-bin/downloads.cgi
  • Subscription User Rules
  • Available immediately upon release
  • Registered User Rules
  • Same rules, but released with a 30 day delay
  • Unregistered User Rules
  • Single set of rules for each snort release
    (mostly for testing purposes).

22
Typical Installations
  • Used in any of the configurations discussed in
    IDS lecture
  • Installation may be configured with several Snort
    sensors
  • outside network
  • monitoring traffic just inside firewall
  • monitoring key servers

23
Inline Mode
  • Configure Snort to receive packets from iptables
    rather than libpcap.
  • Separate capability that must be explicitly
    installed.
  • Adds 3 new rule types
  • Drop iptables drops packet and snort logs
  • Reject iptables rejects packet and snort logs
  • Sdrop iptables will drop packet. No logging.

24
Inline Mode
  • Start iptables
  • iptables A OUTPUT p tcp dport j QUEUE
  • Traffic is routed to QUEUE, where it can be
    captured by snort_inline
  • Start Snort
  • snort_inline QDc ../etc/drop.conf l
    /var/log/snort
  • -Q get packets from iptables
  • -D run in daemon mode
  • -c specify configuration file
  • -l specify log file

25
Complex installations
  • Use Snort to monitor traffic and log suspicious
    or dangerous traffic.
  • Store information in binary format
  • Much faster than ascii storage.
  • Store information to a database
  • mysql, postgresql, oracle, MS sql, ODBC
  • Much easier to process / analyze data
  • Use data analysis front-ends to examine logs
  • Barnyard (www.snort.org)
  • BASE (Basic Analysis and Security Engine)

26
Summary
  • Snort is a powerful tool for monitoring network
    traffic for anomalies that might indicate network
    intrusion
  • Can be used in several different configurations
  • Well supported
  • Code Base
  • Rules Sets
Write a Comment
User Comments (0)
About PowerShow.com