SNORT Feed the Pig - PowerPoint PPT Presentation

1 / 14
About This Presentation
Title:

SNORT Feed the Pig

Description:

A so-called Intrusion Detection System (IDS) ... Snort has a real- time alerting capability. ... Responsible for the actual signature detection. ... – PowerPoint PPT presentation

Number of Views:40
Avg rating:3.0/5.0
Slides: 15
Provided by: Vi83
Category:
Tags: snort | feed | pig | responsible

less

Transcript and Presenter's Notes

Title: SNORT Feed the Pig


1
SNORTFeed the Pig
  • Vicki Insixiengmay
  • Jon Krieger

2
What is SNORT?
  • A so-called Intrusion Detection System (IDS)
  • Analyzes IP-Network traffic online and records
    packets
  • Reduces the risk of intrusion

3
What is SNORT?
  • Five major components
  • Packet capturing mechanism
  • Snort relies on an external packet capturing
    library (libpcap) to sniff packets
  • Packets are passed into the packet decoder.
  • Translates specific protocol elements into an
    internal data structure.
  • After the decode is completed, traffic is handled
    by the preprocessors. Any number of pluggable
    preprocessors either examine or manipulate
    packets before handing them to the next
    component the detection engine.

4
What is SNORT?
  • The detection engine performs simple tests on a
    single aspect of each packet to detect
    intrusions.
  • The last component is the output plugins
  • Generates alerts to present suspicious activity

5
Snort Component Dataflow
6
What does Snort do?
  • Snort uses a flexible rules language to describe
    traffic that it should collect or pass, including
    a detection engine that utilizes a modular plugin
    architecture.
  • Snort has a real- time alerting capability.
    Alerts mechanisms for syslog, user specified
    files, a UNIX socket, or WinPopup messages to
    Windows clients using Samba's smbclient.

7
Packet Decoder
  • First internal component of Snort that a sniffed
    packet encounters.
  • Purpose
  • To strip off the various headers. It works by
    decoding up the TCP/IP stack, and placing the
    packet in a data structure. Packets are then
    routed to the preprocessors.

8
Preprocessors
  • Perform two fundamental functions
  • Manipulate packets so the detection engine can
    properly analyze them OR
  • Examine traffic for suspicious use that cannot be
    discovered by signature detection alone.
  • After traffic is run through the preprocessors,
    it is sent on to the detection engine.

9
Detection Engine
  • Responsible for the actual signature detection.
    Snort rules are loaded into the detection engine
    and are categorized in a tree-like data
    structure, which minimizes the number of tests
    the detection engine has to perform to discover
    malicious activity.
  • Snort writes intrusion data to any number of
    output plugins.

10
Output Plugins
  • The means Snort has to get data from the
    detection engine to user. Snort can be configured
    with multiple output plugins to better facilitate
    intrusion data management. Output plugins can
    range from simple comma-delimited output to
    complex relational database output.

11
Primary Uses
  • Snort has three primary uses
  • Sniffer Mode
  • Reads packets off of the network and displays
    them in continuous stream on the screen
  • ./snort -v
  • Packet Logger Mode
  • Records/logs packets to disk.
  • ./snort dev l ./log

12
Primary Uses
  • Network Intrusion Detection System (NIDS) mode
  • Analyzes network traffic for matches against
    user-defined rule set and performs actions based
    on what is shown
  • ./snort dev l ./log h 134.198.161.101/23 c
    snort.conf

13
Rules
  • Rule Header
  • Action, Protocol, IP Addresses and Ports
  • Rule Option
  • Alert Messages and Items to Look for
  • alert tcp any any -gt 192.168.1.0/24 111
    (content"00 01 86 a5" msg"mountd access")

14
References
  • http//www.informit.com/articles/article.asp?p101
    148
  • http//www.snort.org
Write a Comment
User Comments (0)
About PowerShow.com