Presentation is loading. Please wait.

Presentation is loading. Please wait.

Snort & ACID Low cost, highly configurable IDS by Patrick Southcott

Published byGreyson Moody Modified over 10 years ago

Similar presentations

Presentation on theme: "Snort & ACID Low cost, highly configurable IDS by Patrick Southcott"— Presentation transcript:

1 Snort & ACID Low cost, highly configurable IDS by Patrick Southcott southcottus@yahoo.com http://www.patricksouthcott.com

2 Large topic, General outline: 1.What is snort? 2.Where does an IDS fit in the network? 3.Snort 2.0, Marty and Sourcefire.com 4.Snort system overview –config file –rules (custom & public) 5.ACID : opensource, web-based, simple alert management. 6.PROS & CONS of snort as an IDS. 7.Building a snort sensor on Redhat9.

3 What is Snort? Snort is an application which listens to network traffic and uses rules to determine if it sees particular types of traffic. It logs, alerts for and listens to network traffic. The System Architecture consists of these main parts: Sniffer Promiscuous Mode NIC Preprocessor frag2, stream4, http_decode Detection Engine Using Rules Logging and Alerting plugins log mysql, alert smb Packets on the wire Snort Detection Process Records in a SQL db

4 Snort in the larger picture Snort sensors can be placed on any network device. Hubs work best. Sensors may log to a central database over secure tunnels or private media. Management console using ACID.

5 Network Overview sensor DMZ hosts Internet Router / firewall DMZ sensor Router / firewall Private LAN IDS network Management Console

6 IDS in Perspective Management / Executive System Admin Network Admin / Analyst low TCO (End-to-end, openness) Wants reports which show ROE Configures and runs everything. Routers, firewalls, servers. Endless game to keep up-to-date. Wants to be user of IDS High quality data Auto-response to new vulnerabilities. Maintains network Event Correlation Broad -> Specific Tune rules

7 Marty Roesch and Sourcefire Created snort in 1998. Sourcefire sells IDS boxes which they install, configure and support. Different security needs may involve specific tuning to customers network. Sourcefire is the major commercial supporter of snort. Gig speeds with multiprocessors and linux –same kernel, custom drivers, minimal footprint demo-sensor.sourcefire.com

8 Snort Usage Run on Console Run as Daemon $./snort –c snort.conf –l /home/snort/snort_spool/ $./snort –D –c snort.conf –l home/snort/snort_spool/ Snort Config File: config daemon $./snort –l /home/snort/snort_spool/ Running in packet logging mode Log directory = /snort/snort_spool/ Initializing Network Interface eth0 --== Initializing Snort ==-- Initializing Output Plugins! Decoding Ethernet on interface eth0 --== Initialization Complete ==-- -*> Snort! <*- Version 2.0.0rc4 (Build 70) By Martin Roesch (roesch@sourcefire.com, www.snort.org) Shell output from snort init.:

9 Snort Console Output ================================================================ Snort analyzed 4 out of 4 packets, dropping 0(0.000%) packets Breakdown by protocol: Action Stats: TCP: 4 (100.000%) ALERTS: 0 UDP: 0 (0.000%) LOGGED: 4 ICMP: 0 (0.000%) PASSED: 0 ARP: 0 (0.000%) EAPOL: 0 (0.000%) IPv6: 0 (0.000%) IPX: 0 (0.000%) OTHER: 0 (0.000%) DISCARD: 0 (0.000%) ================================================================ Wireless Stats: Breakdown by type: Management Packets: 0 (0.000%) Control Packets: 0 (0.000%) Data Packets: 0 (0.000%) ================================================================ Fragmentation Stats: Fragmented IP Packets: 0 (0.000%) Fragment Trackers: 0 Rebuilt IP Packets: 0 Frag elements used: 0 Discarded(incomplete): 0 Discarded(timeout): 0 Frag2 memory faults: 0 ….

10 Snort Configuration File var HOME_NET var EXTERNAL_NET var FOO_SERVERS config interface: eth0 config set_uid: snort config dump_payload config daemon preprocessor frag2 preprocessor stream4 preprocessor portscan2 output database: log, mysql, user=snort password=foobar dbname=snort host=localhost Variables Configuration Preprocessor Output SQL Database Each bullet is a line in the config file. Variables are used in the files with the snort rules.

11 Snort Preprocessors Frag2 Preprocessor –snort.conf: preprocessor frag2 –packet fragmentation can lead to the IDS missing packets or getting different ones than the host gets. This cleans fragmented packets. The stream4 Preprocessor –snort can keep track of tcp sessions. stateful –detection of stealth scans from software like nmap. Portscan and portscan2 Preprocessors –detection of single host access to many ports.

12 Snort Rules... include $RULE_PATH/local.rules local.rules : snort.conf : Rules to log all tcp, udp and icmp traffic. activate tcp any any -> any 23 (activates: 23; msg:Potential Telnet Login Credentials Logged;) dynamic tcp any any -> any 23 (activated_by: 23; count:20;) log tcp any any -> any any (msg: tcp traffic;) log udp any any -> any any (msg: udp traffic;) log icmp any any -> any any (msg: icmp traffic;)

13 Snort Rules web-iis.rules : alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \ (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; \ content:"cmd.exe"; nocase; classtype:web-application-attack; \ sid:1002; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \ (msg:"WEB-IIS CodeRed v2 root.exe access"; \ flow:to_server,established; uricontent:"/root.exe";\ nocase; classtype:web-application-attack; \ reference:url,www.cert.org/advisories/CA-2001-19.html; \ sid:1256; rev:7;) # action = pass, log, alert, dynamic, activate # protocol = icmp, tcp, ip, udp action protocol source -> destination ( optional_rule_body )

14 Snort Rules Default rules for known bad packets. attack-responses.rules backdoor.rules bad-traffic.rules chat.rules ddos.rules deleted.rules DMZ.rules dns.rules dos.rules experimental.rules exploit.rules finger.rules ftp.rules icmp-info.rules icmp.rules imap.rules info.rules local.rules misc.rules multimedia.rules mysql.rules netbios.rules nntp.rules oracle.rules other-ids.rules p2p.rules policy.rules pop2.rules pop3.rules porn.rules rpc.rules rservices.rules scan.rules shellcode.rules smtp.rules snmp.rules sql.rules telnet.rules tftp.rules virus.rules web-attacks.rules web-cgi.rules web-client.rules web-coldfusion.rules web-frontpage.rules web-iis.rules web-misc.rules web-php.rules x11.rules

15 ACID to manage Alerts Sort and display alerts based on ip, port, date, unique alerts. Search alerts Display layer 3 and 4 packet data Graphs and statistics for alert frequency. Alert grouping, archiving, managing

16 Connecting mysql with stunnel Generate foo.pem for tunnel. openssl req -new -out stunnel.pem -keyout \ stunnel.pem -nodes -x509 -days 365 Cert = /foobar/stunnel.pem [mysqls] accept = 3307 connect = 3306 #!/bin/sh /usr/local/sbin/stunnel -c -d 3306 -r 10.1.5.1:3307 stunnel 4 with config ( stunnel.conf) stunnel 3.22 from shell prompt.

17 Snort IDS: PROs and CONs Powerful, specific rules to match packets. No backdoors Weakness quickly found & published. Rules actively published for detection of new worms etc. Open Source software developers know code will be checked. Fewer hacks. Snort/ACID is only part of a secure network. Does not record the success or failure of a detected intrusion Does nothing to stop an intrusion in progress. False sense of security. PROsCONs

18 Installing snort on RedHat 9

19 IDS component overview Open Source Network Intrusion Detection System (Snort) –snort-2.0.0rc4.tar.gz –mysql-4.0.12.tar.gz Analysis Console for Intrusion Databases (ACID) –apache_1.3.27.tar.gz –php-4.3.1.tar.gz –acid-0.9.6b23.tar.gz

20 Apache & php Setup./configure --prefix=/home/apache/apache_prefix/ -- activate-module=src/modules/php4/libphp4.a make && make install./configure --prefix=/home/apache/php_prefix --with- mysql --enable-bcmath --with-gd --enable-sockets --with- zlib-dir=/home/apache/php-4.3.1/zlib-1.1.4/ --with- apache=../apache_1.3.27 Php needs graphics libs: – zlib-1.1.4, libpng-1.2.5, gd-1.8.4, phplot-4.4.6

21 Snort System Setup mysql-4.0.12./configure --prefix=/home/snort/snort_prefix --enable-smbalerts --with-mysql Make && make check && make install; Webmin –snort-1.0.wbm

22 Create snort database & tables CREATE DATABASE snort;" | mysql -u root –p grant INSERT,SELECT on snort.* to snortusr@localhost; snortusr@localhost mysql -D snort -u root -p <./contrib/create_mysql

23 Snort Config Setup output database: log, mysql, user=snortusr password=foobar dbname=snort host=localhost Modify alert rules to personal taste

24 ACID Setup adodb331.zip in www_root tar zxfp acid-0.9.6b23.tar.gz –mv acid /var/www/html edit acid/acid_conf.php –$DBlib_path = "/var/www/html/adodb"; –$aler_dbname = "snort http://acid.foobar.com/acid/acid_main.php

Download ppt "Snort & ACID Low cost, highly configurable IDS by Patrick Southcott"

Similar presentations

© 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Installation & management of SUSE.

© 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Installation & management of SUSE.
The Internet Unit Information Systems, Higher. The Internet HTML Two sets of notes.

The Internet Unit Information Systems, Higher. The Internet HTML Two sets of notes.
1 Network Intrusion Detection System & Its Analyzer: Snort & ACID 60-564: Security and Privacy on the Internet Instructor: Dr. A. K. Aggarwal Presented.

1 Network Intrusion Detection System & Its Analyzer: Snort & ACID : Security and Privacy on the Internet Instructor: Dr. A. K. Aggarwal Presented.
Shining A Light on Open Source Software: Going Beyond LAMPP Serving Web Content Using Open Source Software.

Shining A Light on Open Source Software: Going Beyond LAMPP Serving Web Content Using Open Source Software.
Snort: Overview Chris Copeland What is an Intrusion Detection System (IDS)? An intrusion detection system is any system which can identify a network.

Snort: Overview Chris Copeland What is an Intrusion Detection System (IDS)? An intrusion detection system is any system which can identify a network.
Security of Information Systems Network Defense

Security of Information Systems Network Defense
ActiveXperts Network Monitor Monitors servers, workstations and devices for availability Alerts and corrects.

ActiveXperts Network Monitor Monitors servers, workstations and devices for availability Alerts and corrects.
Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.

Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.
Module 5: Configuring Access to Internal Resources.

Module 5: Configuring Access to Internal Resources.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Snort: A Network Intrusion Detection Software Matt Gustafson Becky Smith CS691 Semester Project Spring 2003.

Snort: A Network Intrusion Detection Software Matt Gustafson Becky Smith CS691 Semester Project Spring 2003.
Snort Roy INSA Lab.. Outline What is “ Snort ” ? Working modes How to write snort rules ? Snort plug-ins It ’ s show time.

Snort Roy INSA Lab.. Outline What is “ Snort ” ? Working modes How to write snort rules ? Snort plug-ins It ’ s show time.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
Analysis Console for Intrusion Databases Roy. Description ACID.

Analysis Console for Intrusion Databases Roy. Description ACID.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
IT Security Doug Brown Jeff Bollinger. What is security? P.H.P. People Have Problems Security is the mitigation and remediation of human error in information.

IT Security Doug Brown Jeff Bollinger. What is security? P.H.P. People Have Problems Security is the mitigation and remediation of human error in information.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Information Networking Security and Assurance Lab National Chung Cheng University Analysis Console for Intrusion Databases.

Information Networking Security and Assurance Lab National Chung Cheng University Analysis Console for Intrusion Databases.

Similar presentations

Ads by Google