Snort - Open Source Network Intrusion Detection System Survey.

Presentation transcript:

1 Snort - Open Source Network Intrusion Detection System Survey

2 Outline
– What is Snort
– Snort operational modes
– NIDS mode
– Snort 1.X
– Snort 2.X
– Snort rule signature

3 What is Snort
– A “lightweight” network intrusion detection system with the capabilities of a sniffer, a packet logger and a network traffic analyser
– Can be deployed to monitor small TCP/IP networks and detect a wide variety of suspicious network traffic as well as outright attacks

4 Snort Features
– Multi-operational packet processing tool
– Rules-based detection engine
– Small: ~800k of source
– Cross platform: Linux, Windows, MacOS X, Solaris, BSD, IRIX, Tru64, HP-UX, etc.
– High speed of detection for a given attack on 100 Mbps networks
– Easy rules language, many reporting/logging options
– Free (GPL/Open Source Software)
– Libpcap-based sniffing interface
– Capability to filter traffic with Berkeley Packet Filter (BPF) filter expressions
– Flexible plug-in system
– Real-time alerting capability, with alerts being sent to syslog, Server Message Block (SMB) "WinPopup" messages, or a separate "alert" file

5 Snort Operational Modes
– Operational modes are configured via the command line
  – Default is NIDS mode if no command line switches are given
– Three main operational modes
  – Sniffer mode
  – Packet logger mode
  – NIDS mode

6 Packet Logger Mode
– Multiple packet logging options
  – Flat ASCII, tcpdump, XML, database, etc.
– Log the data and post-process it to look for anomalous activity

7 Sniffer Mode
– Works much like tcpdump
– Decodes packets and dumps them to stdout
– Packet filtering interface available to shape the displayed network traffic

Example sniffer output (a Telnet packet, port 23):

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    11/09-11:12:02.954779 10.1.1.6:1032 -> 10.1.1.8:23
    TCP TTL:128 TOS:0x0 ID:31237 IpLen:20 DgmLen:59 DF
    ***AP*** Seq: 0x16B6DA  Ack: 0x1AF156C2  Win: 0x2217  TcpLen: 20
    FF FC 23 FF FC 27 FF FC 24 FF FA 18 00 41 4E 53  ..#..'..$....ANS
    49 FF F0                                         I..
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
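To show what the decoding step behind this output involves, here is an added Python example (not code from the presentation or from Snort) that parses the IPv4 and TCP headers of a raw packet and renders them in the sniffer-mode layout shown on the slide. The packet bytes are constructed inline so that the decoded fields mirror the slide's values (TTL 128, ID 31237, DF, PSH+ACK, the Telnet negotiation payload); checksums are left at zero and are not verified.

```python
import struct

# Snort's TCP flag display order: reserved bit 1, reserved bit 2, URG, ACK, PSH, RST, SYN, FIN.
FLAG_LETTERS = "12UAPRSF"
FLAG_MASKS = (0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01)


def build_sample_packet():
    """Constructed IPv4+TCP packet whose fields mirror the slide's sniffer output.
    Checksums are left at zero; the decoder does not verify them."""
    payload = bytes.fromhex("FFFC23FFFC27FFFC24FFFA1800414E5349FFF0")   # Telnet option negotiation
    total_len = 20 + 20 + len(payload)                                  # IP hdr + TCP hdr + data = 59
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0x00, total_len, 31237, 0x4000,          # v4/IHL 5, TOS 0, len, ID, DF
                         128, 6, 0,                                     # TTL 128, proto TCP, checksum
                         bytes([10, 1, 1, 6]), bytes([10, 1, 1, 8]))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          1032, 23, 0x16B6DA, 0x1AF156C2,               # sport, dport, seq, ack
                          5 << 4, 0x18, 0x2217, 0, 0)                   # data offset 5 words, PSH|ACK
    return ip_hdr + tcp_hdr + payload


def flags_to_snort(flags):
    """Render a TCP flags byte the way Snort prints it, e.g. 0x18 -> '***AP***'."""
    return "".join(l if flags & m else "*" for l, m in zip(FLAG_LETTERS, FLAG_MASKS))


def decode(pkt):
    """Decode the IPv4 and TCP headers of a raw packet into a dict of fields."""
    (ver_ihl, tos, total_len, ident, frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("example only decodes IPv4/TCP")
    (sport, dport, seq, ack, off_res, flags, win, _csum,
     _urg) = struct.unpack("!HHIIBBHHH", pkt[ihl:ihl + 20])
    tcplen = (off_res >> 4) * 4
    return {
        "src": ".".join(map(str, src)), "sport": sport,
        "dst": ".".join(map(str, dst)), "dport": dport,
        "ttl": ttl, "tos": tos, "id": ident, "iplen": ihl, "dgmlen": total_len,
        "df": bool(frag & 0x4000), "mf": bool(frag & 0x2000),
        "flags": flags_to_snort(flags), "seq": seq, "ack": ack, "win": win, "tcplen": tcplen,
        "payload": pkt[ihl + tcplen:total_len],
    }


def hexdump(data, width=16):
    """Hex/ASCII dump in Snort's layout: bytes as hex, then printable ASCII or '.'."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{hexpart:<{width * 3 - 1}}  {ascii_part}")
    return lines


def format_snort(d):
    """Produce the summary lines Snort's sniffer mode prints for a TCP packet."""
    ipflags = (" DF" if d["df"] else "") + (" MF" if d["mf"] else "")
    line1 = (f"{d['src']}:{d['sport']} -> {d['dst']}:{d['dport']} TCP TTL:{d['ttl']} "
             f"TOS:0x{d['tos']:X} ID:{d['id']} IpLen:{d['iplen']} DgmLen:{d['dgmlen']}{ipflags}")
    line2 = (f"{d['flags']} Seq: 0x{d['seq']:X} Ack: 0x{d['ack']:X} "
             f"Win: 0x{d['win']:X} TcpLen: {d['tcplen']}")
    return [line1, line2] + hexdump(d["payload"])


if __name__ == "__main__":
    print("\n".join(format_snort(decode(build_sample_packet()))))
```

Running it prints the same TTL, ID, DgmLen, DF, flag string and hex/ASCII lines as the slide. The flag string is built from Snort's fixed eight-position layout, which is why a PSH+ACK packet shows as `***AP***` and a SYN+FIN probe would show as `******SF`.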

8 NIDS Mode I
[Diagram: where IDS components sit between the Internet and the protected network: Filtering Router (Perimeter Logs), Firewall (Perimeter Logs), Generic Server (Host-Based ID, Snort 2.0), Network IDS (Snort), Honeypot (Deception System), Statistical IDS (Snort)]

9 NIDS Mode II
– Can use Snort + plug-ins for both misuse detection and detection of anomalous activity
– Can perform portscan detection, IP defragmentation, TCP stream reassembly, application layer analysis and normalization, etc.
– Various output options available
– Multiple detection modes available
  – Rules/signature
  – Statistical anomaly
  – Protocol verification

10 Snort 1.x Architecture
[Diagram: Snort data flow] Packet stream → Sniffing → Packet Decoder → Preprocessor (Plug-ins) → Detection Engine (Plug-ins) → Output Stage (Plug-ins) → Alerts/Logs

11 Snort 1.x Detection Engine
– Rule based detection engine
– Rules are detection elements which are combined to form the signature
– Detection rules are kept in a two dimensional linked list
  – Chain Headers
  – Chain Options
– Wide range of detection capabilities
  – Stealth scans, OS fingerprinting, buffer overflows, back doors, CGI exploits, etc.

12 Detection Engine: Rules
Three rules that share one Rule Header and differ only in their Rule Options:

    Rule Header:  alert tcp 1.1.1.1 any -> 2.2.2.2 any
    Rule Options: (flags: SF; msg: “SYN-FIN Scan”;)
                  (flags: S12; msg: “Queso Scan”;)
                  (flags: F; msg: “FIN Scan”;)

Internal Representation: one Rule Node for the shared header, with three Option Nodes chained beneath it:

    Rule Node:    alert tcp 1.1.1.1 any -> 2.2.2.2 any
    Option Nodes: (flags: SF; msg: “SYN-FIN Scan”;)
                  (flags: S12; msg: “Queso Scan”;)
                  (flags: F; msg: “FIN Scan”;)

13 Detection Engine: Fully Populated
[Diagram: a horizontal list of Rule Nodes (the chain headers), each with its own vertical chain of Option Nodes hanging beneath it (the chain options)]

14 Snort 1.x Pro and Con
Pro
– Wide range of rules available (~1300 by June 2001)
– Very high speed decoding and stateless intrusion detection: 100 Mbps is not too difficult
– Flexibility & multi-platform
– Good choice for a number of applications; a rapid prototyping platform for new ideas in intrusion detection
Con
– Data structure and rule description language are limited at the protocol level: easy to describe IP/TCP/UDP/ICMP/IGMP/etc., hard to describe HTTP, RPC, SMTP, etc.
– Tendency to write slow output plug-ins!

15 Snort 2.0
– Multi-format rules input
  – DB, XML, etc.
– Traffic decoders
  – Support arbitrary protocols, multi-path traffic flows
  – Ethernet, FDDI, T/R, SLIP, PPP, ISDN, Raw, IP, ARP, TCP, UDP, ICMP
– Pluggable detection engines
  – Standard NIDS, Target-based IDS, Statistical IDS, Host-based IDS
– ~500% pattern matching performance improvement reported in research work!
– Spooling output

16 Snort 2.0 Detection Engine Comparison – V 1.x
One Rule Node for the header, with each rule's full option list kept as a separate Option Node:

    alert tcp   Sip: 1.1.1.1   Dip: 2.2.2.2   Dp: 80
        (flags: A+; content: “foo”;)
        (flags: A+; content: “bar”;)
        (flags: A+; content: “baz”;)

17 Snort 2.0 Detection Engine Comparison – V 2.0
Header fields and the shared flags option are factored into single nodes, and the content strings hang together off that shared node:

    alert tcp
        Sip: 1.1.1.1
        Dip: 2.2.2.2  |  Dip: 10.1.1.0/24
        Dp: 80
        Flags: A+;
        content: “foo”;  content: “bar”;  content: “baz”;

18 Snort Signature Example
SID: 630
Message: SCAN synscan portscan
Signature:
    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; id: 39426; flags: SF; reference:arachnids,441; classtype:attempted-recon; sid:630; rev:1;)
Summary: A host has scanned the network looking for vulnerable servers.
Impact: Information leak, reconnaissance, preparation for an automated attack such as worm propagation.
Detailed Information: Synscan is the scanning and vulnerability testing engine for ramen and canserserver, and is included in some versions of the t0rn root kit as t0rnscan. It is a very fast SYN scanner.
Attack Scenarios: This is a scanning tool that is often the precursor to a worm infection.
Ease of Attack: This scanner is fast and easy to use. It is readily available and was included with several worms.
False Positives: sscan, mscan, and several other tools used ID=39426, but the use of SYN+FIN is unique to synscan [1.5|1.6].
False Negatives: None.
Corrective Action: Run flexresp with synscan kill.
Contributors: Don Smith (initial research), Josh Gray (edits)
References: arachnids,441

19 Format of Snort Rule Language
Rule Headers
– Rule actions: alert, log, pass, activate, dynamic
– Protocols
– IP addresses
– Port numbers
– The direction operator
– …
Rule Options
– msg: "…"
– logto: "…"
– …
Content-list
– Allows multiple content strings to be specified in the place of a single content option
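The two-dimensional list of slides 11–13 and the rule format of slides 18–19 can be exercised end to end. Below is an added Python example (not code from the presentation or from Snort) that parses rule headers and options, builds one Rule Node per distinct header with the Option Nodes of every rule using that header chained beneath it, and matches constructed packet records against the result. It covers only the `->` direction and the options the slides use (flags, id, content), treating the rest as metadata; the values of `$HOME_NET` and `$EXTERNAL_NET`, the `packet` helper, and the sids 1000001–1000003 given to the slide-12 scan rules are assumptions made for the example.

```python
import ipaddress
import re

# Assumed values for the rule variables; real Snort reads these from snort.conf.
VARS = {"$HOME_NET": "10.1.1.0/24", "$EXTERNAL_NET": "!10.1.1.0/24"}
# TCP flag letters used by the flags: option, with their bit values.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def parse_rule(text):
    """Split a rule into its header tuple and an ordered list of (key, value) options."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a '->' Snort rule: " + text)
    *header, body = m.groups()
    header[0] = header[0].lower()       # the slides write 'Alert'; actions are lowercase
    options = []
    for opt in body.split(";"):         # simplification: no ';' inside quoted values
        if opt.strip():
            key, _, val = opt.partition(":")
            options.append((key.strip(), val.strip().strip('"')))
    return tuple(header), options

def build_chains(rule_texts):
    """The two-dimensional list: one Rule Node (dict key) per distinct header, and under it
    one Option Node (list entry) per rule that uses that header, in rule order."""
    chains = {}
    for text in rule_texts:
        header, options = parse_rule(text)
        chains.setdefault(header, []).append(options)
    return chains

def addr_matches(spec, ip):
    spec = VARS.get(spec, spec)         # expand $HOME_NET / $EXTERNAL_NET
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate

def flags_match(spec, pkt_flags):
    """flags:SF means exactly SYN+FIN set; a trailing '+' means 'these plus any others'."""
    want = 0
    for ch in spec.rstrip("+"):
        if ch != "0":                   # '0' stands for 'no flags set'
            want |= FLAG_BITS[ch]
    return pkt_flags & want == want if spec.endswith("+") else pkt_flags == want

def option_matches(key, val, pkt):
    if key == "flags":
        return flags_match(val.replace(" ", ""), pkt["flags"])
    if key == "id":
        return pkt["id"] == int(val)    # IP identification field
    if key == "content":
        return val.encode() in pkt["payload"]
    return True                         # msg, sid, rev, reference, classtype: metadata only

def header_matches(header, pkt):
    _action, proto, src, sport, dst, dport = header
    return (proto == pkt["proto"]
            and addr_matches(src, pkt["src"]) and sport in ("any", str(pkt["sport"]))
            and addr_matches(dst, pkt["dst"]) and dport in ("any", str(pkt["dport"])))

def detect(chains, pkt):
    """Walk the chain headers; under each matching header, test every option node in order.
    Returns (action, sid, msg) for each rule whose options all hold."""
    hits = []
    for header, option_nodes in chains.items():
        if header_matches(header, pkt):
            for options in option_nodes:
                if all(option_matches(k, v, pkt) for k, v in options):
                    meta = dict(options)
                    hits.append((header[0], int(meta.get("sid", 0)), meta.get("msg", "")))
    return hits

# Rules from slides 12 and 18; the sids on the three scan rules are constructed (local range).
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; id: 39426; '
    'flags: SF;reference:arachnids,441; classtype:attempted-recon; sid:630; rev:1;)',
    'alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: SF; msg: "SYN-FIN Scan"; sid:1000001;)',
    'alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: S12; msg: "Queso Scan"; sid:1000002;)',
    'alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: F; msg: "FIN Scan"; sid:1000003;)',
]
CHAINS = build_chains(RULES)

def packet(src, sport, dst, dport, flags, ident, payload=b""):
    """Constructed decoded-packet record, i.e. what the decoder hands to the engine."""
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags, "id": ident, "payload": payload}

# Constructed sample traffic: external SYN+FIN probe, Queso-style probe, SYN+FIN from inside $HOME_NET.
SYNSCAN_PROBE = packet("203.0.113.5", 4444, "10.1.1.8", 80, FLAG_BITS["S"] | FLAG_BITS["F"], 39426)
QUESO_PROBE = packet("1.1.1.1", 4444, "2.2.2.2", 80, FLAG_BITS["S"] | FLAG_BITS["1"] | FLAG_BITS["2"], 1)
INTERNAL_SF = packet("10.1.1.6", 4444, "10.1.1.8", 80, FLAG_BITS["S"] | FLAG_BITS["F"], 39426)

if __name__ == "__main__":
    for name, p in (("synscan", SYNSCAN_PROBE), ("queso", QUESO_PROBE), ("internal", INTERNAL_SF)):
        print(name, detect(CHAINS, p))
```

Building the chains from these four rules yields two Rule Nodes: one for the sid 630 header and one for `alert tcp 1.1.1.1 any -> 2.2.2.2 any`, with the three scan option lists beneath it, exactly the shape of slide 12's internal representation. Running the sample traffic reports sid 630 for the external SYN+FIN probe carrying IP ID 39426, the Queso rule for the SYN+reserved-bits probe, and nothing for the SYN+FIN probe that originates inside `$HOME_NET`, because `$EXTERNAL_NET` negates the home network. Snort 1.x stops after the first Option Node that fires for a packet; this example returns every match so the whole chain walk is visible.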
