Slide 1: Snort
Roy, INSA Lab.
Slide 2: Outline
What is "Snort"?
Working modes
How to write Snort rules
Snort plug-ins
Show time
Slide 3: What is "Snort"?
An open-source network IDS.
Powerful:
  Stand-alone real-time traffic analysis
  Packet logging on IP networks
  Detects a variety of attacks and probes
  Protocol analysis and content searching/matching
  Logs to a well-organized, human-readable directory structure
Flexible:
  A rules language to describe the traffic of interest
  A detection engine built on a modular plug-in architecture
Slide 4: Snort Working Modes
Sniffer mode: decodes packets and prints them to the console, like tcpdump or CommView (snort -v).
Packet logger mode: additionally writes the packets to a log directory (snort -l <dir>).
NIDS mode: applies the rule set in a configuration file to the traffic and alerts on matches (snort -c snort.conf).
Slide 5: Snort Rules
Rules are similar to packet-filter expressions.
Snort 2.x has five rule actions:
  activate - alert and then turn on another (dynamic) rule
  dynamic - remain idle until activated by an activate rule, then act as a log rule
  alert - generate an alert using the selected alert method, and then log the packet
  pass - ignore the packet
  log - log the packet
Rule application order: by default Snort 2.x evaluates activation, dynamic, alert, pass and then log rules, so a pass rule cannot accidentally suppress an alert; the -o switch swaps this to pass before alert for deployments that deliberately use pass rules to whitelist traffic.
Slide 6: How to Write Snort Rules?
Advanced Snort rules: http://www.snort.org/docs/snort_manual/node14.html
Snort rules database: http://www.snort.org/snort-db/
A simple Snort rule:
  alert tcp any any -> any any (content:"|00 01 86 a5|"; msg:"mountd access";)
Rule header, left to right:
  Rule action: alert, log, pass, etc.
  Protocol: tcp, udp, icmp, etc.
  Source IP address and source port number
  Direction operator: -> (one way) or <> (either direction)
  Destination IP address and destination port number
Details of the rule (options) follow in parentheses; here the content option matches the four hex bytes |00 01 86 a5| (the ONC RPC program number of mountd) anywhere in the payload.
Slide 7: Writing good rules
Content matching: catch the vulnerability, not the exploit. An attacker who changes the exploit slightly (different case, extra whitespace) will evade a rule that matches one literal exploit string.
Catch the oddities of the protocol in the rule instead. For example, a literal match for an FTP root login:
  alert tcp any any -> any 21 (content:"user root";)
fires on "user root" but misses "USER root" or "user   root", which the FTP server accepts just the same. A rule that restricts itself to the client side of an established session and describes the command the way the protocol tolerates it catches all of these variants:
  alert tcp any any -> any 21 (flow:to_server,established; content:"root"; pcre:"/user\s+root/i";)
The cheap content:"root" check lets the fast pattern matcher discard most packets before the more expensive pcre runs.
Slide 8: Snort Plug-ins
Preprocessors: operate on packets after they have been received and decoded by Snort, but before the rules are matched. Examples: http_decode, portscan, frag2 (IP defragmentation), stream4 (TCP stream reassembly and the flow state that flow: rules rely on).
Output modules: any rule type you define can be directed to a particular output plug-in. Examples: alert_fast, alert_syslog, database, xml.
Slide 9: Snort Working Architecture
Diagram: packets enter Snort, pass through the preprocessors, are matched against the active rules, and the result (alert, log or pass) is handed to the output modules.
Slide 10: Show time
Test environment
Download and install the package
Case 1: Nmap port scan
Case 2: MSN chat messages
Slide 11: Environment
Diagram of the test environment.
Slide 12: Before installing
Snort requires two libraries:
  libpcre (rule pcre: options): http://www.pcre.org/
  libpcap (packet capture): http://sourceforge.net/projects/libpcap/
Slide 13: Snort, Go!! Go!! Go!!
Download snort-2.1.3.tar.gz from http://www.snort.org/
Install the package
Slide 14: Start Snort!!
Edit snort.conf (network variables such as HOME_NET, and the rule files to include)
Start Snort and wait a few minutes for traffic to arrive
Slide 15: View the results
Nice directory structure and file names
Slide 16: Case 1: Nmap scan
Slide 17: Case 2: MSN chat messages
Snort does not include MSN rules by default.
Open the Snort rule database: http://www.snort.org/snort-db/
Search it by keyword.
Copy and paste the matching rules into a new rule file.
Add the new rule file to snort.conf:
  include $RULE_PATH/msn.rules
Then just run Snort again.
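The steps above carried out end to end, as an added example that is not part of the original presentation: a rule file is dropped into the directory that RULE_PATH points at and a single include line is added to snort.conf. The MSN rule, the sid, the temporary directory and the minimal snort.conf are all constructed for the demo (the real procedure copies rules from the snort.org database instead); the include step is written so that running it twice does not duplicate the line.

```python
"""Stage a custom rule file and register it in snort.conf (added example).

The rule and paths are constructed for this demo, not copied from the slides
or from the snort.org rule database.
"""
import tempfile
from pathlib import Path

# Constructed local rule: MSN Messenger (MSNP) clients talk to TCP 1863 and open with "VER ".
# Local rules use sid >= 1000000 so they cannot collide with sids from the snort.org database.
MSN_RULES = '''\
# msn.rules: constructed local rule for the MSN case
alert tcp $HOME_NET any -> any 1863 (msg:"MSN Messenger client login"; flow:to_server,established; content:"VER "; depth:4; sid:1000001; rev:1;)
'''


def write_rule_file(rule_dir, name, text):
    """Write a rule file into the directory that snort.conf's RULE_PATH variable names."""
    rule_dir = Path(rule_dir)
    rule_dir.mkdir(parents=True, exist_ok=True)
    path = rule_dir / name
    path.write_text(text)
    return path


def add_include(conf_path, name):
    """Append 'include $RULE_PATH/<name>' to snort.conf unless it is already there.

    Returns the resulting configuration text.
    """
    conf_path = Path(conf_path)
    lines = conf_path.read_text().splitlines()
    line = f"include $RULE_PATH/{name}"
    if line not in lines:
        lines.append(line)
        conf_path.write_text("\n".join(lines) + "\n")
    return conf_path.read_text()


def include_count(conf_text, name):
    """How many times snort.conf includes the given rule file (should be exactly one)."""
    return conf_text.splitlines().count(f"include $RULE_PATH/{name}")


def demo():
    """Build a throwaway snort.conf, register msn.rules twice, report the include count."""
    base = Path(tempfile.mkdtemp(prefix="snort-demo-"))
    rule_dir = base / "rules"
    conf = base / "snort.conf"
    # Minimal constructed snort.conf: RULE_PATH variable plus one pre-existing include.
    conf.write_text(f"var RULE_PATH {rule_dir}\ninclude $RULE_PATH/local.rules\n")
    write_rule_file(rule_dir, "msn.rules", MSN_RULES)
    add_include(conf, "msn.rules")
    text = add_include(conf, "msn.rules")   # second run must be a no-op
    return include_count(text, "msn.rules"), (rule_dir / "msn.rules").exists()


if __name__ == "__main__":
    count, present = demo()
    print(f"msn.rules present: {present}, included {count} time(s)")
```

With Snort 2.x, `snort -T -c snort.conf` parses the configuration and exits, which is the quick way to catch a typo in a freshly pasted rule before running the sensor on live traffic.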
Slide 18: Enjoy the result
Slide 19: Conclusions
Good rules maximize efficiency and speed: constraining a rule by port, direction and flow state, and placing a cheap content match before an expensive pcre, lets the engine discard most traffic early while still catching exploit variants.
Slide 20: References
Writing rules: http://www.snort.org/docs/snort_manual/node14.html
Rule database: http://www.snort.org/snort-db/