Presentation is loading. Please wait.

Presentation is loading. Please wait.

Snort The Lightweight Intrusion Detection System.

Published byEvan Robertson Modified over 8 years ago

Similar presentations

Presentation on theme: "Snort The Lightweight Intrusion Detection System."— Presentation transcript:

1 Snort The Lightweight Intrusion Detection System

2 The other games in town Heavyweight systems: Stateful firewalls: Example: Checkpoint Firewall One Example: Checkpoint Firewall One Commercial network intrusion detection systems: Example: Network Flight Recorder (NFR) Example: Network Flight Recorder (NFR)

3 The Art of Intrusion Detection: n Know n Know the protocols. n Watch n Watch the web. n Set n Set up your IDS monitor. n Install n Install and tune Snort. n Set n Set up your switches. n Watch n Watch and process logs.

4 Know the protocols

5 Watch the web

6 www.snort.orgwww.securityfocus.comcsrc.nist.govwww.sans.orgwww.cert.org

7 Set up your IDS monitor

8 Generic Intel CPU UNIX-like O/S with LIBPCAP The software

9 Install and tune Snort Compile Download Tune the rules

10 Set up your switches User PC Cross-over jumper The Default VLAN or ELAN Remote Switch Local Switch Snort Box Management VLAN

11 Set up your switches remote-switch# set vlan 2 port 3/2 remote-switch# set vlan 2 port 3/3 remote-switch# set span 1 3/1 create local-switch# set vlan 2 port 4/1 local-switch# set vlan 2 port 4/2

12 Watch and process logs n There are lots of PERL programs. n Snort can send a WINPOPUP via SMB. n Snort can log to an MSQL database. n Get fancy by going through syslog. n Tip: keep systems in sync with NTP.

13 Snort rule anatomy alert tcp any any - 10.1.1.0/24 80 \ (content: "/cgi-bin/phf"; msg: "PHF probe!";) (content: "/cgi-bin/phf"; msg: "PHF probe!";) alert tcp any any - 10.1.1.0/24 6000:6010 \ (msg: "X traffic";) (msg: "X traffic";)

14 Snort rule anatomy IMAP attack:

15 Snort rule anatomy alert tcp any any - 192.168.1.0/24 143 \ (content:"|E8C0 FFFF FF|/bin/sh"; msg: \ (content:"|E8C0 FFFF FF|/bin/sh"; msg: \ "New IMAP Buffer Overflow detected!";) "New IMAP Buffer Overflow detected!";)

16 Operational hint Run from /etc/inittab with respawn option: snort:5:respawn:/usr/local/bin/snort or a shell program: #!/bin/sh: while true do /bin/date > /var/log/snort-restart.log /bin/date > /var/log/snort-restart.log /usr/local/bin/snort /usr/local/bin/snortdone

17 Thank you

Download ppt "Snort The Lightweight Intrusion Detection System."

Similar presentations

ActiveXperts Network Monitor Monitors servers, workstations and devices for availability Alerts and corrects.

ActiveXperts Network Monitor Monitors servers, workstations and devices for availability Alerts and corrects.
Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.

Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.
1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.

1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
Intrusion Detection Systems By: William Pinkerton and Sean Burnside.

Intrusion Detection Systems By: William Pinkerton and Sean Burnside.
Snort - Open Source Network Intrusion Detection System Survey.

Snort - Open Source Network Intrusion Detection System Survey.
Snort Roy INSA Lab.. Outline What is “ Snort ” ? Working modes How to write snort rules ? Snort plug-ins It ’ s show time.

Snort Roy INSA Lab.. Outline What is “ Snort ” ? Working modes How to write snort rules ? Snort plug-ins It ’ s show time.
IT Security Doug Brown Jeff Bollinger. What is security? P.H.P. People Have Problems Security is the mitigation and remediation of human error in information.

IT Security Doug Brown Jeff Bollinger. What is security? P.H.P. People Have Problems Security is the mitigation and remediation of human error in information.
Honeynet/Honeypot Project - Leslie Cherian - Todd Deshane - Patty Jablonski - Creighton Long May 2, 2006.

Honeynet/Honeypot Project - Leslie Cherian - Todd Deshane - Patty Jablonski - Creighton Long May 2, 2006.
Information Networking Security and Assurance Lab National Chung Cheng University Snort.

Information Networking Security and Assurance Lab National Chung Cheng University Snort.
Intrusion Detection - Arun Hodigere. Intrusion and Intrusion Detection Intrusion : Attempting to break into or misuse your system. Intruders may be from.

Intrusion Detection - Arun Hodigere. Intrusion and Intrusion Detection Intrusion : Attempting to break into or misuse your system. Intruders may be from.
Intrusion Prevention System Group 6 Mu-Hsin Wei Renaud Moussounda Group 6 Mu-Hsin Wei Renaud Moussounda.

Intrusion Prevention System Group 6 Mu-Hsin Wei Renaud Moussounda Group 6 Mu-Hsin Wei Renaud Moussounda.
Department Of Computer Engineering

Department Of Computer Engineering
USENIX LISA ‘99 Conference © Copyright 1999, Martin Roesch Snort - Lightweight Intrusion Detection for Networks Martin Roesch.

USENIX LISA ‘99 Conference © Copyright 1999, Martin Roesch Snort - Lightweight Intrusion Detection for Networks Martin Roesch.
The open source network intrusion detection system. Secure System Administration & Certification Ravindra Pendyala.

The open source network intrusion detection system. Secure System Administration & Certification Ravindra Pendyala.
IDS Mike O’Connor Eric Tallman Matt Yasiejko. Overview IDS defined IDS defined What it does What it does Sample logs Sample logs Why we need it Why we.

IDS Mike O’Connor Eric Tallman Matt Yasiejko. Overview IDS defined IDS defined What it does What it does Sample logs Sample logs Why we need it Why we.
Polytechnic University Introduction 1 Intrusion Detection Systems Examples of IDSs in real life r Car alarms r Fire detectors r House alarms r Surveillance.

Polytechnic University Introduction 1 Intrusion Detection Systems Examples of IDSs in real life r Car alarms r Fire detectors r House alarms r Surveillance.
Penetration Testing Security Analysis and Advanced Tools: Snort.

Penetration Testing Security Analysis and Advanced Tools: Snort.
Distributed IDS The implementation of a Distributed Intrusion Detection System over a medium scale open network where the focus is availability of services.

Distributed IDS The implementation of a Distributed Intrusion Detection System over a medium scale open network where the focus is availability of services.
Kirby Kuehl Honeynet Project Member 05/08/2002 Intrusion Deception.

Kirby Kuehl Honeynet Project Member 05/08/2002 Intrusion Deception.
Intrusion Detection: Snort. Basics: History Snort was developed in 1998 by Martin Roesch. It was intended to be an open-source technology, and remains.

Intrusion Detection: Snort. Basics: History Snort was developed in 1998 by Martin Roesch. It was intended to be an open-source technology, and remains.

Similar presentations

Ads by Google