Presentation is loading. Please wait.

Presentation is loading. Please wait.

Intrusion Intrusion Detection Systems with Snort Hailun Yan 564-project.

Published byJoseph Lambert Modified over 8 years ago

Similar presentations

Presentation on theme: "Intrusion Intrusion Detection Systems with Snort Hailun Yan 564-project."— Presentation transcript:

1 Intrusion Intrusion Detection Systems with Snort Hailun Yan 564-project

2 Outline IDS category Installation Procedure Components of Snort Most frequently used functions Testing of Snort/ACID

3 Components of Security System A security system consists: Firewalls Intrusion detection systems (IDS) Vulnerability assessment tools

4 Category of IDS Network Intrusion Detection System (NIDS) Listens & analyses traffic in a network Capture data package Compare with database signatures Host-based Intrusion Detection System (HIDS) Installed as an agent of a host Listens & analyses system logs

5 Snort-based IDS

6 Single Sensor IDS

7 Multiple Sensor IDS

8 Installation Snort can be download from http://www.snort.org http://www.snort.org Supported platform includes: Linux FreeBSD OpenBSD Solaris AIX HP-UX MacOS Windows

9 Installation (Cont.) Pre-installation Zlib1.2.1 LibPcap0.7.2 MySQL4.0.15 Apache2.0.52 PHP4.3.3

10 Installation (Cont.) Install Snort #> tar –xzvf snort-2.2.0.tar.gz #> cd snort-2.2.0 #>./configure –with- mysql=/usr/local/mysql #> make #> make install

11 Installation (Cont.) Install rules and configuration file #> mkdir /etc/snort #> mkdir /var/log/snort #> cd rules #> cp * /etc/snort #> cd../etc #> cp snort.conf /etc/snort #> cp *.config /etc/snort

12 Installation (Cont.) Snort Configuration (in snort.conf) var HOME_NET 192.168.0.0/24 var RULE_PATH /etc/snort/ output database: log, mysql, user=snort password=xxx dbname=snort host=localhost

13 Installation (Cont.) Setting Up The Database In MySQL mysql> set password for root@localhost=password(‘xxx’); mysql> create database snort; mysql > grant insert, select on root,.* to snort@localhost; mysql> set password for snort@localhost=password(‘xxx’); mysql> grant create, insert, select, delete, update on snort.* to snort@localhost; mysql> grant create, insert, delete, select, update on snort.* to snort; mysql> exit shell> /usr/local/mysql/bin/mysql –u root –p <./contrib./create_mysql snort Enter password: xxx

14 Installation (Cont.) To display alert massages generated by Snort in a web browser Analysis Console for Intrusion Detection (Acid) JPGraph ADODB

15 Check to See If Everything Is Working #> /usr/local/apache/bin/apachectl start #> /usr/local/mysql/bin/mysqld_safe & #> /usr/local/bin/snort –c /etc/snort/snort.conf –D #> ping yahoo.com

16 Output on ACID

17 Components of Snort A Snort-based IDS contains the following components: Packet Decoder Preprocessors Detection Engine Logging and Alerting System Output Modules

18 Packet Detector Takes packets from different types of network interfaces Send the packets to the preprocessor Send the packets to the detection engine

19 Preprocessor Hackers use different techniques to fool an IDS Exact match: You created a rule to find a signature “httpd/conf” in HTTP packets, a hacker can easily fool you by modifying the string as “httpd/./conf” or “httpd../httpd/conf”. A preprocessor can rearrange the string so that it is detectable by the IDS. Packets fragmentation: Hackers can use fragmentation to hide a signature into several small units to fool the IDS. A Preprocessor can reassemble these small units first and send the whole packet to the detection engine for signature testing.

20 The Detection Engine Its responsibility is to detect if any intrusion activity exists in a packet. It can dissert a packet and apply rules on different parts of the packet. The IP header of the packet The Transport layer header: e.g. TCP, UDP. The application layer level header: e.g. DNS, FTP, SNMP, and SMTP Packet payload: you can create a rule to find a string inside the data.

21 Logging and Alerting System The captured packet may be used to log the activity or generate an alert. Logs are kept in simple text files tcpdump-style files some other form log files are stored under /var/log/snort folder by default use –l parameter to modify the log location

22 Output Modules Depending on the configuration, output modules can do things like the following: Simply logging to /var/log/snort/alerts file Sending SNMP traps Sending messages to syslog facility Logging to a database like MySQL or Oracle. Generating XML output Modifying configuration on routers and firewalls Sending Server Message Block (SMB) messages to Microsoft Windows-based machines

23 Components of Snort

24 Snort Modes Snort operates in two basic modes: Sniffer mode Log packages into log files Log files can be analyzed by tcpdump, snort etc. Simillar tools includes tcpdump, snoop etc. NIDS mode Rule-based IDS Generate alerts and saved into database Analyzed by ACID software package

25 #> snort -v Sniffing Mode

26 Sniffing Mode (Cont.) Ctrl+C, generate statistics before exiting Snort

27 Sniffing Mode (Cont.) Parameter e allows Snort to capture layer 2 packets #> snort -ve

28 Sniffing Mode (Cont.) Parameter d allows Snort to capture payload information #> snort -vd

29 Network Intrusion Detection Mode It does not log each captured packet It applies rules on all captured packets It read the configuration file snort.conf and all other files included in it before start

30 Structure of A Rule A Snort rule is divided into two parts: rule header information about what action a rule takes criteria for matching a rule against data packets rule options

Download ppt "Intrusion Intrusion Detection Systems with Snort Hailun Yan 564-project."

Similar presentations

ActiveXperts Network Monitor Monitors servers, workstations and devices for availability Alerts and corrects.

ActiveXperts Network Monitor Monitors servers, workstations and devices for availability Alerts and corrects.
Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.

Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.
1 Web Servers / Deployment Alastair Dawes Original by Bhupinder Reehal.

1 Web Servers / Deployment Alastair Dawes Original by Bhupinder Reehal.
Snort: A Network Intrusion Detection Software Matt Gustafson Becky Smith CS691 Semester Project Spring 2003.

Snort: A Network Intrusion Detection Software Matt Gustafson Becky Smith CS691 Semester Project Spring 2003.
Installation of SNORT, APACHE, PHP, MYSQL and SnortReport.

Installation of SNORT, APACHE, PHP, MYSQL and SnortReport.
Snort Roy INSA Lab.. Outline What is “ Snort ” ? Working modes How to write snort rules ? Snort plug-ins It ’ s show time.

Snort Roy INSA Lab.. Outline What is “ Snort ” ? Working modes How to write snort rules ? Snort plug-ins It ’ s show time.
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
Analysis Console for Intrusion Databases Roy. Description ACID.

Analysis Console for Intrusion Databases Roy. Description ACID.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Web Server Administration

Web Server Administration
Optinuity Confidential. All rights reserved. C2O Configuration Requirements.

Optinuity Confidential. All rights reserved. C2O Configuration Requirements.
Introduction to Snort’s Working and configuration file

Introduction to Snort’s Working and configuration file
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Information Networking Security and Assurance Lab National Chung Cheng University Analysis Console for Intrusion Databases.

Information Networking Security and Assurance Lab National Chung Cheng University Analysis Console for Intrusion Databases.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Information Networking Security and Assurance Lab National Chung Cheng University Snort.

Information Networking Security and Assurance Lab National Chung Cheng University Snort.
Host Intrusion Prevention Systems & Beyond

Host Intrusion Prevention Systems & Beyond
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
CIS 193A – Lesson12 Monitoring Tools. CIS 193A – Lesson12 Focus Question What are the common ways of specifying network packets used in tcpdump, wireshark,

CIS 193A – Lesson12 Monitoring Tools. CIS 193A – Lesson12 Focus Question What are the common ways of specifying network packets used in tcpdump, wireshark,

Similar presentations

Ads by Google