Snort_2

Uploaded by brahimnewghazi

Snort

Intrusion Detection
What is Snort

 Packet Analysis Tool
 Most widely deployed NIDS
 Initial release by Marty Roesch in 1998
 Current version 2.4.4 as of April 17th, 2006
Features

 Small Package – 2.7 M for source
 Cross Platform
 Open Source
 Backed by Sourcefire
 Fast (High rate of detection on average networks)
 Configurable
Design

 Packet Analysis Pipeline

Data Acquisition -> Decode -> Preprocess -> Detect -> Action
Design Engine

 Uses Rules to form “signatures”
 Modular Detection elements to form specific signatures
 Detect Anomalous Activity
 Easily updateable
Different Modes

 Packet Sniffer
 Packet Logger
 NIDS Mode
 Inline Mode
Rules

 Two Parts
– Rule Header
– Rule Options
Rule Header

alert tcp $BAD any -> $GOOD any

– alert: Rule action
– tcp: Protocol
– $BAD: Src. CIDR
– any: Src. Port
– ->: Direction
– $GOOD: Dest. CIDR
– any: Dest. Port

Same header with concrete addresses (! negates the CIDR):

alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any
Rule Options

(flags: SF; msg: “SYN-FIN scan”;)

– flags, msg: Keyword
– ":": Separator
– SF, “SYN-FIN scan”: Argument
– ";": Delimiter


Common Rule Options

 IP TTL
 IP ID
 Fragment size
 TCP Flags
 TCP Ack number
 TCP Seq number
 Payload size
 Content
 Content offset
 Content depth
 Session recording
 ICMP type
 ICMP code
 Alternate log files
Make Custom Rules

 Detect String
alert tcp any any -> any any \
(content: "clemson"; msg: "detected clemson!";)
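Added example (not from the slides, and not Snort's own engine): a small Python parser for the rule header and option syntax shown above, plus a simplified matcher run over a few constructed packet records. It assumes the Snort variables $BAD and $GOOD expand to the CIDRs on the header slide, handles only the flags and content options (msg is carried into the alert text), and prints alerts in the shape of the fast alert mode described later in the deck.

```python
"""Added example: parse Snort 2.x rules into header + options and apply them."""
import ipaddress
import re
from dataclasses import dataclass

# header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$'
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: list  # (keyword, argument) pairs in rule order


def split_options(body):
    """Split 'kw: arg; kw: arg;' on ';' delimiters that are outside quotes."""
    items, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            if "".join(cur).strip():
                items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        items.append("".join(cur).strip())
    return items


def parse_rule(text):
    text = text.replace("\\\n", " ").strip()  # join backslash continuations
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    opts = []
    for item in split_options(m.group("options")):
        kw, arg = (item.split(":", 1) + [None])[:2]  # ':' separates keyword/argument
        if arg is not None:
            arg = arg.strip()
            if len(arg) >= 2 and arg[0] == arg[-1] == '"':
                arg = arg[1:-1]
        opts.append((kw.strip(), arg))
    return Rule(*(m.group(g) for g in
                  ("action", "proto", "src", "sport", "direction", "dst", "dport")), opts)


def addr_matches(spec, ip, variables):
    spec = variables.get(spec, spec)  # expand $VAR
    if spec == "any":
        return True
    negate = spec.startswith("!")
    return (ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)) != negate


def port_matches(spec, port):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:  # range lo:hi, either end may be empty
        lo, hi = spec.split(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def rule_matches(rule, pkt, variables=None):
    variables = variables or {}
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False

    def header_ok(src, sport, dst, dport):
        return (addr_matches(rule.src, src, variables) and port_matches(rule.sport, sport)
                and addr_matches(rule.dst, dst, variables) and port_matches(rule.dport, dport))

    ok = header_ok(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if not ok and rule.direction == "<>":  # bidirectional: try the reverse too
        ok = header_ok(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if not ok:
        return False
    for kw, arg in rule.options:
        if kw == "flags":  # exact flag set; trailing '+' allows extra bits, '*' any of them
            want, have = set(arg.rstrip("+*")), set(pkt.get("flags", ""))
            if (arg.endswith("+") and not want <= have) or (arg.endswith("*") and not want & have) \
                    or (arg[-1] not in "+*" and want != have):
                return False
        elif kw == "content" and arg.encode() not in pkt.get("payload", b""):
            return False
        # msg (and sid/rev in real rules) describe the alert; they do not constrain the match
    return True


def alert_line(rule, pkt):
    """Fast-style alert: message followed by the 5-tuple."""
    msg = dict(rule.options).get("msg", "")
    return f'[**] {msg} [**] {pkt["proto"].upper()} {pkt["src"]}:{pkt["sport"]} -> {pkt["dst"]}:{pkt["dport"]}'


def run(rules_text, packets, variables):
    rules = [parse_rule(r) for r in rules_text]
    return [alert_line(r, p) for p in packets for r in rules if rule_matches(r, p, variables)]


# Constructed sample data: the two rules from the slides and three packet records.
RULES = [
    'alert tcp $BAD any -> $GOOD any (flags: SF; msg: "SYN-FIN scan";)',
    'alert tcp any any -> any any \\\n(content: "clemson"; msg: "detected clemson!";)',
]
VARIABLES = {"$BAD": "!10.1.1.0/24", "$GOOD": "10.1.1.0/24"}  # assumed variable values
PACKETS = [
    {"proto": "tcp", "src": "192.0.2.7", "sport": 40000, "dst": "10.1.1.5", "dport": 22, "flags": "SF", "payload": b""},
    {"proto": "tcp", "src": "10.1.1.9", "sport": 40001, "dst": "10.1.1.5", "dport": 80, "flags": "SF", "payload": b""},
    {"proto": "tcp", "src": "198.51.100.4", "sport": 5555, "dst": "10.1.1.20", "dport": 80, "flags": "PA",
     "payload": b"GET /clemson HTTP/1.0"},
]

if __name__ == "__main__":
    for line in run(RULES, PACKETS, VARIABLES):
        print(line)
```

The second packet has both SYN and FIN set but comes from inside 10.1.1.0/24, so the negated $BAD CIDR excludes it; only the first and third packets raise alerts. Real Snort adds per-option modifiers (offset, depth, nocase) and session tracking that this toy matcher does not model.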
Output

 Log all the alerts
 Real-time alerts
 Several different types
– Syslog
– Plain text
– Databases
– Unified output
Common Options
Option / Description
 -A fast: Fast alert mode. Writes the alert in a simple format with a timestamp, alert message, source and destination IPs/ports.
 -A full: Full alert mode. This is the default alert mode and will be used automatically if you do not specify a mode.
 -A unsock: Sends alerts to a UNIX socket that another program can listen on.
 -A none: Turns off alerting.
 -A console: Sends “fast-style” alerts to the console (screen).
 -A cmg: Generates “cmg style” alerts.
Tools for Snort

 Acid
 SnortSnarf
 SnortAlert Monitor (SAM)
 Snortalog
 Guardian
 DeMarc PureSecure
 IDSCenter (Windoze)
Resources

 Snort.org
– www.snort.org/dl (downloads)
 BleedingEdge
– www.bleedingsnort.com/
 Sourcefire
– www.sourcefire.com