80 likes | 189 Views
Snort: Overview Chris Copeland. What is an Intrusion Detection System (IDS)?. An intrusion detection system is any system which can identify a network intrusion or network penetration. The primary objective of an IDS is to alert when intrusion takes place . IDS come in two methodologies:
E N D
What is an Intrusion Detection System (IDS)? • An intrusion detection system is any system which can identify a network intrusion or network penetration. The primary objective of an IDS is to alert when intrusion takes place . • IDS come in two methodologies: • Host (HIDS) • Network (NIDS)
What is Snort? • Snort is a network intrusion detection system • NIDS • Developed from older UNIX tools • Written By Marty Roesch • TCPDump • Runs on multiple platforms • Open source http://www.snort.org/
How Snort Functions as an IDS Sniffer Mode: reads packets only Packet Logger Mode: Logs packet information to local disk NIDS Mode: Packet capture and analysis
Snort Rules • A rule is any “guideline” which Snort looks for in the NIDS mode. • Example: rule for any attempt at ToolTalk alert tcp $EXTERNAL_NET any -> $HOME_NET any \ (msg:"RPC tooltalk TCP overflow attempt"; \ flow:to_server,established; \ content:"|00 00 00 02|"; depth:4; offset:12;\ content:"|00 01 86 F3|"; depth:4; offset:16; \ content:"|00 00 00 07|"; within:4; distance:4; \ byte_jump:4,4,relative,align; \ byte_jump:4,4,relative,align; \ byte_test:4,>,128,0,relative; \ content:"|00 00 00 00|"; depth:4; offset:8; \ reference:bugtraq,122; \ reference:cve,1999-0003; \ classtype:misc-attack; sid:1965; rev:8;)
Known Issues: • Massive Amounts of Data • False Alarms due to outdated rules • Missed Alerts Sample Snort Log Entry 10/29-11:08:20.852840 192.168.246.37 -> 192.168.246.12ICMP TTL:128 TOS:0x0 ID:17878 IpLen:20 DgmLen:40Type:14 Code:0 ID: 25124 Seq: 0 TIMESTAMP REPLY:Orig: 4259537666 Rtime: 40100906 Ttime: 4010090662 24 00 00 02 63 E3 FD 2A E4 63 02 2A E4 63 02 b$...c..*.c.*.c.
Snort Tools and Add-Ons • ACID (Analysis Console for Intrusion Database) • PHP based, Database driven, and Web Delivered
Conclusion • Host or Network IDS • Rule versus Signature Detection • Multi-Platform • Open Source Supported • Low TCO for Security/Network Admins