Snort – from IDS to IPS inline mode
Upgrading Snort IDS to inline mode for active control

Author: Simone Tino
Università degli Studi di Catania
03/12/2013
Slide 2: Snort capabilities
• Detection and Prevention modes
• Works on different network topologies
• Traffic replication required for detection only (i.e. Port Mirroring)
• Fully transparent to the hosts
• Requires good CPU and RAM capacity
• Open Source software
• Customizable report formatting tools available (i.e. Barnyard2, MySQL, BASE, Placid)
• Requires well-written configuration rules: TN and FP

Slide 3: IDS vs IPS
IDS
• Detection mode only
• Traffic replication required
• Decoupling of detection and reaction
• IDS as a good assistant for network administration
• Usually used for testing rules
IPS
• Active traffic control
• “Original” traffic required
• Detection and reaction support functionalities
• No administrator assistance needed
• Requires strict configuration
• Two network cards bridging required

Slide 4: Snort Intrusion Detection System
• Port Mirroring required
• Detection mode only
Used to verify rules consistency.

Slide 5: Snort Intrusion Prevention System
• Needs original traffic
• Active traffic control
Requires strict rules configuration.

Slide 6: Snort IPS Demo
• Host 1: eth0: 192.0.0.2/24
• Host 2: eth0: 10.0.0.2/24
• Snort IPS: 2 network cards, eth0: 192.0.0.3/24, eth1: 10.0.0.3/24
• Communication between 2 different subnets
• Snort IPS provides active and transparent control
• Fully transparent to the hosts
• Routing configuration required

Slide 7: Snort IPS - Demo
(diagram slide; no text)

Slide 8: Configuration steps
An IDS works on a copy of the traffic; enterprise solutions typically rely on the Port Mirroring feature of the switch. An IPS works on the “original” traffic, like a firewall, so the typical installation is in line between 2 networks.

Slide 9: From IDS to IPS
The iptables configuration redirects packets to user level (the NFQ queue). A Snort instance must be active on that queue, otherwise the queued packets are lost.

Slide 10: In the end…
Snort IPS can work in multiple modes. Snort inline with the NFQ module is the most flexible and adaptable IPS solution. Using the NFQ module in DAQ, many queues can be created; a Snort instance (and therefore a different Snort rule set) handles each queue, and traffic is directed to the queues according to iptables rules.
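The procedure on slides 6, 9 and 10 (two subnets routed through a two-NIC Snort box, iptables handing packets to user level, one Snort instance and rule set per NFQ queue), worked through as an added shell example; this is not code from the slides or from the Snort project. It assumes Snort 2.9 with the nfq DAQ module and iptables with the NFQUEUE target; the per-queue configuration file names (queue0.conf, queue1.conf), the SNORT_BIN and CONF_DIR variables and the APPLY switch are the example's own. It goes one step beyond the slides by showing the `--queue-bypass` option, which turns the packet loss of slide 9 (no Snort bound to the queue, packets dropped) into fail-open behaviour.

```shell
#!/bin/sh
# Added example (not from the slides): iptables/NFQ side of the demo topology
#   Host 1 (192.0.0.2) <-> eth0 192.0.0.3 [Snort box] eth1 10.0.0.3 <-> Host 2 (10.0.0.2)
# Assumed: Snort 2.9 with the nfq DAQ module, one snort.conf per queue under $CONF_DIR.
# Without APPLY=1 the script only prints the commands, so it can be reviewed unprivileged.

SNORT_BIN="${SNORT_BIN:-snort}"        # assumed path to the Snort binary
CONF_DIR="${CONF_DIR:-/etc/snort}"     # assumed location of the per-queue configs

# iptables rule that hands packets forwarded from $2 to $3 to NFQUEUE number $1.
# A 4th argument of "yes" adds --queue-bypass: packets pass uninspected when no
# Snort instance is bound to the queue (fail open). Without it the kernel drops
# them (fail closed), which is the packet loss slide 9 warns about.
nfq_rule() {
    queue=$1; in_if=$2; out_if=$3; bypass=${4:-no}
    extra=""
    if [ "$bypass" = "yes" ]; then extra=" --queue-bypass"; fi
    printf 'iptables -A FORWARD -i %s -o %s -j NFQUEUE --queue-num %s%s\n' \
        "$in_if" "$out_if" "$queue" "$extra"
}

# One Snort instance per queue: -Q selects inline mode, the nfq DAQ binds queue $1,
# and each instance loads its own rule set from $2. -D runs it as a daemon.
snort_cmd() {
    queue=$1; conf=$2
    printf '%s -Q -D --daq nfq --daq-var queue=%s -c %s\n' "$SNORT_BIN" "$queue" "$conf"
}

# Static route a host needs so that traffic for the other subnet crosses the Snort box.
host_route() {
    dst_net=$1; via=$2
    printf 'ip route add %s via %s\n' "$dst_net" "$via"
}

# Everything the Snort box runs, ordered to avoid a window with an unbound queue:
# forwarding on, Snort instances up, and only then the NFQUEUE rules.
snort_box_plan() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    snort_cmd 0 "$CONF_DIR/queue0.conf"
    snort_cmd 1 "$CONF_DIR/queue1.conf"
    nfq_rule 0 eth0 eth1          # Host 1 -> Host 2 direction, rule set 0
    nfq_rule 1 eth1 eth0          # Host 2 -> Host 1 direction, rule set 1
}

echo "# on Host 1:";  host_route 10.0.0.0/24 192.0.0.3
echo "# on Host 2:";  host_route 192.0.0.0/24 10.0.0.3
echo "# on the Snort box:"
if [ "${APPLY:-0}" = "1" ]; then
    snort_box_plan | sh           # execute for real (as root on the Snort box)
else
    snort_box_plan                # dry run: print the commands only
fi
```

The two queues give each direction its own rule set, which is the "many queues, one Snort instance each" arrangement of slide 10; a single queue with one rule for both directions is the simpler starting point. Whether to use `--queue-bypass` is a policy decision: fail closed keeps the link protected but takes it down whenever Snort restarts, fail open keeps the link up but uninspected during that window, so a monitor on the Snort process is needed either way.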