Snort IPS
Transcript

  • 1. Snort – from IDS to IPS inline mode
     Upgrading Snort IDS to inline mode for active control
     Author: Simone Tino, Università degli Studi di Catania
     03/12/2013
  • 2. Snort capabilities
     - Detection and Prevention modes
     - Works on different network topologies
     - Traffic replication required for detection only (e.g. Port Mirroring)
     - Total transparency to the hosts
     - Requires good CPU and RAM capabilities
     - Open Source Software
     - Customizable report formatting tools available (e.g. Barnyard2, MySQL, BASE, Placid)
     - Requires good configuration rules: TN and FP
  • 3. IDS vs IPS
     IDS:
     - Detection mode only
     - Traffic replication required
     - Decoupling of detection and reaction
     - IDS as a good assistant for network administration
     - Usually used for testing rules
     IPS:
     - Active traffic control
     - “Original” traffic required
     - Detection and reaction support functionalities
     - No administrator assistance needed
     - Requires strict configuration
     - Bridging across two network cards required
  • 4. Snort Intrusion Detection System
     - Port Mirroring required
     - Detection mode only
     Used to verify rules consistency
  • 5. Snort Intrusion Prevention System
     - Needs original traffic
     - Active traffic control
     Requires strict rules configuration
  • 6. Snort IPS Demo
     - Host 1: eth0: 192.0.0.2/24
     - Host 2: eth0: 10.0.0.2/24
     - Snort IPS: 2 network cards, eth0: 192.0.0.3/24 and eth1: 10.0.0.3/24
     - Communication between 2 different subnets
     - Snort IPS provides active and transparent control
     - Total transparency to the hosts
     - Routing configuration required
  • 7. Snort IPS - Demo
  • 8. Configuration steps
     IDS works on a copy of the traffic. Enterprise solutions rely on the Port Mirroring feature of the switch.
     IPS works on the “original” traffic, like a firewall does. The typical installation is between 2 networks.
  • 9. From IDS to IPS
     The iptables configuration redirects packets to user level. Here, Snort must be running to avoid packet loss: packets queued to user space are dropped when no process is bound to the queue.
  • 10. In the end…
     Snort IPS can work in multiple modes. Snort inline with the NFQ DAQ module is the most flexible and adaptable IPS solution. Using the NFQ module in DAQ, many queues can be created; a separate Snort instance (and so a different Snort rule set) handles each queue, and traffic is redirected to the queues according to iptables rules.
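Slides 6, 9 and 10 together describe the setup: the IPS routes between two subnets across two network cards, iptables redirects forwarded packets to user space, and one Snort instance with its own rule set handles each NFQ queue. The script below is an added example, not code from the slides; it prints (and with DRY_RUN=0 executes) the commands for that setup, with the queue numbers and the per-queue config paths as assumed names.

```shell
#!/bin/sh
# Added example, not from the slides: build the two-NIC Snort IPS of the demo
# topology (192.0.0.0/24 on eth0, 10.0.0.0/24 on eth1) with the NFQ DAQ module,
# one NFQUEUE and one Snort instance (so one rule set) per traffic direction.
# Assumed names: queue numbers 1 and 2 and the per-queue config files
# /etc/snort/snort-q1.conf and /etc/snort/snort-q2.conf.
# Host 1 and Host 2 must use the IPS addresses (192.0.0.3 and 10.0.0.3) as
# their gateways; that is the "routing configuration required" of slide 6.

LAN_A=192.0.0.0/24      # subnet of Host 1, reached through eth0
LAN_B=10.0.0.0/24       # subnet of Host 2, reached through eth1
DRY_RUN=${DRY_RUN:-1}   # 1: only print each command; 0: also execute it (needs root)

# Print a command and, unless dry-running, execute it.
run() { echo "$1"; [ "$DRY_RUN" = 1 ] || eval "$1"; }

# iptables rule handing forwarded packets from $1 to $2 to NFQUEUE number $3.
# Without --queue-bypass the rule fails closed: if no Snort is bound to the
# queue, the kernel drops the queued packets (the packet loss slide 9 warns of).
nfq_forward_rule() {
    echo "iptables -A FORWARD -s $1 -d $2 -j NFQUEUE --queue-num $3"
}

# Snort 2.9 inline command for one queue: -Q enables inline mode, the nfq DAQ
# reads packets from NFQUEUE $1, and $2 is the snort.conf (rule set) for it.
snort_inline_cmd() {
    echo "snort -Q --daq nfq --daq-var queue=$1 -c $2 -D"
}

setup() {
    # The IPS routes between the two subnets, so IP forwarding must be on.
    run "sysctl -w net.ipv4.ip_forward=1"
    # Start the Snort instances first: a queue with no listener drops traffic.
    run "$(snort_inline_cmd 1 /etc/snort/snort-q1.conf)"
    run "$(snort_inline_cmd 2 /etc/snort/snort-q2.conf)"
    # Only then steer each direction of forwarded traffic into its own queue.
    run "$(nfq_forward_rule "$LAN_A" "$LAN_B" 1)"   # Host 1 -> Host 2: queue 1
    run "$(nfq_forward_rule "$LAN_B" "$LAN_A" 2)"   # Host 2 -> Host 1: queue 2
}

setup
```

Run as `DRY_RUN=0 sh snort-nfq.sh` on the IPS host to apply it; the default dry run only lists the commands so they can be reviewed first.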