Mitigating attacks with Snort


Transcript

  • 1. Reducing network attacks with Snort
    cleber brandao, cleber.brandao[nospam]locaweb.com.br
    Friday, 18 November 11
  • 2. Agenda
    • What is an IDS
    • Types of attacks
    • Snort structure
    • How Snort works
    • Preprocessors
    • Output plugins
    • Operation modes
    • Positioning
    • Q&A
  • 3. What is an IDS?
    • Intrusion Detection System
    • Layer 7 analysis
    • Just a sensor
    • An IPS can drop packets
    • Pattern matching or behavior-based
  • 4. Types of attacks
  • 5. External attacks
  • 6. Internal attacks
  • 7. Unstructured attacks
  • 8. Structured attacks
  • 9. Understanding Snort
    • Created in 1998, just as a sniffer
    • Became an IDS in 1999
    • Latest version: 2.9.1.2
  • 10. How Snort works
  • 11. Preprocessors
    • sfPortscan
    • Frag3
    • httpInspect
  • 12. sfPortscan
    • Half-connection scans
    • Decoy scans
    • Distributed scans
    • Port sweep scans
  • 13. Frag3
    • Detects anomalies in fragmented packets
  • 14. Frag3 evasion
  • 15. Frag3 evasion (2)
  • 16. httpInspect
    • HTTP normalization
  • 17. httpInspect (sample)
    • / = %2f
    • . = %2e
    • alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/id command attempt"; flow:to_server,established; content:"/usr/bin/id"; nocase; classtype:web-application-attack; sid:1332; rev:7;)
    • %2fusr%2fbin%2fid = bypass
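As an added example that is not part of the slides (and not Snort's own code), the following Python script approximates what the httpInspect preprocessor does before rule matching, and shows why the percent-encoded URI from slide 17 slips past a raw match on the content string "/usr/bin/id" but is caught once the URI is normalized. The normalize_uri function, the sample URIs and the helper names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Content string taken from the slide-17 rule (sid:1332), matched with 'nocase'.
CONTENT = "/usr/bin/id"


def normalize_uri(uri: str) -> str:
    """Approximate httpInspect's URI normalization (illustrative, not Snort's code):
    decode percent-encoded bytes (%2f -> '/', %2e -> '.'), drop '/./' self-references
    and collapse repeated slashes, so the rule sees the URI the server will act on."""
    decoded = unquote(uri)
    decoded = re.sub(r"/\./", "/", decoded)
    decoded = re.sub(r"/{2,}", "/", decoded)
    return decoded


def raw_match(uri: str) -> bool:
    """Naive content match on the un-normalized URI (case-insensitive, like 'nocase')."""
    return CONTENT.lower() in uri.lower()


def normalized_match(uri: str) -> bool:
    """The same content match, but applied after normalization."""
    return CONTENT.lower() in normalize_uri(uri).lower()


# Constructed request URIs: plain, percent-encoded (the slide's bypass),
# obfuscated with dot-segments and double slashes, and a benign one.
SAMPLES = [
    "/cgi-bin/test.cgi?cmd=/usr/bin/id",
    "/cgi-bin/test.cgi?cmd=%2fusr%2fbin%2fid",
    "/cgi-bin/test.cgi?cmd=/usr/./bin//id",
    "/index.html",
]


def evaluate(uris=SAMPLES):
    """Return (uri, raw_match, normalized_match) for each sample URI."""
    return [(u, raw_match(u), normalized_match(u)) for u in uris]


if __name__ == "__main__":
    for uri, raw, norm in evaluate():
        print(f"{uri:42} raw={raw!s:5} normalized={norm}")
```

Only the normalized match flags the encoded and dot-segment variants; the raw match sees them as different strings and stays silent.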
  • 18. Output plugins
    • Databases (MySQL, PostgreSQL, Oracle)
    • Syslog
    • Pcap (tcpdump, Wireshark)
    • Unified2
  • 19. Operation modes
    • IDS
    • IPS
    • Sniffer
    • pcap analysis
  • 20. Positioning
    • Sensor (port mirror, network tap)
    • IPS (bridge, gateway)
    • Internal
    • External
  • 21. Questions?
  • 22. Where to find me
    • Freenode - #securityguys, #snort-br
    • Security conferences
    • Buy me a beer ;)
  • 23. Thank you
    • www.locaweb.com.br
    • www.snort.org.br
    • www.snort.org
    • clebeerpub.blogspot.com