Mitigating attacks with Snort (Mitigando ataques com Snort)
Presentation Transcript

  • Reducing network attacks with Snort
    Cleber Brandao, cleber.brandao[nospam]locaweb.com.br
    Friday, 18 November 2011
  • Agenda
    • What is an IDS
    • Types of attack
    • Snort structure
    • How Snort works
    • Preprocessors
    • Output plugins
    • Operation modes
    • Positioning
    • Q&A
  • What is an IDS?
    • Intrusion Detection System
    • Analysis up to layer 7
    • An IDS is just a sensor; an IPS can also drop packets
    • Detection by pattern matching or by behaviour
  • Types of attack
    • External attacks
    • Internal attacks
    • Unstructured attacks
    • Structured attacks
  • Understanding Snort
    • Created in 1998 as a sniffer
    • Became an IDS in 1999
    • Latest version: 2.9.1.2
  • How Snort works
  • Preprocessors
    • sfPortScan
    • Frag3
    • httpInspect
  • sfPortScan
    • Half-open connection scans
    • Decoy scans
    • Distributed scans
    • Port sweep scans
  • Frag3
    • Detects anomalies in fragmented packets
  • Frag3 evasion
  • Frag3 evasion (2)
  • httpInspect
    • HTTP normalization
  • httpInspect (sample)
    • / = %2f
    • . = %2e
    • alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/id command attempt"; flow:to_server,established; content:"/usr/bin/id"; nocase; classtype:web-application-attack; sid:1332; rev:7;)
    • Without normalization, %2fusr%2fbin%2fid does not match the rule's content string: a bypass
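The following is an added example, not code from the slides or from Snort itself: a small approximation of the URI normalization httpInspect performs (repeated percent-decoding, slash collapsing, dot-segment resolution), used to show why the rule's content match "/usr/bin/id" (nocase) only catches encoded variants such as %2fusr%2fbin%2fid after normalization. The sample URIs are constructed.

```python
import re
from urllib.parse import unquote

# Content string from the rule on the slide (matched with nocase).
PATTERN = "/usr/bin/id"

def normalize_uri(uri: str, max_rounds: int = 3) -> str:
    """Approximate httpInspect-style normalization (assumption: not
    Snort's real algorithm). Percent-decodes repeatedly to undo double
    encoding (%252f -> %2f -> /), treats backslash as a separator,
    collapses runs of slashes and resolves '.' and '..' segments."""
    decoded = uri
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:          # nothing left to decode
            break
        decoded = nxt
    decoded = decoded.replace("\\", "/")
    decoded = re.sub(r"/+", "/", decoded)
    parts = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)

def raw_match(uri: str) -> bool:
    """Content match on the wire bytes only (no preprocessor)."""
    return PATTERN.lower() in uri.lower()

def normalized_match(uri: str) -> bool:
    """Content match after URI normalization."""
    return PATTERN.lower() in normalize_uri(uri).lower()

# Constructed request URIs: plain, percent-encoded, double-encoded,
# and obfuscated with dot segments, extra slashes and mixed case.
SAMPLES = ["/usr/bin/id", "%2fusr%2fbin%2fid",
           "%252fusr%252fbin%252fid", "/cgi-bin/..%2fusr/./bin//ID"]

def compare(uris=SAMPLES) -> dict:
    """Map each URI to (raw match, match after normalization)."""
    return {u: (raw_match(u), normalized_match(u)) for u in uris}

if __name__ == "__main__":
    for uri, (raw, norm) in compare().items():
        print(f"{uri:32} raw={raw!s:5} normalized={norm}")
```

Only the plain URI matches on raw bytes; every encoded or obfuscated variant is missed without normalization and caught with it, which is the gap the preprocessor closes.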
  • Output plugins
    • Databases (MySQL, PostgreSQL, Oracle)
    • Syslog
    • Pcap (tcpdump, Wireshark)
    • Unified2
  • Operation modes
    • IDS
    • IPS
    • Sniffer
    • Pcap analysis
  • Positioning
    • Sensor (port mirror, network tap)
    • IPS (bridge, gateway)
    • Internal
    • External
  • Questions?
  • Where to find me
    • Freenode: #securityguys, #snort-br
    • Security conferences
    • Buy me a beer ;)
  • Thank you
    • www.locaweb.com.br
    • www.snort.org.br
    • www.snort.org
    • clebeerpub.blogspot.com