Mitigando ataques com Snort (Mitigating attacks with Snort)

  1. Reducing network attacks with Snort. Cleber Brandao, cleber.brandao[nospam]locaweb.com.br (Friday, 18 November 2011)
  2. Agenda • What is an IDS • Types of attack • Snort structure • How Snort works • Preprocessors • Output plugins • Operation modes • Positioning • Q&A
  3. What is an IDS? • Intrusion Detection System • Layer 7 analysis • Just a sensor: it only alerts • An IPS can also drop packets • Detection by pattern matching or by behaviour
  4. Types of attacks
  5. External attacks
  6. Internal attacks
  7. Unstructured attacks
  8. Structured attacks
  9. Understanding Snort • Created in 1998 as a sniffer • Became an IDS in 1999 • Latest version at the time of this talk: 2.9.1.2
  10. How Snort works
  11. Preprocessors • sfPortscan • Frag3 • httpInspect
  12. sfPortscan • Half-open (half-connection) scans • Decoy scans • Distributed scans • Port sweeps
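What sfPortscan is looking for in those four scan types, as an added example written for this page in Python (it is not the preprocessor's own code and not from the talk): a small handshake tracker classifies each TCP flow, and the flows that never completed the three-way handshake are grouped into a portscan (one source, one target, many ports), a portsweep (one source, one port, many targets) and a distributed or decoy portscan (many sources, one target, many ports). The packet records, the 60 s window and the thresholds are constructed for illustration; sfPortScan's real thresholds and sense levels differ.

```python
from collections import defaultdict


def pkt(ts, src, sport, dst, dport, flags):
    """Constructed packet record; flags is the TCP flag string ('S', 'SA', 'A', 'R')."""
    return {"ts": ts, "src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


def track_flows(packets):
    """Follow the handshake per client 4-tuple.

    Returns {(client, sport, server, dport): (state, first_ts)} with state in
    'syn' -> 'synack' -> 'established', or 'reset' if the server answered a SYN with RST.
    Anything that never reaches 'established' is a half-open connection.
    """
    flows = {}
    for p in packets:
        client_key = (p["src"], p["sport"], p["dst"], p["dport"])
        server_key = (p["dst"], p["dport"], p["src"], p["sport"])  # reply direction
        if p["flags"] == "S":
            flows.setdefault(client_key, ["syn", p["ts"]])
        elif p["flags"] in ("SA", "R") and server_key in flows:
            flows[server_key][0] = "synack" if p["flags"] == "SA" else "reset"
        elif p["flags"] == "A" and client_key in flows and flows[client_key][0] == "synack":
            flows[client_key][0] = "established"
    return {k: tuple(v) for k, v in flows.items()}


def detect_scans(packets, window=60.0, min_ports=5, min_hosts=5, min_sources=3):
    """Group half-open flows the way sfPortscan groups them (thresholds are illustrative)."""
    flows = track_flows(packets)
    half_open = [(k, ts) for k, (state, ts) in flows.items() if state != "established"]

    by_pair = defaultdict(lambda: {"ports": set(), "ts": []})   # portscan: src -> dst
    by_port = defaultdict(set)                                   # portsweep: src, dport -> dsts
    by_target = defaultdict(lambda: {"srcs": set(), "ports": set()})  # distributed/decoy
    for (src, _sport, dst, dport), ts in half_open:
        by_pair[(src, dst)]["ports"].add(dport)
        by_pair[(src, dst)]["ts"].append(ts)
        by_port[(src, dport)].add(dst)
        by_target[dst]["srcs"].add(src)
        by_target[dst]["ports"].add(dport)

    portscans = {pair: len(v["ports"]) for pair, v in by_pair.items()
                 if len(v["ports"]) >= min_ports and max(v["ts"]) - min(v["ts"]) <= window}
    sweeps = {key: len(dsts) for key, dsts in by_port.items() if len(dsts) >= min_hosts}
    distributed = {dst: (len(v["srcs"]), len(v["ports"])) for dst, v in by_target.items()
                   if len(v["srcs"]) >= min_sources and len(v["ports"]) >= min_ports}
    return {"portscan": portscans, "portsweep": sweeps, "distributed": distributed}


# Constructed traffic: a half-open scan, one legitimate connection and a port sweep.
SAMPLE = []
for i, port in enumerate([21, 22, 23, 25, 80, 110]):
    SAMPLE.append(pkt(i, "10.0.0.5", 40000 + i, "192.168.1.10", port, "S"))
    SAMPLE.append(pkt(i + 0.01, "192.168.1.10", port, "10.0.0.5", 40000 + i,
                      "SA" if port in (22, 80) else "R"))   # scanner never sends the final ACK
SAMPLE += [pkt(10.00, "10.0.0.7", 51000, "192.168.1.10", 80, "S"),
           pkt(10.01, "192.168.1.10", 80, "10.0.0.7", 51000, "SA"),
           pkt(10.02, "10.0.0.7", 51000, "192.168.1.10", 80, "A")]   # completed handshake
for i in range(1, 7):
    SAMPLE.append(pkt(20 + i, "10.0.0.9", 42000 + i, f"192.168.1.{i}", 22, "S"))
    SAMPLE.append(pkt(20 + i + 0.01, f"192.168.1.{i}", 22, "10.0.0.9", 42000 + i, "R"))

if __name__ == "__main__":
    for kind, hits in detect_scans(SAMPLE).items():
        print(kind, hits)
```

A decoy scan shows up here as several portscan entries against the same target, one per spoofed source, and as a distributed entry once enough decoys are used; distinguishing the real scanner from the decoys needs more than this (sfPortScan reports the set of sources it saw).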
  13. Frag3 • Detects anomalies in fragmented packets
  14. Frag3 evasion
  15. Frag3 evasion (2)
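Why Frag3 is a target-based preprocessor, as an added illustration that is not from the slides or from Snort's source: the same overlapping fragments reassemble differently depending on whether the first-arriving or the last-arriving bytes win, so an IDS that reassembles with a policy different from the target host's sees a payload the host never processes. Frag3 chooses the policy per host with its `policy` option (first, last, bsd, bsd-right, linux, windows, solaris); only `first` and `last` are modelled here, and the fragments are constructed.

```python
def reassemble(fragments, policy="first"):
    """Reassemble (offset, data) fragments given in arrival order.

    policy 'first': bytes already in the buffer win over later overlapping bytes.
    policy 'last':  a later fragment overwrites what is already there.
    Returns (payload, conflict). payload is None if the buffer has a hole;
    conflict is True if any overlapping bytes disagreed, which is the
    insertion/evasion pattern Frag3 raises an anomaly alert for.
    """
    if policy not in ("first", "last"):
        raise ValueError("only 'first' and 'last' are modelled in this example")
    buf = {}
    conflict = False
    for offset, data in fragments:
        for i, byte in enumerate(data):
            pos = offset + i
            if pos in buf and buf[pos] != byte:
                conflict = True
            if pos not in buf or policy == "last":
                buf[pos] = byte
    if not buf or len(buf) != max(buf) + 1:
        return None, conflict
    return bytes(buf[i] for i in range(len(buf))), conflict


# Constructed fragments: the command name arrives twice at offset 9 with different bytes.
EVASION = [(0, b"/usr/bin/"), (9, b"ls"), (9, b"id")]
PATTERN = b"/usr/bin/id"   # the content: string from sid 1332


def alerts(fragments, policy, pattern=PATTERN):
    """Would a content match fire on the payload reassembled under this policy?"""
    payload, _ = reassemble(fragments, policy)
    return payload is not None and pattern in payload


if __name__ == "__main__":
    for policy in ("first", "last"):
        payload, conflict = reassemble(EVASION, policy)
        print(f"{policy:5} -> {payload!r} conflict={conflict} alert={alerts(EVASION, policy)}")
```

With a `first` policy the sensor reassembles `/usr/bin/ls` and stays quiet, while a host whose stack favours the later fragment executes `/usr/bin/id`; the conflict flag is the cheap signal that something is trying to play the two apart.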
  16. httpInspect • HTTP normalization
  17. httpInspect (sample) • / = %2f • . = %2e • alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/id command attempt"; flow:to_server,established; content:"/usr/bin/id"; nocase; classtype:web-application-attack; sid:1332; rev:7;) • %2fusr%2fbin%2fid = bypass of the raw content match; httpInspect decodes the URI, so a rule that inspects the normalized URI buffer (uricontent, or content with http_uri) still matches
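How that normalization decides whether the rule above fires, as an added example written for this page (not code from the talk or from Snort): a small decoder stands in for httpInspect, and two match functions mimic a raw `content:` search versus a search of the normalized URI. The request strings are constructed, and the `double_decode` flag models a target server that decodes the URI twice (httpInspect has a `double_decode` option for such servers).

```python
import re
from urllib.parse import unquote

# Constructed sample requests (not taken from the slides).
RAW_REQUEST = "GET /cgi-bin/test.cgi?cmd=/usr/bin/id HTTP/1.0"
ENCODED_REQUEST = "GET /cgi-bin/test.cgi?cmd=%2fusr%2fbin%2fid HTTP/1.0"
DOUBLE_ENCODED = "GET /cgi-bin/test.cgi?cmd=%252fusr%252fbin%252fid HTTP/1.0"
OBFUSCATED_PATH = "GET /cgi-bin//test.cgi?cmd=/usr/./bin//id HTTP/1.0"

PATTERN = "/usr/bin/id"   # the content: string of sid 1332


def raw_content_match(request, pattern=PATTERN):
    """Mimic a plain `content:` with `nocase`: search the payload exactly as it was sent."""
    return pattern.lower() in request.lower()


def normalize_uri(request, double_decode=False):
    """Stand-in for httpInspect's URI normalization: percent-decode the request URI,
    drop '/./' segments and collapse repeated slashes (a subset of what httpInspect does)."""
    parts = request.split(" ")
    if len(parts) < 2:
        return ""
    uri = unquote(parts[1])
    if double_decode:            # servers that decode twice turn %252f into '/'
        uri = unquote(uri)
    while "/./" in uri:
        uri = uri.replace("/./", "/")
    uri = re.sub(r"/{2,}", "/", uri)
    return uri


def uricontent_match(request, pattern=PATTERN, double_decode=False):
    """Mimic `uricontent:` (or content with http_uri): search the normalized URI buffer."""
    return pattern.lower() in normalize_uri(request, double_decode).lower()


if __name__ == "__main__":
    for req in (RAW_REQUEST, ENCODED_REQUEST, DOUBLE_ENCODED, OBFUSCATED_PATH):
        print(f"raw={raw_content_match(req)!s:5} normalized={uricontent_match(req)!s:5} {req}")
```

The encoded and obfuscated requests slip past the raw match and are caught only on the normalized buffer; the double-encoded one is caught only when the sensor decodes the same number of times as the server it protects, which is why httpInspect's per-server profile matters.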
  18. Output plugins • Databases (MySQL, PostgreSQL, Oracle) • Syslog • Pcap (tcpdump, Wireshark) • Unified2
  19. Operation modes • IDS • IPS (inline) • Sniffer • pcap analysis
  20. Positioning • Sensor (port mirror, network tap) • IPS (bridge, gateway) • Internal • External
  21. Questions?
  22. Where to find me • Freenode - #securityguys, #snort-br • Security conferences • Buy me a beer ;)
  23. Thank you • www.locaweb.com.br • www.snort.org.br • www.snort.org • clebeerpub.blogspot.com
