Introduction to Snort
•Download as PPTX, PDF•
0 likes•785 views
Snort is an open-source network intrusion detection and prevention system that performs real-time traffic analysis and packet logging on IP networks. It can detect a variety of attacks through protocol analysis, content searching, and matching. Snort functions in sniffer, packet logger, and intrusion detection modes. As a network intrusion detection system, it monitors network traffic and compares it to a database of attack signatures. Snort rules are used to detect suspicious activity and are organized into categories covering web, SQL, shellcode attacks and more.
More Related Content
What's hot
What's hot (20)
Similar to Introduction to Snort
Similar to Introduction to Snort (20)
More from Hossein Yavari
More from Hossein Yavari (20)
Recently uploaded
Recently uploaded (20)
Introduction to Snort
- 2. What is the Snort? • Snort is an open-source network Intrusion Detection and Prevention System (NIDS/IPS). • The de facto standard of intrusion detection tools. • Capable of performing real-time traffic analysis and packet logging on IP networks. • It can perform: • Protocol analysis • Content searching/matching • Detection a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
- 3. What is NIDS? • There are two prominent locations for any type of activity within a system: on endpoints and between them. • So, there are two types of intrusion detection systems: • The host-based IDS (HIDS) • The network intrusion detection system (NIDS). Source: https://www.comparitech.com/net-admin/network-intrusion- detection-tools/
- 4. What is the (N)IDS/IPS? Source: https://www.techtarget.com/searchsecurity/definition/intrusion-detection-system
- 5. Snort Architecture Source: Alserhani, F., Akhlaq, M., Awan, I., Cullen, A.J., Mellor, J.E., & Mirchandani, P. (2009). Snort Performance Evaluation.
- 6. Snort Modes Sniffer Mode It works as a packet capture system that shows passing traffic in a viewer in the Snort console, same tcpdump. Packet Logger Mode This option writes collected packets includes data and headers to file. Intrusion Detection Mode This is the distinctive use for Snort and sets it apart from all other packet sniffers to make it a defense system rather than just a tool for research.
- 7. How we use the Snort?
- 8. Snort Rules • Snort rules are extremely flexible and are easy to modify, unlike many commercial NIDS. • 4050 community rules in last version (v3.0) • Various rules categories: • web-frontpage.rules web-iis.rules web-misc.rules • web-attacks.rules sql.rules x11.rules • icmp.rules netbios.rules misc.rules • backdoor.rules shellcode.rules policy.rules • porn.rules info.rules icmp-info.rules
- 9. Snort Rules (Cont.) > alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_cmdshell - program execution"; content: "x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; flags:A+; classtype:attempted-user; sid:687; rev:3;) caught compromise of Microsoft SQL Server
- 10. Snort Deployment Options • In addition to source code, packages are available to get running on Fedora, CentOS, FreeBSD, and Windows.
- 11. Thank You!