The document discusses the setup and configuration of an intrusion prevention system (IPS) using Snort and iptables on a Linux-based system. It provides detailed instructions on installing necessary libraries, the Linux kernel, Snort, iptables, and Snort rulesets. The IPS can be configured in either inline or flex-response mode using Snort. Iptables is used to create packet queues that allow for mono-queue or multi-queue IPS configurations with single or multiple processing queues.
An intrusion prevention system (IPS) like Snort can operate in either inline or flexible response mode. Flexible response mode replicates all inbound traffic to a "mirror port" using a network switch. The IPS analyzes this mirrored traffic and sends RST packets to terminate any connections that match drop rules, allowing it to respond proportionately to threats without blocking the network flow. While inline mode can block attacks faster, flexible response is preferable when latency is too high or the IPS is passive, making its efficiency dependent on CPU and memory resources.
This document provides an overview and comparison of Suricata and Snort intrusion detection systems. It discusses features like performance, rule writing, and capabilities. PF_ring and netsniff-ng are introduced as tools for improving packet capture speed. The document also demonstrates how to write Snort rules specifying actions, protocols, IP addresses, ports, directions and other options.
- Snort is an open source network intrusion detection system (IDS) that was created in 1998 and has continued to evolve, with a focus on detection capacity, speed and output plugin functionality.
- Snort examines packet flows and compares them to configured rule sets, utilizing variables, preprocessors and output plugins. Common preprocessors perform functions like stream reassembly and portscan detection.
- Output is configured through plugins to perform actions like logging to files or databases. Signatures use a standardized language to define common network attacks and anomalies.
- Unified log files were created to offload alerting from Snort to other applications, improving performance for detection. Compatible spool readers like Barnyard and Mudpit can
The document discusses implementing a mesh network between Nokia Internet Tablets and OLPC/XO devices. It outlines upgrading the devices' mesh drivers and kernels to enable the heterogeneous mesh network, including patching other needed drivers. It then describes testing the mesh network by establishing IP connectivity between devices located close together and using intermediate devices to route packets for those further apart.
Snort is an open source network intrusion detection system (NIDS) that can perform network monitoring and packet logging. It analyzes network traffic in real-time and compares it to a rulebase to detect anomalous activity such as malware, attacks, and intrusions. Snort works by decoding packet headers and payloads and applying rules to detect patterns across the network, transport, and application layers. It can operate in three modes: sniffer, packet logger, and intrusion detection system. Rules are used to specify conditions that indicate malicious traffic and generate alerts.
Snort is an open source network intrusion detection and prevention system that monitors network traffic and compares it against a ruleset to detect anomalous activity. It works on the network, transport, and application layers to analyze packet headers, payloads, and apply detection rules using a string matching algorithm. Snort includes components like a packet decoder, preprocessors, detection engine, and output modules. The detection engine applies rules to packets in priority order to detect known intrusions based on signatures as well as potential new attacks. Improving Snort involves optimizing its rule processing, offloading work to hardware, and developing better detection algorithms.
This document summarizes IPsec VPN design options and management. It discusses site-to-site and remote access VPN topologies using IPsec, including full mesh, DMVPN, and IPsec over GRE. It also covers high availability using DPD, HSRP+, and routing protocols. Other topics include split tunneling, device placement with integrated firewalls, and general IPsec management.
N2OS is an open source network operating system that aims to reduce costs for new network equipment designs by being independent of switching silicon vendors. It supports both open hardware switches and vendor proprietary hardware. N2OS provides layer 2, 3, and OpenFlow 1.x protocols and has been installed on switches from manufacturers like Edgecore that use chips from Broadcom and Intel. The latest version of N2OS integrates with Open Network Linux and Switch Abstraction Interface to support OpenFlow and programmable switches on both open and Intel hardware.
An intrusion prevention system (IPS) like Snort can operate in either inline or flexible response mode. Flexible response mode replicates all inbound traffic to a "mirror port" using a network switch. The IPS analyzes this mirrored traffic and sends RST packets to terminate any connections that match drop rules, allowing it to respond proportionately to threats without blocking the network flow. While inline mode can block attacks faster, flexible response is preferable when latency is too high or the IPS is passive, making its efficiency dependent on CPU and memory resources.
This document provides an overview and comparison of Suricata and Snort intrusion detection systems. It discusses features like performance, rule writing, and capabilities. PF_ring and netsniff-ng are introduced as tools for improving packet capture speed. The document also demonstrates how to write Snort rules specifying actions, protocols, IP addresses, ports, directions and other options.
- Snort is an open source network intrusion detection system (IDS) that was created in 1998 and has continued to evolve, with a focus on detection capacity, speed and output plugin functionality.
- Snort examines packet flows and compares them to configured rule sets, utilizing variables, preprocessors and output plugins. Common preprocessors perform functions like stream reassembly and portscan detection.
- Output is configured through plugins to perform actions like logging to files or databases. Signatures use a standardized language to define common network attacks and anomalies.
- Unified log files were created to offload alerting from Snort to other applications, improving performance for detection. Compatible spool readers like Barnyard and Mudpit can
The document discusses implementing a mesh network between Nokia Internet Tablets and OLPC/XO devices. It outlines upgrading the devices' mesh drivers and kernels to enable the heterogeneous mesh network, including patching other needed drivers. It then describes testing the mesh network by establishing IP connectivity between devices located close together and using intermediate devices to route packets for those further apart.
Snort is an open source network intrusion detection system (NIDS) that can perform network monitoring and packet logging. It analyzes network traffic in real-time and compares it to a rulebase to detect anomalous activity such as malware, attacks, and intrusions. Snort works by decoding packet headers and payloads and applying rules to detect patterns across the network, transport, and application layers. It can operate in three modes: sniffer, packet logger, and intrusion detection system. Rules are used to specify conditions that indicate malicious traffic and generate alerts.
Snort is an open source network intrusion detection and prevention system that monitors network traffic and compares it against a ruleset to detect anomalous activity. It works on the network, transport, and application layers to analyze packet headers, payloads, and apply detection rules using a string matching algorithm. Snort includes components like a packet decoder, preprocessors, detection engine, and output modules. The detection engine applies rules to packets in priority order to detect known intrusions based on signatures as well as potential new attacks. Improving Snort involves optimizing its rule processing, offloading work to hardware, and developing better detection algorithms.
This document summarizes IPsec VPN design options and management. It discusses site-to-site and remote access VPN topologies using IPsec, including full mesh, DMVPN, and IPsec over GRE. It also covers high availability using DPD, HSRP+, and routing protocols. Other topics include split tunneling, device placement with integrated firewalls, and general IPsec management.
N2OS is an open source network operating system that aims to reduce costs for new network equipment designs by being independent of switching silicon vendors. It supports both open hardware switches and vendor proprietary hardware. N2OS provides layer 2, 3, and OpenFlow 1.x protocols and has been installed on switches from manufacturers like Edgecore that use chips from Broadcom and Intel. The latest version of N2OS integrates with Open Network Linux and Switch Abstraction Interface to support OpenFlow and programmable switches on both open and Intel hardware.
In this talk Liran will discuss interrupt management in Linux, effective handling, how to defer work using tasklets, workqueues and timers. We'll learn how to handle interrupts in userspace and talk about the performance and latency aspects of each method as well as look at some examples from the kernel source.
Liran is the CTO at Mabel technology and co-founder of DiscoverSDK - Software Libraries directory and DiscoverCloud - Business Apps directory.
More than 20 years of training experience including courses in: Linux, Android, Real-time and Embedded systems, and many more.
linux operating system is spreading all over the world among users day after day, in this slide you can know more about linux operating system and specialy linux firewall which is called ip table.
IPsec provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet. Examples of its use include:
Secure branch office connectivity over the Internet
Secure remote access over the Internet
Establishing extranet and intranet connectivity with partners
Enhancing electronic commerce security
Bridging the gap between hardware and software tracingChristian Babeux
For a numbers of years, silicon vendors have been providing hardware tracing facilities to embedded developers. By using these, developers can resolve performance and latency issues more quickly, resulting in shorter time to market. In this talk, we will cover the hardware based tracing facilities offered by various manufacturers and see how they differ from their software counterparts with respect to their instrumentation capabilities, transport mechanisms, output formats, etc. We will also show how joint hardware and software tracing can be used by developers to gain deeper insights in their applications’ behaviour. Finally, we will outline the on-going work within the Linux Trace Toolkit next generation (LTTng) project to enhance hardware tracing support and tracing data visualization.
The document discusses various attacks that are possible against the AoE (ATA over Ethernet) storage protocol due to its lack of authentication and security features. Some key attacks mentioned include replay attacks, unauthenticated disk access by reading and writing directly to disks, creating an AoE proxy to reroute traffic, and denial of service attacks. The document warns that AoE deployments could be vulnerable if not properly segmented from untrusted networks.
Cryptography Processing with 3rd Gen Intel Xeon Scalable ProcessorsDESMOND YUEN
- The document discusses new capabilities in 3rd Gen Intel Xeon Scalable processors to enhance cryptographic operations, known as Intel Crypto Acceleration. It includes new instructions that help improve performance of encryption algorithms and enable stronger encryption with larger keys.
- Performance test results on workloads like NGINX, HAProxy, and TLS show speedups of up to 3x when utilizing the new crypto instructions compared to software encryption. This is achieved while maintaining high frequencies for the majority of workload cycles.
- The document dives into details of how the new crypto instructions map to different frequency levels, and how 3rd Gen Xeon Scalable processors have reduced frequency impacts compared to previous generations when executing these instructions.
IPSec is an open standard protocol suite that provides security services like data confidentiality, integrity, and authentication for IP communications. It operates at the network layer and can be used to secure communication between hosts, network devices, and between hosts and devices. The key components of IPSec include Internet Key Exchange (IKE) for setting up Security Associations (SA), the Authentication Header (AH) for data integrity and authentication, and the Encapsulating Security Payload (ESP) for confidentiality, integrity, and authentication.
In computing ,a futex is a linux kernel system call that programmers can use to implement basic locking, or as a building block for higher-level locking abstractions such as posix mutexes or condition variables.
Stefan Schmidt from the Open Source Group discusses the current and future status of IEEE 802.15.4 and 6LoWPAN in the linux kernel in this presentation for the 2015 Embedded Linux Conference.
This document provides an outline for a TinyOS tutorial that introduces the TinyOS operating system and development environment. It covers the hardware primer, introduction to TinyOS, installation and configuration, NesC syntax, network communication, sensor data acquisition, debugging techniques, and concludes with an overview of the Agilla mobile agent system. The outline includes 10 sections that will guide students through understanding the TinyOS hardware platforms, programming model, components, interfaces, and building/installing applications.
Using SoC Vendor HALs in the Zephyr Project - SFO17-112Linaro
Session ID: SFO17-112
Session Name: Using SoC Vendor HALs in the Zephyr Project - SFO17-112
Speaker: Maureen Helm
Track: LITE
★ Session Summary ★
The Zephyr OS is a small, scalable RTOS that supports a wide variety of SoCs, many of which have existing HALs provided by the SoC vendors, especially in the ARM Cortex-M world. These HALs provide peripheral register definitions and in many cases, include bare metal peripheral drivers. Rather than reinventing the wheel, the Zephyr Project decided to proactively reuse these vendor HALs whenever possible. This session will cover how and why the Zephyr Project uses SoC vendor HALs, what are the common problems, and how to address them.
---------------------------------------------------
★ Resources ★
Event Page: http://connect.linaro.org/resource/sfo17/sfo17-112/
Presentation:
Video: https://www.youtube.com/watch?v=hHcnw4xu_Mo
---------------------------------------------------
★ Event Details ★
Linaro Connect San Francisco 2017 (SFO17)
25-29 September 2017
Hyatt Regency San Francisco Airport
---------------------------------------------------
Keyword:
'http://www.linaro.org'
'http://connect.linaro.org'
---------------------------------------------------
Follow us on Social Media
https://www.facebook.com/LinaroOrg
https://twitter.com/linaroorg
https://www.youtube.com/user/linaroorg?sub_confirmation=1
https://www.linkedin.com/company/102696
New Zephyr features: LWM2M / FOTA Framework - SFO17-113Linaro
Session ID: SFO17-113
Session Name: New Zephyr features: LWM2M / FOTA Framework - SFO17-113
Speaker: Marti Bolivar - David Brown - Ricardo Salveti - Mike Scott
Track: LTD
★ Session Summary ★
Zephyr is changing at an alarming pace and we would like to provide some insights to a few of the areas we have been working. MCUBOOT Secure bootloader integration, FOTA, DeviceTree and LWM2M enabling secure client to cloud capabilities
---------------------------------------------------
★ Resources ★
Event Page: http://connect.linaro.org/resource/sfo17/sfo17-113/
Presentation:
Video: https://www.youtube.com/watch?v=VOv0-d5T99o
---------------------------------------------------
★ Event Details ★
Linaro Connect San Francisco 2017 (SFO17)
25-29 September 2017
Hyatt Regency San Francisco Airport
---------------------------------------------------
Keyword:
'http://www.linaro.org'
'http://connect.linaro.org'
---------------------------------------------------
Follow us on Social Media
https://www.facebook.com/LinaroOrg
https://twitter.com/linaroorg
https://www.youtube.com/user/linaroorg?sub_confirmation=1
https://www.linkedin.com/company/1026961
The document discusses improvements to the implementation of futexes (fast userspace mutexes) in the Linux kernel to improve scaling on multicore systems. Some key issues with the original futex implementation are a global hash table that does not scale well with NUMA, hash collisions, and contention on hash bucket locks. Improvements discussed include using per-process or per-thread hash tables to address NUMA issues, improving hashing to reduce collisions, releasing hash bucket locks before waking tasks to allow concurrent wakeups, and replacing spinlocks with queued/MCS locks to reduce cacheline bouncing under contention. These changes aim to improve futex performance and scalability as the number of cores in systems increases.
Aircrack-ng is a suite of tools used to recover wireless encryption keys. It consists of a detector, packet sniffer, and cracker for WEP and WPA/WPA2-PSK encryption. It works with wireless network interfaces in monitor mode to sniff 802.11 traffic. Aircrack-ng can recover WEP keys by capturing packets with airodump-ng and then using statistical attacks like PTW or FMS/Korek cracking methods to determine the encryption key from the captured initialization vectors.
Cellular technology with Embedded Linux - COSCUP 2016SZ Lin
This document provides steps and information for building your own Internet of Things (IoT) device using cellular technology. It discusses selecting a cellular module, enabling the device driver and utilities, and understanding cellular network generations and protocols like AT commands, QMI and MBIM. The document also addresses frequently asked questions about establishing connections and troubleshooting issues. Overall it serves as a guide for getting hands-on experience developing cellular-connected IoT devices.
Snort_inline is an intrusion prevention system that can be configured to operate inline by parsing network traffic through two network cards in bridge mode. This allows Snort_inline to detect threats in real-time and drop malicious traffic. The document discusses how to configure Snort_inline for different network environments like internal LANs, DMZs, and mixed networks by adjusting preprocessing rules and Snort rules. It also describes tools for monitoring Snort alerts and managing intrusion detection rules.
This document provides an overview of networking and security concepts including the OSI model, functions of common network devices like routers, switches, firewalls and IDS/IPS systems. It describes technologies like NAT, VPNs, encryption, file integrity monitoring and SIEM. It also includes brief introductions to Linux, the CCNA and a case study on site-to-site VPN deployment considerations.
In this talk Liran will discuss interrupt management in Linux, effective handling, how to defer work using tasklets, workqueues and timers. We'll learn how to handle interrupts in userspace and talk about the performance and latency aspects of each method as well as look at some examples from the kernel source.
Liran is the CTO at Mabel technology and co-founder of DiscoverSDK - Software Libraries directory and DiscoverCloud - Business Apps directory.
More than 20 years of training experience including courses in: Linux, Android, Real-time and Embedded systems, and many more.
linux operating system is spreading all over the world among users day after day, in this slide you can know more about linux operating system and specialy linux firewall which is called ip table.
IPsec provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet. Examples of its use include:
Secure branch office connectivity over the Internet
Secure remote access over the Internet
Establishing extranet and intranet connectivity with partners
Enhancing electronic commerce security
Bridging the gap between hardware and software tracingChristian Babeux
For a numbers of years, silicon vendors have been providing hardware tracing facilities to embedded developers. By using these, developers can resolve performance and latency issues more quickly, resulting in shorter time to market. In this talk, we will cover the hardware based tracing facilities offered by various manufacturers and see how they differ from their software counterparts with respect to their instrumentation capabilities, transport mechanisms, output formats, etc. We will also show how joint hardware and software tracing can be used by developers to gain deeper insights in their applications’ behaviour. Finally, we will outline the on-going work within the Linux Trace Toolkit next generation (LTTng) project to enhance hardware tracing support and tracing data visualization.
The document discusses various attacks that are possible against the AoE (ATA over Ethernet) storage protocol due to its lack of authentication and security features. Some key attacks mentioned include replay attacks, unauthenticated disk access by reading and writing directly to disks, creating an AoE proxy to reroute traffic, and denial of service attacks. The document warns that AoE deployments could be vulnerable if not properly segmented from untrusted networks.
Cryptography Processing with 3rd Gen Intel Xeon Scalable ProcessorsDESMOND YUEN
- The document discusses new capabilities in 3rd Gen Intel Xeon Scalable processors to enhance cryptographic operations, known as Intel Crypto Acceleration. It includes new instructions that help improve performance of encryption algorithms and enable stronger encryption with larger keys.
- Performance test results on workloads like NGINX, HAProxy, and TLS show speedups of up to 3x when utilizing the new crypto instructions compared to software encryption. This is achieved while maintaining high frequencies for the majority of workload cycles.
- The document dives into details of how the new crypto instructions map to different frequency levels, and how 3rd Gen Xeon Scalable processors have reduced frequency impacts compared to previous generations when executing these instructions.
IPSec is an open standard protocol suite that provides security services like data confidentiality, integrity, and authentication for IP communications. It operates at the network layer and can be used to secure communication between hosts, network devices, and between hosts and devices. The key components of IPSec include Internet Key Exchange (IKE) for setting up Security Associations (SA), the Authentication Header (AH) for data integrity and authentication, and the Encapsulating Security Payload (ESP) for confidentiality, integrity, and authentication.
In computing ,a futex is a linux kernel system call that programmers can use to implement basic locking, or as a building block for higher-level locking abstractions such as posix mutexes or condition variables.
Stefan Schmidt from the Open Source Group discusses the current and future status of IEEE 802.15.4 and 6LoWPAN in the linux kernel in this presentation for the 2015 Embedded Linux Conference.
This document provides an outline for a TinyOS tutorial that introduces the TinyOS operating system and development environment. It covers the hardware primer, introduction to TinyOS, installation and configuration, NesC syntax, network communication, sensor data acquisition, debugging techniques, and concludes with an overview of the Agilla mobile agent system. The outline includes 10 sections that will guide students through understanding the TinyOS hardware platforms, programming model, components, interfaces, and building/installing applications.
Using SoC Vendor HALs in the Zephyr Project - SFO17-112Linaro
Session ID: SFO17-112
Session Name: Using SoC Vendor HALs in the Zephyr Project - SFO17-112
Speaker: Maureen Helm
Track: LITE
★ Session Summary ★
The Zephyr OS is a small, scalable RTOS that supports a wide variety of SoCs, many of which have existing HALs provided by the SoC vendors, especially in the ARM Cortex-M world. These HALs provide peripheral register definitions and in many cases, include bare metal peripheral drivers. Rather than reinventing the wheel, the Zephyr Project decided to proactively reuse these vendor HALs whenever possible. This session will cover how and why the Zephyr Project uses SoC vendor HALs, what are the common problems, and how to address them.
---------------------------------------------------
★ Resources ★
Event Page: http://connect.linaro.org/resource/sfo17/sfo17-112/
Presentation:
Video: https://www.youtube.com/watch?v=hHcnw4xu_Mo
---------------------------------------------------
★ Event Details ★
Linaro Connect San Francisco 2017 (SFO17)
25-29 September 2017
Hyatt Regency San Francisco Airport
---------------------------------------------------
Keyword:
'http://www.linaro.org'
'http://connect.linaro.org'
---------------------------------------------------
Follow us on Social Media
https://www.facebook.com/LinaroOrg
https://twitter.com/linaroorg
https://www.youtube.com/user/linaroorg?sub_confirmation=1
https://www.linkedin.com/company/102696
New Zephyr features: LWM2M / FOTA Framework - SFO17-113Linaro
Session ID: SFO17-113
Session Name: New Zephyr features: LWM2M / FOTA Framework - SFO17-113
Speaker: Marti Bolivar - David Brown - Ricardo Salveti - Mike Scott
Track: LTD
★ Session Summary ★
Zephyr is changing at an alarming pace and we would like to provide some insights to a few of the areas we have been working. MCUBOOT Secure bootloader integration, FOTA, DeviceTree and LWM2M enabling secure client to cloud capabilities
---------------------------------------------------
★ Resources ★
Event Page: http://connect.linaro.org/resource/sfo17/sfo17-113/
Presentation:
Video: https://www.youtube.com/watch?v=VOv0-d5T99o
---------------------------------------------------
★ Event Details ★
Linaro Connect San Francisco 2017 (SFO17)
25-29 September 2017
Hyatt Regency San Francisco Airport
---------------------------------------------------
Keyword:
'http://www.linaro.org'
'http://connect.linaro.org'
---------------------------------------------------
Follow us on Social Media
https://www.facebook.com/LinaroOrg
https://twitter.com/linaroorg
https://www.youtube.com/user/linaroorg?sub_confirmation=1
https://www.linkedin.com/company/1026961
The document discusses improvements to the implementation of futexes (fast userspace mutexes) in the Linux kernel to improve scaling on multicore systems. Some key issues with the original futex implementation are a global hash table that does not scale well with NUMA, hash collisions, and contention on hash bucket locks. Improvements discussed include using per-process or per-thread hash tables to address NUMA issues, improving hashing to reduce collisions, releasing hash bucket locks before waking tasks to allow concurrent wakeups, and replacing spinlocks with queued/MCS locks to reduce cacheline bouncing under contention. These changes aim to improve futex performance and scalability as the number of cores in systems increases.
Aircrack-ng is a suite of tools used to recover wireless encryption keys. It consists of a detector, packet sniffer, and cracker for WEP and WPA/WPA2-PSK encryption. It works with wireless network interfaces in monitor mode to sniff 802.11 traffic. Aircrack-ng can recover WEP keys by capturing packets with airodump-ng and then using statistical attacks like PTW or FMS/Korek cracking methods to determine the encryption key from the captured initialization vectors.
Cellular technology with Embedded Linux - COSCUP 2016SZ Lin
This document provides steps and information for building your own Internet of Things (IoT) device using cellular technology. It discusses selecting a cellular module, enabling the device driver and utilities, and understanding cellular network generations and protocols like AT commands, QMI and MBIM. The document also addresses frequently asked questions about establishing connections and troubleshooting issues. Overall it serves as a guide for getting hands-on experience developing cellular-connected IoT devices.
Snort_inline is an intrusion prevention system that can be configured to operate inline by parsing network traffic through two network cards in bridge mode. This allows Snort_inline to detect threats in real-time and drop malicious traffic. The document discusses how to configure Snort_inline for different network environments like internal LANs, DMZs, and mixed networks by adjusting preprocessing rules and Snort rules. It also describes tools for monitoring Snort alerts and managing intrusion detection rules.
This document provides an overview of networking and security concepts including the OSI model, functions of common network devices like routers, switches, firewalls and IDS/IPS systems. It describes technologies like NAT, VPNs, encryption, file integrity monitoring and SIEM. It also includes brief introductions to Linux, the CCNA and a case study on site-to-site VPN deployment considerations.
Seminar Report - Network Intrusion Prevention by Configuring ACLs on the Rout...Disha Bedi
Base Paper presented by - Muhammad Naveed, Shams un Nihar and Mohammad Inayatullah Babar At 2010 6th International Conference on Emerging Technologies (ICET)
Here are the answers to the questions in bold red typeface:
1. What is a WAN?
**A WAN (wide area network) is a geographically dispersed telecommunication network that interconnects multiple computer networks and LANs (local area networks).**
2. What are the main components of a WAN?
**The main components of a WAN include routers, switches, firewalls, servers, and transmission media like fiber optic cables, coaxial cables, leased lines, satellites, and microwave links.**
3. What are some common WAN technologies?
**Some common WAN technologies include Frame Relay, ATM, MPLS, DSL, cable modem,
Security Onion is a free and open source Linux distribution designed for network security monitoring that combines tools like Snort, Suricata, Bro, Sguil and Snorby into a single package for full packet capture, traffic analysis and forensic investigation capabilities. It aims to simplify deploying complex security tools by automatically configuring them and allowing analysts to seamlessly pivot between interfaces to trace network threats. Regular rule updates are also automated to keep detections current with emerging attacks.
This document provides instructions for setting up a NetFlow collection and analysis system using Logstash, Elasticsearch, and Kibana. It explains what NetFlow is and discusses using Mikrotik routers and Logstash to collect NetFlow data. Logstash would process and index the NetFlow data into Elasticsearch for storage. Kibana could then be used to visualize and analyze the NetFlow data from Elasticsearch. The document concludes by providing step-by-step configuration instructions for Logstash, Elasticsearch, and Kibana to enable NetFlow collection, storage, and analysis.
Interop Tokyo 2014 SDI (Software Defined Infrustructure) ShowCase Seminoar Presentation. The presentation covers Neutron API models (L2/L3 and Advanced Network services), Neutron Icehouse Update and Juno topics.
The document discusses various tools and interfaces available in the Metasploit framework. It describes the purpose of tools like msfconsole, msfcli, msfrpcd, msfd, msfencode and msfpayload which can be used for tasks like exploitation, payload generation, encoding and interacting with the framework remotely. It also provides usage examples and basic syntax for many of these tools.
20151222_Interoperability with ML2: LinuxBridge, OVS and SDNSungman Jang
The document discusses interoperability between OpenStack Networking (Neutron) and different layer 2 networking technologies like LinuxBridge, Open vSwitch (OVS), and Software-Defined Networking (SDN) using the Modular Layer 2 (ML2) plugin framework. It provides background on LinuxBridge and OVS, describes the expected scenario of using ML2 with LinuxBridge and OVS mechanism drivers and type drivers like flat, VLAN, GRE, and VXLAN. It also briefly discusses the role of the ML2 plugin and mechanism drivers in code.
The document discusses integrating OpenStack Networking (Neutron) with Software Defined Networking (SDN) controllers. It describes how Neutron can use an SDN controller like ONOS instead of traditional mechanism drivers like Open vSwitch. The key components that would need to be modified are the mechanism driver, service plugin, and configuration. Five virtual machines or host machines running specific OpenStack and ONOS services are also needed to demonstrate the integration between Neutron and an SDN controller.
This chapter discusses iptables, the program used to configure Linux firewalls using Netfilter. Iptables provides more features than older programs like ipchains and allows packets to be filtered through built-in chains. The document explains how packets flow differently with Netfilter compared to older implementations, traversing a single chain rather than multiple chains. It also provides the basic syntax for iptables commands.
This document describes the software requirements and specifications for building network intrusion detection and prevention systems using Snort and Iptables. It outlines the system requirements including the operating system, firewall, and servers needed. It then describes the key tools used - Snort for intrusion detection, BASE for analyzing Snort alerts, Wireshark for packet analysis, Iptables for firewall rules, and scripting for automation. Finally, it provides an overview of the web development tools used to create interfaces for managing rule sets.
Pushing Packets - How do the ML2 Mechanism Drivers Stack UpJames Denton
Architecting a private cloud to meet the use cases of its users can be a daunting task. How do you determine which of the many L2/L3 Neutron plugins and drivers to implement? Does network performance outweigh reliability? Are overlay networks just as performant as VLAN networks? The answers to these questions will drive the appropriate technology choice.
In this presentation, we will look at many of the common drivers built around the ML2 framework, including LinuxBridge, OVS, OVS+DPDK, SR-IOV, and more, and will provide performance data to help drive decisions around selecting a technology that's right for the situation. We will discuss our experience with some of these technologies, and the pros and cons of one technology over another in a production environment.
Manav Bhatia published several IETF standards to strengthen the security of routing protocols like IS-IS, OSPFv2, OSPFv3, and BFD. These protocols were vulnerable to denial of service attacks and traffic interception despite using authentication. The new standards defined stronger authentication mechanisms to protect routing protocol packets from attacks. Bhatia also introduced innovations like key identifiers and authentication trailers to enable secure validation of packets without relying on expensive encryption methods. He continues working in the IETF to further improve routing protocol security and address problems like replay attacks.
Stealthwatch is a network monitoring tool developed by Cisco that provides complete network visibility. It monitors all network traffic and host behavior, storing data for months. It detects anomalies like unauthorized data downloads or performance issues. Stealthwatch works by collecting IP flow data from network devices using the IPFIX protocol. It has several components, including the Stealthwatch Management Console for managing and viewing network data, FlowCollectors for aggregating flow data, and optional FlowSensors and UDP Directors to enhance data collection and routing. The tool detects threats by correlating local network data with external threat intelligence feeds.
CCNA stands for Cisco Certified Network Associate. Routers are networking devices that direct data packets to their destination. Routers use routing protocols like RIP to share information and determine the best paths between networks. Access control lists (ACLs) allow routers to filter traffic and restrict access to networks for security purposes. Network Address Translation (NAT) allows multiple devices to share public IP addresses to communicate on the Internet.
Network Intrusion Prevention by Configuring ACLs on the Routers, based on Sno...Disha Bedi
Base Paper presented by - Muhammad Naveed, Shams un Nihar and Mohammad Inayatullah Babar At 2010 6th International Conference on Emerging Technologies (ICET)
Catalyst OS (CatOS) is the discontinued operating system used on many Cisco Catalyst brand switches such as the 1200, 2948G, 4000, 4500, 5000, 5500, and 6500 series. CatOS was originally called XDI and was developed separately from Cisco IOS. It provided basic layer 2 switching functions and some layer 3 routing capabilities. Configuration of CatOS switches was done via set commands in enabled mode with changes written immediately to NVRAM.
Calico is an open source networking solution for OpenStack that provides tenant isolation, security groups, and external reachability constraints through network policy enforcement on every node in a cluster. The document outlines the basic steps to install and configure Calico in an Ubuntu environment, including installing OpenStack, configuring APT for Calico packages, adding the BIRD PPA, installing etcd, configuring Neutron to use the Calico plugin, and installing Calico services on controller and compute nodes. More detailed documentation for the Calico installation process can be found on Project Calico's website.
1. www.snortattack.org
3M IPS
Multiqueue Multilevel Multiservice
Pierpaolo Palazzoli, Brescia, Italy
Fabio Mostarda, Brescia, Italy
Claudia Ghelfi, Brescia, Italy
The IPS acronym references an Intrusion Prevention System, i.e. a network security
device. It features network traffic flow monitoring in order to provide real-time attack
blocking capabilities against any threat, both criminal and unintentional.
The IPS technology originates as an extension of Intrusion Detection Systems, and it’s
still tightly bound to them.
Compared to an Intrusion Detection System, which only listens to the traffic flow, an
IPS has the advantage of real time blocking against malicious traffic, following
administrator-defined security policies.
An IPS can be implemented with a device where the Snort software does the IPS job,
while Iptables endorses firewall duties and, with additional modules, creates software
queues for the packets to be analyzed.
SNORT
Snort is an intrusion detection and prevention system (ISPD), and can operate in two
different ways:
o Inline. In this mode Snort works like an Ethernet bridge, that is, in order to
monitor a network segment, it has to be inserted transparently with two bridged
NICs.
IPS InlineNetwork Internet
Network Traffic
<DROP>
With this setup, any packet can flow through the bridge from a network card to
the other, unless it matches the drop rules; in that case, the switch opens and
blocks the packet.
o Flex Response. With this second setup, all the inbound traffic is replicated by a
network device (i.e. a switch) to a “mirror port”. The IPS is then linked to that
1
2. www.snortattack.org
port, analyzing the traffic flow and sending RST packets whenever it detects a
match in the drop policies.
Mirrored Traffic
Network
Catalyst 4948-10GE
PS1
STATUS
FAN
PS2
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
CON MGT
X2-1
X2-2
Switch
<RST>
Internet
IPS Flex
In both setups the IPS is transparent and utterly invisible to the network.
IPTABLES
Between the two previous Snort setups, the one featuring the best performance is the
Inline mode, because it offers protection against attacks delivered by a small number of
packets.
On the contrary, it takes more time to the flex-response mode to identify an intrusion
and then to reset the proper port.
The usage of an inline IPS doesn’t fix all network security issues, but it contributes to
the centralized structuring of a security system that is both dynamic and efficient.
Inline Snort works by analyzing packet queues, and therefore it’s mandatory the usage
of a queue creation system, additionally to Snort itself.
If “Snort inline mode” is used, then you can create just a single queue, while
“Snort_inline” allows unlimited queues.
Iptables, additionally to the standard Linux firewall features, performs the queue-
creation function, using additional modules like ip_queue or nfnetlink_queue.
The difference between these two modules marks the mono-queue IPS from the multi-
queue IPS.
2
3. www.snortattack.org
MONOQUEUE IPS
Whenever ip_queue is chosen to create queues, then Snort can use a single queue only,
over which every inbound packet is forced to flow.
This queue is then analyzed by Snort according to a single set of rules; it’s not feasible
to differentiate inbound network flows and to apply custom blocking policies.
IPS Inline
Network
Internet
Network Traffic
NIC #1
SNORT Process
NIC #2
Bridge
MULTIQUEUE IPS
Leveraging the nfnetlink_queue module instead of ip_queue, it’s theoretically possible
to create up to 65535 independent queues.
This allows inbound flows differentiation, that is, it’s feasible to separate packets
flowing through different VLANs by creating virtual bridges.
Leveraging the Ethernet VLAN tag, a manageable switch is able to recognize the
VLAN of the incoming packet, and therefore to route it to the proper queue.
With this setup, each flow analysis can be done independently one from another, and
it’s possible to deploy different Snort versions as well as queue-specific traffic analysis
rules, which are customized according to every VLAN’s requirements.
According to the IEEE 802.1q standard, the maximum number of VLANs is 1024/2048,
and therefore the limit to the bridge number is 512/1024.
Inside every queue it’s feasible to define sub-queues, differentiated according to service
and marked by the port number.
Thanks to this additional feature, Snort rules can be applied over any single network
flow, thus improving the system efficiency.
3
4. www.snortattack.org
IPS Inline - Multiqueue
Network Internet
NIC #1
SNORT Process
#2
NIC #2
Bridge #2
VLAN
B
VLAN
B
SNORT Process
#1
Bridge #1
VLAN
A
VLAN
A
SNORT Process
#3
Bridge #3
VLAN
C
VLAN
D
VLAN
B
VLAN
C
VLAN
A
VLAN
B
VLAN
D
VLAN
A
APPLICATIONS
The creation of an IPS requires the following steps:
1. Operating System and Libraries install
Libnfnetlink-0.0.39 and libnetfilter_queue-0.0.16 libraries are required. If an OS like
Debian-4.0rc5 or Fedora-10 is chosen, then you can easily add these libraries later.
The OS install procedure can be completed with the “minimal install” setup; for our
walkthrough, we’ll use Debian-4.0r5.
After the install, it’s better to modify the sources.list file in the following way, in
order to download the proper libraries later:
vi /etc/apt/sources.list
Disable all the instructions by putting # before them and add:
deb http://ftp.it.debian.org/debian/ unstable main contrib non-free
install ssh to allow remote management:
apt-get install ssh
remove unnecessary packages, i.e. everything but ssh:
netstat -taupen
(shows the list of applications that are running daemons on specific ports)
apt-get remove portmap exim4 exim4-config openbsd-inetd
(removes the specified unnecessary packets)
Now the update of the installed packages and their dependencies:
apt-get update
apt-get upgrade
and now it’s possible to install the proper libraries for the multique IPS, using the
following commands:
4
5. www.snortattack.org
apt-get install libnfnetlink0
apt-get install libnfnetlink-dev
apt-get install libnetfilter-queue1
apt-get install libnetfilter-queue-dev
To check the installed library versions, you can use the command: dpkg –l [library].
2. New kernel installation
To work properly with libnetfilter libraries, it’s necessary to use a kernel version
higher than 2.6.25; in this case, install the following:
apt-get install linux-image-2.6-686
apt-get install linux-image-2.6-686-bigmem
(more than 3GB RAM)
reboot
(reboots the machine)
uname -a
(checks if the new kernel is currently activated)
3. Additional packet installation
In addition to the previous libraries, it’s necessary to install the following packages
in order to ensure the correct system operation:
apt-get install mlocate
(to use functions like updatedb, locate,…)
apt-get install ntpdate
(PC clock sync protocol)
apt-get install vim
(to ease the use of vi)
apt-get install psmisc
(package featuring killall)
apt-get install iptraf
(statistical traffic generator for IP network)
apt-get install bridge-utils
(Linux Ethernet bridges configuration utilities)
apt-get install gcc
(GNU compiler)
apt-get install libpcap0.8
(packet capture and network monitoring libraries)
apt-get install libpcap0.8-dev
(source code of the previous libraries that you may have to include)
apt-get install libpcre3
(PCRE libraries (Pearl Compatible Regular Expression) featuring functions that
implement commands with Pearl-like syntax and semantics)
apt-get install libpcre3-dev
(pcre libraries source code)
apt-get install libmysqlclient15-dev
5
6. www.snortattack.org
(libraries needed to access and write mysql)
apt-get install iptables-dev
(iptables source code, needed to include packet queuing features)
apt-get install automake autoconf make
(compiler packages)
apt-get install libtool
(Snort required libraries)
apt-get install libclamav-dev clamav-freshclam
(needed to allow Snort to access Clamav (OpenSource Antivirus) signatures)
apt-get install libnet1-dev
(source code enabling a programmer to build and insert network packages)
apt-get install subversion
(client server versioning system: a server stores the current project version and its
history, and the client connects to it to verify the latest software version)
apt-get install ntop
(traffic monitoring tool)
apt-get install apache2
(modular web server platform)
apt-get install rrdtool
(data storage and presentation graphical system)
apt-get install librrdp-perl librrds-perl
(perl interfaces to RRD)
4. Snort_inline installation
svn co https://snort-inline.svn.sourceforge.net/svnroot/snort-inline/trunk
(downloads the updated snort_inline )
cd /trunk
sh autojunk.sh
(prepares the package to be compiled)
./configure --enable-pthread --enable-memory-cleanup --enable-stream4udp --
enable-inline-init-failopen --enable-nfnetlink --enable-clamav --enable-linux-
smp-stats --with-mysql
(checks the intallation requirements)
make
make install
(installs snort_inline)
5. Snort rules download
Whenever a rules backup is not available, those rules can be downloaded online in
the following way:
o Choose the download subscription class regarding the rules:
- Subscribers: they get the updates as soon as those are available. To access
this user class a yearly fee is required, which varies according to the number
of sensors:
6
7. www.snortattack.org
http://www.snort.org/vrt/why_subscribe.html.
- Registered: to this class belong users who registered on the snort.org portal.
They get the new rules 30 days after their development, but they don’t pay
any fee.
- Unregistered: unregistered users who get new rules bundled with Snort
major version updates only.
o Choosing the subscription will allow to receive a code (oinkcode) that will be
the key to use oinkmaster.
o Now it’s possible to install Oinkmaster, an automated rules management
software that keeps the rule database updated adding a crontab line like:
30 2 * * * oinkmaster.pl -o /etc/snort/rules/ -t oinkmaster
Any change is notified to the user; Oinkmaster can be downloaded at
http://oinkmaster.sourceforge.net/download.shtml
Additionally to those rules, it’s possible to include the ones available at
http://www.emergingthreats.net/.
6. Rc.local configuration
Rc.local can be generally found among the startup scripts (in /etc/) and it is run at
the end of the startup procedure. It contains user-defined commands that are to be
run after all services have been started.
Before compiling this file, it’s necessary to clearly understand the architecture that
is to be implemented, especially the number of queues and bridges (both physical
and logical) that will be required.
In the following pages, four base configuration examples are explained, operating
on level 1,2,3,4 of the ISO/OSI architecture. It’s then possible, starting from those
examples, to create more complex solutions involving multiple levels at the same
time, featuring a multilevel service in a multiqueue setup, thus allowing a
multiservice protection.
Case One: two layer 1 queues (physical)
/sbin/ifconfig eth4 0.0.0.0 promisc up
/sbin/ifconfig eth5 0.0.0.0 promisc up
/sbin/ifconfig eth0 0.0.0.0 promisc up
/sbin/ifconfig eth1 0.0.0.0 promisc up
brctl addbr br0
brctl addbr br1
(two bridges are defined, br0 and br1, both physical)
brctl addif br0 eth4
brctl addif br0 eth5
(the first bridge is built, between interfaces eth4 and eth5)
brctl addif br1 eth0
brctl addif br1 eth1
(second bridge between interfaces eth0 and eth1)
7
8. www.snortattack.org
ifconfig br0 up promisc
ifconfig br1 up promisc
Those commands couple the two network interface cards at layer 2, creating two
bridges so that the IPS looks transparent to the network traffic.
To setup the bridges, it's necessary to have the bridge-utils package installed.
modprobe nfnetlink_queue
modprobe nf_conntrack
Those modules are needed to create a multiqueue setup
echo "VALUE" > /proc/sys/net/nf_conntrack_max
This command is necessary for a multiqueue system: VALUE is to be replaced
with the number of sessions that the kernel must be able to sustain with
nf_conntrack (i.e. 262140).
echo 1 > /proc/sys/net/ipv4/tcp_tw_recycle
echo "3" > /proc/sys/net/ipv4/tcp_fin_timeout
Commands oriented to session support at kernel level.
sysctl -w net.core.rmem_default='8388608'
sysctl -w net.core.wmem_default='8388608'
sysctl -w net.ipv4.tcp_wmem='1048576 4194304 16777216'
sysctl -w net.ipv4.tcp_rmem='1048576 4194304 16777216'
sysctl -w net.ipv4.route.flush=1
Optimized parameters for Gigabit Ethernet speeds.
iptables -A FORWARD -i br0 -j NFQUEUE --queue-num 42
iptables -A FORWARD -i br1 -j NFQUEUE --queue-num 43
The following commands generate queues nr. 42 and 43, linked to the physical
bridges br0 and br1 respectively.
snort_inline -A fast -b -d -D -Q42 -c /etc/snort/snort.conf -l
var/log/snort/42/ --nolock-pidfile
snort_inline -A fast -b -d -D -Q43 -c /etc/snort/snort.conf –
l /var/log/snort/43/ --nolock-pidfile
Snort is started on both queues.
Case Two: two layer 2 queues
/sbin/ifconfig eth2 0.0.0.0 promisc up
/sbin/ifconfig eth3 0.0.0.0 promisc up
brctl addbr br0
brctl addif br0 eth2
brctl addif br0 eth3
ifconfig br0 up promisc
Physical bridge between interfaces eth2 and eth3.
vconfig add eth2 5
vconfig add eth2 7
vconfig set_flag eth2.5 0
8
9. www.snortattack.org
vconfig set_flag eth2.7 0
/sbin/ifconfig eth2.5 0.0.0.0 promisc up
/sbin/ifconfig eth2.7 0.0.0.0 promisc up
On the interface eth2, VLAN 5 and 7 are defined on the corresponding virtual
interfaces eth2.5 and eth2.7.
vconfig add eth3 6
vconfig add eth3 8
vconfig set_flag eth3.6 0
vconfig set_flag eth3.8 0
/sbin/ifconfig eth3.6 0.0.0.0 promisc up
/sbin/ifconfig eth3.8 0.0.0.0 promisc up
VLAN 6 and 8 are defined on the interface eth3, with the virtual interfaces
eth3.6 e eth3.8.
brctl addbr br1
brctl addif br1 eth2.5
brctl addif br1 eth3.6
ifconfig br1 up promisc
brctl addbr br2
brctl addif br2 eth2.7
brctl addif br2 eth3.8
ifconfig br2 up promisc
Setup of logical bridges br1 (between interfaces eth2.5 and eth3.6) and br2
(between eth2.7 and eth3.8).
modprobe nfnetlink_queue
modprobe nf_conntrack
Modules required for multiqueue setup.
echo "VALUE" > /proc/sys/net/nf_conntrack_max
This command is necessary for a multiqueue system: VALUE is to be replaced
with the number of sessions that the kernel must be able to sustain with
nf_conntrack (e.g. 262140).
echo "3" > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1 > /proc/sys/net/ipv4/tcp_tw_recycle
Commands oriented to session support at kernel level.
sysctl -w net.core.rmem_default='8388608'
sysctl -w net.core.wmem_default='8388608'
sysctl -w net.ipv4.tcp_wmem='1048576 4194304 16777216′
sysctl -w net.ipv4.tcp_rmem='1048576 4194304 16777216′
sysctl -w net.ipv4.route.flush=1
Optimized parameters for Gigabit ethernet speeds.
iptables -A FORWARD -i br1 -j NFQUEUE --queue-num 42
iptables -A FORWARD -i br2 -j NFQUEUE --queue-num 43
The following commands generate queues nr. 42 and 43, linked to the physical
bridges br0 and br1 respectively.
9
10. www.snortattack.org
snort_inline -A fast -b -d -D -Q42 -c /etc/snort/snort.conf –
l /var/log/snort/42 --nolock-pidfile
snort_inline -A fast -b -d -D -Q43 -c /etc/snort/snort.conf –
l /var/log/snort/43 --nolock-pidfile
Snort is started on both queues.
Case three: multiple layer 3 queues (IP)
/sbin/ifconfig eth0 0.0.0.0 promisc up
/sbin/ifconfig eth1 0.0.0.0 promisc up
/usr/sbin/brctl addbr br0
/usr/sbin/brctl addif br0 eth0
/usr/sbin/brctl addif br0 eth1
/sbin/ifconfig br0 up
Physical bridge between interfaces eth0 and eth1.
modprobe nfnetlink_queue
modprobe nf_conntrack
Modules required for multiqueue setup.
echo "VALUE" > /proc/sys/net/nf_conntrack_max
This command is necessary for a multiqueue system: VALUE is to be replaced
with the number of sessions that the kernel must be able to sustain with
nf_conntrack (e.g. 262140).
echo "3" > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1 > /proc/sys/net/ipv4/tcp_tw_recycle
Commands oriented to session support at kernel level.
sysctl -w net.core.rmem_default=8388608
sysctl -w net.core.rmem_max=8388608
sysctl -w net.core.wmem_max=8388608
sysctl -w net.ipv4.tcp_rmem='4096 87380 8388608'
sysctl -w net.ipv4.tcp_wmem='4096 65536 8388608'
sysctl -w net.ipv4.tcp_mem='8388608 8388608 8388608'
sysctl -w net.ipv4.route.flush=1
Optimized parameters for Gigabit ethernet speeds.
/sbin/iptables -A FORWARD -i br0 –d “ ip1” -j NFQUEUE --queue-num
43
/sbin/iptables -A FORWARD -i br0 -s “ip1” -j NFQUEUE --queue-num 43
/sbin/iptables -A FORWARD -i br0 -d “ip2” -j NFQUEUE --queue-num 44
/sbin/iptables -A FORWARD -i br0 -s “ip2” -j NFQUEUE --queue-num 44
/sbin/iptables -A FORWARD -i br0 -j NFQUEUE --queue-num 42
10
11. www.snortattack.org
Traffic from and to ip addresses “ip1” and “ip2” is selected and routed to queue
43 and 44 respectively.
Queue 42 elaborates everything that is not selected in the queues 43 and 44.
/usr/local/bin/snort_inline -A fast -b -d -D -Q42 -c /etc/snort/snort.conf
-l /var/log/snort/42/ --nolock-pidfile
/usr/local/bin/snort_inline -A fast -b -d -D -Q43 -c /etc/snort/snort.conf
-l /var/log/snort/43/ --nolock-pidfile
/usr/local/bin/snort_inline -A fast -b -d -D -Q44 -c /etc/snort/snort.conf
-l /var/log/snort/44/ --nolock-pidfile
Snort is started on every queue.
Case four: two layer 4 queues (TCP/UDP)
/sbin/ifconfig eth0 0.0.0.0 promisc up
/sbin/ifconfig eth1 0.0.0.0 promisc up
/usr/sbin/brctl addbr br0
/usr/sbin/brctl addif br0 eth0
/usr/sbin/brctl addif br0 eth1
ifconfig br0 up promisc
Physical bridge between interfaces eth0 and eth1.
modprobe nfnetlink_queue
modprobe nf_conntrack
Modules required for multiqueue setup..
echo "VALUE" > /proc/sys/net/nf_conntrack_max
This command is necessary for a multiqueue system: VALUE is to be replaced
with the number of sessions that the kernel must be able to sustain with
nf_conntrack (e.g. 262140).
echo "3" > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1 > /proc/sys/net/ipv4/tcp_tw_recycle
Commands oriented to session support at kernel level..
sysctl -w net.core.rmem_default='8388608'
sysctl -w net.core.wmem_default='8388608'
sysctl -w net.ipv4.tcp_rmem='4096 87380 8388608'
sysctl -w net.ipv4.tcp_wmem='4096 65536 8388608'
sysctl -w net.ipv4.tcp_mem='8388608 8388608 8388608'
sysctl -w net.ipv4.route.flush=1
Optimized parameters for Gigabit ethernet speeds.
/sbin/iptables -A FORWARD -i br0 -p tcp --dport “port” -j NFQUEUE --
queue-num 43
11
12. www.snortattack.org
/sbin/iptables -A FORWARD -i br0 -p tcp --sport “port” -j NFQUEUE --
queue-num 43
iptables -A FORWARD -i br0 -j NFQUEUE --queue-num 42
Creation of queue 43 containing all TCP traffic to and from port “port”, while
queue 42 handles all the remaining.
/usr/local/bin/snort_inline -A fast -b -d -D -Q43 -c /etc/snort/snort.conf
-l /var/log/snort/43/ --nolock-pidfile
/usr/local/bin/snort_inline -A fast -b -d -D -Q42 -c /etc/snort/snort.conf
-l /var/log/snort/42/ --nolock-pidfile
Snort is started on both queues.
Remarkably, if a different snort.conf were used in the command line starting snort, then
it would be possible to customize the applied rule set.
After compiling rc.local, the directories to store the logs have to be created, according to
the OS guidelines; in our example:
mkdir /var/log/snort
mkdir /var/log/snort/42
mkdir /var/log/snort/43 ..etc..
It’s very important to reboot the system at this stage, in order to automatically build the
bridges at startup and to have Snort up and running.
7. Snort configuration
The last element to customize is the Snort configuration file: snort.conf.
The following sections have to be edited for this specific configuration:
Network variables definition:
var HOME_NET [10.0.0.0/8]
Through this line it is specified the network that has to be defended; in our exemple,
we'll use 10.0.0.0/8
var EXTERNAL_NET !$HOME_NET
var HONEYNET $HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var SSH_PORTS 22
var HTTP_PORTS [80,443]
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS
12
13. www.snortattack.org
[64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.
161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
The previous instructions define the network variables.
var RULE_PATH /etc/snort/rules
Declares where the rules are.
Preprocessor configuration
Preprocessors, introduced since version 1.5, perform a first traffic check to prepare
it for the following rule-based analysis.
Every preprocessor handles a different protocol.
First of all, we declare the paths were the preprocessor are to be found:
config checksum_drop : all
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
The command that allows the insertion of a preprocessor is the following:
preprocessor <name>: <options>
Usually, the most employed preprocessors are:
• The frag3 preprocessor reassembles fragmented traffic:
preprocessor frag3_global: max_frags 65536
the option (max_frag) deals about the maximum number of alignable fragments
(the default value is 8192)
preprocessor frag3_engine: policy first detect_anomalies ttl_limit 255
those options handle the defragmenting modes (policy first), the anomalous
packet detection (detect_anomalies) and the maximum TTL delta allowed on the
first packet of the fragment (ttl_limit 255)
• The following preprocessor are complementary: they handle TCP and UDP
protocols, and their setup is the following:
preprocessor flow: memcap 83886080, rows 8198, stats_interval 0 hash 2
Memcap defines the number of bytes to be allocated, rows the number of rows
in the addressing table and hash the addressing mode.
preprocessor stream4: disable_evasion_alerts, enable_udp_sessions,
norm_window, max_sessions 32768, memcap 1000000000
Disable_evasion_alerts disables the warnings for events like TCP overlap,
enable_udp_sessions enables UDP session tracking, and finally max_sessions
and memcap definethe maximum number of sessions and the maximum number
of bytes respectively.
preprocessor clamav: ports 25, toserveronly, action-drop,
dbdir /var/lib/clamav, dbreload-time 3600
ClamAV preprocessor performs an antivirus action, actually on port 25 for the
mail traffic only. Virus contaminated packets are dropped; the rules regarding
this section are located in the directory /var/lib/clamav. Clamav works with
stream4 only, and therefore with flow.
13
14. www.snortattack.org
• Preprocessor Stream5 is used as an alternative to the previous group of
preprocessors, because it handles TCP/UDP protocols too. We chose to use
stream5. A stream5 configuration for our example could be:
preprocessor stream5_global: max_tcp 131070, track_tcp yes, track_udp
yes, memcap 256000000
max_tcp identifies the maximum number of tcp session, and the two following
options allow the analysis of TCP and UDP protocols, memcap defines the
number of bytes to be allocated.
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
this line configures stream5 in the TCP protocol analysis.
preprocessor stream5_udp: ignore_any_rules
this line configures stream5 in the UDP protocol analysis.
• The perfmonitor preprocessor delivers real time Snort benchmarking.
preprocessor perfmonitor: time 60 file /var/log/snort/perfmon.txt pktcnt 500
defines the check interval between measures and the file where the statistics are
written.
• The HttpInspect preprocessor decodes http traffic and identifies application-
level attacks exploiting http vulnerabilities. The configuration of this pre-
processor is split in two parts, a global one and a server one:
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
iis_unicode_map unicode.map 1252 has to be always specified because it
handles the global IIS Unicode map
preprocessor http_inspect_server: server default
profile all ports { 80 8080 8180 } oversize_dir_length 500 flow_depth 0
• The preprocessor dcerpc analyzes SMB, DCE/RPC protocols:
preprocessor dcerpc:
ports smb { 139 445 }
ports dcerpc { 135 }
max_frag_size 3000
memcap 150000
reassemble_increment 0
defines the ports where smb and dce/rp monitoring is activated., the maximum
fragment size and the number of bytes to be allocated.
• The smtp preprocessor handles the email flow, and it is configured as
follows:
preprocessor smtp:
ports { 25 }
inspection_type stateful
normalize cmds
normalize_cmds { EXPN VRFY RCPT }
alt_max_command_line_len 260 { MAIL }
alt_max_command_line_len 300 { RCPT }
alt_max_command_line_len 500 { HELP HELO ETRN }
14
15. www.snortattack.org
alt_max_command_line_len 255 { EXPN VRFY }
those commands specify the port which the protocol analysis is to be activated
on, and the stateful inspection mode. The last lines set the length of the smtp
command lines that have to trigger alerts for some kind of services.
Rule set customization:
In this last section of the configuration file there are the declarations of the rules to
be activated. In our example:
include $RULE_PATH/classification.config
include $RULE_PATH/reference.config
The command to add a rule is:
include $RULE_PATH
followed by the rule name. The complete rule list is available in the following
pages. Depending on the specific requirements, the proper rules have to be selected
and enabled.
attack-responses.rules
backdoor.rules
bad-traffic.rules
chat.rules
community-bot.rules
community-deleted.rules
community-dos.rules
community-exploit.rules
community-ftp.rules
community-game.rules
community-icmp.rules
community-imap.rules
community-inappropriate.rules
community-mail-client.rules
community-misc.rules
community-nntp.rules
community-oracle.rules
community-policy.rules
community-sip.rules
community-smtp.rules
community-sql-injection.rules
community-virus.rules
community-web-attacks.rules
community-web-cgi.rules
community-web-client.rules
community-web-dos.rules
community-web-iis.rules
community-web-misc.rules
community-web-php.rules
15