Snort - a network intrusion prevention and detection system
Student: Yue Jiang
Professor: Dr. Bojan Cukic
CS665 class presentation
Overview
• What's Snort?
• Snort architecture
• Snort components
• Detection engine and rules in Snort
• Possible research work on Snort
What's Snort?
• NIDS: a network intrusion detection system (NIDS) is an intrusion detection system that tries to detect malicious activity, such as denial-of-service attacks, port scans or attempts to break into computers, by monitoring network traffic.
• Snort: an open source network intrusion prevention and detection system. It uses a rule-based language that combines signature, protocol and anomaly inspection methods. It is one of the most widely deployed intrusion detection and prevention technologies and is often treated as the de facto industry standard.
Snort: four modes of operation
1. Packet sniffer: capture and display packets from the network on the console, with different levels of detail (snort -v; -d adds the application layer data, -e the link layer headers)
2. Packet logger: log packets to disk as text files (snort -l <log dir>; -b logs in binary tcpdump format instead)
3. Honeypot monitor: deceiving hostile parties
4. NIDS: network intrusion detection system (snort -c snort.conf)
Typical locations for Snort (figure only; not reproduced in the text)
Requirements of Snort
• lightweight NIDS
• small, flexible
• highly capable system
Snort architecture
(Figure) From: Nalneesh Gaur, Snort: Planning IDS for your enterprise, http://www.linuxjournal.com/article/4668, 2001.
Snort components
(Figure) From: Rafeeq Ur Rehman, Intrusion Detection Systems with Snort: Advanced IDS Techniques with Snort, Apache, MySQL, PHP, and ACID.
Logical components of Snort
• Packet Decoder: takes packets from different types of network interfaces (Ethernet, SLIP, PPP, ...) and prepares them for processing.
• Preprocessor: (1) prepares data for the detection engine; (2) detects anomalies in packet headers; (3) reassembles fragmented IP packets; (4) decodes HTTP URIs; (5) reassembles TCP streams.
• Detection Engine: the most important part; it applies the rules to the packets.
• Logging and Alerting System: produces the alerts and log entries for what the detection engine found.
• Output Modules: process alerts and logs and generate the final output.
TCP/IP layers
(Figure: the protocol stack from the physical layer upward.) Snort works on the network (IP) layer, the transport (TCP/UDP) layer and the application layer protocols.
Detection Engine
What the detection engine has to examine:
• the IP header of the packet
• the transport layer header (TCP, UDP, ICMP, etc.)
• the application layer header (DNS, FTP, SNMP, SMTP, ...)
• the packet payload
How is this done? The rules are applied to the packets; payload content is searched with a Boyer-Moore string matching algorithm. (That describes the per-rule content check. Since Snort 2.0 a multi-pattern matcher such as Aho-Corasick or Wu-Manber first finds, in one pass over the payload, which rules are candidates, and only those are checked individually.)
Requirements:
1. time critical
2. fast
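The Boyer-Moore search named on the detection engine slide, as an added example (not code from the slides or from Snort): a Boyer-Moore-Horspool implementation of the single-pattern search a rule's content option needs, with a comparison counter next to a naive byte-by-byte scan so the skipping behaviour is visible. The HTTP request and the pattern are constructed for the example.

```python
"""Boyer-Moore-Horspool search for one Snort-style `content:` pattern.

Added example, not code from the slides or from the Snort project. A
bad-character shift table lets the search slide the window by up to
len(pattern) bytes after a mismatch instead of advancing one byte at a
time. The sample payload and pattern below are constructed.
"""


def build_shift_table(pattern: bytes) -> dict:
    """For each byte of the pattern except the last, the distance the window
    may slide when that byte ends the current window. Bytes absent from the
    table allow a full-length shift."""
    m = len(pattern)
    table = {}
    for i in range(m - 1):
        table[pattern[i]] = m - 1 - i
    return table


def horspool_search(payload: bytes, pattern: bytes) -> tuple:
    """Return (offset, byte_comparisons); offset is -1 when not found."""
    m, n = len(pattern), len(payload)
    if m == 0:
        return 0, 0
    shift = build_shift_table(pattern)
    comparisons = 0
    i = 0  # start of the current window inside the payload
    while i <= n - m:
        # Compare the window from right to left, as Boyer-Moore does.
        j = m - 1
        while j >= 0:
            comparisons += 1
            if payload[i + j] != pattern[j]:
                break
            j -= 1
        if j < 0:
            return i, comparisons
        # Slide by the shift that belongs to the window's last byte.
        i += shift.get(payload[i + m - 1], m)
    return -1, comparisons


def naive_search(payload: bytes, pattern: bytes) -> tuple:
    """Byte-by-byte search with the same return shape, for comparison."""
    m, n = len(pattern), len(payload)
    comparisons = 0
    for i in range(n - m + 1):
        j = 0
        while j < m:
            comparisons += 1
            if payload[i + j] != pattern[j]:
                break
            j += 1
        if j == m:
            return i, comparisons
    return -1, comparisons


# Constructed sample: an HTTP request whose URI carries a directory
# traversal attempt of the kind a content rule would look for.
SAMPLE_PAYLOAD = (b"GET /cgi-bin/../../../../etc/passwd HTTP/1.0\r\n"
                  b"Host: www.example.com\r\n\r\n")
SAMPLE_PATTERN = b"/etc/passwd"

if __name__ == "__main__":
    off, cmp_bm = horspool_search(SAMPLE_PAYLOAD, SAMPLE_PATTERN)
    _, cmp_naive = naive_search(SAMPLE_PAYLOAD, SAMPLE_PATTERN)
    print(f"match at offset {off}: {cmp_bm} comparisons (naive scan: {cmp_naive})")
```

On this input the pattern is found at offset 24 after 14 byte comparisons, against 40 for the naive scan. One such search per rule is exactly the cost the "Challenges" slide refers to; a multi-pattern matcher searches for all rules' patterns in a single pass instead.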
Detection engine: what its performance depends on
• the number of rules
• the traffic load on the network
• the speed of the network and of the machine
• the efficiency of the detection algorithm
Rules
• A rule is written on a single line.
• Rules are created from known intrusion signatures.
• Rules are usually kept in rule files that the snort.conf configuration file includes.
• Each rule has two parts: the rule header and the rule options.
Rule example (annotated figure)
Rule header: the action (alert: an alert is generated if the criteria are met), the protocol (ip applies to all IP packets), the source IP address, the source port, the direction operator, the destination IP address and the destination port.
Rule options: the part in parentheses, which refines the match and carries the alert message.
Generic form: action protocol src_ip src_port -> dst_ip dst_port (option; option; ...)
Detection engine: order in which rules are scanned
Snort does not evaluate the rules in the order in which they appear in the rules file. By default the order is:
1. Alert rules
2. Pass rules
3. Log rules
The order can be changed with the -o switch (pass, then alert, then log) or with the "config order" directive in snort.conf. With the default order a pass rule cannot silence an alert rule that already matched the packet, which is why pass rules are normally used together with -o.
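The rule syntax and the rule order from the two slides above, as an added example (not code from the slides or from Snort): a small evaluator that parses single-line rules into header and options, tests them against constructed packets, and walks the rule lists in the default alert, pass, log order or in the pass-first order that -o selects. The rules, addresses and packets are constructed; only the msg, content and sid options are understood.

```python
"""Minimal Snort-style rule evaluator showing the default alert -> pass -> log order.

Added example, not code from the slides or from Snort. Simplifications:
only the `->` direction, IPv4 addresses or CIDR blocks, single ports, and
`content` options without embedded ';' or ':'.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed rule set. Real rule files carry many more options (flow,
# classtype, rev, ...) and are included from snort.conf.
RULES_TEXT = """
alert tcp any any -> 10.0.0.0/8 80 (msg:"WEB traversal"; content:"/etc/passwd"; sid:1000001;)
pass tcp 10.0.0.5 any -> 10.0.0.0/8 80 (msg:"authorised scanner, ignore"; sid:1000002;)
log tcp any any -> 10.0.0.0/8 80 (msg:"all web traffic"; sid:1000003;)
"""

HEADER_RE = re.compile(
    r'^(?P<action>alert|pass|log)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)'
    r'\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    opts: dict = field(default_factory=dict)


def parse_rule(line: str) -> Rule:
    """Split one rule into its header fields and an options dictionary."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable rule: {line!r}")
    opts = {}
    for opt in (o.strip() for o in m['opts'].split(';')):
        if opt:
            key, _, val = opt.partition(':')
            opts[key.strip()] = val.strip().strip('"')
    return Rule(m['action'], m['proto'], m['src'], m['sport'],
                m['dst'], m['dport'], opts)


def load_rules(text: str = RULES_TEXT) -> list:
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def ip_matches(spec: str, addr: str) -> bool:
    """'any', an exact address, or a CIDR block."""
    return spec == 'any' or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    return spec == 'any' or int(spec) == port


def rule_matches(rule: Rule, pkt: dict) -> bool:
    """Header fields first, then the payload content (Snort searches the
    payload with a Boyer-Moore variant; `in` stands in for it here)."""
    if rule.proto != pkt['proto']:
        return False
    if not (ip_matches(rule.src, pkt['src']) and ip_matches(rule.dst, pkt['dst'])):
        return False
    if not (port_matches(rule.sport, pkt['sport']) and port_matches(rule.dport, pkt['dport'])):
        return False
    content = rule.opts.get('content')
    return content is None or content.encode() in pkt['payload']


def evaluate(rules: list, pkt: dict, order=('alert', 'pass', 'log')) -> str:
    """Walk the rule lists in `order`; the first matching rule decides.
    Returns the action taken, or 'none' if no rule matched."""
    for action in order:
        for rule in rules:
            if rule.action == action and rule_matches(rule, pkt):
                return action
    return 'none'


# Constructed packets: an authorised scanner sending a traversal probe, and a
# normal page request from outside.
PACKETS = {
    'scanner_probe': dict(proto='tcp', src='10.0.0.5', sport=40001, dst='10.0.0.80', dport=80,
                          payload=b'GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n'),
    'benign': dict(proto='tcp', src='192.0.2.7', sport=51000, dst='10.0.0.80', dport=80,
                   payload=b'GET /index.html HTTP/1.0\r\n\r\n'),
}

if __name__ == '__main__':
    rules = load_rules()
    for name, pkt in PACKETS.items():
        print(name, 'default order ->', evaluate(rules, pkt),
              '| pass first ->', evaluate(rules, pkt, ('pass', 'alert', 'log')))
```

With the default order the scanner's probe still produces an alert, because the alert list is walked before the pass rule is ever consulted; with the pass-first order the same packet is passed, and the benign request is simply logged either way.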
Challenges with Snort
• Misuse detection: detect known intrusions
  - The rule database is larger and larger, and it continues to grow
  - In Snort version 2.3.2 there are 2,600 rules, 80% of which are signatures
  - Snort spends about 80% of its processing time on string matching
• Anomaly detection: identify new attacks
  - The probability of detection is low
Snort components (figure shown again)
From: Rafeeq Ur Rehman, Intrusion Detection Systems with Snort: Advanced IDS Techniques with Snort, Apache, MySQL, PHP, and ACID.
Attempts to improve
• Increase the preprocessing ability: offload part of the work from the detection engine
• Use hardware to reduce the workload, a hybrid architecture: software has more flexibility, hardware has relatively higher throughput
• Better detection algorithms
Possible ways?
• Organize the well-known rules into a better data structure to achieve better performance
• A detector with an acceptable detection probability
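The "better data structure" idea on the slide above, as an added example (not code from the slides or from Snort): rules indexed by protocol and destination port so that a packet is tested only against the rules that could match it, with a count of rules tested beside a flat linear scan. Snort's own port groups and fast-pattern matcher refine this further. The rules, content strings and packets are constructed toy data, not real Snort signatures.

```python
"""Port-grouped rule index: test a packet only against rules that can match.

Added example, not code from the slides or from Snort. With a flat list
every rule is tested for every packet. Keying the rules by (protocol,
destination port), with the 'any'-port rules in their own bucket, shrinks
the candidate set to the rules that could possibly match.
"""
from collections import defaultdict

# (sid, proto, dport, content): constructed toy rules
RULES = [
    (1, 'tcp', 80, b'/etc/passwd'),
    (2, 'tcp', 80, b'cmd.exe'),
    (3, 'tcp', 21, b'SITE EXEC'),
    (4, 'tcp', 25, b'VRFY'),
    (5, 'udp', 53, b'\x00\xfc'),             # toy: DNS query type AXFR (252)
    (6, 'tcp', 'any', b'\x90\x90\x90\x90'),  # toy: NOP sled on any port
    (7, 'tcp', 80, b'../..'),
    (8, 'tcp', 443, b'\x16\x03\x00'),
]

# Constructed packets: (proto, dport, payload)
SAMPLE_PACKETS = {
    'web': ('tcp', 80, b'GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n'),
    'dns': ('udp', 53, b'\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00'
                       b'\x07example\x03com\x00\x00\xfc\x00\x01'),
}


def build_port_groups(rules: list) -> dict:
    """Index rules by (proto, dport); 'any' is simply another key."""
    groups = defaultdict(list)
    for rule in rules:
        _, proto, dport, _ = rule
        groups[(proto, dport)].append(rule)
    return dict(groups)


def candidates(groups: dict, proto: str, dport: int) -> list:
    """Rules that can match a packet to (proto, dport): the exact port group
    plus the rules written for any port of that protocol."""
    return groups.get((proto, dport), []) + groups.get((proto, 'any'), [])


def scan_flat(rules: list, proto: str, dport: int, payload: bytes) -> tuple:
    """Linear scan over every rule. Returns (matched sids, rules tested)."""
    hits, tested = [], 0
    for sid, rproto, rdport, content in rules:
        tested += 1
        if rproto == proto and rdport in ('any', dport) and content in payload:
            hits.append(sid)
    return hits, tested


def scan_grouped(groups: dict, proto: str, dport: int, payload: bytes) -> tuple:
    """Same result as scan_flat, but only the candidate rules are tested."""
    hits, tested = [], 0
    for sid, _, _, content in candidates(groups, proto, dport):
        tested += 1
        if content in payload:
            hits.append(sid)
    return hits, tested


if __name__ == '__main__':
    groups = build_port_groups(RULES)
    for name, (proto, dport, payload) in SAMPLE_PACKETS.items():
        print(name, 'flat:', scan_flat(RULES, proto, dport, payload),
              'grouped:', scan_grouped(groups, proto, dport, payload))
```

For the web request both scans report the same two matching rules, but the grouped scan tests 4 rules instead of 8; for the DNS packet it tests 1. The saving grows with the rule count, which is the point of the slide: the expensive content search is run only for rules whose header could match.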
Thank you!
