4. Intrusion Detection System (IDS)
+ Monitors network and system activities
+ Reports malicious activity or policy violations to an operator
+ IDS alerts are normally forwarded to a SIEM (Security Information and Event Management) system for correlation and storage; the IDS itself does the detection, the SIEM does the aggregation
+ IDS classification by vantage point: NIDS (network-based, watches traffic on a link) and HIDS (host-based, watches files, processes and logs on one host)
+ Detection method: signature-based (matches known attack patterns; low false positives, blind to novel attacks) or anomaly-based (flags deviation from a learned baseline; catches unknown attacks, more false positives)
Introduction (1)
7. Snort ...
+ Intrusion Detection and Prevention System (IDPS)
+ Open source, licensed under the GPLv2
+ Snort modes:
- Sniffer: decode and print packets to the console
- Packet logger: write packets to disk
- Network Intrusion Detection System (NIDS): apply a rule set to traffic and alert (Snort inspects network traffic even when it runs on a single host; it is not a HIDS)
What is Snort? (1)
8. Snort as IDPS
+ Real-time traffic analysis
+ Protocol analysis (decoders and preprocessors normalize IP, TCP, HTTP, etc. before rules run)
+ Content searching and matching against packet payloads
+ Detects varied types of attacks, for example:
- Buffer overflows
- Stealth port scans
- CGI attacks
- …
What is Snort? (2)
9. Snort as IDPS
+ Mode expansion
+ Inline as IPS: Snort sits in the traffic path (enabled with -Q and a DAQ that supports inline operation) and can drop packets that match drop/reject rules
+ Passive IDS: Snort receives a copy of the traffic (SPAN/TAP) and can only alert
+ Inline-test: enabled with --enable-inline-test; Snort evaluates the inline rule set and reports what it would have dropped, but forwards every packet, so a new rule set can be tested without affecting the network
What is Snort? (3)
11. Rules
Rules are:
+ The methodology by which Snort performs detection
+ Written to detect exploitation of a specific vulnerability or behaviour, not the vulnerability itself
+ Writing a good rule needs an understanding of how the vulnerability works, so the rule matches the attack traffic and not normal use
Example:
alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; gid:1; sid:10000001; rev:1; classtype:icmp-event;)
+ Rule header: action (alert), protocol (icmp), source address and port (any any), direction (->), destination address and port ($HOME_NET any); $HOME_NET is a variable set in snort.conf
+ Rule options in parentheses, separated by semicolons, keywords in lower case: msg is the alert text, gid:1 is the generator (the rules engine), sid is the unique rule id (values from 1000000 upward are reserved for local rules), rev is incremented on every change to the rule, classtype sets the priority
+ This rule fires on every ICMP packet to the home network: useful to confirm the sensor is working (ping it), too noisy for production
What is Snort? (4)
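To make the anatomy of the rule above concrete, here is a toy rule matcher written for this page. It is not Snort's parser: it handles the rule header (action, protocol, addresses with $VAR, CIDR, any and ! negation, ports with ranges), the direction operator, and only the content option; every other option is parsed but ignored. The $HOME_NET value, the second rule and the packets are all constructed for the example.

```python
"""Toy Snort-rule matcher (added example, not Snort code): parses the rule
header and options, then evaluates rules against constructed packet records."""
import ipaddress
import re

# Assumed value of $HOME_NET; in a real deployment snort.conf defines it.
VARIABLES = {"$HOME_NET": "192.168.2.0/24"}

# header layout: action proto src sport direction dst dport ( options )
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(text):
    """Split a rule into header fields plus an option dict (keys lower-cased)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    rule = m.groupdict()
    opts = {}
    for opt in rule.pop("opts").split(";"):      # toy: no escaped ';' support
        opt = opt.strip()
        if opt:
            key, _, val = opt.partition(":")
            opts[key.strip().lower()] = val.strip().strip('"')
    rule["opts"] = opts
    return rule


def _addr_match(spec, ip):
    """Address spec: any, host, CIDR, $VAR, or !negation."""
    spec = VARIABLES.get(spec, spec)
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not _addr_match(spec[1:], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port):
    """Port spec: any, N, lo:hi (open ends allowed), !negation. ICMP carries None."""
    if spec == "any":
        return True
    if port is None:
        return False
    if spec.startswith("!"):
        return not _port_match(spec[1:], port)
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def _endpoints_match(rule, pkt):
    fwd = (_addr_match(rule["src"], pkt["src"]) and _port_match(rule["sport"], pkt["sport"])
           and _addr_match(rule["dst"], pkt["dst"]) and _port_match(rule["dport"], pkt["dport"]))
    if fwd or rule["dir"] == "->":
        return fwd
    # bidirectional (<>) rule: also accept the reverse direction
    return (_addr_match(rule["src"], pkt["dst"]) and _port_match(rule["sport"], pkt["dport"])
            and _addr_match(rule["dst"], pkt["src"]) and _port_match(rule["dport"], pkt["sport"]))


def rule_matches(rule, pkt):
    """Header match plus the content option; other options are ignored here."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not _endpoints_match(rule, pkt):
        return False
    content = rule["opts"].get("content")
    return content is None or content.encode() in pkt["payload"]


def run(rules, packets):
    """Return (sid, msg) for every alert rule that fires, in packet order."""
    parsed = [parse_rule(r) for r in rules]
    return [(int(r["opts"]["sid"]), r["opts"]["msg"])
            for pkt in packets for r in parsed
            if r["action"] == "alert" and rule_matches(r, pkt)]


RULES = [
    'alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; gid:1; sid:10000001; rev:1; classtype:icmp-event;)',
    'alert tcp any any -> $HOME_NET 80 (msg:"CGI probe"; content:"/cgi-bin/"; sid:10000002; rev:1; classtype:web-application-attack;)',
]

# Constructed packets, not captured traffic: proto, endpoints, payload bytes.
PACKETS = [
    dict(proto="icmp", src="10.0.0.5", sport=None, dst="192.168.2.10", dport=None, payload=b""),
    dict(proto="icmp", src="192.168.2.10", sport=None, dst="8.8.8.8", dport=None, payload=b""),
    dict(proto="tcp", src="10.0.0.5", sport=40001, dst="192.168.2.10", dport=80,
         payload=b"GET /cgi-bin/test.cgi HTTP/1.1\r\n"),
    dict(proto="tcp", src="10.0.0.5", sport=40002, dst="192.168.2.10", dport=80,
         payload=b"GET /index.html HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for sid, msg in run(RULES, PACKETS):
        print("[1:%d] %s" % (sid, msg))
```

Only the first ICMP packet and the /cgi-bin/ request fire: the ICMP reply leaving the home network fails the destination check because the rule's direction is ->, and the plain GET fails the content match. That asymmetry is the point of the header: a rule describes one direction of one conversation, so $HOME_NET must be right or the rule is silently blind.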
18. Snort as a Sniffer
-:~$ sudo snort -v #print TCP/IP (and UDP/ICMP) packet headers to the console
-:~$ sudo snort -vd #also dump the application-layer payload of each packet
-:~$ sudo snort -vde #also show the link-layer (Ethernet) headers
+ Add -i <interface> (e.g. -i enp0s3) to choose the interface; root or CAP_NET_RAW is needed to capture
Implementation (6)
19. Snort as a Packet Logger
-:~$ sudo snort -dev -l path/to/log #log decoded packets as text under the specified directory (it must exist)
-:~$ sudo snort -dev -l path/to/log -h 192.168.2.0/24 #-h sets the home network; logging is divided into subdirectories named after the remote (non-home) IP address of each connection
-:~$ sudo snort -l path/to/log -b #binary (tcpdump/pcap format) logging into a single file: much faster, and readable by tcpdump or Wireshark
-:~$ sudo snort -dvr path/to/binary/log #playback: -r reads the binary log and decodes it into readable output
-:~$ sudo snort -dvr path/to/binary/log icmp #a trailing BPF filter (lowercase keywords) displays only the ICMP packets
Implementation (7)
20. Snort configuration (NIDS)
-:~$ sudo sed -i 's/^include \$RULE_PATH/#include \$RULE_PATH/' /etc/snort/snort.conf #comment out every rule include so only the rule files you choose are loaded
+ The single quotes matter: inside double quotes the shell expands $RULE_PATH (usually to an empty string), the pattern becomes "include ", and the command comments out every include line in the file, including classification.config and the preprocessor rules
-:~$ sudo vim /etc/snort/snort.conf #set HOME_NET, RULE_PATH and the other *_PATH variables to your directories and re-enable the rule files you want (e.g. $RULE_PATH/local.rules)
-:~$ sudo snort -T -c /etc/snort/snort.conf -i enp0s3 #-T validates the configuration and rules and exits; run it before every restart
-:~$ sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i enp0s3
+ -A console prints alerts to stdout, -q suppresses the banner and statistics, -u/-g drop privileges to the snort user and group after initialization, -c selects the configuration, -i the interface
Implementation (8)
21. Additional features: Barnyard2
+ Open-source interpreter for Snort's binary output (github: firnsy/barnyard2)
+ Snort writes alerts and packets in the unified2 format (log file extension .u2); Barnyard2 reads these files and writes the events to other outputs: text files, syslog, or a database
+ Decoupling output from detection means slow database writes never stall Snort's packet processing
Implementation (9)
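What Barnyard2 does on the reading side is easy to see with a small unified2 reader. The code below is an added example for this page, not Barnyard2 code; the record layout follows Snort's unified2 definition (an 8-byte header of type and length, then for type 7 the 52-byte Unified2IDSEvent_legacy IPv4 body, all big-endian). The byte stream it reads is constructed in the script itself, including a packet record the reader skips and a truncated trailing record of the kind you see while Snort is still writing the file.

```python
"""Minimal unified2 (.u2) reader, the format Barnyard2 interprets (added example)."""
import socket
import struct

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

RECORD_HDR = struct.Struct("!II")      # type, length of the body that follows
IDS_EVENT = struct.Struct("!11I2H4B")  # Unified2IDSEvent_legacy: 52 bytes
IDS_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "ip_source", "ip_destination",
    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked",
)


def build_ids_event(**fields):
    """Serialize one IDS event record (header + body); used to construct the sample."""
    values = dict.fromkeys(IDS_EVENT_FIELDS, 0)
    values.update(fields)
    for key in ("ip_source", "ip_destination"):
        if isinstance(values[key], str):
            values[key] = int.from_bytes(socket.inet_aton(values[key]), "big")
    body = IDS_EVENT.pack(*(values[f] for f in IDS_EVENT_FIELDS))
    return RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def iter_records(data):
    """Walk a unified2 byte stream, yielding (type, body); stops at a truncated record."""
    offset = 0
    while offset + RECORD_HDR.size <= len(data):
        rtype, length = RECORD_HDR.unpack_from(data, offset)
        offset += RECORD_HDR.size
        if offset + length > len(data):
            break  # partial record: the writer has not finished it yet
        yield rtype, data[offset:offset + length]
        offset += length


def parse_ids_event(body):
    """Decode a type-7 body into a dict with dotted-quad addresses."""
    ev = dict(zip(IDS_EVENT_FIELDS, IDS_EVENT.unpack(body)))
    for key in ("ip_source", "ip_destination"):
        ev[key] = socket.inet_ntoa(ev[key].to_bytes(4, "big"))
    return ev


def read_events(data):
    """Return decoded IDS events; other record types (packets, extra data) are skipped."""
    return [parse_ids_event(body) for rtype, body in iter_records(data)
            if rtype == UNIFIED2_IDS_EVENT]


# Constructed sample stream (not produced by Snort): one event for the ICMP test rule
# (gid 1, sid 10000001), a packet record the reader skips, then a truncated event.
SAMPLE = (
    build_ids_event(sensor_id=1, event_id=42, event_second=1700000000,
                    signature_id=10000001, generator_id=1, signature_revision=1,
                    classification_id=3, priority_id=3,
                    ip_source="10.0.0.5", ip_destination="192.168.2.10",
                    sport_itype=8, dport_icode=0, protocol=1)
    + RECORD_HDR.pack(UNIFIED2_PACKET, 4) + b"\x00\x01\x02\x03"
    + build_ids_event(sensor_id=1, event_id=43)[:30]
)

if __name__ == "__main__":
    for ev in read_events(SAMPLE):
        print("[%d:%d:%d] %s -> %s proto=%d" % (
            ev["generator_id"], ev["signature_id"], ev["signature_revision"],
            ev["ip_source"], ev["ip_destination"], ev["protocol"]))
```

The length field is what makes the format robust: a reader can skip record types it does not understand and can stop cleanly at a partially written record and resume later, which is exactly why Barnyard2 can tail a .u2 file while Snort is still appending to it. Real files also contain IPv6 and VLAN event types with different bodies; those would need their own struct layouts.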
22. Additional features: PulledPork
+ Helper script written in Perl
+ Downloads and updates rule sets from the official Snort website
+ Downloading registered rules requires a per-account token called the oinkcode, obtained by registering at www.snort.org
+ The oinkcode is an API credential tied to your account: keep it out of slides, repositories and logs (the value used in this implementation has been removed from this page)
+ Configure PulledPork (pulledpork.conf): set the oinkcode, the rule URL and the local rule and snort.conf paths before running it
Implementation (10)