Uploaded byprimeteacher32
PPTX, PDF1,840 views

Snort IDS

This document provides an overview of Snort, an open source intrusion detection system (IDS). It discusses what an IDS is and how Snort works by examining packets and applying rules with a specific syntax. Key points covered include common IDS functionality, Snort rule structure and options, how content detection works, and using Snort to replay packet captures and test rulesets.

Embed presentation

Downloaded 30 times
SNORT
,,_ O“ )~ ‘’’’
The Networked Family ICM P TCP IP UDP
WHAT’S AN IDS? • Intrusion Detection System • You can try to prevent an intrusion…
WHAT’S AN IDS? • Intrusion Detection System • You can try to prevent an intrusion… • But when it happens, you need to be able to detect it
WHAT’S AN IDS? • Intrusion Detection System • You can try to prevent an intrusion… • But when it happens, you need to be able to detect it • It’s not an IPS
HOW DOES IT WORK? • What would you look for? • What can you look for?
SYNTAX Rule structure and example Structure Example Rule Actions alert Protocol icmp Source IP Address any Source Port any Direction Operator -> Destination IP Address any Destination Port any (rule options) (msg:”ICMP Packet”; sid:477; rev:3;)
RULE OPTIONS Keyword Description msg The msg keyword tells the logging and alerting engine the message to print with the packet dump or alert. reference The reference keyword allows rules to include references to external attack identification systems. gid The gid keyword (generator id) is used to identify what part of Snort generates the event when a particular rule fires. sid The sid keyword is used to uniquely identify Snort rules. rev The rev keyword is used to uniquely identify revisions of Snort rules. classtype The classtype keyword is used to categorize a rule as detecting an attack that is part of a more general type of attack class. priority The priority keyword assigns a severity level to rules. metadata The metadata keyword allows a rule writer to embed additional information about the rule, typically in a key-value format.
CONTENT DETECTION Keyword Description content The content keyword allows the user to set rules that search for specific content in the packet payload and trigger response based on that data. rawbytes The rawbytes keyword allows rules to look at the raw packet data, ignoring any decoding that was done by preprocessors. depth The depth keyword allows the rule writer to specify how far into a packet Snort should search for the specified pattern. offset The offset keyword allows the rule writer to specify where to start searching for a pattern within a packet. distance The distance keyword allows the rule writer to specify how far into a packet Snort should ignore before starting to search for the specified pattern relative to the end of the previous pattern match. within The within keyword is a content modifier that makes sure that at most N bytes are between pattern matches using the content keyword. uricontent The uricontent keyword in the Snort rule language searches the normalized request URI field. isdataat The isdataat keyword verifies that the payload has data at a specified location. pcre The pcre keyword allows rules to be written using perl compatible regular expressions. byte_test The byte_test keyword tests a byte field against a specific value (with operator). byte_jump The byte_jump keyword allows rules to read the length of a portion of data, then skip that far forward in the packet. ftpbounce The ftpbounce keyword detects FTP bounce attacks.
CAN YOU DETECT A REVERSE SHELL EXPLOIT? • How would you start?
CAN YOU DETECT A REVERSE SHELL EXPLOIT? • How would you start? • What would examine?
CAN YOU DETECT A REVERSE SHELL EXPLOIT? • How would you start? • What would examine? • How would you test?
$SNORT -R • Replay a pcap file captured from tcpdump to test your ruleset
SYNTAX • <Rule Actions> <Protocol> <Source IP Address> <Source Port> • <Direction Operator> <Destination IP Address> <Destination > (rule options) • ---------------------------------------------------------------------------------------------------------- • Becomes this: • alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)
WHAT HAPPENS? • Rules trigger alerts into the snort logs • To automatically be alerted use a shell script to monitor • Pseudo code is something like this: • #grep for something in the log • #if the output isn’t blank, email someone • #do that again forever and clear the log once you’ve seen the message
SUMMARY • An IDS is an intelligent packet sniffer • Snort is an open sourced implementation • Rules have a standard format • Rules are configured to look at packet headers and/or content

More Related Content

PDF
Tuto VP IPSEC Site-to-site
byDimitri LEMBOKOLO
 
PDF
Mise en place d’un système de détection
byManassé Achim kpaya
 
PDF
Mise en place de vlan au sein d'un réseau
byGeorges Amichia
 
PDF
Installation et Configuration de Pfsense
byIsmail Rachdaoui
 
PPTX
All About Snort
by28pranjal
 
PDF
Alphorm.com Formation Certification NSE4 : Fortinet Fortigate Security 6.x
byAlphorm
 
PPTX
Introduction to Snort
byHossein Yavari
 
PPT
Snort
byRahul Jain
 
Tuto VP IPSEC Site-to-site
byDimitri LEMBOKOLO
 
Mise en place d’un système de détection
byManassé Achim kpaya
 
Mise en place de vlan au sein d'un réseau
byGeorges Amichia
 
Installation et Configuration de Pfsense
byIsmail Rachdaoui
 
All About Snort
by28pranjal
 
Alphorm.com Formation Certification NSE4 : Fortinet Fortigate Security 6.x
byAlphorm
 
Introduction to Snort
byHossein Yavari
 
Snort
byRahul Jain
 

What's hot

PPTX
Cisco CCNA-Router on Stick
byHamed Moghaddam
 
PPTX
Installation et configuration d'un système de Détection d'intrusion (IDS)
byCharif Khrichfa
 
PDF
Gouvernance de la sécurite des Systèmes d'Information Volet-1
byPRONETIS
 
PPTX
Sécurité Réseau à Base d'un Firewall Matériel (fortigate)
bySakka Mustapha
 
ODP
Snort
byMichael Boman
 
PDF
Etude et mise en place d'un plateforme IMS Sécurisée
byHermann GBILIMAKO
 
PPTX
Administration reseau
bynadimoc
 
PDF
Mise en place d'une solution du supérvision réseau
byRabeb Boumaiza
 
PDF
cours ospf
byEL AMRI El Hassan
 
PPTX
Iptables the Linux Firewall
bySyed fawad Gillani
 
PDF
projet fin d'étude IWAN
byMed Amine El Abed
 
PDF
TD_complet_reseau__CISCO__Packet Tracer.pdf
byInes Ben Hassine
 
PDF
VPN site-to-site.pdf
bygorguindiaye
 
PPTX
Les systèmes de détection et prévention d’intrusion
byIntissar Dguechi
 
PPT
Un slideshow de présentation d'Asterisk présenté en entreprise en 2008.
bybetsmee
 
PPTX
Firewall
byMudasser Afzal
 
PDF
netfilter and iptables
byKernel TLV
 
PPTX
What is PCRF? – Detailed PCRF architecture and functioning
byMahindra Comviva
 
PPTX
Nat
byElshan86
 
PDF
GNS3, VoIP, ToIP
byDimitri LEMBOKOLO
 
Cisco CCNA-Router on Stick
byHamed Moghaddam
 
Installation et configuration d'un système de Détection d'intrusion (IDS)
byCharif Khrichfa
 
Gouvernance de la sécurite des Systèmes d'Information Volet-1
byPRONETIS
 
Sécurité Réseau à Base d'un Firewall Matériel (fortigate)
bySakka Mustapha
 
Snort
byMichael Boman
 
Etude et mise en place d'un plateforme IMS Sécurisée
byHermann GBILIMAKO
 
Administration reseau
bynadimoc
 
Mise en place d'une solution du supérvision réseau
byRabeb Boumaiza
 
cours ospf
byEL AMRI El Hassan
 
Iptables the Linux Firewall
bySyed fawad Gillani
 
projet fin d'étude IWAN
byMed Amine El Abed
 
TD_complet_reseau__CISCO__Packet Tracer.pdf
byInes Ben Hassine
 
VPN site-to-site.pdf
bygorguindiaye
 
Les systèmes de détection et prévention d’intrusion
byIntissar Dguechi
 
Un slideshow de présentation d'Asterisk présenté en entreprise en 2008.
bybetsmee
 
Firewall
byMudasser Afzal
 
netfilter and iptables
byKernel TLV
 
What is PCRF? – Detailed PCRF architecture and functioning
byMahindra Comviva
 
Nat
byElshan86
 
GNS3, VoIP, ToIP
byDimitri LEMBOKOLO
 

Viewers also liked

PPTX
Snort
byTensor
 
PDF
Snort
bybala150985
 
PPT
Snort
byStickman Hai
 
PPT
Network Intrusion Detection System Using Snort
byDisha Bedi
 
PDF
A Survey on DPI Techniques for Regular Expression Detection in Network Intrus...
byijsrd.com
 
PPTX
Regular Expression Mining System for Information Extraction
byDimuthu Samarasekara
 
PDF
Sms compliance white paper for mobile communications
byTextGuard
 
ODP
Clarkson joshua white - ids testing - spie 2013 presentation - jsw - d1
byJoshua S. White, PhD josh@securemind.org
 
PPTX
ImmaginAzione - svilupparla col metodo Woodys®
byDiego Senziani
 
PPTX
Pcre introduciton
byYi-Jun Zheng
 
PPT
Lessons Learned from Teaching Intrusion Detection and Intrusion Prevention wi...
byamiable_indian
 
PPTX
Incident Response
byprimeteacher32
 
PPTX
Industrial Training - Network Intrusion Detection System Using Snort
byDisha Bedi
 
PPTX
Snort IDS/IPS Basics
byMahendra Pratap Singh
 
PDF
試してわかるSDN
bycloretsblack
 
PDF
ネットワーク運用とIoT
bycloretsblack
 
PDF
Introduction to Snort Rule Writing
byCisco DevNet
 
PPT
Intrusion detection system ppt
bySheetal Verma
 
PPSX
Intrusion detection system
bygaurav koriya
 
Snort
byTensor
 
Snort
bybala150985
 
Snort
byStickman Hai
 
Network Intrusion Detection System Using Snort
byDisha Bedi
 
A Survey on DPI Techniques for Regular Expression Detection in Network Intrus...
byijsrd.com
 
Regular Expression Mining System for Information Extraction
byDimuthu Samarasekara
 
Sms compliance white paper for mobile communications
byTextGuard
 
Clarkson joshua white - ids testing - spie 2013 presentation - jsw - d1
byJoshua S. White, PhD josh@securemind.org
 
ImmaginAzione - svilupparla col metodo Woodys®
byDiego Senziani
 
Pcre introduciton
byYi-Jun Zheng
 
Lessons Learned from Teaching Intrusion Detection and Intrusion Prevention wi...
byamiable_indian
 
Incident Response
byprimeteacher32
 
Industrial Training - Network Intrusion Detection System Using Snort
byDisha Bedi
 
Snort IDS/IPS Basics
byMahendra Pratap Singh
 
試してわかるSDN
bycloretsblack
 
ネットワーク運用とIoT
bycloretsblack
 
Introduction to Snort Rule Writing
byCisco DevNet
 
Intrusion detection system ppt
bySheetal Verma
 
Intrusion detection system
bygaurav koriya
 

Similar to Snort IDS

PPTX
IDS_WK_Arsalan.pptx
byaskaripayalo
 
PPTX
Snort
bynazzf
 
PDF
Pertemuan 9 intrusion detection system
bynewbie2019
 
PPT
snorteeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee.ppt
byabanehkahalif123
 
PPT
pokeeeeeeeeeeeeeeeeeeeeeeeeee eeeeeeeeeeeeeeeeeeeee
bytindepzai91
 
PDF
An analysis of Network Intrusion Detection System using SNORT
byijsrd.com
 
PPTX
Introduction to IDS & IPS - Part 1
bywhitehat 'People'
 
PDF
Understanding Intrusion Detection Systems with Snort
byShyamsundar Das
 
PPTX
Intrusion Prevention System
byVishwanath Badiger
 
PDF
1.SNORT.pdf
byAgusNursidik
 
PPTX
Snort- Presentation.pptx
bySathishKumar960827
 
PDF
Detect Network Threat Using SNORT Intrusion Detection System
byIRJET Journal
 
PPTX
Snort Home Lab - Workshop
byHishan Shouketh
 
PPTX
Group4_final_report.pptx
byHataseSouta
 
PPT
snort.ppt
bySenthil Vit
 
PPTX
NSM_Protecting your network in real time
bysamsanjai82
 
PDF
Evaluation of Snort using Rules for DARPA 1999 Dataset
byIJCSIS Research Publications
 
PPTX
Network intrusion detection system and analysis
byBikrant Gautam
 
PPT
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...
byskpatel91
 
PPT
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...
byskpatel91
 
IDS_WK_Arsalan.pptx
byaskaripayalo
 
Snort
bynazzf
 
Pertemuan 9 intrusion detection system
bynewbie2019
 
snorteeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee.ppt
byabanehkahalif123
 
pokeeeeeeeeeeeeeeeeeeeeeeeeee eeeeeeeeeeeeeeeeeeeee
bytindepzai91
 
An analysis of Network Intrusion Detection System using SNORT
byijsrd.com
 
Introduction to IDS & IPS - Part 1
bywhitehat 'People'
 
Understanding Intrusion Detection Systems with Snort
byShyamsundar Das
 
Intrusion Prevention System
byVishwanath Badiger
 
1.SNORT.pdf
byAgusNursidik
 
Snort- Presentation.pptx
bySathishKumar960827
 
Detect Network Threat Using SNORT Intrusion Detection System
byIRJET Journal
 
Snort Home Lab - Workshop
byHishan Shouketh
 
Group4_final_report.pptx
byHataseSouta
 
snort.ppt
bySenthil Vit
 
NSM_Protecting your network in real time
bysamsanjai82
 
Evaluation of Snort using Rules for DARPA 1999 Dataset
byIJCSIS Research Publications
 
Network intrusion detection system and analysis
byBikrant Gautam
 
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...
byskpatel91
 
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...
byskpatel91
 

More from primeteacher32

PPT
Software Development Life Cycle
byprimeteacher32
 
PPTX
Variable Scope
byprimeteacher32
 
PPTX
Returning Data
byprimeteacher32
 
PPTX
Intro to Functions
byprimeteacher32
 
PPTX
Introduction to GUIs with guizero
byprimeteacher32
 
PPTX
Function Parameters
byprimeteacher32
 
PPTX
Nested Loops
byprimeteacher32
 
PPT
Conditional Loops
byprimeteacher32
 
PPTX
Introduction to Repetition Structures
byprimeteacher32
 
PPTX
Input Validation
byprimeteacher32
 
PPTX
Windows File Systems
byprimeteacher32
 
PPTX
Nesting Conditionals
byprimeteacher32
 
PPTX
Conditionals
byprimeteacher32
 
PPT
Intro to Python with GPIO
byprimeteacher32
 
PPTX
Variables and Statements
byprimeteacher32
 
PPTX
Variables and User Input
byprimeteacher32
 
PPT
Intro to Python
byprimeteacher32
 
PPTX
Raspberry Pi
byprimeteacher32
 
PPT
Hardware vs. Software Presentations
byprimeteacher32
 
PPTX
Block chain security
byprimeteacher32
 
Software Development Life Cycle
byprimeteacher32
 
Variable Scope
byprimeteacher32
 
Returning Data
byprimeteacher32
 
Intro to Functions
byprimeteacher32
 
Introduction to GUIs with guizero
byprimeteacher32
 
Function Parameters
byprimeteacher32
 
Nested Loops
byprimeteacher32
 
Conditional Loops
byprimeteacher32
 
Introduction to Repetition Structures
byprimeteacher32
 
Input Validation
byprimeteacher32
 
Windows File Systems
byprimeteacher32
 
Nesting Conditionals
byprimeteacher32
 
Conditionals
byprimeteacher32
 
Intro to Python with GPIO
byprimeteacher32
 
Variables and Statements
byprimeteacher32
 
Variables and User Input
byprimeteacher32
 
Intro to Python
byprimeteacher32
 
Raspberry Pi
byprimeteacher32
 
Hardware vs. Software Presentations
byprimeteacher32
 
Block chain security
byprimeteacher32
 

Recently uploaded

PDF
Top 10 Home and Online Tutoring Platforms in Telangana for Teachers.pdf
byDigital Marketing Services India
 
PDF
Notes (Classification on feeding habits).pdf
bykpunia900
 
PPT
Advantages and disadvantages of the transducer.ppt
byvickeyrathore1
 
PDF
Complete List of all 565 CAAHEP & ABHES Accredited Medical Assisting Programs...
byCrystal Smith
 
PDF
Lecture 4 AI.pdfgggfggghggffgvvvcgggggdggf
bymohammeedd2000d
 
PDF
Research-Proposal-Writing-Service-UK-for-Structured-Academic-Success.pdf
byResearch Proposal Help
 
PPTX
720208371-Health.pptxmjkjkjkjkjkjkjkjkkmjkj
byjaysonalbarracin4
 
PPT
Hanry Fayol.pptJBJHFIDHEIRHFIHREHIFHREIFHIOREHIFOH
byprachi0rawat
 
PDF
SABRE BASIC AIRLINES RESERVATION AND TICKETING SHORT MANUAL BY MD SHAIFULLAR ...
byMd Shaifullar Rabbi
 
PPTX
6. Political-Legal Perspective of Gender & Sexuality.pptx
byChonaDichosaPajarill1
 
PPTX
Brown Vintage Watercolor Creative Portfolio Presentation.pptx
byMaryFaithKibos
 
PPTX
Operational Leadership Projects Presentation
bysarahaha89
 
PPTX
Role_of_Arthropods_in_Transmission_of_Human_Diseases.pptx
bydauli4796
 
PPTX
How to Study At CLC Sikar - Best NEET coaching
byCLC Sikar
 
PDF
BCG Attorney Search's The Five Most Important Questions to Ask
byBCG Attorney Search
 
PPTX
583395073-Presentation-on-Artificial-intelligence.pptx
byPRAVEENRAI365425
 
PDF
Service Overview | Simplifying Government Paperwork | GOV+ Reviews.pdf
byGovPlus Reviews
 
PDF
Top 10 Home and Online Tutoring Platforms in Karnataka for Teachers.pdf
byDigital Marketing Services India
 
PDF
Qualification n Membership Rajesh Prasad.pdf
byRajesh Prasad
 
PPTX
CareerOptionsAfterHSCCommerceMumbaiNEP2020pptx.pptx
byABDUL RASHEED MOHAMMED MOGHEES
 
Top 10 Home and Online Tutoring Platforms in Telangana for Teachers.pdf
byDigital Marketing Services India
 
Notes (Classification on feeding habits).pdf
bykpunia900
 
Advantages and disadvantages of the transducer.ppt
byvickeyrathore1
 
Complete List of all 565 CAAHEP & ABHES Accredited Medical Assisting Programs...
byCrystal Smith
 
Lecture 4 AI.pdfgggfggghggffgvvvcgggggdggf
bymohammeedd2000d
 
Research-Proposal-Writing-Service-UK-for-Structured-Academic-Success.pdf
byResearch Proposal Help
 
720208371-Health.pptxmjkjkjkjkjkjkjkjkkmjkj
byjaysonalbarracin4
 
Hanry Fayol.pptJBJHFIDHEIRHFIHREHIFHREIFHIOREHIFOH
byprachi0rawat
 
SABRE BASIC AIRLINES RESERVATION AND TICKETING SHORT MANUAL BY MD SHAIFULLAR ...
byMd Shaifullar Rabbi
 
6. Political-Legal Perspective of Gender & Sexuality.pptx
byChonaDichosaPajarill1
 
Brown Vintage Watercolor Creative Portfolio Presentation.pptx
byMaryFaithKibos
 
Operational Leadership Projects Presentation
bysarahaha89
 
Role_of_Arthropods_in_Transmission_of_Human_Diseases.pptx
bydauli4796
 
How to Study At CLC Sikar - Best NEET coaching
byCLC Sikar
 
BCG Attorney Search's The Five Most Important Questions to Ask
byBCG Attorney Search
 
583395073-Presentation-on-Artificial-intelligence.pptx
byPRAVEENRAI365425
 
Service Overview | Simplifying Government Paperwork | GOV+ Reviews.pdf
byGovPlus Reviews
 
Top 10 Home and Online Tutoring Platforms in Karnataka for Teachers.pdf
byDigital Marketing Services India
 
Qualification n Membership Rajesh Prasad.pdf
byRajesh Prasad
 
CareerOptionsAfterHSCCommerceMumbaiNEP2020pptx.pptx
byABDUL RASHEED MOHAMMED MOGHEES
 

Snort IDS

  • 1.
  • 2.
  • 3.
  • 4.
    WHAT’S AN IDS? •Intrusion Detection System • You can try to prevent an intrusion…
  • 5.
    WHAT’S AN IDS? •Intrusion Detection System • You can try to prevent an intrusion… • But when it happens, you need to be able to detect it
  • 6.
    WHAT’S AN IDS? •Intrusion Detection System • You can try to prevent an intrusion… • But when it happens, you need to be able to detect it • It’s not an IPS
  • 7.
    HOW DOES ITWORK? • What would you look for? • What can you look for?
  • 8.
    SYNTAX Rule structure andexample Structure Example Rule Actions alert Protocol icmp Source IP Address any Source Port any Direction Operator -> Destination IP Address any Destination Port any (rule options) (msg:”ICMP Packet”; sid:477; rev:3;)
  • 9.
    RULE OPTIONS Keyword Description msgThe msg keyword tells the logging and alerting engine the message to print with the packet dump or alert. reference The reference keyword allows rules to include references to external attack identification systems. gid The gid keyword (generator id) is used to identify what part of Snort generates the event when a particular rule fires. sid The sid keyword is used to uniquely identify Snort rules. rev The rev keyword is used to uniquely identify revisions of Snort rules. classtype The classtype keyword is used to categorize a rule as detecting an attack that is part of a more general type of attack class. priority The priority keyword assigns a severity level to rules. metadata The metadata keyword allows a rule writer to embed additional information about the rule, typically in a key-value format.
  • 10.
    CONTENT DETECTION Keyword Description contentThe content keyword allows the user to set rules that search for specific content in the packet payload and trigger response based on that data. rawbytes The rawbytes keyword allows rules to look at the raw packet data, ignoring any decoding that was done by preprocessors. depth The depth keyword allows the rule writer to specify how far into a packet Snort should search for the specified pattern. offset The offset keyword allows the rule writer to specify where to start searching for a pattern within a packet. distance The distance keyword allows the rule writer to specify how far into a packet Snort should ignore before starting to search for the specified pattern relative to the end of the previous pattern match. within The within keyword is a content modifier that makes sure that at most N bytes are between pattern matches using the content keyword. uricontent The uricontent keyword in the Snort rule language searches the normalized request URI field. isdataat The isdataat keyword verifies that the payload has data at a specified location. pcre The pcre keyword allows rules to be written using perl compatible regular expressions. byte_test The byte_test keyword tests a byte field against a specific value (with operator). byte_jump The byte_jump keyword allows rules to read the length of a portion of data, then skip that far forward in the packet. ftpbounce The ftpbounce keyword detects FTP bounce attacks.
  • 11.
    CAN YOU DETECTA REVERSE SHELL EXPLOIT? • How would you start?
  • 12.
    CAN YOU DETECTA REVERSE SHELL EXPLOIT? • How would you start? • What would examine?
  • 13.
    CAN YOU DETECTA REVERSE SHELL EXPLOIT? • How would you start? • What would examine? • How would you test?
  • 14.
    $SNORT -R • Replaya pcap file captured from tcpdump to test your ruleset
  • 15.
    SYNTAX • <Rule Actions><Protocol> <Source IP Address> <Source Port> • <Direction Operator> <Destination IP Address> <Destination > (rule options) • ---------------------------------------------------------------------------------------------------------- • Becomes this: • alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)
  • 16.
    WHAT HAPPENS? • Rulestrigger alerts into the snort logs • To automatically be alerted use a shell script to monitor • Pseudo code is something like this: • #grep for something in the log • #if the output isn’t blank, email someone • #do that again forever and clear the log once you’ve seen the message
  • 17.
    SUMMARY • An IDSis an intelligent packet sniffer • Snort is an open sourced implementation • Rules have a standard format • Rules are configured to look at packet headers and/or content