Senthil Vit, profile picture
Uploaded bySenthil Vit
PPT, PDF239 views

snort.ppt

Snort is an open source network intrusion prevention system capable of real-time traffic analysis and packet logging. It uses a rules-based detection engine to examine packets against defined signatures. Snort has three main operational modes: sniffer, packet logger, and network intrusion detection system. It utilizes a modular architecture with plug-ins for preprocessing, detection, and output. Rules provide flexible and configurable detection signatures.

Embed presentation

Download to read offline
SNORT
Topics • Background – What is Snort? • Using Snort • Snort Architecture
SNORT • Snort is an open source network intrusion prevention system, capable of performing real- time traffic analysis and packet logging on IP networks.
Background – Policy • Successful intrusion detection depends on policy and management as much as technology – Security Policy (defining what is acceptable and what is being defended) is the first step – Notification • Who, how fast? – Response Coordination
Intro to Snort • What is Snort? – Snort is a multi-mode packet analysis tool • Sniffer • Packet Logger • Forensic Data Analysis tool • Network Intrusion Detection System • Where did it come from? – Developed out of the evolving need to perform network traffic analysis in both real-time and for forensic post processing
Snort “Metrics” • Small (~800k source download) • Portable (Linux, Windows, MacOS X, Solaris, BSD, IRIX, Tru64, HP- UX, etc) • Fast (High probability of detection for a given attack on 100Mbps networks) • Configurable (Easy rules language, many reporting/logging options • Free (GPL/Open Source Software)
Snort Design • Packet sniffing “lightweight” network intrusion detection system • Libpcap-based sniffing interface • Rules-based detection engine • Plug-in system allows endless flexibility
Detection Engine • Rules form “signatures” • Modular detection elements are combined to form these signatures • Wide range of detection capabilities – Stealth scans, OS fingerprinting, buffer overflows, back doors, CGI exploits, etc. • Rules system is very flexible, and creation of new rules is relatively simple
Plug-Ins • Preprocessor – Packets are examined/manipulated before being handed to the detection engine • Detection – Perform single, simple tests on a single aspect/field of the packet • Output – Report results from the other plug-ins
Using Snort • Three main operational modes – Sniffer Mode – Packet Logger Mode – NIDS Mode – (Forensic Data Analysis Mode) • Operational modes are configured via command line switches – Snort automatically tries to go into NIDS mode if no command line switches are given, looks for snort.conf configuration file in /etc
Using Snort – Sniffer Mode • Works much like tcpdump • Decodes packets and dumps them to stdout • BPF (Berkeley Packet Filtering) interface available to shape displayed network traffic – pseudo devices can be found.
What Do The Packet Dumps Look Like? =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 11/09-11:12:02.954779 10.1.1.6:1032 -> 10.1.1.8:23 TCP TTL:128 TOS:0x0 ID:31237 IpLen:20 DgmLen:59 DF ***AP*** Seq: 0x16B6DA Ack: 0x1AF156C2 Win: 0x2217 TcpLen: 20 FF FC 23 FF FC 27 FF FC 24 FF FA 18 00 41 4E 53 ..#..'..$....ANS 49 FF F0 I.. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 11/09-11:12:02.956582 10.1.1.8:23 -> 10.1.1.6:1032 TCP TTL:255 TOS:0x0 ID:49900 IpLen:20 DgmLen:61 DF ***AP*** Seq: 0x1AF156C2 Ack: 0x16B6ED Win: 0x2238 TcpLen: 20 0D 0A 0D 0A 53 75 6E 4F 53 20 35 2E 37 0D 0A 0D ....SunOS 5.7... 00 0D 0A 0D 00 ..... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Packet Logger Mode • save packets to disk… • Multi-mode packet logging options available – Flat ASCII, tcpdump, XML, database, etc available • Log all data and post-process to look for anomalous activity
NIDS Mode • Wide variety of rules available for signature engine (~1300 as of June 2001, grow to ~2900 at May 2005) • Multiple detection modes available via rules and plug-ins – Rules/signature – Statistical anomaly – Protocol verification
Snort Rules
Snort Rules • Snort rules are extremely flexible and are easy to modify, unlike many commercial NIDS • Sample rule to detect SubSeven trojan: alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;) • Elements before parentheses comprise ‘rule header’ • Elements in parentheses are ‘rule options’
Snort Rules alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;) • alert action to take; also log, pass, activate, dynamic • tcp protocol; also udp, icmp, ip • $EXTERNAL_NET source address; this is a variable – specific IP is ok • 27374 source port; also any, negation (!21), range (1:1024) • -> direction; best not to change this, although <> is allowed • $HOME_NET destination address; this is also a variable here • any destination port
Snort Rules alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;) • msg:”BACKDOOR subseven 22”; message to appear in logs • flags: A+; tcp flags; many options, like SA, SA+, !R, SF* • content: “|0d0…0a|”; binary data to check in packet; content without | (pipe) characters do simple content matches • reference…; where to go to look for background on this rule • sid:103; rule identifier • classtype: misc-activity; rule type; many others • rev:4; rule revision number • other rule options possible, like offset, depth, nocase
Snort Rules • bad-traffic.rules exploit.rules scan.rules • finger.rules ftp.rules telnet.rules • smtp.rules rpc.rulesrservices.rules • dos.rules ddos.rules dns.rules • tftp.rules web-cgi.rules web-coldfusion.rules • web-frontpage.rules web-iis.rules web-misc.rules • web-attacks.rules sql.rules x11.rules • icmp.rules netbios.rules misc.rules • backdoor.rules shellcode.rules policy.rules • info.rules icmp-info.rules • virus.rules local.rules attack-responses.rules
Snort Rules • Rules which actually caught intrusions – alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS- SQL xp_cmdshell - program execution"; content: "x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; flags:A+; classtype:attempted-user; sid:687; rev:3;) caught compromise of Microsoft SQL Server – alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB- IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:web- application-attack; sid:1002; rev:2;) caught Code Red infection – alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP "MKD / " possible warez site"; flags: A+; content:"MKD / "; nocase; depth: 6; classtype:misc-activity; sid:554; rev:3;) caught anonymous ftp server
Snort Architecture
Data Flow Packet Decoder Preprocessor (Plug-ins) Detection Engine (Plug-ins) Output Stage (Plug-ins) Packet Stream Sniffing Snort Data Flow Alerts/Logs
Rule Header Alert tcp 1.1.1.1 any -> 2.2.2.2 any Rule Options (flags: SF; msg: “SYN-FIN Scan”;) Alert tcp 1.1.1.1 any -> 2.2.2.2 any Alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: S12; msg: “Queso Scan”;) (flags: F; msg: “FIN Scan”;) Detection Engine: Rules QUESO is not as popular or robust as NMAP, it still provides great signatures to look at and analyze. QUESO usually sends out seven (7) packets at a time. QUESO allows a user to spoof his/her address and to choose what port he/she wants to scan. QUESO also chooses random source ports (4000 -65000).
Alert tcp 1.1.1.1 any -> 2.2.2.2 any Rule Node (flags: SF; msg: “SYN-FIN Scan”;) (flags: S12; msg: “Queso Scan”;) (flags: F; msg: “FIN Scan”;) Option Node Detection Engine: Internal Representation
Rule Node Rule Node Rule Node Rule Node Rule Node Option Node Option Node Option Node Option Node Option Node Option Node Option Node Option Node Option Node Option Node Option Node Detection Engine: Fully Populated
Link: • https://www.youtube.com/watch?v=HW uUW4XGxHo
Conclusion • Snort is a powerful tool, but maximizing its usefulness requires a trained operator • Becoming proficient with network intrusion detection takes 12 months; “expert” 24-36? • Snort is considered a superior NIDS when compared to most commercial systems • Managed network security providers should collect enough information to make decisions without calling clients to ask what happened

More Related Content

PPT
Cryptography and Network Security William Stallings Lawrie Brown
byInformation Security Awareness Group
 
PPTX
Wireless Penetration Testing
byMohammed Adam
 
PPT
Ch02...1
bynathanurag
 
PDF
Snort-IPS-Tutorial
byVladimir Koychev
 
PDF
Ccna rse chp7 Access Control List (ACL)
bynewbie2019
 
PDF
KRACK attack
byVadimDavydov3
 
PPTX
Cryptanalysis
bySou Jana
 
PDF
Network analysis Using Wireshark Lesson 11: TCP and UDP Analysis
byYoram Orzach
 
Cryptography and Network Security William Stallings Lawrie Brown
byInformation Security Awareness Group
 
Wireless Penetration Testing
byMohammed Adam
 
Ch02...1
bynathanurag
 
Snort-IPS-Tutorial
byVladimir Koychev
 
Ccna rse chp7 Access Control List (ACL)
bynewbie2019
 
KRACK attack
byVadimDavydov3
 
Cryptanalysis
bySou Jana
 
Network analysis Using Wireshark Lesson 11: TCP and UDP Analysis
byYoram Orzach
 

What's hot

PDF
5.5.1.2 packet tracer configure ios intrusion prevention system (ips) using...
bySalem Trabelsi
 
PPT
Cisco ACL
byfaust0
 
PPTX
#Acunetix #product #presentation
byCheer Chain Enterprise Co., Ltd.
 
PPT
Acl
byRaghu Kiran
 
PPTX
Introduction to Network Security
byJohn Ely Masculino
 
PPTX
Firewall and its purpose
byRohit Phulsunge
 
PPT
Ch03 block-cipher-and-data-encryption-standard
bytarekiceiuk
 
PPTX
Introduction to Snort
byHossein Yavari
 
PDF
Ccnp workbook network bulls
bySwapnil Kapate
 
PPTX
ccna networking ppt
byEr. Anmol Bhagat
 
PPTX
Symmetric encryption and message confidentiality
byCAS
 
PPTX
Nmap
byMegha Sahu
 
PPTX
firewall and its types
byMohammed Maajidh
 
PPTX
IP Sec - Basic Concepts
byAvadhesh Agrawal
 
PDF
IOS Cisco - Cheat sheets
byAlejandro Marin
 
PPT
Ch15
byraja yasodhar
 
PDF
IPSec (Internet Protocol Security) - PART 1
byShobhit Sharma
 
PDF
Cryptography in Python
byAmirali Sanatinia
 
PPTX
Snort
byFadwa Gmiden
 
PPT
Introduction to Secure Sockets Layer
byNascenia IT
 
5.5.1.2 packet tracer configure ios intrusion prevention system (ips) using...
bySalem Trabelsi
 
Cisco ACL
byfaust0
 
#Acunetix #product #presentation
byCheer Chain Enterprise Co., Ltd.
 
Acl
byRaghu Kiran
 
Introduction to Network Security
byJohn Ely Masculino
 
Firewall and its purpose
byRohit Phulsunge
 
Ch03 block-cipher-and-data-encryption-standard
bytarekiceiuk
 
Introduction to Snort
byHossein Yavari
 
Ccnp workbook network bulls
bySwapnil Kapate
 
ccna networking ppt
byEr. Anmol Bhagat
 
Symmetric encryption and message confidentiality
byCAS
 
Nmap
byMegha Sahu
 
firewall and its types
byMohammed Maajidh
 
IP Sec - Basic Concepts
byAvadhesh Agrawal
 
IOS Cisco - Cheat sheets
byAlejandro Marin
 
Ch15
byraja yasodhar
 
IPSec (Internet Protocol Security) - PART 1
byShobhit Sharma
 
Cryptography in Python
byAmirali Sanatinia
 
Snort
byFadwa Gmiden
 
Introduction to Secure Sockets Layer
byNascenia IT
 

Similar to snort.ppt

PPT
snorteeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee.ppt
byabanehkahalif123
 
PPT
pokeeeeeeeeeeeeeeeeeeeeeeeeee eeeeeeeeeeeeeeeeeeeee
bytindepzai91
 
PPT
Snort
byRahul Jain
 
PDF
Pertemuan 9 intrusion detection system
bynewbie2019
 
PPTX
IDS_WK_Arsalan.pptx
byaskaripayalo
 
PPTX
Introduction to IDS & IPS - Part 1
bywhitehat 'People'
 
PPTX
Snort IDS/IPS Basics
byMahendra Pratap Singh
 
PDF
An analysis of Network Intrusion Detection System using SNORT
byijsrd.com
 
PPTX
All About Snort
by28pranjal
 
PPT
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...
byskpatel91
 
PPT
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...
byskpatel91
 
PDF
IDS & Passive Network Defense
bySalvatore Lentini
 
PPTX
Security Onion
byjohndegruyter
 
PDF
Understanding Intrusion Detection Systems with Snort
byShyamsundar Das
 
PPTX
NSM_Protecting your network in real time
bysamsanjai82
 
PPTX
Snort- Presentation.pptx
bySathishKumar960827
 
PDF
26.1.7 lab snort and firewall rules
byFreddy Buenaño
 
PDF
Detect Network Threat Using SNORT Intrusion Detection System
byIRJET Journal
 
PPTX
Snort
bynazzf
 
PPT
Network Intrusion Detection System Using Snort
byDisha Bedi
 
snorteeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee.ppt
byabanehkahalif123
 
pokeeeeeeeeeeeeeeeeeeeeeeeeee eeeeeeeeeeeeeeeeeeeee
bytindepzai91
 
Snort
byRahul Jain
 
Pertemuan 9 intrusion detection system
bynewbie2019
 
IDS_WK_Arsalan.pptx
byaskaripayalo
 
Introduction to IDS & IPS - Part 1
bywhitehat 'People'
 
Snort IDS/IPS Basics
byMahendra Pratap Singh
 
An analysis of Network Intrusion Detection System using SNORT
byijsrd.com
 
All About Snort
by28pranjal
 
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...
byskpatel91
 
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...
byskpatel91
 
IDS & Passive Network Defense
bySalvatore Lentini
 
Security Onion
byjohndegruyter
 
Understanding Intrusion Detection Systems with Snort
byShyamsundar Das
 
NSM_Protecting your network in real time
bysamsanjai82
 
Snort- Presentation.pptx
bySathishKumar960827
 
26.1.7 lab snort and firewall rules
byFreddy Buenaño
 
Detect Network Threat Using SNORT Intrusion Detection System
byIRJET Journal
 
Snort
bynazzf
 
Network Intrusion Detection System Using Snort
byDisha Bedi
 

More from Senthil Vit

PPTX
FALLSEM2021-22_CSE3035_ETH_VL2021220103964_2021-10-22_Reference-Material-I.pptx
bySenthil Vit
 
PDF
FALLSEM2024-25_BCSE408L_TH_VL2024250101820_2024-09-05_Reference-Material-I.pdf
bySenthil Vit
 
PPTX
Jenkins and Maven in cloud data Engineering
bySenthil Vit
 
PPTX
Introduction to Jenkins Pipeline in data engg
bySenthil Vit
 
PPTX
Logical Design Architecture in Internet of Things
bySenthil Vit
 
PDF
Wireless sensor networks in Internet of Things
bySenthil Vit
 
PPTX
Classification Algorithm in Machine Learning
bySenthil Vit
 
PPTX
Decision Trees Learning in Machine Learning
bySenthil Vit
 
PPTX
Operating system Virtualization_NEW.pptx
bySenthil Vit
 
PPTX
Synchronization Peterson’s Solution.pptx
bySenthil Vit
 
PPT
Control structures in Python programming
bySenthil Vit
 
PPT
Data and Expressions in Python programming
bySenthil Vit
 
PPTX
Python programming Introduction about Python
bySenthil Vit
 
PDF
Switching Problems.pdf
bySenthil Vit
 
PPT
Big Oh.ppt
bySenthil Vit
 
PPT
AsymptoticNotations.ppt
bySenthil Vit
 
PPTX
First Best and Worst Fit.pptx
bySenthil Vit
 
PPTX
File Implementation Problem.pptx
bySenthil Vit
 
PPT
Design Issues of an OS.ppt
bySenthil Vit
 
PPTX
Operating Systems – Structuring Methods.pptx
bySenthil Vit
 
FALLSEM2021-22_CSE3035_ETH_VL2021220103964_2021-10-22_Reference-Material-I.pptx
bySenthil Vit
 
FALLSEM2024-25_BCSE408L_TH_VL2024250101820_2024-09-05_Reference-Material-I.pdf
bySenthil Vit
 
Jenkins and Maven in cloud data Engineering
bySenthil Vit
 
Introduction to Jenkins Pipeline in data engg
bySenthil Vit
 
Logical Design Architecture in Internet of Things
bySenthil Vit
 
Wireless sensor networks in Internet of Things
bySenthil Vit
 
Classification Algorithm in Machine Learning
bySenthil Vit
 
Decision Trees Learning in Machine Learning
bySenthil Vit
 
Operating system Virtualization_NEW.pptx
bySenthil Vit
 
Synchronization Peterson’s Solution.pptx
bySenthil Vit
 
Control structures in Python programming
bySenthil Vit
 
Data and Expressions in Python programming
bySenthil Vit
 
Python programming Introduction about Python
bySenthil Vit
 
Switching Problems.pdf
bySenthil Vit
 
Big Oh.ppt
bySenthil Vit
 
AsymptoticNotations.ppt
bySenthil Vit
 
First Best and Worst Fit.pptx
bySenthil Vit
 
File Implementation Problem.pptx
bySenthil Vit
 
Design Issues of an OS.ppt
bySenthil Vit
 
Operating Systems – Structuring Methods.pptx
bySenthil Vit
 

Recently uploaded

PDF
Earths-Structure-and-Composition_20260127_110958_0000.pdf
byabdurasabarfaki
 
PPTX
FROM MEASUREMENT TO MEANING : Metrology-Driven Battery Testing for Reliable ...
byRunjhunDutta
 
PPTX
Why Air Droppable Containers Are Critical for Modern Aerial Logistics
byNeometrix_Engineering_Pvt_Ltd
 
PDF
Formality - Logic Equivalence Checking - Part 1
byAmr Adel
 
PPTX
24ME402-ENGINEERING MATERIALS AND METALLURGY --- UNIT-II
byDJAGADEESH1
 
PDF
Requirement Engineering : Capturing the Requirements
byGunjalSanjay
 
PDF
Software Engineering :Software Engineering Practice
byGunjalSanjay
 
PDF
Software Engineering : Process Models.
byGunjalSanjay
 
PDF
FPGA Fabric and Synthesis All Parts Combined
byAmr Adel
 
PPTX
Industry 4.0- fourth industrial revolution Presentation.pptx
byrameswari15491
 
PDF
LS029B3SX06A 2.9 Inch TFT LCD 2K Resolution 2160X2160 For AR VR
bySyluxdisplay
 
PPTX
Energy system modelling to support national energy and climate policy making ...
byIEA-ETSAP
 
PPTX
TechSprint WinterHack || After an intense hackathon filled with creativity, ...
bybajpaitusharoffon678
 
PDF
Chip Designer's Code - Linux Terminal Part 6 - Text Viewers
byAmr Adel
 
PDF
Mahabir - Structural Steel Brochure - 2025
byMahabirIndustries1
 
PDF
PASSIVE AND ACTIVE REINFORCEMENT LEARNING
byAnushaSanjay
 
PDF
Fundamentals of AI - Problem Solving Approach.pdf
byVyankateshBhaurkar1
 
PDF
Software Engineering Perspective Process Models
byGunjalSanjay
 
PDF
Reality Check Deploying Computer Vision and LLMs at the Edge
byICS
 
PDF
PROBLEM SLOVING AND PYTHON PROGRAMMING UNIT 2.pdf
byA R SIVANESH M.E., QIP-PG (Cyber Security)., (Ph.D)
 
Earths-Structure-and-Composition_20260127_110958_0000.pdf
byabdurasabarfaki
 
FROM MEASUREMENT TO MEANING : Metrology-Driven Battery Testing for Reliable ...
byRunjhunDutta
 
Why Air Droppable Containers Are Critical for Modern Aerial Logistics
byNeometrix_Engineering_Pvt_Ltd
 
Formality - Logic Equivalence Checking - Part 1
byAmr Adel
 
24ME402-ENGINEERING MATERIALS AND METALLURGY --- UNIT-II
byDJAGADEESH1
 
Requirement Engineering : Capturing the Requirements
byGunjalSanjay
 
Software Engineering :Software Engineering Practice
byGunjalSanjay
 
Software Engineering : Process Models.
byGunjalSanjay
 
FPGA Fabric and Synthesis All Parts Combined
byAmr Adel
 
Industry 4.0- fourth industrial revolution Presentation.pptx
byrameswari15491
 
LS029B3SX06A 2.9 Inch TFT LCD 2K Resolution 2160X2160 For AR VR
bySyluxdisplay
 
Energy system modelling to support national energy and climate policy making ...
byIEA-ETSAP
 
TechSprint WinterHack || After an intense hackathon filled with creativity, ...
bybajpaitusharoffon678
 
Chip Designer's Code - Linux Terminal Part 6 - Text Viewers
byAmr Adel
 
Mahabir - Structural Steel Brochure - 2025
byMahabirIndustries1
 
PASSIVE AND ACTIVE REINFORCEMENT LEARNING
byAnushaSanjay
 
Fundamentals of AI - Problem Solving Approach.pdf
byVyankateshBhaurkar1
 
Software Engineering Perspective Process Models
byGunjalSanjay
 
Reality Check Deploying Computer Vision and LLMs at the Edge
byICS
 
PROBLEM SLOVING AND PYTHON PROGRAMMING UNIT 2.pdf
byA R SIVANESH M.E., QIP-PG (Cyber Security)., (Ph.D)
 

snort.ppt

  • 1.
  • 2.
    Topics • Background – Whatis Snort? • Using Snort • Snort Architecture
  • 3.
    SNORT • Snort isan open source network intrusion prevention system, capable of performing real- time traffic analysis and packet logging on IP networks.
  • 4.
    Background – Policy •Successful intrusion detection depends on policy and management as much as technology – Security Policy (defining what is acceptable and what is being defended) is the first step – Notification • Who, how fast? – Response Coordination
  • 5.
    Intro to Snort •What is Snort? – Snort is a multi-mode packet analysis tool • Sniffer • Packet Logger • Forensic Data Analysis tool • Network Intrusion Detection System • Where did it come from? – Developed out of the evolving need to perform network traffic analysis in both real-time and for forensic post processing
  • 6.
    Snort “Metrics” • Small(~800k source download) • Portable (Linux, Windows, MacOS X, Solaris, BSD, IRIX, Tru64, HP- UX, etc) • Fast (High probability of detection for a given attack on 100Mbps networks) • Configurable (Easy rules language, many reporting/logging options • Free (GPL/Open Source Software)
  • 7.
    Snort Design • Packetsniffing “lightweight” network intrusion detection system • Libpcap-based sniffing interface • Rules-based detection engine • Plug-in system allows endless flexibility
  • 8.
    Detection Engine • Rulesform “signatures” • Modular detection elements are combined to form these signatures • Wide range of detection capabilities – Stealth scans, OS fingerprinting, buffer overflows, back doors, CGI exploits, etc. • Rules system is very flexible, and creation of new rules is relatively simple
  • 9.
    Plug-Ins • Preprocessor – Packetsare examined/manipulated before being handed to the detection engine • Detection – Perform single, simple tests on a single aspect/field of the packet • Output – Report results from the other plug-ins
  • 10.
    Using Snort • Threemain operational modes – Sniffer Mode – Packet Logger Mode – NIDS Mode – (Forensic Data Analysis Mode) • Operational modes are configured via command line switches – Snort automatically tries to go into NIDS mode if no command line switches are given, looks for snort.conf configuration file in /etc
  • 11.
    Using Snort –Sniffer Mode • Works much like tcpdump • Decodes packets and dumps them to stdout • BPF (Berkeley Packet Filtering) interface available to shape displayed network traffic – pseudo devices can be found.
  • 12.
    What Do ThePacket Dumps Look Like? =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 11/09-11:12:02.954779 10.1.1.6:1032 -> 10.1.1.8:23 TCP TTL:128 TOS:0x0 ID:31237 IpLen:20 DgmLen:59 DF ***AP*** Seq: 0x16B6DA Ack: 0x1AF156C2 Win: 0x2217 TcpLen: 20 FF FC 23 FF FC 27 FF FC 24 FF FA 18 00 41 4E 53 ..#..'..$....ANS 49 FF F0 I.. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 11/09-11:12:02.956582 10.1.1.8:23 -> 10.1.1.6:1032 TCP TTL:255 TOS:0x0 ID:49900 IpLen:20 DgmLen:61 DF ***AP*** Seq: 0x1AF156C2 Ack: 0x16B6ED Win: 0x2238 TcpLen: 20 0D 0A 0D 0A 53 75 6E 4F 53 20 35 2E 37 0D 0A 0D ....SunOS 5.7... 00 0D 0A 0D 00 ..... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
  • 13.
    Packet Logger Mode •save packets to disk… • Multi-mode packet logging options available – Flat ASCII, tcpdump, XML, database, etc available • Log all data and post-process to look for anomalous activity
  • 14.
    NIDS Mode • Widevariety of rules available for signature engine (~1300 as of June 2001, grow to ~2900 at May 2005) • Multiple detection modes available via rules and plug-ins – Rules/signature – Statistical anomaly – Protocol verification
  • 15.
  • 16.
    Snort Rules • Snortrules are extremely flexible and are easy to modify, unlike many commercial NIDS • Sample rule to detect SubSeven trojan: alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;) • Elements before parentheses comprise ‘rule header’ • Elements in parentheses are ‘rule options’
  • 17.
    Snort Rules alert tcp$EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;) • alert action to take; also log, pass, activate, dynamic • tcp protocol; also udp, icmp, ip • $EXTERNAL_NET source address; this is a variable – specific IP is ok • 27374 source port; also any, negation (!21), range (1:1024) • -> direction; best not to change this, although <> is allowed • $HOME_NET destination address; this is also a variable here • any destination port
  • 18.
    Snort Rules alert tcp$EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;) • msg:”BACKDOOR subseven 22”; message to appear in logs • flags: A+; tcp flags; many options, like SA, SA+, !R, SF* • content: “|0d0…0a|”; binary data to check in packet; content without | (pipe) characters do simple content matches • reference…; where to go to look for background on this rule • sid:103; rule identifier • classtype: misc-activity; rule type; many others • rev:4; rule revision number • other rule options possible, like offset, depth, nocase
  • 19.
    Snort Rules • bad-traffic.rulesexploit.rules scan.rules • finger.rules ftp.rules telnet.rules • smtp.rules rpc.rulesrservices.rules • dos.rules ddos.rules dns.rules • tftp.rules web-cgi.rules web-coldfusion.rules • web-frontpage.rules web-iis.rules web-misc.rules • web-attacks.rules sql.rules x11.rules • icmp.rules netbios.rules misc.rules • backdoor.rules shellcode.rules policy.rules • info.rules icmp-info.rules • virus.rules local.rules attack-responses.rules
  • 20.
    Snort Rules • Ruleswhich actually caught intrusions – alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS- SQL xp_cmdshell - program execution"; content: "x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; flags:A+; classtype:attempted-user; sid:687; rev:3;) caught compromise of Microsoft SQL Server – alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB- IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:web- application-attack; sid:1002; rev:2;) caught Code Red infection – alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP "MKD / " possible warez site"; flags: A+; content:"MKD / "; nocase; depth: 6; classtype:misc-activity; sid:554; rev:3;) caught anonymous ftp server
  • 21.
  • 22.
    Data Flow Packet Decoder Preprocessor (Plug-ins) DetectionEngine (Plug-ins) Output Stage (Plug-ins) Packet Stream Sniffing Snort Data Flow Alerts/Logs
  • 23.
    Rule Header Alert tcp1.1.1.1 any -> 2.2.2.2 any Rule Options (flags: SF; msg: “SYN-FIN Scan”;) Alert tcp 1.1.1.1 any -> 2.2.2.2 any Alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: S12; msg: “Queso Scan”;) (flags: F; msg: “FIN Scan”;) Detection Engine: Rules QUESO is not as popular or robust as NMAP, it still provides great signatures to look at and analyze. QUESO usually sends out seven (7) packets at a time. QUESO allows a user to spoof his/her address and to choose what port he/she wants to scan. QUESO also chooses random source ports (4000 -65000).
  • 24.
    Alert tcp 1.1.1.1any -> 2.2.2.2 any Rule Node (flags: SF; msg: “SYN-FIN Scan”;) (flags: S12; msg: “Queso Scan”;) (flags: F; msg: “FIN Scan”;) Option Node Detection Engine: Internal Representation
  • 25.
  • 26.
  • 27.
    Conclusion • Snort isa powerful tool, but maximizing its usefulness requires a trained operator • Becoming proficient with network intrusion detection takes 12 months; “expert” 24-36? • Snort is considered a superior NIDS when compared to most commercial systems • Managed network security providers should collect enough information to make decisions without calling clients to ask what happened