Snort Ids Introduction
This document was uploaded by user and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this DMCA report form. Report DMCA
Overview
Download & View Snort Ids Introduction as PDF for free.
More details
- Words: 410
- Pages: 13
Snort
Layout by orngjce223, CC-BY
Using version 2.8.1 (Newest: 2.8.4.1)
Snort Open Source Network IDS / Network IPS Commercially Developed by SourceFire Commercial Services by SourceFire
Layout by orngjce223, CC-BY
Hardware / Software / Certification / Rule Updates
SourceFire Vulnerability Research Team (VRT) 3 Million Downloads 225,000 Active Users
Why Run an IDS? Provide an Audit Trail Data Analysis Research Because you can
Layout by orngjce223, CC-BY
To Detect ...
What can an IDS do? Detect Skiddies Worms Other Potential Threats DOS Attack
Layout by orngjce223, CC-BY
Create Alerts Create False Positives / False Negative Attacks that aren't Missed attacks due to evasion / dos
Signatures Signature Detection Created by known traffic patterns that match rules Low on false positives May miss new / unknown attacks 0-Day. (false negative)
Layout by orngjce223, CC-BY
Anomaly Detection “Learns” what's normal, throws a fit when something isn't normal. High on false positives Low on false negatives (less likely not to alert on a 0-Day)
Installing Snort Download Binaries (Windows / Linux) http://www.snort.org/downloads
OR Install from Repository
Layout by orngjce223, CC-BY
Configure Download / Write Rules Install Rules Run!
Using Snort Test your configuration file snort -T -c /etc/snort/snort.cfg
Using as an IDS snort -c /etc/snort/snort.conf -i ethX
Packet Sniffer (tcpdump -vvi ethX) Layout by orngjce223, CC-BY
snort -v -i ethX
Output Log File Tcpdump format Plaintext Binary (for reading with Barnyard) Syslog/ng stdout Layout by orngjce223, CC-BY
SQL (postgres, mySQL) Graphical Clients ACID (Analysis Console for Intrusion Detection) Many others
Writing Rules Setup Your Rule Path include $RULE_PATH/.rules Log / alert
Layout by orngjce223, CC-BY
log tcp 192.168.1.18/32 any -> any 80 (msg:"eBaying"; uricontent:"ebay.com";) alert tcp $EXTERNAL_NET any -> 172.16.30.7 25 (msg:"Found hacking reference in e-mail"; content:"hacking";)
Regular Expressions!
Layout by orngjce223, CC-BY
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection - Paranoid"; flow:to_server,established;uricontent:".ph p";pcre:"/(\%27)|(\')|(\-\-)|(%23)|(#)/i"; classtype:Web-application-attack; sid:9099; rev:5;) SQL Injection '-- Attack More SQL Injection / XSS http://www.securityfocus.com/infocus/1768
Demonstration
Nikto http://www.cirt.net/nikto2 Make Sure Perl's installed wget http://www.cirt.net/nikto/nikto-current.tar.gz tar xvzf nikto-current.tar.gz perl nikto.pl -h 192.168.X.X
Layout by orngjce223, CC-BY
On Snort Box: snort -c /etc/snort/snort.conf -i wlan0
Developments IP Blacklist depending on Reputation
http://securitysauce.blogspot.com/2009/05/ip-blacklisting-for-sno
SAM (Snort Alert Monitor) E-Mail, Audio/Visual Warnings http://projects.darkaslight.com/projects/show/sam
Pscan Plugin to Portscan on certain keywords Layout by orngjce223, CC-BY
http://sourceforge.net/projects/pscan-plugin/
BlockIt Modify Firewall Rules (IPTables, IPChains, IPFWADM, IPFilter, PF, or Checkpoint) http://www.teknofx.com/
Additional Resources Community Maintained Signatures http://www.emergingthreats.net/ Snort for Dummies (ISBN:9780764568350) Cheat Sheet Good General Introduction
Layout by orngjce223, CC-BY
Snort.org/docs Manual, FAQ, Webinar recordings / slides
Google
Layout by orngjce223, CC-BY
Using version 2.8.1 (Newest: 2.8.4.1)
Snort Open Source Network IDS / Network IPS Commercially Developed by SourceFire Commercial Services by SourceFire
Layout by orngjce223, CC-BY
Hardware / Software / Certification / Rule Updates
SourceFire Vulnerability Research Team (VRT) 3 Million Downloads 225,000 Active Users
Why Run an IDS? Provide an Audit Trail Data Analysis Research Because you can
Layout by orngjce223, CC-BY
To Detect ...
What can an IDS do? Detect Skiddies Worms Other Potential Threats DOS Attack
Layout by orngjce223, CC-BY
Create Alerts Create False Positives / False Negative Attacks that aren't Missed attacks due to evasion / dos
Signatures Signature Detection Created by known traffic patterns that match rules Low on false positives May miss new / unknown attacks 0-Day. (false negative)
Layout by orngjce223, CC-BY
Anomaly Detection “Learns” what's normal, throws a fit when something isn't normal. High on false positives Low on false negatives (less likely not to alert on a 0-Day)
Installing Snort Download Binaries (Windows / Linux) http://www.snort.org/downloads
OR Install from Repository
Layout by orngjce223, CC-BY
Configure Download / Write Rules Install Rules Run!
Using Snort Test your configuration file snort -T -c /etc/snort/snort.cfg
Using as an IDS snort -c /etc/snort/snort.conf -i ethX
Packet Sniffer (tcpdump -vvi ethX) Layout by orngjce223, CC-BY
snort -v -i ethX
Output Log File Tcpdump format Plaintext Binary (for reading with Barnyard) Syslog/ng stdout Layout by orngjce223, CC-BY
SQL (postgres, mySQL) Graphical Clients ACID (Analysis Console for Intrusion Detection) Many others
Writing Rules Setup Your Rule Path include $RULE_PATH/
Layout by orngjce223, CC-BY
log tcp 192.168.1.18/32 any -> any 80 (msg:"eBaying"; uricontent:"ebay.com";) alert tcp $EXTERNAL_NET any -> 172.16.30.7 25 (msg:"Found hacking reference in e-mail"; content:"hacking";)
Regular Expressions!
Layout by orngjce223, CC-BY
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection - Paranoid"; flow:to_server,established;uricontent:".ph p";pcre:"/(\%27)|(\')|(\-\-)|(%23)|(#)/i"; classtype:Web-application-attack; sid:9099; rev:5;) SQL Injection '-- Attack More SQL Injection / XSS http://www.securityfocus.com/infocus/1768
Demonstration
Nikto http://www.cirt.net/nikto2 Make Sure Perl's installed wget http://www.cirt.net/nikto/nikto-current.tar.gz tar xvzf nikto-current.tar.gz perl nikto.pl -h 192.168.X.X
Layout by orngjce223, CC-BY
On Snort Box: snort -c /etc/snort/snort.conf -i wlan0
Developments IP Blacklist depending on Reputation
http://securitysauce.blogspot.com/2009/05/ip-blacklisting-for-sno
SAM (Snort Alert Monitor) E-Mail, Audio/Visual Warnings http://projects.darkaslight.com/projects/show/sam
Pscan Plugin to Portscan on certain keywords Layout by orngjce223, CC-BY
http://sourceforge.net/projects/pscan-plugin/
BlockIt Modify Firewall Rules (IPTables, IPChains, IPFWADM, IPFilter, PF, or Checkpoint) http://www.teknofx.com/
Additional Resources Community Maintained Signatures http://www.emergingthreats.net/ Snort for Dummies (ISBN:9780764568350) Cheat Sheet Good General Introduction
Layout by orngjce223, CC-BY
Snort.org/docs Manual, FAQ, Webinar recordings / slides
Related Documents
Snort Ids Introduction
May 2020 3
Snort
November 2019 37
Snort
November 2019 46
Introduction Aux Ids
June 2020 4
Snort
November 2019 40
