Snort - PowerPoint PPT Presentation

Slides: 18
Provided by: wtm

Transcript and Presenter's Notes

1
Snort
The Lightweight Intrusion Detection System

2
The other games in town
Heavyweight systems:
  • Stateful firewalls. Example: Checkpoint Firewall One
  • Commercial network intrusion detection systems. Example: Network Flight Recorder (NFR)
3
The Art of Intrusion Detection
  • Know the protocols.
  • Watch the web.
  • Set up your IDS monitor.
  • Install and tune Snort.
  • Set up your switches.
  • Watch and process logs.

4
Know the protocols
5
Watch the web
6
Watch the web
  • www.snort.org
  • www.securityfocus.com
  • csrc.nist.gov
  • www.sans.org
  • www.cert.org
7
Set up your IDS monitor
8
Set up your IDS monitor
Generic Intel CPU
The software
UNIX-like O/S with LIBPCAP
9
Install and tune Snort
Download
Tune the rules
Compile
10
Set up your switches
[Diagram: Remote Switch, Local Switch, Cross-over jumper, Management VLAN, User PC, Snort Box, The Default VLAN or ELAN]
11
Set up your switches
On remote-switch:
  set vlan 2 port 3/2
  set vlan 2 port 3/3
  set span 1 3/1 create
On local-switch:
  set vlan 2 port 4/1
  set vlan 2 port 4/2
12
Watch and process logs
  • There are lots of PERL programs.
  • Snort can send a WINPOPUP via SMB.
  • Snort can log to an MSQL database.
  • Get fancy by going through syslog.
  • Tip: keep systems in sync with NTP.

13
Snort rule anatomy
  alert tcp any any -> 10.1.1.0/24 80 \
  (content: "/cgi-bin/phf"; msg: "PHF probe!";)
  alert tcp any any -> 10.1.1.0/24 6000:6010 \
  (msg: "X traffic";)
14
Snort rule anatomy
IMAP attack
15
Snort rule anatomy
  alert tcp any any -> 192.168.1.0/24 143 \
  (content: "|E8C0 FFFF FF|/bin/sh"; \
  msg: "New IMAP Buffer Overflow detected!";)
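To make the rule anatomy on slides 13 to 15 concrete, here is an added example (not from the presentation) that parses those three rules in Snort 1.x syntax, decodes the pipe-delimited hex in the IMAP content, and checks constructed packets against the header fields and content; the packet dictionaries and the exact option syntax are assumptions.

```python
import ipaddress
import re

# Rules from the slides in Snort 1.x syntax; the IMAP content uses pipe-delimited hex.
RULES = [
    'alert tcp any any -> 10.1.1.0/24 80 (content: "/cgi-bin/phf"; msg: "PHF probe!";)',
    'alert tcp any any -> 10.1.1.0/24 6000:6010 (msg: "X traffic";)',
    'alert tcp any any -> 192.168.1.0/24 143 '
    '(content: "|E8C0 FFFF FF|/bin/sh"; msg: "New IMAP Buffer Overflow detected!";)',
]

# header: action proto src sport -> dst dport (options)
HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)$')

def parse_content(spec):
    """Decode a content string: text outside |...| is literal, inside is hex."""
    out = bytearray()
    for i, part in enumerate(spec.split('|')):
        out += bytes.fromhex(part) if i % 2 else part.encode('latin-1')
    return bytes(out)

def parse_rule(text):
    """Split one rule into its header fields and the msg/content options."""
    action, proto, src, sport, dst, dport, opts = HEADER.match(text).groups()
    rule = dict(action=action, proto=proto, src=src, sport=sport,
                dst=dst, dport=dport, content=None, msg=None)
    for key, val in re.findall(r'(\w+)\s*:\s*"([^"]*)"', opts):
        rule[key] = parse_content(val) if key == 'content' else val
    return rule

def port_matches(spec, port):
    """'any', a single port, or a low:high range as in 6000:6010."""
    if spec == 'any':
        return True
    lo, _, hi = spec.partition(':')
    return int(lo) <= port <= int(hi or lo)

def addr_matches(spec, addr):
    return spec == 'any' or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def matches(rule, pkt):
    """pkt is a constructed dict: proto, src, sport, dst, dport, payload (bytes)."""
    return (rule['proto'] == pkt['proto']
            and addr_matches(rule['src'], pkt['src']) and port_matches(rule['sport'], pkt['sport'])
            and addr_matches(rule['dst'], pkt['dst']) and port_matches(rule['dport'], pkt['dport'])
            and (rule['content'] is None or rule['content'] in pkt['payload']))

def alerts(pkt):
    return [r['msg'] for r in map(parse_rule, RULES) if matches(r, pkt)]
```

Real Snort applies many more option keywords and reassembles streams before content matching; this only shows how the header and content parts of the rules above are read.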
16
Operational hint
Run from /etc/inittab with the respawn option:

  snort:5:respawn:/usr/local/bin/snort

or from a shell program:

  #!/bin/sh
  while true
  do
    # append, so every restart is recorded
    /bin/date >> /var/log/snort-restart.log
    /usr/local/bin/snort
  done
17
Thank you