Snort Intrusion Detection - PowerPoint PPT Presentation

Provided by: ODSN

1
Snort Intrusion Detection
2
What is Snort
  • Packet Analysis Tool
  • Most widely deployed NIDS
  • Initial release by Marty Roesch in 1998
  • Current version 2.4.4 as of April 17th, 2006

3
Features
  • Small package: 2.7 MB for the source
  • Cross Platform
  • Open Source
  • Backed by Sourcefire
  • Fast (High rate of detection on average networks)
  • Configurable

4
Design
  • Packet Analysis Pipeline

Data Acquisition → Decode → Preprocess → Detect → Action
5
Design Engine
  • Uses Rules to form signatures
  • Modular Detection elements to form specific
    signatures
  • Detect anomalous activity
  • Easily updateable

6
Different Modes
  • Packet Sniffer
  • Packet Logger
  • NIDS Mode
  • Inline Mode

7
Rules
  • Two Parts
  • Rule Header
  • Rule Options

8
Rule Header
alert tcp BAD any -> GOOD any

  • Rule action: alert
  • Protocol: tcp
  • Src. CIDR: BAD
  • Src. Port: any
  • Direction: ->
  • Dest. CIDR: GOOD
  • Dest. Port: any

Example: alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any
9
Rule Options
  • (flags:SF; msg:"SYN-FIN scan";)
  • Keyword: flags   Separator: ":"   Argument: SF   Delimiter: ";"

10
Common Rule Options
  • IP TTL
  • IP ID
  • Fragment size
  • TCP Flags
  • TCP Ack number
  • TCP Seq number
  • Payload size
  • Content
  • Content offset
  • Content depth
  • Session recording
  • ICMP type
  • ICMP code
  • Alternate log files

11
Make Custom Rules
  • Detect String

alert tcp any any -> any any \
  (content:"clemson"; msg:"detected clemson!";)
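The Rule Header, Rule Options and Make Custom Rules slides together describe the two-part rule format. The following Python model is an added example, not Snort's own code: it parses a rule into its header fields and its keyword:argument; options, then evaluates it against constructed packets (the sample rules, packets, addresses and the `parse_rule`/`evaluate` helper names are all assumptions made here). Matching semantics are deliberately simplified: an exact TCP flag-set comparison, `content` with optional `offset`/`depth`, and IPv4 CIDRs with `!` negation, which is enough to show how the two slide rules fire.

```python
"""Added example (not Snort's own code): a small Python model of the Snort
rule format.  Simplified semantics: exact flag-set match, content/offset/depth
only, IPv4 CIDR with '!' negation, 'any' or single port or lo:hi port range."""
import ipaddress
import re
from dataclasses import dataclass, field

# action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$",
    re.S)
# keyword:argument;  the argument is either a double-quoted string or bare text
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*)\s*;')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    src_port: str
    direction: str
    dst: str
    dst_port: str
    options: dict = field(default_factory=dict)


def parse_rule(text: str) -> Rule:
    """Split a rule into header fields and an options dict.
    A backslash-newline continuation (as on the slide) is joined first."""
    text = text.replace("\\\n", " ")
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("malformed rule: %r" % text)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = {kw: arg.strip().strip('"') for kw, arg in OPTION_RE.findall(body)}
    return Rule(action, proto, src, sport, direction, dst, dport, options)


def addr_matches(spec: str, ip: str) -> bool:
    """'any', a CIDR, or a '!'-negated CIDR as in the slide's header example."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def port_matches(spec: str, port: int) -> bool:
    """'any', a single port, a lo:hi range, each optionally '!'-negated."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def rule_matches(rule: Rule, pkt: dict) -> bool:
    """Header first (protocol, addresses, ports, direction), then options."""
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False

    def header_ok(s, sp, d, dp):
        return (addr_matches(s, pkt["src"]) and port_matches(sp, pkt["sport"])
                and addr_matches(d, pkt["dst"]) and port_matches(dp, pkt["dport"]))

    ok = header_ok(rule.src, rule.src_port, rule.dst, rule.dst_port)
    if rule.direction == "<>":  # bidirectional: accept the reverse as well
        ok = ok or header_ok(rule.dst, rule.dst_port, rule.src, rule.src_port)
    if not ok:
        return False
    opts = rule.options
    # flags:SF means exactly SYN and FIN set (simplified: no +/*/! modifiers)
    if "flags" in opts and set(opts["flags"]) != set(pkt.get("flags", "")):
        return False
    if "content" in opts:
        payload = pkt.get("payload", b"")
        offset = int(opts.get("offset", 0))
        depth = int(opts["depth"]) if "depth" in opts else len(payload)
        if opts["content"].encode() not in payload[offset:offset + depth]:
            return False
    return True


def evaluate(rules, pkt):
    """Return the msg of every rule that fires on the packet, in rule order."""
    return [r.options.get("msg", "") for r in rules if rule_matches(r, pkt)]


# Constructed rules: the header example and the custom content rule from the slides.
SAMPLE_RULES = [
    'alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any (flags:SF; msg:"SYN-FIN scan";)',
    'alert tcp any any -> any any \\\n  (content:"clemson"; msg:"detected clemson!";)',
]
# Constructed packets (not captured traffic).
SAMPLE_PACKETS = [
    dict(proto="tcp", src="192.0.2.7", sport=40000, dst="10.1.1.5", dport=22, flags="SF", payload=b""),
    dict(proto="tcp", src="10.1.1.8", sport=5555, dst="10.1.1.5", dport=22, flags="SF", payload=b""),
    dict(proto="tcp", src="10.1.1.8", sport=5555, dst="198.51.100.2", dport=80, flags="PA",
         payload=b"GET /clemson HTTP/1.0\r\n"),
]


def run_demo():
    """Alerts per sample packet: [['SYN-FIN scan'], [], ['detected clemson!']]."""
    rules = [parse_rule(t) for t in SAMPLE_RULES]
    return [evaluate(rules, p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, hits in zip(SAMPLE_PACKETS, run_demo()):
        print("%s:%d -> %s:%d  %s" % (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], hits or "-"))
```

The second sample packet shows why the `!10.1.1.0/24` negation matters: a SYN-FIN probe originating inside the protected range is not reported by the scan rule, so a rule written this way only covers external sources.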
12
Output
  • Log all the alerts
  • Real-time alerts
  • Several different types
  • Syslog
  • Plain text
  • Databases
  • Unified output

13
Common Options
  Option      Description
  • -A fast     Fast alert mode. Writes the alert in a simple format with a
                timestamp, alert message, source and destination IPs/ports.
  • -A full     Full alert mode. This is the default alert mode and will be
                used automatically if you do not specify a mode.
  • -A unsock   Sends alerts to a UNIX socket that another program can
                listen on.
  • -A none     Turns off alerting.
  • -A console  Sends fast-style alerts to the console (screen).
  • -A cmg      Generates cmg style alerts.
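The fast alert mode described above is the form most often fed to scripts and SIEM collectors, so the consumer side is worth showing. The parser below is an added example, not part of the slides or of Snort; it assumes the one-line fast format `MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port` (Classification optional, no ports on ICMP lines, IPv4 only), and the sample lines, addresses and signature ids it runs over are constructed here. Lines that do not fit the format are returned separately rather than silently dropped, which is the check a pipeline needs to notice a changed output format.

```python
"""Added example (not Snort's own code): parse '-A fast' style alert lines
and summarise them by source address and by signature."""
import re
from collections import Counter

FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[^\s:]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample lines (not real Snort output); sids 1000001-1000003 are placeholders.
SAMPLE_FAST_ALERTS = [
    "04/17-13:02:15.123456  [**] [1:1000001:1] detected clemson! [**] [Priority: 3] "
    "{TCP} 10.1.1.8:5555 -> 198.51.100.2:80",
    "04/17-13:02:16.000010  [**] [1:1000002:1] SYN-FIN scan [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.7:40000 -> 10.1.1.5:22",
    "04/17-13:02:16.000340  [**] [1:1000002:1] SYN-FIN scan [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.7:40001 -> 10.1.1.6:22",
    "04/17-13:02:17.500000  [**] [1:1000003:1] ICMP PING [**] [Priority: 3] {ICMP} 192.0.2.7 -> 10.1.1.5",
    "garbage line that is not an alert",
]


def parse_fast_alert(line):
    """One fast-format line -> dict of fields, or None if it does not parse."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        d[key] = int(d[key]) if d[key] is not None else None
    return d


def parse_fast_alerts(lines):
    """Return (parsed alerts, rejected raw lines); nothing is dropped silently."""
    alerts, rejected = [], []
    for line in lines:
        parsed = parse_fast_alert(line)
        if parsed is None:
            rejected.append(line)
        else:
            alerts.append(parsed)
    return alerts, rejected


def count_by_source(alerts):
    """How many alerts each source address produced."""
    return Counter(a["src"] for a in alerts)


def count_by_signature(alerts):
    """How many times each (sid, msg) fired."""
    return Counter((a["sid"], a["msg"]) for a in alerts)


if __name__ == "__main__":
    alerts, rejected = parse_fast_alerts(SAMPLE_FAST_ALERTS)
    for src, n in count_by_source(alerts).most_common():
        print("%-16s %d alerts" % (src, n))
    for (sid, msg), n in count_by_signature(alerts).most_common():
        print("sid %d  %-20s %d" % (sid, msg, n))
    print("%d unparsed line(s)" % len(rejected))
```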

14
Tools for Snort
  • Acid
  • SnortSnarf
  • Snort Alert Monitor (SAM)
  • Snortalog
  • Guardian
  • DeMarc PureSecure
  • IDSCenter (Windoze)

15
Resources
  • Snort.org
  • www.snort.org/dl (downloads)
  • BleedingEdge
  • www.bleedingsnort.com/
  • Sourcefire
  • www.sourcefire.com