Snort

1
Snort ACID
2

• SNORT

3
Overview

• Tool Description
• Where You Can Find it
• Applicability to Forensics
• Tool Use/Screen Views
• Observations
• Lessons Learned

4
Technical Description

• What is Snort?
• Snort is an open source network intrusion
  detection system, capable of performing real-time
  traffic analysis and packet logging on IP
  networks.
• Performs protocol analysis, content
  searching/matching
• Can detect all sorts of probes and attacks

5
Where to Find the Tool

• Snort
• www.snort.org

6
How Snort Supports Forensics

• Snort is a packet sniffer on steroids.
• Can be placed at different points in a network to
  provide real time information.
• By logging alerts and rule violations, a systems
  administrator can be mindful of attacks in
  progress or research past incidents.

7
Snort Usage

• Run from the command line or as a Windows
  Service.
• Lots of options

8
Snort Options

• USAGE snort -options ltfilter optionsgt
• snort /SERVICE /INSTALL -options ltfilter
  optionsgt
• snort /SERVICE /UNINSTALL
• snort /SERVICE /SHOW
• Options
• -A Set alert mode fast, full,
  console, or none (alert file ale
• rts only)
• -b Log packets in tcpdump format
  (much faster!)
• -c ltrulesgt Use Rules File ltrulesgt
• -C Print out payloads with
  character data only (no hex)
• -d Dump the Application Layer
• -e Display the second layer
  header info
• -E Log alert messages to NT
  Eventlog. (Win32 only)
• -f Turn off fflush() calls after
  binary log writes
• -F ltbpfgt Read BPF filters from file
  ltbpfgt
• -h lthngt Home network lthngt
• -i ltifgt Listen on interface ltifgt
• -I Add Interface name to alert
  output
• -k ltmodegt Checksum mode
  (all,noip,notcp,noudp,noicmp,none)

9
More Snort Options

• -L ltfilegt Log to this tcpdump file
• -n ltcntgt Exit after receiving ltcntgt
  packets
• -N Turn off logging (alerts still
  work)
• -o Change the rule testing order
  to PassAlertLog
• -O Obfuscate the logged IP
  addresses
• -p Disable promiscuous mode
  sniffing
• -P ltsnapgt Set explicit snaplen of packet
  (default 1514)
• -q Quiet. Don't show banner and
  status report
• -r lttfgt Read and process tcpdump file
  lttfgt
• -R ltidgt Include 'id' in
  snort_intfltidgt.pid file name
• -s Log alert messages to syslog
• -S ltnvgt Set rules file variable n
  equal to value v
• -T Test and report on the current
  Snort configuration
• -U Use UTC for timestamps
• -v Be verbose
• -V Show version number
• -W Lists available interfaces.
  (Win32 only)
• -w Dump 802.11 management and
  control frames
• -X Dump the raw packet data
  starting at the link layer

10
Snort in Action
11

• Snort Raw Output

12

• Snort Logs Better Information

13
Observations of Snort - Good

• FREE!
• Large user base
• Community provides constant rule updates
• Free tools to provide log analysis and
  email/pager alerts

14
Observations of Snort - Bad

• UNIX tool ported to Windows behaves like a UNIX
  tool
• Difficult to configure
• Cryptic command line driven interface
• All configuration is driven by files
• Lacks standardized support

15
Lessons Learned - Snort

• You get what you pay for!
• Documentation for running Snort on XP is
  inconsistent and out of date.
• Since the solution comprises several free tools,
  each tool has separate issues with XP.

16

• ACID

17
Overview

• Tool Description
• Where You Can Find it
• Applicability to Forensics
• Tool Use/Screen Views
• Observations
• Lessons Learned

18
Technical Description

• What is ACID?
• The Analysis Console for Intrusion Databases
  (ACID)
• PHP-based analysis engine to search and process a
  database of security events generated by various
  IDSes, firewalls, and network monitoring tools.

19
Where to Find the Tool

• ACID
• http//acidlab.sourceforge.net/

20
How ACID Supports Forensics

• ACID helps to make sense of Snort data in a
  visual manner.
• Can help analyze trends and help filter out the
  noise by categorizing attacks and IP addresses.
• Query-builder and search interface.
• Can provide alerts when events occur.

21
ACID Usage

• Acid runs as a set of PHP web pages under IIS or
  Apache.
• Reports, alerts, and information is accessed
  through the web interface

22
ACID at Work
23

Alert Screen
24
Alert Screen - Detail
25
Alert Screen Graph
26
Observations of ACID - Good

• FREE!
• Nice graphical interface written in PHP,
  therefore user community to rely on.
• Free tools to provide log analysis and
  email/pager alerts.
• Helps sort through all the info from Snort.

27
Observations of ACID - ACID

• Lacks standardized support
• Lots of options to become familiar with

28
Lessons Learned ACID

• You get what you pay for!
• Configuration is file driven, no GUI.
• Most documentation for running ACID pertains to
  Apache servers and took some searching to run on
  IIS.
• Reliance on PHP means that any interesting
  aspects on running PHP on Windows had to be
  sorted through.

29
Summary

• Both Snort and ACID are excellent tools for
  Intrusion Detection.
• Open Source means (hopefully) constant
  improvements
• Free tools for companies that cannot afford tools
  or services provided by other companies.
• Can be time frustrating to deal with and requires
  an administrator with the time and expertise to
  master all the options and create a working
  system.