Network Intrusion Detection with Snort - PowerPoint PPT Presentation (transcript)

1
Network Intrusion Detection with Snort
  • Jensen Galan
  • CSc 650

2
What is Snort?
  • An Open-Source Network Intrusion Detection system
  • Monitors network activity to identify malicious or
    suspicious events
  • Real-time traffic analysis, packet sniffing and
    packet logging on IP networks

3
How does Snort work?
  • Signature-based (pattern-matching of packet
    contents against rule signatures)
  • Boyer-Moore string matching algorithm for content
    searches
  • Not anomaly-based (but Securimine for Snort adds
    that functionality)
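How a Boyer-Moore family matcher finds a rule's content string in a payload, as an added example (written for this transcript, not the slides' material and not Snort's own implementation): this is the Horspool simplification, which keeps Boyer-Moore's bad-character skip table and drops the good-suffix table. The request line is constructed for the example and the function names are mine.

```python
# Added example: Boyer-Moore-Horspool search for a rule's content pattern in a
# packet payload (illustration, not Snort's own implementation).


def build_skip_table(pattern: bytes) -> dict:
    """Bad-character table: for each byte in the pattern (except its last
    position) record how far the window may slide so that byte lines up with
    its rightmost occurrence in the pattern."""
    m = len(pattern)
    skip = {}
    for i in range(m - 1):
        skip[pattern[i]] = m - 1 - i
    return skip


def horspool_search(payload: bytes, pattern: bytes, stats: dict = None) -> int:
    """Return the offset of the first occurrence of pattern in payload, or -1.

    If a dict is passed as `stats`, the number of window alignments examined
    is recorded in stats["alignments"] so it can be compared with the n-m+1
    alignments a naive byte-by-byte scan would try."""
    m, n = len(pattern), len(payload)
    if m == 0:
        return 0
    skip = build_skip_table(pattern)
    alignments = 0
    i = 0
    while i <= n - m:
        alignments += 1
        # Compare right to left; a mismatch at the end lets us skip far.
        j = m - 1
        while j >= 0 and payload[i + j] == pattern[j]:
            j -= 1
        if j < 0:
            break  # full match at offset i
        # Slide by the skip value of the payload byte under the pattern's
        # last position; a byte absent from the pattern allows a full shift.
        i += skip.get(payload[i + m - 1], m)
    else:
        i = -1  # loop ran off the end without a match
    if stats is not None:
        stats["alignments"] = alignments
    return i


# Constructed sample: an IIS directory-traversal request (not captured traffic).
SAMPLE_PAYLOAD = (b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n"
                  b"Host: victim.example\r\n\r\n")

if __name__ == "__main__":
    for pattern in (b"cmd.exe", b"/etc/passwd"):
        stats = {}
        off = horspool_search(SAMPLE_PAYLOAD, pattern, stats)
        naive = len(SAMPLE_PAYLOAD) - len(pattern) + 1
        print(f"{pattern!r}: offset {off}, {stats['alignments']} alignments "
              f"(naive scan would try up to {naive})")
```

The right-to-left comparison is what makes the skip worthwhile: when the byte under the pattern's last position does not occur in the pattern at all, the whole window jumps by the pattern length, which is why long, distinctive content strings are cheaper to search for than short ones.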

4
4 Basic Components
  • The sniffer
  • The preprocessor
  • The detection engine
  • The output

5
Packet Sniffer
  • Uses libpcap, the packet capture library for
    Unix-like systems (Linux, BSD, etc.)
  • Windows port: WinPcap
  • IP traffic includes TCP, UDP, ICMP
  • Configure the NIC in promiscuous mode so frames
    not addressed to the sensor are captured too

6
Preprocessor
  • Takes decoded packets and runs them through the
    enabled preprocessor plug-ins before the detection
    engine sees them
  • Notable preprocessors
  • frag2
  • stream4
  • portscan
  • http_decode

7
frag2 Preprocessor
  • Fragmented IP packets are reassembled before being
    sent to the detection engine
  • Fragmentation is normal on networks (packets
    larger than the path MTU are split)
  • Also a way to evade pattern-matching systems: a
    signature split across fragments matches no single
    packet
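The evasion and its remedy, as an added example in Python (my illustration for this transcript, not the slides' content and not Snort's frag2 code): a datagram carrying the signature `cmd.exe` is cut so the signature straddles two fragments, the fragments arrive out of order, and only the reassembled datagram matches. The datagram, the cut points and the class names are constructed for the example; fragment offsets are byte offsets on 8-byte boundaries, as in IP.

```python
# Added example: IP fragment reassembly before signature matching, in the
# spirit of Snort's frag2 preprocessor (illustration, not Snort's code).
from dataclasses import dataclass


@dataclass
class Fragment:
    frag_id: int     # IP identification field shared by all pieces of a datagram
    offset: int      # byte offset of this piece in the original datagram
    more: bool       # MF (more fragments) flag; clear on the last piece
    payload: bytes


class Reassembler:
    """Buffers fragments per datagram id and releases the datagram once the
    last fragment has arrived and the pieces are contiguous from offset 0."""

    def __init__(self):
        self._pending = {}

    def add(self, frag: Fragment):
        pieces = self._pending.setdefault(frag.frag_id, [])
        pieces.append(frag)
        pieces.sort(key=lambda f: f.offset)
        if pieces[-1].more:           # last piece (MF clear) not seen yet
            return None
        expected = 0
        for piece in pieces:
            # A gap means something is still missing; an overlap is left
            # unresolved here (real reassemblers apply a first/last-wins policy).
            if piece.offset != expected:
                return None
            expected += len(piece.payload)
        del self._pending[frag.frag_id]
        return b"".join(p.payload for p in pieces)


def split_into_fragments(data: bytes, frag_id: int, cut_points) -> list:
    """Cut a datagram at the given offsets (the attacker's choice)."""
    bounds = [0, *cut_points, len(data)]
    return [Fragment(frag_id, start, end < len(data), data[start:end])
            for start, end in zip(bounds, bounds[1:])]


def inspect(fragments, signature: bytes):
    """Return (number of fragments matching on their own,
    whether the reassembled datagram matches)."""
    per_fragment_hits = sum(1 for f in fragments if signature in f.payload)
    reassembler = Reassembler()
    datagram = None
    for f in fragments:
        out = reassembler.add(f)
        if out is not None:
            datagram = out
    return per_fragment_hits, datagram is not None and signature in datagram


# Constructed sample: the signature starts at offset 38, so a cut at 40
# splits it into "cm" and "d.exe".
SIGNATURE = b"cmd.exe"
DATAGRAM = b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n"

if __name__ == "__main__":
    frags = split_into_fragments(DATAGRAM, 0x1234, (16, 40))
    arrival = list(reversed(frags))         # delivered last-first
    print("per-fragment hits / reassembled hit:", inspect(arrival, SIGNATURE))
```

Per-fragment matching reports zero hits for the evasive split while the reassembled datagram matches; a missing fragment keeps the datagram pending, which is the resource-exhaustion angle (many incomplete datagrams) that real reassemblers bound with timeouts and memory caps.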

8
stream4 Preprocessor
  • Designed to make Snort stateful
  • Snort builds its own TCP state tables
  • Checks whether a packet is part of an established
    connection
  • Ex: alert on a stealth FIN scan (Nmap -sF), where
    FIN packets arrive for ports with no established
    session
  • Rebuild full session data with Sguil
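A minimal TCP state table of the kind stream4 keeps, as an added example (mine, written for this transcript; not the slides' content and not Snort's code). It follows the three-way handshake into an ESTABLISHED state and then treats a FIN inside that session as a normal close, while a lone FIN with no session is reported as a stealth scan. The hosts, ports and packet sequence are constructed; the class and function names are mine.

```python
# Added example: a minimal TCP state table in the style of stream4, used to
# tell a stealth FIN scan from the FIN of a legitimate close (illustration,
# not Snort's code).
from collections import namedtuple

# flags is a string of TCP flag letters: S=SYN, A=ACK, F=FIN, R=RST, P=PSH
Packet = namedtuple("Packet", "src sport dst dport flags")


class StreamTracker:
    def __init__(self):
        # (client, cport, server, sport) -> SYN_SENT / SYN_RECV / ESTABLISHED / CLOSING
        self.sessions = {}

    def _lookup(self, p):
        """Find the session regardless of which direction the packet travels."""
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.sessions:
            return fwd, "to_server"
        if rev in self.sessions:
            return rev, "to_client"
        return fwd, "to_server"

    def process(self, p):
        """Advance the state machine; return an alert string or None."""
        key, direction = self._lookup(p)
        state = self.sessions.get(key)
        flags = set(p.flags)
        if state is None:
            if flags == {"S"}:
                self.sessions[key] = "SYN_SENT"
                return None
            if "F" in flags and not flags & {"S", "A"}:
                return (f"stealth FIN scan (Nmap -sF style): {p.src}:{p.sport} -> "
                        f"{p.dst}:{p.dport}, FIN with no session")
            return (f"packet outside any session: {p.src}:{p.sport} -> "
                    f"{p.dst}:{p.dport} flags={p.flags}")
        if state == "SYN_SENT" and direction == "to_client" and flags == {"S", "A"}:
            self.sessions[key] = "SYN_RECV"
        elif state == "SYN_RECV" and direction == "to_server" and "A" in flags:
            self.sessions[key] = "ESTABLISHED"
        elif state == "ESTABLISHED" and flags & {"F", "R"}:
            # A FIN inside an established session is a normal close, not a scan.
            # Real stream4 follows the full FIN/ACK exchange; we stop at CLOSING.
            self.sessions[key] = "CLOSING"
        return None


def run(packets):
    tracker = StreamTracker()
    return [a for a in map(tracker.process, packets) if a]


# Constructed traffic: a complete HTTP session, then a FIN probe to port 22.
SERVER = "192.168.1.10"
LEGIT_SESSION = [
    Packet("10.0.0.5", 40000, SERVER, 80, "S"),
    Packet(SERVER, 80, "10.0.0.5", 40000, "SA"),
    Packet("10.0.0.5", 40000, SERVER, 80, "A"),
    Packet("10.0.0.5", 40000, SERVER, 80, "PA"),
    Packet(SERVER, 80, "10.0.0.5", 40000, "PA"),
    Packet("10.0.0.5", 40000, SERVER, 80, "FA"),   # client closes: FIN is legitimate
]
FIN_PROBE = [Packet("10.0.0.66", 55555, SERVER, 22, "F")]

if __name__ == "__main__":
    for alert in run(LEGIT_SESSION + FIN_PROBE):
        print(alert)
```

The point of the state table is the second branch: a stateless "alert on FIN" rule would fire on the FIN/ACK that closes the legitimate session, while the tracker only alerts when the FIN belongs to no session it has seen open.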

9
portscan Preprocessors
  • Detects port scans
  • Attackers use port scanners to find which ports
    are open
  • Ex: send a SYN to the server; it replies with
    SYN/ACK if the port is open, RST/ACK if closed
  • Only detects scans that touch enough ports within
    a certain period of time; scans slowed below that
    rate are missed
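Threshold-over-time detection and the slow-scan blind spot it implies, as an added example (mine, for this transcript; not the slides' content and not Snort's portscan code). One source hitting at least N distinct ports within a sliding window raises an alert; the same probes spread out in time never cross the threshold. Hosts, ports, timestamps and thresholds are constructed; the class and function names are mine.

```python
# Added example: threshold-based port-scan detection over a sliding time
# window, in the style of Snort's portscan preprocessor (illustration, not
# Snort's code).
from collections import defaultdict, deque


class PortscanDetector:
    """Alert when one source touches at least `threshold` distinct
    (destination, port) pairs within `window` seconds."""

    def __init__(self, threshold: int = 5, window: float = 3.0):
        self.threshold = threshold
        self.window = window
        self._events = defaultdict(deque)   # src -> deque of (ts, dst, dport)
        self._alerted = set()

    def observe(self, ts: float, src: str, dst: str, dport: int):
        """Feed one connection attempt (timestamps must be non-decreasing)."""
        q = self._events[src]
        q.append((ts, dst, dport))
        while q and ts - q[0][0] > self.window:   # drop events outside the window
            q.popleft()
        distinct = {(d, p) for _, d, p in q}
        if len(distinct) >= self.threshold and src not in self._alerted:
            self._alerted.add(src)   # one alert per scanner, not one per probe
            return (f"portscan: {src} probed {len(distinct)} ports on {dst} "
                    f"within {self.window:g}s (starting t={q[0][0]:g})")
        return None


def run(events, **kw):
    det = PortscanDetector(**kw)
    return [a for a in (det.observe(*e) for e in events) if a]


SCANNER, TARGET = "10.0.0.66", "192.168.1.10"
# Constructed: ten SYNs to ten ports within one second...
FAST_SCAN = [(0.1 * i, SCANNER, TARGET, 20 + i) for i in range(10)]
# ...the same ten ports probed one every ten seconds (slow-timing scan)...
SLOW_SCAN = [(10.0 * i, SCANNER, TARGET, 20 + i) for i in range(10)]
# ...and a normal client reconnecting to one service, which never crosses the threshold.
NORMAL = [(0.5 * i, "10.0.0.5", TARGET, 80) for i in range(20)]

if __name__ == "__main__":
    for name, events in (("fast", FAST_SCAN), ("slow", SLOW_SCAN), ("normal", NORMAL)):
        print(name, run(events))
```

Widening the window catches the slow scan but costs memory per source and raises the false-positive rate for busy hosts, which is the tuning trade-off behind the "only detects over a certain period of time" caveat.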

10
http_decode
  • Attackers can use different but equivalent
    encodings of a URI to avoid pattern-matching
  • IIS accepts hexadecimal (%XX) and Unicode (%uXXXX)
    encodings
  • http_decode normalizes the URI (the part after the
    server name in the URL) before matching it
    against the rules

11
Detection Engine
  • Core of the IDS in Snort
  • Takes the data from the preprocessors and checks
    it against the set of enabled rules
  • Rules have two parts
  • Header: action to take, protocol, source and
    destination IP addresses and ports, direction
  • Options: content in the packet to match, plus
    metadata (msg, reference, classtype, sid)

12
Example Rule
  • alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS
    $HTTP_PORTS (msg:"WEB-MISC http directory
    traversal"; flow:to_server,established;
    content:"../"; reference:arachnids,297;
    classtype:attempted-recon; sid:1113;)
  • Nimda footprint
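The http_decode slide and the example rule together, as one added example (mine, written for this transcript; not the slides' material and not Snort's code): a toy detection engine that parses the rule above into header and options, normalizes the request URI the way http_decode does, and then evaluates the rule against a constructed request. The snort.conf variable values, the client and server addresses, and the request itself are assumptions for the example; the URI normalizer is an approximation of http_decode, not its actual algorithm.

```python
# Added example: a toy Snort-style detection engine showing why http_decode
# runs before content matching. It parses the slide's rule (sid 1113) into
# header and options, normalizes the request URI, and evaluates the rule
# against constructed packets (illustration, not Snort's code).
import ipaddress
import re

RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"WEB-MISC http directory traversal"; flow:to_server,established; '
        'content:"../"; reference:arachnids,297; classtype:attempted-recon; sid:1113;)')

# Assumed snort.conf variables for this example: 192.168.1.0/24 is the home net.
VARS = {"EXTERNAL_NET": "!192.168.1.0/24", "HTTP_SERVERS": "192.168.1.0/24",
        "HTTP_PORTS": "80"}


def normalize_uri(uri: str) -> str:
    """Approximation of http_decode: decode IIS %uXXXX and %XX escapes, run a
    second pass to undo double encoding (%252e -> %2e -> .), then fold
    backslashes and repeated slashes."""
    def decode_once(s):
        s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
        return re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    s = decode_once(decode_once(uri)).replace("\\", "/")
    return re.sub(r"/{2,}", "/", s)


def http_decode(payload: str) -> str:
    """Normalize only the URI token of the request line, leaving the rest."""
    line, sep, rest = payload.partition("\r\n")
    parts = line.split(" ")
    if len(parts) == 3:
        parts[1] = normalize_uri(parts[1])
    return " ".join(parts) + sep + rest


def parse_rule(text: str) -> dict:
    """Split a one-line rule into its header fields and (name, value) options."""
    header, _, body = text.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    options = []
    # split on ';' only when it sits outside double quotes
    for opt in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', body.rstrip().rstrip(")")):
        if opt.strip():
            name, _, val = opt.strip().partition(":")
            options.append((name, val.strip().strip('"')))
    return dict(action=action, proto=proto, src=src, sport=sport, direction=direction,
                dst=dst, dport=dport, options=options)


def _resolve(spec: str) -> str:
    return VARS.get(spec[1:], spec) if spec.startswith("$") else spec


def addr_matches(spec: str, ip: str) -> bool:
    spec = _resolve(spec)
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def port_matches(spec: str, port: int) -> bool:
    spec = _resolve(spec)
    if spec == "any":
        return True
    if ":" in spec:                       # Snort range syntax lo:hi, :hi or lo:
        lo, hi = spec.split(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return int(spec) == port


def rule_matches(rule: dict, pkt: dict, preprocess: bool = True) -> bool:
    """Header checks first (cheap), then the flow and content options.
    Only the '->' direction is handled; msg/reference/classtype/sid are metadata."""
    if rule["proto"] != pkt["proto"] or rule["direction"] != "->":
        return False
    if not (addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])):
        return False
    if not (addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"])):
        return False
    payload = http_decode(pkt["payload"]) if preprocess else pkt["payload"]
    for name, val in rule["options"]:
        if name == "flow":
            if "to_server" in val and not pkt["to_server"]:
                return False
            if "established" in val and not pkt["established"]:
                return False
        elif name == "content" and val not in payload:
            return False
    return True


def make_packet(uri: str, src: str = "203.0.113.7", dst: str = "192.168.1.10") -> dict:
    """Constructed HTTP request from an external client to an internal server."""
    return dict(proto="tcp", src=src, sport=51000, dst=dst, dport=80, to_server=True,
                established=True, payload=f"GET {uri} HTTP/1.0\r\nHost: victim\r\n\r\n")


if __name__ == "__main__":
    rule = parse_rule(RULE)
    evasive = make_packet("/scripts/%2e%2e%2f%2e%2e%2fwinnt/system32/cmd.exe?/c+dir")
    print("raw content match:", rule_matches(rule, evasive, preprocess=False))
    print("after http_decode:", rule_matches(rule, evasive))
```

The raw payload never contains the literal bytes `../`, so the content option alone misses the `%2e%2e%2f` form; once the URI is normalized, the same rule fires. The same normalizer also collapses `%u002e` and the double-encoded `%252e` variants, which is why the preprocessor, not the rule writer, should own that decoding.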

13
Output Component
  • Many output options - can also write custom
    output plug-in
  • Syslog file
  • Database - MySQL, PostgreSQL, etc.
  • Snort Unified Binary Format - Fastest!

14
Where to Deploy Snort?
15
Problems with Snort
  • False positives: the rule set must be tuned to the
    environment and updated consistently
  • Not picking up all packets: database writes are
    expensive, so use Barnyard to decouple output from
    capture
  • Interface (command-line only; analysis consoles
    are separate tools)

16
Snort Tools
  • ACID / BASE - Browser based (Apache, PHP,
    database plug-in)
  • Honeynet Security Console - Windows based
    stand-alone
  • Sguil - real-time analysis with complete session
    data

17
Snort Tools (cont.)
  • Oinkmaster - Perl script to update rules
  • Barnyard - decouple Snort and expensive database
    writes
  • SFS - adds layer of anomaly based detection to
    Snort

18
Snort as an Inline IDS
  • Operate Snort in conjunction with a firewall
    (iptables)
  • Drop packets based on the rule set
  • Can PREVENT intrusion instead of merely DETECTING
    it

19
References
  • http://userwww.sfsu.edu/jrgalan/650_presentation.ppt
  • http://www.snort.org/
  • http://sourceforge.net/projects/secureideas/
  • Caswell, Brian. Snort 2.0 Intrusion Detection.
    Syngress Publishing, 2003.
  • Pfleeger, Charles. Security in Computing.
    Prentice Hall, 2003.