Intrusion Detection System - PowerPoint PPT Presentation

Provided by: davids244
1
Intrusion Detection System
  • Snort

2
What is Snort?
  • Free and Open Source Intrusion Detection System
  • Monitor network traffic
  • Scan for protocol anomalies
  • Scan for packet payload signatures that represent
    potential attacks, worms, and unusual activities
  • Monitoring consoles available
  • Can be configured as an IPS

3
Where should it be placed?
  • Snort Tap Placement
    • Natural Choke Points
      Areas where the network topology creates a single
      traffic path
    • Artificial Choke Points
      Exist due to the logical topology of the network
    • Intranet Trust/Un-trust Zone Boundaries
      Similar to Natural Choke Points, but intra-network

4
How does it work?
  • Snort Rules
    • Primarily a signature-based detection engine
    • Example:
      alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET root login"; flow:from_server,established; content:"login|3A| root"; classtype:suspicious-login; sid:719; rev:7;)
    • While alerts are indicative of attacks, leaks, and protocol
      violations, false positives are also generated

5
How to monitor?
  • BASE (Basic Analysis and Security Engine)
    • Number of unique alerts
    • Alerts ordered by category
    • Today's alerts
    • Most frequent src/dest ports

6
BASE Main Screen
7
BASE Policy Violations
8
Worm Propagation Analysis Example
  • Multiple layers of antivirus checkers in place:
    workstations, servers, email stores, and email
    gateways
  • The most actively updating checkers get new
    signatures every 15 minutes
  • In September 2005, 3 Bagle variants were released
    in quick succession
  • AV companies alerted us, but workstations were
    still affected
  • Which of the 5000 workstations were affected?

9
Worm Propagation Analysis Example
  • alert tcp any any -> any any (msg:"Potential Bagle Propagation"; content:"osa6.gif"; classtype:policy-violation; sid:1000003; rev:3;)
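As an added illustration of the signature matching on slides 4 and 9 (example code written for this transcript, not part of the presentation or of Snort itself): a minimal Python matcher that parses the two rules above with their Snort punctuation restored, decodes the |3A| hex escape, and runs them over constructed sample packets. It evaluates only protocol, ports and content; flow: options and $VARIABLE addresses are treated as wildcards.

```python
import re
# Header: action proto src sport -> dst dport (options);  options are key[:value];
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
OPTION = re.compile(r'\s*(\w+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?;')

def decode_content(text):
    """Snort content: |3A|-style groups are hex bytes, the rest is literal text."""
    parts = text.split("|")
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode() for i, p in enumerate(parts))

def parse_rule(rule):
    """Parse one rule into a dict; every content: option becomes a bytes pattern."""
    m = HEADER.match(rule)
    if not m:
        raise ValueError("not a Snort rule: " + rule)
    action, proto, src, sport, dst, dport, body = m.groups()
    parsed = {"action": action, "proto": proto, "src": src, "sport": sport,
              "dst": dst, "dport": dport, "contents": []}
    for key, val in OPTION.findall(body):
        val = val.strip().strip('"')
        if key == "content":
            parsed["contents"].append(decode_content(val))
        else:
            parsed[key] = val
    return parsed

def port_ok(pattern, port):  # toy matcher: 'any' or one exact port, no ranges/lists
    return pattern == "any" or pattern == str(port)

def match(rule, pkt):
    """Return the rule's msg when pkt triggers it (proto, ports, content only), else None."""
    if rule["proto"] != pkt["proto"] or not port_ok(rule["sport"], pkt["sport"]) \
            or not port_ok(rule["dport"], pkt["dport"]):
        return None
    return rule["msg"] if all(c in pkt["payload"] for c in rule["contents"]) else None

def scan(rules, packets):
    return [(i, r["sid"], r["msg"]) for i, p in enumerate(packets) for r in rules if match(r, p)]

RULES = [parse_rule(r) for r in (  # the two rules from the slides, Snort punctuation restored
    'alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET root login"; '
    'flow:from_server,established; content:"login|3A| root"; classtype:suspicious-login; sid:719; rev:7;)',
    'alert tcp any any -> any any (msg:"Potential Bagle Propagation"; content:"osa6.gif"; '
    'classtype:policy-violation; sid:1000003; rev:3;)',
)]
PACKETS = [  # constructed sample traffic, not captures from the presentation
    {"proto": "tcp", "sport": 23, "dport": 40112, "payload": b"Last login\x3a root from 10.0.0.5\r\n"},
    {"proto": "tcp", "sport": 54321, "dport": 80, "payload": b"GET /osa6.gif HTTP/1.1\r\nHost: x\r\n"},
    {"proto": "tcp", "sport": 443, "dport": 5555, "payload": b"\x16\x03\x01 tls handshake"},
]
print(scan(RULES, PACKETS))  # -> [(0, '719', 'TELNET root login'), (1, '1000003', 'Potential Bagle Propagation')]
```

The third packet shows why the Bagle rule on slide 9 is cheap to run everywhere: a content: match against a byte string fails fast on unrelated traffic, while the telnet rule also needs the source port to be 23.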

10
Conclusion
  • Snort provides another tool in the toolkit and
    can help provide information about exactly who's
    talking to whom on the network
  • Security is a process, not a product