Intrusion Detection: Snort
Basics: History
Snort was developed in 1998 by Martin Roesch.
It was intended to be an open-source technology, and remains as such.
Originally, it was a “lightweight” intrusion detection system. Now, it has expanded to include features that can hardly be called “lightweight.”
Basics: History
Snort is now the de facto standard in intrusion detection and prevention.
It is one of the most flexible and configurable threat detection systems available.
It is available for Windows, Linux, Unix, and other more obscure operating systems.
Basics: About
Snort is primarily a network intrusion detection system (IDS).
– IDS: an application that performs real-time traffic analysis (inspecting the packets going across a network) and packet logging, and alerts on attacks, intrusions, port scans, and many other kinds of suspicious activity on an IP network.
Basics: About
Snort has the capability to detect a variety of attacks on an IP network, including:
– Buffer overflows
– Stealth port scans
– CGI attacks
– SMB (server message block) probes
– OS fingerprinting
Setup
Snort can be obtained from www.winsnort.com or www.snort.org.
Snort requires WinPcap 3.0; at the time of this presentation the newest version (3.1) would not work with Snort. WinPcap is a packet-capture driver and library (not a standalone application; most Windows IDSs require it). It can be obtained from winpcap.polito.it.
Setup
Once Snort and WinPcap have been installed, the snort.conf (configuration file) must be edited.
Within the file, the only change required is the location of the RULES files (the RULE_PATH variable); this is normally c:\snort\rules\. Other changes to snort.conf are up to the user, such as the IP addresses to watch (the HOME_NET variable), etc.
Running Snort
Once snort.conf is edited properly, choose RUN and enter:
– C:\Snort\bin\snort.exe {any flags go here}
– The next slide tells you what flags are what. (A flag is a command-line option that switches a feature on; the flags tell the program which options you want to employ.)
Running Snort
Many flags are available for use. In our testing, we've come up with some that work well together:
– -d dumps APPLICATION LAYER data
– -e dumps DATA LINK LAYER data
– -v is verbose mode; this flag keeps Snort's activities visible in the terminal box.
– -l is required to log the packets. Usage: -l c:\Snort\log\. Snort writes its log files into that directory.
– -O obfuscates the IP addresses in the output, printing them as xxx.xxx.xxx.xxx (useful before sharing logs with others).
– -C drops all hex data and reports only ASCII data. This is useful to trim the fat, as it were, off your log files.
Running Snort
So the proper usage would be something like this, in the RUN dialog box:
– C:\Snort\bin\snort.exe -devOC -l c:\Snort\log\
This will run Snort with verbose output in the terminal, dumping application and data link layer data and logging the packets that travel across the network under c:\Snort\log\. Note that this command line does not pass -c with the path to snort.conf, so Snort runs as a packet logger only; to have it load snort.conf and the rules files (needed for the alerting described later), add -c followed by the path to your snort.conf.
Here is what a standard logfile looks like:
05/11-22:09:39.472302 192.168.234.209:2414 -> 192.168.235.254:8905
UDP TTL:128 TOS:0x0 ID:8280 IpLen:20 DgmLen:59
Len: 31
00 00 00 1F 01 01 11 DB 87 50 BC 56 56 34 5A E8  .........P.VV4Z.
46 62 7B C9 56 AD 16 EB 7A F5 72 04 1E D4 18     Fb{.V...z.r....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Breakdown
Here is a breakdown of what Snort reports in the log file:
– Date / Time (month/day-hour:minute:second.microseconds)
– Source IP and port (source of packet)
– Destination IP and port (destination of packet; often xx.xx.xx.255, which is a broadcast to all computers on the xx.xx.xx.0 network)
– Protocol (UDP in the example above)
– TTL (Time-to-Live): a hop count, not a time in ms; each router decrements it and discards the packet when it reaches zero
– TOS (Type of Service: indicates the priority requested for the packet's contents)
– ID (the IP identification number of the packet)
– IpLen (length of the IP header in bytes; 20 when there are no options)
– DgmLen (datagram length: the total length of the IP packet, header included, in bytes)
– Len (for UDP, the length of the UDP payload in bytes; in the example, 20 + 8 bytes of UDP header + 31 = 59, matching DgmLen)
These are followed by the payload as a hex dump, with its printable-ASCII rendering alongside.
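The record above, parsed field by field. This parser is an added example written for this page, not part of Snort: it reads the decoded-ASCII packet record format shown above (the embedded sample is the record from the log excerpt), cross-checks the decoded lengths the way a reviewer of a log would (DgmLen must equal IpLen + 8 + Len for UDP, and the hex dump must hold exactly Len bytes), and re-renders the payload the way the -C flag does (printable ASCII kept, every other byte shown as a dot). It handles the UDP layout shown here; the extra flags/sequence line of a TCP record is skipped.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The sample record from the log excerpt on this page (one UDP packet, 31-byte payload).
SAMPLE_RECORD = """\
05/11-22:09:39.472302 192.168.234.209:2414 -> 192.168.235.254:8905
UDP TTL:128 TOS:0x0 ID:8280 IpLen:20 DgmLen:59
Len: 31
00 00 00 1F 01 01 11 DB 87 50 BC 56 56 34 5A E8  .........P.VV4Z.
46 62 7B C9 56 AD 16 EB 7A F5 72 04 1E D4 18     Fb{.V...z.r....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
"""

_HEADER_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")
_IP_RE = re.compile(r"^(\w+) TTL:(\d+) TOS:(0x[0-9A-Fa-f]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")
_HEX_PAIR_RE = re.compile(r"^[0-9A-Fa-f]{2}$")


@dataclass
class SnortRecord:
    timestamp: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    ttl: int                 # hop count, not milliseconds
    tos: int
    ip_id: int
    iplen: int               # IP header length in bytes
    dgmlen: int              # total IP datagram length in bytes
    udp_len: Optional[int]   # Snort's "Len:" line: UDP payload length (UDP records only)
    payload: bytes


def parse_record(text: str) -> SnortRecord:
    """Parse one record: header line, IP line, optional 'Len:' line, then hex-dump lines."""
    lines = [ln.rstrip() for ln in text.strip().splitlines()]
    head = _HEADER_RE.match(lines[0])
    ip = _IP_RE.match(lines[1]) if len(lines) > 1 else None
    if not head or not ip:
        raise ValueError("not a Snort packet record: " + lines[0])
    ts, src, sport, dst, dport = head.groups()
    proto, ttl, tos, ip_id, iplen, dgmlen = ip.groups()
    udp_len, payload = None, bytearray()
    for line in lines[2:]:
        if line.startswith("Len:"):
            udp_len = int(line.split(":", 1)[1])
        elif line.startswith("=+=") or not line:
            break   # record separator
        else:
            # The hex column ends at the first double space; the ASCII column follows it.
            tokens = line.split("  ", 1)[0].split()
            if tokens and all(_HEX_PAIR_RE.match(t) for t in tokens):
                payload += bytes.fromhex("".join(tokens))
            # anything else (e.g. the TCP flags/seq line of a TCP record) is skipped
    return SnortRecord(ts, src, int(sport), dst, int(dport), proto, int(ttl), int(tos, 16),
                       int(ip_id), int(iplen), int(dgmlen), udp_len, bytes(payload))


def check_lengths(rec: SnortRecord) -> bool:
    """Cross-check what Snort decoded: for UDP, DgmLen = IpLen + 8 (UDP header) + Len,
    and the dumped payload must be exactly Len bytes. Other protocols get a weaker bound."""
    if rec.proto == "UDP" and rec.udp_len is not None:
        return rec.dgmlen == rec.iplen + 8 + rec.udp_len and len(rec.payload) == rec.udp_len
    return rec.iplen + len(rec.payload) <= rec.dgmlen


def payload_ascii(payload: bytes, width: int = 16) -> List[str]:
    """Render the payload as the -C flag does: printable ASCII kept, other bytes as '.'."""
    return ["".join(chr(b) if 32 <= b < 127 else "." for b in payload[i:i + width])
            for i in range(0, len(payload), width)]


if __name__ == "__main__":
    rec = parse_record(SAMPLE_RECORD)
    print(f"{rec.proto} {rec.src}:{rec.sport} -> {rec.dst}:{rec.dport} ttl={rec.ttl} "
          f"id={rec.ip_id} payload={len(rec.payload)} bytes consistent={check_lengths(rec)}")
    for row in payload_ascii(rec.payload):
        print(row)
```

Running it on the page's record reproduces the two ASCII columns exactly and reports the lengths as consistent; change DgmLen to any other value and check_lengths flags the record, which is the kind of sanity check worth running over a log before trusting what it says.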
Alerting
The rules files (several come with Snort, several more are available from various resources on the Internet) contain the rules that describe when to send off an alert. (You set in the snort.conf file which rules files are loaded, via its include lines, so sets of rules can be turned on or off there.) When Snort finds a packet that matches a rule you have turned on, it writes an alert record: by default to the alert file in the log directory, or to the terminal if you run it with -A console.
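How a line in a rules file turns into an alert, as an added example that is not Snort's own matching engine: a small evaluator for a subset of Snort's rule syntax (the rule header with $HOME_NET/$EXTERNAL_NET variables, "any", CIDRs, port ranges and "!" negation; the msg, sid, rev, content with |hex| sections, offset and depth options), run against the UDP packet from the log excerpt above. The HOME_NET value, the three rules and their messages and sids are constructed for the example. The first rule fires on the packet; the second asks for the same bytes at offset 4 and stays silent; the third is a TCP rule and never applies. Everything real Snort adds on top (preprocessors, flow, pcre, nocase, and so on) is left out.

```python
import ipaddress
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed snort.conf-style variables: assume 192.168.235.0/24 is the protected network,
# so the 192.168.234.209 sender in the log excerpt counts as external.
VARS: Dict[str, str] = {"HOME_NET": "192.168.235.0/24", "EXTERNAL_NET": "!$HOME_NET"}

Packet = namedtuple("Packet", "proto src sport dst dport payload")
# The UDP packet from the log excerpt on this page, as the evaluator sees it.
SAMPLE_PACKET = Packet("UDP", "192.168.234.209", 2414, "192.168.235.254", 8905,
                       bytes.fromhex("0000001F010111DB8750BC5656345AE846627BC956AD16EB7AF572041ED418"))

# Constructed rules; the messages and sids are made up for the example.
SAMPLE_RULES = [
    'alert udp $EXTERNAL_NET any -> $HOME_NET 8905 (msg:"Constructed example - 4-byte length prefix to port 8905"; content:"|00 00 00 1F|"; depth:4; sid:1000001; rev:1;)',
    'alert udp $EXTERNAL_NET any -> $HOME_NET 8905 (msg:"Same bytes demanded at offset 4"; content:"|00 00 00 1F|"; offset:4; depth:4; sid:1000002; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CGI probe"; content:"GET /cgi-bin/"; depth:13; sid:1000003; rev:1;)',
]

@dataclass
class ContentMatch:
    pattern: bytes
    offset: int = 0              # search window starts here
    depth: Optional[int] = None  # bytes to search from offset; None = to the end of payload

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    sid: int = 0
    rev: int = 1
    contents: List[ContentMatch] = field(default_factory=list)

_RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)
_OPTION_RE = re.compile(r'(?:[^;"]|"[^"]*")+')  # option fields: ';' outside quotes separates them

def decode_content(text: str) -> bytes:
    """content value to bytes: segments between '|' are hex, the rest is literal text."""
    out = bytearray()
    for i, seg in enumerate(text.split("|")):
        out += bytes.fromhex(seg) if i % 2 else seg.encode("latin-1")
    return bytes(out)

def parse_rule(line: str) -> Rule:
    m = _RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unparsable rule: " + line)
    rule = Rule(*m.groups()[:6])
    for opt in _OPTION_RE.findall(m.group(7)):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "msg":
            rule.msg = val
        elif key in ("sid", "rev"):
            setattr(rule, key, int(val))
        elif key == "content":
            rule.contents.append(ContentMatch(decode_content(val)))
        elif key in ("offset", "depth"):  # modifiers apply to the preceding content
            setattr(rule.contents[-1], key, int(val))
    return rule

def _matches(spec: str, value, leaf: Callable) -> bool:
    """Shared '!' negation, $VAR expansion and 'any' handling; leaf() decides the rest."""
    if spec.startswith("!"):
        return not _matches(spec[1:], value, leaf)
    if spec.startswith("$"):
        return _matches(VARS[spec[1:]], value, leaf)
    return spec == "any" or leaf(spec, value)

def _addr_leaf(spec: str, ip: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_leaf(spec: str, port: int) -> bool:
    lo, sep, hi = spec.partition(":")  # single port, or ranges like "1024:" / ":1023" / "20:21"
    return int(lo or 0) <= port <= int(hi or 65535) if sep else port == int(spec)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto.lower() not in ("ip", pkt.proto.lower()):
        return False
    if not (_matches(rule.src, pkt.src, _addr_leaf) and _matches(rule.sport, pkt.sport, _port_leaf)
            and _matches(rule.dst, pkt.dst, _addr_leaf) and _matches(rule.dport, pkt.dport, _port_leaf)):
        return False
    for cm in rule.contents:  # every content must be found inside its own offset/depth window
        end = None if cm.depth is None else cm.offset + cm.depth
        if cm.pattern not in pkt.payload[cm.offset:end]:
            return False
    return True

def evaluate(rules: List[Rule], pkt: Packet) -> List[str]:
    """One alert per matching 'alert' rule, in Snort's [gid:sid:rev] msg form."""
    return [f"[1:{r.sid}:{r.rev}] {r.msg}" for r in rules if r.action == "alert" and rule_matches(r, pkt)]

if __name__ == "__main__":
    print(*evaluate([parse_rule(r) for r in SAMPLE_RULES], SAMPLE_PACKET), sep="\n")
```

The point to take from it: a rule only fires when the header (protocol, addresses, ports) and every content option agree with the packet, and the offset/depth modifiers bind to the content that precedes them, so the same bytes asked for in a different window yield no alert. A packet sent from inside HOME_NET is not EXTERNAL_NET and matches none of these rules, which is why getting HOME_NET right in snort.conf matters as much as the rules themselves.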
For whom?
Snort is a non-commercial, open-source project and is not packaged or supported as a commercial product. That said, it could definitely be of use to commercial organizations.
For personal use, Snort has many possible uses, especially for the paranoid.
Questions?
Ask them. We’ll do our best.