SNORT - University of Tulsa
Greg Steen
What is Snort?
Snort purposes
Where can it be used?
IDS/IPS
Sniffer
Sniffs and logs packets based on a rule set
When deployed inline, it can drop packets, which makes it an IPS
Command-line packet sniffer
Packet Logger
Logs packets without a rule base.
Architecture
Where will Snort reside on a network?
Installation
Components
Snort- IDS/IPS engine
Barnyard- Processes Snort's output and writes it to the database
Base- GUI (BASE, the Basic Analysis and Security Engine) to view the captured alerts and packets
MySQL- Stores packet and alert information and runs DML queries
Configuration files
Rules.conf
Snort.conf
Barnyard2.conf
Permission settings
Database
GUI
Rule writing
Sample rules
#pass tcp 192.168.1.106 any <> 91.189.88.40 any (msg:"allowed traffic for ubuntu updates"; sid:1000011;)
alert icmp !10.1.0.0/16 any -> 10.1.1.0/16 any (msg:"Intrusion traffic"; sid:1000008;)
#drop tcp any 80 <> any 80 (msg:"Drop tcp all port 80"; sid:1000014;)
Note: the leading # comments out the pass and drop rules, so only the alert rule is active. 10.1.1.0/16 has host bits set under a /16 mask and is treated as 10.1.0.0/16, so the alert fires on ICMP entering 10.1.0.0/16 from outside it. The drop rule, with port 80 on both ends, would only match traffic between two port-80 endpoints, not ordinary client-to-server web traffic.
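To make the rule header semantics concrete (address negation, CIDR matching, the bidirectional <> operator, and the action order in which Snort resolves several matching rules: pass, then drop, then alert, then log), here is an added example that is not part of the slides and not Snort's own code: a small Python matcher that parses rules in the format above and evaluates constructed packets against them. The rule set is adapted from the samples: the # is removed so all three rules are active, 10.1.1.0/16 is written canonically as 10.1.0.0/16, and the drop rule is given a client-to-server header (any any -> any 80). The packets, the packet() helper and the ACTION_ORDER list are assumptions of this example.

```python
import ipaddress
import re

# Constructed rule set (assumption: adapted from the slide's samples, see lead-in).
SAMPLE_RULES = """
# Allow the update mirror in both directions.
pass tcp 192.168.1.106 any <> 91.189.88.40 any (msg:"allowed traffic for ubuntu updates"; sid:1000011;)
alert icmp !10.1.0.0/16 any -> 10.1.0.0/16 any (msg:"Intrusion traffic"; sid:1000008;)
drop tcp any any -> any 80 (msg:"Drop tcp all port 80"; sid:1000014;)
"""

# Snort's default action order: a pass rule exempts traffic that a later drop/alert would hit.
ACTION_ORDER = ["pass", "drop", "sdrop", "reject", "alert", "log"]

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_options(text):
    """Parse 'msg:"..."; sid:1000008;' into a dict (semicolons inside msg are not handled)."""
    opts = {}
    for item in text.split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition(":")
            opts[key.strip()] = value.strip().strip('"')
    return opts


def parse_rules(text):
    """Parse one rule per line, skipping blank lines and '#' comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("unparsable rule: " + line)
        rule = m.groupdict()
        if rule["action"] not in ACTION_ORDER:
            raise ValueError("unknown action: " + rule["action"])
        rule["opts"] = parse_options(rule.pop("opts"))
        rules.append(rule)
    return rules


def match_addr(spec, ip):
    """Address field: 'any', a host or CIDR, optionally negated with '!'."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def match_port(spec, port):
    """Port field: 'any', a single port, or a 'low:high' range, optionally negated."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif ":" in spec:
        low, _, high = spec.partition(":")
        hit = (int(low) if low else 0) <= port <= (int(high) if high else 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def header_matches(rule, pkt):
    """Check the rule header against a packet; '<>' matches either orientation."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    forward = (match_addr(rule["src"], pkt["src"]) and match_port(rule["sport"], pkt["sport"])
               and match_addr(rule["dst"], pkt["dst"]) and match_port(rule["dport"], pkt["dport"]))
    if forward or rule["direction"] == "->":
        return forward
    return (match_addr(rule["src"], pkt["dst"]) and match_port(rule["sport"], pkt["dport"])
            and match_addr(rule["dst"], pkt["src"]) and match_port(rule["dport"], pkt["sport"]))


def evaluate(rules, pkt):
    """Return (action, sid) of the winning rule in Snort's action order, or (None, None)."""
    for action in ACTION_ORDER:
        for rule in rules:
            if rule["action"] == action and header_matches(rule, pkt):
                return action, rule["opts"].get("sid")
    return None, None


def packet(proto, src, sport, dst, dport):
    """Constructed packet summary; ICMP carries no ports, so 0 is used there."""
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for pkt in [packet("icmp", "192.0.2.7", 0, "10.1.1.5", 0),          # alert 1000008
                packet("icmp", "10.1.2.3", 0, "10.1.1.5", 0),           # inside-to-inside: no match
                packet("tcp", "10.1.1.5", 51000, "203.0.113.9", 80),    # drop 1000014
                packet("tcp", "192.168.1.106", 40000, "91.189.88.40", 80)]:  # pass beats drop
        print(pkt, "->", evaluate(rules, pkt))
```

The last packet matches both the pass and the drop rule; pass wins because of the action order, which is exactly why the slide's update-mirror rule is a pass rule rather than a second alert. Only rule headers are evaluated here; payload options such as content: are outside this example.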
Baselining the network
Important to monitor the network and establish what acceptable traffic looks like before writing rules against deviations from it.
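As an added example of what a baseline can be in practice (not from the slides), the Python below learns, from constructed flow summaries of the kind a packet logger or flow export would give, the mean bytes per flow for each (protocol, destination port) service seen during normal operation, then flags later flows to services never seen before or far larger than their baseline. The flow tuples, the 3x threshold and the function names are assumptions of this example.

```python
from collections import defaultdict

# Constructed flow summaries (assumption): (proto, dport, bytes) for a quiet learning window.
LEARNING_FLOWS = [
    ("tcp", 80, 4200), ("tcp", 80, 5100), ("tcp", 443, 9800), ("tcp", 443, 11000),
    ("udp", 53, 180), ("udp", 53, 210), ("tcp", 22, 3000), ("tcp", 443, 10400),
]

# Constructed flows from a later window to compare against the baseline.
OBSERVED_FLOWS = [
    ("tcp", 443, 10100),   # ordinary HTTPS flow
    ("tcp", 4444, 900),    # service never seen during the learning window
    ("udp", 53, 4000),     # DNS flow about 20x the baseline mean: worth a closer look
]


def build_baseline(flows):
    """Mean bytes per flow for every (proto, dport) service seen in the learning window."""
    totals = defaultdict(lambda: [0, 0])
    for proto, dport, nbytes in flows:
        totals[(proto, dport)][0] += nbytes
        totals[(proto, dport)][1] += 1
    return {svc: total / count for svc, (total, count) in totals.items()}


def find_deviations(baseline, flows, factor=3.0):
    """Flag flows to services absent from the baseline or larger than factor * their mean."""
    findings = []
    for proto, dport, nbytes in flows:
        mean = baseline.get((proto, dport))
        if mean is None:
            findings.append((proto, dport, "new service"))
        elif nbytes > factor * mean:
            findings.append((proto, dport, "size %.1fx baseline" % (nbytes / mean)))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(LEARNING_FLOWS)
    for finding in find_deviations(baseline, OBSERVED_FLOWS):
        print(finding)
```

Each finding is a candidate for a rule of the kind shown under "Sample rules" (for instance an alert on tcp any any -> $HOME_NET 4444), and the baseline is also what keeps such rules from firing on traffic the site considers normal.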
Data
What is collected.
Interpretation
Analysis
Uses for data
Summary
Snort is an open-source IDS/IPS
Designed to be available at no cost to those that want it
Businesses of any size, small to large, can use Snort; the choice depends on the amount of maintenance they are willing to handle.