SNORT - University of Tulsa


Greg Steen



What is Snort?
Snort purposes
Where can it be used?

IDS/IPS
• Sniffs & logs packets based on a rule set
• When inline, can drop packets, thus IPS

Sniffer
• Command-line packet sniffer

Packet Logger
• Logs packets without a rule base.

Architecture


Where will Snort reside on a network?
Installation

Components
• Snort - IDS/IPS
• Barnyard - processes the output of Snort
• BASE - GUI to see the captured packets
• MySQL - stores packet information and runs DML functions

Configuration files
• Rules.conf
• Snort.conf
• Barnyard2.conf

Permission settings
• Database
• GUI

Rule writing

Sample rules
• #pass tcp 192.168.1.106 any <> 91.189.88.40 any (msg:"allowed traffic for ubuntu updates";sid:1000011;)
• alert icmp !10.1.0.0/16 any -> 10.1.1.0/16 any (msg:"Intrusion traffic";sid:1000008;)
• #drop tcp any 80 <> any 80 (msg:"Drop tcp all port 80";sid:1000014;)
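To show what the header of each sample rule actually selects, here is a small Python parser and header matcher written for this page; it is an added example, not code from the slides or from the Snort project. It reads the Snort 2 style header (action, protocol, source, source port, direction, destination, destination port) plus the msg and sid options, honours "any", "!" negation, CIDR masks and the bidirectional "<>" operator, and treats a leading "#" as a disabled rule. The three rules are the sample rules above; the packets it evaluates are constructed test data, and the option parsing is deliberately simple (a msg containing an escaped ";" would need a real tokenizer).

```python
"""Minimal parser and header matcher for Snort 2 style rules (added example)."""
import ipaddress
import re
from dataclasses import dataclass

# A leading "#" means the rule is present in the file but disabled.
HEADER_RE = re.compile(
    r"^(?P<disabled>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

@dataclass
class Rule:
    disabled: bool
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    msg: str
    sid: int

def parse_rule(line):
    """Parse one rule line; raises ValueError on a malformed header or a missing sid."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Snort rule: {line!r}")
    # Options are "key:value;" pairs. Splitting on ";" is enough for the sample
    # rules; a msg containing an escaped ";" would need a proper tokenizer.
    opts = {}
    for opt in m.group("opts").split(";"):
        if ":" in opt:
            key, value = opt.split(":", 1)
            opts[key.strip()] = value.strip().strip('"')
    if "sid" not in opts:
        raise ValueError("every Snort rule needs a sid option")
    return Rule(
        disabled=bool(m.group("disabled")),
        action=m.group("action"), proto=m.group("proto"),
        src=m.group("src"), sport=m.group("sport"), direction=m.group("dir"),
        dst=m.group("dst"), dport=m.group("dport"),
        msg=opts.get("msg", ""), sid=int(opts["sid"]),
    )

def _addr_matches(spec, ip):
    """spec is "any", a host, or a CIDR, optionally negated with a leading "!"."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    else:
        # strict=False so 10.1.1.0/16 (host bits set) is read as 10.1.0.0/16
        hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate

def _port_matches(spec, port):
    """spec is "any", a single port, or a low:high range, optionally negated."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif ":" in spec:
        lo, hi = spec.split(":", 1)
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = int(spec) == port
    return hit != negate

def rule_matches(rule, proto, src, sport, dst, dport):
    """True if the header applies to the 5-tuple. Pass port 0 for ICMP."""
    if rule.proto not in (proto, "ip"):
        return False
    forward = (_addr_matches(rule.src, src) and _port_matches(rule.sport, sport)
               and _addr_matches(rule.dst, dst) and _port_matches(rule.dport, dport))
    if rule.direction == "->" or forward:
        return forward
    # "<>" also matches the packet travelling the other way
    return (_addr_matches(rule.src, dst) and _port_matches(rule.sport, dport)
            and _addr_matches(rule.dst, src) and _port_matches(rule.dport, sport))

def active_matches(rules, proto, src, sport, dst, dport):
    """sids of enabled rules whose header matches; commented-out rules never fire."""
    return [r.sid for r in rules
            if not r.disabled and rule_matches(r, proto, src, sport, dst, dport)]

# Sample rules from the slides (two are commented out, i.e. disabled).
SAMPLE_RULES = [
    '#pass tcp 192.168.1.106 any <> 91.189.88.40 any (msg:"allowed traffic for ubuntu updates";sid:1000011;)',
    'alert icmp !10.1.0.0/16 any -> 10.1.1.0/16 any (msg:"Intrusion traffic";sid: 1000008;)',
    '#drop tcp any 80 <> any 80 (msg:"Drop tcp all port 80";sid:1000014;)',
]
RULES = [parse_rule(r) for r in SAMPLE_RULES]

if __name__ == "__main__":
    for r in RULES:
        state = "disabled" if r.disabled else "enabled"
        print(f"sid {r.sid} ({state}): {r.action} {r.proto} {r.src} {r.direction} {r.dst} - {r.msg}")
    # Constructed packets: ICMP from outside into 10.1/16 fires the alert; ICMP
    # between two internal hosts does not; the Ubuntu update rule is disabled.
    print(active_matches(RULES, "icmp", "203.0.113.9", 0, "10.1.5.5", 0))          # [1000008]
    print(active_matches(RULES, "icmp", "10.1.2.2", 0, "10.1.5.5", 0))             # []
    print(active_matches(RULES, "tcp", "91.189.88.40", 80, "192.168.1.106", 51234))  # []
```

Running it shows the point the slide makes implicitly: only the ICMP rule is live, so a ping from an address outside 10.1.0.0/16 into that range raises sid 1000008, while the two "#" rules are parsed but never fire until the comment marker is removed. The constructed addresses (203.0.113.9, 10.1.5.5, 10.1.2.2) are documentation-range or private test values, not hosts from the slides.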

Baselining the network

It is important to monitor the network and establish what acceptable traffic looks like before tuning rules.

Data
• What is collected
• Interpretation
• Analysis
• Uses for data

Summary
Snort is an open-source IDS/IPS
• Designed to be available at no cost to anyone who wants it
• Businesses from small to large can use Snort; which ones should depends on the amount of maintenance they are prepared to handle.
