SNORT Feed the Pig

SNORT
Feed the Pig
Vicki Insixiengmay
Jon Krieger
What is SNORT?
An Intrusion Detection System
(IDS)
Analyzes IP network traffic in real time and
records packets
Reduces the risk of intrusion
What is SNORT?
Five major components:
Packet capturing mechanism
Snort relies on an external packet capturing library
(libpcap) to sniff packets
Packets are passed into the packet decoder.
Translates specific protocol elements into an internal
data structure.
After the decode is completed, traffic is handled
by the preprocessors. Any number of pluggable
preprocessors either examine or manipulate
packets before handing them to the next
component: the detection engine.
What is SNORT?
The detection engine performs simple tests
on a single aspect of each packet to detect
intrusions.
The last component is the output plugins
Generate alerts to present suspicious activity
Snort Component Dataflow
What does Snort do?
Snort uses a flexible rules language to
describe traffic that it should collect or pass,
and a detection engine that utilizes a
modular plugin architecture.
Snort has a real-time alerting capability.
Alerting mechanisms include syslog, user-specified
files, a UNIX socket, or WinPopup messages
to Windows clients using Samba's smbclient.
Packet Decoder
First internal component of Snort that a
sniffed packet encounters.
Purpose:
To strip off the various headers. It works by
decoding up the TCP/IP stack, and placing
the packet in a data structure. Packets are
then routed to the preprocessors.
Preprocessors
Perform two fundamental functions:
Manipulate packets so the detection
engine can properly analyze them OR
Examine traffic for suspicious use that
cannot be discovered by signature
detection alone.
After traffic is run through the
preprocessors, it is sent on to the
detection engine.
Detection Engine
Responsible for the actual signature
detection. Snort rules are loaded into the
detection engine and are categorized in a
tree-like data structure, which minimizes the
number of tests the detection engine has to
perform to discover malicious activity.
Snort writes intrusion data to any number of
output plugins.
Output Plugins
The means Snort has to get data from
the detection engine to the user. Snort can
be configured with multiple output
plugins to better facilitate intrusion data
management. Output plugins can range
from simple comma-delimited output to
complex relational database output.
Primary Uses
Snort has three primary uses:
Sniffer Mode
Reads packets off of the network and displays
them in a continuous stream on the screen
./snort -v
Packet Logger Mode
Records/logs packets to disk.
./snort -dev -l ./log
Primary Uses
Network Intrusion Detection System
(NIDS) mode
Analyzes network traffic for matches against a
user-defined rule set and performs actions
based on the matches it finds
./snort -dev -l ./log -h 134.198.161.101/23 -c snort.conf
Rules
Rule Header
Action, Protocol, IP Addresses and Ports
Rule Option
Alert Messages and Items to Look for
alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)
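To show what the detection engine actually tests when it applies the rule above, here is an added Python example (written for this transcript, not code from Snort itself) that parses the rule header and options, converts the |00 01 86 a5| content to bytes, and checks constructed packets against it. The packet dictionaries and their RPC payloads are made up for the demo; 0x000186a5 is the RPC program number of mountd.

```python
import ipaddress

# The rule from the slide: action, protocol, source addr/port -> destination addr/port, then options.
MOUNTD_RULE = 'alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)'

def parse_rule(rule):
    """Split a one-line Snort rule into its header fields and an option dict."""
    header, _, body = rule.partition("(")
    action, proto, src, sport, _arrow, dst, dport = header.split()
    options = {}
    for item in body.rstrip(")").split(";"):
        if ":" in item:                       # e.g. msg:"mountd access"
            key, value = item.split(":", 1)
            options[key.strip()] = value.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}

def content_to_bytes(content):
    """Turn Snort content syntax (text with |hex hex| sections) into raw bytes."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2:                             # odd pieces sit between pipes: hex bytes
            out += bytes.fromhex(part)        # fromhex() ignores the spaces
        else:
            out += part.encode("latin-1")
    return bytes(out)

def addr_matches(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def check_packet(rule, pkt):
    """Return the rule's msg when header and content both match the packet, else None."""
    r = parse_rule(rule)
    if (r["proto"] == pkt["proto"]
            and addr_matches(r["src"], pkt["src"]) and port_matches(r["sport"], pkt["sport"])
            and addr_matches(r["dst"], pkt["dst"]) and port_matches(r["dport"], pkt["dport"])
            and content_to_bytes(r["options"]["content"]) in pkt["payload"]):
        return r["options"].get("msg")
    return None

# Constructed packets: an RPC call naming program 100005 (0x000186a5, mountd) sent to port 111 on a
# 192.168.1.0/24 host, the same call to another port, and a call naming program 100000 (0x000186a0).
PKT_HIT = {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "192.168.1.20",
           "dport": 111, "payload": b"\x00\x00\x00\x02\x00\x01\x86\xa5\x00\x00\x00\x01"}
PKT_OTHER_PORT = dict(PKT_HIT, dport=2049)
PKT_OTHER_PROGRAM = dict(PKT_HIT, payload=b"\x00\x00\x00\x02\x00\x01\x86\xa0\x00\x00\x00\x02")
```

Only the first packet produces the "mountd access" alert; a wrong port or a different program number fails the header or the content test respectively.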