Snort Intrusion Detection

What is Snort
- Packet analysis tool
- Most widely deployed NIDS
- Initial release by Marty Roesch in 1998
- Current version 2.4.4 as of April 17th, 2006

Features
- Small package: 2.7 MB for the source
- Cross platform
- Open source
- Backed by Sourcefire
- Fast (high rate of detection on average networks)
- Configurable

Design: Packet Analysis Pipeline
- Data acquisition
- Decode
- Preprocess
- Detect
- Action

Design: Engine
- Uses rules to form "signatures"
- Modular detection elements are combined to form specific signatures
- Detects anomalous activity
- Easily updateable

Different Modes
- Packet sniffer
- Packet logger
- NIDS mode
- Inline mode

Rules
Two parts:
- Rule header
- Rule options

Rule Header
  alert tcp $BAD any -> $GOOD any

    alert   rule action
    tcp     protocol
    $BAD    source CIDR ($BAD and $GOOD are variables defined in the Snort configuration)
    any     source port
    ->      direction
    $GOOD   destination CIDR
    any     destination port

  The same header with literal addresses; a leading "!" negates a CIDR:
  alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any

Rule Options
  (flags: SF; msg: "SYN-FIN scan";)

    flags            keyword
    :                separator
    SF               argument
    ;                delimiter

Common Rule Options
- IP TTL
- IP ID
- Fragment size
- TCP flags
- TCP ack number
- TCP seq number
- Payload size
- Content
- Content offset
- Content depth
- Session recording
- ICMP type
- ICMP code
- Alternate log files

Make Custom Rules
Detect a string in any TCP payload. The slide's version lacked the quotes around the content and msg arguments, the closing parenthesis, and a sid; Snort needs the quotes and a unique sid per rule to load it:
  alert tcp any any -> any any \
      (content: "clemson"; msg: "detected clemson"; sid: 1000001;)

Output
- Logs all the alerts
- Real-time alerts
- Several different output types:
  - Syslog
  - Plain text
  - Databases
  - Unified output

Common Options
  Option       Description
  -A fast      Fast alert mode. Writes the alert in a simple format with a timestamp, alert message, and source and destination IPs/ports.
  -A full      Full alert mode. This is the default alert mode and is used automatically if you do not specify a mode.
  -A unsock    Sends alerts to a UNIX socket that another program can listen on.
  -A none      Turns off alerting.
  -A console   Sends "fast-style" alerts to the console (screen).
  -A cmg       Generates "cmg style" alerts.
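The rule structure above (header fields, $VAR substitution, "!" negation, keyword: argument; options) and the fast alert format from the -A table, worked through in code. This is an added example written for this page, not Snort's own code: the VARS values, the sample packets and the sids are constructed, and the matcher implements only the flags and content options (with Snort's default exact-match semantics for flags), so it illustrates how a rule is taken apart and applied, not how Snort's detection engine performs.

```python
"""Toy Snort-rule parser/matcher for the two-part rule format (added example,
not Snort's own code).  Handles: header fields, $VAR substitution, '!' CIDR
and port negation, port ranges (lo:hi), the '<>' bidirectional operator, and
the 'flags', 'content' (with |hex| bytes), 'msg' and 'sid' options.  Real
Snort adds preprocessors, offset/depth, nocase, PCRE and much more."""
import ipaddress
import re
from datetime import datetime

# Assumed variable definitions; in real Snort these are 'var BAD ...' lines
# in snort.conf.  Values are constructed for this example.
VARS = {"BAD": "!10.1.1.0/24", "GOOD": "10.1.1.0/24"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
# keyword[: argument];  -- the argument may be quoted (quotes can hold ';')
OPT_RE = re.compile(r'([A-Za-z_]+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*?))?\s*;')


def parse_options(opts):
    """'flags: SF; msg: "SYN-FIN scan";' -> {'flags': 'SF', 'msg': 'SYN-FIN scan'}"""
    options = {}
    for keyword, arg in OPT_RE.findall(opts):
        arg = arg.strip()
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]
        options[keyword] = arg
    return options


def parse_rule(text):
    """Split one rule (possibly with '\\' line continuations) into header + options."""
    flat = " ".join(text.replace("\\\n", " ").split())
    m = HEADER_RE.match(flat)
    if not m:
        raise ValueError("not a Snort rule: " + flat)
    rule = m.groupdict()
    rule["opts"] = parse_options(rule["opts"])
    for key in ("src", "dst"):           # expand $BAD / $GOOD
        if rule[key].startswith("$"):
            rule[key] = VARS[rule[key][1:]]
    return rule


def cidr_match(spec, ip):
    """'any', 'a.b.c.d/n' or '!a.b.c.d/n'; '!' inverts the result."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return hit != negate


def port_match(spec, port):
    """'any', 'N', 'lo:hi' (either end may be open) or a '!'-negated form."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def content_bytes(arg):
    """Snort content strings mix text with |hex| byte groups: 'GET|20|/' -> b'GET /'."""
    parts = arg.split("|")
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode() for i, p in enumerate(parts))


def endpoints_match(rule, pkt):
    fwd = (cidr_match(rule["src"], pkt["src"]) and port_match(rule["sport"], pkt["sport"])
           and cidr_match(rule["dst"], pkt["dst"]) and port_match(rule["dport"], pkt["dport"]))
    if fwd or rule["dir"] == "->":
        return fwd
    # '<>': also accept the packet travelling the other way
    return (cidr_match(rule["src"], pkt["dst"]) and port_match(rule["sport"], pkt["dport"])
            and cidr_match(rule["dst"], pkt["src"]) and port_match(rule["dport"], pkt["sport"]))


def match_rule(rule, pkt):
    if rule["proto"] not in ("ip", pkt["proto"]) or not endpoints_match(rule, pkt):
        return False
    opts = rule["opts"]
    # 'flags: SF' with no +/* modifier means exactly SYN and FIN set (Snort's default)
    if "flags" in opts and set(opts["flags"]) != set(pkt.get("flags", "")):
        return False
    if "content" in opts and content_bytes(opts["content"]) not in pkt.get("payload", b""):
        return False
    return True


def fast_alert(rule, pkt, ts):
    """Approximation of a '-A fast' line: timestamp, [gid:sid:rev], msg, proto, src -> dst."""
    o = rule["opts"]
    return "%s  [**] [1:%s:1] %s [**] {%s} %s:%d -> %s:%d" % (
        ts.strftime("%m/%d-%H:%M:%S.%f"), o.get("sid", "0"), o.get("msg", ""),
        pkt["proto"].upper(), pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])


def run_rules(rule_texts, packets, ts=datetime(2006, 4, 17, 12, 0, 0)):
    """Return the fast-style alert lines for every (packet, rule) hit, in packet order."""
    rules = [parse_rule(t) for t in rule_texts]
    return [fast_alert(r, p, ts) for p in packets for r in rules if match_rule(r, p)]


# The two rules from the slides (sids added; Snort wants one per rule).
RULES = [
    'alert tcp $BAD any -> $GOOD any (flags: SF; msg: "SYN-FIN scan"; sid: 1000001;)',
    'alert tcp any any -> any any \\\n'
    '    (content: "clemson"; msg: "detected clemson"; sid: 1000002;)',
]

# Constructed packets, not captures: an external SYN-FIN probe, an internal one
# (excluded by the '!' on $BAD), and an outbound HTTP request carrying the string.
PACKETS = [
    dict(proto="tcp", src="192.0.2.7", sport=40000, dst="10.1.1.10", dport=80, flags="SF", payload=b""),
    dict(proto="tcp", src="10.1.1.5", sport=40001, dst="10.1.1.10", dport=80, flags="SF", payload=b""),
    dict(proto="tcp", src="10.1.1.5", sport=40002, dst="203.0.113.9", dport=80, flags="PA",
         payload=b"GET /clemson HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for line in run_rules(RULES, PACKETS):
        print(line)
```

Running the block prints one fast-style line per hit: the external SYN-FIN probe fires the first rule, the internal probe does not because "!10.1.1.0/24" excludes it, and only the third packet carries "clemson" in its payload. The "!" on a source CIDR is the detail worth checking in your own rules: it inverts the whole address test, so a rule written with a negated source never fires on traffic between two internal hosts.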
Tools for Snort
- ACID
- SnortSnarf
- Snort Alert Monitor (SAM)
- Snortalog
- Guardian
- DeMarc PureSecure
- IDSCenter (Windows)

Resources
- Snort.org: www.snort.org/dl (downloads)
- BleedingEdge: www.bleedingsnort.com/
- Sourcefire: www.sourcefire.com