an overview

Page 1: an overview

an overview

Page 2: an overview

Snort is an Intrusion Detection System (IDS)

• Automated tools to detect intrusions

• Works locally (reactionary) or network-wide (preemptive)

• Preemptive IDS can use traffic monitoring or content monitoring

• Does NOT block intruders. Assumes a human is watching!!!

Page 3: an overview

What IDS are available?

• Cisco Secure IDS (Formerly NetRanger)

• Network Flight Recorder

• Realsecure (ISS)

• SecureNet Pro

• Snort!!!

Page 4: an overview

Why pick Snort?

• “Lightweight”

• Free

• Portable – Runs on HP-UX, Linux, AIX, Irix, *BSD, Solaris, Win2K

• Configurable with easy setup

Page 5: an overview

What can Snort do?

• Packet sniffer

• Packet Logger

• Preemptive IDS – Actively monitors network traffic in real time to match intrusion signatures and send alerts

Page 6: an overview

Rules, Rules, Rules

alert udp $EXTERNAL_NET 53 -> $HOME_NET :1024 (msg:"MISC source port 53 to <1024";)

• Rule alerts on any UDP packet from the external network with source port 53 going to a home-network port of 1024 or below (the :1024 port range) – this is what the rule's "<1024" message refers to

• Can also alert based on packet content not just source / destination ports

Page 7: an overview

And more Rules

• Rules can: Alert, Log, or Pass

• Used for IP, UDP, ICMP

• Source address / port

• Destination address / port

• Additional options – This is where content matching can take place

Page 8: an overview

Luckily you probably won’t have to write rules!

Page 9: an overview

What do the alerts look like?

[**] MISC source port 53 to <1024 [**]
05/21-16:30:07.697467 129.219.17.200:53 -> 129.219.XXX.XXX:1024
UDP TTL:253 TOS:0x0 ID:60955 IpLen:20 DgmLen:268 DF
Len: 248

• These can also be nicely formatted by different parser programs
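As an added example (not part of the slides and not Snort's own code), the following Python script parses the rule header from the "Rules, Rules, Rules" slide and the full-alert block from this slide, then checks that the alert's ports fall inside the rule's port specs. Snort port specs ("any", a single port, "lo:hi", ":hi", "lo:" and a leading "!" for negation) are implemented as Snort documents them; the $HOME_NET and $EXTERNAL_NET address variables are treated as wildcards here, which is a deliberate simplification of real address matching.

```python
"""Parse a Snort rule header and a full-alert block, then check the ports.

Added illustration for the slides above; not Snort source code.
"""
import re

# Rule text copied from the slide.
RULE = 'alert udp $EXTERNAL_NET 53 -> $HOME_NET :1024 (msg:"MISC source port 53 to <1024";)'

# Alert text copied from the slide, reassembled into the contiguous form Snort prints.
ALERT = """[**] MISC source port 53 to <1024 [**]
05/21-16:30:07.697467 129.219.17.200:53 -> 129.219.XXX.XXX:1024
UDP TTL:253 TOS:0x0 ID:60955 IpLen:20 DgmLen:268 DF
Len: 248
"""

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass)\s+(?P<proto>ip|tcp|udp|icmp)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)

# First three lines of the full-alert format shown on the slide.
ALERT_RE = re.compile(
    r'\[\*\*\]\s*(?P<msg>.*?)\s*\[\*\*\]\s*\n'
    r'(?P<ts>\S+)\s+(?P<src>[^:\s]+):(?P<sport>\d+)\s*->\s*(?P<dst>[^:\s]+):(?P<dport>\d+)\s*\n'
    r'(?P<proto>\w+)\s+TTL:(?P<ttl>\d+)\s+TOS:(?P<tos>0x[0-9a-fA-F]+)\s+ID:(?P<id>\d+)'
)


def parse_rule(text):
    """Split a rule into header fields plus a dict of 'key:value;' options."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule header: " + text)
    rule = m.groupdict()
    opts = {}
    for opt in rule.pop("opts").split(";"):
        opt = opt.strip()
        if opt:
            key, _, value = opt.partition(":")
            opts[key.strip()] = value.strip().strip('"')
    rule["options"] = opts
    return rule


def port_matches(spec, port):
    """Evaluate a Snort port spec: any, N, lo:hi, :hi, lo:, with optional leading '!'."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return not hit if negate else hit


def parse_alert(text):
    """Extract message, timestamp, endpoints and IP header fields from a full alert."""
    m = ALERT_RE.search(text)
    if not m:
        raise ValueError("unrecognised alert block")
    alert = m.groupdict()
    for key in ("sport", "dport", "ttl", "id"):
        alert[key] = int(alert[key])
    return alert


def alert_matches_rule(alert, rule):
    """Header-only check: protocol, msg and port specs. Address variables are
    treated as wildcards here (simplification; real Snort resolves them)."""
    if rule["proto"] != "ip" and rule["proto"] != alert["proto"].lower():
        return False
    if rule["options"].get("msg") != alert["msg"]:
        return False
    return port_matches(rule["sport"], alert["sport"]) and port_matches(rule["dport"], alert["dport"])


if __name__ == "__main__":
    r, a = parse_rule(RULE), parse_alert(ALERT)
    print("rule dport spec:", r["dport"], "-> alert dport:", a["dport"])
    print("alert satisfies rule header:", alert_matches_rule(a, r))
```

Running the script shows that the slide's alert (destination port 1024) sits at the top edge of the ":1024" range, while a packet to port 1025 from the same source would not fire this rule.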

Page 10: an overview

Installation

1. Install libpcap

2. Install Snort
   • # ./configure
   • # make
   • # make install

3. Test
   • # snort -v

Page 11: an overview

More resources

• Snort.org

• Securityfocus.com

• Whitehats.com

Page 12: an overview

PSCS Implementation

By

Mark Peoples