Snort: Jason Booth – Intrusion Detection System. Overview Snort / Drawbacks IDS - Theory IDS –...

Post on 29-Dec-2015


Snort:

Jason Booth – Intrusion Detection System

Overview

➲ Snort / Drawbacks
➲ IDS - Theory
➲ IDS – Test
➲ Practical IDS
➲ Setup Scripts
➲ Oink-Master
➲ Snort-MySql
➲ Log Files
➲ Location
➲ What is logged

What is SNORT?

Snort is an Intrusion Detection System. It generally runs on a Bastion Server (Server with one purpose).

This helps to limit the possible attack points on the Bastion Server.

Drawbacks

➲ Slower network (more overhead)
➲ The IDS can become an intrusion point in and of itself
➲ Laws limit what can be logged from a packet
➲ IDS is only as good as its definition rules

A tcp/ip packet

What snort logs

[**] [1:1384:8] MISC UPnP malformed advertisement [**]
[Classification: Misc Attack] [Priority: 2]
02/23-10:20:29.041905 192.168.0.1:1900 -> 239.255.255.250:1900
UDP TTL:127 TOS:0x0 ID:17771 IpLen:20 DgmLen:346
Len: 318
[Xref => http://www.microsoft.com/technet/security/bulletin/MS01-059.mspx][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0877][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0876][Xref => http://www.securityfocus.com/bid/3723][Xref => http://www.securityfocus.com/bid/3723]

Snort Priority

Prioritizing with classification.config

config classification: successful-dos, Denial of Service, 2

http://www.linux.com/articles/29830
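As an added example (not part of the slides), the following Python snippet parses one alert in the "full" layout shown under "What snort logs" together with classification.config lines like the one above, so a triage script can sort alerts by priority and spot rules whose priority differs from their class default. The sample alert and classification lines are constructed for the demo; the names SAMPLE_ALERT, parse_alert, parse_classification, needs_attention and priority_override are mine, not Snort's.

```python
import re
# Constructed sample input: one alert in the "full" layout shown above, and two
# classification.config lines (the second is the one quoted on this page).
SAMPLE_ALERT = """\
[**] [1:1384:8] MISC UPnP malformed advertisement [**]
[Classification: Misc Attack] [Priority: 2]
02/23-10:20:29.041905 192.168.0.1:1900 -> 239.255.255.250:1900
UDP TTL:127 TOS:0x0 ID:17771 IpLen:20 DgmLen:346
Len: 318
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0877][Xref => http://www.securityfocus.com/bid/3723]
"""
SAMPLE_CLASSIFICATION = """\
config classification: misc-attack, Misc Attack, 2
config classification: successful-dos, Denial of Service, 2
"""
HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
CLASS_RE = re.compile(r"\[Classification: (.+?)\] \[Priority: (\d+)\]")
FLOW_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$", re.M)
XREF_RE = re.compile(r"\[Xref => (.+?)\]")

def parse_classification(text):
    """Map each classification description -> (classtype, default priority)."""
    classes = {}
    for line in text.splitlines():
        if line.startswith("config classification:"):
            name, desc, prio = [p.strip() for p in line.split(":", 1)[1].split(",")]
            classes[desc] = (name, int(prio))
    return classes

def parse_alert(text):
    """Pull the fields a triage script needs out of one full-format alert."""
    header, cls, flow = HEADER_RE.search(text), CLASS_RE.search(text), FLOW_RE.search(text)
    if not (header and cls and flow):
        raise ValueError("not a full-format Snort alert")
    return {"gid": int(header.group(1)), "sid": int(header.group(2)),
            "rev": int(header.group(3)), "msg": header.group(4),
            "classification": cls.group(1), "priority": int(cls.group(2)),
            "timestamp": flow.group(1), "xrefs": XREF_RE.findall(text),
            "src": (flow.group(2), int(flow.group(3))),
            "dst": (flow.group(4), int(flow.group(5)))}

def needs_attention(alert, worst_allowed=2):
    """Snort priorities count down: 1 is the most severe, so <= means 'at least this bad'."""
    return alert["priority"] <= worst_allowed

def priority_override(alert, classes):
    """Default priority from classification.config if the rule overrode it, else None."""
    default = classes.get(alert["classification"])
    return default[1] if default and default[1] != alert["priority"] else None
```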

What this means

Theory


Test

Practical IDS

➲ Choose a setup that is practical and cost effective for yourself or your business, yet offers a fast response to intrusions.

Setup Scripts

➲ Check /var/log/syslog for a line that looks like this:

➲ snort[1731]: Snort initialization completed successfully (pid=1731)

Setup Scripts

➲ /var/snort

➲ Go to the setup.txt file to demonstrate this.

SNORT Rules

➲ The rules are the vital part of snort. There are various categories of rules shipped with snort. They can be found in /etc/snort/, ending with *.rules.

OinkMaster

➲ “If you have many sensors, it can be a very difficult job to keep all the rules current on all of your sensors. A great tool for this task is Oinkmaster”

(http://www.snort.org/docs/setup_guides/deb-snort-howto.pdf)

Snort-Mysql

➲ Snort supports MySQL. In snort.conf:

# vim /etc/snort/snort.conf

Find the line below, uncomment it, and then add your appropriate values:

output database: log, mysql, user=snort password=mypass dbname=snort host=localhost

Restart snort and verify it is writing to the database. The easiest way is to get into mysql and run "select * from event"; you should see lots of events if you still have alerting going on for each packet or the icmp rule. Or you can run this command:

# mysql -uroot -pmypassword -D snort -e "select count(*) from event"

Points of Reference

➲ http://www.snort.org/docs/

➲ Google it!
➲ Snort
➲ Snort-mysql
➲ IDS
➲ Linux and snort
➲ Careers with IDS and snort

Misc. Section

➲ Snort in promiscuous mode

Poisoning the network

➲ I'm having a very annoying problem in my LAN: someone (or a virus?) is sending ARP messages like the following (in human words):

➲ "I am computer with mac de:ad:de:ad:de:ad and with IP <victim's IP> and I am asking everyone (destination MAC ff:ff:ff:ff:ff:ff): does anyone else have this IP?"

➲ http://www.webservertalk.com/message1217112.html

Question?

➲ How does Snort know it has been penetrated? It looks at the packets and examines the payload.

Conclusion

➲ Snort is a versatile and strong network IDS tool. When used correctly, a network admin can gain a great deal of network information at a low cost in overhead.