SNORT
Presented by Xinchi He
April 10, 2014
WHAT IS SNORT?
 Open source network intrusion prevention and detection system
 Mostly widely deployed IDS/IPS technology worldwide
 Millions of downloads
 400,000 registered users
 De facto standard for IPS
WHAT IS IDS?
 Intrusion detection system
 Device or software application that monitors network or system
activities for malicious activities or policy violations and produces
reports to a management station.
 Network based IDS (NIDS)
 Host based IDS (HIDS)
HOW DOES IDS WORK?
 Signature-based IDS
 Compare against a database of signatures (known malicious threats)
 Similar to most antivirus software detect malware
 Check and update signatures in a period of time.
 Statistical anomaly-based IDS
 Compare against an established baseline
 Bandwidth generally used
 Protocols generally used
 Ports and devices generally connected to
SOME COMMON ATTACKS
 Nuke
 Invalid ICMP packets send to the target
 Use modified ping utility to repeatedly send corrupt data
 Slow down the machine until it stops
 WinNuke (WIn95 NetBIOS)
 Teardrop
 Send IP fragments with overlapping, over-sized payloads to target machine
 TCP/IP fragmentation re-assembly bug
 Linux favors new data
 Windows favors old data
WHY SNORT?
 Open source
 Light weighted
 Flexible
SNORT RULE BASICS
<Rule Acrions> <Protocols> <SRC IP> <SRC Port> <Direction Operator> <DST IP>
<DST Port> (rule options)
Stucture
Example
Rule Actions
alert
Protocols
icmp/tcp/udp
Source IP Address
any/129.244.55.11
Source Port
any/80/21/3389
Direction Operator
->/<>
Destination IP Address
any/129.244.254.100
Destination Port
any/80/8080
(rule options)
(msg:”demo”,sid:447;rev:3)
REFERENCE
 http://en.wikipedia.org/wiki/Denial-of-service_attack
 http://en.wikipedia.org/wiki/Intrusion_detection_system
 http://www.snort.org
 http://www.thegeekstuff.com/2010/08/snort-tutorial/
QUESTIONS?