Snort - Lightweight Intrusion Detection for Networks
Martin Roesch
USENIX LISA ‘99 Conference
© Copyright 1999, Martin Roesch
Introducing Snort
• Snort is:
– Small (~110K source distribution)
– Portable (Linux, Solaris, *BSD, IRIX, HP-UX)
– Fast (high probability of detection for a given attack on “average” networks)
– Configurable (easy rules language, many reporting/logging options)
– Free (GPL/Open Source Software)
Snort Design
• Packet sniffing network intrusion detection system
• Libpcap-based sniffing interface
• Rules-based detection engine
• Multiple output options
– decoded logs, tcpdump formatted logs
– real-time alerting to syslog, file, winpopup
Detection Engine
• Rules form “signatures”
• Modular detection elements are combined to form these signatures
• Anomalous activity detection is possible
– stealth scans, OS fingerprinting, invalid ICMP codes, etc.
• Rules system is very flexible, and creation of new rules is relatively simple
Rules Format
alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any (flags: SF; msg: "SYN-FIN Scan";)
• Two sections to a rule
• rule header:
alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any
• rule options:
(flags: SF; msg: "SYN-FIN Scan";)
• Rule headers and options can be strung together in any combination
• Current version of Snort (1.3.1) has fourteen rule options available
Rule Header Features
• IP addresses
– negation, CIDR blocks
• TCP/UDP ports
– negation, ranges, greater than/less than
• uni/bi-directional port/address consideration
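As an added example, not code from the talk or from Snort itself: a small Python matcher for the rule header syntax described on the Rules Format and Rule Header Features slides. It handles "any", CIDR blocks, "!" negation, port ranges including the open-ended "lo:" and ":hi" forms, and both directions; it assumes "<>" is the bidirectional operator and matches against a simple packet dict. The rule is the SYN-FIN one from the slide, the packet records are constructed.

```python
import ipaddress

def parse_rule(text):
    """Split a Snort 1.x rule into its header fields and an option dict."""
    head, _, opts = text.partition("(")
    action, proto, src, sport, direction, dst, dport = head.split()
    pairs = (item.partition(":") for item in opts.rstrip(")").split(";"))
    options = {k.strip(): v.strip().strip('"') for k, _, v in pairs if k.strip()}
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}

def match_addr(spec, addr):
    """Address spec: 'any' or a CIDR block, with an optional leading '!' for negation."""
    body = spec.lstrip("!")
    net = ipaddress.ip_network("0.0.0.0/0" if body == "any" else body, strict=False)
    return (ipaddress.ip_address(addr) in net) != spec.startswith("!")

def match_port(spec, port):
    """Port spec: 'any', N, 'lo:hi', 'lo:' (at least lo), ':hi' (at most hi), optional '!'."""
    body = ":" if spec.lstrip("!") == "any" else spec.lstrip("!")
    if ":" in body:
        lo, hi = body.split(":")
        hit = (not lo or int(lo) <= port) and (not hi or port <= int(hi))
    else:
        hit = port == int(body)
    return hit != spec.startswith("!")

def header_matches(rule, pkt):
    """Apply the header; '<>' (assumed to be the bidirectional operator) also tries the reverse."""
    if rule["proto"] != pkt["proto"]:
        return False
    def side(a, ap, b, bp):
        return (match_addr(rule["src"], a) and match_port(rule["sport"], ap)
                and match_addr(rule["dst"], b) and match_port(rule["dport"], bp))
    if side(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]):
        return True
    return rule["dir"] == "<>" and side(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])

def rule_fires(rule, pkt):
    """Header check plus the 'flags' option: an exact TCP flag set, as in the SF example."""
    want = rule["options"].get("flags")
    return header_matches(rule, pkt) and (want is None or set(want) == set(pkt.get("flags", "")))

# Constructed sample input: the slide's SYN-FIN rule and two packet records (not real captures).
RULE = parse_rule('alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any (flags: SF; msg: "SYN-FIN Scan";)')
PKT_OUTSIDE = {"proto": "tcp", "src": "192.0.2.7", "sport": 4444, "dst": "10.1.1.5", "dport": 80, "flags": "SF"}
PKT_INSIDE = {"proto": "tcp", "src": "10.1.1.9", "sport": 4444, "dst": "10.1.1.5", "dport": 80, "flags": "SF"}
```

The negated source address is what keeps PKT_INSIDE from firing: the header matches only when the source is outside 10.1.1.0/24.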
Rule Option Features
• IP TTL
• IP ID
• Fragment size
• TCP Flags
• TCP Ack number
• TCP Seq number
• Payload size
• Content
• Content offset
• Content depth
• Session recording
• ICMP type
• ICMP code
• Alternate log files
Uses for Snort
• Standard packet sniffing NIDS
• Honeypot monitor
• Scan detection/traps
• Other fun stuff
Packet Sniffing NIDS
• Load up a good rules set and let it run!
– www.whitehats.com
• Automatically generates alerts and logs full packet data
• Alternative alerting/actions can be handled by something like Swatch
– email alerts, active response, etc.
Honeypot Monitor
• Honeypots are “deception systems” that perform intrusion detection by inclusion
– Gets rid of all the false alarms!
• Use Snort’s filtering capability to log only the traffic (but all the traffic!) going to the honeypot
• Post process the data with a good ruleset
Scan Detection/Traps
• Snort has no formal port scan detection mechanism
• Set up rules to log traffic to known closed ports & unused addresses
• Poor man’s honeypot/port scan detector
alert tcp any any -> 10.1.1.0/24 100:600 (flags: S; msg: "TRAP!";)
Other Fun Stuff
• Snort is a packet sniffer, can be used to analyze traffic in real-time
• Motivated people can write rules to pick up all sorts of naughty things
– SQL/ODBC, ActiveX, Java/JavaScript, Macro Viruses
Other Fun Stuff (Cont.)
• SHADOW sensor replacement
• SHADOW is a free NIDS based on tcpdump
• Snort can use the SHADOW BPF rule set, plus its own!
• Gains:
– real-time alerting, payload analysis, rules simplicity, post-processing, etc.
The Future!
• Snort 1.5-2.0
– New plugin architecture
– Write detection modules and add them to rule set
– Hooks for preprocessors
• ip defrag, TCP stream reassembly, statistics, etc
– Hooks for backend/output
• database, SNMP, tunnels, etc.
FIN
• Get Snort from:
<www.clark.net/~roesch>
• E-mail me:
<roesch@clark.net>
• Writing Snort rules:
<www.clark.net/~roesch/snort_rules.html>