Intrusion Detection using Snort
Session E6

Contact Information
• Matthew Hicks, CISSP, GCIA
• Senior Information Security Analyst
• Children’s National Medical Center, Washington DC
• mhicks@cnmc.org
Responsibilities
• Intrusion Detection Analysis
• Security Investigations
• Maintain Security Perimeter
  – Firewall
  – IDS
  – VPN
• Anything and everything else
Agenda
• Quick Survey
• Introduction to Intrusion Detection
• Snort Overview
• Using Snort
• Live Demo
A Quick Survey
• How many consider themselves Intrusion Analysts?
  – Training
  – Reviewing data packets on a regular basis
• Does anyone currently support an IDS?
  – Review of logs
  – Update signatures
  – Dedicated staff
Food for Thought
• You would be surprised at the number of organizations who have installed an IDS but do not monitor it
• Staff supporting the IDS are not trained as Intrusion Analysts
• Some organizations have installed an IDS but do not update it or add signatures
• The result is the organization claims the IDS is not working and will shut it off
• DO NOT LET THE IDS BECOME OBSOLETE AS SHELFWARE OR FLOORWARE
What do you think?
From: www.infosecuritymag.com/articles/august01/cover.shtml
“An IDS is like a Christmas puppy,” says Pete Lindstrom, senior security analyst at Hurwitz Group, “at first, it sounds like a great idea but then once you get the thing, you’re thinking like, ‘oh my god I have got to care for this and it’s a lot more work than I thought.’”
Introduction to Intrusion Detection

Intrusion Detection: Not just one Piece
You must have the support staff!
• URL Filtering
• IDS
• Firewall
• Email Filtering
• Virus Scanning
• Procedures and Policies
• Audit and Monitoring
The firewall stopped 3100 hits of the SQL-Slammer worm on Jan 25th.
Intrusion Analysis Tools
• Ethereal
  – www.ethereal.com
  – Sniffs the network to show and capture traffic
• Windump or Tcpdump
  – windump.polito.it
  – www.tcpdump.org
  – Dumps data packets based on a set of filters and parameters for future analysis
• Snort IDS
  – www.snort.org
SQL Slammer worm: Real Life Story
• The SQL Slammer worm was released on Jan 24th
• The worm began to swamp the internet, affecting one bank’s ATM system and an online reservation system
• My firewall recorded 3100 hits in 5 hours
• My systems were not affected by this worm because I had configured the firewall against unauthorized traffic
• The SQL Server Resolution Service, which operates on UDP port 1434, provides a way for clients to query for the appropriate network endpoints to use for a particular SQL Server instance.
Slammer Worm
• How to tell whether a packet is bad or not?
• How to tell if the IDS alert is a false positive or not?
• The key here is Intrusion Analysis
• Capture and look at the data packet
• We will look at the example of the SQL Slammer Worm
SQL Slammer Worm
Packet trace; the slide’s callouts label the Kernel32.dll and Ws2_32.dll strings visible in the ASCII column:
02/04-14:46:04.168266 xxx.xxx.0.210:1115 -> xxx.xxx.72.29:1434
UDP TTL:111 TOS:0x0 ID:16303 IpLen:20 DgmLen:404
Len: 384
0x0000: 00 04 9A D0 DA 24 00 30 94 CB 73 E1 08 00 45 00 .....$.0..s...E.
0x0010: 01 94 3F AF 00 00 6F 11 63 FA 8E B0 00 D2 CF 10 ..?...o.c.......
0x0020: 48 1D 04 5B 05 9A 01 80 8A 40 04 01 01 01 01 01 H..[.....@......
0x0030: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0x0040: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0x0050: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0x0060: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0x0070: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0x0080: 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0 42 EB ..............B.
0x0090: 0E 01 01 01 01 01 01 01 70 AE 42 01 70 AE 42 90 ........p.B.p.B.
0x00A0: 90 90 90 90 90 90 90 68 DC C9 B0 42 B8 01 01 01 .......h...B....
0x00B0: 01 31 C9 B1 18 50 E2 FD 35 01 01 01 05 50 89 E5 .1...P..5....P..
0x00C0: 51 68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E Qh.dllhel32hkern
0x00D0: 51 68 6F 75 6E 74 68 69 63 6B 43 68 47 65 74 54 QhounthickChGetT
0x00E0: 66 B9 6C 6C 51 68 33 32 2E 64 68 77 73 32 5F 66 f.llQh32.dhws2_f
0x00F0: B9 65 74 51 68 73 6F 63 6B 66 B9 74 6F 51 68 73 .etQhsockf.toQhs
0x0100: 65 6E 64 BE 18 10 AE 42 8D 45 D4 50 FF 16 50 8D end....B.E.P..P.
SQL Slammer Worm
• Causes SQL Server to stop responding by using a buffer overflow
  – See the 04 in the previous slide
• Writes garbage data to the buffer
  – See the ‘01010101010101010101010’ in the previous slide
• Accesses kernel32.dll and ws2_32.dll
  – See previous slide
• 100% memory resident – no files written to the hard drive
• Remove the infection by rebooting the server, but it is easily reinfected if not patched
• Must load Win2K SP3 to protect against this worm
  – Some SQL applications are not certified for SP3

SQL Slammer Worm
• Snort rule to detect the Slammer worm:
  alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send";
  – Your challenge is to find the above data following the content option in the previous packet trace.
• We will discuss Snort rules shortly
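As an added example (not code from the slides), the following script decodes the hex dump printed above and applies the rule’s content options to the UDP payload, the way the "challenge" asks you to do by eye. It assumes the dump is an Ethernet/IPv4/UDP frame, which the slide’s own header line (UDP, IpLen:20) supports; because the slide printed only the first 0x110 bytes, the |81 F1 ...| pattern is expected not to be found in this truncated trace.

```python
# Added example (not from the slides): decode the Snort hex dump of the
# Slammer packet shown above and apply that rule's content checks to it.

# Hex dump copied from the slide, ASCII column dropped. Only the first 0x110
# bytes of the 418-byte frame were printed there, so the trace is truncated.
SLIDE_HEXDUMP = """
0x0000: 00 04 9A D0 DA 24 00 30 94 CB 73 E1 08 00 45 00
0x0010: 01 94 3F AF 00 00 6F 11 63 FA 8E B0 00 D2 CF 10
0x0020: 48 1D 04 5B 05 9A 01 80 8A 40 04 01 01 01 01 01
0x0030: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
0x0040: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
0x0050: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
0x0060: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
0x0070: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
0x0080: 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0 42 EB
0x0090: 0E 01 01 01 01 01 01 01 70 AE 42 01 70 AE 42 90
0x00A0: 90 90 90 90 90 90 90 68 DC C9 B0 42 B8 01 01 01
0x00B0: 01 31 C9 B1 18 50 E2 FD 35 01 01 01 05 50 89 E5
0x00C0: 51 68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E
0x00D0: 51 68 6F 75 6E 74 68 69 63 6B 43 68 47 65 74 54
0x00E0: 66 B9 6C 6C 51 68 33 32 2E 64 68 77 73 32 5F 66
0x00F0: B9 65 74 51 68 73 6F 63 6B 66 B9 74 6F 51 68 73
0x0100: 65 6E 64 BE 18 10 AE 42 8D 45 D4 50 FF 16 50 8D
"""

# The content options of the rule above, in rule order; depth limits how far
# into the payload Snort looks for the pattern (None = whole payload).
RULE_CONTENTS = [
    (b"\x04", 1),                                 # content:"|04|"; depth:1
    (bytes.fromhex("81F10301049B81F101"), None),  # content:"|81 F1 03 01 04 9B 81 F1 01|"
    (b"sock", None),                              # content:"sock"
    (b"send", None),                              # content:"send"
]

def hexdump_to_bytes(dump):
    """Turn 'offset: xx xx ...' lines into the raw frame bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        out += bytes.fromhex(line.partition(":")[2].replace(" ", ""))
    return bytes(out)

def udp_payload(frame):
    """Strip Ethernet (14), IPv4 (IHL*4) and UDP (8) headers; return (dst_port, payload)."""
    if frame[12:14] != b"\x08\x00" or frame[14 + 9] != 17:   # EtherType IPv4, protocol UDP
        raise ValueError("not an IPv4/UDP frame")
    ihl = (frame[14] & 0x0F) * 4
    udp = frame[14 + ihl:]
    return int.from_bytes(udp[2:4], "big"), udp[8:]

def check_rule(payload):
    """Return {pattern: matched} for each content option of the rule."""
    results = {}
    for pattern, depth in RULE_CONTENTS:
        window = payload if depth is None else payload[:depth]
        results[pattern] = pattern in window
    return results

if __name__ == "__main__":
    dst_port, payload = udp_payload(hexdump_to_bytes(SLIDE_HEXDUMP))
    print(f"UDP dst port {dst_port}, {len(payload)} payload bytes in the truncated trace")
    for pattern, hit in check_rule(payload).items():
        print(f"  {pattern!r:32} {'found' if hit else 'not in the printed bytes'}")
```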
What Is an IDS?
Basic components
• Traditional software design:
  – Input
  – Processing
  – Output
• IDS components
  – Collection (Input)
  – Analysis (Processing)
  – Reporting (Output)
IDS Data Flowchart
(diagram: COLLECTION by 1 to n sensors, numbered 1, 2, 3, 4 … n, feeding ANALYSIS, which feeds REPORTING)
Overview of Snort

Snort Is . . .
• A lightweight Network Intrusion Detection System (NIDS)
  – Compact, efficient code
  – Light load on the system running it
  – Fast execution
• Flexible:
  – Highly configurable
  – Broadly scalable
• Multi-platform
  – There are performance problems running under Windows
• Most important of all… Free!
More about Snort
• Winpcap or Libpcap-based packet sniffing
  – A system-independent interface for packet capture. It provides a portable framework for low-level network monitoring in the form of include files and a library that can be linked against, as is done with the Tcpdump package.
• Rules-based detection engine
  – Completely user programmable and configurable
• Plug-in based extensibility
  – Pre-processors, detection, output plug-ins
Snort Data Flow
(diagram: Packet Stream Sniffing -> SNORT: Packet Decoder -> Pre-Processor <Plug-Ins> -> Detection Engine <Plug-Ins> -> Post-Processor & Output Stage <Plug-Ins> -> Alerts/Logs)
Snort Packet Decoder
(diagram: packet taken from the network, decoded layer by layer: Ethernet -> IP header -> Protocol -> worm payload)

Snort Packet Decoder (2)
(diagram: the same decoding, Ethernet -> IP header -> Protocol -> worm payload, applied to packets read from a tcpdump binary file)
Introduction to Snort Usage

In This Section
• Basic invocation using the command line
• Logging & options
  – Directory sort (default)
  – Binary dump (tcpdump format)
  – Off (no logging)
• Alerts & options
  – Alert types
  – Alert delivery options
• Rules
  – Rule file specification
  – Rule types
Running Snort
• Invoking Snort with no arguments just generates a usage / options message
• To do something, at least one of the following is required:
  -v        Verbose, dump decoded packets to stdout
  -c <fn>   Use rules file <fn>
  -b        Binary dump undecoded packets into a file (tcpdump format)
Example: Basic Invocation
> snort -v
Initializing Network Interface ep1
Decoding Ethernet on interface ep1
-*> Snort! <*-
Version 1.6.1-beta1
By Martin Roesch (roesch@clark.net, www.clark.net/~roesch)
06/28-16:58:19.877894 204.89.131.233:80 -> MY.NET.150.160:1412
TCP TTL:119 TOS:0x0 ID:13696 DF
******A* Seq: 0x101AEB1   Ack: 0x9A5FA7   Win: 0x2001
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/28-16:58:19.877998 MY.NET.150.160:1412 -> 204.89.131.233:80
TCP TTL:127 TOS:0x1A ID:43538 DF
******A* Seq: 0x9A5FA7   Ack: 0x101B461   Win: 0x1C7C
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/28-16:58:19.878182 209.252.154.64:1899 -> MY.NET.253.114:80
TCP TTL:20 TOS:0x0 ID:16420 DF
*****PA* Seq: 0xB3B219C   Ack: 0x30A1394B   Win: 0x2176
Example: Getting More Detail
> snort -vd
Initializing Network Interface ep1
Decoding Ethernet on interface ep1
-*> Snort! <*-
Version 1.6.1-beta1
By Martin Roesch (roesch@clark.net, www.clark.net/~roesch)
06/28-17:02:33.761442 208.188.32.226:64302 -> MY.NET.70.121:7777
UDP TTL:116 TOS:0x0 ID:45845
Len: 37
29 CA 48 03 01 BC 82 B9 6A DE B4 50 07 CA D6 48  ).H.....j..P...H
04 00 9C CB 8B A1 89 01 1C 11 CA BB 21           ............!
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/28-17:02:33.761503 MY.NET.20.10:39850 -> 216.115.105.60:80
TCP TTL:63 TOS:0x0 ID:62903
**S***** Seq: 0xA2DD19C5   Ack: 0x0   Win: 0x2000
TCP Options => MSS: 1460
Logging
• Snort supports three kinds of logging
  1. Directory sort:
     – Decodes packets and sorts the results into different directories by IP and port
     – Default method
  2. Binary dump:
     – Stores raw packet data in a binary file
  3. Off:
     – Logging disabled
Setting the logging directory
• By default, logs go to the directory
  – /var/log (unix)
  – /snort/log (win32)
• Command line option: -l <logdir>
  – Redirects logs to directory <logdir>
Logging 1
./log/131.118.254.130/TCP:1959-119
06/28-17:08:16.561137 131.118.254.130:1959 -> MY.NET.1.6:119
TCP TTL:61 TOS:0x0 ID:32792 DF
*****PA* Seq: 0xA017051A   Ack: 0xA5356082   Win: 0x4470
25 5E 45 2B 26 0D 0A 4D 42 41 53 2D 53 45 45 31  %^E+&..MBAS-SEE1
2A 24 4C 51 3D 3B 39 60 37 27 37 2B 29 38 46 43  *$LQ=;9`7'7+)8FC
56 29 38 30 41 3E 2A 46 24 27 56 31 4E 2A 46 44  V)80A>*F$'V1N*FD
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/28-17:08:16.571185 MY.NET.1.6:119 -> 131.118.254.130:1959
TCP TTL:63 TOS:0x0 ID:6910 DF
******A* Seq: 0xA5356082   Ack: 0xA0178846   Win: 0x5B40
00 00 00 00 00 00                                ......
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/28-17:08:16.651944 MY.NET.1.6:119 -> 131.118.254.130:1959
TCP TTL:63 TOS:0x0 ID:6976 DF
******A* Seq: 0xA5356082   Ack: 0xA019428A   Win: 0x5B40
00 00 00 00 00 00                                ......
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Logging 2
• Reading from a binary dump
> snort -v -r ./log/snort-0628@1738.log
Initializing Network Interface ep0
snaplen = 1514
Entering readback mode..
-*> Snort! <*-
Version 1.6.1-beta1
By Martin Roesch (roesch@clark.net, www.clark.net/~roesch)
06/28-17:38:40.456070 61.139.8.125:80 -> MY.NET.20.10:29568
TCP TTL:43 TOS:0x0 ID:28329 DF
******A* Seq: 0xE43A5DAA   Ack: 0xC59E5EB8   Win: 0x7D78
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/28-17:38:40.456164 MY.NET.20.10:41771 -> 216.200.16.77:80
TCP TTL:63 TOS:0x0 ID:10919
******A* Seq: 0x55CFD22   Ack: 0x5554AECE   Win: 0x2238
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/28-17:38:40.456371 MY.NET.20.10:41771 -> 216.200.16.77:80
TCP TTL:63 TOS:0x0 ID:10920
*****PA* Seq: 0x55CFD22   Ack: 0x5554AECE   Win: 0x2238
Logging 3: Disabled
• Command line option: -N
  – Turns off all logging functions
> snort -v -N
Initializing Network Interface ep1
Decoding Ethernet on interface ep1
-*> Snort! <*-
Version 1.6.1-beta1
By Martin Roesch (roesch@clark.net, www.clark.net/~roesch)
06/30-14:05:39.359582 204.117.117.22:1318 -> MY.NET.151.20:1704
UDP TTL:116 TOS:0x0 ID:47822
Len: 789
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/30-14:05:39.359726 MY.NET.20.10:2672 -> 216.111.248.10:80
TCP TTL:63 TOS:0x0 ID:52617
**S***** Seq: 0x7B372741   Ack: 0x0   Win: 0x2000
TCP Options => MSS: 1460
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Alerting
• Alerts are “special actions” that Snort can take in response to different packets.
• Definition of these actions is in the rules file, but the format and delivery of alerts is specified on the Snort command line.
Snort Alert Types
• Command line option: -A <type>, where <type> is one of the following:
  – full   Full alert (default)
    · Full text with detail of the packet that triggered the alert
  – fast   Fast alert
    · Abbreviated alert with packet header information
  – none   No alert
    · Disables the alert function
Snort Alert Delivery
• By default all alerts go to a file named “alert” in the logging directory
• Command line option: -s
  – Directs alerts to the syslog
• Command line option: -M <smb-hosts-file>
  – Sends WinPopup messages to the list of workstations contained in the smb-hosts-file
Rules, Filters, and Modules
• Filters
  – Narrow the selection of packets at collection
• Rules
  – Specify processing and response
• Modules
  – Pre- and Post-Processors
Snort Rules
• Rules are the core of Snort’s flexibility
• Specified in a rules file
• Actions:
  – Alert: generate an alert message and log the packet
  – Log: log the packet
  – Pass: ignore the packet
• Order of evaluation: Alert-Pass-Log
  – The -o option changes this to Pass-Alert-Log
• Command line option: -c <rules file>
A Word on CIDR notation
• Classless Inter-Domain Routing – used to identify the network Snort is protecting
  – MY.0.0.0/8
    · Class A network MY.x.x.x
  – MY.NET.0.0/16
    · Class B network MY.NET.x.x
  – MY.NET.WORK.0/24
    · Class C network MY.NET.WORK.x
  – MY.NET.WORK.135/32
    · Indicates a specific host (135) on the class C MY.NET.WORK network
Snort Session with Rules
• A simple rules file:
  var HOME_NET MY.NET.0.0/16
  alert tcp any any -> $HOME_NET 21
• HOME_NET is the private network you are protecting with the SNORT IDS.
  – E.g. internal network = 192.168.1.0, HOME_NET = MY.NET.1.0
Snort Session with Rules (2)
• The first line defines the variable $HOME_NET to be MY.NET.0.0/16
• The second line specifies that an alert be generated for every packet that is:
  – alert tcp any any -> $HOME_NET 21
  – A tcp packet
  – From any source IP
    · From any source port
  – To any destination within $HOME_NET
    · To destination port 21
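The following is an added example, not Snort’s own code: a toy evaluator for the rule-header syntax from the "Snort Rules", "A Word on CIDR notation" and "Snort Session with Rules" slides. It resolves $VARIABLEs and CIDR addresses, and applies the Alert-Pass-Log evaluation order (Pass-Alert-Log when -o is given); the rules file and packets are constructed, with 10.1.0.0/16 standing in for MY.NET.0.0/16.

```python
# Added example, not Snort's own code: a toy evaluator for the rule-header
# syntax on these slides (var, CIDR addresses, any) and the action order.
import ipaddress

def parse_rules(text):
    """Parse 'var NAME value' lines and rule headers; option bodies are ignored."""
    variables, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("var "):
            _, name, value = line.split(None, 2)
            variables[name] = value
            continue
        action, proto, src, sport, _arrow, dst, dport = line.split("(", 1)[0].split()
        rules.append({"action": action, "proto": proto, "src": src,
                      "sport": sport, "dst": dst, "dport": dport})
    return variables, rules

def address_matches(spec, variables, ip):
    """'any', a $VARIABLE, or a CIDR block such as MY.NET.0.0/16 on the slide."""
    spec = variables[spec[1:]] if spec.startswith("$") else spec
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def rule_matches(rule, variables, pkt):
    return (rule["proto"] == pkt["proto"]
            and address_matches(rule["src"], variables, pkt["src"])
            and port_matches(rule["sport"], pkt["sport"])
            and address_matches(rule["dst"], variables, pkt["dst"])
            and port_matches(rule["dport"], pkt["dport"]))

def decide(rules, variables, pkt, pass_first=False):
    """First match wins, in Alert-Pass-Log order (Pass-Alert-Log when -o is given)."""
    order = ["pass", "alert", "log"] if pass_first else ["alert", "pass", "log"]
    for action in order:
        for rule in rules:
            if rule["action"] == action and rule_matches(rule, variables, pkt):
                return action
    return None   # no rule matched: the packet is neither alerted on nor logged

# Constructed rules file: the slide's FTP rule plus a pass rule for one trusted
# host and a log rule for SQL Server Resolution Service traffic (UDP 1434).
RULES = """
var HOME_NET 10.1.0.0/16
alert tcp any any -> $HOME_NET 21
pass tcp 10.1.5.5/32 any -> $HOME_NET 21
log udp any any -> $HOME_NET 1434
"""

if __name__ == "__main__":
    variables, rules = parse_rules(RULES)
    ftp = {"proto": "tcp", "src": "10.1.5.5", "sport": 40000, "dst": "10.1.60.11", "dport": 21}
    print(decide(rules, variables, ftp))                   # alert: alert rules are checked first
    print(decide(rules, variables, ftp, pass_first=True))  # pass: with -o the pass rule wins
```

Note that without -o the pass rule for the trusted host never gets a chance to fire, which is exactly why the slide lists the evaluation order.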
Rules Session Output
• Snort command with the -c option:
> snort -l ./log -c ./rules/myrules
Initializing Network Interface ep1
Decoding Ethernet on interface ep1
Initializing Preprocessors!
------------------------------------------------
Keyword              |  Preprocessor @
------------------------------------------------
http_decode          :  0xd0d4
minfrag              :  0xd2fc
portscan             :  0xdfa0
portscan-ignorehosts :  0xea30
defrag               :  0x10544
-------------------------------------------------
Rules Session Output
• Now we look in the ./log directory
> ls ./log
209.70.98.152
210.229.79.62
212.170.18.20
213.228.3.197
alert
• Note: Default style logging (IP sorted by subdirectory) occurred since we didn’t use the -N option
Rules Session Output (7)
> cat ./log/alert
[**] Snort Alert! [**]
06/30-14:58:42.567915 209.70.98.152:1168 -> MY.NET.60.11:21
TCP TTL:117 TOS:0x0 ID:28726 DF
*****PA* Seq: 0x48B9BE1   Ack: 0xFF900F0   Win: 0x1EC2

[**] Snort Alert! [**]
06/30-14:58:42.675093 209.70.98.152:1168 -> MY.NET.60.11:21
TCP TTL:117 TOS:0x0 ID:29238 DF
*****PA* Seq: 0x48B9C03   Ack: 0xFF90122   Win: 0x1E90

…

[**] Snort Alert! [**]
06/30-14:58:50.565715 213.228.3.197:32575 -> MY.NET.253.105:21
TCP TTL:50 TOS:0x0 ID:37043 DF
*****PA* Seq: 0x85115725   Ack: 0x176C2565   Win: 0x2238
TCP Options => NOP NOP TS: 7979439 31450159

[**] Snort Alert! [**]
06/30-14:58:50.771597 213.228.3.197:32575 -> MY.NET.253.105:21
TCP TTL:50 TOS:0x0 ID:37361 DF
******A* Seq: 0x8511572C   Ack: 0x176C257D   Win: 0x2238
TCP Options => NOP NOP TS: 7979439 31450160
2nd Snort Session with Rules
• A slightly different Snort command with the options: -N -c -A fast
> snort -l ./log -c ./rules/myrules -N -A fast
Initializing Network Interface ep1
Decoding Ethernet on interface ep1
Initializing Preprocessors!
------------------------------------------------
Keyword              |  Preprocessor @
------------------------------------------------
http_decode          :  0xd0d4
minfrag              :  0xd2fc
portscan             :  0xdfa0
portscan-ignorehosts :  0xea30
defrag               :  0x10544
-------------------------------------------------
2nd Rules Session Output
• Now we look in the ./log directory
> ls ./log
alert
• Note: Default logging was suppressed by the -N option but alerts were still allowed to be recorded
2nd Rules Session Output (3)
• Note: Alerts are in abbreviated form due to the option: -A fast
> cat ./log/alert
06/30-18:03:30.238623 206.136.246.12:3433 -> MY.NET.60.16:21
06/30-18:03:30.352807 206.136.246.12:3433 -> MY.NET.60.16:21
06/30-18:03:30.627864 206.136.246.12:3433 -> MY.NET.60.16:21
06/30-18:03:30.627991 206.136.246.12:3433 -> MY.NET.60.16:21
06/30-18:03:30.761860 206.136.246.12:3433 -> MY.NET.60.16:21
06/30-18:03:31.688452 206.136.246.12:3433 -> MY.NET.60.16:21
06/30-18:03:31.764592 206.136.246.12:3433 -> MY.NET.60.16:21
06/30-18:03:31.842841 206.136.246.12:3433 -> MY.NET.60.16:21
06/30-18:03:32.036428 206.136.246.12:3433 -> MY.NET.60.16:21
06/30-18:03:32.210022 206.136.246.12:3433 -> MY.NET.60.16:21
06/30-18:03:32.373553 206.136.246.12:3433 -> MY.NET.60.16:21
06/30-18:03:32.517695 206.136.246.12:3433 -> MY.NET.60.16:21
06/30-18:03:32.619376 206.136.246.12:3433 -> MY.NET.60.16:21
06/30-18:03:32.694124 206.136.246.12:3433 -> MY.NET.60.16:21
Sample Rules
Here are some illustrative rules:
• Note the ‘msg’ option:
  alert tcp 195.11.50.204/32 any -> $HOME_NET any (msg:"GIAC 08-feb-2000";)
• Note the ‘content’ option:
  alert udp any any -> $HOME_NET any (msg:"Trin00 password"; content:"[]..Ks";)

Sample Rules (2)
• Note the ‘flags’ option:
  alert tcp any any -> $HOME_NET any (msg:"Possible Queso Fingerprint attempt"; flags: S12;)
• All of the above:
  alert tcp any any -> $HOME_NET 80 (msg:"IIS Showcode access attempt"; content:"/msads/Samples/SELECTOR/showcode.asp"; flags: PA;)
• And there are many, many other options, and combinations of options
Writing Snort Rulesets
• Snort rules are simple and extremely flexible. For a more in-depth treatment of writing rulesets, it is more than worth your while to look at the docs at www.snort.org
Snort with filters
• Snort can accept tcpdump-style filters
  – These filters work at the “front end” of Snort
  – Only packets passed by the filters will be processed by the rules
  – Example:
    snort -v 'tcp[13] & 3 != 0'
    · Accepts only packets that have either the SYN or the FIN bit set (or both)
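An added example (not from the slides) showing what the filter above and the ‘flags’ option on the Sample Rules slides actually test: tcp[13] is the TCP flags byte, 3 is SYN|FIN, and flags: S12 or flags: PA is an exact match on the named bits (Snort 1.x semantics, assumed here). It also renders the flags byte in the column format seen in the Snort 1.6 output on these slides (**S*****, ******A*, *****PA*); the TCP header is constructed.

```python
# Added example, not from the slides: how the tcpdump filter 'tcp[13] & 3 != 0'
# and the Snort 'flags:' option read the TCP flags byte, plus the **S***** rendering.
FIN, SYN, RST, PSH, ACK, URG, RES1, RES2 = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
FLAG_CHARS = {"F": FIN, "S": SYN, "R": RST, "P": PSH, "A": ACK, "U": URG, "1": RES1, "2": RES2}

def make_tcp_header(sport, dport, flags):
    """Constructed minimal 20-byte TCP header (no options) with the given flags byte."""
    return (sport.to_bytes(2, "big") + dport.to_bytes(2, "big") + bytes(8)
            + bytes([0x50, flags]) + bytes(6))

def bpf_syn_or_fin(tcp_header):
    """The slide's filter: tcp[13] is the flags byte and 3 = SYN|FIN, i.e. 'SYN or FIN set'."""
    return tcp_header[13] & 3 != 0

def snort_flags_match(spec, flags):
    """Snort 1.x 'flags:' option (assumed exact match): the listed bits and no others are set."""
    wanted = 0
    for ch in spec:
        wanted |= FLAG_CHARS[ch]
    return flags == wanted

def snort_flag_column(flags):
    """Render the flags byte the way the Snort 1.6 output on these slides does (2 1 S F R P A U)."""
    order = (("2", RES2), ("1", RES1), ("S", SYN), ("F", FIN),
             ("R", RST), ("P", PSH), ("A", ACK), ("U", URG))
    return "".join(ch if flags & bit else "*" for ch, bit in order)

if __name__ == "__main__":
    samples = (("SYN", SYN), ("ACK", ACK), ("PSH+ACK", PSH | ACK), ("Queso probe", SYN | RES1 | RES2))
    for name, flags in samples:
        hdr = make_tcp_header(2672, 80, flags)
        print(f"{name:12} {snort_flag_column(flags)}  passes filter: {bpf_syn_or_fin(hdr)}"
              f"  flags:S12 matches: {snort_flags_match('S12', flags)}")
```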
Snort with filters (2)
• Filters can be put at the end of Snort commands (see previous example)
• Filters can also reside in a file
• Command line option: -F <filter file>
  – Reads filters into the Snort process from <filter file>
Snort Plug-Ins
• Snort allows you to add new modules and to activate existing ones that come with the distribution
  – Additions are compiled as object code and activated as usual
  – Activation takes place in the rules file
• A wide variety of modules are available
  – One nifty module searches the packet stream for scanning behavior
Snort Plug-In Types
• Preprocessor
  – Packets are examined/manipulated before being handed to the detection engine
• Detection
  – Perform single, simple tests on a single aspect/field of the packet
• Output
  – Report results from the other plug-ins
Ways to use Snort
• Real-time traffic analysis
  – Watching the packets go by live (do you have a quiet, peaceful network? How fast can you read?)
• Packet logging
  – Collecting packets in raw form for later analysis
  – Creating logs of decoded packets for later analysis
• Stored log analysis
  – Reading raw packet files for in-depth analysis
What Can Come Out of Snort
• Standard output (decoded packets)
• Binary dump (raw packets)
• Snort default logging scheme
• Text messages going to text files
  – Syslog-based logging
  – Other log files (like alert)
• Notifications
  – Samba-based pop-up windows
  – Other alerting modules (e.g. paging)
• Responses
  – Auto-responses (e.g. dropping connections)
Do It Yourself: Building a Larger Framework

Very Simple
(diagram: Packet Stream Sniffing -> tcpdump process, driven by a filter file -> To Log File)

Less Simple
(diagram: Packet Stream Sniffing -> SNORT, driven by a rules file -> To Alert File -> Alert File -> Cron Report Generator -> To Email)

Even Less Simple
(diagram: only the same labels as on the previous slide survive in the text: Packet Stream Sniffing, SNORT, rules file, To Alert File, Alert File, Cron Report Generator, To Email)
Correlation
• Network traffic logs can be used to correlate with data in other records (system logs, authentication logs)
• If inappropriate or illegal activity is suspected, network log correlation can be used to justify closer scrutiny of things like e-mail and network session content
• On hearing the description of “correlation”, a Maryland State trooper replied that he called it “probable cause”.
Correlation: Examples
• A daily report from system logs identifies any user with more than 10 authentication failures in one day from an external site
• Network traffic logs may show other questionable activity from that site
• BlackIce on a desktop NT machine shows a DNS probe from an external site
• Network traffic logs show a complete scan of the internal network on port 53
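The first correlation above, as an added example that is not part of the slides: count authentication failures per external source and user from constructed syslog-style sshd lines, flag sources over the 10-per-day threshold, and attach the Snort -A fast alerts (in the shape shown on the "2nd Rules Session Output (3)" slide) seen from the same address. The log lines, addresses and the internal-prefix list are all constructed for the example.

```python
# Added example, not from the slides: the correlation described above, run
# over constructed system-log and Snort fast-alert lines.
import re
from collections import Counter, defaultdict

# Constructed sample data; the addresses are documentation ranges, not real hosts.
AUTH_LOG = "\n".join(
    ["Jun 30 18:03:%02d host sshd[412]: Failed password for bob from 203.0.113.9 port 4%03d" % (s, s)
     for s in range(12)]
    + ["Jun 30 18:10:01 host sshd[417]: Failed password for alice from 192.168.1.7 port 5011",
       "Jun 30 18:11:05 host sshd[418]: Accepted password for bob from 203.0.113.9 port 4099"])

# Snort -A fast alerts in the shape shown on the slide above (constructed).
FAST_ALERTS = """
06/30-18:03:30.238623 203.0.113.9:3433 -> 10.1.60.16:21
06/30-18:03:30.352807 203.0.113.9:3433 -> 10.1.60.16:21
06/30-18:05:12.000000 203.0.113.9:3460 -> 10.1.60.17:53
06/30-18:20:00.000000 198.51.100.4:1024 -> 10.1.60.16:21
"""

AUTH_RE = re.compile(r"^(\w{3} +\d+) .*Failed password for (\S+) from (\S+)")
ALERT_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)")
INTERNAL = ("10.", "192.168.")   # assumed internal prefixes; failures from these are ignored

def failures_per_source(auth_log, threshold=10):
    """Return {(day, src, user): count} for external sources over the threshold."""
    counts = Counter()
    for line in auth_log.splitlines():
        m = AUTH_RE.match(line)
        if m and not m.group(3).startswith(INTERNAL):
            counts[(m.group(1), m.group(3), m.group(2))] += 1
    return {k: n for k, n in counts.items() if n > threshold}

def alerts_by_source(fast_alerts):
    """Group fast alerts as {src_ip: [(timestamp, dst_ip, dst_port)]}."""
    grouped = defaultdict(list)
    for line in fast_alerts.strip().splitlines():
        m = ALERT_RE.match(line)
        if m:
            grouped[m.group(2)].append((m.group(1), m.group(4), int(m.group(5))))
    return grouped

def correlate(auth_log, fast_alerts, threshold=10):
    """For each suspicious source, attach the network alerts seen from the same address."""
    alerts = alerts_by_source(fast_alerts)
    report = {}
    for (day, src, user), n in failures_per_source(auth_log, threshold).items():
        report[src] = {"day": day, "user": user, "failures": n, "alerts": alerts.get(src, [])}
    return report

if __name__ == "__main__":
    for src, info in correlate(AUTH_LOG, FAST_ALERTS).items():
        print(f"{src}: {info['failures']} failures for {info['user']} on {info['day']}")
        for ts, dst, dport in info["alerts"]:
            print(f"    {ts} -> {dst} port {dport}")
```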
Resources
• All things Snort (Marty Roesch’s Snort homepage): http://www.snort.org
• Snort database support: http://www.incident.org/snortdb
• Snort plug-ins: http://spyjurenet.com/linuxrc.org/projects/snort
• Attack signatures database (arachNIDS): http://www.whitehats.com

Resources (2)
• Other Snort tools:
  – Statistics: http://xanadu.rem.cmu.edu/snort
  – Snort report → HTML converter: http://www.silicondefense.com/snortsnarf
• Libpcap packet capture library:
  – ftp.ee.lbl.gov
Demo
• http://localhost/acid/index.html