16.2 IDS, Firewall and Honeypot Solutions

Intrusion Detection Tool: Snort

  • Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
  • It can perform protocol analysis and content searching/matching, and is used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts.
  • It uses flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plug-in architecture.
  • Uses of Snort:
    • Straight packet sniffer like tcpdump
    • Packet logger (useful for network traffic debugging, etc.)
    • Network intrusion prevention system

Snort Rules

  • Snort's rule engine enables custom rules to meet the needs of the network.
  • Snort rules help in differentiating between normal Internet activities and malicious activities.
  • Snort rules must be contained on a single line, the Snort rule parser does not handle rules on multiple lines.
  • Snort rules with two logical parts:
    • Rule header: Identifies rule's actions such as alerts, log, pass, activate, dynamic, etc.
    • Rule options: Identifies rule's alert messages.
  • Example:
    • alert tcp any any -> 192.168.1.0/24 111 (content: "|00 01 86 a5|";msg: "mountd access";)
      • alert: Rule Action
      • tcp: Rule Protocol
      • ->: Rule Format Direction
      • 192.168.1.0/24: Rule IP address
      • 111: Rule Port
      • content: "|00 01 86 a5|": Payload detection rule
      • msg: "mountd access": Alert message

Snort uses the popular libpcap library (for UNIX/Linux) or Winpcap (for Windows), the same library that tcpdump uses to perform its packet sniffing.

results matching ""

    No results matching ""