16.2 IDS, Firewall and Honeypot Solutions
Intrusion Detection Tool: Snort
- Snort is an open-source network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks.
- It performs protocol analysis and content searching/matching, and is used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts.
- It uses a flexible rules language to describe the traffic it should collect or pass, and a detection engine built on a modular plug-in architecture.
- Uses of Snort:
- Straight packet sniffer like tcpdump
- Packet logger (useful for network traffic debugging, etc.)
- Network intrusion detection system, or, when deployed inline, a network intrusion prevention system
- Snort's rule engine lets administrators write custom rules tailored to their own network.
- Snort rules are what let the engine distinguish normal Internet activity from malicious activity.
- Each Snort rule is written on a single line; the rule parser does not accept a rule split across lines (newer versions allow a line to be continued by ending it with a backslash, which the parser joins back into one logical line).
- A Snort rule has two logical parts:
- Rule header: the rule action (alert, log, pass, activate, dynamic, etc.), the protocol, the source and destination IP addresses and ports, and the direction operator.
- Rule options: the detection criteria (payload content, flags, and so on) and the alert message, enclosed in parentheses.
- Example rule (the Snort manual's mountd example; source address and port are any):
alert tcp any any -> 192.168.1.0/24 111 (content: "|00 01 86 a5|"; msg: "mountd access";)
- alert: Rule action
- tcp: Rule protocol
- ->: Direction operator (source on the left, destination on the right)
- 192.168.1.0/24: Destination IP address range (CIDR notation)
- 111: Destination port (portmapper/sunrpc)
- content: "|00 01 86 a5|": Payload detection option (bytes between | | are hexadecimal)
- msg: "mountd access": Alert message
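To make the header/option split concrete, the following added example (not code from the page or from the Snort project) parses a single-line rule into its header fields and options, expands the |hex| content syntax, and runs the mountd rule over a few constructed packets. The packet dictionaries, the RPC call header builder and the helper names (parse_rule, rule_matches, alerts) are assumptions of this example; real Snort also supports address/port lists, negation and many more options than are handled here.

```python
"""Minimal Snort-style rule parser and matcher (added example, not Snort's own code)."""
import ipaddress
import re

# The rule from the page (the Snort manual's classic mountd example).
RULE = 'alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)'

# Header: action proto src sport dir dst dport, followed by "(options)".
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)
# Options are key:"value"; pairs; a value may contain escaped quotes or semicolons.
OPTION_RE = re.compile(r'(\w+)\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')


def content_bytes(value):
    """Expand Snort content syntax: text outside |...| is literal, inside it is hex bytes."""
    out = bytearray()
    for i, chunk in enumerate(value.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)


def parse_rule(rule):
    """Split a single-line rule into header fields plus its option list."""
    m = HEADER_RE.match(rule.strip())
    if m is None:
        raise ValueError("not a single-line Snort rule: %r" % rule)
    r = m.groupdict()
    r["options"] = OPTION_RE.findall(r.pop("opts"))
    r["contents"] = [content_bytes(v) for k, v in r["options"] if k == "content"]
    r["msg"] = next((v for k, v in r["options"] if k == "msg"), "")
    return r


def addr_matches(spec, ip):
    """'any' or a CIDR block (a bare address is a /32)."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, pkt):
    """pkt is a dict with proto, src, sport, dst, dport and payload (bytes)."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    fwd = (addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
           and addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"]))
    rev = (addr_matches(rule["src"], pkt["dst"]) and port_matches(rule["sport"], pkt["dport"])
           and addr_matches(rule["dst"], pkt["src"]) and port_matches(rule["dport"], pkt["sport"]))
    if not (fwd or (rule["dir"] == "<>" and rev)):
        return False
    # Every content: option must occur somewhere in the payload.
    return all(c in pkt["payload"] for c in rule["contents"])


def rpc_call(program):
    """Constructed SunRPC CALL header: xid, CALL(0), rpcvers 2, program, version 1, proc 0."""
    return b"".join(n.to_bytes(4, "big") for n in (0x1234ABCD, 0, 2, program, 1, 0))


# Constructed sample traffic: program 100005 is mountd (0x000186a5), 100003 is nfs.
SAMPLE_PACKETS = [
    dict(proto="tcp", src="10.0.0.5", sport=40321, dst="192.168.1.10", dport=111, payload=rpc_call(100005)),
    dict(proto="tcp", src="10.0.0.5", sport=40321, dst="192.168.1.10", dport=111, payload=rpc_call(100003)),
    dict(proto="tcp", src="10.0.0.5", sport=40321, dst="10.1.1.1", dport=111, payload=rpc_call(100005)),
    dict(proto="udp", src="10.0.0.5", sport=40321, dst="192.168.1.10", dport=111, payload=rpc_call(100005)),
]


def alerts(rule_text=RULE, packets=SAMPLE_PACKETS):
    """Return the msg of the rule for every packet it matches."""
    rule = parse_rule(rule_text)
    return [rule["msg"] for p in packets if rule_matches(rule, p)]


if __name__ == "__main__":
    for msg in alerts():
        print(msg)
```

Only the first sample packet fires: the second carries a different RPC program number, the third is addressed outside 192.168.1.0/24, and the fourth is UDP although the header says tcp. Because the header is checked before the payload, a cheap header mismatch short-circuits the more expensive content search, which is also roughly the order real Snort evaluates a rule.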
Snort uses the libpcap library (on UNIX/Linux) or WinPcap (on Windows) for packet sniffing, the same capture library that tcpdump uses.