Iit 2008087


  • 8/3/2019 Iit 2008087

    Slide 1/15

    Snort - A network intrusion prevention and detection system

    Student: Vinay Aggarwal (IIT2008087)

    Professor: R. C. Tripathi

    Class presentation

    Slide 2/15

    Outline of the tool description

    Brief Introduction

    Features of the tool

    Architecture

    Installation Procedure

    Screenshots of the working tool

    Slide 3/15

    Snort

    An open source network intrusion prevention and detection system.

    It uses a rule-based language combining signature, protocol and anomaly inspection methods.

    The most widely deployed intrusion detection and prevention technology; it has become the de facto standard technology worldwide in the industry.

    Small (~110K source distribution; this figure dates from the early Snort releases, and current distributions are considerably larger)

    Portable (Linux, Solaris, *BSD, IRIX, HP-UX)

    Fast (high probability of detection for a given attack on average networks)

    Free (GPL/Open Source Software)

    Slide 4/15

    Snort - Features

    Capture and display packets from the network on the console with different levels of detail (sniffer mode: -v prints the headers, -d adds the application-layer payload, -e adds the link-layer headers).

    Log packets to text files (packet logger mode).

    Run as a lightweight network intrusion detection system.

    Snort can detect threats like stealth port scans, SMB probes, CGI attacks, buffer overflows, NetBIOS queries, and Nmap scans and OS fingerprinting attempts.

    The alert file records any suspicious or malicious activity that matched a rule.

    Snort supports target-based intrusion detection: the frag3 and stream5 preprocessors can be configured with the reassembly policy of each protected host, so the sensor sees the same data the target will see.

    Slide 5/15

    Typical locations for Snort sensors (diagram in the original slide)

    Slide 6/15

    Snort architecture

    Diagram in the original slide. From: Nalneesh Gaur, "Snort: Planning IDS for your enterprise", Linux Journal, http://www.linuxjournal.com/article/4668, 2001.

    Slide 7/15

    Snort components

    Diagram in the original slide. From: Rafeeq Ur Rehman, Intrusion Detection Systems with Snort: Advanced IDS Techniques with Snort, Apache, MySQL, PHP, and ACID.

    Slide 8/15

    Logical components of snort

    Packet Decoder: takes packets from different types of network interfaces (Ethernet, SLIP, PPP) and prepares them for processing.

    Preprocessor: (1) prepares data for the detection engine; (2) detects anomalies in packet headers; (3) reassembles IP fragments (defragmentation); (4) decodes HTTP URIs; (5) reassembles TCP streams. Without (3) and (5) a signature could be evaded simply by splitting it across fragments or segments.

    Detection Engine: the most important part; applies the rules to the packets.

    Logging and Alerting System / Output Modules: process alerts and logs and generate the final output.
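    The defragmentation and stream-reassembly steps of the preprocessor are what make the detection engine's content matching meaningful. The following Python is an added example, not code from the presentation or from Snort itself: it reassembles a constructed sequence of TCP segments (the sequence numbers, the sample HTTP request and the signature are all made up for the demonstration) and shows that a signature split across segments is found only after reassembly, which is exactly the evasion the stream preprocessor exists to defeat.

```python
"""Why the stream-reassembly preprocessor matters. Added example, not Snort's
code: a signature split across TCP segments is invisible to per-packet
inspection but visible once the segments are reassembled in sequence order."""
from collections import namedtuple

Segment = namedtuple("Segment", "seq payload")   # seq = TCP sequence number of payload[0]

SIGNATURE = b"/cgi-bin/phf"
ISN = 1000          # constructed initial sequence number of the client side
FULL_REQUEST = b"GET /cgi-bin/phf HTTP/1.0\r\n"

# Constructed capture: the request arrives in three segments, out of order,
# with one retransmitted duplicate. No single segment holds the whole signature.
SEGMENTS = [
    Segment(1007, b"i-bin/p"),
    Segment(1014, b"hf HTTP/1.0\r\n"),
    Segment(1000, b"GET /cg"),
    Segment(1007, b"i-bin/p"),          # duplicate of the first segment
]

def per_packet_match(segments, signature=SIGNATURE):
    """Stateless inspection: sequence numbers of segments whose own payload holds the signature."""
    return [s.seq for s in segments if signature in s.payload]

def reassemble(segments, isn=ISN):
    """Stitch the contiguous byte stream starting at isn. Out-of-order segments are
    sorted by sequence number, duplicates and overlaps keep the bytes seen first,
    and a hole stops reassembly (a real preprocessor would hold data until it fills)."""
    stream = bytearray()
    expected = isn
    for seg in sorted(segments, key=lambda s: s.seq):
        end = seg.seq + len(seg.payload)
        if end <= expected:
            continue                # entirely old data: retransmission
        if seg.seq > expected:
            break                   # gap: cannot continue the stream yet
        stream += seg.payload[expected - seg.seq:]   # skip any overlapping prefix
        expected = end
    return bytes(stream)

def stream_match(segments, signature=SIGNATURE, isn=ISN):
    """Stateful inspection: search the reassembled stream."""
    return signature in reassemble(segments, isn)
```

    Running per_packet_match over SEGMENTS returns an empty list, while stream_match returns True; dropping the first segment leaves a hole, and reassemble stops at it rather than inventing bytes.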

    Slide 9/15

    Rules

    Each rule is written on a single line and is built from a known intrusion signature. Rules live in rule files that the snort.conf configuration file includes. Every rule has two parts:

    rule header    rule options

    Slide 10/15

    Rule examples

    The original slide annotated an example rule, labelling its fields as follows.

    Rule header:

    action (alert: an alert will be generated if the criteria are met)

    protocol (ip: apply to all IP packets)

    source IP address

    source port number

    direction operator

    destination IP address

    destination port number

    Rule options: the parenthesised part that follows the header.

    Slide 11/15

    Detection engine: the order in which the rules are scanned

    Snort does not evaluate the rules in the order in which they appear in the rules file. By default, the rule types are applied in this order:

    1. Alert rules

    2. Pass rules

    3. Log rules

    Because alert rules come first, a pass rule cannot silence an alert under this default; the -o command-line switch changes the order to pass, alert, log. Note that the default is version dependent: the Snort 2.9 manual documents pass-before-alert as the default and provides --alert-before-pass to restore the order shown above, so check the manual for the version in use.
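    To make the rule header/options structure from the previous slides and the rule-type ordering on this slide concrete, here is an added Python example, not code from the presentation or from Snort. It parses a small subset of the Snort rule language, applies the rules to constructed packets, and lets the caller choose the rule-type order so the difference between alert-before-pass and pass-before-alert is visible. The VARS bindings, the three rules and the packets are constructed for the demonstration; real Snort evaluates rules with a multi-pattern matcher rather than this linear scan, and supports far more options than msg, content, nocase and sid.

```python
"""Miniature Snort rule parser and matcher. Added example, not Snort's code:
it handles a deliberate subset of the rule language (alert/pass/log actions,
ip/tcp/udp/icmp, $VAR substitution, CIDR and '!' negation, port ranges,
the '->' direction, msg/content/nocase/sid options) over constructed packets."""
import ipaddress
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed variable bindings; in Snort these come from 'var' lines in snort.conf.
VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!192.168.1.0/24"}

# Minimal decoded-packet view; payload is the application-layer data.
Packet = namedtuple("Packet", "proto src sport dst dport payload", defaults=(b"",))

def _ip_ok(spec, ip):
    if spec == "any":
        return True
    inside = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return inside != spec.startswith("!")

def _port_ok(spec, port):
    if spec == "any":
        return True
    lo, sep, hi = spec.lstrip("!").partition(":")   # "80", "21:23", ":1024" or "1024:"
    inside = int(lo or 0) <= port <= int((hi if sep else lo) or 65535)
    return inside != spec.startswith("!")

def _decode_content(text):
    """Snort content strings mix literal text with |hex bytes| sections."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    msg: str = ""
    sid: int = 0
    contents: list = field(default_factory=list)   # [(pattern bytes, nocase flag)]

    def matches(self, p):
        """Header fields first, then every content option must appear in the payload."""
        if self.proto not in ("ip", p.proto):
            return False
        if not (_ip_ok(self.src, p.src) and _port_ok(self.sport, p.sport)
                and _ip_ok(self.dst, p.dst) and _port_ok(self.dport, p.dport)):
            return False
        for pattern, nocase in self.contents:
            hay, needle = (p.payload.lower(), pattern.lower()) if nocase else (p.payload, pattern)
            if needle not in hay:
                return False
        return True

_OPT = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

def parse_rule(line, variables=VARS):
    """Split 'action proto src sport -> dst dport (options)' into a Rule."""
    line = re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], line.strip())
    head, _, opts = line.partition("(")
    fields = head.split()
    if len(fields) != 7 or fields[4] != "->":
        raise ValueError(f"unsupported rule header: {head!r}")
    rule = Rule(*fields)
    for key, val in _OPT.findall(opts.rstrip().rstrip(")")):
        val = val.strip('"')
        if key == "msg":
            rule.msg = val
        elif key == "sid":
            rule.sid = int(val)
        elif key == "content":
            rule.contents.append((_decode_content(val), False))
        elif key == "nocase" and rule.contents:      # modifies the preceding content
            rule.contents[-1] = (rule.contents[-1][0], True)
    return rule

def apply_rules(rules, packet, order=("alert", "pass", "log")):
    """Rule types are evaluated group by group in `order`; the first match wins.
    With the slide's default (alert, pass, log) a pass rule cannot silence an
    alert; with (pass, alert, log) it can."""
    for action in order:
        for rule in rules:
            if rule.action == action and rule.matches(packet):
                return action, rule.sid
    return None, None

# Constructed rule set and traffic for the demonstration.
RULES = [parse_rule(r) for r in (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI phf access"; content:"/cgi-bin/phf"; nocase; sid:1000001; rev:1;)',
    'pass tcp 10.0.0.5 any -> $HOME_NET 80 (msg:"authorised web scanner"; sid:1000002;)',
    'log tcp any any -> $HOME_NET 21:23 (msg:"FTP/SSH/Telnet session"; sid:1000003;)',
)]
SCANNER = Packet("tcp", "10.0.0.5", 40000, "192.168.1.10", 80, b"GET /CGI-BIN/PHF HTTP/1.0\r\n")
STRANGER = Packet("tcp", "203.0.113.7", 40001, "192.168.1.10", 80, b"GET /index.html HTTP/1.0\r\n")
SSH = Packet("tcp", "203.0.113.7", 40002, "192.168.1.10", 22)
```

    With the default order, apply_rules(RULES, SCANNER) returns the alert for sid 1000001 even though a pass rule covers the scanner; with order ("pass", "alert", "log") the same packet returns the pass rule instead. STRANGER matches no rule (its payload lacks the content) and SSH is caught only by the log rule on the 21:23 port range.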

    Slide 12/15

    Snort Installation Procedure

    For Windows: first install WinPcap, the packet-capture driver that lets Snort capture and examine packets as they flow across the network. The installer finishes very quickly, so do not assume it failed. It is available at http://winpcap.org/

    Next install the Snort program itself; what it does at run time is controlled entirely by the command line you give it. Accept the default settings until the installer asks where to install it, choose the correct location and click Install. It is available at http://www.snort.org/

    For other operating systems see http://www.snort.org/docs

    Slide 13/15

    Screenshots

    Slide 14/15

    Screenshots

    Slide 15/15

    Thank you !