8/3/2019 Iit 2008087
1/15
Snort - A network intrusion prevention and detection system
Student: Vinay Aggarwal (IIT2008087)
Professor: R. C. Tripathi
Class presentation
Description outline of Tools
Brief Introduction
Features of the tool
Architecture
Installation Procedure
Screenshots of the working tool
Snort
An open source network intrusion prevention and detection system.
It uses a rule-based language combining signature, protocol and anomaly inspection methods.
The most widely deployed intrusion detection and prevention technology.
It has become the de facto standard technology worldwide in the industry.
Small (~110K source distribution)
Portable (Linux, Solaris, *BSD, IRIX, HP-UX)
Fast (High probability of detection for a given attack on average networks)
Free (GPL/Open Source Software)
Snort - Features
Capture and display packets from the network with different levels of detail on the console.
Log data in a text file.
Lightweight network intrusion detection system.
Snort can detect threats like stealth port scans, SMB probes, CGI attacks, buffer overflows, NetBIOS queries and NMAP.
The alert file indicates any suspicious or malicious attacks.
Snort supports target-based intrusion detection.
Typical locations for snort
Snort architecture
From: Nalneesh Gaur, Snort: Planning IDS for your enterprise, http://www.linuxjournal.com/article/4668, 2001.
Snort components
From: Rafeeq Ur Rehman, Intrusion Detection Systems with Snort: Advanced IDS Techniques with Snort, Apache, MySQL, PHP, and ACID.
Logical components of snort
Packet Decoder: takes packets from different types of network interfaces (Ethernet, SLIP, PPP) and prepares them for processing.
Preprocessor: (1) prepares data for the detection engine; (2) detects anomalies in packet headers; (3) packet defragmentation; (4) decodes HTTP URIs; (5) reassembles TCP streams.
Detection Engine: the most important part; applies rules to packets.
Logging and Alerting System / Output Modules: process alerts and logs and generate the final output.
Rules
Each rule fits in a single line. Rules are created from known intrusion signatures and are usually placed in the snort.conf configuration file.
A rule consists of two parts: rule header | rule options
Rule examples
(Annotated diagram of an example rule; the labels are:)
Rule header: alert will be generated if criteria met; apply to all IP packets; source IP address; source port #; destination IP address; destination port.
Rule options: follow the header.
Detection engine: order in which the rules are scanned
Snort does not evaluate the rules in the order in which they appear in the Snort rules file. By default, the order is:
1. Alert rules
2. Pass rules
3. Log rules
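The header/options split from the "Rules" slide and the default alert, pass, log evaluation order from this slide, as an added example that is not part of the original presentation. It parses single-line rules into their header fields and option map, then sorts them into the default action order; the sample rules are constructed, and only the three actions the slides list are accepted.

```python
import re
from dataclasses import dataclass, field

# Default evaluation order from the slide: alert rules, then pass, then log.
ACTION_ORDER = {"alert": 0, "pass": 1, "log": 2}

@dataclass
class SnortRule:
    action: str
    protocol: str
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str
    options: dict = field(default_factory=dict)

# Rule header: action, protocol, source IP, source port, direction, dest IP, dest port,
# followed by the rule options in parentheses.
HEADER_RE = re.compile(
    r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S
)

def parse_rule(text: str) -> SnortRule:
    """Split one single-line Snort rule into its header fields and an option map."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError(f"not a single-line Snort rule: {text!r}")
    action, proto, sip, sport, direction, dip, dport, opts = m.groups()
    if action not in ACTION_ORDER:  # only the actions named on the slides
        raise ValueError(f"unsupported action {action!r}")
    options = {}
    # Options are "key:value;" pairs; a bare keyword such as "nocase;" has no value.
    # Simplification: values are assumed not to contain ';' themselves.
    for item in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, value = item.partition(":")
        options[key.strip()] = value.strip().strip('"')
    return SnortRule(action, proto, sip, sport, direction, dip, dport, options)

def evaluation_order(rules):
    """Return the rules in Snort's default order (alert, pass, log), stable within a class."""
    return sorted(rules, key=lambda r: ACTION_ORDER[r.action])

# Constructed sample rules for illustration (not taken from the slides).
SAMPLE_RULES = [
    'log tcp any any -> 192.168.1.0/24 23 (msg:"telnet session"; sid:1000002;)',
    'pass tcp 10.0.0.5 any -> any 80 (msg:"trusted scanner"; sid:1000003;)',
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"HTTP probe"; content:"cgi-bin"; nocase; sid:1000001;)',
]

if __name__ == "__main__":
    for r in evaluation_order(parse_rule(t) for t in SAMPLE_RULES):
        print(r.action, r.src_ip, r.src_port, r.direction, r.dst_ip, r.dst_port, r.options["msg"])
```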
Snort Installation Procedure
For Windows: install the WinPcap file. This allows you to capture and examine packets as they flow across the network. It installs quickly, so don't think you didn't get it to work right. It is found at http://winpcap.org/.
Next install the SNORT program. This allows you to do many different things according to the command line that you type in. Use all of the default settings until you get to the screen where you need to choose where to install it. Choose the correct location and click Install.
It is found at http://www.snort.org/.
For other operating systems go to: http://www.snort.org/docs
Screenshots
Thank you!