1. Network Security Analysis using Snort and ACID

• • Introduction to

• Network Security Analysis

• using

• Snort and ACID

• Linux User Group Singapore

• Friday 7 thMay 2004

• By

• Michael Boman

2. What we will cover:

Benefits of running Snort + ACID

Alert flow in a Snort + ACID setup

Demo of ACID

Q & A

3. Why Snort and ACID?

De-facto standard for Open Source Network IDS

Very well documented combination

• 3 books published

• Many HOWTO's available for free on the net

4. Software

Snort

• NIDS engine

Barnyard / Mudpit / FLoP

• Output processor for Snort

MySQL / PostgreSQL

• Alert storage medium

Apache / ACID

• Web server / Web application

Web browser of choice

• Alert display console

5. The Snort Architecture

Detect Events of Interest on the network

Send alerts to server

Receive alerts from sensor

Display alerts

6. Snort flow : Receiving IDS Alerts 7. Snort flow : Receiving IDS Alerts (barnyard) 8. Snort flow : Getting Alert Details 9. Demo

Enough theory, let us get our hands dirty with the pig

10. What have we learned?

Benefits of running Snort + ACID

Alert flow in a Snort + ACID setup

11. Questions?

Got any questions? Now is the time to ask them!

12. Suggested reading material

Snort 2.0 Intrusion Detection

• Brian Caswell, Jay Beale, James C. Foster, Jeremy Faircloth; ISBN: 1931836744

Intrusion Detection with Snort

• Jack Koziol; ISBN: 157870281X

http://www.snort.org/docs/