Introduction to Snort IDS
Linux User Group Singapore
Friday 7th May 2004
By
Michael Boman
What we will cover:
Short overview on the history of Snort
Packet flow inside Snort
Configuring Snort
Configuring variables
Configuring preprocessors
Configuring output modules
The anatomy of signatures
Snort compatible spool readers
Q & A
History of Snort
Dec. 1998
snort.c created
Jan. 1999
Rule sorting implemented
Mar. 1999
Pattern search engine rewritten from a brute force approach to use Boyer-Moore algorithm
Aug. 1999
New detection engine using a two-dimensional linked list. 200%-500% speed improvement.
History of Snort (2)
Dec. 1999
Preprocessors introduced
Detection plugins introduced
Variables introduced
Jan. 2000
Portscan preprocessor added
Jul. 2000
IP (de)fragmentation preprocessor added
Database output plugin added
MySQL
PostgreSQL
unixODBC
History of Snort (3)
Jan. 2001
XML (IDMEF) output plugin added
ORACLE output plugin added
SPADE anomaly preprocessor added
Apr. 2001
Priority and classification of signatures
VLAN support
Back Orifice detection plugin added
uricontent support added
Jul. 2001
New de-fragment preprocessor
Added stateful inspection
History of Snort (4)
Aug. 2001
MSSQL output support added
SNMP output support added
IDMEF support compiled in by default
First commit from a @sourcefire.com address
Feb. 2002
Portscan2 preprocessor added
May. 2002
XML (IDMEF) output plugin removed
Oct. 2002
pthread support killed (never worked anyway)
History of Snort (5)
Nov. 2002
Removed IPv6 and IPX printing (never did much anyway)
Mar. 2003
Removed ASN1 and fnord preprocessor
Removed XML and SNMP output plugins
Oct. 2003
Removed WinPopUp output plugin
Snort, today and tomorrow
2.1.3 is out soon (RC1 was released Apr. 21)
Signature quality and documentation are taken very seriously
Detection capacity and speed are the main concerns
More output plugins will be removed from Snort and moved to Barnyard.
A packet's journey through Snort
libpcap -> Preprocessors -> Pattern matching (detection engine) -> Output plugins -> Alert facility / Log facility
Configuring Snort
Variables
Preprocessors
Output plugins
Signatures
Snort variables
Variables can be specified both in the configuration file and from the command line.
snort.conf syntax:
var HOME_NET [192.168.0.0/24]
var EXTERNAL_NET !$HOME_NET
Command line syntax (escape it properly):
-S HOME_NET=[192.168.0.0/24]
Variables are usually specified in snort.conf
Snort preprocessors
Snort preprocessors offer additional detection capabilities
Stream re-assembly/de-fragmentation
Portscan detection
etc.
Configuration examples:
preprocessor flow: stats_interval 0 hash 2
preprocessor bo
Snort output plugins
Two output facilities
Alert
Log
Example of log formats
Syslog
Log files (text, pcap, unified)
Databases (mysql, postgresql etc)
Configuration examples:
output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql, user=snort \
password=dbpass dbname=db host=localhost \
sensor_name=sensor1
Snort signatures
Simple, straightforward signature language.
Has become a de-facto standard among open source NIDS software, and some proprietary vendors have support for at least a subset of the functionality.
Format:
action (alert, log, pass, ...) protocol src_ip src_port direction dst_ip dst_port (options)
Example (alerts on all IP packets; the msg string must be quoted):
alert ip any any -> any any (msg:"IP packet"; sid:1000001; rev:1;)
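The rule header format above and the variable syntax from the "Snort variables" slide, worked through in code. This is an added example, not code from the talk or from the Snort project: a small Python parser and matcher for just the rule subset shown on these slides (seven-field header, $VAR expansion with "!" negation and bracketed CIDR lists, port ranges, and the msg/content/nocase/sid/rev options). The variable table, the three rules and the two packets are constructed for illustration, with documentation address ranges.

```python
"""Parser and matcher for the Snort 2.x rule subset shown on the slides.
Added example, not code from the talk or the Snort project; the variable
table, rules and packets below are constructed for illustration."""
import ipaddress
import re

VARS = {"HOME_NET": "[192.168.0.0/24]", "EXTERNAL_NET": "!$HOME_NET"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
# option name, optional ':' value (quoted or bare), terminated by ';'
OPT_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def expand(value, variables=VARS, depth=0):
    """Resolve $NAME references; a leading '!' negates and '!!' cancels."""
    if depth > 10:
        raise ValueError("variable recursion too deep: %r" % value)
    neg = value.startswith("!")
    body = value[1:] if neg else value
    if body.startswith("$"):
        body = expand(variables[body[1:]], variables, depth + 1)
    if neg and body.startswith("!"):
        return body[1:]
    return ("!" if neg else "") + body

def parse_rule(text, variables=VARS):
    """Split one rule into header fields (variables expanded) and options."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    rule = m.groupdict()
    for field in ("src", "sport", "dst", "dport"):
        rule[field] = expand(rule[field], variables)
    rule["options"] = {}
    for name, val in OPT_RE.findall(rule.pop("opts")):
        rule["options"][name] = val[1:-1] if val.startswith('"') else val
    return rule

def decode_content(text):
    """Turn a content string with |hex| escapes into the bytes Snort searches."""
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode()
                    for i, p in enumerate(text.split("|")))

def addr_match(spec, ip):
    """Address field: any, CIDR, [cidr,cidr,...], optionally negated with '!'."""
    if spec == "any":
        return True
    nets = [ipaddress.ip_network(s, strict=False)
            for s in spec.lstrip("!").strip("[]").split(",") if s]
    return any(ipaddress.ip_address(ip) in n for n in nets) != spec.startswith("!")

def port_match(spec, port):
    """Port field: any, N, N:M, :M, N:, optionally negated with '!'."""
    if spec == "any":
        return True
    neg, spec = spec.startswith("!"), spec.lstrip("!")
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = port == int(spec)
    return hit != neg

def matches(rule, pkt):
    """Header match (both ways for '<>'), then the content option.
    Protocol 'ip' matches every packet, as in Snort."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False

    def one_way(src, sport, dst, dport):
        return (addr_match(rule["src"], src) and port_match(rule["sport"], sport)
                and addr_match(rule["dst"], dst) and port_match(rule["dport"], dport))

    hit = one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if not hit and rule["dir"] == "<>":
        hit = one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    content = rule["options"].get("content")
    if not hit or content is None:
        return hit
    needle, payload = decode_content(content), pkt.get("payload", b"")
    if "nocase" in rule["options"]:
        needle, payload = needle.lower(), payload.lower()
    return needle in payload

# Constructed rules and packets; addresses are documentation ranges.
RULES = [parse_rule(r) for r in (
    'alert ip any any -> any any (msg:"IP packet"; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
    '(msg:"HTTP GET"; content:"|47 45|T"; nocase; sid:1000002; rev:1;)',
    'alert tcp $HOME_NET any -> !$HOME_NET !80 (msg:"outbound non-web"; sid:1000003; rev:1;)',
)]
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.5", "sport": 40000, "dst": "192.168.0.10",
     "dport": 80, "payload": b"get / HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "192.168.0.10", "sport": 40001, "dst": "203.0.113.5",
     "dport": 22, "payload": b"SSH-2.0-client\r\n"},
]

def alerts(rules=RULES, packets=PACKETS):
    """Return the msg of every rule each packet triggers, in packet order."""
    return [r["options"]["msg"] for p in packets for r in rules if matches(r, p)]
```

Calling alerts() on the constructed input yields four hits: the catch-all "IP packet" rule fires on both packets, the inbound HTTP rule fires on the first (EXTERNAL_NET expands to ![192.168.0.0/24], so any non-home source qualifies, and nocase lets the lower-case "get" match), and the negated !$HOME_NET / !80 rule fires on the outbound SSH connection. Note that after expansion "!$EXTERNAL_NET" collapses back to [192.168.0.0/24]; the recursion depth guard is there because a self-referencing variable in snort.conf would otherwise loop forever.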
The unified log format
Reading files written in the unified log format
The unified log format was created so that Snort can offload alerting to other applications and concentrate on intrusion detection instead of generating alerts.
The unified log format can best be described as a glorified pcap format with Snort-specific fields added (signature id, interface, etc.).
Database and ASCII logging are very expensive, resource-wise, for Snort.
A missed packet is a lost packet.
Unified log readers
Barnyard
QPL
By the same guys who made Snort
Can only process either the alert or the log stream per instance
Mudpit
GPL
Can process both the alert and the log stream at the same time
Personal note: Never got it to compile
What we have learned
The history of Snort
How it started
How it continued
What we might see in the future
Packet flow inside Snort
Configuring Snort
Variables
Preprocessors
Output plugins
Signature syntax
Snort compatible spool readers
Questions?
Got any questions? Now is the time to ask them!
Suggested reading material
Snort 2.0 Intrusion Detection
Brian Caswell, Jay Beale, James C. Foster, Jeremy Faircloth; ISBN: 1931836744
Intrusion Detection with Snort
Jack Koziol; ISBN: 157870281X
http://www.snort.org/docs/
Copyright 2004 Michael Boman. All Rights Reserved.