Security Principles SNORT - IDS

Similar documents
Intrusion Detection - Snort. Network Security Workshop April 2017 Bali Indonesia

IDS / SNORT. Matsuzaki maz Yoshinobu stole slides from Fakrul Alam

Intrusion Detection - Snort

Intrusion Detection - Snort

Security Monitoring. ITU/APNIC IPv6 Infrastructure Workshop 21 st 23 rd June Phnom Penh. Last updated 22 July 2014

* Knowledge of Adaptive Security Appliance (ASA) firewall, Adaptive Security Device Manager (ASDM).

Intrusion Detection. What is Intrusion Detection

Chapter 7. Network Intrusion Detection and Analysis. SeoulTech UCS Lab (Daming Wu)

Detecting Specific Threats

Anomaly Detection in Communication Networks

Overview Intrusion Detection Systems and Practices

CIH

Intrusion Detection System (IDS) IT443 Network Security Administration Slides courtesy of Bo Sheng

CIT 480: Securing Computer Systems

Pre processors. Detection Engine

NIDS: Snort. Group 8. Niccolò Bisagno, Francesco Fiorenza, Giulio Carlo Gialanella, Riccardo Isoli

Cisco Firepower NGIPS Tuning and Best Practices

REMINDER course evaluations are online

Securing CS-MARS C H A P T E R

ANOMALY DETECTION IN COMMUNICTION NETWORKS

Network Security Terms. Based on slides from gursimrandhillon.files.wordpress.com

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Open Source IDS Rules Comparison Report July 2014

McAfee Network Security Platform

Topics. Principles of Intrusion Detection. Intrusion Detection. Characteristics of systems not under attack

How to Test an IDS? GENESIDS: An Automated System for Generating Attack Traffic

Intrusion prevention systems are an important part of protecting any organisation from constantly developing threats.

CSN15: Using ArcSight ESM for Malicious Domain Detection. Chris Watley Information Assurance Engineer US Government

Overview of Firewalls. CSC 474 Network Security. Outline. Firewalls. Intrusion Detection System (IDS)

CSE 565 Computer Security Fall 2018

TEL

Monitor Commands. monitor session source, page 2 monitor session destination, page 4

Chapter 6: IPS. CCNA Security Workbook

Cisco IOS Inline Intrusion Prevention System (IPS)

James Culverhouse AusCERT General Manager Mike Holm Operations Manager Protecting Organisations from cyber threats since 1993

Study of Snort Ruleset Privacy Impact

Performance Rules Creation. Part 2: Rules Options and Techniques

Needle in a Haystack. Improving Intrusion Detection Performance in University settings by removing good traffic to better focus on bad traffic

GE s Enterprise Sensor Grid

Imperva Incapsula Website Security

The Intrusion Rules Editor

A Probabilistic Approach to Autonomic Security Management

Configuring Flex Links

The Intrusion Rules Editor

Applied IT Security. System Security. Dr. Stephan Spitz 6 Firewalls & IDS. Applied IT Security, Dr.

The Intrusion Rules Editor

Network Security Platform Overview

Incorporating Network Flows in Intrusion Incident Handling and Analysis

CSCI 454/554 Computer and Network Security. Topic 8.4 Firewalls and Intrusion Detection Systems (IDS)

Maximizing visibility for your

Intrusion Detection. October 19, 2018

Outline. Intrusion Detection. Intrusion Detection History. Some Challenges. Network-based Host Compromises. Host-based Network Intrusion Detection


Configuring SPAN. Understanding SPAN CHAPTER. This chapter describes how to configure Switched Port Analyzer (SPAN) and on the Catalyst 2960 switch.

CISNTWK-440. Chapter 5 Network Defenses

Chapter 9. Firewalls

What are network flows? Using Argus and Postgres to analyse network flows for security

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Activating Intrusion Prevention Service

Port Mirroring in CounterACT. CounterACT Technical Note

ECCouncil EC Ethical Hacking and Countermeasures V7. Download Full Version :

Computer Network Vulnerabilities

NETWORK THREATS DEMAN

Security Device Roles

Lab 8: Firewalls & Intrusion Detec6on Systems

Different attack manifestations Network packets OS calls Audit records Application logs Different types of intrusion detection Host vs network IT

Configuring UDLD. Understanding UDLD CHAPTER

IC32E - Pre-Instructional Survey

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems

Intrusion Detection Systems

Reduce Your Network's Attack Surface

Week Date Teaching Attended 5 Feb 2013 Lab 7: Snort IDS Rule Development

Security Aspects Control Rationale Best Practices Self-Assessment (Click all that applicable) 1. Security Policy and Security Management

SymmetricDS Pro 3.0 Quick Start Guide

Behavior-Based IDS: StealthWatch Overview and Deployment Methodology

Sensitive Data Detection

White Paper February McAfee Network Protection Solutions. Encrypted Threat Protection Network IPS for SSL Encrypted Traffic.

Outline. Internet Security Mechanisms. Basic Terms. Example Attacks

AIT 682: Network and Systems Security

Configuring IGMP Snooping and Filtering

Very Fast Containment of Scanning Worms. Nicholas Weaver, Stuart Staniford, Vern Paxson ICSI, Nevis Networks, ICSI & LBNL

SIEM (Security Information Event Management)

Access Control Using Intrusion and File Policies

Compare Security Analytics Solutions

You will discuss topics related to ethical hacking, information risks, and security techniques which hackers will seek to circumvent.

Port Mirroring Best Practice

Training UNIFIED SECURITY. Signature based packet analysis

Lab1. Definition of Sniffing: Passive Sniffing: Active Sniffing: How Does ARP Spoofing (Poisoning) Work?

Configuring SPAN and RSPAN

and the Forensic Science CC Spring 2007 Prof. Nehru

Improving your custom Snort rules. What you will learn. What you should know. Leon Ward - November 2010

Network Security. Chapter 0. Attacks and Attack Detection

Secure Network Design Document

Cisco Meraki MX products come in 6 models. The chart below outlines MX hardware properties for each model:

Chapter 2. Switch Concepts and Configuration. Part II

Snort. Search out hidden attacks with the Snort intrusion detection system. BY CHRIS RILEY

CISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks

Managing Latency in IPS Networks

5. Execute the attack and obtain unauthorized access to the system.

Transcription:

Security Principles SNORT - IDS

Intrusion detection What is intrusion detection? Technically, any method that allows you to discover if someone has penetrated or is attempting intrusion into your network, host, services. What is intrusion? Unlawfully gaining access to systems, resources The access itself, or the methods used, may be unlawful There may not be a breakin The result is the same Someone is accessing something they are not allowed to Just because the door was open doesn t mean I am allowed to walk in You still have an intruder!

What is an IDS? An IDS is a device, or group of devices, which look for specific patterns in network traffic, for the purpose of detecting malicious intent

Snort? Snort is an open source IDS, and one of the oldest ones Hundreds of thousands of users Active development of rules by the community make Snort up to date, and often more so than commercial alternatives Snort is fast! It can run at Gbit/s rates with the right hardware and proper tuning

Where to place Snort? Snort will need to be close to the choke point (the point where all traffic flows through on the way in or out of your network) Inside of the border router or firewall, for example

Getting Snort to see the network You could run Snort in multiple ways As a device in line behind or after the firewall/router But this adds one more element that can fail in your connectivity Or you could use a span/mirror port to send traffic to Snort Or you can use an optical splitter to mirror or tap into traffic from a fiber optic link This method and the previous are the most recommended

Getting Snort to see the network O SWITCH MI RR OR SNORT I

Getting Snort to see the network Be careful not to overload your switch port If you mirror a gigabit port to another gigabit port, the monitoring port (the receiving port) can drop packets if the total traffic exceeds 1 Gbit/s We ll illustrate this

Monitoring Port On Cisco Catalyst, this is a SPAN port You can SPAN one port to another, a group of ports to one port, or an entire VLAN to a port Sample config: interface FastEthernet 0/1 # port monitor FastEthernet 0/2 This would copy any packet received on F0/2 to F0/1

Monitoring Port Other equipment vendors have different syntax HP calls it a mirror port

Snort configuration file By default, /etc/snort/snort.conf It s a long file 900+ lines If you browse it, you will notice many preprocessor entries Snort has a number of preprocessors which will analyze the network traffic and possibly clean it up before passing it to the rules

Snort rules Snort rules are plain text files Adding new rules to snort is as simple as dropping the files into /etc/snort/rules/ Groups of rules can be loaded from snort.conf using the include statement Rules can match anything Technical web attacks, buffer overflow, portscan, etc Policy/user oriented URL filtering, keyword, forbidden applications, etc

Tailoring the rules Not all rules will make sense in your network You will want to customize which rules you want to run Otherwise you will get many false positives, which will lead you to ignore Snort, or simply turn it of It doesn t help to have logs full of junk alerts you don t want To avoid this, rules can be suppressed (disabled)

Updating Snort rules The commercially maintained snort rules are available for free with a 30 day delay from http://www.snort.org/start/rules Other rules are maintained by some volunteers at emerging threats: http://rules.emergingthreats.net/open/ The updating of rules can be automated with a tool called Pulled Pork, which is located at http://code.google.com/p/pulledpork/

Sample rules # These signatures are not enabled by default as they may generate false # positive alarms on networks that do mysql development. alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"mysql root login attempt"; flow:to_server,established; content:" 0A 00 00 01 85 04 00 00 80 root 00 "; classtype:protocol-command-decode; sid:1775; rev:2;) alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"mysql show databases attempt"; flow:to_server,established; content:" 0F 00 00 00 03 show databases"; classtype:protocol-command-decode; sid:1776; rev:2;) alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"mysql 4.0 root login attempt"; flow:to_server,established; content:" 01 "; within:1; distance:3; content:"root 00 "; within:5; distance:5; nocase; classtype:protocol-command-decode; sid:3456; rev:2;)

Reporting and logging Snort can be made to log alerts to an SQL database, for easier searching A web front-end for Snort, BASE, allows one to browse security alerts graphically

References and documentation Snort preprocessors: http://www.informit.com/articles/article.aspx?p=101148&seqnum=2 Snort documentation http://www.snort.org/docs An install guide for Ubuntu 10.04: http://www.snort.org/assets/158/014-snortinstallguide292.pdf

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback