
SNORT
Intrusion Detection System

Introduction

• Snort is an Intrusion Detection System (IDS) and Intrusion Prevention System (IPS).
• Snort can be used to block malware, and other intrusions on
your computer.
• Snort, although initially programmed for Linux and other
Command Line Interface (CLI) systems, can be configured to
run on Windows.
• Before configuring Snort to run on Windows, your system is
required to have WinPCap and Barnyard installed.
Introduction (cont.)
• Snort is a good sniffer.
• Snort uses a detection engine, based on rules.
• Packets that do not match any rule are discarded.
• Otherwise, they are logged.
• Rule matching packets can also trigger an alert.
• Snort is a multi-mode packet analysis tool:
  - Sniffer
  - Packet Logger
  - Forensic Data Analysis tool
  - Network Intrusion Detection System
Sniffer Mode

Run-time switches:
  -v  verbose
  -d  dump packet payloads
  -x  dump the entire packet in hex
  -a  display ARP packets (does not work on your version)
  -e  display link-layer data

Packet Logger Mode
• Tell snort to output packets to a log file.
• Command line options:
  -l  dump packets into the log directory
  -b  log packets in binary (tcpdump) format
• Example: snort -b -l /temp/snort
• Binary log files are in tcpdump format.
• They can be read back by snort with the -r switch.
• Readback can be used to dump, log, or perform detection on the captured packets.
Full Text Logging
• Packets are logged in plain ASCII format.
• One file is created per protocol/port pair.
• A port scan therefore creates too many files.
Forensic Use
• Filter logs of large size quickly.
• Snort filters are very sophisticated.
NIDS Mode
• Load snort with a set of rules, configure packet analysis plug-ins, and let it monitor for hostile network activity.
• Use the -c switch to specify the configuration file:
  snort -c snort.conf
• If no config file is specified, snort looks in the /etc directory.
• Specify an alternative logging directory with -l.
• Specify an alternate alert mode with -A:
  -A fast | full | none | console
Snort Architecture
• Sniffer
• Preprocessor
• Detection Engine
• Alert Logging

• Packet Sniffer
  - Taps into the network
• Preprocessor
  - Checks packets against plug-ins:
    - RPC plug-in
    - Port scanner plug-in
• Detection Engine
  - Snort is a signature-based IDS
  - Implemented via rule-sets
• Rules
  - Consist of a rule header:
    - Action to take
    - Type of packet (protocol)
    - Source and destination IP address
  - and rule options:
    - Content of the packet that should make it match the rule
• Snort Alerting
  - Incoming "interesting packets" are sent to log files.
  - Also sent to various add-ons:
    - SnortSnarf (diagnostics with HTML output)
    - SnortPlot (Perl script that plots attacks)
    - Swatch (provides email alerts)
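As an added example (not code from the slides or from the Snort project), the following Python splits a Snort rule into the header fields and options described above and applies the content option to a packet represented as a dict. The rule text and packets are constructed; $HOME_NET-style variables and "any" are treated as wildcards and nocase as global, both simplifications of real Snort semantics.

```python
import re
# Constructed sample rule (not from the slides): rule header, then rule
# options in parentheses, as the Architecture slide describes.
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
               '(msg:"WEB cmd.exe access"; content:"cmd.exe"; nocase; sid:1000001; rev:1;)')

# Header: action, protocol, source addr/port, direction, destination addr/port.
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>tcp|udp|icmp|ip)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<opts>.*)\)\s*$')

def split_options(opts):
    """Split the option string on ';' characters that are outside double quotes."""
    parts, buf, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            parts.append(''.join(buf)); buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf))
    return [p.strip() for p in parts if p.strip()]

def parse_rule(text):
    """Return (header dict, [(keyword, value), ...]); value is None for flags like nocase."""
    m = HEADER_RE.match(text.strip())
    if not m: raise ValueError('not a Snort rule: %r' % text)
    header = {k: m.group(k) for k in ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')}
    options = []
    for raw in split_options(m.group('opts')):
        key, _, value = raw.partition(':')
        options.append((key.strip(), value.strip().strip('"') if value else None))
    return header, options

def matches(rule, pkt):
    """Check protocol, destination port and every 'content' option against a packet dict."""
    header, options = rule
    # 'any' and $VARIABLE ports are treated as wildcards (simplified matcher).
    if header['proto'] != pkt['proto'] or (header['dport'] not in ('any', str(pkt['dport']))
                                           and not header['dport'].startswith('$')):
        return False
    nocase = any(k == 'nocase' for k, _ in options)  # simplified: applied to all content options
    for key, value in options:
        if key == 'content':
            hay, needle = (pkt['payload'], value) if not nocase else (pkt['payload'].lower(), value.lower())
            if needle not in hay:
                return False
    return True  # matching packet: Snort would log it and, for 'alert', raise an alert
```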
Conclusion
• Snort is a powerful tool, but maximizing its usefulness requires a trained operator.
• Becoming proficient with network intrusion detection takes 12 months.
• Snort is considered a very good NIDS when compared to most commercial systems.
• Managed network security providers should collect enough information to make decisions without calling clients to ask what happened.
