Intrusion Detection System
Snort
What is Snort?
where the network topology creates a single traffic path due to the logical topology of the network
Snort Rules
Primarily a signature-based detection engine. Example:
alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET root login"; flow:from_server,established; content:"login|3A| root"; classtype:suspicious-login; sid:719; rev:7;)
While alerts are indicative of attacks, leaks, and protocol violations, false positives are also generated
How to monitor?
Multiple layers of antivirus checkers in place: workstations, servers, email stores, and email gateways
The most actively updating checker gets new signatures every 15 minutes
In September 2005, 3 Bagle variants were released in quick succession
AV companies alerted us, but workstations were affected
Which of the 5000 workstations were affected?
alert tcp any any -> any any (msg:"Potential Bagle Propagation"; content:"osa6.gif"; classtype:policy-violation; sid:1000003; rev:3;)
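As an added example (not code from the original slides or from the Snort project), a small Python parser for the rule format shown above: it splits the header from the options, decodes Snort's |hex| escapes in content patterns (so "login|3A| root" becomes the bytes "login: root"), and reports which of the two rules' content patterns appear in a constructed payload. It ignores the flow, port and address checks, so it is a simplification of what Snort itself evaluates.

```python
import re

# The two rules quoted on the slides, embedded here as sample input.
RULES = [
    'alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET root login"; '
    'flow:from_server,established; content:"login|3A| root"; '
    'classtype:suspicious-login; sid:719; rev:7;)',
    'alert tcp any any -> any any (msg:"Potential Bagle Propagation"; '
    'content:"osa6.gif"; classtype:policy-violation; sid:1000003; rev:3;)',
]

# Rule header: action proto src sport direction dst dport ( options )
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$'
)

def parse_rule(text):
    """Split a Snort rule into its header fields and an ordered option list."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    rule = m.groupdict()
    # Options are 'key:value;' pairs; a quoted value may itself contain ';'.
    opts = re.findall(r'(\w+)(?::((?:"[^"]*"|[^;])*))?;', rule.pop("opts"))
    rule["options"] = [(k, v.strip()) for k, v in opts]
    return rule

def content_bytes(value):
    """Turn a Snort content string into raw bytes: text between |...| is
    hexadecimal, everything outside the bars is literal."""
    out = b""
    for i, part in enumerate(value.strip('"').split("|")):
        if i % 2 == 1:          # inside |...|: hex bytes, spaces allowed
            out += bytes.fromhex(part.replace(" ", ""))
        else:                   # literal text
            out += part.encode("latin-1")
    return out

def matching_sids(payload, rules=RULES):
    """Return the sids of rules whose content patterns all occur in payload.
    Simplification: only the content options are checked (case-sensitive)."""
    hits = []
    for r in map(parse_rule, rules):
        pats = [content_bytes(v) for k, v in r["options"] if k == "content"]
        if pats and all(p in payload for p in pats):
            hits.append(int(dict(r["options"])["sid"]))
    return hits
```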
Conclusion
Snort provides another tool in the toolkit and can help provide information about exactly who's talking to whom on the network
Security is a process, not a product