
Snort - A network intrusion prevention and detection system

Student: Vinay Aggarwal (IIT2008087). Professor: R. C. Tripathi. Class presentation.

Outline of the tool description

Brief introduction
Features of the tool
Architecture
Installation procedure
Screenshots of the working tool

Snort

An open source network intrusion detection and prevention system (IDS/IPS).
It uses a rule-based language combining signature, protocol and anomaly inspection methods.
The most widely deployed intrusion detection and prevention technology; it has become the de facto standard in the industry worldwide.
Small (~110K source distribution)
Portable (Linux, Solaris, *BSD, IRIX, HP-UX)
Fast (high probability of detection for a given attack on average networks)
Free (GPL / open source software)

Snort - Features

Capture and display packets from the network on the console, with different levels of detail (sniffer mode: snort -v, -d for application-layer data, -e for link-layer headers).

Log packets to files on disk (packet logger mode: snort -l <log directory>).

Lightweight network intrusion detection system (NIDS mode: snort -c snort.conf).

Snort can detect threats such as stealth port scans, SMB probes, CGI attacks, buffer overflows, NetBIOS queries and Nmap scans and OS-fingerprinting probes. The alert file records every rule match, i.e. suspected malicious activity. Snort also supports target-based intrusion detection (reassembly policies chosen per destination host, so the sensor interprets traffic the way the target will).

Typical locations for snort

Snort architecture

From: Nalneesh Gaur, Snort: Planning IDS for your enterprise, http://www.linuxjournal.com/article/4668, 2001.

Snort components

From: Rafeeq Ur Rehman, Intrusion Detection Systems with Snort: Advanced IDS Techniques with Snort, Apache, MySQL, PHP, and ACID.

Logical components of snort

Packet Decoder: takes packets from different types of network interfaces (Ethernet, SLIP, PPP) and prepares them for processing.

Preprocessor: (1) prepares data for the detection engine; (2) detects anomalies in packet headers; (3) packet defragmentation; (4) HTTP URI decoding; (5) TCP stream reassembly. Steps (3) to (5) normalise the traffic so that the detection engine sees what the destination host will see; this is what defeats fragmentation- and encoding-based evasion of signatures.

Detection Engine: the most important part; applies the rules to the (normalised) packets.

Logging and Alerting System, Output Modules: process alerts and logs and generate the final output.

Rules

Each rule fits on a single line and consists of a rule header followed by the rule options in parentheses. Rules are written from known intrusion signatures and are usually kept in rule files that the snort.conf configuration file includes.

Rule example

[Figure: an annotated example rule. Callouts mark the rule header fields (source IP address, source port, destination IP address, destination port; "apply to all IP packets") and the rule options, with the note that an alert is generated if the criteria are met.]

Order in which the detection engine scans the rules

Snort does not evaluate the rules in the order in which they appear in the rules file. By default the order is:
1. Alert rules
2. Pass rules
3. Log rules

Alert rules go first so that a careless pass rule cannot silence an alert. The -o switch of Snort 2 swaps this to Pass, Alert, Log, and later 2.x releases changed the default so that pass rules are evaluated first (the order is set with config order: in snort.conf). Pass-first is faster for whitelisting trusted traffic, but one over-broad pass rule then blinds the sensor to everything it matches; check the manual for the version you run.
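As an added example (not from these slides and not Snort's own code), the following Python script parses rules written in the Snort 2 rule syntax described above, matches them against packets, and applies them one action group at a time in a configurable order, to show concretely why the order matters. The HOME_NET/EXTERNAL_NET values, the three rules, their SIDs and the two packets are constructed for the demo; only the content/nocase options are evaluated, and the match logic is a simplification of the real detection engine.

```python
"""Minimal Snort rule parser plus a detection-engine ordering demo (added example, not Snort's code).
Header/option syntax follows the Snort 2 rule language; VARS, rules, SIDs and packets are constructed."""
import ipaddress
import re
from collections import namedtuple

# Constructed stand-in for `var HOME_NET ...` / `var EXTERNAL_NET ...` in snort.conf.
VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "!192.168.1.0/24"}

# Rule header: action proto src_ip src_port direction dst_ip dst_port, then the options in ( ).
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\((?P<opts>.*)\)\s*$")
# One option: keyword, optional ':value' (a quoted value may contain ';'), terminating ';'.
OPTION_RE = re.compile(r'\s*(\w+)(?::((?:"[^"]*"|[^;"])*))?\s*;')
Rule = namedtuple("Rule", "action proto src_ip src_port direction dst_ip dst_port options")
Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port payload")

def split_options(text):
    """'key:value; flag; ...' -> ordered [(key, value_or_None)]; flags such as nocase get None."""
    return [(k, v.strip() or None) for k, v in OPTION_RE.findall(text)]

def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("malformed rule header: %r" % line)
    g = m.groupdict()
    return Rule(g["action"], g["proto"], g["src_ip"], g["src_port"], g["dir"],
                g["dst_ip"], g["dst_port"], split_options(g["opts"]))

def ip_matches(spec, addr):
    """'any', a host or CIDR, a $VAR from VARS, or any of those negated with a leading '!'."""
    spec = VARS.get(spec, spec)
    if spec.startswith("!"):
        return not ip_matches(spec[1:], addr)
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")  # 'lo:hi' range, either end optional; else a single port
    return int(lo or 0) <= port <= int(hi or 65535) if sep else port == int(lo)

def content_bytes(value):
    """content:"..." value -> bytes, expanding |xx xx| hex escapes the way Snort does."""
    parts = value.strip('"').split("|")
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode() for i, p in enumerate(parts))

def header_matches(rule, pkt):
    ends = [(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)]
    if rule.direction == "<>":  # bidirectional: either end may play the rule's "source"
        ends.append((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
    return rule.proto in ("ip", pkt.proto) and any(
        ip_matches(rule.src_ip, si) and port_matches(rule.src_port, sp)
        and ip_matches(rule.dst_ip, di) and port_matches(rule.dst_port, dp)
        for si, sp, di, dp in ends)

def options_match(rule, pkt):
    """Only content/nocase are evaluated; msg, sid and rev are metadata and never affect a match."""
    checks = []  # [needle, nocase] in rule order; nocase modifies the preceding content
    for key, val in rule.options:
        if key == "content":
            checks.append([content_bytes(val), False])
        elif key == "nocase" and checks:
            checks[-1][1] = True
    for needle, nocase in checks:
        hay = pkt.payload
        if nocase:
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True

def evaluate(pkt, rules, order=("alert", "pass", "log")):
    """Apply the rules one action group at a time in `order`; the first matching group decides."""
    for action in order:
        for rule in rules:
            if rule.action == action and header_matches(rule, pkt) and options_match(rule, pkt):
                return action, dict(rule.options).get("sid")
    return None, None

# Constructed rules: a CGI-attack signature, a pass rule for a trusted scanner host, a catch-all log rule.
RULES = [parse_rule(r) for r in (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI phf access"; content:"/cgi-bin/phf"; nocase; sid:1000001; rev:1;)',
    'pass tcp 10.0.0.5 any -> $HOME_NET 80 (msg:"trusted vulnerability scanner"; sid:1000002; rev:1;)',
    'log tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"inbound web traffic"; sid:1000003; rev:1;)',
)]

# Constructed packets; note that the phf probe comes from the "trusted" scanner host.
PHF_PROBE = Packet("tcp", "10.0.0.5", 40000, "192.168.1.10", 80, b"GET /cgi-bin/PHF HTTP/1.0\r\n")
BENIGN_GET = Packet("tcp", "203.0.113.7", 51234, "192.168.1.10", 80, b"GET /index.html HTTP/1.0\r\n")

if __name__ == "__main__":
    print("alert-first:", evaluate(PHF_PROBE, RULES))                           # ('alert', '1000001')
    print("pass-first: ", evaluate(PHF_PROBE, RULES, ("pass", "alert", "log")))  # ('pass', '1000002')
    print("benign:     ", evaluate(BENIGN_GET, RULES))                           # ('log', '1000003')
```

With the classic Alert, Pass, Log order the phf probe still raises an alert even though it comes from the host the pass rule trusts; with Pass evaluated first the same probe is silently passed. That is exactly the trade-off to weigh before whitelisting traffic with pass rules on a sensor whose default order is pass-first.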

Snort Installation Procedure


For Windows:

Install WinPcap first. It provides the packet-capture driver that lets Snort capture and examine packets as they flow across the network. The installer finishes very quickly, so do not assume it failed. It is found at http://winpcap.org/ (on current Windows versions its successor, Npcap, is used instead).

Next install the Snort program itself. What Snort does is decided by the command line you type (sniffer, packet logger or NIDS mode).

Accept the default settings until the installer asks where to install; choose the correct location and click Install. It is found at http://www.snort.org/, and downloading from the official site only is the one precaution worth taking here. For other operating systems see http://www.snort.org/docs.

Screenshots


Thank you !
