Presented by:
Mansi Sharma (09030241219)
Ujjwal Kohli (09030241235)
IDS – General Observations
Definition of IDS is Tricky…
“Intrusion Detection addresses a range of technologies that are involved in the detection, reporting, and correlation of system and network security events.” – The Hacker’s Handbook (Young, Aitel)
IDS Solutions are Diverse and becoming more Hybrid
Host-based Intrusion Detection (HIDS)
Network-based Intrusion Detection (NIDS)
Behavior (Policy) based IDS
Signature (Knowledge) based IDS
Intrusion Prevention (IPS)
Change Auditing
Security Information Management (SIM)
Snort – What it is, What it does
So Where does Snort fit within the IDS Landscape?
Developed by Martin Roesch
Open Source Network Intrusion Detection / Prevention System (NIDS/NIPS)
Sourcefire offers a commercial version of Snort (Sourcefire Intrusion Sensor)
Performs real-time traffic analysis, logging, and alerting
Supports 2 types of IDS/IPS functionality:
Protocol-normalized analysis of traffic (preprocessors decode and normalize protocols before inspection)
Signature-based analysis of traffic (packets are matched against a rule set)
Snort – Basic Configuration Modes
Snort can be run in one of several configuration modes:
Sniffer Mode – Snort reads packets off the network and displays them (headers, and optionally payload) on the console
Packet Logger Mode – simply logs packets to disk
Network Intrusion Detection System (NIDS) Mode – Snort grabs traffic from the network using libpcap, analyzes it for matches against a defined rule set and generates alerts (as appropriate)
Inline Mode – obtains packet data from iptables (rather than libpcap) and signals iptables to drop or pass packets using inline-specific rule actions (drop, reject, sdrop)
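The signature-based side of NIDS mode is easiest to see with a small rule engine. The following is an added illustration, not Snort's own code: it parses a few rules written in Snort 2.x syntax (header fields plus the msg, content, nocase, sid and rev options; other options are ignored and content matches are not ordered as in real Snort), evaluates them against already-decoded packets, and prints hits in the style of Snort's fast alert output. The rules, the value assumed for $HOME_NET and the packets are all constructed for this example.

```python
"""Minimal Snort-style signature matcher (added illustration, not Snort code)."""
import ipaddress
import re

# Constructed sample rules in Snort 2.x syntax (sids in the local 1000000+ range).
RULES_TEXT = """
alert tcp any any -> 192.168.1.0/24 80 (msg:"WEB-MISC /etc/passwd access"; content:"/etc/passwd"; sid:1000001; rev:1;)
alert tcp any any -> any 21 (msg:"FTP USER anonymous"; content:"USER anonymous"; nocase; sid:1000002; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP packet to home net"; sid:1000003; rev:1;)
"""
HOME_NET = "192.168.1.0/24"   # assumed value for the $HOME_NET rule variable

HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop)\s+(?P<proto>tcp|udp|icmp|ip)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')

def parse_rule(line):
    """Split a rule into its header fields and a dict of options."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("bad rule: " + line)
    rule = m.groupdict()
    opts = {"content": []}
    # Options are ';'-separated (this simple splitter does not handle ';' inside quotes).
    for opt in filter(None, (o.strip() for o in rule.pop("opts").split(";"))):
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "content":
            opts["content"].append({"pattern": val, "nocase": False})
        elif key == "nocase" and opts["content"]:
            opts["content"][-1]["nocase"] = True   # modifier applies to the preceding content
        else:
            opts[key] = val
    rule["opts"] = opts
    return rule

def addr_match(spec, ip):
    """'any', a CIDR/host, optionally '!'-negated, or the $HOME_NET variable."""
    if spec == "$HOME_NET":
        spec = HOME_NET
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate

def port_match(spec, port):
    """'any', a single port, or a Snort range such as 1024: or :1023."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port

def content_match(opts, payload):
    """All content patterns must appear in the payload (simplified: no offset/depth ordering)."""
    for c in opts["content"]:
        pat, data = c["pattern"].encode(), payload
        if c["nocase"]:
            pat, data = pat.lower(), data.lower()
        if pat not in data:
            return False
    return True

def rule_matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    def one_way(src, sport, dst, dport):
        return (addr_match(src, pkt["src"]) and port_match(sport, pkt.get("sport", 0))
                and addr_match(dst, pkt["dst"]) and port_match(dport, pkt.get("dport", 0)))
    hdr_ok = one_way(rule["src"], rule["sport"], rule["dst"], rule["dport"])
    if not hdr_ok and rule["dir"] == "<>":   # bidirectional rules also match the reverse direction
        hdr_ok = one_way(rule["dst"], rule["dport"], rule["src"], rule["sport"])
    return hdr_ok and content_match(rule["opts"], pkt.get("payload", b""))

def fast_alert(rule, pkt):
    """Format a hit in the style of Snort's alert_fast output: [**] [gid:sid:rev] msg [**] ..."""
    o = rule["opts"]
    return "[**] [1:%s:%s] %s [**] {%s} %s:%s -> %s:%s" % (
        o.get("sid", "0"), o.get("rev", "0"), o.get("msg", ""), pkt["proto"].upper(),
        pkt["src"], pkt.get("sport", ""), pkt["dst"], pkt.get("dport", ""))

def run(rules_text, packets):
    """Evaluate every rule against every packet; return the alert lines in order."""
    rules = [parse_rule(l) for l in rules_text.splitlines() if l.strip() and not l.startswith("#")]
    return [fast_alert(r, p) for p in packets for r in rules if rule_matches(r, p)]

# Constructed, already-decoded packets (dicts stand in for Snort's decoded packet struct).
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40123, "dst": "192.168.1.10", "dport": 80,
     "payload": b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40124, "dst": "172.16.0.9", "dport": 21,
     "payload": b"user ANONYMOUS\r\n"},                       # case differs: needs nocase
    {"proto": "icmp", "src": "10.0.0.5", "dst": "192.168.1.1", "payload": b""},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40125, "dst": "192.168.1.10", "dport": 443,
     "payload": b"GET /etc/passwd HTTP/1.0\r\n\r\n"},         # content hit but wrong port: no alert
]

if __name__ == "__main__":
    for line in run(RULES_TEXT, PACKETS):
        print(line)
```

The last sample packet shows why the rule header matters as much as the content: the payload contains the signature string, but the rule is scoped to port 80, so a real Snort rule set would need a separate rule (or a port list) to catch the same string on 443.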
Sizing up Snort…
Free can be a good thing…
Snort is Open Source, covered under the GPL
Rules are readily editable and freely available
Snort Development efforts proceed under the GPL and
have contributed to Snort being a robust IDS solution
Good way to get started with IDS for a minimal
investment (time and $$)
The Snort Community is very active
Signature updates are often made available within
hours of a new exploit
Several commercial vendors use Snort as a basis for
commercial IDS solutions (or to supplement third party
IDS)
Snort is considered to be an enterprise-grade IDS
A Basic Snort Architecture
Sensor(s) – Snort IDS: detects events, forwards alerts
Server – MySQL, Apache, syslog: receives and stores alerts
Console – web browser: displays alerts
Snort (Sensor) Technical Details
[Figure: packet flow inside the sensor – raw packet bits → libpcap → Decoder → Preprocessor]
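The decoder stage of the pipeline sketched above turns the raw frame that libpcap hands over into the fields the detection engine matches on (addresses, ports, flags, payload offset). The following is an added example of that stage, not Snort's own decoder: it parses Ethernet/IPv4 plus TCP, UDP or ICMP, verifies the IPv4 header checksum, and rejects frames a detection engine should not act on (non-IPv4, truncated, bad checksum). The frame builder and its sample frame are constructed test data, not captured traffic.

```python
"""Minimal Ethernet/IPv4 decoder in the spirit of Snort's decode stage (added illustration)."""
import socket
import struct

ETH_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def ip_checksum(header):
    """RFC 1071 one's-complement sum; over a header whose checksum field is valid it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode(frame):
    """Return decoded fields as a dict, or raise ValueError for frames the engine must not see."""
    if len(frame) < ETH_LEN + 20:
        raise ValueError("truncated frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4: 0x%04x" % ethertype)
    ip = frame[ETH_LEN:]
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl or total_len < ihl:
        raise ValueError("bad IPv4 header")
    if ip_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    pkt = {"proto": PROTO_NAMES.get(proto, str(proto)), "ttl": ttl,
           "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}
    l4 = ip[ihl:total_len]     # use total_len, not the frame length: short frames carry Ethernet padding
    if proto == 6:
        if len(l4) < 20:
            raise ValueError("truncated TCP header")
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        data_off = (off_flags >> 12) * 4          # header length incl. options, in bytes
        pkt.update(sport=sport, dport=dport, flags=off_flags & 0x1FF, payload=l4[data_off:])
    elif proto == 17:
        sport, dport, ulen, _ = struct.unpack("!HHHH", l4[:8])
        pkt.update(sport=sport, dport=dport, payload=l4[8:ulen])
    elif proto == 1:
        itype, icode = struct.unpack("!BB", l4[:2])
        pkt.update(icmp_type=itype, icmp_code=icode, payload=l4[4:])   # after the 4-byte common header
    else:
        pkt["payload"] = l4
    return pkt

def safe_decode(frame):
    """Decoder as the pipeline would call it: undecodable frames yield None instead of an exception."""
    try:
        return decode(frame)
    except ValueError:
        return None

def build_tcp_frame(src, dst, sport, dport, payload, flags=0x18):
    """Construct a sample Ethernet/IPv4/TCP frame (test data, not captured traffic). 0x18 = PSH|ACK."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags, 65535, 0, 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]   # fill in the header checksum
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + hdr + tcp

if __name__ == "__main__":
    frame = build_tcp_frame("10.0.0.5", "192.168.1.10", 40123, 80, b"GET / HTTP/1.0\r\n")
    print(decode(frame))
```

The checksum check is the kind of decision a decoder makes before any rule is consulted: a packet with a bad IPv4 header checksum will be discarded by the receiving host, so alerting on its payload would be alerting on traffic the target never processes.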