Modified slides from Martin Roesch
Sourcefire Inc.

Topics
• Background
  – What is Snort?
• Using Snort
• Snort Architecture
• Third-Party Enhancements

Background – Policy
• Successful intrusion detection depends on policy and management as much as on technology
  – Security Policy (defining what is acceptable and what is being defended) is the first step
  – Notification
    • Who, how fast?
  – Response Coordination

Intro to Snort
• What is Snort?

Snort “Metrics”
• Portable (Linux, Windows, MacOS X, Solaris, BSD, IRIX, Tru64, HP-UX, etc.)
• Fast (high probability of detection for a given attack on 100Mbps networks)
• Configurable (easy rules language, many reporting/logging options)
• Free (GPL/Open Source Software)

Snort Design
• Packet-sniffing “lightweight” network intrusion detection system
• Libpcap-based sniffing interface
• Rules-based detection engine
• Plug-in system allows endless flexibility

Detection Engine
• Rules form “signatures”
• Modular detection elements are combined to form these signatures
• Wide range of detection capabilities
  – Stealth scans, OS fingerprinting, buffer overflows, back doors, CGI exploits, etc.
• Rules system is very flexible, and creation of new rules is relatively simple

Plug-Ins
• Preprocessor
  – Packets are examined/manipulated before being handed to the detection engine
• Detection
  – Perform single, simple tests on a single aspect/field of the packet
• Output
  – Report results from the other plug-ins
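
The Detection Engine and Plug-Ins slides above describe a rule as a signature assembled from detection elements that each test one field of a packet. The Python below is an added illustration of that architecture and is not Snort's own code: it parses a few constructed rules written in Snort's rule syntax (action, protocol, source and destination address/port, and a parenthesised option list), applies each supported option as an independent single-field test, and reports which constructed packets would raise an alert. The Packet model, the rules, the packets, and the small set of supported options (content with nocase and |hex| bytes, flags, dsize) are all assumptions made for this example; real Snort decodes packets from libpcap and supports many more option keywords.

```python
import ipaddress
from collections import namedtuple

# Constructed packet model for the example (real Snort decodes packets from libpcap);
# only the fields our option checks look at are represented.
Packet = namedtuple("Packet", "proto src sport dst dport flags payload")
Rule = namedtuple("Rule", "action proto src sport dst dport options")

def parse_rule(text):
    """Parse one rule: action proto src sport -> dst dport (opt:val; opt; ...)"""
    header, _, body = text.strip().partition("(")
    if not body.endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    action, proto, src, sport, arrow, dst, dport = header.split()
    if arrow != "->":
        raise ValueError("only unidirectional (->) rules are handled here")
    options = {}
    # Options are ';'-terminated; a bare keyword such as nocase has no value
    # (a literal ';' inside content would have to be escaped, as in Snort).
    for item in body[:-1].split(";"):
        item = item.strip()
        if item:
            key, sep, value = item.partition(":")
            options[key.strip()] = value.strip().strip('"') if sep else True
    return Rule(action, proto, src, sport, dst, dport, options)

def parse_rules(lines):
    return [parse_rule(line) for line in lines]

# Header matching: an address spec is "any" or a CIDR; a port spec is "any",
# a single port, or a lo:hi range.
def _match_addr(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _match_port(spec, port):
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")
    return int(lo or 0) <= port <= int(hi or 65535) if sep else port == int(spec)

# Option checks: each inspects exactly one field of the packet, the way the
# slides describe a detection plug-in; all of them must pass for a rule to fire.
def _decode_content(spec):
    # Text outside |...| is literal; inside the pipes it is hex bytes.
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode()
                    for i, p in enumerate(spec.split("|")))

def check_content(pkt, spec, opts):
    needle = _decode_content(spec)
    if "nocase" in opts:
        return needle.lower() in pkt.payload.lower()
    return needle in pkt.payload

def check_dsize(pkt, spec, opts):
    n = len(pkt.payload)
    if spec[0] in "<>":
        return n > int(spec[1:]) if spec[0] == ">" else n < int(spec[1:])
    return n == int(spec)

DETECTION_CHECKS = {"content": check_content, "dsize": check_dsize,
                    "flags": lambda pkt, spec, opts: pkt.flags == spec}

def matches(rule, pkt):
    """A rule fires only when the header and every option check agree (AND)."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_match_addr(rule.src, pkt.src) and _match_addr(rule.dst, pkt.dst)):
        return False
    if not (_match_port(rule.sport, pkt.sport) and _match_port(rule.dport, pkt.dport)):
        return False
    for key, value in rule.options.items():
        check = DETECTION_CHECKS.get(key)   # msg, sid, rev, nocase carry no test
        if check is not None and not check(pkt, value, rule.options):
            return False
    return True

def run_rules(rules, packets):
    """Return (packet index, sid, msg) for every alert rule that fires."""
    alerts = []
    for i, pkt in enumerate(packets):
        for rule in rules:
            if rule.action == "alert" and matches(rule, pkt):
                alerts.append((i, int(rule.options["sid"]), rule.options["msg"]))
    return alerts

# Constructed rules (local sid range) and packets for the demonstration.
RULES = [
    'alert tcp any any -> 10.0.0.0/24 80 (msg:"Constructed web probe"; content:"/cgi-bin/"; nocase; sid:1000001; rev:1;)',
    'alert tcp any any -> 10.0.0.0/24 any (msg:"Constructed NOP sled"; content:"|90 90 90 90|"; dsize:>64; sid:1000002; rev:1;)',
    'alert tcp any any -> 10.0.0.0/24 22 (msg:"Constructed SYN to SSH"; flags:S; sid:1000003; rev:1;)',
]
PACKETS = [
    Packet("tcp", "192.0.2.5", 40000, "10.0.0.8", 80, "PA", b"GET /CGI-BIN/test.cgi HTTP/1.0\r\n"),
    Packet("tcp", "192.0.2.5", 40001, "10.0.0.8", 8080, "PA", b"\x90" * 80 + b"\xcc"),
    Packet("tcp", "192.0.2.5", 40002, "10.0.0.9", 22, "S", b""),
    Packet("tcp", "192.0.2.5", 40003, "10.0.0.9", 22, "PA", b"SSH-2.0-client\r\n"),
]

if __name__ == "__main__":
    for idx, sid, msg in run_rules(parse_rules(RULES), PACKETS):
        print(f"packet {idx}: [1:{sid}] {msg}")
```

Run as a script it prints one alert line per matching rule (packets 0, 1 and 2 fire sids 1000001, 1000002 and 1000003; packet 3 fires nothing because its flags are PA rather than S). The point to take from the structure is that adding a new detection capability means adding one more single-field check to DETECTION_CHECKS, not touching the header matcher or the rule parser, which is the modularity the plug-in slide describes.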

Using Snort
• Three main operational modes
  – Sniffer Mode
  – Packet Logger Mode
  – NIDS Mode
  – (Forensic Data Analysis Mode)
• Operational modes are configured via command line switches
  – Snort automatically tries to go into NIDS mode if no command line switches are given, and looks for the snort.conf configuration file in /etc

