SNORT__.ppt - Modified slides from Martin Roesch, Sourcefire Inc.

(Preview of pages 1-10 of 31.)
Topics
  • Background
  • What is Snort?
  • Using Snort
  • Snort Architecture
  • Third-Party Enhancements
Background – Policy
  • Successful intrusion detection depends on policy and management as much as technology
  • Security Policy (defining what is acceptable and what is being defended) is the first step
  • Notification: who, how fast?
  • Response
  • Coordination
Intro to Snort
  • What is Snort?
Snort "Metrics"
  • Portable (Linux, Windows, MacOS X, Solaris, BSD, IRIX, Tru64, HP-UX, etc.)
  • Fast (high probability of detection for a given attack on 100Mbps networks)
  • Configurable (easy rules language, many reporting/logging options)
  • Free (GPL/Open Source Software)
Snort Design
  • Packet-sniffing "lightweight" network intrusion detection system
  • Libpcap-based sniffing interface
  • Rules-based detection engine
  • Plug-in system allows endless flexibility
Detection Engine
  • Rules form "signatures"
  • Modular detection elements are combined to form these signatures
  • Wide range of detection capabilities: stealth scans, OS fingerprinting, buffer overflows, back doors, CGI exploits, etc.
  • Rules system is very flexible, and creation of new rules is relatively simple
Plug-Ins
  • Preprocessor: packets are examined/manipulated before being handed to the detection engine
  • Detection: perform single, simple tests on a single aspect/field of the packet
  • Output: report results from the other plug-ins
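The detection-engine and plug-in slides describe one pipeline: rules assembled from modular single-field tests, a preprocessor stage that runs ahead of detection, and an output stage that reports what matched. The Python below is an added example, not Snort's own code and not from these slides; it models that pipeline on constructed rules and constructed packet records. The rule text follows Snort's classic header form (action proto src sport -> dst dport) and its msg, content, nocase and sid options; the percent-decoding preprocessor, the Packet record and the function names are illustrative assumptions.

```python
"""Toy Snort-style pipeline: rules -> preprocessor -> detection -> output.
Added example; rule syntax mirrors Snort's classic form, everything else is
an assumption made for illustration."""
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import unquote_to_bytes


@dataclass
class Packet:            # assumed stand-in for a decoded libpcap packet
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    opts: dict = field(default_factory=dict)


def parse_options(body):
    """Split 'msg:"a; b"; content:"x"; nocase; sid:1;' on ';' outside quotes."""
    opts, cur, quoted = {}, "", False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            key, _, val = cur.strip().partition(":")
            opts[key] = val.strip().strip('"') if val else True  # bare flag -> True
            cur = ""
        else:
            cur += ch
    return opts


def parse_rule(text):
    """Header fields are whitespace separated; options sit in the trailing (...)."""
    head, _, tail = text.strip().partition("(")
    fields = head.split()
    if len(fields) != 7 or fields[4] != "->" or not tail.endswith(")"):
        raise ValueError("unsupported rule syntax: " + text)
    action, proto, src, sport, _, dst, dport = fields
    return Rule(action, proto, src, sport, dst, dport, parse_options(tail[:-1]))


def addr_matches(spec, addr):
    """'any', a single host, or a CIDR block."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    """'any', a single port, or a Snort-style range such as 1:1024."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return int(spec) == port


def preprocess(pkt):
    """Preprocessor stand-in: percent-decode the payload so content tests run on
    the normalised form, the way an HTTP preprocessor normalises URIs (assumption)."""
    return Packet(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport, unquote_to_bytes(pkt.payload))


def detect(rule, pkt):
    """Detection stage: each test checks one field; every test must hold."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)):
        return False
    if not (port_matches(rule.sport, pkt.sport) and port_matches(rule.dport, pkt.dport)):
        return False
    content = rule.opts.get("content")
    if content is not None:
        needle, hay = content.encode(), pkt.payload
        if rule.opts.get("nocase"):
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True


def run_nids(rules, packets):
    """Output stage: one (sid, msg, src, dst) record per alert-rule hit."""
    alerts = []
    for pkt in packets:
        p = preprocess(pkt)
        for rule in rules:
            if rule.action == "alert" and detect(rule, p):
                alerts.append((rule.opts.get("sid"), rule.opts.get("msg"), pkt.src, pkt.dst))
    return alerts


RULE_TEXT = [  # constructed rules; sids chosen from the local (>= 1000000) range
    'alert tcp any any -> 10.0.0.0/24 80 (msg:"CGI phf access"; content:"/cgi-bin/phf"; nocase; sid:1000001;)',
    'alert tcp any any -> 10.0.0.0/24 23 (msg:"telnet to monitored net"; sid:1000002;)',
]
PACKETS = [  # constructed packet records, not captured traffic
    Packet("tcp", "192.0.2.10", 40000, "10.0.0.8", 80, b"GET /cgi-bin/%70hf HTTP/1.0"),
    Packet("tcp", "192.0.2.10", 40001, "10.0.0.8", 23, b""),
    Packet("tcp", "192.0.2.11", 40002, "10.0.1.8", 80, b"GET /cgi-bin/phf HTTP/1.0"),
]


def run_demo():
    return run_nids([parse_rule(t) for t in RULE_TEXT], PACKETS)


if __name__ == "__main__":
    for sid, msg, src, dst in run_demo():
        print(f"[**] [1:{sid}] {msg} [**] {src} -> {dst}")
```

The first packet only matches because the preprocessor decodes "%70hf" to "phf" before the content test runs; the third packet carries the plain string but its destination lies outside the rule's 10.0.0.0/24 block, so the address test fails and no alert is produced.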
Using Snort
  • Three main operational modes:
      Sniffer Mode
      Packet Logger Mode
      NIDS Mode
      (Forensic Data Analysis Mode)
  • Operational modes are configured via command line switches
  • Snort automatically tries to go into NIDS mode if no command line switches are given, and looks for the snort.conf configuration file in /etc
Course info: Fall '15; uploaded by ThomasReddington; tags: Transmission Control Protocol, Network intrusion detection system