Learning Snort Rules by Capturing Intrusions In Live Network Traffic
Dr. Jinsheng Xu, Triveni Gadipalli
North Carolina A&T State University
Introduction
- Snort is a leading open source network intrusion detection system (NIDS)
- It is ranked as one of the top network security tools by sectools.org
- Snort components: Sniffer, Preprocessor, Detection Engine, Alert/Logging
- Rules are the key!
  - Sourcefire Rules
  - Free Community Rules
Motivations
- Snort rules are complex
- Understanding a rule is not easy
- Writing correct rules is even harder
- Snort tutorials do not have hands-on experiments
Goals
- Develop a hands-on lab for learning Snort rules
- Rules are tested against live traffic
- Learn various features of Snort rules
Lab Components
- Snort
- Wireshark
- Traffic Generator: a program that continuously broadcasts packets to the LAN; the packets contain 11 intrusions
- All components are packaged into a single Windows XP VM
Implementation
- Real captured traffic found on the Internet
- Selected individually and combined into a single capture file
- Detecting the intrusions requires rules ranging from easy to more advanced
- To broadcast to the network, the traffic generator rewrites each frame's destination MAC address to the broadcast address (ff:ff:ff:ff:ff:ff), so every host on the LAN, including the Snort sensor, receives the replayed packets
- The traffic generator is implemented using the WinPcap library
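The MAC-rewrite step above, worked through as an added example (this is not the lab's WinPcap-based generator, whose source is not on the page): a standard-library Python script that parses a classic libpcap file, sets every Ethernet frame's destination MAC to ff:ff:ff:ff:ff:ff and leaves everything else, including timestamps and the source MAC, untouched. The two-frame capture it works on is constructed inline so the script runs offline; it rewrites bytes and does not transmit anything.

```python
"""Rewrite the destination MAC of every Ethernet frame in a classic libpcap
capture to the broadcast address, which is the step the lab's traffic generator
performs before replaying the capture onto the LAN.  Added example for this
page: it is not the lab's WinPcap-based generator, uses only the standard
library, and works on a constructed two-frame capture so it runs offline.  It
does not transmit anything."""
import struct

PCAP_MAGIC = 0xA1B2C3D4                  # classic libpcap magic, little-endian file
GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_ETHERNET = 1
BROADCAST_MAC = b"\xff" * 6
ETH_HDR_LEN = 14


def iter_frames(pcap):
    """Yield (record_header_bytes, frame_bytes) for each packet record."""
    if len(pcap) < GLOBAL_HDR.size:
        raise ValueError("file shorter than a pcap global header")
    magic, _, _, _, _, _, linktype = GLOBAL_HDR.unpack_from(pcap, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x (only little-endian classic pcap)" % magic)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    off = GLOBAL_HDR.size
    while off < len(pcap):
        hdr = pcap[off:off + RECORD_HDR.size]
        if len(hdr) < RECORD_HDR.size:
            raise ValueError("truncated record header at offset %d" % off)
        _, _, incl_len, _ = RECORD_HDR.unpack(hdr)
        start = off + RECORD_HDR.size
        frame = pcap[start:start + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet data at offset %d" % start)
        yield hdr, frame
        off = start + incl_len


def rewrite_to_broadcast(pcap):
    """Return a copy of the capture with every frame's destination MAC set to
    ff:ff:ff:ff:ff:ff.  Record headers and all other bytes are unchanged, so the
    result has the same length; frames too short to hold an Ethernet header are
    left as they are."""
    out = [pcap[:GLOBAL_HDR.size]]
    for hdr, frame in iter_frames(pcap):
        if len(frame) >= ETH_HDR_LEN:
            frame = BROADCAST_MAC + frame[6:]
        out.append(hdr + frame)
    return b"".join(out)


def dst_macs(pcap):
    """Destination MACs in capture order, as colon-separated hex strings."""
    return [frame[:6].hex(":") for _, frame in iter_frames(pcap)]


def build_sample_pcap():
    """Constructed two-frame capture (not lab traffic): two IPv4 frames sent to
    different unicast MACs from the same source.  Payload bytes are filler."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    frames = [
        mac("00:11:22:33:44:55") + mac("66:77:88:99:aa:bb") + b"\x08\x00" + b"\x45" + b"\x00" * 27,
        mac("00:aa:bb:cc:dd:ee") + mac("66:77:88:99:aa:bb") + b"\x08\x00" + b"\x45" + b"\x00" * 39,
    ]
    data = GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        data += RECORD_HDR.pack(1_000_000 + i, 0, len(f), len(f)) + f
    return data


if __name__ == "__main__":
    original = build_sample_pcap()
    print("before:", dst_macs(original))
    print("after: ", dst_macs(rewrite_to_broadcast(original)))
```

Only the first six bytes of each frame change, which is why a sensor on the same LAN sees the packets exactly as they were captured apart from the link-layer destination; higher-layer fields, which is what the Snort rules match on, are preserved. Byte-swapped or pcapng files are rejected rather than silently mis-parsed.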
Instructions
- Sending traffic
  Go to the Cygwin home directory and run:
    ./traffic.exe
- Running Snort
  Go to c:\snort\bin and run:
    ./snort.exe -c ../etc/snort.conf -l ../log/ -i 2 -A console
  (-c names the configuration file, -l the log directory, -i the capture interface and -A console prints alerts to the console. Interface 2 is the lab VM's; on another Windows host list the interfaces with snort.exe -W and pick the one attached to the LAN.)
- Editing Rules
  Go to c:\snort\rules and edit local.rules (the file for your own rules; snort.conf must include it, typically via include $RULE_PATH/local.rules, for Snort to load them)
Rule Structure
- Snort rules have two logical parts: the Rule Header and the Rule Options
- Rule Options follow the Rule Header and are enclosed in parentheses; each option is terminated by a semicolon
- Example of a simple rule:
    alert ip any 21 -> 152.54.23.89 any (msg:"IP packet is detected"; sid:1000001;)
- Header fields, in order:
    Action               alert
    Protocol             ip
    Source Address       any
    Source Port          21
    Direction            ->
    Destination Address  152.54.23.89
    Destination Port     any
Action
- This field says what Snort does when the rule conditions are true
- There are five predefined actions (in inline mode Snort 2.x also accepts drop, reject and sdrop):
  - pass: tells Snort to ignore the packet. Why do we need the pass action? It whitelists known-good traffic so that broader alert rules do not fire on it; check the rule-order setting for your Snort version, since it decides whether pass rules are evaluated before alert rules.
      pass icmp any any -> 192.324.3.23 any (msg:"pass example"; sid:123938;)
  - log: used to log a packet
      log tcp any any -> 192.324.3.23 any (msg:"log example"; sid:102938;)
    (Note that 192.324.3.23 is not a valid IPv4 address, since an octet cannot exceed 255, so Snort refuses to load these two rules as written; substitute a real address from your lab network. Their sids also fall below 1,000,000, the range Snort reserves for its own rule sets; local rules should use sid 1000000 or higher, as the Rule Structure example does.)
  - alert: an alert message is generated when the rule conditions are met
  - activate: used to create an alert and then activate another rule for checking more conditions
  - dynamic: these are invoked by other rules using the activate action (activate/dynamic pairs are deprecated in Snort 2.9 in favour of flowbits and tagging, and Snort 3 does not support them)
      activate tcp any any -
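To make the Rule Structure and Action slides concrete, here is an added example (not the lab's code and not Snort's parser) that checks a Snort 2 rule's shape the way a reviewer of local.rules would: header fields in order, options in parentheses split on semicolons outside quotes, a valid action and protocol, parseable addresses and ports, a quoted msg, a numeric sid in the local range, and the activates / activated_by / count options an activate/dynamic pair needs. Run over the slide's own rules it accepts the Rule Structure example and flags the two Action examples for the impossible octet 324 and the reserved sids. The activate/dynamic rules, the $HOME_NET variable and the IMAP port 143 are constructed for illustration; the checker tests syntax only and never matches packets.

```python
"""Syntax checker for Snort 2 rules as laid out on the Rule Structure and Action
slides.  Added example for this page: not the lab's code and not Snort's parser.
It checks shape only and never matches packets.  Sample rules are the slide's
own (straight quotes) plus a constructed activate/dynamic pair."""
import ipaddress
import re

ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
LOCAL_SID_MIN = 1_000_000  # sids below this are reserved for Snort's own rule sets
# header: action proto src sport direction dst dport, then (options)
HEADER_RE = re.compile(
    r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)


def split_options(body):
    """(keyword, value) pairs, split on ';' outside double quotes; a backslash
    escape (Snort writes a literal ';' in a quoted value as \\;) is copied through."""
    items, buf, quoted, i = [], "", False, 0
    while i < len(body):
        c = body[i]
        if c == "\\":
            buf, i = buf + body[i:i + 2], i + 2
            continue
        if c == '"':
            quoted = not quoted
        if c == ";" and not quoted:
            items.append(buf)
            buf = ""
        else:
            buf += c
        i += 1
    items.append(buf)
    pairs = [item.strip().partition(":") for item in items if item.strip()]
    return [(k.strip(), v.strip()) for k, _, v in pairs]


def valid_address(tok):
    """'any', a $VAR from snort.conf, an IP/CIDR or a [list] of them, each optionally negated with '!'."""
    tok = tok.lstrip("!")
    if tok == "any" or tok.startswith("$"):
        return True
    if tok.startswith("[") and tok.endswith("]"):
        return all(valid_address(p.strip()) for p in tok[1:-1].split(","))
    try:
        ipaddress.ip_network(tok, strict=False)
        return True
    except ValueError:
        return False


def valid_port(tok):
    """'any', a $VAR, a single port, or a range such as 1:1024, :1024 or 1024:."""
    tok = tok.lstrip("!")
    if tok == "any" or tok.startswith("$"):
        return True
    lo, _, hi = tok.partition(":")
    ok = lambda p: p == "" or (p.isdigit() and int(p) <= 65535)
    return (lo != "" or hi != "") and ok(lo) and ok(hi)


def check_rule(rule):
    """Return the problems found in one rule; an empty list means it is well formed."""
    m = HEADER_RE.match(rule)
    if not m:
        return ["not of the form: action proto src sport direction dst dport (options)"]
    action, proto, src, sport, _, dst, dport, body = m.groups()
    action, proto = action.lower(), proto.lower()  # conventionally written in lowercase
    problems = []
    if action not in ACTIONS:
        problems.append("unknown action %r" % action)
    if proto not in PROTOCOLS:
        problems.append("unknown protocol %r" % proto)
    for label, tok, ok in (("source address", src, valid_address), ("source port", sport, valid_port),
                           ("destination address", dst, valid_address), ("destination port", dport, valid_port)):
        if not ok(tok):
            problems.append("%s %r is not valid" % (label, tok))
    opts = split_options(body)
    keys, values = {k for k, _ in opts}, dict(opts)
    msg, sid = values.get("msg"), values.get("sid")
    if msg is None or len(msg) < 2 or msg[0] != '"' or msg[-1] != '"':
        problems.append("msg missing or not double-quoted (every lab rule carries one)")
    if sid is None or not sid.isdigit():
        problems.append("sid missing or not numeric")
    elif int(sid) < LOCAL_SID_MIN:
        problems.append("sid %s is below %d, the range reserved for Snort's own rule sets"
                        % (sid, LOCAL_SID_MIN))
    if action == "activate" and "activates" not in keys:
        problems.append("activate rule needs an activates:N option")
    if action == "dynamic" and not {"activated_by", "count"} <= keys:
        problems.append("dynamic rule needs activated_by:N and count:N options")
    return problems


# Slide examples plus a constructed activate/dynamic pair (IMAP port 143 chosen here).
SAMPLE_RULES = {
    "slide_alert": 'alert ip any 21 -> 152.54.23.89 any (msg:"IP packet is detected"; sid:1000001;)',
    "slide_pass": 'pass icmp any any -> 192.324.3.23 any (msg:"pass example"; sid:123938;)',
    "slide_log": 'log tcp any any -> 192.324.3.23 any (msg:"log example"; sid:102938;)',
    "activate_ok": 'activate tcp any any -> $HOME_NET 143 (msg:"IMAP login seen"; activates:1; sid:1000002;)',
    "dynamic_ok": 'dynamic tcp any any -> $HOME_NET 143 (activated_by:1; count:50; msg:"IMAP follow-up"; sid:1000003;)',
    "dynamic_bad": 'dynamic tcp any any -> $HOME_NET 143 (activated_by:1; msg:"no count"; sid:1000004;)',
}


def check_all(rules=SAMPLE_RULES):
    """Map each rule name to its list of problems."""
    return {name: check_rule(rule) for name, rule in rules.items()}


if __name__ == "__main__":
    for name, problems in check_all().items():
        print(name, "->", problems or "ok")
```

The checker is a pre-flight for the lab's edit-and-reload loop: catching a bad octet or a reserved sid here saves a round trip through a Snort start-up failure. It is deliberately stricter than Snort in one respect, treating a missing msg as a problem because every rule in the lab carries one, and it does not resolve $VARIABLES, which only snort.conf can do.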