Snort 2.0 Detection Engine Comparison – V 1.x
(Diagram: a rule tree, header fields first, option nodes at the leaves)
  alert tcp
    Sip: 1.1.1.1
      Dip: 2.2.2.2
        Dp: 80
          (flags: A+; content: “foo”;)
          (flags: A+; content: “bar”;)
          (flags: A+; content: “baz”;)
Snort 2.0 Detection Engine Comparison – V 2.0
(Diagram; elements listed in the order they appear on the slide)
  content: “foo”; content: “bar”; content: “baz”;
  alert tcp
  Dip: 2.2.2.2
  Dip: 10.1.1.0/24
  Flags: A+;
  Sip: 1.1.1.1
  Dp: 80
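The two diagrams contrast how 1.x walks the rule header tree (source, destination, port) and then searches the payload once per option node, with 2.0 putting the content patterns in front so one payload scan finds candidate rules before their headers are verified. The following is an added Python model of both orderings, not Snort's own code: the rules are the four from the slides, the header check and the "A+" flag test are simplified assumptions, and the single-pass trie scan stands in for the multi-pattern matcher. It counts payload searches so the difference in work is visible.

```python
"""Toy model of header-first (Snort 1.x) vs content-first (Snort 2.0) rule
evaluation.  Added illustration; fields and matching semantics are simplified
assumptions, not the Snort implementation."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    sid: int
    sip: str        # source host or CIDR
    dip: str        # destination host or CIDR
    dport: int
    flags: str      # "A+": ACK must be set, other bits don't care (simplified)
    content: bytes  # one content pattern per rule (real rules may carry several)


@dataclass
class Packet:
    sip: str
    dip: str
    dport: int
    flags: frozenset  # TCP flag letters present, e.g. {"A", "P"}
    payload: bytes


# Rules taken from the two slide diagrams (10.1.1.0/24 appears on the V 2.0 slide).
RULES = [
    Rule(1, "1.1.1.1", "2.2.2.2", 80, "A+", b"foo"),
    Rule(2, "1.1.1.1", "2.2.2.2", 80, "A+", b"bar"),
    Rule(3, "1.1.1.1", "2.2.2.2", 80, "A+", b"baz"),
    Rule(4, "1.1.1.1", "10.1.1.0/24", 80, "A+", b"foo"),
]


def header_matches(rule, pkt):
    """Rule header check: addresses, destination port and flags."""
    return (ip_address(pkt.sip) in ip_network(rule.sip, strict=False)
            and ip_address(pkt.dip) in ip_network(rule.dip, strict=False)
            and pkt.dport == rule.dport
            and (rule.flags != "A+" or "A" in pkt.flags))


# ---- 1.x style: walk sip -> dip -> dport, then one payload search per leaf ----
def build_header_tree(rules):
    tree = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for r in rules:
        tree[r.sip][r.dip][r.dport].append(r)
    return tree


def match_v1(tree, pkt):
    """Returns (matched sids, number of payload searches performed)."""
    hits, searches = [], 0
    for sip, by_dip in tree.items():
        if ip_address(pkt.sip) not in ip_network(sip, strict=False):
            continue
        for dip, by_port in by_dip.items():
            if ip_address(pkt.dip) not in ip_network(dip, strict=False):
                continue
            for r in by_port.get(pkt.dport, []):
                if r.flags == "A+" and "A" not in pkt.flags:
                    continue
                searches += 1                  # every surviving leaf rescans the payload
                if r.content in pkt.payload:
                    hits.append(r.sid)
    return hits, searches


# ---- 2.0 style: one multi-pattern scan per port group, then verify headers ----
def build_port_groups(rules):
    groups = defaultdict(list)
    for r in rules:
        groups[r.dport].append(r)
    return groups


def scan_payload(patterns, payload):
    """Single left-to-right pass reporting which patterns occur.
    A trie walk stands in for a set-wise matcher such as Aho-Corasick."""
    trie = {}
    for p in patterns:
        node = trie
        for b in p:
            node = node.setdefault(b, {})
        node[None] = p                         # terminal marker holds the pattern
    found = set()
    for i in range(len(payload)):
        node = trie
        for b in payload[i:]:
            node = node.get(b)
            if node is None:
                break
            if None in node:
                found.add(node[None])
    return found


def match_v2(groups, pkt):
    """Returns (matched sids, number of payload searches performed)."""
    rules = groups.get(pkt.dport, [])
    if not rules:
        return [], 0
    found = scan_payload({r.content for r in rules}, pkt.payload)
    candidates = [r for r in rules if r.content in found]   # content hit first
    hits = [r.sid for r in candidates if header_matches(r, pkt)]  # header verified after
    return hits, 1


def compare(pkt):
    """Evaluate one packet under both strategies: ((sids, searches), (sids, searches))."""
    return (match_v1(build_header_tree(RULES), pkt),
            match_v2(build_port_groups(RULES), pkt))


if __name__ == "__main__":
    # Constructed sample packet, not captured traffic.
    sample = Packet("1.1.1.1", "2.2.2.2", 80, frozenset({"A", "P"}), b"GET /foo HTTP/1.0")
    print(compare(sample))   # ([1], 3) vs ([1], 1)
```

For the sample packet both strategies raise the same alert (sid 1), but the header-first walk searches the payload three times, once for each option node under the matching header, while the content-first pass scans it once and only verifies the headers of rules whose pattern actually occurred.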
Acquisition Plugins
- Libpcap allows us to be very cross platform but is also a bottleneck
- Acquisition plugins allow arbitrary data input sources
- Interesting applications
  - Netfilter/divert socket input stream
  - Gateway IDS…
  - Host-based IDS…
  - High speed platform specific acquisition capability
Decoder Plugins
- Arbitrary protocol support in Snort
- Snort is currently limited to…
  - Ethernet, FDDI, T/R, SLIP, PPP, ISDN, Raw IP, ARP
  - TCP, UDP, ICMP
- With plug-ins, new decoders can be painlessly dropped into Snort, automatically making Snort “aware” of that protocol and capable of performing traffic analysis on it
- Additional support for “unknown” protocols will have to be added to the detection engine
Pluggable Detection Engines
- Current signature based engine isn’t necessarily the only way to do NID
- The current primary detection engine in Snort is really just a very involved preprocessor
- Other possibilities
  - Snort + Netfilter (or Divert Sockets) = Gateway IDS (or “packet scrubber”)
  - Snort + NMAP = Target-based IDS
  - Snort + SAS = Statistical Anomaly IDS (ok, just kidding)
Learning More
- Writing Snort Rules
- FAQ, USAGE file, README file, man page
- Snort mailing lists
- Books
  - Intrusion Detection: An Analyst’s Handbook by Northcutt
  - Intrusion Signatures and Analysis by Northcutt
  - The Practical Intrusion Detection Handbook by Paul Proctor
  • Fall '08
  • staff
  • Transmission Control Protocol, snort, Network intrusion detection system, detection engine