SlideShare une entreprise Scribd logo
1  sur  20
Télécharger pour lire hors ligne
Snort - an network intrusion
prevention and detection system
Student: Yue Jiang
Professor: Dr. Bojan Cukic
CS665 class presentation
Overview






What’s snort?
Snort architecture
Snort components
Detection engine and rules in snort
Possible research works in snort.
What’s snort?


NIDS:

A network intrusion detection system (NIDS)
is an intrusion detection system that tries to detect
malicious activity such as denial of service attacks, port
scans or even attempts to crack into computers by
monitoring network traffic.



Snort:



Snort:

an open source network intrusion prevention and
detection system. It uses a rule-based language combining
signature, protocol and anomaly inspection methods
the most widely deployed intrusion detection and
prevention technology and it has become the de facto
standard technology worldwide in the industry.
Snort
1.

A packet sniffer:

2.

Packet logger: log data in text file
Honeypot monitor: deceiving hostile parties
NIDS: network intrusion detection system

3.
4.

capture and display packets from
the network with different levels of detail on the console
Typical locations for snort
Requirement of snort




lightweight NIDS
small, flexible
highly capable system
Snort architecture

From: Nalneesh Gaur, Snort: Planning IDS for your enterprise,
http://www.linuxjournal.com/article/4668, 2001.
Snort components

From: Rafeeq Ur Rehman, Intrusion Detection Systems with Snort: Advanced IDS
Techniques with Snort, Apache, MySQL, PHP, and ACID.
Logical components of snort


Packet Decoder:



Preprocessor:



Detection Engine:

takes packets from different types of
network interfaces (Ethernet, SLIP,PPP…), prepare packets for
processing
(1) prepare data for detection engine; (2)
detect anomalies in packet headers; (3) packet defragmentation;(4)
decode HTTP URI; (5) reassemble TCP streams.
the most important part, applies

rules to packets




Logging and Alerting System
Output Modules: process alerts and logs and generate
final output.
TCP/IP layer

Physical layer
Snort work on network (IP) layer, transport (TCP/UDP) layer protocol, and application layer
Detection Engine
※Things need to be done for detection engine:
•The IP header of the packet
•The transport layer header. TCP, UDP, ICMP etc.
•The application layer level header. Header of DNS, FTP, SNMP, SMTP
•Packet payload

※ How to do these?
Apply rules to the packets using a Boyer-Moore string matching
algorithm

※ Requirement
1.
2.

Time critical
Fast
Detection engine





Number of rules
Traffic load on the network
Speed of network and machine
Efficiency of detection algorithm
Rules




In a single line
Rules are created by known intrusion signatures.
Usually place in snort.conf configuration file.

rule header

rule options
Rule examples
destination ip address

Apply to all ip packets
Source ip address

Destination port

Source port #
Rule options
Alert will be generated if criteria met

Rule header
Detection engine order to scan the
rules


1.
2.
3.

Snort does not evaluate the rules
in the order that they appear in
the Snort rules file. In default, the
order is:
Alert rules
Pass rules
Log rules
Challenges with snort










Misuse detection –

avoid known

intrusions
Rules database is larger and larger
It continues to grow
snort version 2.3.2, there are 2,600 rules
80% of them are signatures
Snort spends 80% work time to do string match

Anomaly detection –

identify new

attacks
Probability of detection is low
Snort components

From: Rafeeq Ur Rehman, Intrusion Detection Systems with Snort: Advanced IDS
Techniques with Snort, Apache, MySQL, PHP, and ACID.
Attempts to improve


Increasing preprocessing
ability --- offload partial work from detect
engine



Using hardware to reduce
workload - a hybrid
architecture --- software has more flexibility,
hardware has relatively higher throughput



Better detection algorithm
Possible ways?




Organize the well-known rules into
better data structure to achieve
better performance
A detector with acceptable detection
probability
Thank you !

Contenu connexe

Tendances

Intrusion Detection System
Intrusion Detection SystemIntrusion Detection System
Intrusion Detection SystemDevil's Cafe
 
Nmap Hacking Guide
Nmap Hacking GuideNmap Hacking Guide
Nmap Hacking GuideAryan G
 
Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)LJ PROJECTS
 
Intrusion prevention system(ips)
Intrusion prevention system(ips)Intrusion prevention system(ips)
Intrusion prevention system(ips)Papun Papun
 
IPS (intrusion prevention system)
IPS (intrusion prevention system)IPS (intrusion prevention system)
IPS (intrusion prevention system)Netwax Lab
 
Security Onion - Brief
Security Onion - BriefSecurity Onion - Brief
Security Onion - BriefAshley Deuble
 
Nmap basics
Nmap basicsNmap basics
Nmap basicsitmind4u
 
Network intrusion detection system and analysis
Network intrusion detection system and analysisNetwork intrusion detection system and analysis
Network intrusion detection system and analysisBikrant Gautam
 
IDS, IPS, IDPS
IDS, IPS, IDPSIDS, IPS, IDPS
IDS, IPS, IDPSMinhaz A V
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention systemNikhil Raj
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection systemAparna Bhadran
 
Intrusion Detection System
Intrusion Detection SystemIntrusion Detection System
Intrusion Detection SystemMohit Belwal
 

Tendances (20)

Snort
SnortSnort
Snort
 
Intrusion Detection System
Intrusion Detection SystemIntrusion Detection System
Intrusion Detection System
 
Nmap Hacking Guide
Nmap Hacking GuideNmap Hacking Guide
Nmap Hacking Guide
 
Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)
 
Snort IDS
Snort IDSSnort IDS
Snort IDS
 
Snort IPS
Snort IPSSnort IPS
Snort IPS
 
Intrusion prevention system(ips)
Intrusion prevention system(ips)Intrusion prevention system(ips)
Intrusion prevention system(ips)
 
Intrusion Prevention System
Intrusion Prevention SystemIntrusion Prevention System
Intrusion Prevention System
 
Snort IDS/IPS Basics
Snort IDS/IPS BasicsSnort IDS/IPS Basics
Snort IDS/IPS Basics
 
IPS (intrusion prevention system)
IPS (intrusion prevention system)IPS (intrusion prevention system)
IPS (intrusion prevention system)
 
Security Onion - Brief
Security Onion - BriefSecurity Onion - Brief
Security Onion - Brief
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Network intrusion detection system and analysis
Network intrusion detection system and analysisNetwork intrusion detection system and analysis
Network intrusion detection system and analysis
 
Database Firewall with Snort
Database Firewall with SnortDatabase Firewall with Snort
Database Firewall with Snort
 
IDS, IPS, IDPS
IDS, IPS, IDPSIDS, IPS, IDPS
IDS, IPS, IDPS
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention system
 
Snort ppt
Snort pptSnort ppt
Snort ppt
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
 
NMAP
NMAPNMAP
NMAP
 
Intrusion Detection System
Intrusion Detection SystemIntrusion Detection System
Intrusion Detection System
 

En vedette

Intrusion detection system ppt
Intrusion detection system pptIntrusion detection system ppt
Intrusion detection system pptSheetal Verma
 
Detector de ataques en red
Detector de ataques en redDetector de ataques en red
Detector de ataques en redhugo.gonzalez
 
Sg t2 practicas_snort
Sg t2 practicas_snortSg t2 practicas_snort
Sg t2 practicas_snortgarciadebora
 
Andrés González Suárez - Instalación y configuración de Snort
Andrés González Suárez - Instalación y configuración de SnortAndrés González Suárez - Instalación y configuración de Snort
Andrés González Suárez - Instalación y configuración de SnortAndrés González Suárez
 
Sistemas de detección de intrusiones. SNORT
Sistemas de detección de intrusiones. SNORTSistemas de detección de intrusiones. SNORT
Sistemas de detección de intrusiones. SNORTseguridadelinux
 
Practica 4 herramienta snort entregable
Practica 4 herramienta snort entregablePractica 4 herramienta snort entregable
Practica 4 herramienta snort entregableKarmen Arrazola
 
Actividad No. 6.6: Detección de intrusos con Snort
Actividad No. 6.6: Detección de intrusos con SnortActividad No. 6.6: Detección de intrusos con Snort
Actividad No. 6.6: Detección de intrusos con SnortFrancisco Medina
 
Industrial Training - Network Intrusion Detection System Using Snort
Industrial Training - Network Intrusion Detection System Using SnortIndustrial Training - Network Intrusion Detection System Using Snort
Industrial Training - Network Intrusion Detection System Using SnortDisha Bedi
 
Sistemas de Detección de Intrusos (IDS)
Sistemas de Detección de Intrusos (IDS)Sistemas de Detección de Intrusos (IDS)
Sistemas de Detección de Intrusos (IDS)Alberto Mayo Vega
 
Apache Spark: The Analytics Operating System
Apache Spark: The Analytics Operating SystemApache Spark: The Analytics Operating System
Apache Spark: The Analytics Operating SystemAdarsh Pannu
 
Hadoop MapReduce Fundamentals
Hadoop MapReduce FundamentalsHadoop MapReduce Fundamentals
Hadoop MapReduce FundamentalsLynn Langit
 
Intrusion detection system
Intrusion detection system Intrusion detection system
Intrusion detection system gaurav koriya
 

En vedette (20)

Snort
SnortSnort
Snort
 
Snort
SnortSnort
Snort
 
Wireshark
WiresharkWireshark
Wireshark
 
Intrusion detection system ppt
Intrusion detection system pptIntrusion detection system ppt
Intrusion detection system ppt
 
Snort_IDS
Snort_IDSSnort_IDS
Snort_IDS
 
Detector de ataques en red
Detector de ataques en redDetector de ataques en red
Detector de ataques en red
 
Sg t2 practicas_snort
Sg t2 practicas_snortSg t2 practicas_snort
Sg t2 practicas_snort
 
Andrés González Suárez - Instalación y configuración de Snort
Andrés González Suárez - Instalación y configuración de SnortAndrés González Suárez - Instalación y configuración de Snort
Andrés González Suárez - Instalación y configuración de Snort
 
Sistemas de detección de intrusiones. SNORT
Sistemas de detección de intrusiones. SNORTSistemas de detección de intrusiones. SNORT
Sistemas de detección de intrusiones. SNORT
 
Practica 4 herramienta snort entregable
Practica 4 herramienta snort entregablePractica 4 herramienta snort entregable
Practica 4 herramienta snort entregable
 
Actividad No. 6.6: Detección de intrusos con Snort
Actividad No. 6.6: Detección de intrusos con SnortActividad No. 6.6: Detección de intrusos con Snort
Actividad No. 6.6: Detección de intrusos con Snort
 
Wireshark ppt
Wireshark pptWireshark ppt
Wireshark ppt
 
Industrial Training - Network Intrusion Detection System Using Snort
Industrial Training - Network Intrusion Detection System Using SnortIndustrial Training - Network Intrusion Detection System Using Snort
Industrial Training - Network Intrusion Detection System Using Snort
 
Sistemas de Detección de Intrusos (IDS)
Sistemas de Detección de Intrusos (IDS)Sistemas de Detección de Intrusos (IDS)
Sistemas de Detección de Intrusos (IDS)
 
Securing the Internet from Cyber Criminals
Securing the Internet from Cyber CriminalsSecuring the Internet from Cyber Criminals
Securing the Internet from Cyber Criminals
 
Apache Spark: The Analytics Operating System
Apache Spark: The Analytics Operating SystemApache Spark: The Analytics Operating System
Apache Spark: The Analytics Operating System
 
Apache spark basics
Apache spark basicsApache spark basics
Apache spark basics
 
Hadoop MapReduce Fundamentals
Hadoop MapReduce FundamentalsHadoop MapReduce Fundamentals
Hadoop MapReduce Fundamentals
 
Ingeniería de software modelo incremental
Ingeniería de software  modelo incrementalIngeniería de software  modelo incremental
Ingeniería de software modelo incremental
 
Intrusion detection system
Intrusion detection system Intrusion detection system
Intrusion detection system
 

Similaire à Snort

Snort
SnortSnort
Snortnazzf
 
An analysis of Network Intrusion Detection System using SNORT
An analysis of Network Intrusion Detection System using SNORTAn analysis of Network Intrusion Detection System using SNORT
An analysis of Network Intrusion Detection System using SNORTijsrd.com
 
Pertemuan 9 intrusion detection system
Pertemuan 9 intrusion detection systemPertemuan 9 intrusion detection system
Pertemuan 9 intrusion detection systemnewbie2019
 
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...skpatel91
 
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...skpatel91
 
Modul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptModul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptcemporku
 
modul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdfmodul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdftehkotak4
 
IDS_WK_Arsalan.pptx
IDS_WK_Arsalan.pptxIDS_WK_Arsalan.pptx
IDS_WK_Arsalan.pptxaskaripayalo
 
Introduction to cyber forensics
Introduction to cyber forensicsIntroduction to cyber forensics
Introduction to cyber forensicsAnpumathews
 
Chapter 12
Chapter 12Chapter 12
Chapter 12cclay3
 
Snort by SecArmour
 Snort by SecArmour Snort by SecArmour
Snort by SecArmourSec Armour
 
VTU 8TH SEM INFORMATION AND NETWORK SECURITY SOLVED PAPERS
VTU 8TH SEM INFORMATION AND NETWORK SECURITY SOLVED PAPERSVTU 8TH SEM INFORMATION AND NETWORK SECURITY SOLVED PAPERS
VTU 8TH SEM INFORMATION AND NETWORK SECURITY SOLVED PAPERSvtunotesbysree
 
Intrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouniIntrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouniLoay Elbasyouni
 
Procuring the Anomaly Packets and Accountability Detection in the Network
Procuring the Anomaly Packets and Accountability Detection in the NetworkProcuring the Anomaly Packets and Accountability Detection in the Network
Procuring the Anomaly Packets and Accountability Detection in the NetworkIOSR Journals
 
NetSim Webinar on Network Attacks and Detection
NetSim Webinar on Network Attacks and DetectionNetSim Webinar on Network Attacks and Detection
NetSim Webinar on Network Attacks and DetectionDESHPANDE M
 
CNIT 152: 9 Network Evidence
CNIT 152: 9 Network EvidenceCNIT 152: 9 Network Evidence
CNIT 152: 9 Network EvidenceSam Bowne
 

Similaire à Snort (20)

1.SNORT.pdf
1.SNORT.pdf1.SNORT.pdf
1.SNORT.pdf
 
Snort
SnortSnort
Snort
 
An analysis of Network Intrusion Detection System using SNORT
An analysis of Network Intrusion Detection System using SNORTAn analysis of Network Intrusion Detection System using SNORT
An analysis of Network Intrusion Detection System using SNORT
 
Pertemuan 9 intrusion detection system
Pertemuan 9 intrusion detection systemPertemuan 9 intrusion detection system
Pertemuan 9 intrusion detection system
 
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...
 
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...
 
Modul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptModul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.ppt
 
modul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdfmodul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdf
 
IDS_WK_Arsalan.pptx
IDS_WK_Arsalan.pptxIDS_WK_Arsalan.pptx
IDS_WK_Arsalan.pptx
 
Introduction to cyber forensics
Introduction to cyber forensicsIntroduction to cyber forensics
Introduction to cyber forensics
 
Chapter 12
Chapter 12Chapter 12
Chapter 12
 
Snort by SecArmour
 Snort by SecArmour Snort by SecArmour
Snort by SecArmour
 
VTU 8TH SEM INFORMATION AND NETWORK SECURITY SOLVED PAPERS
VTU 8TH SEM INFORMATION AND NETWORK SECURITY SOLVED PAPERSVTU 8TH SEM INFORMATION AND NETWORK SECURITY SOLVED PAPERS
VTU 8TH SEM INFORMATION AND NETWORK SECURITY SOLVED PAPERS
 
Intrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouniIntrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouni
 
Packet sniffers
Packet sniffers Packet sniffers
Packet sniffers
 
6
66
6
 
Network Forensics
Network ForensicsNetwork Forensics
Network Forensics
 
Procuring the Anomaly Packets and Accountability Detection in the Network
Procuring the Anomaly Packets and Accountability Detection in the NetworkProcuring the Anomaly Packets and Accountability Detection in the Network
Procuring the Anomaly Packets and Accountability Detection in the Network
 
NetSim Webinar on Network Attacks and Detection
NetSim Webinar on Network Attacks and DetectionNetSim Webinar on Network Attacks and Detection
NetSim Webinar on Network Attacks and Detection
 
CNIT 152: 9 Network Evidence
CNIT 152: 9 Network EvidenceCNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence
 

Dernier

CAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptxCAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptxSaurabhParmar42
 
What is the Future of QuickBooks DeskTop?
What is the Future of QuickBooks DeskTop?What is the Future of QuickBooks DeskTop?
What is the Future of QuickBooks DeskTop?TechSoup
 
UKCGE Parental Leave Discussion March 2024
UKCGE Parental Leave Discussion March 2024UKCGE Parental Leave Discussion March 2024
UKCGE Parental Leave Discussion March 2024UKCGE
 
Patterns of Written Texts Across Disciplines.pptx
Patterns of Written Texts Across Disciplines.pptxPatterns of Written Texts Across Disciplines.pptx
Patterns of Written Texts Across Disciplines.pptxMYDA ANGELICA SUAN
 
CapTechU Doctoral Presentation -March 2024 slides.pptx
CapTechU Doctoral Presentation -March 2024 slides.pptxCapTechU Doctoral Presentation -March 2024 slides.pptx
CapTechU Doctoral Presentation -March 2024 slides.pptxCapitolTechU
 
How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17Celine George
 
Human-AI Co-Creation of Worked Examples for Programming Classes
Human-AI Co-Creation of Worked Examples for Programming ClassesHuman-AI Co-Creation of Worked Examples for Programming Classes
Human-AI Co-Creation of Worked Examples for Programming ClassesMohammad Hassany
 
The Stolen Bacillus by Herbert George Wells
The Stolen Bacillus by Herbert George WellsThe Stolen Bacillus by Herbert George Wells
The Stolen Bacillus by Herbert George WellsEugene Lysak
 
Quality Assurance_GOOD LABORATORY PRACTICE
Quality Assurance_GOOD LABORATORY PRACTICEQuality Assurance_GOOD LABORATORY PRACTICE
Quality Assurance_GOOD LABORATORY PRACTICESayali Powar
 
HED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfHED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfMohonDas
 
Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...raviapr7
 
How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17Celine George
 
Benefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive EducationBenefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive EducationMJDuyan
 
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdfMaximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdfTechSoup
 
AUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptxAUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptxiammrhaywood
 
Ultra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptxUltra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptxDr. Asif Anas
 
Prescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxPrescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxraviapr7
 
In - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptxIn - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptxAditiChauhan701637
 

Dernier (20)

CAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptxCAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptx
 
What is the Future of QuickBooks DeskTop?
What is the Future of QuickBooks DeskTop?What is the Future of QuickBooks DeskTop?
What is the Future of QuickBooks DeskTop?
 
UKCGE Parental Leave Discussion March 2024
UKCGE Parental Leave Discussion March 2024UKCGE Parental Leave Discussion March 2024
UKCGE Parental Leave Discussion March 2024
 
Patterns of Written Texts Across Disciplines.pptx
Patterns of Written Texts Across Disciplines.pptxPatterns of Written Texts Across Disciplines.pptx
Patterns of Written Texts Across Disciplines.pptx
 
CapTechU Doctoral Presentation -March 2024 slides.pptx
CapTechU Doctoral Presentation -March 2024 slides.pptxCapTechU Doctoral Presentation -March 2024 slides.pptx
CapTechU Doctoral Presentation -March 2024 slides.pptx
 
How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17
 
Prelims of Kant get Marx 2.0: a general politics quiz
Prelims of Kant get Marx 2.0: a general politics quizPrelims of Kant get Marx 2.0: a general politics quiz
Prelims of Kant get Marx 2.0: a general politics quiz
 
Human-AI Co-Creation of Worked Examples for Programming Classes
Human-AI Co-Creation of Worked Examples for Programming ClassesHuman-AI Co-Creation of Worked Examples for Programming Classes
Human-AI Co-Creation of Worked Examples for Programming Classes
 
The Stolen Bacillus by Herbert George Wells
The Stolen Bacillus by Herbert George WellsThe Stolen Bacillus by Herbert George Wells
The Stolen Bacillus by Herbert George Wells
 
Quality Assurance_GOOD LABORATORY PRACTICE
Quality Assurance_GOOD LABORATORY PRACTICEQuality Assurance_GOOD LABORATORY PRACTICE
Quality Assurance_GOOD LABORATORY PRACTICE
 
HED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfHED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdf
 
Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...
 
How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17How to Use api.constrains ( ) in Odoo 17
How to Use api.constrains ( ) in Odoo 17
 
Benefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive EducationBenefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive Education
 
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdfMaximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
 
AUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptxAUDIENCE THEORY -- FANDOM -- JENKINS.pptx
AUDIENCE THEORY -- FANDOM -- JENKINS.pptx
 
Ultra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptxUltra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptx
 
Personal Resilience in Project Management 2 - TV Edit 1a.pdf
Personal Resilience in Project Management 2 - TV Edit 1a.pdfPersonal Resilience in Project Management 2 - TV Edit 1a.pdf
Personal Resilience in Project Management 2 - TV Edit 1a.pdf
 
Prescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxPrescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptx
 
In - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptxIn - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptx
 

Snort

  • 1. Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation
  • 2. Overview      What’s snort? Snort architecture Snort components Detection engine and rules in snort Possible research works in snort.
  • 3. What’s snort?  NIDS: A network intrusion detection system (NIDS) is an intrusion detection system that tries to detect malicious activity such as denial of service attacks, port scans or even attempts to crack into computers by monitoring network traffic.  Snort:  Snort: an open source network intrusion prevention and detection system. It uses a rule-based language combining signature, protocol and anomaly inspection methods the most widely deployed intrusion detection and prevention technology and it has become the de facto standard technology worldwide in the industry.
  • 4. Snort 1. A packet sniffer: 2. Packet logger: log data in text file Honeypot monitor: deceiving hostile parties NIDS: network intrusion detection system 3. 4. capture and display packets from the network with different levels of detail on the console
  • 6. Requirement of snort    lightweight NIDS small, flexible highly capable system
  • 7. Snort architecture From: Nalneesh Gaur, Snort: Planning IDS for your enterprise, http://www.linuxjournal.com/article/4668, 2001.
  • 8. Snort components From: Rafeeq Ur Rehman, Intrusion Detection Systems with Snort: Advanced IDS Techniques with Snort, Apache, MySQL, PHP, and ACID.
  • 9. Logical components of snort  Packet Decoder:  Preprocessor:  Detection Engine: takes packets from different types of network interfaces (Ethernet, SLIP,PPP…), prepare packets for processing (1) prepare data for detection engine; (2) detect anomalies in packet headers; (3) packet defragmentation;(4) decode HTTP URI; (5) reassemble TCP streams. the most important part, applies rules to packets   Logging and Alerting System Output Modules: process alerts and logs and generate final output.
  • 10. TCP/IP layer Physical layer Snort work on network (IP) layer, transport (TCP/UDP) layer protocol, and application layer
  • 11. Detection Engine ※Things need to be done for detection engine: •The IP header of the packet •The transport layer header. TCP, UDP, ICMP etc. •The application layer level header. Header of DNS, FTP, SNMP, SMTP •Packet payload ※ How to do these? Apply rules to the packets using a Boyer-Moore string matching algorithm ※ Requirement 1. 2. Time critical Fast
  • 12. Detection engine     Number of rules Traffic load on the network Speed of network and machine Efficiency of detection algorithm
  • 13. Rules    In a single line Rules are created by known intrusion signatures. Usually place in snort.conf configuration file. rule header rule options
  • 14. Rule examples destination ip address Apply to all ip packets Source ip address Destination port Source port # Rule options Alert will be generated if criteria met Rule header
  • 15. Detection engine order to scan the rules  1. 2. 3. Snort does not evaluate the rules in the order that they appear in the Snort rules file. In default, the order is: Alert rules Pass rules Log rules
  • 16. Challenges with snort         Misuse detection – avoid known intrusions Rules database is larger and larger It continues to grow snort version 2.3.2, there are 2,600 rules 80% of them are signatures Snort spends 80% work time to do string match Anomaly detection – identify new attacks Probability of detection is low
  • 17. Snort components From: Rafeeq Ur Rehman, Intrusion Detection Systems with Snort: Advanced IDS Techniques with Snort, Apache, MySQL, PHP, and ACID.
  • 18. Attempts to improve  Increasing preprocessing ability --- offload partial work from detect engine  Using hardware to reduce workload - a hybrid architecture --- software has more flexibility, hardware has relatively higher throughput  Better detection algorithm
  • 19. Possible ways?   Organize the well-known rules into better data structure to achieve better performance A detector with acceptable detection probability