Greg Steen

What is Snort? Snort purposes Where can it be used?

IDS/IPS Sniffs & Logs packets based on rule set When inline, can drop packets, thus IPS

Sniffer Command-line packet sniffer

Packet Logger Logs packets without a rule base.

Architecture Where will Snort reside on a network?

Installation Components

Snort- IDS/IPS Barnyard- Processes output of Snort Base- GUI to see the captured packets MySQL- Stores packet information and run DML

functions

Configuration files Rules.conf Snort.conf Barnyard2.conf

Permission settings Database GUI

Rule writing Sample rules

#pass tcp 192.168.1.106 any <> 91.189.88.40 any (msg:"allowed traffic for ubuntu updates";sid:1000011;)

alert icmp !10.1.0.0/16 any -> 10.1.1.0/16 any (msg: "Intrusion traffic";sid: 1000008;)

#drop tcp any 80 <> any 80 (msg:"Drop tcp all port 80";sid:1000014;)

Base lining the network Important to monitor and establish what is

acceptable traffic.

Data What is collected. Interpretation

Analysis Uses for data

Summary Snort is an open-source IDS/IPS Designed to be available at no cost for those

that want it Many businesses can use Snort, small to large

and it depends on the amount of maintenance desired to handle.