Snort Intrusion Detection System

Charles Beckmann, Anthony Magee, Vijay Iyer

Posted on 14-Dec-2015


TRANSCRIPT

Snort Intrusion Detection System

Charles Beckmann
Anthony Magee
Vijay Iyer


Topics

Software
Setup
Motivations
Rules
Performance
Collected Data
References


Software

Debian 5.0 - Robust and stable platform with large community support
IPtables - Popular and preferred on Debian
Snort - Open source, mature, rule driven IDS
Guardian Active Response - Active firewall modification scripts for several firewall programs (not to be confused with DansGuardian)

Snort

Network intrusion detection and prevention system (IDS)
Analyzes incoming traffic for signs of attack
  Protocol analysis
  Heuristic content matching
  Rule based
Report generation


Guardian Active Response

Designed for Snort
Whitelist for preventing unwanted blocking
Written in Perl
Supports watching multiple IPs


IPtables

Default firewall controller for Debian
Simple to use
Provides fine grained control when needed
Example rule to drop all MySQL traffic to a specific machine:

    iptables -A FORWARD -p tcp -m tcp -s 0.0.0.0/0 -d <some IP> --dport 3306 -m state --state NEW -j DROP

Motivations: Why do we need Snort?

Many forms of attack can go completely undetected by casual observation

Many modern attacks, such as DDoS, are impossible to prevent or contain using static firewall rules

We need a cheap and automated solution

Motivations: Why use Guardian?

Uses Snort logs to dynamically block threats

Snort Network Configuration

Setup & Integration

Installed on a dedicated machine: The Acronym Friendly Vast Lab Intrusion Detection and Prevention System (AFVLIDPS)

Passive connection to hub sniffs incoming traffic without incurring additional delay

There is a delay, however, between the start of the attack and the Guardian response


Rules

Avoid service interruptions due to false positives
Creating rules requires nontrivial amounts of data and analysis
Quality of Service
  Restrict to times of day
  Restrict based on attack frequency
  Staged restrictions
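The IPtables example rule, Guardian's whitelist-guarded blocking driven by Snort logs, and the frequency-based and staged restrictions on the Rules slide fit together in one small active-response loop. The Python below is an added example, not code from this presentation, from Guardian or from Snort: it parses Snort alert_fast log lines, skips whitelisted sources and low-priority alerts, and only once a source has produced a threshold of alerts inside a time window emits a rule in the slide's own style that drops new connections from that source to the targeted service; if the alerts continue it escalates to dropping everything from the source. It is a dry run that returns the iptables commands instead of executing them. The alert lines, the SIDs (local rule range), the addresses (RFC 5737 documentation ranges), the whitelist and the thresholds are all constructed for the demonstration.

```python
"""Guardian-style active response as a dry run: read Snort alert_fast lines,
apply a whitelist and an alert-frequency threshold, and return the iptables
commands that would restrict the source, escalating in two stages.
Added example, not Guardian's or Snort's code; all sample data is constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One alert_fast line (Snort writes no year in the timestamp):
# MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: n] {PROTO} src:port -> dst:port
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification: [^\]]*\]\s+)?\[Priority: (?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Fields of one alert_fast line, or None if the line is not an alert."""
    m = FAST_ALERT.match(line)
    if not m:
        return None
    f = m.groupdict()
    f["ts"] = datetime.strptime(f["ts"], "%m/%d-%H:%M:%S.%f")
    f["prio"] = int(f["prio"])
    f["dport"] = int(f["dport"]) if f["dport"] else None
    return f


def block_rule(alert, full=False):
    """Stage 1 mirrors the slide's rule: drop only new connections from the source
    to the targeted service. Stage 2 (or a portless protocol such as ICMP) drops
    everything the source sends."""
    if full or alert["dport"] is None:
        return f"iptables -A FORWARD -s {alert['src']} -j DROP"
    proto = alert["proto"].lower()
    return (f"iptables -A FORWARD -p {proto} -m {proto} -s {alert['src']} -d {alert['dst']} "
            f"--dport {alert['dport']} -m state --state NEW -j DROP")


class Responder:
    """Decides, per source address, when the alert stream justifies a firewall change."""

    def __init__(self, whitelist, threshold=3, window=timedelta(minutes=5), max_priority=2):
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.threshold = threshold        # alerts within `window` needed before acting
        self.window = window
        self.max_priority = max_priority  # Snort priority 1 is most severe; ignore anything above this
        self.hits = defaultdict(list)     # src -> timestamps of recent qualifying alerts
        self.stage = {}                   # src -> 1 (service blocked) or 2 (fully blocked)
        self.commands = []                # a deployed responder would execute these

    def is_whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def handle(self, line):
        """Feed one log line; return the iptables command it triggers, if any."""
        a = parse_alert(line)
        if a is None or a["prio"] > self.max_priority or self.is_whitelisted(a["src"]):
            return None
        src = a["src"]
        recent = [t for t in self.hits[src] if a["ts"] - t <= self.window] + [a["ts"]]
        self.hits[src] = recent
        stage = self.stage.get(src, 0)
        if len(recent) < self.threshold or stage >= 2:
            return None
        cmd = block_rule(a, full=(stage == 1))
        self.stage[src] = stage + 1
        self.hits[src] = []               # count afresh before the next escalation
        self.commands.append(cmd)
        return cmd


def dry_run(log_text, whitelist=("192.0.2.0/24",)):
    """Return, in order, the iptables commands a responder would issue for the log."""
    r = Responder(whitelist)
    for line in log_text.splitlines():
        r.handle(line)
    return r.commands


# Constructed alerts: an external host hammering SSH, an internal (whitelisted)
# host probing MySQL, and a low-priority ICMP alert that must be ignored.
SAMPLE_ALERTS = """\
12/14-10:03:21.101000  [**] [1:1000001:1] LOCAL Repeated SSH login failure [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:51234 -> 192.0.2.10:22
12/14-10:03:24.202000  [**] [1:1000001:1] LOCAL Repeated SSH login failure [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:51235 -> 192.0.2.10:22
12/14-10:03:29.303000  [**] [1:1000001:1] LOCAL Repeated SSH login failure [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:51236 -> 192.0.2.10:22
12/14-10:03:30.000000  [**] [1:1000002:1] LOCAL MySQL probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.50:40000 -> 192.0.2.10:3306
12/14-10:04:01.000000  [**] [1:1000003:1] LOCAL Noisy but harmless [**] [Priority: 3] {ICMP} 198.51.100.9 -> 192.0.2.10
12/14-10:05:10.000000  [**] [1:1000001:1] LOCAL Repeated SSH login failure [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:51237 -> 192.0.2.10:22
12/14-10:05:12.000000  [**] [1:1000001:1] LOCAL Repeated SSH login failure [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:51238 -> 192.0.2.10:22
12/14-10:05:15.000000  [**] [1:1000001:1] LOCAL Repeated SSH login failure [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:51239 -> 192.0.2.10:22
"""

if __name__ == "__main__":
    for cmd in dry_run(SAMPLE_ALERTS):
        print(cmd)
```

Run against the constructed log, the dry run yields two commands for 203.0.113.7: a service-only DROP after the third SSH alert, then a full DROP after the next three; the whitelisted internal host and the priority-3 ICMP alert produce nothing. The whitelist is what stands between a false-positive rule and the service interruption the Rules slide warns about, and the threshold plus two-stage escalation is one concrete reading of "restrict based on attack frequency" and "staged restrictions". Rules appended with -A never expire on their own, so a deployed responder also needs a step that removes them after some time, which this example leaves out.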

Performance

Guardian can read the logs quickly
MySQL logs are used to view reports and do not affect speed of system
QoS - Quality of Service
  Block all potentially harmful traffic?
  Limit harmful traffic?
  Leak a little traffic from harmful sources?

Data / Results

References

“Design Of an Autonomous Anti DDos network” by Angel Cearns
http://www.snort.org
http://www.iptables.org
http://www.chaotic.org/guardian/


This is the last slide

There are no further slides after this slide. No, really.
You may now ask questions. They will be answered with questionable sincerity.