Penetration Testing
Security Analysis and Advanced Tools:
Snort
Introduction to Snort Analysis
• Snort
– Widely used, open-source, network-based intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks
– Performs protocol analysis and content matching to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and more
Modes of Operation
• Snort can be configured to run in the following modes:
– Packet Sniffer
– Packet Logger
– Network Intrusion Detection System
– Inline
Features of Snort
• Features of Snort:
– Protocol analysis
– Content searching/matching
– Real-time alerting capability
– Can read a Tcpdump trace and run it against a rule set
– Flexible rules language
• Snort can be configured to watch a network for a particular type of attack profile
– It can alert the incident response team as soon as the attack takes place
Configuring Snort
• Snort is configured using the text file snort.conf
– The include keyword allows other rules files to be included within the rules file
• Variables
– Used to define parameters for detection, specifically those of the local network or specific servers or ports, for inclusion in or exclusion from the rules
• Snort Preprocessors
– Offer additional detection capabilities
– Port scan: a TCP connection that attempts to send to more than P ports in T seconds, or UDP packets sent to more than P ports in T seconds
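The port scan threshold described above ("more than P ports in T seconds"), worked through as a sliding-window detector over a constructed list of connection attempts. This is an added illustration, not code from the slides or from Snort's portscan preprocessor; the sample connections and the threshold values are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample of TCP connection attempts: (timestamp in seconds, src_ip, dst_ip, dst_port).
# 10.0.0.5 sweeps six ports in under three seconds; 10.0.0.9 is an ordinary client.
SAMPLE_CONNECTIONS = [
    (0.0, "10.0.0.5", "192.168.1.10", 21),
    (0.5, "10.0.0.5", "192.168.1.10", 22),
    (1.0, "10.0.0.5", "192.168.1.10", 23),
    (1.5, "10.0.0.5", "192.168.1.10", 25),
    (2.0, "10.0.0.5", "192.168.1.10", 80),
    (2.5, "10.0.0.5", "192.168.1.10", 443),
    (0.2, "10.0.0.9", "192.168.1.10", 80),
    (30.0, "10.0.0.9", "192.168.1.10", 443),
    (60.0, "10.0.0.9", "192.168.1.10", 80),
]


def detect_port_scans(connections, max_ports, window_seconds):
    """Return [(src_ip, timestamp)] for each source the first time it has contacted
    more than max_ports distinct (dst_ip, dst_port) pairs within any window_seconds
    span: the 'more than P ports in T seconds' threshold applied over a sliding window."""
    alerts = []
    recent = defaultdict(deque)   # src_ip -> (ts, dst_ip, dst_port) events inside the window
    already_alerted = set()
    for ts, src, dst, port in sorted(connections):
        window = recent[src]
        window.append((ts, dst, port))
        # Expire events that fell out of the T-second window (the current event always stays).
        while ts - window[0][0] > window_seconds:
            window.popleft()
        distinct_ports = {(d, p) for _, d, p in window}
        if len(distinct_ports) > max_ports and src not in already_alerted:
            alerts.append((src, ts))
            already_alerted.add(src)
    return alerts


if __name__ == "__main__":
    for src, ts in detect_port_scans(SAMPLE_CONNECTIONS, max_ports=4, window_seconds=5):
        print(f"portscan: {src} exceeded 4 ports within 5 s at t={ts:.1f}s")
```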
Configuring Snort (cont’d.)
These are the different directives that can be used with the config command
Configuring Snort (cont’d.)
• Output Plug-ins
– Allow Snort to be much more flexible in the formatting and presentation of output to its users
– Snort has nine output plug-ins:
• alert_syslog
• alert_fast
• alert_full
• alert_unixsock
• log_tcpdump
• database
• csv
• unified
• log_null
How Snort Works
• Initializing Snort
– Starting Up
– Parsing the Configuration File
• Decoding
– Execution begins at the ProcessPacket() function when a new packet is received
• Preprocessing
– The ProcessPacket() function tests to see the mode in which Snort is running
• Detection
– The detection phase begins in the Detect() function
Content Matching
• Snort uses a series of string matching and parsing functions
– Contained in the src/mstring.c and src/mstring.h files in the Snort source tree
• The detection engine slightly changes the way Snort works by having the first phase be a setwise pattern match
• Some detection options, such as pcre and byte_test, perform detection in the payload section of the packet rather than using the setwise pattern-matching engine
The Stream4 Preprocessor
• stream4 module
– Provides TCP stream reassembly and stateful analysis capabilities to Snort
– Gives large-scale users the ability to track many simultaneous TCP streams
– Set to handle 8,192 simultaneous TCP connections in its default configuration
• Stream4 contains two configurable modules:
– Global Stream4 preprocessor
– Stream4 reassemble preprocessor
Inline Functionality
• Implemented utilizing the iptables or ipfw firewall option to provide the functionality for a new set of rule types: drop, reject, and sdrop
• Inline Initialization
– The inline_flag variable is used to toggle the use of inline functionality in Snort
• Inline Detection
– To receive packets from ipqueue or ipfw, calls to the IpqLoop() and IpfwLoop() functions are added to the SnortMain() function
Writing Snort Rules
• Snort uses a simple, lightweight rules description language that is both flexible and powerful
• The Rule Header (fields)
– Rule action
– Protocol
– IP address
– Port information
– Directional operator
• Rule Options
– Specify exactly what to match and what to display after a successful match
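To make the rule header fields and rule options listed above concrete, and to show how the Variables defined in snort.conf feed into them, here is an added parser for one constructed rule plus a toy matcher that applies it to a constructed packet. It is not Snort's own code: the VARIABLES dictionary, the sample rule, the packet dict layout and the plain substring content check are all assumptions, and option values are assumed not to contain semicolons.

```python
import ipaddress
import re

# Constructed snort.conf-style variables, standing in for the deck's "Variables" section.
VARIABLES = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "any", "HTTP_PORTS": "80"}

# Constructed rule: header fields (action, protocol, addresses, ports, direction) then options.
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
               '(msg:"WEB cgi-bin probe"; content:"/cgi-bin/"; nocase; sid:1000001; rev:1;)')

HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$')

def parse_rule(text, variables):
    """Split a rule into header fields and ordered (keyword, value) options, resolving $VAR
    references from the configuration; simplification: option values contain no ';'."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised rule syntax")
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    sub = lambda s: variables.get(s[1:], s) if s.startswith("$") else s
    header = {"action": action, "protocol": proto, "src": sub(src), "src_port": sub(sport),
              "direction": direction, "dst": sub(dst), "dst_port": sub(dport)}
    options = []
    for item in (o.strip() for o in opts.split(";")):
        if item:
            key, _, value = item.partition(":")
            options.append((key.strip(), value.strip().strip('"')))
    return header, options

def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(header, options, packet):
    """Check the header fields, then every content option (with a following nocase honoured)
    against a packet dict; a plain substring search, not Snort's setwise engine."""
    if header["protocol"] != packet["proto"]:
        return False
    if not (_addr_ok(header["src"], packet["src"]) and _addr_ok(header["dst"], packet["dst"])):
        return False
    for spec, port in ((header["src_port"], packet["sport"]), (header["dst_port"], packet["dport"])):
        if spec != "any" and spec != str(port):
            return False
    contents = []                      # [pattern, nocase] in rule order
    for key, value in options:
        if key == "content":
            contents.append([value, False])
        elif key == "nocase" and contents:
            contents[-1][1] = True     # nocase modifies the content option that precedes it
    payload = packet["payload"]
    return all((p.lower() in payload.lower()) if nc else (p in payload) for p, nc in contents)
```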
Writing Snort Rules (cont’d.)
These are all available Snort rule options.
Writing Snort Rules (cont’d.)
• Writing Good Snort Rules
– Develop effective content-matching strings
– Catch the vulnerability, not the exploit
– Catch the oddities of the protocol in the rule
– Optimize the rules
Snort Tools
• IDS Policy Manager
– Written to manage Snort IDS sensors in a distributed environment
• Snort Rules Subscription
– Sourcefire, the company behind Snort, uses a registration and subscription model for distribution of new rules
• Honeynet Security Console
– Analysis tool to view events on a personal network or honeynet
Snort Tools (cont’d.)
IDS Policy Manager configures Snort with a graphical user interface.
Snort Tools (cont’d.)
Honeynet Security Console displays and analyzes events from several IDS programs.
Summary
• Snort is a powerful intrusion detection system (IDS) and traffic analyzer
• A Snort configuration file has four major components:
– Variables
– Preprocessors
– Output plug-ins
– Rules
• A Snort rule contains a rule header and rule options
• Users can write their own Snort rules either manually or with the assistance of tools
Summary (cont’d.)
• A three-homed firewall DMZ handles the traffic between the internal network and firewall, as well as the traffic between the firewall and DMZ
• A site survey can be conducted to determine the proper number of access points needed based on the expected number of users and the specific environment for a WLAN
• Authentication may not be desired if a network is publicly accessible
• An access point is a layer-2 device that serves as an interface between the wireless network and the wired network