Snort

September 18th, 2006 by uCertify

Snort is an open source network intrusion prevention and detection system that operates as a network sniffer. It logs network activity that matches predefined signatures. Signatures can be written for a wide range of traffic, including Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).

The three main modes in which Snort can be configured are as follows:

  • Sniffer mode: It reads packets off the network and displays them in a continuous stream on the console.
  • Packet logger mode: It logs the packets to disk.
  • Network intrusion detection mode: It is the most complex and configurable mode, allowing Snort to analyze network traffic for matches against a user-defined rule set.

Various features of Snort

Snort has the following features:

  • It detects and alerts administrators when it finds threats such as buffer overflows, stealth port scans, CGI attacks, SMB probes and NetBIOS queries, NMAP and other port scanners, well-known backdoors and system vulnerabilities, and DDoS clients.
  • New signatures can be written for it to detect newly found vulnerabilities.
  • It records packets in human-readable form along with their IP addresses.
  • It is used as a passive trap to record the presence of traffic that should not be found on a network, such as NFS or Napster connections.
  • It is used to monitor a home DSL connection or a corporate Web site.

Snort Rules

Snort rules are the conditions specified by a network administrator to differentiate between normal Internet activity and malicious activity. Snort rules are made up of two basic parts:

  • Rule header: This is the part of the rule where the rule's action is identified, together with the protocol, addresses and ports the rule applies to. Alert, log, pass, activate and dynamic are some important actions used in Snort rules.
  • Rule options: This is the part of the rule, enclosed in parentheses, where the rule's alert message and other detection options (such as msg and flow) are identified.

For example:

If a network administrator has written the rule alert tcp $HOME_NET any -> any 6667 (msg:"IRC port in use"; flow:from_client;), the first portion of the rule (the header) specifies the action, alert, and the traffic to examine: TCP traffic from any port on $HOME_NET to port 6667 on any host. If a match occurs, a message is generated that reads "IRC port in use", and the IDS creates a record that an IRC port might have been accessed.
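To make the header/options split concrete, here is a small Python parser and header matcher written for this post (it is not Snort's own code). It assumes that $HOME_NET and "any" match every host, so only the protocol and ports of a constructed flow record are compared, and the flow option is parsed but not evaluated.

```python
import re
from collections import namedtuple

Rule = namedtuple("Rule", "action proto src src_port direction dst dst_port options")
# Header: action proto src src_port direction dst dst_port, then "(options)".
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dst_port>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def parse_rule(text):
    """Split one rule into its header fields and an options dict."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: " + text)
    options = {}
    # Options are "key:value;" pairs; a ';' inside a quoted value is not handled.
    for item in m["opts"].split(";"):
        if item.strip():
            key, _, val = item.partition(":")
            options[key.strip()] = val.strip().strip('"')
    return Rule(m["action"], m["proto"], m["src"], m["src_port"], m["dir"],
                m["dst"], m["dst_port"], options)

def port_matches(spec, port):
    """Port field: 'any', a single port, or a 'low:high' range."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port

def header_matches(rule, proto, src_port, dst_port):
    # Assumption: $HOME_NET and 'any' addresses match every host, so only the
    # protocol and ports are compared; flow/content options are not evaluated.
    return (rule.proto == proto and port_matches(rule.src_port, src_port)
            and port_matches(rule.dst_port, dst_port))

# The post's example rule as Snort accepts it: lowercase action keyword and
# every option, including the last, terminated by a semicolon.
IRC_RULE = 'alert tcp $HOME_NET any -> any 6667 (msg:"IRC port in use"; flow:from_client;)'

# Constructed sample flows: (protocol, source port, destination port).
SAMPLE_FLOWS = [("tcp", 51234, 6667), ("tcp", 51235, 443), ("udp", 5353, 6667)]

def alerts_for(rule_text, flows):
    # Return the rule's msg once for each flow whose header it matches.
    rule = parse_rule(rule_text)
    return [rule.options["msg"] for f in flows if header_matches(rule, *f)]
```

Only the first constructed flow (TCP to port 6667) produces the "IRC port in use" alert; the HTTPS flow and the UDP flow do not match the header.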

Some common Snort rules are as follows:

© 2008 uCertify.com. All rights reserved. All trademarks are the property of their respective owners.