The first part of my article on Network security dealt with setting up a firewall in OpenSUSE.
Continuing with the same, let's discuss the "security cameras" of OpenSUSE. An intrusion prevention system (IPS) acts as a security watchdog and monitors the system for any security breach. SNORT is the most common IPS on Linux.
SNORT is an open source network intrusion prevention and detection system using a rule-driven language, which combines the benefits of signature-, protocol- and anomaly-based inspection methods. Snort performs protocol analysis and content searching/matching, and is commonly used to actively block or passively detect a variety of attacks and probes, such as buffer overflows, stealth port scans, web application attacks, SMB probes and OS fingerprinting attempts, among other features. The software is mostly used for intrusion prevention, by dropping attacks as they take place. Snort™ can be combined with other software such as SnortSnarf, sguil, OSSIM and the Basic Analysis and Security Engine (BASE) to provide a visual representation of intrusion data.
I tried Snort on OpenSUSE using the official SUSE install guide. The guide helps enable Snort and MySQL integration. This way the logs from Snort are saved in MySQL and I can review them from other systems (on my local network) using an easy-to-use web GUI for MySQL. Similar guides are available for RedHat as well.
SNORT is governed by signatures. Signatures consist of specific attack characteristics embodied in rules within the IDS's internal database; they permit statistical analysis of data relating to network operation, such as server CPU utilization, specific types of network traffic, and other numeric characteristics that are easily measurable and likely to be affected by an intrusion. SNORT is mainly a signature analysis tool, but can be configured for some statistical functionality. There are three run modes for Snort: Sniffer, Packet Logger, or NIDS (Network IDS).
Snort's strength is its high degree of configurability. Its main weakness is its dependence on (sometimes poor) signatures. As with all signature-based IDSes, Snort can be defenseless against unknown or "zero-day" attacks until a signature becomes available. Another problem with Snort is that some of the signatures -- no doubt designed to identify older attacks -- look for benign words (such as "TOP") in the payload to decide whether a packet is malicious. As a result, an initial ruleset from the Snort project gave us several hundred false positives. Snort developers have addressed this drawback by allowing you to comment out rules that you do not want to use on your network. The problem with this is that any time you update your rules with the newest set from Snort.org, you'll have to comment them out again.
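One way to stop re-commenting rules by hand after every update is to keep the SIDs you never want enabled in a small local file and re-apply that list to the freshly downloaded ruleset. The script below is an added example, not part of the original post or of Snort itself; the rules file, SIDs and the `DISABLED_SIDS` policy set are all constructed for illustration.

```python
import re

# Constructed sample of a Snort rules file as it might look right after pulling a
# fresh ruleset; the rules and SIDs are illustrative, not real Snort ruleset content.
SAMPLE_RULES = """\
# local.rules (constructed example)
alert tcp any any -> any 110 (msg:"POP3 TOP command"; content:"TOP"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"WEB-MISC GET"; content:"GET"; sid:1000002; rev:2;)
# alert tcp any any -> any 445 (msg:"SMB probe"; sid:1000003; rev:1;)
alert icmp any any -> any any (msg:"ICMP echo"; itype:8; sid:1000004; rev:1;)
"""

# SIDs the operator has decided to keep disabled on this network (assumed to live in a
# small local policy file that is NOT overwritten by ruleset updates).
DISABLED_SIDS = {1000001, 1000004}

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def is_commented(line):
    return line.lstrip().startswith("#")


def rule_sid(line):
    """SID of a rule line, commented out or not; None for blank lines and plain comments."""
    match = SID_RE.search(line)
    return int(match.group(1)) if match else None


def apply_disable_list(rules_text, disabled_sids):
    """Return rules_text with every rule whose SID is in disabled_sids commented out.

    Rules that are already commented out are left untouched, so the function is
    idempotent and can be re-run after every update.
    """
    out = []
    for line in rules_text.splitlines():
        sid = rule_sid(line)
        if sid in disabled_sids and not is_commented(line):
            out.append("# " + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def sid_state(rules_text):
    """Map each SID in the file to True if its rule is active, False if commented out."""
    state = {}
    for line in rules_text.splitlines():
        sid = rule_sid(line)
        if sid is not None:
            state[sid] = not is_commented(line)
    return state


if __name__ == "__main__":
    updated = apply_disable_list(SAMPLE_RULES, DISABLED_SIDS)
    print(updated)
    print(sid_state(updated))
```

Run it against the real rules file right after each download and before restarting Snort, so the local disable policy survives the update.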
Limitations apart, SNORT does a wonderful job of detecting intrusions and logging them. I can then simply modify my firewall rules and disable access to possible intruders. Above all, it gives me the feeling that if someone breaks in, I'll have information about the break-in and some details about the culprit. I can thus check my data for integrity and immediately change all my passwords. Not sure, but maybe I can also use the logged information as legal evidence against the attacker or to help the experts catch him.
P.S.:
There is also a Windows port of SNORT (for the poor souls who have to live with Vista).
As always, thanks to various websites for providing me information about SNORT and helping me install it.