Snort/Suricata - what does it do?

  • tony_clifton
  • Registered: February 2012
  • Last online: 06-04-2018
Dear all,

For quite a while now I have been wondering what Snort, Suricata and related applications actually do.
I understand that they do intrusion prevention/detection and that they do so through a kind of Layer 7 inspection.

But what does this protect against, concretely? The only example I can think of is detecting/blocking attacks such as DNS tunnelling. Still, I wonder what else gets stopped by Snort and its relatives, and whether these attacks actually occur frequently. I had not really heard of DNS tunnelling until I started searching for Snort.

I was also wondering where the difference lies with closed-source L7 appliances such as Palo Alto, Fortinet or Sophos.
I have some experience with Palo Alto; it recognises signatures of online/offline programs such as Dropbox, YouTube, malware, ...
Snort does not seem to do this? Is that correct?

As a last and least important question: I will soon be putting a pfSense router into use. The only package I currently plan to install is pfBlockerNG with DNSBL. That seems to me an enormously effective way to keep most of the junk out.
So is Snort a valuable addition, or is Suricata a better alternative?

Many thanks! All the information on the internet seems to start from the assumption that it is obvious what Snort/Suricata do or do not do. It is hard to find concrete examples of what IPS/IDS actually entails.

  • ndeleeuw
  • Registered: February 2002
  • Last online: 29-07 19:06
In principle Snort/Suricata compares all network traffic by holding it against a list of signatures. That is how an IPS/IDS detects when someone does something that looks like an attack.
You can also add new signatures to Snort; there are even companies that arrange this for you.
You can also switch Snort from IDS mode to IPS mode and then use it inline. In that case Snort will block the detected attacks. Snort and Suricata do exactly the same thing; Suricata is somewhat younger and possibly offers options that Snort cannot or will not offer. If you suspect that external IPs are going to try to break in, Snort can be useful for detecting those attacks.

Steam: Profile / Socialclub: Profile / Uplay: minedwarf / Origin: lordgandalf3


  • Bor
  • Registered: February 2001
  • Last online: 12:53

What have you already researched yourself? The Snort website, for example, contains a wealth of information. The list of rules that can be downloaded there already answers your question to a large extent.
app-detect.rules – This category contains rules that look for, and control, the traffic of certain applications that generate network activity. This category will be used to control various aspects of how an application behaves.
blacklist.rules – This category contains URI, USER-AGENT, DNS, and IP address rules that have been determined to be indicators of malicious activity. These rules are based on activity from the Talos virus sandboxes, public list of malicious URLs, and other data sources.
browser-chrome.rules – This category contains detection for vulnerabilities present in the Chrome browser. (This is separate from the “browser-webkit” category, as Chrome has enough vulnerabilities to be broken out into its own, and while it uses the Webkit rendering engine, there’s a lot of other features to Chrome.)
browser-firefox.rules – This category contains detection for vulnerabilities present in the Firefox browser, or products that have the “Gecko” engine. (Thunderbird email client, etc)
browser-ie.rules – This category contains detection for vulnerabilities present in the Internet Explorer browser (Trident or Tasman engines)
browser-webkit – This category contains detection of vulnerabilities present in the Webkit browser engine (aside from Chrome) this includes Apple’s Safari, RIM’s mobile browser, Nokia, KDE, Webkit itself, and Palm.
browser-other – This category contains detection for vulnerabilities in other browsers not listed above.
browser-plugins – This category contains detection for vulnerabilities in browsers that deal with plugins to the browser. (Example: Active-x)
content-replace – This category contains any rule that utilizes the “replace” functionality inside of Snort.
deleted – When a rule has been deprecated or replaced it is moved to this category. Rules are never totally removed from the ruleset, they are moved here.
exploit – This is an older category which will be deprecated soon. This category looks for exploits against software in a generic form.
exploit-kit – This category contains rules that are specifically tailored to detect exploit kit activity. This does not include “post-compromise” rules (as those would be in indicator-compromise). Files that are dropped as result of visiting an exploit kit would be in their respective file category.
file-executable – This category contains rules for vulnerabilities that are found or are delivered through executable files, regardless of platform.
file-flash - This category contains rules for vulnerabilities that are found or are delivered through flash files. Either compressed or uncompressed, regardless of delivery method platform being attacked.
file-image – This category contains rules for vulnerabilities that are found inside of image files. Regardless of delivery method, software being attacked, or type of image. (Examples include: jpg, png, gif, bmp, etc)
file-identify – This category is to identify files through file extension, the content in the file (file magic), or header found in the traffic. This information is usually used to then set a flowbit to be used in a different rule.
file-multimedia – This category contains rules for vulnerabilities present inside of multimedia files (mp3, movies, wmv)
file-office – This category contains rules for vulnerabilities present inside of files belonging to the Microsoft Office suite of software. (Excel, PowerPoint, Word, Visio, Access, Outlook, etc)
file-pdf – This category contains rules for vulnerabilities found inside of PDF files. Regardless of method of creation, delivery method, or which piece of software the PDF affects (for example, both Adobe Reader and FoxIt Reader)
file-other – This category contains rules for vulnerabilities present inside a file, that doesn’t fit into the other categories above.
indicator-compromise – This category contains rules that are clearly to be used only for the detection of a positively compromised system, false positives may occur.
indicator-obfuscation – This category contains rules that are clearly used only for the detection of obfuscated content. Like encoded JavaScript rules.
indicator-shellcode – This category contains rules that are simply looking for simple identification markers of shellcode in traffic. This replaces the old ”shellcode.rules”.
malware-backdoor – This category contains rules for the detection of traffic destined to known listening backdoor command channels. If a piece of malicious software opens a port and waits for incoming commands for its control functions, this type of detection will be here. A simple example would be the detection for BackOrifice as it listens on a specific port and then executes the commands sent.
malware-cnc – This category contains known malicious command and control activity for identified botnet traffic. This includes call home, downloading of dropped files, and ex-filtration of data. Actual commands issued from “Master to Zombie” type stuff will also be here.
malware-tools – This category contains rules that deal with tools that can be considered malicious in nature. For example, LOIC.
malware-other – This category contains rules that are malware related, but don’t fit into one of the other ’malware’ categories.
os-linux – This category contains rules that are looking for vulnerabilities in Linux based OSes. Not for browsers or any other software on it, but simply against the OS itself.
os-solaris – This category contains rules that are looking for vulnerabilities in Solaris based OSes. Not for any browsers or any other software on top of the OS.
os-windows – This category contains rules that are looking for vulnerabilities in Windows based OSes. Not for any browsers or any other software on top of the OS.
os-other – This category contains rules that are looking for vulnerabilities in an OS that is not listed above.
policy-multimedia – This category contains rules that detect potential violations of policy for multimedia. Examples like the detection of the use of iTunes on the network. This is not for vulnerabilities found within multimedia files, as that would be in file-multimedia.
policy-social – This category contains rules for the detection of potential violations of policy on corporate networks for the use of social media. (p2p, chat, etc)
policy-other – This category is for rules that may violate the end-users corporate policy but do not fall into any of the other policy categories first.
policy-spam – This category is for rules that may indicate the presence of spam on the network.
protocol-finger – This category is for rules that may indicate the presence of the finger protocol or vulnerabilities in the finger protocol on the network.
protocol-ftp – This category is for rules that may indicate the presence of the ftp protocol or vulnerabilities in the ftp protocol on the network.
protocol-icmp – This category is for rules that may indicate the presence of icmp traffic or vulnerabilities in icmp on the network.
protocol-imap – This category is for rules that may indicate the presence of the imap protocol or vulnerabilities in the imap protocol on the network.
protocol-pop – This category is for rules that may indicate the presence of the pop protocol or vulnerabilities in the pop protocol on the network.
protocol-services – This category is for rules that may indicate the presence of the rservices protocol or vulnerabilities in the rservices protocols on the network.
protocol-voip – This category is for rules that may indicate the presence of voip services or vulnerabilities in the voip protocol on the network.
pua-adware – This category deals with “pua” or Potentially Unwanted Applications that deal with adware or spyware.
pua-p2p – This category deals with “pua” or Potentially Unwanted Applications that deal with p2p.
pua-toolbars – This category deals with “pua” or Potentially Unwanted Applications that deal with toolbars installed on the client system. (Google Toolbar, Yahoo Toolbar, Hotbar, etc)
pua-other – This category deals with “pua” or Potentially Unwanted Applications that don’t fit into one of the categories shown above.
server-apache – This category deals with vulnerabilities in or attacks against the Apache Web Server.
server-iis – This category deals with vulnerabilities in or attacks against the Microsoft IIS Web server.
server-mssql – This category deals with vulnerabilities in or attacks against the Microsoft SQL Server.
server-mysql – This category deals with vulnerabilities in or attacks against Oracle’s MySQL server.
server-oracle – This category deals with vulnerabilities in or attacks against Oracle’s Oracle DB Server.
server-webapp – This category deals with vulnerabilities in or attacks against Web based applications on servers.
server-mail – This category contains rules that detect vulnerabilities in mail servers. (Exchange, Courier). These are separate from the protocol categories, as those deal with the traffic going to the mail servers itself.
server-other – This category contains rules that detect vulnerabilities in or attacks against servers that are not detailed in the above list.
More information: Wikipedia: Snort (software)

YouTube: Snort - What is Snort (network intrusion detection system)
YouTube: Creating SNORT Rules



  • WK100
  • Registered: February 2011
  • Online now


I run Snort myself, also on a pfSense router. This package has already kept many threats out and I can no longer do without it.

In your case I would first install it in IDS mode. You can then wait a couple of weeks and enable and disable rules as you see fit. After a while you can switch to IPS mode, where it enforces the rules: besides warning, as an IPS it will also block connections or optionally even cut them off before the payload arrives.

For signatures I use a Squid proxy with ClamAV as antivirus scanning the cache. It does have a maximum file size (which I believe you can configure) and may work differently from the L7 applications you are talking about.
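The signature matching described in ndeleeuw's answer and the IDS-versus-IPS distinction in WK100's answer, as an added example that is not code from this thread or from the Snort project: a toy matcher that parses two constructed Snort-style rules, tests them against constructed packets, and only enforces the `drop` action when run inline. The rule syntax is simplified (no flow or flowbits options, PCRE modifiers ignored), and the sids, messages and payloads are made up for illustration.

```python
import re

# Constructed rules in simplified Snort syntax (not from the official ruleset); sids 1000000+ are the local-rule range.
RULES = [
    'alert tcp any any -> any 80 (msg:"LOIC-style user-agent"; content:"User-Agent: LOIC"; sid:1000001;)',
    'drop udp any any -> any 53 (msg:"Very long DNS label, possible tunnelling"; pcre:"/[A-Za-z0-9]{40,}/"; sid:1000002;)',
]
# Rule header: action proto src sport -> dst dport (options)
HEADER = re.compile(r'^(\w+)\s+(\w+)\s+\S+\s+\S+\s*->\s*\S+\s+(\S+)\s*\((.*)\)\s*$')

def parse_rule(text):
    """Split one rule into action, protocol, destination port and its key:value options."""
    m = HEADER.match(text)
    if not m:
        raise ValueError("unparseable rule: " + text)
    action, proto, dport, opts = m.groups()
    rule = {"action": action, "proto": proto, "dport": dport}
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, value = opt.partition(":")
        rule[key] = value.strip().strip('"')
    return rule

def rule_matches(rule, pkt):
    """True when protocol, destination port and every payload test in the rule hold."""
    if rule["proto"] != pkt["proto"]:
        return False
    if rule["dport"] != "any" and int(rule["dport"]) != pkt["dport"]:
        return False
    if "content" in rule and rule["content"].encode() not in pkt["payload"]:
        return False
    if "pcre" in rule:  # PCRE modifiers after the closing slash are not handled here
        if not re.search(rule["pcre"].strip("/").encode(), pkt["payload"]):
            return False
    return True

def inspect(pkt, rules, inline=False):
    """Return (verdict, matching sids): passive IDS mode only reports, inline IPS mode enforces drop."""
    hits = [r for r in rules if rule_matches(r, pkt)]
    verdict = "pass"
    if hits:
        verdict = "alert"
        if inline and any(r["action"] == "drop" for r in hits):
            verdict = "drop"
    return verdict, [int(r["sid"]) for r in hits]

PARSED = [parse_rule(r) for r in RULES]
# Constructed sample packets: an HTTP request and a DNS query carrying a 45-character label.
HTTP_PKT = {"proto": "tcp", "dport": 80, "payload": b"GET / HTTP/1.1\r\nUser-Agent: LOIC\r\n\r\n"}
DNS_PKT = {"proto": "udp", "dport": 53, "payload": b"\x00\x01" + b"a" * 45 + b".example.test"}
```

`inspect(DNS_PKT, PARSED)` returns `('alert', [1000002])` because a passive sensor can only report, while `inspect(DNS_PKT, PARSED, inline=True)` returns `('drop', [1000002])`, which is the difference between the IDS and IPS modes discussed above.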
