Implementing Snort into SURFids, Sander Keemink and Michael van Kleij (PowerPoint presentation)


SLIDE 1

Implementing Snort into SURFids

Sander Keemink and Michael van Kleij February 6, 2008

1 / 21

SLIDE 2

Outline

1. SURFids
2. Snort
3. Assignment
4. Experiments and results
5. Integrating Snort
6. Conclusion
7. Future work

SLIDE 3

Section: SURFids

IDS

Intrusion Detection System
- Detects unwanted activity
- Host based or network based

SLIDE 4

SURFids

SLIDE 5

Honeypots

Nepenthes
- Low interaction honeypot
- Simulates known vulnerabilities

Argos
- High interaction honeypot
- Analyses the operating system

SLIDE 6

Nepenthes information

SLIDE 7

Argos information

SLIDE 8

Section: Snort

Snort

- Network Intrusion Detection System
- Rule based and anomaly based

SLIDE 9

Section: Assignment

Assignment

Definition
"Which implementation of Snort into SURFids gives the most added value to the customer while not degrading performance in a noticeable way."

Research questions
- What is the added value of Snort?
- Where should Snort be placed?
- How can Snort output be integrated?

SLIDE 10

Performance

- SURFids traffic: 3 Mbit/s constant, peaks of up to 30 Mbit/s
- Snort: 125 Mbit/s without packet loss

SLIDE 11

Section: Experiments and results

Experiments

1. Snort before Argos
2. Snort besides Argos and Nepenthes
3. Snort on the tunnel server

SLIDE 12

Experiment 1

SLIDE 13

Results experiment 1

Results
- Over 90% of the attacks registered by Argos were detected by Snort
- Other attacks were also recognized
- Complications when matching the two data sets: time skew between the Argos and Snort timestamps, and multiple Snort entries per attack
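The two complications just listed decide whether an Argos record and a Snort alert are counted as the same attack. As an added example (not code from the presentation or the SURFids project), the following Python collapses alerts on one source/destination/port flow into a single attack and allows a configurable clock skew when pairing them with honeypot records; it then reports the detection rate. The record layout, the local rule SIDs, the clock offset and all events are constructed for the demonstration.

```python
"""Correlate Argos honeypot attack records with Snort alerts.

Added example; not code from the SURFids project or the presentation. The record
layout, the sensor clock offset and every event below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed Argos records: one entry per attack the honeypot registered.
ARGOS_EVENTS = [
    {"time": "2008-01-25 10:00:05", "src": "192.0.2.10", "dst": "198.51.100.5", "dport": 445},
    {"time": "2008-01-25 10:07:30", "src": "192.0.2.44", "dst": "198.51.100.5", "dport": 135},
    {"time": "2008-01-25 10:15:00", "src": "192.0.2.77", "dst": "198.51.100.5", "dport": 139},
]

# Constructed Snort alerts from a sensor whose clock runs 7 to 9 s ahead of
# Argos. Attack 1 trips three local rules, attack 3 trips none, and the last
# alert has no honeypot record at all.
SNORT_ALERTS = [
    {"time": "2008-01-25 10:00:12", "sid": 1000001, "src": "192.0.2.10", "dst": "198.51.100.5", "dport": 445},
    {"time": "2008-01-25 10:00:13", "sid": 1000002, "src": "192.0.2.10", "dst": "198.51.100.5", "dport": 445},
    {"time": "2008-01-25 10:00:13", "sid": 1000003, "src": "192.0.2.10", "dst": "198.51.100.5", "dport": 445},
    {"time": "2008-01-25 10:07:39", "sid": 1000004, "src": "192.0.2.44", "dst": "198.51.100.5", "dport": 135},
    {"time": "2008-01-25 10:30:00", "sid": 1000005, "src": "192.0.2.99", "dst": "198.51.100.5", "dport": 80},
]


def parse_time(value):
    return datetime.strptime(value, TIME_FMT)


def group_alerts(alerts, gap_seconds=60):
    """Collapse alerts on one src -> dst:dport flow into attacks.

    Alerts on the same flow that follow each other within gap_seconds are
    merged, so one exploit attempt that trips several rules counts once.
    """
    gap = timedelta(seconds=gap_seconds)
    by_flow = defaultdict(list)
    for alert in sorted(alerts, key=lambda a: parse_time(a["time"])):
        by_flow[(alert["src"], alert["dst"], alert["dport"])].append(alert)

    groups = []
    for flow, items in by_flow.items():
        current = None
        for alert in items:
            at = parse_time(alert["time"])
            if current is not None and at - current["end"] <= gap:
                current["end"] = at
                current["sids"].add(alert["sid"])
            else:
                current = {"flow": flow, "start": at, "end": at, "sids": {alert["sid"]}}
                groups.append(current)
    return groups


def correlate(argos_events, alerts, max_skew_seconds=30):
    """Pair each Argos record with at most one alert group on the same flow.

    max_skew_seconds absorbs the clock difference between the sensors: the
    Argos timestamp may fall that far outside the group's [start, end] span.
    Returns (matched pairs, Argos events Snort missed, groups with no Argos
    record).
    """
    skew = timedelta(seconds=max_skew_seconds)
    groups = group_alerts(alerts)
    used = set()
    matched, missed = [], []
    for event in argos_events:
        at = parse_time(event["time"])
        flow = (event["src"], event["dst"], event["dport"])
        hit = None
        for idx, group in enumerate(groups):
            if idx in used or group["flow"] != flow:
                continue
            if group["start"] - skew <= at <= group["end"] + skew:
                hit = idx
                break
        if hit is None:
            missed.append(event)
        else:
            used.add(hit)
            matched.append((event, groups[hit]))
    snort_only = [g for idx, g in enumerate(groups) if idx not in used]
    return matched, missed, snort_only


def detection_rate(argos_events, alerts, **kwargs):
    """Fraction of honeypot-registered attacks that Snort also alerted on."""
    if not argos_events:
        return 0.0
    matched, _, _ = correlate(argos_events, alerts, **kwargs)
    return len(matched) / len(argos_events)


if __name__ == "__main__":
    matched, missed, extra = correlate(ARGOS_EVENTS, SNORT_ALERTS)
    print(f"Snort saw {len(matched)} of {len(ARGOS_EVENTS)} Argos attacks")
    for event, group in matched:
        print(f"  {event['src']} -> port {event['dport']}: {len(group['sids'])} rule(s)")
    print(f"missed: {len(missed)}, Snort-only: {len(extra)}")
    print("rate with no skew allowance:",
          detection_rate(ARGOS_EVENTS, SNORT_ALERTS, max_skew_seconds=0))
```

With the constructed data the rate is 2/3 when 30 s of skew is allowed and 0 when none is, which is the point: without a skew allowance a sensor clock a few seconds off makes every Argos attack look undetected, and without grouping the three rules that fire on attack 1 would be counted as three attacks. The skew window and the gap should be chosen from the real clock offsets of the sensors (or removed by running NTP on both).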

SLIDE 14

Experiment 2

SLIDE 15

Results experiment 2

Not conducted due to time and hardware limitations

SLIDE 16

Experiment 3

SLIDE 17

Results experiment 3

- Over 90% of the attacks registered by Nepenthes were detected by Snort
- Snort identified 10% of the events Nepenthes classified as "possible malicious attack"

SLIDE 18

Section: Integrating Snort

Integrating Snort

Barnyard, a Snort output processor
- Offloads Snort: Snort writes its binary unified output to disk and Barnyard reads that spool and performs the slower output work
- Supports multiple output formats
- Database aware
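The offloading pipeline the slide describes, written out as an added configuration example that is not part of the presentation. It uses the directives of barnyard2, the later maintained successor of the Barnyard named on the slide, so the exact syntax for the 2008 version may differ; the paths, file names and database credentials are assumptions.

```conf
# snort.conf: write the binary unified2 spool instead of talking to the
# database from the packet path; the file rolls over at 128 MB
output unified2: filename snort.u2, limit 128

# barnyard2.conf: read the spool and do the slow output work separately
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map
input unified2
# one of several output plugins; the credentials are placeholders
output database: log, mysql, user=snort password=CHANGE_ME dbname=snort host=127.0.0.1

# start command (assumed paths); the waldo file records how far into the
# spool barnyard2 has read, so a restart does not re-insert old alerts:
#   barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 \
#             -w /var/log/snort/barnyard2.waldo
```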

SLIDE 19

Integrating Snort

Two options for getting Snort alerts into the SURFids database:

1. Develop a database output plugin for Snort
   - Shortest path
   - IP packet payload information is available
2. Parse Snort's Comma Separated Value (CSV) output
   - Relatively easy to develop
   - No IP packet payload information
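What the second option involves in practice, as an added example that is not code from the presentation or the SURFids project: a parser for Snort's alert_csv output that loads the alerts into a relational table. It assumes Snort was configured with a CSV output line naming exactly the fields listed in the code, uses SQLite as a stand-in for the SURFids database, and works on constructed sample lines. The sample deliberately exercises the format's rough edges: the default timestamp carries no year, the msg field can contain commas, ICMP alerts leave the port fields empty, and, as the slide says, no payload is present.

```python
"""Parse Snort alert_csv output and load it into a relational table.

Added example; not code from the SURFids project or the presentation. It assumes
Snort was started with a CSV output line listing exactly these fields:

    output alert_csv: /var/log/snort/alert.csv timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport

SQLite stands in for the SURFids database; the sample alerts are constructed.
"""
import csv
import io
import sqlite3
from datetime import datetime

FIELDS = ["timestamp", "sig_generator", "sig_id", "sig_rev", "msg", "proto",
          "src", "srcport", "dst", "dstport"]

# Constructed sample of alert.csv (local rule SIDs, documentation IP ranges).
SAMPLE_CSV = """\
01/25-10:00:12.482131 ,1,1000001,1,"LOCAL SMB probe to honeypot",TCP,192.0.2.10,3351,198.51.100.5,445
01/25-10:00:13.000917 ,1,1000002,2,"LOCAL DCERPC bind, port 445",TCP,192.0.2.10,3351,198.51.100.5,445
01/25-10:02:40.115004 ,1,1000003,1,"LOCAL ICMP sweep",ICMP,192.0.2.44,,198.51.100.5,
"""

SCHEMA = """
CREATE TABLE IF NOT EXISTS snort_alert (
    id      INTEGER PRIMARY KEY,
    ts      TEXT    NOT NULL,
    gid     INTEGER NOT NULL,
    sid     INTEGER NOT NULL,
    rev     INTEGER NOT NULL,
    msg     TEXT,
    proto   TEXT,
    src     TEXT    NOT NULL,
    srcport INTEGER,
    dst     TEXT    NOT NULL,
    dstport INTEGER,
    UNIQUE (ts, gid, sid, rev, src, dst)
)
"""

# OR IGNORE makes re-running the loader over the same file idempotent.
INSERT = """
INSERT OR IGNORE INTO snort_alert (ts, gid, sid, rev, msg, proto, src, srcport, dst, dstport)
VALUES (:ts, :gid, :sid, :rev, :msg, :proto, :src, :srcport, :dst, :dstport)
"""


def parse_timestamp(raw, year):
    """Snort writes MM/DD-HH:MM:SS.usec with no year unless run with -y."""
    raw = raw.strip()
    try:
        return datetime.strptime(raw, "%m/%d/%y-%H:%M:%S.%f")   # snort -y
    except ValueError:
        return datetime.strptime(f"{year}/{raw}", "%Y/%m/%d-%H:%M:%S.%f")


def parse_alerts(text, year):
    """Turn alert.csv text into insert-ready dicts; blank or short lines are skipped."""
    rows = []
    for record in csv.reader(io.StringIO(text)):
        if len(record) != len(FIELDS):
            continue
        raw = dict(zip(FIELDS, (field.strip() for field in record)))
        rows.append({
            "ts": parse_timestamp(raw["timestamp"], year).strftime("%Y-%m-%d %H:%M:%S.%f"),
            "gid": int(raw["sig_generator"]),
            "sid": int(raw["sig_id"]),
            "rev": int(raw["sig_rev"]),
            "msg": raw["msg"],
            "proto": raw["proto"],
            "src": raw["src"],
            "srcport": int(raw["srcport"]) if raw["srcport"] else None,
            "dst": raw["dst"],
            "dstport": int(raw["dstport"]) if raw["dstport"] else None,
        })
    return rows


def load_alerts(conn, rows):
    """Insert rows, skipping ones already present; returns the number added."""
    conn.execute(SCHEMA)
    cursor = conn.executemany(INSERT, rows)
    conn.commit()
    return cursor.rowcount


def alerts_per_source(conn):
    return conn.execute(
        "SELECT src, COUNT(*) FROM snort_alert GROUP BY src ORDER BY COUNT(*) DESC, src"
    ).fetchall()


def ingest_once(text, year):
    """Load the CSV text twice into a fresh in-memory database.

    Returns (rows added on first load, rows added on second load, per-source counts).
    """
    conn = sqlite3.connect(":memory:")
    rows = parse_alerts(text, year)
    first = load_alerts(conn, rows)
    again = load_alerts(conn, rows)
    return first, again, alerts_per_source(conn)


if __name__ == "__main__":
    first, again, per_source = ingest_once(SAMPLE_CSV, year=2008)
    print(f"inserted {first}, re-run inserted {again}")
    for src, count in per_source:
        print(f"{src}: {count} alert(s)")
```

The year has to be supplied by whoever runs the loader (or Snort started with `-y`), which is one reason the CSV path is the quick but lossy option: it also means that a rotated log crossing New Year is misdated, and that nothing in the record lets an analyst look at the packet that caused the alert. The database plugin route avoids both.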

SLIDE 20

Section: Conclusion

Conclusion

- Snort provides added value to SURFids
- Nepenthes "possible malicious attack" events can be discarded

SLIDE 21

Section: Future work

Future work

Develop a program that deals with Snort output
