Section 15.4 The Snort Attack Detector


Snort is designed to, uh, snort (sniff) your network looking for patterns of known attacks and warn you. It has a very large database of more than 500 attack signatures and this database is kept up-to-date. It is an intrusion detection system (IDS), not a firewall. This means that it will detect problems but will not block them. An IDS assumes that someone will receive the warning and manually resolve the problem.

Unlike many simple firewalls, Snort can do content filtering and this allows it to catch those many Windows viruses that we need to worry about in mixed environments where Linux is acting as firewall and server. Some SysAdmins will want to parse the output of an IDS, such as Snort, and use this output to adapt (reconfigure) their firewall or TCP Wrappers.


As an excellent example of Snort's power, here are the rules to catch the ILOVEYOU Windows worm discussed in "Desktop Policy" on page 344. This Snort trap was published the day after ILOVEYOU struck. Like many readers, I received a copy but, of course, Linux is immune unless you get carried away with MIME configuration. (In this example, remove the "\" character and join its line with the next line, having only a single space after the semicolon.)

 
 alert tcp any 110 -> any any (msg:"Incoming Love Letter Worm";\ content:"rem barok -loveletter"; content:"@GRAMMERSoft Group";) alert tcp any 143 -> any any (msg:"Incoming Love Letter Worm";\ content:"rem barok -loveletter"; content:"@GRAMMERSoft Group";) alert tcp any any -> any 25 (msg:"Outgoing Love Letter Worm";\ content:"rem barok -loveletter"; content:"@GRAMMERSoft Group";) 

Note that this is a very specific test. Within a few days, the worm had mutated because evil people simply changed certain insignificant aspects of it, and some of those mutations will not be detected by this test. Note also that this rule simply warns of the virus; it does not block it. Blocking is discussed in "Using Sendmail to Block E-Mail Attacks" on page 393. Snort may be downloaded from www.snort.org/
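As an added illustration (not code from the book or from the Snort project), here is a small Python evaluator for the rule shape used above: it parses these three rules and checks constructed sample payloads against them, including a "mutated" copy that shows why the warning above holds. It assumes that the address fields can be ignored (the rules use "any" for both) and that content: strings are plain quoted text, not Snort's |hex| escapes; the payloads are constructed for the example and are not real worm code.

```python
import re

# The three rules from the text, with the "\" continuations already joined.
RULES = """
alert tcp any 110 -> any any (msg:"Incoming Love Letter Worm"; content:"rem barok -loveletter"; content:"@GRAMMERSoft Group";)
alert tcp any 143 -> any any (msg:"Incoming Love Letter Worm"; content:"rem barok -loveletter"; content:"@GRAMMERSoft Group";)
alert tcp any any -> any 25 (msg:"Outgoing Love Letter Worm"; content:"rem barok -loveletter"; content:"@GRAMMERSoft Group";)
"""
HEADER = re.compile(r'^alert (\w+) (\S+) (\S+) -> (\S+) (\S+) \((.*)\)$')
OPTION = re.compile(r'(\w+):"([^"]*)";')   # plain quoted options only, no |hex| escapes (assumption)

def parse_rules(text):
    """Parse 'alert <proto> <src> <sport> -> <dst> <dport> (options)' lines into dicts."""
    rules = []
    for line in text.strip().splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        proto, _src, sport, _dst, dport, opts = m.groups()   # addresses are "any" here, so ignored
        rule = {"proto": proto, "sport": sport, "dport": dport, "msg": "", "contents": []}
        for key, val in OPTION.findall(opts):
            if key == "msg":
                rule["msg"] = val
            elif key == "content":
                rule["contents"].append(val.encode())   # every content: string must occur
        rules.append(rule)
    return rules

def port_matches(spec, port):
    """Port spec as used in these rules: 'any' or a single port number (no ranges/lists)."""
    return spec == "any" or int(spec) == port

def match(rules, proto, sport, dport, payload):
    """Return the msg of every rule that fires on one packet: header fields match
    and all of its content: strings occur in the payload, as Snort requires."""
    return [r["msg"] for r in rules
            if r["proto"] == proto and port_matches(r["sport"], sport)
            and port_matches(r["dport"], dport)
            and all(c in payload for c in r["contents"])]

RULESET = parse_rules(RULES)
# Constructed sample payloads (not real worm code): one carrying both marker
# strings, and a "mutated" copy where one marker was altered, as the text warns.
INFECTED = b"Subject: ILOVEYOU\r\n\r\nrem barok -loveletter\r\nrem @GRAMMERSoft Group\r\n"
MUTATED = INFECTED.replace(b"@GRAMMERSoft Group", b"@GRAMMERSoft Grp")

print(match(RULESET, "tcp", 110, 40012, INFECTED))  # POP3 download: ['Incoming Love Letter Worm']
print(match(RULESET, "tcp", 40013, 25, INFECTED))   # SMTP send: ['Outgoing Love Letter Worm']
print(match(RULESET, "tcp", 110, 40012, MUTATED))   # mutated copy evades the exact match: []
```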

Real World Linux Security Prentice Hall Ptr Open Source Technology Series
Year: 2002
Pages: 260