Question


What kind of software is SNORT? How would it be used in sniffer mode for network forensics?

Answer #1

SNORT:

Snort is an open source network intrusion prevention system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.

First, let us look at what network forensics is.

Network forensics is the capture, recording, and analysis of network packets in order to determine the source of network security attacks. The major goal of network forensics is to collect evidence. It tries to analyze network traffic data, which is collected from different sites and different network equipment, such as firewalls and IDS. In addition, it monitors the network to detect attacks and analyze the nature of attackers. Network forensics is also the process of detecting intrusion patterns, focusing on attacker activity.

A generic Network forensic examination includes the following steps:

Identification, preservation, collection, examination, analysis, presentation and incident response.

The following is a brief overview of each step:

Identification: recognizing and determining an incident based on network indicators. This step is significant since it has an impact on the following steps.

Preservation: securing and isolating the state of physical and logical evidence from being altered, for example, protection from electromagnetic damage or interference.

Collection: Recording the physical scene and duplicating digital evidence using standardized methods and procedures.

Examination: an in-depth systematic search of evidence relating to the network attack. This focuses on identifying and discovering potential evidence and building detailed documentation for analysis.

Analysis: determine significance, reconstruct packets of network traffic data and draw conclusions based on evidence found.

Presentation: summarize and provide an explanation of drawn conclusions.

Incident Response: the response to a detected attack or intrusion is initiated based on the information gathered to validate and assess the incident.

NETWORK FORENSICS USING SNORT

Snort is a NIDS (network intrusion detection system) designed to capture live network traffic or play back pre-captured network traffic for advanced intrusion analysis [12]. The pre-captured network traffic should be saved in a “de facto” standard format. The “de facto” standard for network data is the libpcap library format known as pcap (for UNIX/Linux-based operating systems [OSes]). For Microsoft Windows-based OSes, the library is known as WinPcap, but it uses the same format as the UNIX/Linux-based pcap.

For detecting network attacks, network forensic analysis plays an important role, and the architecture of network forensic analysis depends upon the tools used for it. Generally, we use the Snort tool for the detection of malicious packets. Snort, a free open-source multiplatform product, can be configured to run in four modes. The first mode, sniffer, functions as a packet sniffer that reads the packets on the network. The second mode, packet logger, can be configured to log the packets to disk. The third mode, NIDS, allows Snort to analyze decoded network traffic against predefined preprocessors and rules and performs several different actions if a match is found. The fourth mode, inline, allows Snort to obtain packets and drop or pass those packets based on Snort inline-specific rule types.

The following is the block diagram.

NOTE:

If you have any doubt, please comment.
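The sniffer mode and the pcap file format described in the answer above, as an added example that is not part of the original post and not Snort's own code: a small Python reader that walks a libpcap capture (the "de facto" evidence format) and summarises each packet the way `snort -v` prints it on the console. The sample capture is constructed inline, and `build_sample_pcap` and `sniff_pcap` are names chosen here.

```python
import struct
from datetime import datetime, timezone

PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}

def build_sample_pcap() -> bytes:
    """Constructed evidence file: one Ethernet/IPv4/TCP SYN, 10.0.0.5:40000 -> 10.0.0.9:80."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")      # dst MAC, src MAC, IPv4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    frame = eth + ip + tcp
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian, DLT_EN10MB
    rec = struct.pack("<IIII", 1_700_000_000, 123456, len(frame), len(frame))
    return ghdr + rec + frame

def sniff_pcap(data: bytes) -> list:
    """Walk the libpcap records and summarise each packet the way `snort -v` would."""
    magic = struct.unpack("<I", data[:4])[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)   # magic number fixes the byte order
    if end is None:
        raise ValueError("not a libpcap (pcap) file")
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    if linktype != 1:
        raise ValueError("only Ethernet (DLT 1) captures are decoded here")
    out, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        when = datetime.fromtimestamp(ts_sec, timezone.utc).strftime("%m/%d-%H:%M:%S")
        pkt = {"time": f"{when}.{ts_usec:06d}", "len": incl, "proto": "non-IP"}
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":   # IPv4 over Ethernet
            ihl = (frame[14] & 0x0F) * 4
            proto = frame[23]
            src = ".".join(map(str, frame[26:30]))
            dst = ".".join(map(str, frame[30:34]))
            pkt.update(proto=PROTO.get(proto, str(proto)), ttl=frame[22], src=src, dst=dst)
            if proto in (6, 17):                                 # TCP/UDP: ports follow the IP header
                sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
                pkt["src"], pkt["dst"] = f"{src}:{sport}", f"{dst}:{dport}"
        out.append(pkt)
    return out

if __name__ == "__main__":
    for p in sniff_pcap(build_sample_pcap()):
        print(f'{p["time"]} {p.get("src")} -> {p.get("dst")} {p["proto"]} TTL:{p.get("ttl")} len:{p["len"]}')
```

To run it over a real capture, pass the bytes of a file written by Snort's packet logger mode (`snort -l <dir> -b`) or by tcpdump to `sniff_pcap` instead of the constructed sample.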
