Overview
Explore advanced Snort capabilities beyond traditional Intrusion Detection Systems in this 57-minute conference talk from BSides Columbus Ohio 2015. Delve into Next Generation Firewall concepts, Application Control, and File Control features. Learn about Application Detector Packages, examining output, writing custom rules, and creating detectors. Discover file inspection techniques, including file type identification and capture alerts. Gain insights into Snort's evolution as a comprehensive security tool, covering topics such as application APIs, preprocessing, and integration with antivirus solutions like ClamAV.
Syllabus
Intro
Overview
WTF is a Next Gen Firewall?
Application Control
New Requirements
Application Detector Package
Applications
Examining Output
Intrusion Output
Application Rules
Writing a Rule
Custom Detector
Port Detection Example
Anatomy of a Detector
Information Header
Included Libraries
Detector PackageInfo
Initialization Function
Validation Function
Clean Function
Detection Functions
Other Detection Types
File APIs
File Inspection Preprocessor
Supported
snort.conf
File Type Identification
File Capture Alert
Clam-not-just-AV