
Snort - Open Source Network Intrusion Detection System Survey




  1. Snort - Open Source Network Intrusion Detection System Survey

  2. Outline
  • What is Snort
  • Snort operational modes
  • NIDS mode
  • Snort 1.X
  • Snort 2.X
  • Snort Rule Signature

  3. What is Snort
  • A “lightweight” network intrusion detection system with the capabilities of a sniffer, a packet logger and a network traffic analyzer
  • Can be deployed to monitor small TCP/IP networks and detect a wide variety of suspicious network traffic as well as outright attacks

  4. Snort Features
  • Multi-operational packet processing tool
  • Rules-based detection engine
  • Small: ~800k of source
  • Cross platform: Linux, Windows, MacOS X, Solaris, BSD, IRIX, Tru64, HP-UX, etc.
  • High speed of detection for a given attack on 100 Mbps networks
  • Easy rules language, many reporting/logging options
  • Free (GPL/Open Source Software)
  • Libpcap-based sniffing interface
  • Capability to filter traffic with Berkeley Packet Filter (BPF) expressions
  • Flexible plug-in system
  • Real-time alerting capability, with alerts being sent to syslog, Server Message Block (SMB) "WinPopup" messages, or a separate "alert" file

  5. Snort Operational Modes
  • Operational modes are selected via the command line
  • Default is NIDS mode if no command line switches are given
  • Three main operational modes
    • Sniffer Mode
    • Packet Logger Mode
    • NIDS Mode

  6. Packet Logger Mode
  • Multiple packet logging options
    • Flat ASCII, tcpdump, XML, database, etc.
  • Log the data and post-process it to look for anomalous activities

  7. Sniffer Mode
  • Works much like tcpdump
  • Decodes packets and dumps them to stdout
  • Packet filtering interface available to shape displayed network traffic

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    11/09-11:12:02.954779 10.1.1.6:1032 -> 10.1.1.8:23
    TCP TTL:128 TOS:0x0 ID:31237 IpLen:20 DgmLen:59 DF
    ***AP*** Seq: 0x16B6DA  Ack: 0x1AF156C2  Win: 0x2217  TcpLen: 20
    FF FC 23 FF FC 27 FF FC 24 FF FA 18 00 41 4E 53  ..#..'..$....ANS
    49 FF F0                                         I..
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

  8. NIDS Mode I
  [Deployment diagram. Components shown: Internet; Filtering Router (Perimeter Logs); Firewall (Perimeter Logs); Network IDS (Snort); Statistical IDS (Snort); Honeypot (Deception System); Generic Server (Host-Based ID) (Snort 2.0)]

  9. NIDS Mode II
  • Can use snort + plug-ins for both misuse detection and anomalous activity detection
  • Can perform portscan detection, IP defragmentation, TCP stream reassembly, application layer analysis and normalization, etc.
  • Various output options available
  • Multiple detection modes available
    • Rules/signature
    • Statistical anomaly
    • Protocol verification

  10. Snort 1.x Architecture
  [Data flow diagram: Packet Stream -> Sniffing -> Packet Decoder -> Preprocessor (Plug-ins) -> Detection Engine (Plug-ins) -> Output Stage (Plug-ins) -> Alerts/Logs]

  11. Snort 1.x Detection Engine
  • Rule based detection engine
  • Rules are detection elements which are combined to form the signature
  • Detection rules are kept in a two dimensional linked list
    • Chain Headers
    • Chain Options
  • Wide range of detection capabilities
    • Stealth scans, OS fingerprinting, buffer overflows, back doors, CGI exploits, etc.

  12. Detection Engine: Rules
  Rule Header                            Rule Options
  alert tcp 1.1.1.1 any -> 2.2.2.2 any   (flags: SF; msg: "SYN-FIN Scan";)
  alert tcp 1.1.1.1 any -> 2.2.2.2 any   (flags: S12; msg: "Queso Scan";)
  alert tcp 1.1.1.1 any -> 2.2.2.2 any   (flags: F; msg: "FIN Scan";)

  Internal Representation: the three rules share one header, so they become one Rule Node with a chain of three Option Nodes
  Rule Node:    alert tcp 1.1.1.1 any -> 2.2.2.2 any
  Option Nodes: (flags: SF; msg: "SYN-FIN Scan";) -> (flags: S12; msg: "Queso Scan";) -> (flags: F; msg: "FIN Scan";)

  13. Detection Engine: Fully Populated
  [Diagram of the two dimensional linked list: a chain of Rule Nodes, each Rule Node carrying its own chain of Option Nodes]

  14. Snort 1.x Pro and Con
  • Pro
    • Wide range of rules available (~1300 by June 2001)
    • Very high speed decoding and stateless intrusion detection
      • 100 Mbps is not too difficult
    • Flexibility & multi-platform
    • Good choice for a number of applications; a rapid prototyping platform for new ideas in intrusion detection
  • Con
    • Data structure and rule description language are limited at the protocol level
      • Easy to describe IP/TCP/UDP/ICMP/IGMP/etc., hard to describe HTTP, RPC, SMTP, etc.
    • Tendency to write slow output plug-ins!

  15. Snort 2.0
  • Multi-format rules input
    • DB, XML, etc.
  • Traffic decoders
    • Support arbitrary protocols and multi-path traffic flows
    • Ethernet, FDDI, T/R, SLIP, PPP, ISDN, Raw, IP, ARP, TCP, UDP, ICMP
  • Pluggable detection engines
    • Standard NIDS, Target-based IDS, Statistical IDS, Host-based IDS
  • ~500% pattern matching performance improvement reported in research work!
  • Spooling output

  16. Snort 2.0 Detection Engine Comparison – V 1.x
  [Diagram: one header node tested once per rule, each rule carrying its own option set]
  alert tcp Sip: 1.1.1.1 Dip: 2.2.2.2 Dp: 80
    (flags: A+; content: "foo";)
    (flags: A+; content: "bar";)
    (flags: A+; content: "baz";)

  17. Snort 2.0 Detection Engine Comparison – V 2.0
  [Diagram: header fields arranged as a tree, with the content strings of all rules sharing a branch grouped under it]
  alert tcp Sip: 1.1.1.1
    Dip: 10.1.1.0/24
      content: "foo";
    Dip: 2.2.2.2 Dp: 80 Flags: A+;
      content: "bar"; content: "baz";

  18. Snort Signature Example

  19. Format of Snort Rule Language
  • Rule Headers
    • Rule Actions
      • alert, log, pass, activate, dynamic
    • Protocols
    • IP Addresses
    • Port Numbers
    • The Direction Operator
    • ...
  • Rule Options
    • msg: "<message text>"
    • logto: "<filename>"
    • ...
    • Content-list
      • multiple content strings to be specified in the place of a single content option
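Added example (Python, written for this page; not from the slides or from the Snort source) that models the rule format of slide 19 and the two dimensional linked list of slides 11 to 13: rules with an identical header share one Rule Node, each header is evaluated once per packet, and only on a header hit is that node's Option Node chain walked. The rule text beyond the three scan rules on slide 12, the packet dicts and the `content` rule are constructed; the `flags` semantics (exact match by default, trailing `+` allowing extra bits) follow Snort's documented behaviour.

```python
import re
# Constructed rules: the three scan rules shown on slide 12 plus one content rule on port 80.
RULES = [
    'alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: SF; msg: "SYN-FIN Scan";)',
    'alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: S12; msg: "Queso Scan";)',
    'alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: F; msg: "FIN Scan";)',
    'alert tcp 1.1.1.1 any -> 2.2.2.2 80 (flags: A+; content: "foo"; msg: "foo over HTTP";)',
]
# TCP flag letters as Snort's flags option names them; 1 and 2 are the two reserved bits.
FLAG_BITS = {"F": 1, "S": 2, "R": 4, "P": 8, "A": 16, "U": 32, "2": 64, "1": 128}
def parse_rule(text):
    """Split a rule into its header (the Rule Node key) and its option dict (an Option Node)."""
    head, _, body = text.partition("(")
    action, proto, sip, sport, _arrow, dip, dport = head.split()
    opts = {k: v.strip().strip('"') for k, v in re.findall(r'(\w+)\s*:\s*("[^"]*"|[^;]*);', body)}
    return (action, proto, sip, sport, dip, dport), opts

def build_chains(rules):
    """Two dimensional list: rules with an identical header share one Rule Node."""
    chains = {}
    for rule in rules:
        header, opts = parse_rule(rule)
        chains.setdefault(header, []).append(opts)
    return chains

def header_matches(header, pkt):
    _action, proto, sip, sport, dip, dport = header
    return (proto == pkt["proto"] and sip in ("any", pkt["sip"]) and dip in ("any", pkt["dip"])
            and sport in ("any", str(pkt["sport"])) and dport in ("any", str(pkt["dport"])))
def flags_match(spec, tcp_flags):
    """Snort flags semantics: exact match by default; a trailing '+' allows extra bits to be set."""
    wanted = sum(FLAG_BITS[ch] for ch in spec.rstrip("+"))
    return tcp_flags & wanted == wanted if spec.endswith("+") else tcp_flags == wanted
def options_match(opts, pkt):
    flags_ok = "flags" not in opts or flags_match(opts["flags"], pkt["flags"])
    return flags_ok and ("content" not in opts or opts["content"].encode() in pkt["payload"])

def detect(chains, pkt):
    """Evaluate each Rule Node header once; only on a hit walk that node's Option Node chain."""
    alerts = []
    for header, option_nodes in chains.items():
        if header_matches(header, pkt):
            alerts += [o["msg"] for o in option_nodes if options_match(o, pkt)]
    return alerts

# Constructed SYN-FIN probe 1.1.1.1:40000 -> 2.2.2.2:23 (flags 0x03 = S|F, empty payload).
PROBE = {"proto": "tcp", "sip": "1.1.1.1", "sport": 40000, "dip": "2.2.2.2",
         "dport": 23, "flags": 0x03, "payload": b""}
ALERTS = detect(build_chains(RULES), PROBE)  # ['SYN-FIN Scan']
```

Snort itself implements these chains in C; the dict-based model keeps only the structure, not the engine's performance characteristics.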
