Snort - Open Source Network Intrusion Detection System Survey - PowerPoint PPT Presentation

About This Presentation
Title:

Snort - Open Source Network Intrusion Detection System Survey

Description:

High speed of detection for a given attack on 100 Mbps networks ... flags: SF;reference:arachnids,441; classtype:attempted-recon; sid:630; rev:1; ... – PowerPoint PPT presentation

Slides: 20
Provided by: banyanCm

Transcript and Presenter's Notes

1
Snort - Open Source Network Intrusion Detection System Survey
2
Outline
  • What is Snort
  • Snort operational modes
  • NIDS mode
  • Snort 1.X
  • Snort 2.X
  • Snort Rule Signature

3
What is Snort
  • A lightweight network intrusion detection
    system with sniffer, packet logger and
    network traffic analysis capabilities
  • Can be deployed to monitor small TCP/IP networks
    and detect a wide variety of suspicious network
    traffic as well as outright attacks.

4
Snort Features
  • Multi-operational packet processing tool
  • Rules-based detection engine
  • Small source (800k)
  • Cross-platform: Linux, Windows, MacOS X,
    Solaris, BSD, IRIX, Tru64, HP-UX, etc.
  • High speed of detection for a given attack on 100
    Mbps networks
  • Easy rules language, many reporting/logging
    options
  • Free (GPL/Open Source Software)
  • Libpcap-based sniffing interface
  • Capability to filter traffic with Berkeley Packet
    Filter (BPF) commands
  • Flexible plug-in system
  • Real-time alerting capability, with alerts being
    sent to syslog, Server Message Block (SMB)
    "WinPopup" messages, or a separate "alert" file.

5
Snort Operational Modes
  • Operational modes are configured via the command line
  • Default is NIDS mode if no command line switches
    are given
  • Three main operational modes
    • Sniffer Mode
    • Packet Logger Mode
    • NIDS Mode

6
Packet Logger Mode
  • Multiple packet logging options
    • Flat ASCII, tcpdump, XML, database, etc.
  • Log the data and post-process it to look for
    anomalous activity

7
Sniffer Mode
  • Works much like tcpdump
  • Decodes packets and dumps them to stdout
  • Packet filtering interface available to shape
    displayed network traffic


11/09-11:12:02.954779 10.1.1.6:1032 -> 10.1.1.8:23 TCP TTL:128 TOS:0x0 ID:31237 IpLen:20 DgmLen:59 DF
***AP*** Seq: 0x16B6DA  Ack: 0x1AF156C2  Win: 0x2217  TcpLen: 20
FF FC 23 FF FC 27 FF FC 24 FF FA 18 00 41 4E 53  ..#..'..$....ANS
49 FF F0                                         I..

8
NIDS Mode I
(Diagram: Snort deployment points in a network: Internet, Filtering Router (Perimeter Logs), Firewall (Perimeter Logs), Network IDS (Snort), Statistical IDS (Snort), Honeypot (Deception System), Generic Server (Host-Based ID) (Snort 2.0))
9
NIDS Mode II
  • Can use Snort plug-ins for both misuse
    detection and anomaly detection
  • Can perform portscan detection, IP
    defragmentation, TCP stream reassembly,
    application layer analysis and normalization, etc.
  • Various output options available
  • Multiple detection modes available
    • Rules/signature
    • Statistical anomaly
    • Protocol verification

10
Snort 1.x Architecture
(Diagram: data flow through Snort 1.x)
Packet Stream -> Snort: Sniffing -> Packet Decoder -> Preprocessor (Plug-ins) -> Detection Engine (Plug-ins) -> Output Stage (Plug-ins) -> Alerts/Logs
11
Snort 1.x Detection Engine
  • Rule-based detection engine
  • Rules are detection elements which are combined
    to form the signature
  • Detection rules in a two-dimensional linked list
    • Chain Headers
    • Chain Options
  • Wide range of detection capabilities
    • Stealth scans, OS fingerprinting, buffer
      overflows, back doors, CGI exploits, etc.

12
Detection Engine Rules
Rule Header / Rule Options:
alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: SF; msg: "SYN-FIN Scan";)
alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: S12; msg: "Queso Scan";)
alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: F; msg: "FIN Scan";)
Internal Representation:
Rule Node: alert tcp 1.1.1.1 any -> 2.2.2.2 any
  Option Node: (flags: SF; msg: "SYN-FIN Scan";)
  Option Node: (flags: S12; msg: "Queso Scan";)
  Option Node: (flags: F; msg: "FIN Scan";)
13
Detection Engine Fully Populated
(Diagram: a fully populated 1.x detection engine: five Rule Nodes, each chaining one or more of eleven Option Nodes)
14
Snort 1.x Pro and Con
  • Pro
    • Wide rule set available (1300 rules by June 2001)
    • Very high speed decoding and stateless intrusion
      detection
    • 100 Mbps is not too difficult
    • Flexible, multi-platform
    • Good choice for a number of applications and a
      rapid prototyping platform for new ideas in
      intrusion detection
  • Con
    • Data structure and rule description language are
      limited to the protocol level
    • Easy to describe IP/TCP/UDP/ICMP/IGMP/etc., hard
      to describe HTTP, RPC, SMTP, etc.
    • Tendency to write slow output plug-ins!

15
Snort 2.0
  • Multi-format rules input
    • DB, XML, etc.
  • Traffic decoders
    • Support arbitrary protocols and multi-path traffic
      flows
    • Ethernet, FDDI, T/R, SLIP, PPP, ISDN, Raw, IP,
      ARP, TCP, UDP, ICMP
  • Pluggable detection engines
    • Standard NIDS, Target-based IDS, Statistical IDS,
      Host-based IDS
  • 500 in pattern matching performance improvement
    reported in research work!
  • Spooling output

16
Snort 2.0 Detection Engine Comparison V 1.x
(Diagram: Snort 1.x detection structure)
alert -> tcp -> Sip 1.1.1.1, Dip 2.2.2.2, Dp 80
  (flags: A; content: foo)
  (flags: A; content: bar)
  (flags: A; content: baz)
17
Snort 2.0 Detection Engine Comparison V 2.0
(Diagram: Snort 2.0 detection tree)
alert -> tcp -> Sip 1.1.1.1
  Dip 10.1.1.0/24 -> content: foo
  Dip 2.2.2.2 -> content: bar
  Flags: A -> Dp 80 -> content: baz
18
Snort Signature Example
SID: 630
Message: SCAN synscan portscan
Signature: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; id:39426; flags:SF; reference:arachnids,441; classtype:attempted-recon; sid:630; rev:1;)
Summary: A host has scanned the network looking for vulnerable servers.
Impact: Information leak, reconnaissance, preparation for automated attack such as worm propagation.
Detailed Information: Synscan is the scanning and vulnerability testing engine for ramen, canserserver and is included in some versions of the t0rn root kit as t0rnscan. It is a very fast SYN scanner.
Attack Scenarios: This is a scanning tool that is often the precursor to a worm infection.
Ease of Attack: This scanner is fast and easy to use. It is readily available and was included with several worms.
False Positives: sscan, mscan, and several other tools used ID:39426 but the use of SYNFIN is unique to synscan 1.51.6.
False Negatives: NONE.
Corrective Action: Run flexresp with synscan kill.
Contributors: Don Smith (initial research), Josh Gray (edits)
References: arachnids,441
19
Format of Snort Rule Language
  • Rule Headers
    • Rule Actions
      • alert, log, pass, activate, dynamic
    • Protocols
    • IP Addresses
    • Port Numbers
    • The Direction Operator
    • ...
  • Rule Options
    • msg: "<message text>";
    • logto: "<filename>";
    • content-list
      • multiple content strings to be specified in the
        place of a single content option
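An added example, not code from the presentation: a small Python model of the Snort 1.x two-dimensional rule list from slides 11 and 12 (one rule node per distinct header, option nodes chained beneath it), fed constructed rules written in the slide 19 header/option format. The rule set includes a simplified form of the sid 630 signature from slide 18 with $EXTERNAL_NET/$HOME_NET replaced by constructed literal networks; packets are constructed dicts and only exact flags, id, content and msg options are modelled.

```python
import ipaddress
import re
# Constructed rules, not the slides' text verbatim: the three header-sharing rules of slide 12
# plus a simplified sid 630 with $EXTERNAL_NET/$HOME_NET replaced by literal networks.
RULES = [
    'alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags:SF; msg:"SYN-FIN Scan";)',
    'alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags:S12; msg:"Queso Scan";)',
    'alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags:F; msg:"FIN Scan";)',
    'alert tcp any any -> 10.1.1.0/24 any (msg:"SCAN synscan portscan"; id:39426; flags:SF; sid:630;)',
]

def parse_rule(text):
    """Split 'action proto src sport -> dst dport (opt:val; ...)' into a header tuple and an option dict."""
    head, _, body = text.partition("(")
    action, proto, src, sport, _arrow, dst, dport = head.split()
    opts = dict(re.findall(r'\s*(\w+)\s*:\s*"?([^";]*)"?\s*;', body))
    return (action, proto, src, sport, dst, dport), opts

def build_chain(rules):
    chain = []  # Snort 1.x layout: [[header, [option_node, ...]], ...], one rule node per distinct header
    for text in rules:
        header, opts = parse_rule(text)
        node = next((n for n in chain if n[0] == header), None)
        if node is None:
            node = [header, []]          # new Chain Header (rule node)
            chain.append(node)
        node[1].append(opts)             # Chain Option (option node) hangs under the shared header
    return chain

def header_matches(header, pkt):
    _, proto, src, sport, dst, dport = header
    addr_ok = lambda spec, ip: spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)
    port_ok = lambda spec, p: spec == "any" or int(spec) == p
    return (proto == pkt["proto"] and addr_ok(src, pkt["src"]) and port_ok(sport, pkt["sport"])
            and addr_ok(dst, pkt["dst"]) and port_ok(dport, pkt["dport"]))

def options_match(opts, pkt):
    """'flags:SF' with no modifier means exactly SYN+FIN set; 'id' is the IP identification field."""
    return ((set(opts["flags"]) == set(pkt["flags"]) if "flags" in opts else True)
            and (int(opts["id"]) == pkt["id"] if "id" in opts else True)
            and (opts["content"].encode() in pkt["payload"] if "content" in opts else True))

def detect(chain, pkt):
    """Only a rule node whose header matches has its option chain walked; returns the msgs that fire."""
    return [o.get("msg", "") for header, option_nodes in chain if header_matches(header, pkt)
            for o in option_nodes if options_match(o, pkt)]
# Constructed packets: a synscan-style SYN+FIN probe carrying IP ID 39426, and a plain SYN that must not fire.
SYNSCAN = dict(proto="tcp", src="192.0.2.7", sport=40000, dst="10.1.1.25", dport=21, flags="SF", id=39426, payload=b"")
NORMAL_SYN = dict(SYNSCAN, flags="S", id=1)
ALERTS = detect(build_chain(RULES), SYNSCAN)   # ['SCAN synscan portscan']
```

The three 1.1.1.1 rules collapse into one rule node with three option nodes, so their header is tested once per packet, which is the point of the two-dimensional list.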