Title: Snort - Open Source Network Intrusion Detection System Survey
Snort - Open Source Network Intrusion Detection System Survey
Outline
- What is Snort
- Snort operational modes
- NIDS mode
- Snort 1.X
- Snort 2.X
- Snort Rule Signature
What is Snort
- A lightweight network intrusion detection system with the capabilities of a sniffer, a packet logger and a network traffic analyzer
- Can be deployed to monitor small TCP/IP networks and detect a wide variety of suspicious network traffic as well as outright attacks
Snort Features
- Multi-operational packet processing tool
- Rules-based detection engine
- Small: about 800k of source
- Cross-platform: Linux, Windows, MacOS X, Solaris, BSD, IRIX, Tru64, HP-UX, etc.
- High speed of detection for a given attack on 100 Mbps networks
- Easy rules language, many reporting/logging options
- Free (GPL/Open Source Software)
- Libpcap-based sniffing interface
- Capability to filter traffic with Berkeley Packet Filter (BPF) expressions
- Flexible plug-in system
- Real-time alerting capability, with alerts sent to syslog, Server Message Block (SMB) "WinPopup" messages, or a separate "alert" file
Snort Operational Modes
- Operational modes are configured via command line
- Default is NIDS mode if no command line switches
- Three main operational modes
- Sniffer Mode
- Packet Logger Mode
- NIDS Mode
Packet Logger Mode
- Multiple packet logging options
  - Flat ASCII, tcpdump, XML, database, etc.
- Log the data and post-process it to look for anomalous activity
Sniffer Mode
- Works much like tcpdump
- Decodes packets and dumps them to stdout
- Packet filtering interface available to shape displayed network traffic
- Example output (headers plus payload, as printed by snort -vd): a telnet option negotiation from 10.1.1.6 to port 23 on 10.1.1.8. The option bytes (IAC WONT ..., IAC SB TERMINAL-TYPE IS "ANSI" IAC SE) are readable because telnet carries everything in cleartext:

  11/09-11:12:02.954779 10.1.1.6:1032 -> 10.1.1.8:23
  TCP TTL:128 TOS:0x0 ID:31237 IpLen:20 DgmLen:59 DF
  ***AP*** Seq: 0x16B6DA  Ack: 0x1AF156C2  Win: 0x2217  TcpLen: 20
  FF FC 23 FF FC 27 FF FC 24 FF FA 18 00 41 4E 53  ..#..'..$....ANS
  49 FF F0                                         I..
NIDS Mode I
- Deployment diagram (figure). Components shown: Internet; Filtering Router (perimeter logs); Firewall (perimeter logs); Network IDS (Snort); Statistical IDS (Snort); Honeypot (deception system); Generic Server with host-based ID (Snort 2.0)
NIDS Mode II
- Can use Snort plug-ins for both misuse detection and anomalous-activity detection
- Can perform portscan detection, IP defragmentation, TCP stream reassembly, application-layer analysis and normalization, etc.
- Various output options available
- Multiple detection modes available
  - Rules/signature
  - Statistical anomaly
  - Protocol verification
Snort 1.x Architecture
- Data flow (figure): Packet Stream -> Sniffing -> Packet Decoder -> Preprocessor (plug-ins) -> Detection Engine (plug-ins) -> Output Stage (plug-ins) -> Alerts/Logs
Snort 1.x Detection Engine
- Rule-based detection engine
- Rules are detection elements which are combined to form the signature
- Detection rules are kept in a two-dimensional linked list
  - Chain Headers
  - Chain Options
- Wide range of detection capabilities
  - Stealth scans, OS fingerprinting, buffer overflows, back doors, CGI exploits, etc.
Detection Engine Rules
- Rule Header followed by Rule Options. Three scan rules that share one header (S12 is SYN with both reserved bits set, the probe used by the Queso OS fingerprinter):

  alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: SF; msg: "SYN-FIN Scan";)
  alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: S12; msg: "Queso Scan";)
  alert tcp 1.1.1.1 any -> 2.2.2.2 any (flags: F; msg: "FIN Scan";)

- Internal representation: the common header becomes a single Rule Node, "alert tcp 1.1.1.1 any -> 2.2.2.2 any", and the three option sets hang off it as a chain of Option Nodes:
  (flags: SF; msg: "SYN-FIN Scan";)
  (flags: S12; msg: "Queso Scan";)
  (flags: F; msg: "FIN Scan";)
Detection Engine Fully Populated
- Figure: a chain of five Rule Nodes, each with its own chain of Option Nodes (eleven Option Nodes in total)
Snort 1.x Pros and Cons
- Pro
  - Wide rule set available (1300 rules by June 2001)
  - Very high speed decoding and stateless intrusion detection: 100 Mbps is not too difficult
  - Flexibility: multi-platform
  - Good choice for a number of applications; a rapid prototyping platform for new ideas in intrusion detection
- Con
  - Data structure and rule description language are limited at the protocol level
  - Easy to describe IP/TCP/UDP/ICMP/IGMP/etc., hard to describe HTTP, RPC, SMTP, etc.
  - Tendency to write slow output plug-ins!
Snort 2.0
- Multi-format rules input
  - DB, XML, etc.
- Traffic decoders
  - Support arbitrary protocols and multi-path traffic flows
  - Ethernet, FDDI, T/R (Token Ring), SLIP, PPP, ISDN, Raw, IP, ARP, TCP, UDP, ICMP
- Pluggable detection engines
  - Standard NIDS, target-based IDS, statistical IDS, host-based IDS
- 500% pattern-matching performance improvement reported in research work!
- Spooling output
Snort 2.0 Detection Engine Comparison: v1.x
- One Rule Node for the header (alert, tcp, Sip 1.1.1.1, Dip 2.2.2.2, Dp 80) followed by a linear chain of Option Nodes, each walked in turn for every packet that matches the header:
  (flags: A; content: "foo";)
  (flags: A; content: "bar";)
  (flags: A; content: "baz";)
Snort 2.0 Detection Engine Comparison: v2.0
- Rules are decomposed into single tests arranged as a tree, so a test shared by several rules is evaluated once per packet:
  alert
    tcp
      Sip 1.1.1.1
        Dip 10.1.1.0/24
          content foo
        Dip 2.2.2.2
          content bar
        Flags A
          Dp 80
            content baz
Snort Signature Example
SID: 630
Message: SCAN synscan portscan
Signature: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; id:39426; flags:SF; reference:arachnids,441; classtype:attempted-recon; sid:630; rev:1;)
Summary: A host has scanned the network looking for vulnerable servers.
Impact: Information leak, reconnaissance, preparation for automated attack such as worm propagation.
Detailed Information: Synscan is the scanning and vulnerability testing engine for ramen and canserserver, and is included in some versions of the t0rn root kit as t0rnscan. It is a very fast SYN scanner.
Attack Scenarios: This is a scanning tool that is often the precursor to a worm infection.
Ease of Attack: This scanner is fast and easy to use. It is readily available and was included with several worms.
False Positives: sscan, mscan, and several other tools used IP ID 39426, but the use of SYN/FIN is unique to synscan 1.5/1.6.
False Negatives: None.
Corrective Action: Run flexresp with synscan kill.
Contributors: Don Smith (initial research), Josh Gray (edits)
References: arachnids,441
Format of Snort Rule Language
- Rule Headers
  - Rule Actions: alert, log, pass, activate, dynamic
  - Protocols
  - IP Addresses
  - Port Numbers
  - The Direction Operator
  - ...
- Rule Options
  - msg: "<message text>"
  - logto: "<filename>"
  - content-list: multiple content strings to be specified in the place of a single content option
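A parser for the rule format outlined on this slide, as an added Python example; it is not Snort's own parser and covers only the syntax shown on this page (the five rule actions, a header of protocol, addresses, ports and direction operator, and a semicolon-separated option list in parentheses). It splits options without breaking on a ";" inside a quoted msg, keeps repeatable options such as content and reference as lists, rejects unknown actions and duplicated single-valued options, and expands $HOME_NET-style variables the way var lines in snort.conf do. The SID 630 rule from the signature example is reproduced as a constant for the demonstration.

```python
"""Added example (not Snort's parser): parse a Snort rule header and option
list into a structure, for the syntax subset shown on this page."""
import re
from dataclasses import dataclass, field
from typing import Dict

ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}   # actions listed on the slide
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
MULTI_VALUED = {"content", "reference"}      # options that may repeat in one rule

# action proto src sport direction dst dport ( options )
HEADER_RE = re.compile(
    r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$",
    re.S)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: Dict[str, object] = field(default_factory=dict)


def split_options(body):
    """Split 'key:value; key:value;' on ';' while honouring double quotes and
    backslash escapes, so a ';' inside msg:"..." does not end the option."""
    parts, cur, quoted, i = [], [], False, 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):      # keep escape pairs intact
            cur.append(body[i:i + 2])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        if c == ";" and not quoted:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def parse_rule(text):
    """Parse one rule; raise ValueError on anything outside the known syntax."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("malformed rule header or missing option list")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    if action not in ACTIONS:
        raise ValueError("unknown rule action: " + action)
    if proto not in PROTOCOLS:
        raise ValueError("unknown protocol: " + proto)
    options = {}
    for opt in split_options(body):
        key, _, value = opt.partition(":")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]                   # strip the surrounding quotes
        if key in MULTI_VALUED:
            options.setdefault(key, []).append(value)
        elif key in options:
            raise ValueError("option given twice: " + key)
        else:
            options[key] = value                  # flag-style options store ""
    return Rule(action, proto, src, sport, direction, dst, dport, options)


def resolve_address(addr, variables):
    """Expand a $VAR address as 'var HOME_NET ...' lines in snort.conf do,
    keeping a leading '!' negation; an undefined variable is an error."""
    negate = addr.startswith("!")
    name = addr.lstrip("!")
    if name.startswith("$"):
        if name[1:] not in variables:
            raise KeyError("undefined variable " + name)
        name = variables[name[1:]]
    return ("!" if negate else "") + name


# The SID 630 rule from the signature example above (constructed copy).
SYNSCAN_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any '
                '(msg:"SCAN synscan portscan"; id:39426; flags:SF; '
                'reference:arachnids,441; classtype:attempted-recon; sid:630; rev:1;)')
```

Feeding parse_rule(SYNSCAN_RULE) the rule text yields action "alert", protocol "tcp", the unexpanded $EXTERNAL_NET and $HOME_NET addresses, and an options map in which flags is "SF", sid is "630" and reference is a one-element list; resolve_address is then applied to the two address fields with the HOME_NET and EXTERNAL_NET values from the configuration.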