Network Intrusion Detection with Snort

1
Network Intrusion Detection with Snort

• Jensen Galan
• CSc 650

2
What is Snort?

• An Open-Source Network Intrusion Detection system
• Monitors activity to identify malicious or
  suspicious events
• Real-time traffic analysis / Packet Sniffing
  Logging on IP networks

3
How does Snort work?

• Signature-based (pattern-matching)
• Boyer-Moore string matching algorithm
• Not anomaly-based (but, Securimine for Snort adds
  functionality)

4
4 Basic Components

• The sniffer
• The preprocessor
• The detection engine
• The output

5
Packet Sniffer

• Uses libpcap - packet capture library for Linux
  systems
• Also a version for Windows - WinPcap
• IP traffic includes TCP, UDP, ICMP
• Configure NIC in promiscuous mode

6
Preprocessor

• Takes raw packets and checks them against enabled
  plug-ins
• Notable preprocessors
• frag2
• stream4
• portscan
• http_decode

7
frag2 Preprocessor

• Fragmented packets are reassembled before being
  sent to detection engine
• Normal on networks for packets to be fragmented
  (MTU)
• Also a way to avoid pattern-matching systems

8
stream4 Preprocessor

• Designed to make Snort stateful
• Snort builds own state tables
• Check to see if packet part of established
  connection
• Ex alert on stealth Fin scan -Nmap
• Rebuild full session data wth Sguil

9
portscan Preprocessors

• Detect portscans
• Attackers use port scanners to detect which ports
  are open
• Ex send SYN to server - replies with SYN/ACK if
  open, RST/ACK if closed
• Only detects over certain period of time

10
http_decode

• Attackers can use different equivalent
  expressions to avoid pattern-matching
• IIS accepts Unicode hexadecimal encoding
• http_decode normalizes URI (part after server
  name in URL) before matching with rules

11
Detection Engine

• Core of the IDS in Snort
• Takes the data from the preprocessors and checks
  against the set of enabled rules
• Rules have two parts
• Header - action to take, type of packet, IP
  addresses, ports
• Option - content in the packet to match with rule

12
Example Rule

• Alert tcp EXTERNAL_NET any -gt HTTP_SERVERS
  HTTP_PORTS (msgWEB-MISC http directory
  traversal flowto_server, established
  content../ referencearachnids,297
  classtypeattempted-recon sid1113)
• Nimda footprint

13
Output Component

• Many output options - can also write custom
  output plug-in
• Syslog file
• Database - MySQL, PostgreSQL, etc.
• Snort Unified Binary Format - Fastest!

14
Where to Deploy Snort?
15
Problems with Snort

• False Positives - must custom tune rules engine
  for environment update consistently
• Not picking up all the packets - database writes
  expensive use Barnyard to decouple
• Interface

16
Snort Tools

• ACID / BASE - Browser based (Apache, PHP,
  database plug-in)
• Honeynet Security Console - Windows based
  stand-alone
• Sguil - Real-time analysis complete session data

17
Snort Tools (cont.)

• Oinkmaster - Perl script to update rules
• Barnyard - decouple Snort and expensive database
  writes
• SFS - adds layer of anomaly based detection to
  Snort

18
Snort as an Inline IDS

• Operate Snort in conjunction with firewall
  (IPtables)
• Drop packets based on set of rules
• Can PREVENT intrusion instead of merely DETECTING

19
References

• http//userwww.sfsu.edu/jrgalan/650_presentation.
  ppt
• http//www.snort.org/
• http//sourceforge.net/projects/secureideas/
• Snort 2.0 Intrusion Detection, Caswell, Brian,
  Syngress Publishing 2003.
• Security in Computing, Pfleeger, Charles,
  Prentice Hall, 2003.