Snort - an network intrusion prevention and detection system

Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation

Overview

Whats snort? Snort architecture Snort components Detection engine and rules in snort Possible research works in snort.

Whats snort?

NIDS:

A network intrusion detection system (NIDS) is an intrusion detection system that tries to detect malicious activity such as denial of service attacks, port scans or even attempts to crack into computers by monitoring network traffic.

Snort:

an open source network intrusion prevention and detection system. It uses a rule-based language combining signature, protocol and anomaly inspection methods

Snort:

the most widely deployed intrusion detection and prevention technology and it has become the de facto standard technology worldwide in the industry.

Snort
1. 2. 3. 4.

A packet sniffer:

capture and display packets from the network with different levels of detail on the console

Packet logger: log data in text file Honeypot monitor: deceiving hostile parties NIDS: network intrusion detection system

Typical locations for snort

Requirement of snort

lightweight NIDS small, flexible highly capable system

Snort architecture

From: Nalneesh Gaur, Snort: Planning IDS for your enterprise, http://www.linuxjournal.com/article/4668, 2001.

Snort components

From: Rafeeq Ur Rehman, Intrusion Detection Systems with Snort: Advanced IDS Techniques with Snort, Apache, MySQL, PHP, and ACID.

Logical components of snort

Packet Decoder: Preprocessor:

takes packets from different types of network interfaces (Ethernet, SLIP,PPP), prepare packets for processing (1) prepare data for detection engine; (2) detect anomalies in packet headers; (3) packet defragmentation;(4) decode HTTP URI; (5) reassemble TCP streams.

Detection Engine:
rules to packets

the most important part, applies

Logging and Alerting System Output Modules: process alerts and logs and generate
final output.

TCP/IP layer

Physical layer
Snort work on network (IP) layer, transport (TCP/UDP) layer protocol, and application layer

Detection Engine
Things need to be done for detection engine:
The IP header of the packet The transport layer header. TCP, UDP, ICMP etc. The application layer level header. Header of DNS, FTP, SNMP, SMTP Packet payload

How to do these?
Apply rules to the packets using a Boyer-Moore string matching
algorithm

Requirement
1. 2.

Time critical Fast

Detection engine

Number of rules Traffic load on the network Speed of network and machine Efficiency of detection algorithm

Rules

In a single line Rules are created by known intrusion signatures. Usually place in snort.conf configuration file.

rule header

rule options

Rule examples
destination ip address Apply to all ip packets Source ip address Destination port

Source port # Rule options Alert will be generated if criteria met

Rule header

Detection engine order to scan the rules

1. 2. 3.

Snort does not evaluate the rules in the order that they appear in the Snort rules file. In default, the order is: Alert rules Pass rules Log rules

Challenges with snort

Misuse detection

avoid known

intrusions Rules database is larger and larger It continues to grow snort version 2.3.2, there are 2,600 rules 80% of them are signatures Snort spends 80% work time to do string match

Anomaly detection

identify new

attacks Probability of detection is low

Snort components

From: Rafeeq Ur Rehman, Intrusion Detection Systems with Snort: Advanced IDS Techniques with Snort, Apache, MySQL, PHP, and ACID.

Attempts to improve

Increasing preprocessing ability --- offload partial work from detect

Using hardware to reduce workload - a hybrid architecture --- software has more flexibility,
hardware has relatively higher throughput

Better detection algorithm

Possible ways?

Organize the well-known rules into better data structure to achieve better performance A detector with acceptable detection probability

Thank you !