Snort - Open Source Network Intrusion Detection System Survey.

Outline
– What is Snort
– Snort operational modes
– NIDS mode
– Snort 1.X
– Snort 2.X
– Snort Rule Signature

What is Snort
– A "lightweight" network intrusion detection system that also works as a sniffer, packet logger and network traffic analyzer
– Can be deployed to monitor small TCP/IP networks and detect a wide variety of suspicious network traffic as well as outright attacks

Snort Features
– Multi-operational packet processing tool
– Rules-based detection engine
– Small: ~800k of source
– Cross platform: Linux, Windows, MacOS X, Solaris, BSD, IRIX, Tru64, HP-UX, etc.
– High speed of detection for a given attack on 100 Mbps networks
– Easy rules language, many reporting/logging options
– Free (GPL/Open Source Software)
– Libpcap-based sniffing interface
– Capability to filter traffic with Berkeley Packet Filter (BPF) filter expressions
– Flexible plug-in system
– Real-time alerting capability, with alerts sent to syslog, Server Message Block (SMB) "WinPopup" messages, or a separate "alert" file

Snort Operational Modes
– Operational modes are configured via the command line
  – Default is NIDS mode if no command line switches are given
– Three main operational modes
  – Sniffer Mode
  – Packet Logger Mode
  – NIDS Mode

Packet Logger Mode
– Multiple packet logging options
  – Flat ASCII, tcpdump, XML, database, etc.
– Log the data, then post-process it to look for anomalous activities

Sniffer Mode
– Works much like tcpdump
– Decodes packets and dumps them to stdout
– Packet filtering interface available to shape the displayed network traffic

Sample output from the slide:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
11/09-11:12: :1032 -> :23
TCP TTL:128 TOS:0x0 ID:31237 IpLen:20 DgmLen:59 DF
***AP*** Seq: 0x16B6DA Ack: 0x1AF156C2 Win: 0x2217 TcpLen: 20
FF FC 23 FF FC 27 FF FC 24 FF FA E 53  ..#..'..$....ANS
49 FF F0  I..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

NIDS Mode I – deployment diagram showing, from the Internet inward: Filtering Router (Perimeter Logs), Firewall (Perimeter Logs), Network IDS (Snort), Statistical IDS (Snort), Generic Server (Host-Based ID) (Snort 2.0), Honeypot (Deception System)

NIDS Mode II
– Can use Snort + plug-ins for both misuse detection and anomalous-activity detection
– Can perform portscan detection, IP defragmentation, TCP stream reassembly, application layer analysis and normalization, etc.
– Various output options available
– Multiple detection modes available
  – Rules/signature
  – Statistical anomaly
  – Protocol verification

Snort 1.x Architecture (Snort data flow)
Packet Stream -> Sniffing -> Packet Decoder -> Preprocessor (Plug-ins) -> Detection Engine (Plug-ins) -> Output Stage (Plug-ins) -> Alerts/Logs

Snort 1.x Detection Engine
– Rule-based detection engine
– Rules are detection elements which are combined to form the signature
– Detection rules are kept in a two-dimensional linked list
  – Chain Headers
  – Chain Options
– Wide range of detection capabilities
  – Stealth scans, OS fingerprinting, buffer overflows, back doors, CGI exploits, etc.

Detection Engine: Rules
Three rules sharing one Rule Header (alert tcp any -> any), each with its own Rule Options:
  alert tcp any -> any (flags: SF; msg: "SYN-FIN Scan";)
  alert tcp any -> any (flags: S12; msg: "Queso Scan";)
  alert tcp any -> any (flags: F; msg: "FIN Scan";)
Internal Representation: a single Rule Node for the header "alert tcp any -> any", linked to three Option Nodes:
  (flags: SF; msg: "SYN-FIN Scan";) -> (flags: S12; msg: "Queso Scan";) -> (flags: F; msg: "FIN Scan";)

Detection Engine: Fully Populated – diagram of the chain with five Rule Nodes (chain headers), each linked to its own list of Option Nodes (eleven in total)
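To make the two-dimensional chain of the last three slides concrete, here is a small added model (not Snort's code) that builds Rule Nodes and Option Nodes from the slide's rules and evaluates Snort's flags option semantics against packets; the 'any' ports, the fourth rule and the packet values are assumptions.

```python
"""Constructed model (not Snort's code) of the Snort 1.x two-dimensional rule
chain: each distinct rule header becomes one Rule Node and the rules sharing it
hang off that node as Option Nodes. Rules are pre-split; only 'flags' is evaluated."""

def flags_match(spec, pkt_flags):
    """Snort 'flags' option: exact match by default; modifier '+' = given flags
    plus any others, '*' = any of them, '!' = none of them. pkt_flags is Snort's
    printed form (8 chars, order 12UAPRSF, '*' = unset); ',mask' is not modelled."""
    mode = next((c for c in spec if c in "+*!"), "")
    want = {c for c in spec if c not in "+*!"}
    have = {c for c in pkt_flags if c != "*"}
    if mode == "+":
        return want <= have
    if mode == "*":
        return bool(want & have)
    if mode == "!":
        return not (want & have)
    return want == have

def build_chain(rules):
    """Rules with identical headers collapse into one Rule Node (chain header)
    whose Option Nodes are kept in rule order."""
    chain = {}
    for header, options in rules:
        chain.setdefault(header, []).append(options)
    return chain

def header_match(header, pkt):
    _action, proto, src, sport, dst, dport = header
    fields = ((src, pkt["src"]), (sport, pkt["sport"]), (dst, pkt["dst"]), (dport, pkt["dport"]))
    return proto == pkt["proto"] and all(spec in ("any", str(val)) for spec, val in fields)

def detect(chain, pkt):
    """Header tested once per Rule Node, then each of its Option Nodes in turn."""
    return [opts["msg"] for header, nodes in chain.items() if header_match(header, pkt)
            for opts in nodes if flags_match(opts["flags"], pkt["flags"])]

# The three rules of the 'Detection Engine: Rules' slide share one header; the
# fourth, from the Snort 2.0 comparison slide later in the deck (Dp: 80,
# flags: A+), gets its own Rule Node. 'any' ports and its msg are assumed here.
ANY = ("alert", "tcp", "any", "any", "any", "any")
RULES = [(ANY, {"flags": "SF", "msg": "SYN-FIN Scan"}),
         (ANY, {"flags": "S12", "msg": "Queso Scan"}),
         (ANY, {"flags": "F", "msg": "FIN Scan"}),
         (("alert", "tcp", "any", "any", "any", "80"), {"flags": "A+", "msg": "ACK to port 80"})]
CHAIN = build_chain(RULES)

def pkt(flags, dport=23):  # constructed TCP packet; flags in Snort's printed form
    return {"proto": "tcp", "src": "10.0.0.1", "sport": 1032, "dst": "10.0.0.2",
            "dport": dport, "flags": flags}
```

A plain SYN ("******S*") fires none of the three scan rules because the flags option is an exact match, while the "***AP***" packet from the sniffer slide only reaches the A+ rule when its destination port is 80.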

Snort 1.x Pros and Cons
Pro
– Wide range of rules available (~1300 by June 2001)
– Very high speed decoding and stateless intrusion detection; 100 Mbps is not too difficult
– Flexibility and multi-platform support
– Good choice for a number of applications; a rapid prototyping platform for new ideas in intrusion detection
Con
– Data structure and rule description language are limited to the protocol level: easy to describe IP/TCP/UDP/ICMP/IGMP/etc., hard to describe HTTP, RPC, SMTP, etc.
– Tendency to write slow output plug-ins!

Snort 2.0
– Multi-format rules input
  – DB, XML, etc.
– Traffic decoders
  – Support arbitrary protocols and multi-path traffic flows
  – Ethernet, FDDI, T/R, SLIP, PPP, ISDN, Raw, IP, ARP, TCP, UDP, ICMP
– Pluggable detection engines
  – Standard NIDS, Target-based IDS, Statistical IDS, Host-based IDS
– ~500% pattern matching performance improvement reported in research work!
– Spooling output

Snort 2.0 Detection Engine Comparison – V 1.x
The header (alert tcp, Sip: [address], Dip: [address], Dp: 80) is repeated for each rule, with one option node per rule:
  (flags: A+; content: "foo";)
  (flags: A+; content: "bar";)
  (flags: A+; content: "baz";)

Snort 2.0 Detection Engine Comparison – V 2.0
The header is factored out once (alert tcp, Sip: [address], Dip: [address]/24, Dp: 80, flags: A+) and the content options are grouped under it:
  content: "foo";
  content: "bar";
  content: "baz";
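An added illustration (not Snort's own code) of the set-wise matching idea behind the V 2.0 layout: the shared header is matched once and the three content strings are found in a single Aho-Corasick pass, compared with the one-scan-per-rule 1.x model; the payload strings used to exercise it are constructed.

```python
"""Constructed illustration (not Snort's code) of the Snort 2.0 detection engine
idea on the slide: the three rules share one header (alert tcp ... Dp: 80,
flags: A+), so their content strings are searched in one pass over the payload
with an Aho-Corasick automaton, where 1.x scanned the payload once per rule."""

def build_ac(patterns):
    """Aho-Corasick automaton: trie transitions, failure links and output sets."""
    goto, fail, out = [{}], [0], [set()]
    for p in patterns:
        s = 0
        for ch in p:
            if ch not in goto[s]:
                goto.append({}); fail.append(0); out.append(set())
                goto[s][ch] = len(goto) - 1
            s = goto[s][ch]
        out[s].add(p)
    queue = list(goto[0].values())  # depth-1 states already fail to the root
    while queue:                    # breadth-first failure-link construction
        r = queue.pop(0)
        for ch, s in goto[r].items():
            queue.append(s)
            f = fail[r]
            while f and ch not in goto[f]:
                f = fail[f]
            fail[s] = goto[f].get(ch, 0)
            out[s] |= out[fail[s]]  # patterns that end here as a shorter suffix
    return goto, fail, out

def search(ac, text):
    """One pass over text; returns every pattern that occurs anywhere in it."""
    goto, fail, out = ac
    s, found = 0, set()
    for ch in text:
        while s and ch not in goto[s]:
            s = fail[s]
        s = goto[s].get(ch, 0)
        found |= out[s]
    return found

CONTENTS = ["foo", "bar", "baz"]  # the content options of the three rules
AC = build_ac(CONTENTS)

def detect_1x(payload, patterns=CONTENTS):
    """1.x model: walk the option chain, one payload scan per content option."""
    hits = {p for p in patterns if p in payload}
    return hits, len(patterns)  # (matched contents, number of payload scans)

def detect_2x(payload, ac=AC):
    """2.0 model: header checked once for the whole group, then one payload pass."""
    return search(ac, payload), 1
```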

Snort Signature Example
SID: 630
Message: SCAN synscan portscan
Signature: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; id: 39426; flags: SF; reference:arachnids,441; classtype:attempted-recon; sid:630; rev:1;)
Summary: A host has scanned the network looking for vulnerable servers.
Impact: Information leak, reconnaissance, preparation for an automated attack such as worm propagation.
Detailed Information: Synscan is the scanning and vulnerability testing engine for ramen and canserserver, and is included in some versions of the t0rn root kit as t0rnscan. It is a very fast SYN scanner.
Attack Scenarios: This is a scanning tool that is often the precursor to a worm infection.
Ease of Attack: This scanner is fast and easy to use. It is readily available and was included with several worms.
False Positives: sscan, mscan, and several other tools used ID=39426, but the use of SYN/FIN is unique to synscan [1.5|1.6].
False Negatives: None.
Corrective Action: Run flexresp with synscan kill.
Contributors: Don Smith (initial research), Josh Gray (edits)
References: arachnids,441

Format of Snort Rule Language
Rule Headers
– Rule Actions: alert, log, pass, activate, dynamic
– Protocols
– IP Addresses
– Port Numbers
– The Direction Operator
– ...
Rule Options
– msg: "..."
– logto: "..."
– ...
Content-list
– allows multiple content strings to be specified in place of a single content option
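As an added example (not Snort's code) tying the rule format above to the SID 630 signature, this parser handles the header fields, the $HOME_NET/$EXTERNAL_NET variables, '!' negation and the direction operator, then runs the signature over constructed packets including the sscan/mscan false-positive case; the variable values, addresses and packet fields are assumptions.

```python
"""Constructed example (not Snort's code): parse a rule in the format described above,
resolve $HOME_NET / $EXTERNAL_NET, and evaluate the SID 630 synscan rule from the
signature page against constructed packets, including the sscan/mscan false-positive case."""
import ipaddress, re
VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}  # assumed variable values

def parse_rule(text):
    """'action proto src sport dir dst dport (key:value; ...)' -> dict of header fields + options."""
    m = re.match(r"(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", text)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = [(k.strip(), v.strip().strip('"')) for k, _, v in
               (o.partition(":") for o in opts.split(";") if o.strip())]
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}

def addr_match(spec, ip):
    """IP field: 'any', a $VARIABLE, or a host/CIDR, each optionally negated with '!'."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_match(spec[1:], ip)
    if spec.startswith("$"):
        return addr_match(VARS[spec[1:]], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def header_match(rule, pkt):
    """Protocol, addresses and ports; the '<>' direction operator also accepts the reverse."""
    def one_way(a, ap, b, bp):
        return (addr_match(rule["src"], a) and rule["sport"] in ("any", str(ap))
                and addr_match(rule["dst"], b) and rule["dport"] in ("any", str(bp)))
    fwd = one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    rev = rule["dir"] == "<>" and one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    return rule["proto"] == pkt["proto"] and (fwd or rev)

def options_match(rule, pkt):
    """Only the detection options SID 630 uses: 'id' (IP ID) and exact-match 'flags'."""
    return all((k != "id" or int(v) == pkt["id"]) and (k != "flags" or set(v) == set(pkt["flags"]))
               for k, v in rule["options"])
def run(rule_text, packets):
    rule = parse_rule(rule_text)
    msg = dict(rule["options"])["msg"]
    return [msg for p in packets if header_match(rule, p) and options_match(rule, p)]

SID_630 = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; '
           'id: 39426; flags: SF;reference:arachnids,441; classtype:attempted-recon; sid:630; rev:1;)')
def pkt(src, ip_id, flags):  # constructed TCP packet to a HOME_NET host; flags as letters of set bits
    return {"proto": "tcp", "src": src, "sport": 1234, "dst": "192.168.1.10", "dport": 80, "id": ip_id, "flags": flags}
PACKETS = [pkt("203.0.113.5", 39426, "SF"),    # synscan: IP ID 39426 with SYN+FIN -> alert
           pkt("203.0.113.5", 39426, "S"),     # sscan/mscan: same IP ID but no FIN -> silent
           pkt("192.168.1.20", 39426, "SF"),   # source inside HOME_NET, so not $EXTERNAL_NET
           pkt("203.0.113.5", 1, "S")]         # ordinary SYN
```

Only the first packet produces the alert: the signature needs both the fixed IP ID and the SYN/FIN combination, which is exactly why the sscan/mscan traffic with the same ID stays quiet.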