Snort - Lightweight Intrusion Detection for Networks YOUNG Wo Sang Program Committee, PISA
Introducing Snort Snort is: –Small (~1.2M source distribution) –Portable (Linux, Solaris, *BSD, IRIX, HP-UX, WIN32) –Fast (High probability of detection for a given attack on “ average ” networks) –Configurable (Easy rules language, many reporting/logging options) –Free (GPL/Open Source Software) –Current version as of Aug 2001
Snort Design Packet sniffing network intrusion detection system Libpcap-based sniffing interface Rules-based detection engine Multiple output options –decoded logs, tcpdump formatted logs –real-time alerting to syslog, file, database, xml
Detection Engine Rules form “ signatures ” Modular detection elements are combined to form these signatures Anomalous activity detection is possible –stealth scans, OS fingerprinting, invalid ICMP codes, etc Rules system is very flexible, and creation of new rules is relatively simple
Rules Format alert tcp ! /24 any -> /24 any (flags: SF; msg: “SYN-FIN Scan”;) Two sections to a rule rule header: alert tcp ! /24 any -> /24 any rule options: (flags: SF; msg: “SYN-FIN Scan”;) Rule headers and options can be strung together in any combination
Rule Header Features IP addresses –negation, CIDR blocks TCP/UDP ports –negation, ranges, greater than/less than uni/bi-directional port/address consideration
Rule Option Features IP TTL IP ID Fragment size TCP Flags TCP Ack number TCP Seq number Payload size Content Content offset Content depth Session recording ICMP type ICMP code Alternate log files
Uses for Snort Packet Sniffing NIDS Honeypot Monitor Scan Detection/Traps Other Fun Stuff
Packet Sniffing NIDS Load up a good rules set and let it run! – Automatically generates alerts and logs full packet data Alternative alerting/actions can be handled by something like Swatch – alerts, active response, etc
Honeypot Monitor Honeypots are “ deception systems ” that perform intrusion detection by inclusion –Gets rid of all the false alarms! Use Snort ’ s filtering capability to log all the traffic going to the honeypot Post process the data with a good ruleset
Scan Detection/Traps Snort has no formal port scan detection mechanism Setup rules to log traffic to known closed ports & unused addresses Poor man ’ s honeypot/port scan detector Alert tcp any any -> /24 100:600 (flags: S; msg: “TRAP!”;)
Other Fun Stuff Snort is a packet sniffer, can be used to analyze traffic in real-time Motivated people can write rules to pick up all sorts of naughty things –SQL/ODBC, ActiveX, Java/JavaScript, Macro Viruses
Other Fun Stuff (Cont.) SHADOW sensor replacement SHADOW is a free NIDS based on tcpdump Snort can use the SHADOW BPF rule set, plus it ’ s own! Gains: –real-time alerting, payload analysis, rules simplicity, post-processing, etc.
Snort Internal Plugin architecture –stream4 : detect stealth portscans Write detection modules and add them to rule set Hooks for preprocessors –IP defrag, TCP stream reassembly, statistics, etc Hooks for backend/output –database, SNMP, tunnels, etc.
Snort Addon Guardian 1.2.0, by Anthony Stevens and Ernie Lim Guardian is a stand-alone Perl script which watches the output of snort, and will add rules to IPChains on the fly as snort detects and reports an attack. snort-panel, by Xato A very useful windows-based utility for managing, controlling, and monitoring the win32 port of Snort. snortnet, by Fyodor This code is an output plugin that allows you to log Snort alerts to a remote machine. Requires libiap-0.1.tar.gzlibiap-0.1.tar.gz Spade , by Silicon Defense SPADE stands for the Statistical Packet Anomaly Detection Engine. It is a Snort preprocessor plugin which sends alerts of anomalous packet through standard Snort reporting mechanisms. Please consider this to be experimental, though it has worked well for us. ACID 0.9.6b9, by CERT ACID is a PHP-based analysis engine to search and process a database of security incidents generated by Snort. Requires PHP and MySQL. … more
FIN Get Snort from: Writing Snort rules: