CS/CoE 535 : Snort Lite - Fall 2003
Members: Michael Attig (Hardware Design / System Architecture); Qian Wan (Software Design)

Presentation transcript:

Snort Lite
Members
–Michael Attig: Hardware Design / System Architecture
–Qian Wan: Software Design

Motivation
Built up ability to do packet inspection
Would like to add some form of packet classification
Combining these 2 features is a first step toward implementing Snort in hardware
–Ideally reach line rates
–Inspect all packets
–Turn Snort active
Header Processing + Payload Processing

Assumptions
Time constraints force several assumptions
–Support signature lengths from 10 to 32 characters (80 to 256 bits)
–1 content rule can be associated with only 1 header rule
–Must have content and header rule: Content + Header = Rule
–No content wildcards (no regular expressions)
–Wildcards are allowed in header fields
–Recognize IP, TCP, UDP protocols

Hardware Overview
(block diagram: Packet Data in, SID of Matching Rule out)

Major Components (Functionality / Options / Processing)
Payload Processing
–Payload processing via multiple Bloom filters: 8 hash functions per BF; false positive probability
–SDRAM hash table implementation (quadratic probing): expected number of lookups = ?
Header Processing
–SRAM table lookup
–Header fields comparator
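The payload-processing path on this slide (one Bloom filter per signature length, 8 hash functions each, with a hash table behind it to weed out false positives) is shown below as an added software model in Python; it is not the project's code, whose filters are VHDL block RAMs. The SHA-256-derived hash positions, the filter size of 4096 bits and the sample signatures and payload are all constructed for the example, and the exact-match set stands in for the SDRAM hash table.

```python
import hashlib
import math


class BloomFilter:
    """Bit array probed by k hash functions; the slides use k = 8 per filter."""

    def __init__(self, m_bits: int, k: int = 8):
        self.m, self.k, self.n = m_bits, k, 0
        self.bits = bytearray((m_bits + 7) // 8)

    def positions(self, item: bytes) -> list:
        # k bit positions from one SHA-256 digest, taken as 16-bit slices mod m.
        # Assumed hashing for the example; the circuit has its own hash units.
        d = hashlib.sha256(item).digest()
        return [int.from_bytes(d[2 * i:2 * i + 2], "big") % self.m
                for i in range(self.k)]

    def add(self, item: bytes) -> None:
        for p in self.positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)
        self.n += 1

    def __contains__(self, item: bytes) -> bool:
        # All k bits set -> "probably present"; any bit clear -> definitely absent.
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self.positions(item))


def fp_probability(m: int, n: int, k: int) -> float:
    """Standard estimate of the false-positive probability after n insertions
    into an m-bit filter with k hash functions: p = (1 - e^(-k*n/m))^k."""
    return (1.0 - math.exp(-k * n / m)) ** k


def build_filters(signatures, m_bits: int = 4096, k: int = 8) -> dict:
    """One Bloom filter per signature length (the slides support 10..32 bytes)."""
    filters = {}
    for sig in signatures:
        if len(sig) not in filters:
            filters[len(sig)] = BloomFilter(m_bits, k)
        filters[len(sig)].add(sig)
    return filters


def scan_payload(filters: dict, exact_table: set, payload: bytes) -> list:
    """Slide a window of each supported length over the payload. A Bloom hit is
    only a candidate; the exact table (stand-in for the SDRAM hash table)
    confirms it and discards false positives. Returns (offset, signature) pairs."""
    hits = []
    for length, bf in filters.items():
        for off in range(len(payload) - length + 1):
            window = payload[off:off + length]
            if window in bf and window in exact_table:
                hits.append((off, window))
    return sorted(hits)


# Constructed signatures and payload for the example (not a real ruleset).
SIGNATURES = [b"Look at my Sample content!", b"EXAMPLE-SIG-2", b"0123456789"]
EXACT = set(SIGNATURES)
FILTERS = build_filters(SIGNATURES)
PAYLOAD = b"junk junk Look at my Sample content! more junk 0123456789 end"

if __name__ == "__main__":
    for off, sig in scan_payload(FILTERS, EXACT, PAYLOAD):
        print(off, sig)
    # With 100 strings in a 4096-bit filter and k = 8, p is just under 1e-6.
    print("estimated FP rate:", fp_probability(4096, 100, 8))
```

The scan loop is the software analogue of the sliding window the hardware keeps per filter length; the important property to see is that a Bloom hit alone never raises an alert, which is why the slide pairs the filters with a hash table.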

Chip Utilization
Number of 4-input LUTs: 63%
Number of occupied slices: 88%
Number of Block RAMs: 123 of 160 (76%)
Speed: 34.7 MHz (this number doesn't reflect the current design!)

Control Opcodes
x70 – Add String to Hash Table
x72 – Remove String from Hash Table
x74 – Set Bits in a Bloom Filter
x76 – Add Header Table Entry
x78 – Remove Header Table Entry
x80 – Change Alert Message Destination
x82 – Read Header Table Entry
x84 – Read Statistics
x86 – Test Functionality / Pass Through

Example Rule
alert tcp /16 any  (content: "Look at my Sample content!"; sid:750;)
Generic form
–action proto src_ip src_port dest_ip dest_port (content: sid:)

Java Rule Parser
Reads in a rule file
Creates the payload for 3 control packets to program the circuit
–x70 – add signature to analyzer
–x74 – set bits in appropriate Bloom filter
–x76 – add header entry
Tells you if a rule doesn't match the assumptions
Ignores other fields
–Just extracts content and sid
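As an added example (Python; the project's own parser is written in Java and is not reproduced here), the following parser applies the Assumptions slide to a rule in the generic form shown on the Example Rule slide and builds the payloads for the three control packets (x70, x74, x76) listed above. The byte layouts of those payloads, the Bloom filter size and the hash used to pick bit positions are assumptions made for the example; the slides give only the opcodes. The sample rule is constructed for the example.

```python
import hashlib
import ipaddress
import re
import struct
from dataclasses import dataclass

MIN_LEN, MAX_LEN = 10, 32          # signature length bounds from the slides
PROTOCOLS = {"ip", "tcp", "udp"}   # the protocols the hardware recognizes
OP_ADD_STRING, OP_SET_BLOOM_BITS, OP_ADD_HEADER = 0x70, 0x74, 0x76
BLOOM_BITS = 4096                  # assumed Bloom filter size in bits
HASHES = 8                         # 8 hash functions per Bloom filter (slides)

# action proto src_ip src_port -> dest_ip dest_port (options)
RULE_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$")


@dataclass
class Rule:
    action: str
    proto: str
    src_ip: str
    src_port: str
    dst_ip: str
    dst_port: str
    content: str
    sid: int


def parse_rule(line: str) -> Rule:
    """Parse one rule, raising ValueError when it violates a slide assumption."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("rule needs both a header and an options block")
    action, proto, src_ip, src_port, dst_ip, dst_port, options = m.groups()
    if proto.lower() not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {proto!r}")
    opts = {}
    for opt in options.split(";"):
        key, _, val = opt.strip().partition(":")
        if key:
            opts[key.strip()] = val.strip()
    if "pcre" in opts:
        raise ValueError("regular expressions are not supported")
    if "content" not in opts or "sid" not in opts:
        raise ValueError("rule must carry content and sid")
    content = opts["content"].strip('"')
    if not MIN_LEN <= len(content) <= MAX_LEN:
        raise ValueError(f"content length {len(content)} outside {MIN_LEN}..{MAX_LEN}")
    # Other options are ignored: only content and sid are extracted.
    return Rule(action, proto.lower(), src_ip, src_port, dst_ip, dst_port,
                content, int(opts["sid"]))


def rule_error(line: str) -> str:
    """Empty string when the rule is accepted, else the reason it was rejected."""
    try:
        parse_rule(line)
        return ""
    except ValueError as exc:
        return str(exc)


def bloom_bit_positions(content: str) -> list:
    # Assumed hashing: 16-bit slices of SHA-256 mod the filter size.
    digest = hashlib.sha256(content.encode()).digest()
    return [int.from_bytes(digest[2 * i:2 * i + 2], "big") % BLOOM_BITS
            for i in range(HASHES)]


def _ip_and_mask(field: str) -> bytes:
    # "any" is a header wildcard: all-zero mask matches every address.
    net = ipaddress.ip_network("0.0.0.0/0" if field == "any" else field, strict=False)
    return net.network_address.packed + net.netmask.packed


def _port_range(field: str) -> tuple:
    return (0, 0xFFFF) if field == "any" else (int(field), int(field))


def control_packets(rule: Rule, bloom_id: int) -> list:
    """(opcode, payload) for the x70, x74 and x76 control packets.
    Layouts are assumed for the example: big-endian fixed fields, then data."""
    sig = rule.content.encode()
    add_string = struct.pack(">IB", rule.sid, len(sig)) + sig
    bits = bloom_bit_positions(rule.content)
    set_bits = struct.pack(">BB", bloom_id, len(bits)) + struct.pack(f">{len(bits)}H", *bits)
    proto_code = {"ip": 0, "tcp": 6, "udp": 17}[rule.proto]  # 0 = plain IP rule (assumed)
    add_header = (struct.pack(">IB", rule.sid, proto_code)
                  + _ip_and_mask(rule.src_ip) + _ip_and_mask(rule.dst_ip)
                  + struct.pack(">HHHH", *_port_range(rule.src_port), *_port_range(rule.dst_port)))
    return [(OP_ADD_STRING, add_string), (OP_SET_BLOOM_BITS, set_bits), (OP_ADD_HEADER, add_header)]


# Constructed sample rule in the slides' generic form (not from a real ruleset).
SAMPLE_RULE = ('alert tcp 192.168.0.0/16 any -> any 80 '
               '(content:"Look at my Sample content!"; sid:750;)')

if __name__ == "__main__":
    for opcode, payload in control_packets(parse_rule(SAMPLE_RULE), bloom_id=3):
        print(f"x{opcode:02x} {payload.hex()}")
```

A rule that breaks an assumption (a content string outside 10..32 characters, a `pcre` option, a protocol other than IP/TCP/UDP, or a missing header or content) is reported by `rule_error` before any control packet is built, which mirrors the "tells you if a rule doesn't match assumptions" behaviour on the slide.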

Data Flow Overview
Add rules from web interface
Save rules into database
Construct rules to plain text
Parse rules into payload
Construct payload to UDP
Record matches in database
Output statistics to web page

Updated Table Definitions in DB snortlight
TABLES
BLOOMFILTER
–Id INT ; // identity(1, 1)
–BlockRAM1 INT ; // the ID of BlockRAM 1
–BlockRAM2 INT ; // the ID of BlockRAM 2
–BlockRAM3 INT ; // the ID of BlockRAM 3
–BlockRAM4 INT ; // the ID of BlockRAM 4
–BlockRAM5 INT ; // the ID of BlockRAM 5
RULES
–Id INT ; // identity(1, 1)
–BloomId INT ; // FK of BLOOMFILTER
–Content VARCHAR(100) ; // NOT NULL
–SourceIP VARCHAR(30) ;
–DestIP VARCHAR(30) ;
–SourcePort VARCHAR(20) ;
–DestPort VARCHAR(20) ;
–NoCase ENUM("FALSE", "TRUE") ; // 0 false
–InHardware ENUM("FALSE", "TRUE") ; // 0 false
–Action CHAR(5) ; // actions to take
–Protocol CHAR(5) ; // type of protocol
–InsertTime DATE ;
–DeleteTime DATE ;
–KeepLog ENUM("FALSE", "TRUE") ; // 0 false
BLOOMCNTR
–BloomId INT ;
–BlockRAMId VARCHAR(10) ;
–BitPosition INT ;
–Counter INT ;
RULEMATCH
–PacketID INT ;
–RuleID INT ; // FK of RULES
–EventDT DATE ;
MATCHSTATIS // use 0 for false match
–RuleID INT ;
–BloomID INT ;
–StartDT DATE ;
–EndDT DATE ;
–counter INT ;

Work Completed During Break – Software
Resolved all major technical challenges during first use of PHP and MySQL
–Reconfigured Apache and PHP for the Java extension and tested using system classes
–Tested file I/O from PHP
–Reconfigured PHP for the socket extension and tested using Telnet to communicate with the server
Modified web pages (partial demo)

Web Interface
Use Apache as web server and MySQL as database server, all on Windows XP
HTML and PHP, including its extensions, glue the system together

Results – Software
Integration
–Statistics for matches
–Bloom filter counter
–Software and hardware components
–Sockets?

Future Work
Redesign – too many assumptions
Allow header-only and content-only rules
Implement more content-based features
–TCP flags
–IP options
–More header fields
–Multiple signatures per content rule (Snort has many overlapping rules)
Software to dynamically recreate VHDL to change the number of PBFs per LBF based on the number of strings for a particular length
–Statistical modeling would help determine this