Term Paper Snort
-
7/31/2019 Term Paper Snort
1/6
Page 1
Snort
Introduction
As a network grows, the threats to it grow as well. Therefore, more security tools and techniques are needed to reduce the risk that comes with a growing network. To secure a network we need to implement three techniques (prevention, detection, and response); we cannot rely on prevention alone, because prevention stops only known attacks. Using detection techniques therefore raises the overall level of security, because detection tells us what types of activity are taking place on our network.
Recognizing normal and abnormal activity improves our chance of preventing and responding to suspicious activity on our network. To prevent and respond to suspicious activity, we first need to detect any unwanted activity; only then can we prevent and respond to it.
Since detection is essential to securing networks, we are going to look at Snort, which is one of the most popular intrusion detection systems. Snort can also be deployed as an intrusion prevention system.
What is Snort?
Snort is an open source intrusion detection and prevention system. It was created in 1998 by Martin Roesch, the founder of SourceFire Inc., which now develops Snort. Snort is a lightweight, Linux-based intrusion detection/prevention tool, but it can also run on most other operating systems such as Windows, Linux, Solaris and *BSD. Moreover, Snort can be run as a network-based intrusion detection/prevention system or as a host-based intrusion detection/prevention system. Stallings and Brown (2008) state that Snort is a highly configurable and portable host-based or network-based IDS with these characteristics:
- Easily deployed on most nodes (host, server, router) of a network
- Efficient operation that uses a small amount of memory and processor time
- Easily configured (p. 204)
What Can Snort Do?
Snort can perform several tasks: real-time traffic capture, like tcpdump; protocol analysis; and content searching and detection, which is considered Snort's most important ability. Snort can detect most known attacks and probes, which helps alert administrators before an incident can happen. Detection is based on rules, which can be downloaded from the Snort website, or any administrator can write a rule that fits his/her needs.
How Does Snort Work?
Snort NIDS can log and/or alert on any suspicious activity, which helps administrators take action to prevent or respond to it. When we deploy Snort as a NIDS, packets pass through four logical components.
First, a packet goes through the decoder, which helps Snort decode the packet by identifying and isolating the protocol headers.
Second, after decoding, the packet goes into the detection engine, which decides which action to take based on the rule set. There are three possible actions (log, alert and discard); when the packet matches a rule, the action is to log and/or alert on the packet.
Third, Snort can be configured to send the logs to any machine on the network and store them in human-readable or binary format.
Fourth, Snort can be configured to alert the administrator in real time about any unwanted traffic.
When a packet matches no rule, Snort discards it (it is not logged) and the packet continues on through the network. The rules are therefore the most important factor in Snort, and they need to be updated and modified to keep systems secure.
Figure 1: Four Logical Components of Snort (Decoder, Detection Engine, Logging, Alerting)
Operating Modes of Snort:
Snort can be run in four operating modes: sniffer, packet logger, network intrusion detection, and inline mode (prevention mode).
Sniffer Mode:
In this mode Snort acts like tcpdump or Ethereal: it captures packets and prints them to the console.
Example: use this command to run Snort in sniffer mode:
./snort -v
With this command Snort captures the IP and TCP/UDP/ICMP headers and prints them to the console.
Packet Logger Mode:
In this mode Snort logs the packets to a folder or storage for later review and analysis.
Example: use this command to run Snort in packet logger mode:
./snort -dev -l ./log -h 10.1.1.10/24
In this command, Snort logs the packets into the folder (log) on the remote machine.
Network Intrusion Detection Mode:
In this mode Snort logs and alerts only on packets that match Snort rules; this is the most powerful mode of Snort.
Example: use this command to run Snort in NIDS mode:
./snort -dev -l ./log -h 10.1.1.10/24 -c Rules.conf
In this command, Snort logs any packet that matches the rules in the Rules.conf file.
Inline Mode:
In this mode Snort acts as a network intrusion prevention system (IPS). Snort works together with iptables to allow or drop packets: packets come from iptables to Snort, Snort applies the rules and decides which action should be taken, and then Snort tells iptables which action to take. There are four actions that can be taken in inline mode:
Drop: tells iptables to drop the packet, and Snort logs the packet.
Sdrop: tells iptables to drop the packet silently (without logging it).
Reject: tells iptables to reject the packet and send back a TCP reset, or an ICMP port unreachable for the UDP protocol.
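As an added illustration (not code from this paper or from the Snort project), the following Python toy models the pipeline described above: a decoded packet is matched against a small rule set, the first match decides the action, and in inline mode that action becomes the drop, sdrop or reject verdict handed to iptables. The rules, packets, helper names and the assumption that a rejected packet is also logged are all constructed for this example.

```python
import ipaddress
import re
from collections import namedtuple

# Added example, not Snort's own code: a toy detection engine for a small subset of
# Snort rule syntax, following the page's decode -> match -> log/alert/inline pipeline.
Packet = namedtuple("Packet", "proto src sport dst dport payload")
RULE_RE = re.compile(
    r"^(?P<action>alert|log|drop|sdrop|reject)\s+(?P<proto>tcp|udp|icmp)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$")

def parse_rule(text):
    rule = RULE_RE.match(text).groupdict()  # AttributeError on unsupported syntax
    rule["msg"] = re.search(r'msg:"([^"]*)"', rule["opts"]).group(1)
    content = re.search(r'content:"([^"]*)"', rule["opts"])
    rule["content"] = content.group(1).encode() if content else None  # payload bytes to find
    return rule

def in_net(addr, spec):  # 'any', a single host, or a CIDR block (assumption: IPv4 only)
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(rule, pkt):
    port_ok = lambda port, spec: spec == "any" or int(spec) == port
    return (rule["proto"] == pkt.proto
            and in_net(pkt.src, rule["src"]) and port_ok(pkt.sport, rule["sport"])
            and in_net(pkt.dst, rule["dst"]) and port_ok(pkt.dport, rule["dport"])
            and (rule["content"] is None or rule["content"] in pkt.payload))

def detect(rules, pkt):
    """First match decides; 'pass' means no rule matched and the packet just continues."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return "pass"

def inline_verdict(action, pkt):
    """Inline mode as the page describes it: (verdict for iptables, logged?, reply sent)."""
    if action == "drop":
        return ("DROP", True, None)
    if action == "sdrop":
        return ("DROP", False, None)  # silent drop: nothing logged
    if action == "reject":  # assumption: the rejected packet is logged as well
        return ("DROP", True, "tcp-reset" if pkt.proto == "tcp" else "icmp-port-unreachable")
    return ("ACCEPT", action in ("log", "alert"), None)

RULES = [parse_rule(r) for r in (  # constructed rules, not from any real ruleset
    'alert tcp any any -> 10.1.1.0/24 22 (msg:"SSH to home net";)',
    'drop tcp any any -> 10.1.1.0/24 80 (msg:"HTTP request naming cmd.exe"; content:"cmd.exe";)',
    'reject udp any any -> 10.1.1.0/24 53 (msg:"DNS to home net";)',
    'sdrop icmp any any -> any any (msg:"ICMP dropped silently";)')]
```

Real Snort evaluates rules by priority and supports far more options than msg and content; the toy only shows where each of the page's actions sits in the flow.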
Technical Impacts:
Snort helps many security administrators monitor the activity on their networks by logging, alerting on, and preventing suspicious traffic. When administrators use Snort as an intrusion detection system, it helps them see all the activity over their company networks. By using Snort and reviewing its logs, administrators can see what types of suspicious traffic are present and then try to prevent that traffic. They can also see which services are being attacked and therefore need more security measures than other services. Moreover, administrators can use Snort as an intrusion prevention system, which helps prevent many types of attacks such as buffer overflows, stealth port scans, backdoors and others.
Once administrators understand and know the suspicious activity, they can write their own rules to fit their networks' needs. Many people around the world also write Snort rules, which can be obtained to alert on or log any new type of attack; therefore Snort's rules are regularly updated.
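As an added example (not from this paper or the Snort project), this Python summarises lines in Snort's alert_fast log format so an administrator can see which services, rules and source hosts appear most, the kind of log review described above. The log lines, rule ids, messages and hosts are constructed for the example.

```python
import re
from collections import Counter

# Added example, not from the page or the Snort project: summarise a Snort
# "alert_fast" log so an administrator can see which services and which rules
# fire most. The lines below are constructed for the demonstration.
ALERT_FAST = """\
11/20-10:15:32.123456  [**] [1:1000001:1] SSH to home net [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.5:40000 -> 10.1.1.10:22
11/20-10:15:33.004512  [**] [1:1000001:1] SSH to home net [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.5:40001 -> 10.1.1.10:22
11/20-10:16:01.770001  [**] [1:1000002:2] HTTP request naming cmd.exe [**] [Priority: 2] {TCP} 192.0.2.7:51000 -> 10.1.1.20:80
11/20-10:16:05.110000  [**] [1:1000003:1] DNS to home net [**] [Priority: 3] {UDP} 192.0.2.5:5353 -> 10.1.1.10:53
11/20-10:16:09.000001  [**] [1:1000004:1] ICMP echo to home net [**] [Priority: 3] {ICMP} 192.0.2.5 -> 10.1.1.10
this line is not an alert and must be skipped
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$")

def parse_alerts(text):
    """Return one dict per well-formed alert line; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            a = m.groupdict()
            for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
                a[k] = int(a[k]) if a[k] is not None else None  # ICMP alerts carry no ports
            alerts.append(a)
    return alerts

def summarise(alerts):
    """Count alerts per targeted service (proto, port), per rule and per source host."""
    return {
        "by_service": Counter((a["proto"], a["dport"]) for a in alerts),
        "by_rule": Counter((a["sid"], a["msg"]) for a in alerts),
        "by_source": Counter(a["src"] for a in alerts),
    }

if __name__ == "__main__":
    for key, counts in summarise(parse_alerts(ALERT_FAST)).items():
        print(key, counts.most_common(3))
```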
Legal Impacts:
One advantage of using Snort as an IDS/IPS is that it can log any activity, and these logs could serve as evidence in court. Snort thus helps with auditing and provides more information about what an attacker did when he/she attacked the company's systems. Providing these logs to the court could serve as evidence against the attacker. Also, in the termination or firing of an employee, the logs could help the company prove any suspicious activity he/she carried out.
Cost of Snort:
Snort IDS/IPS can be downloaded from Snort.com free of charge, which means anyone can download and use Snort. But to get new and updated certified rules, there is a cost associated with the SourceFire VRT rules.
Here is the pricing retrieved from Snort.com on 11-20-2009:
The pricing for the Sourcefire VRT Certified Rules is based on an annual subscription model. Subscription prices break down as follows:
Subscription Type                 Pricing         Sensor(s)
Personal (available only online)  $29.99/sensor   1
Business                          $499/sensor     1-5
Business                          $399/sensor     6+
Who Uses Snort?
Snort has a large number of users around the world. Snort is well documented, and the Snort user manual has been translated into ten languages, including Arabic and Russian. That means most IT people around the world use Snort because it is free to download, well documented and growing fast. Snort can also be enhanced by third-party applications, for example the Demarc program, which is a NIDS management console.
Conclusion:
Snort has become a popular IDS/IPS that helps security administrators monitor their networks and see how their networks are performing. It can be used as an IDS that detects suspicious activity and malicious code based on a set of rules (auditing) and alerts the administrators about that activity. Moreover, Snort can be run as an IPS, which helps security people stop attacks and suspicious traffic before they reach the systems they are trying to protect. Using Snort's inline mode can improve how iptables works: for example, it can make iptables drop or pass packets based on the Snort rules. Snort with third-party enhancements helps security people read its output more easily. Finally, since Snort is free, it is a good tool for education and for understanding IDS functionality for anyone who wants to learn how an IDS works.
References:
Terry, S., & Chow, J. (2005). An Assessment of the DARPA IDS Evaluation Dataset Using Snort. Retrieved November 15, 2009, from http://www.cs.ucdavis.edu/research/tech-reports/2007/CSE-2007-1.pdf
The Snort Project. (2009, September 21). SNORT Users Manual 2.8.5. Retrieved November 20, 2009, from http://www.snort.org/assets/120/snort_manual.pdf
Ur Rehman, R. (2003). Intrusion Detection with SNORT: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID. New Jersey: Prentice Hall PTR.
Stallings, W., & Brown, L. (2008). Computer Security: Principles and Practice. Prentice Hall.
Zimmerman, B. (2003). Auditing a Snort Intrusion Detection System: An Auditor's Perspective. Retrieved November 15, 2009, from https://it-audit.sans.org/community/papers/auditing_a_snort_intrusion_detection_system:_an_auditors_perspective_72