Term Paper Snort


  • 7/31/2019 Term Paper Snort

    1/6

    Page 1

    Snort

    Introduction

    When a network grows in size, the threats to that network grow as well. Therefore, more security tools and techniques are needed to reduce the risk that comes with network growth. To secure networks we need to implement three techniques (prevention, detection, and response); we cannot rely on prevention alone, because prevention can stop only known attacks. Using detection therefore increases overall security, because detection tells us what types of activity are taking place on our network.

    Recognizing normal and abnormal activity increases our ability to prevent and respond to suspicious activity on our network. To prevent and respond to suspicious activity, we first need to detect unwanted activity of any type; only then can we prevent and respond to it.

    Since detection is essential to securing networks, we will look at Snort, one of the most popular intrusion detection systems. Snort can also be implemented as an intrusion prevention system.

    What is Snort?

    Snort is an open source intrusion detection and prevention system. It was created in 1998 by Martin Roesch, the founder of SourceFire Inc., which now develops Snort. Snort is a lightweight Linux-based intrusion detection/prevention tool, but it can also run on most operating systems, such as Windows, Linux, Solaris and *BSD. Moreover, Snort can run as a network-based intrusion detection/prevention system or as a host-based one. Stallings and Brown (2008) state that Snort is a highly configurable and portable host-based or network-based IDS with these characteristics:

    - Easily deployed on most nodes (host, server, router) of a network
    - Efficient operation that uses a small amount of memory and processor time
    - Easily configured (p. 204)

    What Can Snort Do?

    Snort can perform several tasks: real-time traffic capture, like tcpdump; protocol analysis; and content searching and detection, which is considered Snort's most important capability. Snort can detect most known attacks and probes, which helps alert administrators before an incident happens. Detection is based on rules, which can be downloaded from the Snort website, or any administrator can write a rule that fits his or her needs.


    How Does Snort Work?

    Snort NIDS can log and/or alert on any suspicious activity, which helps administrators take action to prevent or respond to it. When we implement Snort NIDS, packets pass through four logical components.

    First, a packet goes through the decoder, which decodes the packet by identifying and isolating its protocol headers.

    Second, after decoding, the packet goes into the detection engine, which decides what action to take based on the set of rules. There are three actions that can be taken (log, alert and discard): when the packet matches a rule, the action is logging and/or alerting on the packet.

    Third, Snort can be configured to send the logs to any machine on the network and save them in a human-readable or binary format.

    Fourth, Snort can be configured to alert the administrator in real time about any unwanted traffic.

    When a packet does not match any rule, Snort discards it and the packet goes on into the network. The rules are therefore the most important factor in Snort, and they need to be updated and modified to keep systems secure.

    Figure 1: Four Logical Components of Snort (Decoder, Detection Engine, Logging, Alerting)
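    The four-component pipeline described above, modelled in Python as an added example (this is not Snort's code): a decoder that isolates the IPv4 header and the TCP/UDP/ICMP header behind it, a detection engine that parses a small subset of Snort's rule syntax (protocol, addresses, ports, msg, content, sid) and matches packets against it, and the logging and alerting steps that act on the matches. The rules, the 10.1.1.0/24 home network and the telnet segment are constructed for the example.

```python
import ipaddress
import re
import struct
from collections import namedtuple

# 1. Decoder: identify and isolate the IPv4 header and the TCP/UDP/ICMP header behind it.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
Packet = namedtuple("Packet", "proto src dst sport dport payload")   # ports are 0 for ICMP

def decode_ipv4(raw: bytes) -> Packet:
    """Parse an IPv4 packet into its fields; this toy decoder does not verify checksums."""
    ihl = (raw[0] & 0x0F) * 4
    proto = PROTO_NAMES.get(raw[9], "other")
    src = str(ipaddress.IPv4Address(raw[12:16]))
    dst = str(ipaddress.IPv4Address(raw[16:20]))
    l4 = raw[ihl:]
    if proto in ("tcp", "udp"):
        sport, dport = struct.unpack("!HH", l4[:4])
        data_off = (l4[12] >> 4) * 4 if proto == "tcp" else 8   # TCP data offset or UDP header
        return Packet(proto, src, dst, sport, dport, l4[data_off:])
    return Packet(proto, src, dst, 0, 0, l4[8:] if proto == "icmp" else l4)

# 2. Detection engine: rules in Snort's "action proto src sport -> dst dport (options)" form.
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*)\s*;')
Rule = namedtuple("Rule", "action proto src sport dst dport msg sid contents")

def parse_rule(text: str) -> Rule:
    """Only the msg, content and sid options are understood; any other option is ignored."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparsable rule: {text!r}")
    action, proto, src, sport, dst, dport, opts = m.groups()
    msg, sid, contents = "", 0, []
    for key, val in OPT_RE.findall(opts):
        val = val.strip().strip('"')
        if key == "content":
            contents.append(val.encode())      # every content string must appear in the payload
        elif key == "msg":
            msg = val
        elif key == "sid":
            sid = int(val)
    return Rule(action, proto, src, sport, dst, dport, msg, sid, contents)

def addr_match(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_match(spec[1:], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_match(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_match(spec[1:], port)
    if ":" in spec:                            # Snort range syntax, e.g. "1024:" or "6000:6010"
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)

def detect(pkt: Packet, rules: list) -> list:
    """Return every rule the packet matches: header fields first, then all content strings."""
    return [r for r in rules
            if r.proto in ("ip", pkt.proto)
            and addr_match(r.src, pkt.src) and port_match(r.sport, pkt.sport)
            and addr_match(r.dst, pkt.dst) and port_match(r.dport, pkt.dport)
            and all(c in pkt.payload for c in r.contents)]

# 3 + 4. Logging and alerting: a "log" rule logs the packet; an "alert" rule logs it and alerts.
def process(raw: bytes, rules: list) -> dict:
    pkt = decode_ipv4(raw)
    out = {"logged": [], "alerts": []}
    for r in detect(pkt, rules):
        line = f"[{r.sid}] {r.msg} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
        if r.action in ("log", "alert"):
            out["logged"].append(line)
        if r.action == "alert":
            out["alerts"].append(line)
    return out

# Constructed sample input (not captured traffic): a telnet login segment carrying "root".
def build_tcp(src, dst, sport, dport, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + tcp

SAMPLE_RULES = [parse_rule(r) for r in (
    'alert tcp any any -> 10.1.1.0/24 23 (msg:"Telnet login with root"; content:"root"; sid:1000001;)',
    'log tcp any any -> 10.1.1.0/24 23 (msg:"Telnet into protected net"; sid:1000002;)',
    'alert udp any any -> any 53 (msg:"DNS query"; sid:1000003;)',
)]
SAMPLE_PACKET = build_tcp("192.0.2.7", "10.1.1.10", 40000, 23, b"login: root\r\n")

if __name__ == "__main__":
    for kind, lines in process(SAMPLE_PACKET, SAMPLE_RULES).items():
        print(kind, lines)
```

    Run it directly and it prints which rules logged and which alerted on the sample segment: both telnet rules log it, and only the one whose content string "root" appears in the payload raises an alert. Real Snort rules carry many more options (nocase, flags, pcre and so on) and Snort's engine is far more optimized, but the order of work is the one the paper describes: headers are decoded, the rule header is checked, the content options are searched, and only then is the action taken.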


    Operating Modes of Snort:

    Snort can be implemented in different modes; it runs in four operating modes: sniffer, packet logger, network intrusion detection, and inline mode (prevention mode).

    Sniffer Mode:

    In this mode Snort acts like tcpdump or Ethereal: it captures packets and sends them to the console.

    Example: use this command to run Snort in sniffer mode:

        ./snort -v

    With this command Snort captures the IP and TCP/UDP/ICMP headers and sends them to the console.

    Packet Logger Mode:

    In this mode Snort logs the packets and writes them to a folder or storage for later review and analysis.

    Example: use this command to run Snort in packet logger mode:

        ./snort -dev -l ./log -h 10.1.1.10/24

    With this command, Snort logs the packets in the folder (log) on a remote machine.

    Network Intrusion Detection Mode:

    In this mode Snort logs and alerts only on packets that match Snort rules; this is Snort's most powerful mode.

    Example: use this command to run Snort in NIDS mode:

        ./snort -dev -l ./log -h 10.1.1.10/24 -c Rules.conf

    With this command, Snort logs any packet that matches the rules in the Rules.conf file.


    Inline Mode:

    In this mode Snort acts as a network intrusion prevention system (IPS). Snort works with iptables to allow or drop packets: packets come from iptables to Snort, Snort applies the rules and decides which action should be taken, and then Snort tells iptables which action to take. There are four actions that can be taken in inline mode:

    Drop: tells iptables to drop the packet, and Snort logs the packet.

    Sdrop: tells iptables to drop the packet silently.

    Reject: tells iptables to reject the packet and send back a TCP reset, or a port unreachable message for the UDP protocol.
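    The inline-mode actions above, worked through as an added Python example (not Snort's own code; the Decoded and Verdict types, the sample segments, and the assumption that reject logs the packet like drop does are assumptions of the example). Given a matched rule's action and the decoded packet, it returns the verdict Snort would hand back to iptables, whether the packet is logged, and, for reject, the TCP RST or ICMP port-unreachable packet built to answer the sender, with the IPv4, TCP and ICMP checksums computed.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

@dataclass
class Decoded:
    """Fields the decoder hands to the inline engine (constructed shape, not Snort's own type)."""
    proto: str            # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    seq: int = 0          # TCP sequence number of the offending segment
    ack: int = 0          # TCP acknowledgement number of the offending segment
    payload_len: int = 0
    raw: bytes = b""      # original packet; its IP header + 8 bytes are quoted in ICMP errors

@dataclass
class Verdict:
    iptables: str                 # "ACCEPT" or "DROP": what Snort tells iptables to do
    logged: bool                  # whether Snort writes the packet to its log
    response: Optional[bytes]     # packet sent back to the sender for "reject", else None

def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum used by IPv4, TCP and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto_num: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto_num, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def tcp_reset(p: Decoded) -> bytes:
    """RST/ACK to the sender: addresses and ports swapped, seq = sender's ack, ack = seq + length."""
    ack = (p.seq + p.payload_len) & 0xFFFFFFFF
    tcp = struct.pack("!HHIIBBHHH", p.dport, p.sport, p.ack, ack, 5 << 4, 0x14, 0, 0, 0)
    pseudo = (ipaddress.IPv4Address(p.dst).packed + ipaddress.IPv4Address(p.src).packed
              + struct.pack("!BBH", 0, 6, len(tcp)))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    return ipv4_header(p.dst, p.src, 6, len(tcp)) + tcp

def icmp_port_unreachable(p: Decoded) -> bytes:
    """ICMP type 3 code 3, quoting the original IP header plus 8 bytes as RFC 792 requires."""
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + p.raw[:28]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(p.dst, p.src, 1, len(icmp)) + icmp

def inline_verdict(action: str, p: Decoded) -> Verdict:
    """Map a matched rule's action to the verdict handed back to iptables."""
    if action == "drop":                       # drop and log
        return Verdict("DROP", True, None)
    if action == "sdrop":                      # drop silently: nothing is logged
        return Verdict("DROP", False, None)
    if action == "reject":                     # drop, log, and answer the sender
        resp = tcp_reset(p) if p.proto == "tcp" else icmp_port_unreachable(p)
        return Verdict("DROP", True, resp)
    return Verdict("ACCEPT", action in ("alert", "log"), None)   # detection-only actions pass

# Constructed sample packets (not captured traffic).
SAMPLE_TCP = Decoded("tcp", "192.0.2.7", "10.1.1.10", 40000, 23, seq=1000, ack=5000, payload_len=13)
SAMPLE_UDP = Decoded("udp", "192.0.2.7", "10.1.1.10", 40001, 161,
                     raw=ipv4_header("192.0.2.7", "10.1.1.10", 17, 8) + struct.pack("!HHHH", 40001, 161, 8, 0))

if __name__ == "__main__":
    for action in ("drop", "sdrop", "reject"):
        v = inline_verdict(action, SAMPLE_TCP)
        print(action, v.iptables, "logged" if v.logged else "silent", len(v.response or b""), "response bytes")
```

    The reset's source address and port are the original packet's destination, its sequence number is the sender's acknowledgement number, and its acknowledgement number is the original sequence number plus payload length; a reset that gets these wrong is silently ignored by the sender's TCP stack and the connection merely hangs. The raw field is needed only for the UDP case, because an ICMP error has to quote the offending packet's IP header and first eight bytes.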

    Technical Impacts:

    Snort can now help many security administrators monitor activity on their networks by logging, alerting on and preventing suspicious traffic. When administrators use Snort as an intrusion detection system, it helps them see all the activity on their company networks. By using Snort and reviewing its logs, administrators can see what types of suspicious traffic occur and then try to prevent that traffic. They can also see which services are being attacked; those services need more security measures than other services. Moreover, administrators can use Snort as an intrusion prevention system, which helps prevent many types of attacks, such as buffer overflows, stealth port scans, backdoors and others.

    Moreover, when administrators understand the suspicious activity, they can write their own rules to fit their networks' needs. Many people around the world also write rules for Snort, which can be obtained to alert on or log any new type of attack. Therefore, Snort's rules are regularly updated.

    Legal Impacts:

    One advantage of using Snort as an IDS/IPS is that it can log any activity, and those logs could serve as evidence in court. Snort thus helps with auditing and provides more information about what an attacker did when he or she attacked the company's systems. Providing these logs to the court could serve as evidence against the attacker. Also, when an employee is terminated or fired, the logs could help the company prove any suspicious activity he or she carried out.


    Cost of Snort:

    Snort IDS/IPS can be downloaded from Snort.com free of charge, which means anyone can download and use Snort. But to get new, updated certified rules, there is a cost associated with the SourceFire VRT rules.

    Here is the pricing retrieved from Snort.com on 11-20-2009:

    The pricing for the Sourcefire VRT Certified Rules is based on an annual subscription model. Subscription prices break down as follows:

    Subscription Type                  Pricing          Sensor(s)
    Personal (available only online)   $29.99/sensor    1
    Business                           $499/sensor      1-5
    Business                           $399/sensor      6+

    Who Uses Snort?

    Snort has a large number of users around the world. Snort is well documented, and the Snort user manual has been translated into ten languages, such as Arabic and Russian. This means that most IT people around the world use Snort because it is free to download, well documented and growing fast. Snort can also be enhanced by third-party applications, for example the Demarc program, which is a NIDS management console.

    Conclusion:

    Snort has become more popular as an IDS/IPS that helps security administrators monitor their networks and observe their networks' performance. It can be used as an IDS that detects suspicious activity and malicious code based on a set of rules (auditing) and alerts administrators about that activity. Moreover, Snort can run as an IPS, which helps security staff prevent attacks and suspicious traffic from reaching the systems they are trying to protect. Using Snort's inline mode can improve how iptables works; for example, it can help iptables drop or pass packets based on Snort rules. Snort with third-party enhancements helps security staff read its output easily. Finally, since Snort is free, it can be a good tool for education and for understanding IDS functionality for anyone who wants to learn how an IDS works.


    References:

    Terry, S., & Chow, J. (2005). An Assessment of the DARPA IDS Evaluation Dataset Using Snort. Retrieved November 15, 2009, from http://www.cs.ucdavis.edu/research/tech-reports/2007/CSE-2007-1.pdf

    The Snort Project. (2009, September 21). SNORT® Users Manual 2.8.5. Retrieved November 20, 2009, from http://www.snort.org/assets/120/snort_manual.pdf

    Ur Rehman, R. (2003). Intrusion Detection with SNORT: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID. New Jersey: Prentice Hall PTR.

    Stallings, W., & Brown, L. (2008). Computer Security: Principles and Practice. Prentice Hall.

    Zimmerman, B. (2003). Auditing a Snort Intrusion Detection System: An Auditor's Perspective. Retrieved November 15, 2009, from https://it-audit.sans.org/community/papers/auditing_a_snort_intrusion_detection_system:_an_auditors_perspective_72
