Journal Online

Installing and Using Snort to Monitor and Control A Network

Jeffrey a. Livermore, Ph.D., has experience in both the academic and professional worlds of IT and IA. Prior to joining Walsh College (Detroit, Michigan, USA) as the department chair of business information technology and information assurance, he was the chief information officer (CIO) for a major cancer research institute. He is a frequent presenter at conferences and is currently researching the ethics of teaching information assurance.

Intrusion detection can be accomplished by detecting digital signatures in network traffic or anomalies within network traffic. Signature detection involves comparing network traffic against a database of digital signatures collected from prior attacks. A signature detection-based intrusion detection system (IDS) such as Snort1 issues an alert when network traffic matches a signature in the dataset. Anomaly detection compares network behavior against a database of past behaviors and issues an alert when the behavior is anomalous or does not match past behavior. This type of IDS must build a database of normal behaviors on the network.2 An anomalybased IDS may generate more false-positives than a signature-based IDS. SnortS Defining CharaCteriStiCS Snort is a popular IDS that has been downloaded 3.7 million times by 2009.3 Snort can be used as a packet sniffer to capture traffic from the network, as a packet logger to save packets to a file or database, or as an IDS. According to Marty Roesch, the original author of Snort, there are at least 250,000 Snort users.4 Snort has been incorporated into more than 140 open-source add-on projects.5 For example, Foundry Networks has included Snort in its LAN switch/WAN router management software. Incorporating Snort into network switching equipment eliminates the need for a separate server running Snort. Companies that incorporate Snort into their products have to pay a license fee. Snort has four major components, the packet sniffer, the preprocessor, the detection engine and the output processor. The packet sniffer is either a hardware- or software-based mechanism for connecting Snort to the network and enables Snort to read or capture the traffic as it flows past the computer on which Snort is installed.6 Snort is able to work with a variety of sniffers including Nessus, Ethereal and Wireshark.7 The preprocessor enables a system administrator to

utilize optional Snort plug-ins that can analyze or manipulate network traffic before it is run past Snorts detection engine. The preprocessor plugins are written in C and can detect anomalies and reconstruct sessions. The detection engine compares network traffic against a set of rules that is installed or created by the system administrator. Learning how to create and effectively use Snorts rules is the most difficult part of learning how to administer Snort. The rules can be broken down into two parts: a rule header that describes the action to be taken and an option that contains the digital signature that Snort should compare against network traffic. Rules have been written to address 4,700 specific threats.8 A typical Snort rule consists of the following components: header, the name of the targeted protocol, the targeted port, a title, a flow statement, the depth and offset in a packet to compare the content to, and the content against which to match network traffic. There are other options for writing complex rules and there are a number of tools such as Oinkmaster that will simplify rule management.9 One of the characteristics of Snort is that it is not a reactive IDS. A reactive IDS takes actions such as closing connections or sending false information back to the attacking host to stop threats and attacks that it detects. Snort is not reactive, but it can feed alerts into other software packages that will convert the alerts into actions. It is possible to establish a connection between Snort and a network firewall to block unwanted traffic and stop threats to the network. The SnortSAM10 plug-in will create the connection between Snort and a variety of firewalls on UNIX or Linux platforms including CheckPoint, Cisco PIX, Cisco routers, Netscreen, Watchguard, and IPTables and IPChains. To achieve reactive functionality, the Snort sensor must be located in line with the firewall. Snort can also be configured to generate a log file that is fed into Lockdown Networks Enforcer product, which
ISACA JOURNAL VOLUME 6, 2009

can then react to Snort alerts and take actions. Enforcer works by applying rules that describe what actions to take for specific Snort alerts.11 Snort can detect only threats that have been previously identified by a human and had rules written and loaded into the Snort detection engine. Keeping Snort current and effective requires considerable manual effort. Identifying a threat and identifying a digital signature that can detect it takes time and leaves networks that rely on Snort for intrusion detection unprotected. When the Slammer and Code Red worms hit the Internet, it took several days to identify signatures for them, which enabled these worms to spread before Snort rules were distributed and installed on a large scale.12 Snort is an open-source tool. Open-source products have become a vital part of many organizations software acquisition and development strategies. Because it is open source, many developers produce applications that supplement Snorts built-in functionality. SnortSnarf, ACID, Razorback and SnortView are applications that improve on Snorts ability to display warnings and alert system administrators to attacks.13 While Snort is a free open-source download, many of the add-on products are proprietary commercial products. Users have the choice to pay for a rules subscription or to receive the rules for free. The free rules are released five days after they are released to the paying customers. Like all IDSs, Snort generates a large number of falsepositives. The number of false-positives can overwhelm the people implementing an IDS for the first time. Sifting through all of the warnings and false-positives to spot true threats to the network requires experience and skill. To help reduce the number of false-positives, Snort has incorporated features such as suppression and thresholding. Snort is unable to identify every intrusion or attack. The large number of false-positives makes the output dataset very large, and it can be very difficult to sort through all those data to find the true threats that need to be addressed. There are a variety of tools such as SnortView that help the true threats stand out from the false-positives. SnortView helps clarify Snorts output by eliminating alerts that appear consecutively, occur very frequently, or are for services that do not exist on that network. Once SnortView has eliminated the non-threatening alerts, the relevant alerts are presented in a graphical format that includes the 2
ISACA JOURNAL VOLUME 6, 2009

following information: time of alert and the type, source and destination of the attack activity.14 Snorts detection of certain threats can be complicated if the digital signature is fragmented across a number of packets. For example, the signature for the Code Red worm is more than 100 bytes. If the signature is broken into smaller segments, the number of false-positives generated will increase. A signature-matching IDS can be defeated by altering the code of an attack to modify the digital signature or encrypting the packet payloads. Snort is able to analyze traffic in real time but has limited ability to recognize attacks that are spread out over a period of time. This limitation of Snort can be extended by storing packets in a database and then examining the packets for patterns or anomalies.15 the Snort inStaLLation ProCeSS Before installing Snort, it is important to make sure that the necessary legal steps to comply with applicable laws have been taken. After that, it is important to determine what add-on applications and system software will be installed to support Snort. The add-on applications will determine several of the installation options that will be selected during installation. For example, the Snort installation needs to know which, if any, database management system (DBMS) will be used to store Snort messages. Not all add-on applications are available on all of the platforms that Snort supports. Snort can be installed on all versions of Windows since Windows 98. Snort can be run on any Windows-based PC with a packet-capture driver and a network interface card (NIC). Additional disk space will be required to contain the logs and alerts generated by Snort. The following steps should be taken to lock down the computer before installing Snort: configure the system to boot only from the hard drive, have a strong password, rename the guest and administrator accounts, turn off or remove all unnecessary services, disable all network protocols except for TCP/IP, and apply all relevant patches and maintenance. It is important that the computer running Snort be secure. Once Snort has been installed, it may be run as a Windows service. Before installing the Snort software,16 it is necessary to install the WinPcap driver. This executable should be launched and will cause the installation wizard window to pop up. The installer needs to sequentially click on the Next, Yes, I agree with the terms of this license agreement, Next

and OK buttons to complete the installation. The Windows machine should be rebooted at this time, just as after the installation of any software. The downloaded executable should be launched, which will cause the installation wizard to pop up. The installer needs to click on the I agree button after reading the usage agreement. The installation wizard will then present the installer with a series of windows with questions about the desired installation configuration. The installer needs to decide on the type of database support wanted and then select the appropriate Snort components. The next window presented to the installer enables him/ her to pick the directory into which the Snort software will be installed. Snort is installed into the following six subdirectories under the user-chosen installation directory: bin, contrib., doc, etc, log and rules. The newly installed Snort software can be configured by changing the options in the snort.conf file. Once Snort has been installed on a computer, the computer must be placed in the network to serve as a Snort sensor. The location of the sensor is important as placement determines what network traffic Snort will be able to capture and analyze. Snort will analyze all of the traffic it can access unless the configuration file specifies a range of addresses. Effective locations for Snort sensors are at external access, any DMZ area, connections betweens subnets, and in locations where they can monitor critical or vulnerable services such as mail, FTP, web and database. Multiple Snort sensors in a network can feed alerts into a single database. To maintain security, the data being sent from the sensor to the database can be encrypted with Secure Sockets Layer (SSL). SnortCenter may be used to manage distributed sensors. One of the operational limitations of Snort is that it can only scale to handle certain levels of network traffic. Snort can be overwhelmed by large amounts of network traffic and will begin to drop packets when it does not have the central processing unit (CPU) resources to examine the packets. When Snort begins to drop packets, it will identify only 10 percent of the attacks it faces.17 Snort should be run on a high-end PC or server because Windows, Snort and the software typically installed along with Snort are all large consumers of CPU resources. Snort and its associated software may require up to 60 megabytes (MB) of hard drive space.18

Snort can be limited by other hardware factors than the CPU. Snort can also be limited by the amount of installed memory, the system bus, the speed of the NIC and the amount of available disk speed. Snort needs to execute on a system with enough memory to allow the entire rule set to reside in memory, reducing the amount of physical input/output (I/O) operations. Bus speed is important to Snort, as a slow bus can become bogged down by I/O operations. Snort will perform best with a specialized NIC that is designed to capture packets without taking resources from the CPU to other system components. Snort needs to have a fast disk drive with adequate capacity to contain the necessary log files or databases.19 Snort provides protection from worms in two ways. The first method is by detecting the digital signature of the intruding worm. Most worms have a distinct digital signature that Snort can detect. Detecting worms is complicated by the fact that there are typically several variations of each worm, with each variation having a distinct signature. These variations are typically different releases of the worm, as the author refines the code to alter the worms functionality. Of the 790 worms examined in one study, 290 of them had one or more variations from the original.20 The problem with detecting and blocking worms with signature-based techniques is that it is a slow, labor-intensive process that occurs while the worm is spreading.21 Snort can also be used to detect worms by finding similar patterns of packet code compression and complexity. The compress plug-in for Snort enables Snort to determine the amount of compression being used in a packet stream and determine if the compression pattern is similar to a known worms compression pattern. Snort can also determine if a packet stream is similar to a captured stream that contains a worm. Snort can be part of an organizations solution to detect and stop peer-to-peer (P2P) traffic. Current P2P software downloads and uploads files across a number of ports to avoid detection. Snort can detect the P2P protocols within network streams and also identify the source of the P2P traffic. Snort can be used with the SnortSam plug-in to communicate the source of the traffic to a controlling firewall that can block the traffic. Snort is also capable of detecting instant messaging (IM) traffic by identifying connections being made to the ports used by popular IM networks.
ISACA JOURNAL VOLUME 6, 2009

organizationaL goaLS for Snort Every organization will have different reasons for installing Snort and will have different network monitoring and management goals it hopes to meet by using Snort. Multimedia traffic is becoming a significant problem in many networks as users stream and download multimedia content. The Ringling School of Art and Design was able to reduce its network traffic by 80 percent by using Snort to identify and help block P2P activity.22 Many colleges and universities would like to keep their bandwidth reserved for educational purposes and also restrict copyright violations with P2P. In addition to bandwidth consumption, new attacks have been developed that are unique to multimedia. The number of multimedia attacks is increasing as more media formats and protocols are developed and deployed. Schools can use Snort as an educational tool as well as an intrusion detection tool. Utah Valley State College (USA) has incorporated Snort into its undergraduate networking program as part of an inexpensive open-source networking lab. The college has developed a lab exercise using Snort to spot an intrusion.23 Snort can also be integrated into other parts of an IT curriculum. One add-on product that will fit into a curriculum is Barnyard. Barnyard is an open-source product that takes the responsibility of loading the Snort output to a database.24 This tool will enable students to measure the overhead of using a database instead of a flat file and the performance impact of various database-tuning actions. Routing Snort output to a database provides real-life opportunities for writing extraction and reporting programs. The large number of false-positives produced by Snort will cause a lot of data to be written to the database. One of the educational options for integrating Snort into a curriculum is writing an output plug-in. Writing a moderately complex output plug-in should take a moderately skilled programmer two to four weeks.25 Developing an output plug-in is an appropriately sized assignment for a group of undergraduate or graduate students that would demonstrate their coding skills and an understanding of network intrusion detection.

ConCLuSion Snort is a security product that has been widely adopted. As an open-source downloadable product, Snort is free, easily obtainable and simple to install. As use of open-source products becomes more acceptable to IT and corporate executives, Snort, Linux, Apache and My-SQL can be used to build a secure and completely open-source infrastructure. There are numerous add-on products that extend Snorts functionality. Snort has a simple four-stage architecture that facilitates efficient processing of network traffic while comparing the packets to a database of digital signatures for matches with known attacks. Snort can be overwhelmed by large volumes of network traffic and consumes large amounts of computing resources. The placement of the Snort sensor in the network will determine what traffic is analyzed, as Snort can analyze whatever traffic is flowing through that segment of the network. Snort can analyze internal and external traffic for the different types of attacks that are inherent in each type of traffic. Snort has a strong future as the number of network attacks is likely to increase along with incidents of cybercrime. Organizations are also being required to meet federal regulations and report on security incidents on their networks. Organizations need to recognize that Snort is only one part of their security measures and should not expect Snort to be their security silver bullet. referenCeS Orebaugh, A.; S. Biles; J. Babbin; Snort Cookbook, Sebastopol, OReilly Media Inc., USA, 2005 McLaughlin, K.; Patch Counters Vulnerability in Snort Opensource Intrusion Protection, Computer Reseller News, 12 June 2006, p. 32 Hochmuth, P.; Foundry Adds Snort to LAN Switch, Network World, 23(20), 2006, p. 21-22 Nazario, J.; Defense and Detection Strategies Against Internet Worms, Artech House Inc., USA, 2004 Koziol, J.; Intrusion Detection With Snort, Sams Publishing, USA, 2003 Scott, C.; P. Wolfe; B. Hayes; Snort for Dummies, John Wiley & Sons Inc., USA, 2004 Greer, E.; V. Bishop; Network Analyzer Churns Out Useful Security Reports, Federal Computer Week, 19(35), 2005, p. 56

ISACA JOURNAL VOLUME 6, 2009

enDnoteS 1 Snort was developed in 1988 by Marty Roesch as an open source intrusion detection system. Snort performs real-time analysis of traffic on IP networks. Snort is available on the Windows, Linux, UNIX and Mac OS platforms. Snort has been a relatively bug-free product, but a major vulnerability was discovered in 2006 that allowed malicious network traffic to avoid detection. When vulnerabilities are discovered in Snort, they need to be addressed quickly because Snort is used by so many organizations and is incorporated into network equipment and a number of other security products. 2 Hwang, K.; M. Cai; Y. Chen; M. Qin; Hybrid Intrusion Detection With Weighted Signature Generation Over Anomalous Internet Episodes, IEEE Transactions on Dependable and Secure Computing, 4(1), 2007, p. 41-55 3 Sourcefire, Snort, www.sourcefire.com/products/snort 4 Sourcefire, www.snort.org 5 Reuters, Sourcefire Celebrates 10 Year Anniversary of Snort, 28 May 2009, www.reuters.com 6 Kohlenberg, T. (ed.); Snort Intrusion Detection and Prevention Toolkit, Syngress Publishing Inc., USA, 2007 7 Marques, O.; P. Baillargeon; Design of a Multimedia Traffic Classifier for Snort, Information Management & Computer Security, 15(3), 2007, p. 241-256 8 Op cit, Reuters 9 Ibid. 10 SnortSam can be downloaded from www.snortsam.net. 11 Fratto, M.; Aiming for NACs Blindspot, Network Computing, 18(8), 2007, p. 35-36 12 Varghese, G.; Network Algorithmics: An Interdisciplinary Approach to Designing Fast Network Devices, Elsevier, The Netherlands, 2005

13

14 15

16

17

18

19 20

21 22 23

24 25

Koike, H.; K. Ohno; Snortview: Visualization System of Snort Logs, Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security, USA, 2004 Ibid. Wuu, L.; C. Hung; Building Intrusion Pattern Miner for Snort Network Intrusion Detection System, Journal of Systems and Software, 80(10), 2007, p. 1699-1715 The current version of Snort can be downloaded from www.snort.org. Attig, M.; J. Lockwood; SIFT: Snort Intrusion Filter for TCP, Proceedings of the 13th Symposium on High Performance Interconnects, 2005 Mathias, T.; Snort Enhancements Suppress IDS Headaches, Computerworld, 37(51), 2003, p. 33 Op cit, Kohlenberg Wehner, S.; Analyzing Worms and Network Traffic Using Compression, Journal of Computer Security, 15(3), 2007, p. 303-320 Op cit, Varghese Op cit, Marques Heldenbrand, D.; C. Carey; The Linux Router: An Inexpensive Alternative to Commercial Routers in the Lab, Papers of the 14th Annual CCSC Midwestern Conference and Papers of the 16th CCSC Rocky Mountain Conference, 2007, p. 127-133 Op cit, Kohlenberg Ibid.

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal. Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors content. 2009 ISACA. All rights reserved. Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25 per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited. www.isaca.org
ISACA JOURNAL VOLUME 6, 2009