
Snort

Introduction

As a network grows, the threats to it grow as well, so more security tools and techniques are needed to reduce the risk that comes with that growth. Securing a network requires three techniques: prevention, detection, and response. Prevention alone cannot secure a network, because prevention can only stop known attacks. Detection increases overall security because it tells us what types of activity are on our network, and being able to recognize normal and abnormal activity improves our chance of preventing and responding to suspicious activity. In other words, before we can prevent or respond to unwanted activity, we first have to detect it. Since detection is essential to securing a network, this paper looks at Snort, one of the most popular intrusion detection systems; Snort can also be deployed as an intrusion prevention system.

What is Snort?

Snort is an open source intrusion detection and prevention system. It was created in 1998 by Martin Roesch, the founder of Sourcefire Inc., which now develops Snort. Snort is a lightweight, Linux-based intrusion detection/prevention tool, but it also runs on most operating systems, including Windows, Linux, Solaris and *BSD. Snort can be run as a network-based or a host-based intrusion detection/prevention system. Stallings and Brown (2008) state that Snort is a highly configurable and portable host-based or network-based IDS with these characteristics:

- Easily deployed on most nodes (host, server, router) of a network
- Efficient operation that uses a small amount of memory and processor time
- Easily configured (p. 204)

What Can Snort Do?

Snort performs several tasks: real-time traffic capture, much like tcpdump; protocol analysis; and content searching and detection, which is considered its most important ability. Snort can detect most known attacks and probes, which helps alert administrators before an incident can happen. Detection is based on rules, which can be downloaded from the Snort website, or an administrator can write rules that fit his or her own needs.

How Does Snort Work?

As a NIDS, Snort can log and/or alert on any suspicious activity, which helps administrators take action to prevent or respond to it. When Snort is deployed as a NIDS, each packet passes through four logical components. First, the packet goes through the decoder, which identifies and isolates the protocol headers. Second, the decoded packet goes into the detection engine, which decides what action to take based on the rule set; three actions are possible (log, alert and discard), and when a packet matches a rule the action is to log and/or alert on it. Third, Snort can be configured to send its logs to any machine on the network and to store them in human-readable or binary format. Fourth, Snort can be configured to alert the administrator in real time about any unwanted traffic. When a packet does not match any rule, Snort discards it and the packet goes on into the network. The rules are therefore the most important part of Snort, and they need to be updated and modified to keep systems secure.
Figure 1: Four Logical Components of Snort (Decoder, Detection Engine, Logging, Alerting)


Operating Modes of Snort

Snort can be implemented in different modes; it runs in four operating modes: sniffer, packet logger, network intrusion detection, and inline mode (prevention mode).

Sniffer Mode: In this mode Snort acts like tcpdump or Ethereal, capturing packets and sending them to the console. Example: run Snort in sniffer mode with this command:
./snort -v

With this command, Snort will capture the IP and TCP/UDP/ICMP headers and send them to the console.

Packet Logger Mode: In this mode Snort logs the packets to a folder or storage for later review and analysis. Example: run Snort in packet logger mode with this command:

./snort -dev -l ./log -h 10.1.1.10/24

With this command, Snort logs the packets into the log folder on the remote machine.

Network Intrusion Detection Mode: In this mode Snort logs and alerts on only the packets that match Snort rules; this is the most powerful mode of Snort. Example: run Snort in NIDS mode with this command:
./snort -dev -l ./log -h 10.1.1.10/24 -c Rules.conf

With this command, Snort will log any packets that match the rules in the Rules.conf file.

Inline Mode: In this mode Snort acts as a network intrusion prevention system (IPS). Snort works together with iptables to allow or drop packets: packets come from iptables to Snort, Snort applies its rules and decides which action should be taken based on them, and then Snort tells iptables which action to take. Four actions can be taken in inline mode:

Drop: tells iptables to drop the packet, and Snort logs the packet.
Sdrop: tells iptables to drop the packet silently.
Reject: tells iptables to reject the packet and send back a TCP reset, or an ICMP port unreachable for UDP.

Technical Impacts: Snort helps many security administrators monitor the activity on their networks by logging, alerting on and preventing suspicious traffic. When administrators use Snort as an intrusion detection system, it helps them know what is happening on their company networks. By using Snort and reviewing its logs, administrators can see what types of suspicious traffic they receive and then try to prevent it. They can also see which services are being attacked and therefore need more security measures than other services. Administrators can also use Snort as an intrusion prevention system, which helps prevent many types of attacks such as buffer overflows, stealth port scans, backdoors and others. Once administrators understand the suspicious activity on their network, they can write their own rules to fit their network's needs. Many people around the world also write Snort rules, which can be obtained to alert on or log new types of attacks, so Snort's rules are regularly updated.
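The decision flow described under "How Does Snort Work?" and the inline actions listed above, as an added Python example that is not part of this paper or of Snort's own code: it parses a few constructed rules written in Snort's rule-header syntax and evaluates constructed packets against them, returning the action and the iptables verdict. The Packet type, the rule subset handled (only `->`, with msg and content options) and the treatment of a drop-class rule outside inline mode as a plain log/alert are assumptions.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample rules in Snort header syntax: action proto src sport -> dst dport (options)
RULES = [
    'alert tcp any any -> 10.1.1.0/24 80 (msg:"Web probe"; content:"/etc/passwd";)',
    'log udp any any -> 10.1.1.0/24 53 (msg:"DNS query";)',
    'drop tcp any any -> 10.1.1.0/24 23 (msg:"Telnet blocked";)',
    'sdrop icmp any any -> 10.1.1.0/24 any (msg:"Ping dropped silently";)',
    'reject tcp any any -> 10.1.1.0/24 445 (msg:"SMB rejected";)',
]
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")
# iptables verdict for each inline action as the text describes it: (verdict, log it?, send a response?)
INLINE = {"drop": ("DROP", True, False), "sdrop": ("DROP", False, False), "reject": ("DROP", True, True)}

# Hypothetical decoded packet: what the decoder stage would hand to the detection engine
Packet = namedtuple("Packet", "proto src sport dst dport payload", defaults=[b""])

def parse_rule(text):
    """Split one rule into its header fields plus its msg/content options."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    rule = {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}
    rule.update(re.findall(r'(\w+):"([^"]*)"', opts))  # quoted options such as msg and content
    return rule

def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(rule, pkt):
    """Detection-engine check: every header field must agree, then the content string is searched."""
    return (rule["proto"] == pkt.proto
            and _addr_ok(rule["src"], pkt.src) and rule["sport"] in ("any", str(pkt.sport))
            and _addr_ok(rule["dst"], pkt.dst) and rule["dport"] in ("any", str(pkt.dport))
            and rule.get("content", "").encode() in pkt.payload)

def evaluate(pkt, rules, inline=False):
    """First matching rule decides; no match means the packet passes on into the network."""
    for rule in map(parse_rule, rules):
        if matches(rule, pkt):
            verdict, log, respond = "ACCEPT", True, False  # assumed: outside inline mode a match only logs/alerts
            if inline and rule["action"] in INLINE:
                verdict, log, respond = INLINE[rule["action"]]
            response = ("tcp-rst" if pkt.proto == "tcp" else "icmp-port-unreachable") if respond else None
            return {"action": rule["action"], "msg": rule.get("msg"), "verdict": verdict, "log": log, "response": response}
    return {"action": "pass", "msg": None, "verdict": "ACCEPT", "log": False, "response": None}
```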
Legal Impacts: One advantage of using Snort as an IDS/IPS is that it logs all activity, and those logs can serve as evidence in court. Snort thus helps with auditing and provides more information about what an attacker did when attacking the company's systems, so the logs can be provided to a court as evidence against the attacker. In the case of terminating or firing an employee, it can also help the company prove any suspicious activity he or she carried out.

Cost of Snort: Snort IDS/IPS can be downloaded from Snort.com free of charge, which means anyone can download and use it. However, getting new and updated certified rules involves a cost for the Sourcefire VRT rules. The pricing below was retrieved from Snort.com on 11-20-2009. The pricing for the Sourcefire VRT Certified Rules is based on an annual subscription model. Subscription prices break down as follows:

Subscription Type                 Pricing         Sensor(s)
Personal (available only online)  $29.99/sensor   1
Business                          $499/sensor     1-5
Business                          $399/sensor     6+

Who Uses Snort?

Snort has a large number of users around the world. Snort is well documented, and the Snort user manual has been translated into ten languages, including Arabic and Russian. That means most IT people around the world use Snort because it is free to download, well documented and growing fast. Snort can also be enhanced by third-party applications, for example the Demarc program, a NIDS management console.

Conclusion

Snort has become a popular IDS/IPS that helps security administrators monitor their networks and see how their networks perform. As an IDS it can detect suspicious activity and malicious code based on a set of rules (auditing) and alert administrators about that activity. As an IPS it helps security staff prevent attacks and suspicious traffic from reaching the systems they are trying to protect. Snort's inline mode can improve how iptables works, for example by helping iptables drop or pass packets based on Snort rules. Third-party enhancements help security people read Snort's output easily. Finally, since Snort is free, it is a good tool for education and for understanding how an IDS works, for anyone who wants to learn.

References:

Terry, S., & Chow, J. (2005). An Assessment of the DARPA IDS Evaluation Dataset Using Snort. Retrieved November 15, 2009, from http://www.cs.ucdavis.edu/research/techreports/2007/CSE-2007-1.pdf

The Snort Project. (2009, September 21). SNORT® Users Manual 2.8.5. Retrieved November 20, 2009, from http://www.snort.org/assets/120/snort_manual.pdf

Ur Rehman, R. (2003). Intrusion Detection with SNORT: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID. New Jersey: Prentice Hall PTR.

Stallings, W., & Brown, L. (2008). Computer Security: Principles and Practice. Prentice Hall.

Zimmerman, B. (2003). Auditing a Snort Intrusion Detection System: An Auditors Perspective. Retrieved November 15, 2009, from https://itaudit.sans.org/community/papers/auditing_a_snort_intrusion_detection_system:_an_auditors_perspective_72