Snort: A Network Intrusion Detection Software
Matt Gustafson Becky Smith CS691 Semester Project Spring 2003
♦ Intrusion Detection Systems are used to
discover “attempts to comprise the confidentiality, integrity, and availability… of a computer or network.” (Bace, p.5)
♦ Snort is a Network IDS with three modes:
sniffer, packet logger, and network intrusion detection. Snort can also run in the background as a daemon.
♦ Analysis Console for Intrusion Databases
(ACID) is a viewer for IDSs which supplies a web based interface for monitoring and analyzing possible intrusions.
Why choose Snort?
When deciding what type of IDS to incorporate, there are two main requirements to consider:
• Accountability – Who attacked? • Response – What action to take when an attack is found?
Snort focuses on response because accountability is difficult to accomplish due to techniques such as IP Masquerading. Snort is easy to maintain and administrate. Snort can monitor small or large networks. Snort contains multiple output options. For instance, unsock, sends alerts to a UNIX socket that a program can listen on (i.e. firewall).
Figure 1 from Snort Installation Manual (Scott, p. 7)
Figure 2 from Snort Installation Manual (Scott, p. 7)
Software Required to run Snort
♦ Redhat 8.0 ftp://ftp.redhat.com ♦ Snort v2.0, Snort Daemon ♦ ♦ ♦ ♦ PHP v 4.1.2-7.3.6
ftp://updates.redhat.com/8.0/en/ os/i386/ http://www.snort.org/dl/ ♦ ADODB v 2.50 MySQL v3.23.52 http:// http://php.weblogs.com/adodb www.mysql.com/downloads/mysql-3.23.html ♦ PHPLOT v4.4.6 Webmin v.99 http://www.phplot.com/ http://www.webmin.com/ ♦ GD v1.8.4 NetSSLeay v1.20 http://www.boutell.com/gd/ http://symlabs.com/Net_SSLea ♦ Mozilla y/ http://www.mozilla.org/ ACID v0.9.6b23 ♦ Snort Webmin module v1.08 http://acidlab.sourceforge.net/ http://msbnetworks.net/snort/ OpenSSL v1-0.9.7b http://www.openssl.org/
Configuring and Operating Snort
1. 2. 3.
Install all recommended software and snort. Configure SSL Encryption with Webmin http://<snortmachinename>:10000/ Setup Module Configuration from the Snort IDS Admin.
a. b. Decide what options to run Snort with. Specify location of Snort configuration file and rule files.
4. 5. 6. 7. 8.
Create a MySQL database for Snort. Setup appropriate users and passwords for Snort, MySQL, and ACID. Edit the snortd daemon file to project same information from step 3. Start the snortd daemon. Login to ACID: http://<snortmachinename>/acid/
Primary Methods to IDS Analysis
♦ Misuse Detection
– Misuse detection looks for signatures (patterns for known attacks) within network activity. Many misuse detectors minimize the number of false positives. Snort provides a large base-line of rules for detecting many well-known attack signatures and issues new releases frequently. Snort also allows development of unique rules by the network’s administrator.
♦ Anomaly Detection
– Anomaly detection responses to abnormal events on a network. These detectors create profiles of the network that contain normal activities. The downfall to Anomaly detection is that it produces an extremely large number of false positives. It also requires a large history of network activities to build the profiles. Snort also does some Anomaly Detection but it is based on the rules not history.
Format of Snort Rules
Snort rules are made up of two parts: rule header and rule options.
–The header consists of: the action, protocol, source and destination IPs and netmasks, and source and destination ports. –The options section consists of: alert messages and portions of the packet to examine for intrusion.
<action> <protocol> <src IP/mask> <port> -> <dest IP/mask> <port> (msg: <alert message>; content:”search packet for”; … etc)
Some of the Rules We Wrote
A Scan Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET any (flags: A; ack: 0; tag: host, 500, packets, src; msg: “NMAP TCP ping”;) A Local Rule: pass tcp $HOME_NET any -> 22.214.171.124 53 (msg: “DNS zone transfer – Transfer uccs.edu domain:; flags: A+; content: “|00 00 FC|”; offset: 13; reference: arachmids, 212; classtype: attempted-recon; sid: 255; rev:5;)
IDS Responses to Detection
♦ IDSs are not designed to response to or counter an attack.
They merely notify and log the possible intrusions. Some more powerful IDS, like Snort, can alert specific Intrusion Response Systems to an attack. Data collected from IDSs can aid in Intrusion Prevention methods as well. An IDS alone is not enough to protect your network, but it is a main collaborator in your system’s security.
♦ Snort is a well written and
designed Network IDS. ♦ Snort is free and enormously flexible. ♦ Snort is easy to manage and configure. ♦ Snort works for small or large networks.