Harnessing the

Power of Snort

Brian Caswell
Principal Research Engineer
Sourcefire Vulnerability Research Team
 Background
 What is Snort?
 Open Source packet analysis tool
 The most widely deployed Network Intrusion Detection
System (NIDS)
 The de facto standard in intrusion detection and
prevention
 Who is Brian Caswell?
 Sourcefire
Vulnerability Research Team - Principal
Research Engineer
 Keeping Snort users ahead of the threat
 SnortRules Maintainer
 Author Snort 2.1 Intrusion Detection: Second Edition

2
 Snort History
 Initial release by Marty Roesch in 1998
 Original goals of Snort:
 Traffic analysis tool for home network
 Debugger for service simulators Marty was developing
for a honeypot system
 Learning tool for libpcap

 Initial open source release in

December 1998
 Justa sniffer, no rule language
 Rules implemented early 1999

 1.0 release, June 1999

 Basic rules language, stateless

3
 Snort History [cont.]

 Snort 1.5 released December 1999

 System was rearchitected to be modular and
extensible
 Same basic architecture still used today!
 Snort implemented as a packet analysis pipeline

Data
Aquisition Decode Preprocess Detect Action

4
 Snort Goes Commercial

 Sourcefire founded in January 2001

 Snort 1.7 last release before “full time”
development begins
 Snort 1.7 is pitted head to head against 9 commercial
IDS offerings in a Network Computing test, comes in
3rd overall!
 Snort 1.8 released in mid-2001, contains high
speed output system, enterprise grade IP
defragmenter/TCP Stream Reassembler, etc

5
 Snort Today
Snort 2.3 available
 Highly stateful, 3000 detection rules + protocol
anomaly detection
 Recent additions include
 New portscan detector
 Target-based IP Defragmenter
 Event queuing
 Gigabit performance capabilities, etc
12-15000 downloads/week
600k+ rule updates per month
“Most Innovative” @ RSA 2005
6
 Snort Tomorrow

The future
 New extensible data acquisition/decoder
architecture
 New stream reassembler
 More application layer protocol analysis
(SMTP/POP/IMAP, DCERPC, SNMP,
Telnet/FTP, etc)
 Target-based traffic analysis…

7
Getting Started
 Getting Started

 Website - http://www.snort.org
 Stable release is always available at
http://www.snort.org/dl
 Installable binary packages and source tarballs
are typically available
 Also available via CVS
 http://www.snort.org/source.html

9
 Building Snort

 Get the tarball from snort.org

 http://www.snort.org/dl/snort-2.3.0.tar.gz
 Make sure libpcap and PCRE are installed

 Unpack as usual
 Tar zxvf snort-2.3.0.tar.gz
 Build
 Cd snort-2.3.0; ./configure && make && make install

10
 Read the Docs!

 Lots of documentation is available for Snort!

 Look in the ‘doc’ directory of the tarball
 Snortmanual in PDF format
 README files cover Snort features and subsystems
 Man pages available too

11
Running Snort
 Snort Run Modes

 Three basic modes of operation

 Sniffer
 Packet logger
 NIDS

 Runtime mode is determined at run-time via

command line switches

05/22-11:50:11.320761 127.0.0.1:55786 -> 127.0.0.1:631

TCP TTL:64 TOS:0x0 ID:16546 IpLen:20 DgmLen:69 DF
***AP*** Seq: 0xCE6183EE Ack: 0x89ECD4F2 Win: 0xFFFF TcpLen: 32
TCP Options (3) => NOP NOP TS: 1481027454 1481027454
50 4F 53 54 20 2F 20 48 54 54 50 2F 31 2E 31 0D POST / HTTP/1.1.
0A .

13
 NIDS Mode
 Sniffer and packet logger modes are covered in
the first chapter of the Snort manual
 NIDS Mode is what most people think of when
talking about Snort
 Command line switches:
 -c <config_file>: load NIDS config from <config_file>
 -A <mode>: specify alert <mode>
 -s: generate alerts to syslog

 Examples:
 Snort -c snort.conf
 Snort -c snort.conf -d -l ~/pktlog -s
 Snort -c snort.conf -b -A fast

14
 NIDS Mode [cont]

 Useful switches
 -D: daemon mode
 -i <intf>: sniff on network interface <intf>
 -r <pcap_file>: read packets from <pcap_file>
 -g <gid>: set group ID of Snort process
 -u <uid>: set user ID of Snort process
 -t <dir>: chroot Snort process to <dir>

 If no command line switches are specified, Snort

looks for snort.conf in the /etc/snort and the local
directory
 Default logging directory is /var/log/snort
15
Snort Rules
 Rule Syntax

 Snort’s rule syntax is simple and straightforward

 It is also, unfortunately, quirky
 Full rule docs in snort_manual.pdf file!

17
 Rule format

alert tcp $BAD any -> $GOOD any (flags: SF; msg: “SYN-FIN scan”;)

Rule Header Rule Options

Rule Header Rule Options
- static definition - variable definition
- has to be in every rule - not always necessary
- 50+ options available

18
 Rule Headers

alert tcp $BAD any -> $GOOD any

Rule action Dest. Port

Protocol Dest. CIDR
Src. CIDR Direction
Src. Port

19
Rule Options

(flags: SF; msg: “SYN-FIN scan”;)

Option start/finish

Option Detail
flags: SF;
Keyword Delimiter
Argument
Separator

20
 Fun with Snort Rules

 Basic detection is fun and easy with Snort rules

 To detect a basic string on the network (network
grep) you just need the content keyword

alert tcp any any ­> any any \
(content: “foo”; msg: “detected foo!”;)

 Detecting basic strings is easy but can result in

false positives
 Better method is to define more constraints
under which the rule may fire

21
 Getting Stateful with Snort Rules
 Two options available for Snort rules
 Flow: check TCP session state, direction
 Flowbits: set/test/clear application state info
 Stream4 preprocessor must be running for the flow
keyword to work
 Flow preprocessor must be running to enable flowbits

alert tcp any any ­> any any \
(flow: established, to_server; \
Content: “foo”; msg: “detected foo”;)
 This rule will only fire for TCP sessions that are in the
ESTABLISHED state and for traffic headed to the server

22
 Stateful Snort Rules

 There is another type of state that can be used,

cross-rule state
 Uses the new “flowbits” keyword to set/test/clear
bits in Snort rules
 We can track application protocol state with Snort!
 Example:
alert tcp any any ­> $SMTP 25 \
    (pcre: “/^DATA\n/i”; \
     flowbits: set,smtp.client.mode.data;
     flowbits: noalert;)
alert tcp any any ­> $SMTP 25 \
    (msg:"SMTP expn decode"; 
     flow: established, to_server;
     flowbits: isnotset,smtp.client.mode.data;
     ...
23
 Regular Expressions

 Snort supports PCRE - powerful regular

expression payload analysis
 Use with care
 Maintainability, performance issues
alert tcp $HOME_NET any ­> $EXTERNAL_NET 25
(msg:"VIRUS OUTBOUND bad file attachment"; \
flow:to_server,established; \
content:"Content­Disposition|3A|"; nocase; \
pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|
s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|
jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|
v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[stw]|bat|ini|lnk|nws|
ocx)[\x27\x22\n\r\s]/iR"; \
classtype:suspicious­filename­detect; \
sid:721; rev:7;)

24
Managing Output
 Snort Output
 Two basic types
 Alert are for real-time notification
 Logs are for forensics

 Several alert/log output types available

 Alert: syslog, text, database, unified
 Log: text, pcap, database, unified, CSV

 Performance is a big deal in the output

subsystem
 Low performance = dropped packets
 Snort’s unified format was designed specifically
for high-performance output
 Pcap format is for cross-platform analysis
26
 Unified Output

 Unified output is setup for high performance and

flexibility
 Unified format can be converted to any of the
other formats (DB, pcap, XML, etc)
 Barnyard is used to process unified files
 http://www.snort.org/dl/barnyard/barnyard-0.2.0.tar.gz
 Input/output plugins
 Input: Alert, log, stream (flow data)
 Output: DB, CSV, syslog, pcap, SGUIL, text, XML

27
 Output Futures

 Unified/Barnyard are the future of Snort output

generation
 Performance is the number one concern of the
sensor process
 Unfied2 coming soon, barnyard will change to
suit
 Most complex post-processing should move into
Barnyard

28
 Current & Future Developments
 New portscan detector
 Uses rate-based and backscatter methods to detect portscans
 New IP defragmenter (frag3)
 Target-based, very hard to evade or confuse, high performance
 New TCP Stream Reassembler (stream5)
 Target-based, high performance
 New data acquisition frontend
 Modular, extensible
 New decoder architecture
 Modular, extensible, easier to add protocols to Snort
 Additional layer-7 preprocessing
 Better protocol anomaly detection, more protocols normalized,
enable new protocol-specific detection keywords
 Target-base detection engine…
29
“Sourcefire, framing the
future of IT security”
Information Security Magazine, The Influence List

Questions & Answers

www.sourcefire.com
800 917 4134