Professional Documents
Culture Documents
Power of Snort
Brian Caswell
Principal Research Engineer
Sourcefire Vulnerability Research Team
Background
What is Snort?
Open Source packet analysis tool
The most widely deployed Network Intrusion Detection
System (NIDS)
The de facto standard in intrusion detection and
prevention
Who is Brian Caswell?
Sourcefire
Vulnerability Research Team - Principal
Research Engineer
Keeping Snort users ahead of the threat
SnortRules Maintainer
Author Snort 2.1 Intrusion Detection: Second Edition
2
Snort History
Initial release by Marty Roesch in 1998
Original goals of Snort:
Traffic analysis tool for home network
Debugger for service simulators Marty was developing
for a honeypot system
Learning tool for libpcap
3
Snort History [cont.]
Data
Aquisition Decode Preprocess Detect Action
4
Snort Goes Commercial
5
Snort Today
Snort 2.3 available
Highly stateful, 3000 detection rules + protocol
anomaly detection
Recent additions include
New portscan detector
Target-based IP Defragmenter
Event queuing
Gigabit performance capabilities, etc
12-15000 downloads/week
600k+ rule updates per month
“Most Innovative” @ RSA 2005
6
Snort Tomorrow
The future
New extensible data acquisition/decoder
architecture
New stream reassembler
More application layer protocol analysis
(SMTP/POP/IMAP, DCERPC, SNMP,
Telnet/FTP, etc)
Target-based traffic analysis…
7
Getting Started
Getting Started
Website - http://www.snort.org
Stable release is always available at
http://www.snort.org/dl
Installable binary packages and source tarballs
are typically available
Also available via CVS
http://www.snort.org/source.html
9
Building Snort
Unpack as usual
Tar zxvf snort-2.3.0.tar.gz
Build
Cd snort-2.3.0; ./configure && make && make install
10
Read the Docs!
11
Running Snort
Snort Run Modes
13
NIDS Mode
Sniffer and packet logger modes are covered in
the first chapter of the Snort manual
NIDS Mode is what most people think of when
talking about Snort
Command line switches:
-c <config_file>: load NIDS config from <config_file>
-A <mode>: specify alert <mode>
-s: generate alerts to syslog
Examples:
Snort -c snort.conf
Snort -c snort.conf -d -l ~/pktlog -s
Snort -c snort.conf -b -A fast
14
NIDS Mode [cont]
Useful switches
-D: daemon mode
-i <intf>: sniff on network interface <intf>
-r <pcap_file>: read packets from <pcap_file>
-g <gid>: set group ID of Snort process
-u <uid>: set user ID of Snort process
-t <dir>: chroot Snort process to <dir>
17
Rule format
alert tcp $BAD any -> $GOOD any (flags: SF; msg: “SYN-FIN scan”;)
18
Rule Headers
19
Rule Options
Option start/finish
Option Detail
flags: SF;
Keyword Delimiter
Argument
Separator
20
Fun with Snort Rules
alert tcp any any > any any \
(content: “foo”; msg: “detected foo!”;)
21
Getting Stateful with Snort Rules
Two options available for Snort rules
Flow: check TCP session state, direction
Flowbits: set/test/clear application state info
Stream4 preprocessor must be running for the flow
keyword to work
Flow preprocessor must be running to enable flowbits
alert tcp any any > any any \
(flow: established, to_server; \
Content: “foo”; msg: “detected foo”;)
This rule will only fire for TCP sessions that are in the
ESTABLISHED state and for traffic headed to the server
22
Stateful Snort Rules
24
Managing Output
Snort Output
Two basic types
Alert are for real-time notification
Logs are for forensics
27
Output Futures
28
Current & Future Developments
New portscan detector
Uses rate-based and backscatter methods to detect portscans
New IP defragmenter (frag3)
Target-based, very hard to evade or confuse, high performance
New TCP Stream Reassembler (stream5)
Target-based, high performance
New data acquisition frontend
Modular, extensible
New decoder architecture
Modular, extensible, easier to add protocols to Snort
Additional layer-7 preprocessing
Better protocol anomaly detection, more protocols normalized,
enable new protocol-specific detection keywords
Target-base detection engine…
29
“Sourcefire, framing the
future of IT security”
Information Security Magazine, The Influence List
www.sourcefire.com
800 917 4134