Sourcefire Inc.
Topics
• Background
– What is Snort?
• Using Snort
• Snort Architecture
• The Future of Snort and Snort 2.0
Background – Policy
• Preprocessor
– Packets are examined/manipulated before
being handed to the detection engine
• Detection
– Perform single, simple tests on a single
aspect/field of the packet
• Output
– Report results from the other plug-ins
Using Snort
Packet Logger Mode
Snort Data Flow
[Diagram: Packet Stream -> Preprocessor (Plug-ins) -> Detection Engine (Plug-ins) -> Output Stage (Plug-ins) -> Alerts/Logs]
Detection Engine: Rules
[Diagram: rule tree of linked Option Nodes; the example Option Node shown carries the options (flags: SF; msg: "SYN-FIN Scan";)]
Conclusion
• Snort is a powerful tool, but maximizing its
usefulness requires a trained operator
• Becoming proficient with network intrusion
detection takes 12 months; “expert” 24-36?
• Snort is considered a superior NIDS when
compared to most commercial systems
• Managed network security providers should
collect enough information to make decisions
without calling clients to ask what happened
Backup Slides
DS Implementation Map
[Diagram: Internet -> Filtering Router (Perimeter Logs) -> Firewall (Perimeter Logs); inside: Network IDS (Snort), Statistical IDS (Snort), Honeypot (Deception System), Generic Server (Host-Based ID, Snort 2.0)]
Snort 1.x Architecture
• Output
– People have a really nasty tendency to write slow
output plug-ins!
– Variable output formats mean performance is
highly variable based on the selected output
modes
– No way to control Snort’s performance effectively,
leading to negative reviews and user e-mail
• “Snort’s eating 90% of the CPU!?!”
Snort 2.0 Architecture
• Basic goals
– Faster
– More extensible
– Better protocol support
– Better able to analyze the full gestalt of
network intrusion activity
Snort 2.0 Plug-Ins
[Diagram: rule tree. Protocol node "tcp" branches to the header nodes (Sip: 1.1.1.1; Dip: 2.2.2.2; Dp: 80) and (Sip: 1.1.1.1; Dip: 10.1.1.0/24); option node: content: "baz";]
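To show how the rule tree on these slides (and the "Detection Engine: Rules" slide above) is evaluated, here is an added toy model, not Snort's own code: header nodes narrow the candidate rules, then each option node runs one simple test on one field of the packet. The Packet and Rule names, the packets, and the choice to attach content: "baz" to the 10.1.1.0/24 header are assumptions built from the slide examples.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional
@dataclass
class Packet:                  # constructed, minimal decoded packet
    proto: str
    sip: str
    dip: str
    dport: int
    flags: str = ""            # TCP flag letters, e.g. "SF" = SYN+FIN
    payload: bytes = b""
def _ip_in(addr: str, spec: str) -> bool:
    """Header test: address against a host, a CIDR block, or 'any'."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

@dataclass
class Rule:
    """Header (proto/sip/dip/dport) plus a chain of option-node tests (assumed shape)."""
    proto: str
    sip: str
    dip: str
    dport: Optional[int]       # None means any destination port
    options: dict = field(default_factory=dict)
    def header_matches(self, p: Packet) -> bool:
        return (p.proto == self.proto and _ip_in(p.sip, self.sip)
                and _ip_in(p.dip, self.dip)
                and (self.dport is None or p.dport == self.dport))
# Option nodes: each inspects exactly one aspect of the packet.
# flags: SF fires only when SYN and FIN are the *only* bits set.
OPTION_TESTS = {
    "flags":   lambda p, want: set(p.flags) == set(want),
    "content": lambda p, want: want.encode() in p.payload,
}

def match(rules, p: Packet) -> list:
    """Return the msg of every rule whose header and all option nodes match."""
    hits = []
    for r in rules:
        if not r.header_matches(p):
            continue           # header node fails: skip its whole option chain
        if all(OPTION_TESTS[k](p, v) for k, v in r.options.items() if k != "msg"):
            hits.append(r.options.get("msg", "<no msg>"))
    return hits

RULES = [  # constructed from the slide examples
    Rule("tcp", "any", "any", None, {"flags": "SF", "msg": "SYN-FIN Scan"}),
    Rule("tcp", "1.1.1.1", "2.2.2.2", 80, {"msg": "1.1.1.1 -> 2.2.2.2:80"}),
    Rule("tcp", "1.1.1.1", "10.1.1.0/24", None, {"content": "baz", "msg": "baz to 10.1.1.0/24"}),
]
```

Because a failed header node skips the entire option chain, most packets never reach the (costlier) content test; that is the performance argument behind the two-level tree.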
Acquisition Plugins
• Libpcap allows us to be very cross platform
but is also a bottleneck
• Acquisition plugins allow arbitrary data input
sources
• Interesting applications
– Netfilter/divert socket input stream
– Gateway IDS…
– Host-based IDS…
• High speed platform specific acquisition
capability
Decoder Plugins
• Arbitrary protocol support in Snort
• Snort is currently limited to…
– Ethernet, FDDI, T/R, SLIP, PPP, ISDN, Raw
– IP, ARP
– TCP, UDP, ICMP
• With plug-ins, new decoders can be
painlessly dropped into Snort, automatically
making Snort “aware” of that protocol and
capable of performing traffic analysis on it
• Additional support for “unknown” protocols
will have to be added to the detection engine
Pluggable Detection
Engines
• Current signature based engine isn’t
necessarily the only way to do NID
• The current primary detection engine in Snort
is really just a very involved preprocessor
• Other possibilities
– Snort + Netfilter (or Divert Sockets) = Gateway
IDS (or “packet scrubber”)
– Snort + NMAP = Target-based IDS
– Snort + SAS = Statistical Anomaly IDS (ok, just
kidding)
Learning More
• www.snort.org
– Writing Snort Rules
• www.snort.org/snort_rules.html
– FAQ, USAGE file, README file, man page
– Snort mailing lists
• Books
– Intrusion Detection: An Analyst's Handbook by Northcutt
– Intrusion Signatures and Analysis by Northcutt
– The Practical Intrusion Detection Handbook by Paul Proctor