Snort - an network intrusion
prevention and detection system
Student: Yue Jiang
Professor: Dr. Bojan Cukic
CS665 class pre...
Overview






What’s snort?
Snort architecture
Snort components
Detection engine and rules in snort
Possible researc...
What’s snort?


NIDS:

A network intrusion detection system (NIDS)
is an intrusion detection system that tries to detect
...
Snort
1.

A packet sniffer:

2.

Packet logger: log data in text file
Honeypot monitor: deceiving hostile parties
NIDS: ne...
Typical locations for snort
Requirement of snort




lightweight NIDS
small, flexible
highly capable system
Snort architecture

From: Nalneesh Gaur, Snort: Planning IDS for your enterprise,
http://www.linuxjournal.com/article/4668...
Snort components

From: Rafeeq Ur Rehman, Intrusion Detection Systems with Snort: Advanced IDS
Techniques with Snort, Apac...
Logical components of snort


Packet Decoder:



Preprocessor:



Detection Engine:

takes packets from different types...
TCP/IP layer

Physical layer
Snort work on network (IP) layer, transport (TCP/UDP) layer protocol, and application layer
Detection Engine
※Things need to be done for detection engine:
•The IP header of the packet
•The transport layer header. T...
Detection engine





Number of rules
Traffic load on the network
Speed of network and machine
Efficiency of detection...
Rules




In a single line
Rules are created by known intrusion signatures.
Usually place in snort.conf configuration f...
Rule examples
destination ip address

Apply to all ip packets
Source ip address

Destination port

Source port #
Rule opti...
Detection engine order to scan the
rules


1.
2.
3.

Snort does not evaluate the rules
in the order that they appear in
t...
Challenges with snort










Misuse detection –

avoid known

intrusions
Rules database is larger and larger
It...
Snort components

From: Rafeeq Ur Rehman, Intrusion Detection Systems with Snort: Advanced IDS
Techniques with Snort, Apac...
Attempts to improve


Increasing preprocessing
ability --- offload partial work from detect
engine



Using hardware to ...
Possible ways?




Organize the well-known rules into
better data structure to achieve
better performance
A detector wit...
Thank you !
Upcoming SlideShare
Loading in …5
×

Snort

1,992 views
1,639 views

Published on

This book talks about how to use IDS in security

Published in: Education
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,992
On SlideShare
0
From Embeds
0
Number of Embeds
5
Actions
Shares
0
Downloads
155
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Snort

  1. 1. Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation
  2. 2. Overview      What’s snort? Snort architecture Snort components Detection engine and rules in snort Possible research works in snort.
  3. 3. What’s snort?  NIDS: A network intrusion detection system (NIDS) is an intrusion detection system that tries to detect malicious activity such as denial of service attacks, port scans or even attempts to crack into computers by monitoring network traffic.  Snort:  Snort: an open source network intrusion prevention and detection system. It uses a rule-based language combining signature, protocol and anomaly inspection methods the most widely deployed intrusion detection and prevention technology and it has become the de facto standard technology worldwide in the industry.
  4. 4. Snort 1. A packet sniffer: 2. Packet logger: log data in text file Honeypot monitor: deceiving hostile parties NIDS: network intrusion detection system 3. 4. capture and display packets from the network with different levels of detail on the console
  5. 5. Typical locations for snort
  6. 6. Requirement of snort    lightweight NIDS small, flexible highly capable system
  7. 7. Snort architecture From: Nalneesh Gaur, Snort: Planning IDS for your enterprise, http://www.linuxjournal.com/article/4668, 2001.
  8. 8. Snort components From: Rafeeq Ur Rehman, Intrusion Detection Systems with Snort: Advanced IDS Techniques with Snort, Apache, MySQL, PHP, and ACID.
  9. 9. Logical components of snort  Packet Decoder:  Preprocessor:  Detection Engine: takes packets from different types of network interfaces (Ethernet, SLIP,PPP…), prepare packets for processing (1) prepare data for detection engine; (2) detect anomalies in packet headers; (3) packet defragmentation;(4) decode HTTP URI; (5) reassemble TCP streams. the most important part, applies rules to packets   Logging and Alerting System Output Modules: process alerts and logs and generate final output.
  10. 10. TCP/IP layer Physical layer Snort work on network (IP) layer, transport (TCP/UDP) layer protocol, and application layer
  11. 11. Detection Engine ※Things need to be done for detection engine: •The IP header of the packet •The transport layer header. TCP, UDP, ICMP etc. •The application layer level header. Header of DNS, FTP, SNMP, SMTP •Packet payload ※ How to do these? Apply rules to the packets using a Boyer-Moore string matching algorithm ※ Requirement 1. 2. Time critical Fast
  12. 12. Detection engine     Number of rules Traffic load on the network Speed of network and machine Efficiency of detection algorithm
  13. 13. Rules    In a single line Rules are created by known intrusion signatures. Usually place in snort.conf configuration file. rule header rule options
  14. 14. Rule examples destination ip address Apply to all ip packets Source ip address Destination port Source port # Rule options Alert will be generated if criteria met Rule header
  15. 15. Detection engine order to scan the rules  1. 2. 3. Snort does not evaluate the rules in the order that they appear in the Snort rules file. In default, the order is: Alert rules Pass rules Log rules
  16. 16. Challenges with snort         Misuse detection – avoid known intrusions Rules database is larger and larger It continues to grow snort version 2.3.2, there are 2,600 rules 80% of them are signatures Snort spends 80% work time to do string match Anomaly detection – identify new attacks Probability of detection is low
  17. 17. Snort components From: Rafeeq Ur Rehman, Intrusion Detection Systems with Snort: Advanced IDS Techniques with Snort, Apache, MySQL, PHP, and ACID.
  18. 18. Attempts to improve  Increasing preprocessing ability --- offload partial work from detect engine  Using hardware to reduce workload - a hybrid architecture --- software has more flexibility, hardware has relatively higher throughput  Better detection algorithm
  19. 19. Possible ways?   Organize the well-known rules into better data structure to achieve better performance A detector with acceptable detection probability
  20. 20. Thank you !

×