Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.



Published on

Snort IDS presentation for Linux User Group (Singapore) 2004/4/7

Published in: Technology
  • Be the first to comment


  1. 1. Introduction to Snort IDS <ul><ul><li>Introduction to </li></ul></ul><ul><ul><li>Snort IDS </li></ul></ul><ul><ul><li>Linux User Group Singapore </li></ul></ul><ul><ul><li>Friday 7 th May 2004 </li></ul></ul><ul><ul><li>By </li></ul></ul><ul><ul><li>Michael Boman </li></ul></ul><ul><ul><li><> </li></ul></ul>
  2. 2. What we will cover: <ul><li>Short overview on the history of Snort </li></ul><ul><li>Packet flow inside Snort </li></ul><ul><li>Configuring Snort </li></ul><ul><ul><li>Configuring variables </li></ul></ul><ul><ul><li>Configuring preprocessors </li></ul></ul><ul><ul><li>Configuring output modules </li></ul></ul><ul><ul><li>The anatomy of signatures </li></ul></ul><ul><li>Snort compatible spool readers </li></ul><ul><li>Q & A </li></ul>
  3. 3. History of Snort <ul><li>Dec. 1998 </li></ul><ul><ul><li>snort.c created </li></ul></ul><ul><li>Jan. 1999 </li></ul><ul><ul><li>Rule sorting implemented </li></ul></ul><ul><li>Mar. 1999 </li></ul><ul><ul><li>Pattern search engine rewritten from a brute force approach to use Boyer-Moore algorithm </li></ul></ul><ul><li>Aug. 1999 </li></ul><ul><ul><li>New detection engine using a 2 dimensional linked list. 200%-500% speed improvement. </li></ul></ul>
  4. 4. History of Snort (2) <ul><li>Dec. 1999 </li></ul><ul><ul><li>Preprocessors introduced </li></ul></ul><ul><ul><li>Detection plugins introduced </li></ul></ul><ul><ul><li>Variables introduced </li></ul></ul><ul><li>Jan. 2000 </li></ul><ul><ul><li>Portscan preprocessor added </li></ul></ul><ul><li>Jul. 2000 </li></ul><ul><ul><li>IP (de)fragmentation preprocessor added </li></ul></ul><ul><ul><li>Database output plugin added </li></ul></ul><ul><ul><ul><li>MySQL </li></ul></ul></ul><ul><ul><ul><li>PostgreSQL </li></ul></ul></ul><ul><ul><ul><li>unixODBC </li></ul></ul></ul>
  5. 5. History of Snort (3) <ul><li>Jan. 2001 </li></ul><ul><ul><li>XML (IDMEF) output plugin added </li></ul></ul><ul><ul><li>ORACLE output plugin added </li></ul></ul><ul><ul><li>SPADE anomaly preprocessor added </li></ul></ul><ul><li>Apr. 2001 </li></ul><ul><ul><li>Priority and classification of signatures </li></ul></ul><ul><ul><li>VLAN support </li></ul></ul><ul><ul><li>Back Orifice detection plugin added </li></ul></ul><ul><ul><li>uricontent support added </li></ul></ul><ul><li>Jul. 2001 </li></ul><ul><ul><li>New de-fragment preprocessor </li></ul></ul><ul><ul><li>Added stateful inspection </li></ul></ul>
  6. 6. History of Snort (4) <ul><li>Aug. 2001 </li></ul><ul><ul><li>MSSQL output support added </li></ul></ul><ul><ul><li>SNMP output support added </li></ul></ul><ul><ul><li>IDMEF support compiled in by default </li></ul></ul><ul><ul><li>First commit from a address </li></ul></ul><ul><li>Feb. 2002 </li></ul><ul><ul><li>Portscan2 preprocessor added </li></ul></ul><ul><li>May. 2002 </li></ul><ul><ul><li>XML (IDMEF) output plugin removed </li></ul></ul><ul><li>Oct. 2002 </li></ul><ul><ul><li>pthread support killed (never worked anyway) </li></ul></ul>
  7. 7. History of Snort (5) <ul><li>Nov. 2002 </li></ul><ul><li>Removed IPv6 and IPX printing (never did much anyway) </li></ul><ul><li>Mar. 2003 </li></ul><ul><ul><li>Removed ASN1 and fnord preprocessor </li></ul></ul><ul><ul><li>Removed XML and SNMP output plugins </li></ul></ul><ul><li>Oct. 2003 </li></ul><ul><ul><li>Removed WinPopUp output plugin </li></ul></ul>
  8. 8. Snort, today and tomorrow <ul><li>2.1.3 is soon out (RC1 was released Apr. 21) </li></ul><ul><li>Signature quality and documentation is taken very seriously </li></ul><ul><li>Detection capacity and speed main concern </li></ul><ul><li>More output plugins will be removed from Snort and moved to Barnyard. </li></ul>
  9. 9. A packet's journey through Snort
  10. 10. Configuring Snort <ul><li>Variables </li></ul><ul><li>Preprocessors </li></ul><ul><li>Output plugins </li></ul><ul><li>Signatures </li></ul>
  11. 11. Snort variables <ul><li>Variables can be specified both in the configuration file and from the command line. </li></ul><ul><ul><li>snort.conf syntax: </li></ul></ul><ul><ul><ul><li>var HOME_NET [] </li></ul></ul></ul><ul><ul><ul><li>var EXTERNAL_NET !$HOME_NET </li></ul></ul></ul><ul><ul><li>Command line syntax (escape it properly): </li></ul></ul><ul><ul><ul><li>-S HOME_NET=[] </li></ul></ul></ul><ul><li>Variables are usually specified in snort.conf </li></ul>
  12. 12. Snort preprocessors <ul><li>Snort preprocessors offers additional detection capabilities </li></ul><ul><ul><li>Stream re-assembly/de-fragmentation </li></ul></ul><ul><ul><li>Portscan detection </li></ul></ul><ul><ul><li>etc. </li></ul></ul><ul><li>Configuration examples: </li></ul><ul><ul><li>preprocessor flow: stats_interval 2 hash 0 </li></ul></ul><ul><ul><li>preprocessor bo </li></ul></ul>
  13. 13. Snort output plugins <ul><li>Two output facilities </li></ul><ul><ul><li>Alert </li></ul></ul><ul><ul><li>Log </li></ul></ul><ul><li>Example of log formats </li></ul><ul><ul><li>Syslog </li></ul></ul><ul><ul><li>Log files (text, pcap, unified) </li></ul></ul><ul><ul><li>Databases (mysql, postgresql etc) </li></ul></ul><ul><li>Configuration examples: </li></ul><ul><ul><li>output alert_syslog: LOG_AUTH LOG_ALERT </li></ul></ul><ul><ul><li>output database: log, mysql, user=snort </li></ul></ul><ul><ul><li>pass=dbpass dbname=db dbhost=localhost </li></ul></ul><ul><ul><li>sensor_name=sensor1 </li></ul></ul>
  14. 14. Snort signatures <ul><li>Simple, straight forward signature language. </li></ul><ul><li>Has become a de-facto standard with open source NIDS software, and some proprietary vendors has support for at least a sub-set of the functionality. </li></ul><ul><li>Format: </li></ul><ul><ul><li>facility protocol src_ip src_port direction dst_ip dst_port (options) </li></ul></ul><ul><li>Example (alerts on all IP packets): </li></ul><ul><ul><li>alert ip any any -> any any (msg:”IP packet”;) </li></ul></ul>
  15. 15. The unified log format <ul><li>Reading files written in the unified log format </li></ul><ul><ul><li>Unified log format was created so that Snort could offload the alerting to other applications, so Snort can concentrate on intrusion detection instead of generating alerts. </li></ul></ul><ul><ul><li>Unified log format can be best described as a glorified pcap format, where snort specific options has been added (signature id, interface etc..). </li></ul></ul><ul><ul><li>Database and ASCII logging is very expensive, resource vise, for Snort </li></ul></ul><ul><ul><ul><li>A missed packet is a lost packet. </li></ul></ul></ul>
  16. 16. Unified log readers <ul><li>Barnyard </li></ul><ul><ul><li>QPL </li></ul></ul><ul><ul><li>By the same guys who made Snort </li></ul></ul><ul><ul><li>Can only process either alert or log stream per instance </li></ul></ul><ul><li>Mudpit </li></ul><ul><ul><li>GPL </li></ul></ul><ul><ul><li>Can process both alert and log stream at the same time </li></ul></ul><ul><ul><li>Personal note: Never got it to compile </li></ul></ul>
  17. 17. What we have learned <ul><li>The history of Snort </li></ul><ul><ul><li>How it started </li></ul></ul><ul><ul><li>How it continued </li></ul></ul><ul><ul><li>What we might see in the future </li></ul></ul><ul><li>Packet flow inside Snort </li></ul><ul><li>Configuring Snort </li></ul><ul><ul><li>Variables </li></ul></ul><ul><ul><li>Preprocessors </li></ul></ul><ul><ul><li>Output plugins </li></ul></ul><ul><ul><li>Signature syntax </li></ul></ul><ul><li>Snort compatible spool readers </li></ul>
  18. 18. Questions? <ul><li>Got any questions? Now is the time to ask them! </li></ul>
  19. 19. Suggested reading material <ul><li>Snort 2.0 Intrusion Detection </li></ul><ul><ul><li>Brian Caswell, Jay Beale, James C. Foster, Jeremy Faircloth; ISBN: 1931836744 </li></ul></ul><ul><li>Intrusion Detection with Snort </li></ul><ul><ul><li>Jack Koziol; ISBN: 157870281X </li></ul></ul><ul><li> </li></ul>