Snort

Snort IDS presentation for Linux User Group (Singapore) 2004/4/7


  1. Introduction to Snort IDS
     - Introduction to Snort IDS
     - Linux User Group Singapore
     - Friday 7th May 2004
     - By Michael Boman <michael.boman@boseco.com>
  2. What we will cover:
     - Short overview on the history of Snort
     - Packet flow inside Snort
     - Configuring Snort
       - Configuring variables
       - Configuring preprocessors
       - Configuring output modules
       - The anatomy of signatures
     - Snort compatible spool readers
     - Q & A
  3. History of Snort
     - Dec. 1998
       - snort.c created
     - Jan. 1999
       - Rule sorting implemented
     - Mar. 1999
       - Pattern search engine rewritten from a brute force approach to use the Boyer-Moore algorithm
     - Aug. 1999
       - New detection engine using a 2 dimensional linked list. 200%-500% speed improvement.
  4. History of Snort (2)
     - Dec. 1999
       - Preprocessors introduced
       - Detection plugins introduced
       - Variables introduced
     - Jan. 2000
       - Portscan preprocessor added
     - Jul. 2000
       - IP (de)fragmentation preprocessor added
       - Database output plugin added
         - MySQL
         - PostgreSQL
         - unixODBC
  5. History of Snort (3)
     - Jan. 2001
       - XML (IDMEF) output plugin added
       - ORACLE output plugin added
       - SPADE anomaly preprocessor added
     - Apr. 2001
       - Priority and classification of signatures
       - VLAN support
       - Back Orifice detection plugin added
       - uricontent support added
     - Jul. 2001
       - New de-fragment preprocessor
       - Added stateful inspection
  6. History of Snort (4)
     - Aug. 2001
       - MSSQL output support added
       - SNMP output support added
       - IDMEF support compiled in by default
       - First commit from a @sourcefire.com address
     - Feb. 2002
       - Portscan2 preprocessor added
     - May 2002
       - XML (IDMEF) output plugin removed
     - Oct. 2002
       - pthread support killed (never worked anyway)
  7. History of Snort (5)
     - Nov. 2002
       - Removed IPv6 and IPX printing (never did much anyway)
     - Mar. 2003
       - Removed ASN1 and fnord preprocessor
       - Removed XML and SNMP output plugins
     - Oct. 2003
       - Removed WinPopUp output plugin
  8. Snort, today and tomorrow
     - 2.1.3 is soon out (RC1 was released Apr. 21)
     - Signature quality and documentation are taken very seriously
     - Detection capacity and speed are the main concerns
     - More output plugins will be removed from Snort and moved to Barnyard.
  9. A packet's journey through Snort
  10. Configuring Snort
     - Variables
     - Preprocessors
     - Output plugins
     - Signatures
  11. Snort variables
     - Variables can be specified both in the configuration file and from the command line.
       - snort.conf syntax:
         - var HOME_NET [192.168.0.0/24]
         - var EXTERNAL_NET !$HOME_NET
       - Command line syntax (escape it properly):
         - -S HOME_NET=[192.168.0.0/24]
     - Variables are usually specified in snort.conf
  12. Snort preprocessors
     - Snort preprocessors offer additional detection capabilities
       - Stream re-assembly/de-fragmentation
       - Portscan detection
       - etc.
     - Configuration examples:
       - preprocessor flow: stats_interval 2 hash 0
       - preprocessor bo
  13. Snort output plugins
     - Two output facilities
       - Alert
       - Log
     - Example of log formats
       - Syslog
       - Log files (text, pcap, unified)
       - Databases (MySQL, PostgreSQL, etc.)
     - Configuration examples:
       - output alert_syslog: LOG_AUTH LOG_ALERT
       - output database: log, mysql, user=snort pass=dbpass dbname=db dbhost=localhost sensor_name=sensor1
  14. Snort signatures
     - Simple, straightforward signature language.
     - Has become a de facto standard for open source NIDS software, and some proprietary vendors support at least a subset of the functionality.
     - Format:
       - facility protocol src_ip src_port direction dst_ip dst_port (options)
     - Example (alerts on all IP packets):
       - alert ip any any -> any any (msg:"IP packet";)
  15. The unified log format
     - Reading files written in the unified log format
       - The unified log format was created so that Snort could offload alerting to other applications and concentrate on intrusion detection instead of generating alerts.
       - The unified log format can best be described as a glorified pcap format, with Snort-specific fields added (signature id, interface, etc.).
       - Database and ASCII logging is very expensive, resource-wise, for Snort
         - A missed packet is a lost packet.
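Worked example for the rule format on slide 14 and the variable syntax on slide 11 (added here; it is not part of the original slides and is not Snort's own parser). It expands $VARIABLE references the way snort.conf vars are used, splits a rule into header fields and options, and tests the header against a packet. The TCP rule, its sid, and the packet fields are constructed for the example; only the address and port forms used on the slides are supported.

```python
import ipaddress
import re

# Rule header as on the slide: action proto src sport direction dst dport (options)
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
def expand(text, variables):
    # Replace each $NAME with its value; unknown names are left untouched.
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), text)

def parse_vars(conf):
    # Collect 'var NAME VALUE' lines; a later var may reference an earlier one (!$HOME_NET).
    variables = {}
    for line in conf.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "var":
            variables[parts[1]] = expand(parts[2].strip(), variables)
    return variables

def parse_rule(rule, variables):
    # Split one rule into its header fields plus a dict of its 'key:value;' options.
    m = RULE_RE.match(expand(rule, variables))
    if not m:
        raise ValueError("unparseable rule: " + rule)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = {k.strip(): v.strip().strip('"') for k, _, v in  # assumes no ';' inside msg text
               (o.strip().partition(":") for o in opts.split(";") if o.strip())}
    return dict(action=action, proto=proto, src=src, sport=sport, dir=direction, dst=dst, dport=dport, options=options)

def addr_matches(spec, ip):
    # 'any', a CIDR, a [a,b,...] list, or '!' negating one of those.
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    return spec == "any" or any(ipaddress.ip_address(ip) in ipaddress.ip_network(n, strict=False)
                                for n in spec.strip("[]").split(","))

def port_matches(spec, port):
    # 'any', a single port, or a low:high range (either bound may be omitted).
    lo, sep, hi = spec.partition(":")
    return spec == "any" or int(lo or 0) <= port <= int(hi or (65535 if sep else lo))

def rule_matches(rule, pkt):
    # Header test only, with '->' semantics ('<>' bidirectional rules are not handled here).
    return (rule["proto"] in ("ip", pkt["proto"])
            and addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
            and addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"]))

VARS = parse_vars("var HOME_NET [192.168.0.0/24]\nvar EXTERNAL_NET !$HOME_NET\n")  # the slides' two vars
RULES = [parse_rule('alert ip any any -> any any (msg:"IP packet";)', VARS),  # the slides' rule
         parse_rule('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"inbound web"; sid:1000001;)', VARS)]  # constructed
```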
  16. Unified log readers
     - Barnyard
       - QPL
       - By the same guys who made Snort
       - Can only process either the alert or the log stream per instance
     - Mudpit
       - GPL
       - Can process both the alert and the log stream at the same time
       - Personal note: Never got it to compile
  17. What we have learned
     - The history of Snort
       - How it started
       - How it continued
       - What we might see in the future
     - Packet flow inside Snort
     - Configuring Snort
       - Variables
       - Preprocessors
       - Output plugins
       - Signature syntax
     - Snort compatible spool readers
  18. Questions?
     - Got any questions? Now is the time to ask them!
  19. Suggested reading material
     - Snort 2.0 Intrusion Detection
       - Brian Caswell, Jay Beale, James C. Foster, Jeremy Faircloth; ISBN: 1931836744
     - Intrusion Detection with Snort
       - Jack Koziol; ISBN: 157870281X
     - http://www.snort.org/docs/