The document provides a comprehensive overview of the Snort Intrusion Detection System (IDS), detailing its significance in monitoring network security through anomaly and signature-based approaches. It covers the technical aspects of Snort, including installation, configuration, rule management, and performance evaluation, as well as advanced features like packet capture and integration with Security Information and Event Management (SIEM) systems. Overall, the document emphasizes the essential role of Snort in enhancing network integrity and protecting against intrusions.

1. 1
Jazan University
College Of Computer Science Fundamentals
of Information Security
Case Study
SNORT Intrusion Detection System
by
Name ID
Raghad Abdullah 202102358
Shouq faye 202210038
Zahra Alamodi 202108161

2. 2
1. Introduction to Intrusion Detection Systems (IDS)
1. Introduction Intrusion Detection Systems (IDS) are pivotal in current
networking environments and cyberspace, where confidentiality,
integrity, and availability are explicitly addressed. The penetration of
intrusions into IT and communication infrastructures is a matter of
concern in a technology-driven world. Intrusion is defined as any set of
actions that aim to abuse the security policy of a system. Anomaly,
misuse, strain, weakness, false positive, and performance are the
keywords, where anomaly represents a strange experience and misuse
is the act of acting poorly. The decrease in legitimate data transfer is
referred to as strain, and prioritizing defect scanning is leniency. A false
positive is a baseless alert, taking into consideration the constraints of
this survey.
A state-of-the-art periodic literature review has been conducted for the
sake of reviewing a single system, known as SNORT. It is reported that
off-the-shelf segmentation has been used in this survey to find the
strengths and future directions of IDS. Although the attacks have
advanced, the distinction has played an important role in reducing the
number of intrusion attacks. It has been reported that the new attacks
are sophisticated in such a way that they remain undetected by IDS that
use the distinction mechanism. In general, the detection mechanisms
include signature-based and anomaly-based approaches, where the
detection mechanisms can be in terms of network analysis, protocol,
payload, or application. There has been a growing trend to execute
detection systems for the majority of them, where network integrity is
of utmost importance. More rovers are reported for the web-based
intrusion detection system. Therefore, SNORT is reported to be used as
the prototype of IDS that combines detection mechanisms and
approaches. The surveys are generally expected to explore various
points; SNORT, as well as their legal aspects, are presented in the form
of system analysis, while others are introduced in system-external
reviews.

3. 3
2. Overview of SNORT IDS
Snort is developed by a leading operation in network security. Snort has
an open-source feature and can also be used in Windows and Unix
environments. The methodology of Snort is based on designed
techniques to detect attacks from the network at the time they occur.
Basically, this technique is very useful in identifying abnormal patterns
involved in network attacks. The machine generates events when
abnormal patterns are detected. Finally, they can be stored in the log file
by the administrator for further investigation. Snort is a very important
tool in network security. This is due to its higher accuracy using
sophisticated signature-based and anomaly-based detection techniques.
It also categorizes numerous Internet abuse activities and software
vulnerabilities in the network. Various domains that heavily use Snort
include government organizations, military, and business purposes. In
the current decade, an enormous number of intrusion detection systems
have been developed. Snort is an open-source intrusion detection
system.
It has many advantages over other IDS. Firstly, the tool provides
flexibility for users to write their own rules. Essentially, this technique
classifies all the usability of the features of the network for a particular
organization. The tracking features of Snort are very suitable for
controlling the network from the network protocol types, which include
IP, ICMP, TCP, and UDP. Users can also allow network traffic to be
monitored over time, for instance, by filtering alerts with a predefined
start time. Snort is divided into four major components, which include a
packet decoder, detection engine, logging, and alerting options. It has a
very promising packet decoder that aids users in extracting raw
network traffic for detection. The detection engine can generate alerts
and log files by using the specified rule set. Furthermore, Snort can track
network traffic with different protocols such as ARP, FDDI, Linux, PPP,
RAW, SLIP, Ethernet, and Token Ring. In addition, it can track
performance involving signs of attacks on the network. Snort is heavily
contributed to by public users. Contributors generally write rules to fit

4. 4
their organization's specific needs and provide them to the user
community.
3. Installation and Configuration of SNORT
This section practically explains the installation, system requirements,
and configuration process for Snort for Linux, Windows, and Mac
operating systems, to ensure the audience can easily access and use it.
These instructions contain installation prerequisites, some common
issues, configuration options, options in snort.conf files, system
configurations, monitoring, and common practices and file locations for
the installer and configurator audience. This way, they can easily
monitor or manage the network traffic and behavior with predefined
rules. Before diving deeply into the Snort installation and its operational
process, we recommend capturing a failsafe on your servers.
Snort is an Intrusion Detection System (IDS) that works by monitoring
network traffic and behavior. If there is a flow and pattern in
accordance with the default rules, Snort will issue an alarm. Snort is
released in open-source mode; as a result, it can be used in various
operating systems, including Unix, Linux, Windows, and Mac.
Prerequisites: Before proceeding with Snort installation, you need to
install all necessary utilities that can be used in Linux systems. We need
to install vim and net-tools; for that, we will use the apt-get repository
for apt-based Linux distributions and the yum repository for dnf-based
Linux distributions. It is necessary to ensure that the Linux system can
access the Internet due to the need for additional Snort and library
imports. System Requirements for Linux: There are many decisions to
make when it comes to the process of network intrusion detection.
Snort's lightweight architecture allows its use on virtually any platform.
Managing and operating an efficient and maintainable intrusion
detection system, however, can be a difficult undertaking. Snort is not a
protocol analyzer; it is an IDS. This can cause false positives because
Snort must be configured to monitor network traffic from network and
system protocols. Essentially, Snort rule detectors must operate
efficiently, generate a stable system, and not generate unnecessary

5. 5
system resource demands. Practice is a wonderful idea. Let's go through
how to install Snort to monitor and manage all network activities.
4. SNORT Rule Management
Snort is a packet sniffer and network monitor that is used for both
passive monitoring and detecting packets that have been sent over a
network. The rule set that the Snort engine uses to search through data
to find information about intrusive activity contains more than 3,200
rules. The rule set mainly consists of keywords that describe activities
that are deemed an intrusion. There can be many types of detection
policies by creating custom rulesets, and this will help network and
security teams manage and maintain these complex systems, data
relations, databases, and other critical systems. Snort uses rules to
detect intrusions and logs the traffic violating the rules. In other words,
a Snort rule can help you manage and categorize many custom detection
policies; rules can psychologically make sense. There are two types of
rules: alert rules and log rules. The rules in the Snort rule set are divided
into two main categories: alert and log. To make sure your IDS is
working, your IDS must examine all traffic on your network to look for
possible intrusions. An IDS must have rules that tell the system what
"normal" or "bad" traffic looks like. In order to keep the false positives
down, you should tune your rules carefully. You should also test your
rules to make sure that your new rules are working correctly and not
causing false positives, especially before you place rules into a live
environment. To control the performance of the IDS system, placement,
organization, and disabling of rules and rule groups are used. You can
place a rule into a group; a rule can be associated with other rule
groups, and a rule can even be associated with other rules. New rules
can be created by grouping the rules together; this way, you can reduce
a considerable amount of redundancy. Snort does support the use of a
database to help tune and maintain the rules. Snort is an open-source
tool, and there is no technical support offered to the Snort user, but the
Snort user can easily use the tool. However, a novice user could find it
difficult to use the tool. In "enterprise mode," it also comes equipped

6. 6
with a database to store and manage the millions of packets it may
analyze in one hour. There are several different preprocessors also
available to use with Snort; this can greatly increase the versatility of
the Snort system. However, Snort itself is limited by what is available in
the free version of Snort. More complex tasks will need a more complex
and advanced version, but you do not get any technical support with
Snort. An example of this is the flexresp2 preprocessor and also sample
configuration, which runs as root. I could get into possibly a lot more
detail on this topic; it would make this guide a huge amount more
informative, but doing so would also make it too informative for a
primer and basic installation guide. Best practice suggests that you
manage rules only within their own respective files. Don't manage rules
into others; don't waste your processing power in IDS/IPS. Be frugal
with resources, and balance is good. Do not always enable all rules in a
rule group or category just because you enable the rule group or
category. Do effective rule management and monitoring for you. There
are community-contributed open-source rule sets you can subscribe to
in order to assist in detecting attacks or intrusions on the network. Test
rule functionality, especially before placing rules into a product
environment or situation where customer data can be involved, and
utilize community feedback.
5. Packet Capture and Analysis with SNORT
Packet capture and analysis functionality is inherent in SNORT. It has
the capability to capture traffic in real-time for the purposes of
monitoring network operations. This feature of SNORT can be run in
three possible modes. The most common is the sniffer mode, where the
program reads the captured packets. It can also operate in the inline
mode, where it performs the action of dropping malicious packets that
match rules when acting as an inline IDS/IPS. Lastly, SNORT can be run
as a Table ID, and scans can be performed on the PCAP.
The primary purpose of packet capture is to provide a tool to help
system administrators monitor and troubleshoot a network. If the
network is over-utilized, it can be monitored. Network packets can be

7. 7
sent to a file. These packets can be written to a file and subsequently
filtered with any commands. The NIDS functionality that scans these
packets in real-time for threats is not only powerful but absolutely
essential. Although helpful, packet capture is not very effective for
protecting networks by itself. Captured packets can be analyzed to
detect suspicious anomalies such as large amounts of small packet
traffic or having a web server password file sent out of the network
through FTP protocol.
Once the packets are captured, they must be analyzed to detect, delay,
or respond to any monitored threats. When a system is damaged,
administrators require visibility for any recent suspicious activities.
These activities are displayed in the SNORT logs in one of four basic
formats that contain the packet payload in clear text, ASCII, hex, and
PCRE. In the logs, each line of the log file represents one packet in two
connected frames. Line "a" denotes a packet while line "b" describes a
received response in a new frame with id+1. Packets a and b are
technically seen as a transaction. Although logs give some information,
security professionals are better off using a combination of SNORT with
comma-separated values, pseudo-XML, or JSON formatted logs and full
PCAP support for analysis. Collaborating with tools is also helpful for
investigations.
6. Advanced Features of SNORT
Recently, Snort has been equipped with several advanced features. First,
Snort provides a set of preprocessors to cope with normalization and
traffic analysis issues. Preprocessors are designed to manipulate the
raw packet by altering its data and bypassing it to the detection core
engine. The final result is a packet with normalized data, which can be
further processed by the detection system. Second, emerging
technologies, such as artificial intelligence in the form of machine
learning, are incorporated within the detection capabilities of Snort. An
alert output and log file are customizable such that only specific
information can be seen either on the terminal or log/alert file. Third,
Snort provides capabilities to log and alert via different protocols. The

8. 8
logs or alerts can be logged not only via the system log file but also via
the database. Snort itself already supports various databases. Finally,
Snort is also able to support some features required to run the program,
such as IP and address variables, port lists, dynamic engine for rules,
etc. Therefore, it makes Snort versatile to be implemented in its
environment. The details of each Snort advanced feature for IDSs are
detailed in the next subsection. Snort Preprocessors The preprocessors
within Snort are designed to add an extra level of detection capabilities
up to the raw packet data (before detection took place). Some of the
Snort preprocessors are as follows: - Frag2 is a preprocessor used for
reassembling IP fragmented packets into one piece of packet data. Like
the UDP Stream5, it aims to reduce evasion by normalizing fragmented
IP packets. - HTTP inspect is a preprocessor designed to analyze and
enforce the content of HTTP data between the client and the server
using various advanced analysis methods as part of the deep packet
inspection techniques. Snort is able to identify real Unicode characters
and decode them up to six stages of encoding. - Reassemble service
within Snort implies that this preprocessor is designed to make sure
that no abnormal sequence of the reassembled TCP/IP packets passes
through Snort. It is able to monitor up to 65,535 packet data. - SDF
preprocessor. The SDF preprocessor within Snort is a framework used
to hold the packet data and anomaly-based rules across the
preprocessor. Snort is able to generate a list of signatures which point to
potentially corrupted data in the host-based process. - SFPortscan. Snort
is capable of passing scan detection as a form of service through the
preprocessor. The usage of the SFPortscan is not as flexible in practice. -
UNIDATA Variable Preprocessor. The UNIDATA variable is a data
structure within Snort that stores multiple types of data. Snort can
access part of it using native preprocessors. Snort Detection Core
Engine Intrusion detection and prevention are performed by deep
packet inspection using the plug-ins rule files or other services. Snort
Output The output generated by Snort consists of two types, namely: a)
Logging/Alerting output which is then recorded/logged into the
system/native logging system. b) The receiving view of its output logged

9. 9
is presented on the terminal where Snort is triggered using an address
or Domain Name System.
7. Performance Evaluation of SNORT
Using different network configurations, interfaces, and topologies, there
are more than seventy performance tests that can be performed to give
general and focused results on data loss, rate of packets analyzed per
second, false positives per time unit, features detection rate, and
average response time for different signatures and configuration
parameters. The data comes from many performance tests already
performed by running on several actual testbeds. Statistical analysis has
been derived from 144 results pertaining to 12 procedures on five
different machines. Average values and standard deviation have been
studied with values of throughput and memory occupation with and
without swap memory. Comparative evaluations among several other
IDS have been performed considering features efficiency. Three
different case studies have also been developed and presented.
Anticipated results, performance predictions, and choices for free
parameters have been devised and suggested for several prototypical
real-world scenarios. Some useful suggestions and key points have been
made from these studies to possibly increase performance in actual
environments.
The most common parameters to evaluate an IDS's performance are the
detection rate, the number of false positives (or false alarms) that occur,
and the overhead to the network. There are several methods to carry
out intrusion detection. Anomaly detection searches in data for unusual
behavior that appears to be unique and may result. Usage detection
tracks activities that violate predefined rules. Intrusion Detection
Systems can be divided into two main categories: one includes misuse
detection, and the other includes profile-based and specification-based
anomaly detection. In this chapter, we are interested in the efficiency of
misuse detection with popular specialization in systems. We intend to
study many peculiarities of misuse detectors and develop some
prototypical scenarios using pre-installed IDS and typical service

10. 10
environments. Methodology for performance testing is also presented.
What we aim to do with these observations is estimate efficiency in
intrusion detection and possible improvements of the test outcomes.
The metric measures the maximum values of the number of packets that
did not analyze for every second and the percentage of packets that did
not analyze correctly. Detection rates have also been studied. Some
useful rules for choosing parameters are presented. General
performance tests are pointed out for testing intrusion detection
systems' efficiency and reliability. Moreover, some case studies are
presented for representative scenarios in order to demonstrate how can
be used in practice. Depending on the cases, it is also suggested how
some possible add-ons to an enforcing system can improve efficiency.
8. SNORT Integration with Security Information and Event
Management (SIEM) Systems
8. SNORT Integration with Security Information and Event Management
(SIEM) Systems
8.1 Coupling SNORT Features with SIEM
SIEM can combine alerts from many sources, including different SNORT
sensors installed within a network, to determine if a single event occurs
in many different network locations. By doing correlation, SIEM is able
to provide analysts with the capability to receive alerts about an event
or an attack as it occurs; this is known as real-time detection.
Additionally, companies are now leveraging SIEM technology to comply
with laws, standards, and regulations. This assumes that a SIEM is a
device that provides the compliance officer or systems administrators
with event log data in a form that is consumable or manageable.
8.2 SIEM Integration Techniques
There are several ways to technically integrate a SNORT engine with a
SIEM system. Some of the most common are log forwarding, Syslog, or
the Simple Network Management Protocol, which is used to send the
events to the SIEM device in the form of a log. Most SIEM systems have
event correlation tools that could be used to perform analysis on event

11. 11
data to find patterns or relationships between them. By allowing a
unifying tool in the form of a SIEM system, data can be filtered, ensuring
more accurate analysis can be achieved.
8.3 Current Lessons Learned
There is one specific leader in the field of SIEM that has great ratings. In
addition to this, a few other companies have tried and proven the
compatibility with SNORT as being possible. There are a few challenges
that one could encounter when integrating SNORT with SIEM: data
integrity—making sure that event logs and data are not tampered with
or destroyed; the integrity of the data would need to be maintained.
Ultimately, NSM combines different network components such as the
network itself, end devices, NIDS, HIDS, and SIEM. SNORT is a tool used
to perform NIDS; it is used to alert on and detect vulnerability scans,
attacks, and probes. By coupling their features with a SIEM engine, it
would allow for a much more mature electronic evidence support plan.
9. Real-World Applications of SNORT
Owing to its several useful features, including flexibility and the
possibility of creating custom signatures, SNORT is in demand for the
development of intrusion detection systems in a variety of
organizations. These organizations include different sectors, such as
finance, education, healthcare, government, carriers, data centers, small
and medium-sized enterprises, industry, as well as network operators
and managers. A number of organizations also use SNORT,
complementing it with other security systems. The following reported
case studies are real-world SNORT applications.
In a real-case design, SNORT was used among other intrusion detection
systems in a cloud environment. SCCM at the University of Detroit
Mercy has been implemented in multiple network architectures, such as
large multi-campus universities, small four-year post-secondary
schools, and community colleges. SNORT has been deployed at the
University of Rhode Island and the University of South Florida. A real-
case SNORT application is shown in three different network

12. 12
architectures. A new custom lightweight machine-learning classification
algorithm has been proposed to increase the speed in detecting
intrusions. The algorithm was implemented and experimentally
evaluated using SNORT alerts from operators' logs. Detected classes in
alerts were compared with manual classification to define a confusion
matrix that shows the true and false positives as well as true and false
negatives after the performance and accuracy evaluation of the
proposed lightweight machine learning classification algorithm.
Challenges: Organizational entities face many difficulties when
deploying SNORT. These problems can include a lack of necessary
security specialists and financial capabilities, the compatibility of
SNORT with already used security systems, as well as organizational
changes related to deploying the new technology. Additionally, the used
signature-based solution may not catch unknown attacks. Components
based on SNORT can also be challenging to maintain. The difficult task
of signature management that is associated with SNORT is recognized
by network administrators who have implemented it. In order to keep
the SNORT detection engine up to date, many administrators are asking
for updates in the form of newer rules. For example, to lead SNORT for
better detection that can efficiently minimize these issues.
10. Comparison of SNORT with Other IDS Solutions
For the purpose of comparison, intrusion detection systems can be
assessed on the basis of various factors such as cost, ease of use and
installation, performance, stability, and detection accuracy, just to name
a few. Therefore, we have utilized key metrics for comparing SNORT
with other solutions due to their fundamental importance. These
metrics are detection accuracy, ease of use, the amount of resources
consumed, installation and maintenance costs, issue resolution, vendor
support, and community support.
SNORT is an open-source intrusion detection system with unique
capabilities that make it fitting for specialized environments. SNORT is a
network-based IDS designed to alert administrators about serious

13. 13
security breaches, such as DoS, even before they penetrate the network.
The main advantage that SNORT enjoys over other IDS products in the
market is that it is an open-source product that is continuously being
improved by a massive community of security experts. The major
downsides of SNORT as a standalone IDS are that it is inflexible and that
there is no vendor support. It can only perform signature-based
intrusion detection, so it may not be very proficient at detecting never-
seen-before attacks like zero-day exploits.
With the latest versions and the available third-party tools, SNORT can
provide decent network-level, application-level, and protocol-level
protection from a wide range of attacks. This intrusion detection system
is not limited to detecting and logging, but can also be used to prevent
attacks by recognizing how an exploited protocol transmits and actually
generating packets that force applications or services to crash.
Therefore, SNORT proves very powerful for threshold and distributed
denial of service attacks. It also comes with a predefined signature
language. The transition in the trend of attacks has made SNORT a huge
tool for securing the application layer. Improvements and periodic
developments in the SNORT module and structure continue to make it
one of a kind, aiding its integration with various modern analysis tools.
It is a user-friendly and efficient tool to use for new detections. Its main
use case is in one organization, for personal use or for organizations
that are small in size. It provides low to medium protection when
applied to finance and banking software and organizations. To operate
optimally and to address the specific needs of different software, packet
analysis is necessary, which puts a limitation on SNORT’s efficiency. It is
particularly important to consider the level of protection that the
software provides before it is recommended. Also to be taken into
account is the strategy of detection and the capacity of the processor,
which are vital. Given the same, SNORT provides flow chart support
with low security. The need of the hour is a tool that is efficient in
producing accurate results regarding signature-based detection. SNORT
does not support payment and activity-based protection. It is not

14. 14
suitable to use SNORT for large purposes, particularly for security
organizations and security software products.
11. Future Trends and Developments in SNORT
Snort evolves with intrusion detection technology. A lot of work has
been conducted currently to integrate AI and ML capabilities into IDSs
to increase their accuracy and reduce the number of false positives. In
the future, we expect that Snort will also have some AI/ML-based
modules for detection enhancements. A unidimensional approach could
hardly provide the best results since cyber threats are evolving daily.
However, the coexistence of Snort with classical security defense
systems may require some adaptation steps. As we have seen before,
Snort is developed in an open-source community. Contributors like to
share their knowledge and expertise. In Snort, the community shares
use cases, signature development tricks, and tools to create a complete
incident response platform. So, the more the community grows, the
more Snort will be enhanced. New use cases and customizations will be
suggested.
Ongoing work on SDNs can enrich Snort. For example, we can have
security policies and alerts as rules coexisting with traditional Snort
rules. This new statement format paves the way for the development of
new DPMs because of its potential concurrency. Additionally, to
complement the cyber-physical world, new standards and proposals in
the Industrial Internet of Things sector should be considered. As we
mentioned before, cyber threats are growing rapidly. With the growing
development and investment in AI and ML, intrusion detection and
prevention will be modified significantly.
12. Conclusion and Recommendations
A wide range of research and development on Snort has been discussed
in this report, and several newer features of Snort can be helpful options
in the deployment of Intrusion Detection Systems. These newer features
cover some useful insights that can be gained by the users. It was also
revealed that most organizations require installation and configuration

15. 15
of Snort for the first time and may need it to be integrated with
monitoring systems, upgrade its rule database, and integrate it with
SIEM systems. Therefore, the installation of Snort needs to be clear not
only from the basic needs but also to the more advanced features. Some
limitations may have to be addressed as well. Based on the benefit
analysis of the system, this report recommends some advice on using or
deploying Snort.
Throughout the report, it was found that Snort is a comprehensive
security system that works in a multi-layered mode, right from basic
installations to advanced technologies. Hence, it is recommended that
organizations follow the instructions provided. Moreover, organizations
need to set up a suitable server for the deployment of Snort and MISP.
Finally, it is recommended that organizations enhance their monitoring
aspect to be more flexible about the current and emerging threats or
update their Snort intrusion detection systems and MISP server
periodically in order to make it more efficient and reliable. Snort is an
open-source network Intrusion Detection System that may be used to
monitor traffic and examine detected network traffic and threats. It is a
widely used Snort system that allows each user to plug in and access the
code to gain insight into whether the network will be the target of
boarding attacks or threats, as well as to respond to attacks when a
security breach occurs.