Introduction to Snort IDS
Linux User Group Singapore, Friday 7th May 2004
By Michael Boman <michael.boman@boseco.com>
What we will cover:
- Short overview on the history of Snort
- Packet flow inside Snort
- Configuring Snort
  - Configuring variables
  - Configuring preprocessors
  - Configuring output modules
- The anatomy of signatures
- Snort compatible spool readers
- Q & A
History of Snort
- Dec. 1998: snort.c created
- Jan. 1999: Rule sorting implemented
- Mar. 1999: Pattern search engine rewritten from a brute force approach to use the Boyer-Moore algorithm
- Aug. 1999: New detection engine using a 2 dimensional linked list. 200%-500% speed improvement.
History of Snort (2)
- Dec. 1999: Preprocessors introduced; detection plugins introduced; variables introduced
- Jan. 2000: Portscan preprocessor added
- Jul. 2000: IP (de)fragmentation preprocessor added; database output plugin added (MySQL, PostgreSQL, unixODBC)
History of Snort (3)
- Jan. 2001: XML (IDMEF) output plugin added; ORACLE output plugin added; SPADE anomaly preprocessor added
- Apr. 2001: Priority and classification of signatures; VLAN support; Back Orifice detection plugin added; uricontent support added
- Jul. 2001: New de-fragment preprocessor; stateful inspection added
History of Snort (4)
- Aug. 2001: MSSQL output support added; SNMP output support added; IDMEF support compiled in by default; first commit from a @sourcefire.com address
- Feb. 2002: Portscan2 preprocessor added
- May 2002: XML (IDMEF) output plugin removed
- Oct. 2002: pthread support killed (never worked anyway)
History of Snort (5)
- Nov. 2002: Removed IPv6 and IPX printing (never did much anyway)
- Mar. 2003: Removed ASN1 and fnord preprocessors; removed XML and SNMP output plugins
- Oct. 2003: Removed WinPopUp output plugin
Snort, today and tomorrow
- 2.1.3 is soon out (RC1 was released Apr. 21)
- Signature quality and documentation are taken very seriously
- Detection capacity and speed are the main concerns
- More output plugins will be removed from Snort and moved to Barnyard.
A packet's journey through Snort
Configuring Snort
- Variables
- Preprocessors
- Output plugins
- Signatures
Snort variables
- Variables can be specified both in the configuration file and from the command line.
- snort.conf syntax:
    var HOME_NET [192.168.0.0/24]
    var EXTERNAL_NET !$HOME_NET
- Command line syntax (escape it properly):
    -S HOME_NET=[192.168.0.0/24]
- Variables are usually specified in snort.conf
Snort preprocessors
- Snort preprocessors offer additional detection capabilities:
  - Stream re-assembly/de-fragmentation
  - Portscan detection
  - etc.
- Configuration examples:
    preprocessor flow: stats_interval 2 hash 0
    preprocessor bo
Snort output plugins
- Two output facilities: Alert and Log
- Example of log formats:
  - Syslog
  - Log files (text, pcap, unified)
  - Databases (mysql, postgresql etc.)
- Configuration examples:
    output alert_syslog: LOG_AUTH LOG_ALERT
    output database: log, mysql, user=snort \
        pass=dbpass dbname=db dbhost=localhost \
        sensor_name=sensor1
Snort signatures
- Simple, straightforward signature language.
- Has become a de-facto standard with open source NIDS software, and some proprietary vendors have support for at least a subset of the functionality.
- Format:
    facility protocol src_ip src_port direction dst_ip dst_port (options)
- Example (alerts on all IP packets):
    alert ip any any -> any any (msg:"IP packet";)
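As an added example (not code from the slides or from Snort itself), the following Python reads `var` lines in the syntax shown on the variables slide, expands `$NAME` references in a rule header of the format above, and checks whether a packet's protocol, addresses and ports match that header. The snort.conf fragment and the packet values are constructed; the matching is header-level only (no content or flags inspection), and port ranges are left out to keep the block short.

```python
import ipaddress
import re

# Constructed snort.conf fragment using the variable syntax from the slides.
SNORT_CONF = "var HOME_NET [192.168.0.0/24]\nvar EXTERNAL_NET !$HOME_NET\n"

def expand(token, variables):
    # Substitute $NAME references with the values collected so far.
    return re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], token)

def parse_vars(conf):
    # Collect 'var NAME VALUE' lines; a later var may reference an earlier one.
    variables = {}
    for line in conf.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "var":
            variables[parts[1]] = expand(parts[2], variables)
    return variables

def parse_rule(rule, variables):
    # Header: action proto src sport direction dst dport, then (options) split on ';'.
    header, _, opts = rule.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    options = {}
    for opt in filter(str.strip, opts.rstrip(")").split(";")):
        key, _, val = opt.strip().partition(":")
        options[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto, "dir": direction,
            "src": expand(src, variables), "sport": sport,
            "dst": expand(dst, variables), "dport": dport, "options": options}

def addr_matches(spec, ip):
    # 'any', a [list] of CIDR blocks, or either of those prefixed with '!'.
    if spec == "any":
        return True
    nets = spec.lstrip("!").strip("[]").split(",")
    hit = any(ipaddress.ip_address(ip) in ipaddress.ip_network(n.strip(), strict=False)
              for n in nets)
    return hit != spec.startswith("!")

def port_matches(spec, port):
    # 'any' or a single port number, optionally '!'-negated (port ranges omitted).
    return spec == "any" or (int(spec.lstrip("!")) == port) != spec.startswith("!")

def rule_matches(rule, proto, src, sport, dst, dport):
    # Header-only check: an 'ip' rule matches packets of every IP protocol.
    return (rule["proto"] in ("ip", proto)
            and addr_matches(rule["src"], src) and port_matches(rule["sport"], sport)
            and addr_matches(rule["dst"], dst) and port_matches(rule["dport"], dport))
```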
The unified log format
- Reading files written in the unified log format
- The unified log format was created so that Snort could offload alerting to other applications, so Snort can concentrate on intrusion detection instead of generating alerts.
- The unified log format can best be described as a glorified pcap format, where Snort-specific fields have been added (signature id, interface etc.).
- Database and ASCII logging are very expensive, resource-wise, for Snort.
- A missed packet is a lost packet.
Unified log readers
- Barnyard (QPL)
  - By the same guys who made Snort
  - Can only process either the alert or the log stream per instance
- Mudpit (GPL)
  - Can process both alert and log streams at the same time
  - Personal note: never got it to compile
What we have learned
- The history of Snort: how it started, how it continued, what we might see in the future
- Packet flow inside Snort
- Configuring Snort: variables, preprocessors, output plugins
- Signature syntax
- Snort compatible spool readers
Questions? Got any questions? Now is the time to ask them!
Suggested reading material
- Snort 2.0 Intrusion Detection; Brian Caswell, Jay Beale, James C. Foster, Jeremy Faircloth; ISBN: 1931836744
- Intrusion Detection with Snort; Jack Koziol; ISBN: 157870281X
- http://www.snort.org/docs/