Introduction to Snort IDS

Linux User Group Singapore

Friday 7th May 2004

By

Michael Boman

What we will cover:

Short overview on the history of Snort

Packet flow inside Snort

Configuring Snort

Configuring variables

Configuring preprocessors

Configuring output modules

The anatomy of signatures

Snort compatible spool readers

Q & A

History of Snort

Dec. 1998

snort.c created

Jan. 1999

Rule sorting implemented

Mar. 1999

Pattern search engine rewritten from a brute force approach to use Boyer-Moore algorithm

Aug. 1999

New detection engine using a two-dimensional linked list; 200-500% speed improvement.

History of Snort (2)

Dec. 1999

Preprocessors introduced

Detection plugins introduced

Variables introduced

Jan. 2000

Portscan preprocessor added

Jul. 2000

IP (de)fragmentation preprocessor added

Database output plugin added

MySQL

PostgreSQL

unixODBC

History of Snort (3)

Jan. 2001

XML (IDMEF) output plugin added

Oracle output plugin added

SPADE anomaly preprocessor added

Apr. 2001

Priority and classification of signatures

VLAN support

Back Orifice detection plugin added

uricontent support added

Jul. 2001

New de-fragment preprocessor

Added stateful inspection

History of Snort (4)

Aug. 2001

MSSQL output support added

SNMP output support added

IDMEF support compiled in by default

First commit from a @sourcefire.com address

Feb. 2002

Portscan2 preprocessor added

May. 2002

XML (IDMEF) output plugin removed

Oct. 2002

pthread support killed (never worked anyway)

History of Snort (5)

Nov. 2002

Removed IPv6 and IPX printing (never did much anyway)

Mar. 2003

Removed ASN1 and fnord preprocessor

Removed XML and SNMP output plugins

Oct. 2003

Removed WinPopUp output plugin

Snort, today and tomorrow

2.1.3 is soon out (RC1 was released Apr. 21)

Signature quality and documentation is taken very seriously

Detection capacity and speed main concern

More output plugins will be removed from Snort and moved to Barnyard.

A packet's journey through Snort

libpcap -> Preprocessors -> Pattern matching (detection engine) -> Output plugins -> Log facility / Alert facility

Configuring Snort

Variables

Preprocessors

Output plugins

Signatures

Snort variables

Variables can be specified both in the configuration file and from the command line.

snort.conf syntax:

var HOME_NET [192.168.0.0/24]

var EXTERNAL_NET !$HOME_NET

Command line syntax (quote it so the shell does not interpret the brackets):

-S HOME_NET=[192.168.0.0/24]

Variables are usually specified in snort.conf

Snort preprocessors

Snort preprocessors offer additional detection capabilities

Stream re-assembly/de-fragmentation

Portscan detection

etc.

Configuration examples:

preprocessor flow: stats_interval 2 hash 0

preprocessor bo

Snort output plugins

Two output facilities

Alert

Log

Examples of output formats

Syslog

Log files (text, pcap, unified)

Databases (MySQL, PostgreSQL, etc.)

Configuration examples:

output alert_syslog: LOG_AUTH LOG_ALERT

output database: log, mysql, user=snort \

password=dbpass dbname=db host=localhost \

sensor_name=sensor1
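The variable, preprocessor and output fragments above assembled into one minimal snort.conf, as an added example (not the configuration shipped with Snort or shown in the talk). It assumes Snort 2.1-era directive syntax; the monitored network, the unicode.map path, the unified file limits and the syslog facility are placeholders to adjust for your sensor.

```conf
# Added example: minimal snort.conf in Snort 2.1-era syntax.
# Assumptions: the sensor protects 192.168.0.0/24; paths and limits are placeholders.

# 1. Variables: HOME_NET is what we protect, everything else is EXTERNAL_NET.
#    (Either can be overridden at start-up with -S NAME=value.)
var HOME_NET [192.168.0.0/24]
var EXTERNAL_NET !$HOME_NET
var HTTP_PORTS 80

# 2. Preprocessors: defragment and reassemble first, so the detection engine
#    sees the stream an endpoint would see, not individual fragments/segments.
preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 }
preprocessor bo

# 3. Output: alerts to syslog for the operator, plus unified alert and log
#    spools for Barnyard so Snort itself does no database or ASCII writing.
output alert_syslog: LOG_AUTH LOG_ALERT
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

# 4. Signature metadata and rules. Local rules use sid >= 1000000 so they
#    never collide with the distributed rule set.
include classification.config
include reference.config
alert ip any any -> any any (msg:"IP packet"; sid:1000000; rev:1;)
```

Keep the catch-all rule only for testing the pipeline: on a live link it fires on every packet and will fill the alert spool faster than any spool reader can drain it.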

Snort signatures

Simple, straightforward signature language.

Has become a de-facto standard among open source NIDS software, and some proprietary vendors support at least a subset of the functionality.

Format:

action (alert, log, pass, ...) protocol src_ip src_port direction dst_ip dst_port (options)

Example (alerts on all IP packets):

alert ip any any -> any any (msg:"IP packet";)
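A small parser for the two pieces of syntax shown in this talk, the `var` lines and the rule header/option format, as an added example (not code from Snort or from the talk). It assumes single-line rules without backslash continuations, address and port lists without whitespace, and the classic `var` keyword only; the sample rules fed to it are constructed.

```python
"""Parse Snort 2 'var' definitions and rule headers/options.

Added example, not Snort's own code. Assumes one-line rules, no whitespace
inside address/port lists, and only the classic 'var' keyword.
"""
import re
from dataclasses import dataclass

# action protocol src_ip src_port direction dst_ip dst_port (options)
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.S,
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: list  # [(name, value or None)] in rule order


def expand_vars(token, variables):
    """Replace every $NAME in token; an unknown name is an error, as in Snort."""
    def repl(m):
        name = m.group(1)
        if name not in variables:
            raise KeyError(f"undefined variable ${name}")
        return variables[name]
    return re.sub(r"\$(\w+)", repl, token)


def parse_vars(conf_text):
    """Process 'var NAME value' lines in order, expanding at definition time,
    so 'var EXTERNAL_NET !$HOME_NET' stores the negated literal network."""
    variables = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line.startswith("var "):
            continue
        parts = line.split(None, 2)
        if len(parts) != 3:
            raise ValueError(f"malformed var line: {raw!r}")
        _, name, value = parts
        variables[name] = expand_vars(value, variables)
    return variables


def split_options(body):
    """Split the option body on ';' outside double quotes, so a ';' inside
    msg:"..." does not end the option; a backslash escapes the next char."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
            continue
        if ch == "\\":
            cur.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            tok = "".join(cur).strip()
            if tok:
                opts.append(tok)
            cur = []
            continue
        cur.append(ch)
    if in_quote:
        raise ValueError("unterminated quote in rule options")
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    result = []
    for tok in opts:
        name, sep, value = tok.partition(":")
        value = value.strip() if sep else None          # bare flag -> None
        if value and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]                         # unquote msg/content
        result.append((name.strip(), value))
    return result


def parse_rule(line, variables=None):
    """Parse one rule; $VARS in the address fields are expanded."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not a Snort rule: {line!r}")
    g, variables = m.groupdict(), variables or {}
    return Rule(g["action"], g["proto"], expand_vars(g["src"], variables),
                g["sport"], g["dir"], expand_vars(g["dst"], variables),
                g["dport"], split_options(g["opts"]))


if __name__ == "__main__":
    # Constructed input: the var lines and rule from the slides plus one HTTP rule.
    VARS = parse_vars("var HOME_NET [192.168.0.0/24]\nvar EXTERNAL_NET !$HOME_NET\n")
    print(VARS)
    print(parse_rule('alert ip any any -> any any (msg:"IP packet";)'))
    print(parse_rule('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"GET; semicolon";'
                     ' content:"GET"; nocase; sid:1000001; rev:1;)', VARS))
```

The quote-aware split is the part worth keeping: a naive `body.split(";")` breaks on the first `msg` that contains a semicolon, which is exactly the kind of rule a sensor operator writes when describing an HTTP request line.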

The unified log format

Reading files written in the unified log format

The unified log format was created so that Snort could offload alerting to other applications and concentrate on intrusion detection instead of generating alerts.

The unified log format can best be described as a glorified pcap format, with Snort-specific fields added (signature ID, interface, etc.).

Database and ASCII logging are very expensive, resource-wise, for Snort.

A missed packet is a lost packet.

Unified log readers

Barnyard

QPL

By the same guys who made Snort

Can only process either the alert or the log stream per instance

Mudpit

GPL

Can process both alert and log stream at the same time

Personal note: Never got it to compile

What we have learned

The history of Snort

How it started

How it continued

What we might see in the future

Packet flow inside Snort

Configuring Snort

Variables

Preprocessors

Output plugins

Signature syntax

Snort compatible spool readers

Questions?

Got any questions? Now is the time to ask them!

Suggested reading material

Snort 2.0 Intrusion Detection

Brian Caswell, Jay Beale, James C. Foster, Jeremy Faircloth; ISBN: 1931836744

Intrusion Detection with Snort

Jack Koziol; ISBN: 157870281X

http://www.snort.org/docs/

Copyright 2004 Michael Boman. All Rights Reserved.