
A Slightly Skeptical View on Snort

http://www.softpanorama.org/Articles/a_slightly_skeptical_v...


Dr. Nikolai Bezroukov


Version 0.11 Copyright 2005-2006, Dr. Nikolai Bezroukov. This is a copyrighted unpublished work. All rights reserved.
Abstract: Snort is an open source libpcap-based packet sniffer/logger which can be used as a network intrusion detection system or as a powerful and free network traffic analyzer. The first function is useful only with appropriate IQ and good placement of the sensors (and it very seldom makes sense to use sensors for analysis of incoming Internet traffic; internal traffic, especially traffic between different sites of a large corporation, is a much better target). The second function is the most productive usage, and it is greatly underestimated in large corporate environments. From the architectural standpoint, Snort as an NIDS is inferior to the earlier approach based on two separate stages (recording of traffic and processing of traffic), with a scripting language used on the second stage. The latter approach was pioneered by Shadow.

Snort is a very democratic tool. To create a Snort sensor you do not need a very powerful server. A regular PC with a 1.5GHz or better CPU and a decent network card can record a 100Mb/s feed. RTL8139 cards are OK, cards based on the TG3 chipset are better, Intel cards are the best. To get signatures you need to create an account on the snort.org site; you will then be able to download the rulesets developed by Sourcefire with a week's delay for free (getting them on time costs $1760, which is not much money for any large corporation). Still, despite all those good things, I suspect that the value of Snort as an IDS is inflated. Yes, it is better than any commercial NIDS I know, for a simple reason: they are useless and cost money, and Snort is free :-). Actually, like most successful open source programs, Snort deviated from its modest initial roots and became a pretty bloated pig with a huge codebase ;-). As a result it tries to do too many things simultaneously, and only a few of them are done right. The Snort mini-language for analyzing the data stream is very ad hoc. The addition of Perl-style regular expressions was a nice afterthought, but when it is used properly it defeats the capability of real-time analysis. The main problem with Snort is that its designers were sitting between two chairs: one is creating a reasonably fast traffic analyzer able to work in real time, the other is creating powerful alert generation capabilities. As a result the alert generation capabilities are crippled and ad hoc: premature optimization is the root of all evil. You can do much more by using TCPdump to read a prerecorded traffic stream and processing the decoded packets with Perl (the approach pioneered in Shadow, which was developed by NSWC). I am convinced that in open source development traffic recording and traffic analysis should be split into two separate programs, and that the second one should not be oriented toward real-time processing. That permits usage of a significant subset, or even the full version, of a scripting language instead of an ad hoc combination of directives that smell of the early 70s of the last century (yes, pre-Unix days: as David Korn used to say, many Unix developers do not understand Unix, they only program for it). Due to this commercial-style "swiss army knife" design approach, the best way of using Snort is not in real time but reading a TCPdump stream. 99.9% of alerts in a typical Snort deployment are false positives, and the value of real-time analysis is either zero or negative (it just produces more spam). It is better to cluster processing of the prerecorded data stream using a suitable interval, for example 10-15 minutes on large pipes and one hour on small pipes. In a typical corporation nothing can be done in less than three hours; therefore it does not matter if you get an alert one hour later. But when you are reading TCPdump captures you can configure Snort with all the necessary plugins and use more complex rule sets without the fear that it will start skipping packets. You also get a free "black box" capability. But if as an IDS Snort has some shortcomings, it is an excellent and pretty powerful traffic analyzer, a fact that is underemphasized in most Snort-related books and articles. It features quite powerful rule-based filtering of traffic and can perform protocol analysis and content searching/matching useful for troubleshooting. Any packet or group of packets with specific fields and/or belonging to a specific protocol (for example streaming) can be described in the Snort mini-language (an enhanced TCPdump mini-language). Snort can read TCPdump binary logs, which further increases its usefulness for troubleshooting. Snort holds an inherent advantage over closed source IDSs in that the IDS itself can be tailored and customized for a particular environment to a level not possible with closed source competitors. Also the price is right, and because of the very low return on investment of most IDSs this is especially important. Snort is much easier (and probably more productive) to use on an internal network, especially on the ingress to the local site router, than on the ingress to the corporate-wide Internet gateway.
In the latter case, which is the favorite way for many security companies to extort money from naive clients (and you cannot lose betting on stupidity in any business), the signal is buried in the noise of false positives, including scanning attempts from all over the world: any university where students like to experiment with nmap by scanning B-class networks, as if scanning C-class networks is only for suckers. If the traffic is internal, then an attempt to scan a network with nmap weighs much more and usually represents useful information that deserves some investigation. If you have an opportunity to work with a rigid, uncustomizable IDS like ISS RealSecure, you will see Snort as a big improvement. As Eric Stats noted in his review of "Intrusion Detection with Snort":
In order for an IDS to be effective, or in some high-bandwidth cases, even usable, detailed network and business context must be applied to the IDS. In a nutshell, IDSs are not as plug-and-play as firewalls or other security applications. For example, if you know you are not running any HTTP traffic on the segment where the IDS is sniffing, you may not want your IDS to waste cycles looking for attacks on Apache. On the other hand, you may feel that the mere presence of HTTP traffic may indicate something innately suspicious, so it is of value to watch for any HTTP traffic. It all depends on what you feel are legitimate threats to the network you are attempting to protect. Snort gives you the power to "watch" for specific attacks, protocol anomalies, or other chatter that has no legitimate business running on your network. Other closed source IDSs don't, or can't, have the same flexibility.

Still, even with Snort, if you don't know your network, servers, routers, and what they should be doing, you can't implement an IDS effectively. And that's a real problem in implementing effective IDS sensors. Snort has an alerting capability, with alerts being sent to syslog, a separate "alert" file, a database (such as MySQL with the ACID/BASE front end) or even as a WinPopup message via Samba's smbclient. Alerts sent to syslog can be integrated with Tivoli using the standard Tivoli log adapter.
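The two-stage approach the article advocates (record traffic with TCPdump, then analyze the capture offline in a scripting language), as an added example that is not code from the article, from Snort or from Shadow. It is written in Python rather than the Perl the article mentions, parses the libpcap file format directly, and flags the kind of internal port scan the article says deserves investigation; all frames, addresses and the capture itself are constructed inside the block.

```python
import struct
from collections import defaultdict

def tcp_syn_frame(src_ip, dst_ip, dport):
    """Build a constructed Ethernet/IPv4/TCP SYN frame (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                        # MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp

def build_pcap(frames, base_ts=1_000_000):
    """Serialize frames as a little-endian libpcap file, one frame per second."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # header, LINKTYPE_ETHERNET
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", base_ts + i, 0, len(f), len(f)) + f
    return out

def read_pcap(data):
    """Yield (ts_sec, frame) records from a little-endian libpcap capture."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic")
    off = 24                                                 # skip the global header
    while off + 16 <= len(data):
        ts_sec, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len

def parse_tcp(frame):
    """Return (src_ip, dst_ip, dport, tcp_flags) for Ethernet/IPv4/TCP, else None."""
    ihl = (frame[14] & 0x0F) * 4 if len(frame) > 14 else 0
    if frame[12:14] != b"\x08\x00" or ihl < 20 or len(frame) < 34 + ihl or frame[23] != 6:
        return None
    ip, tcp = frame[14:14 + ihl], frame[14 + ihl:14 + ihl + 20]
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    return src, dst, struct.unpack("!H", tcp[2:4])[0], tcp[13]

def find_scanners(pcap_bytes, min_targets=10):
    """Second-stage analysis: sources whose SYNs hit many distinct host:port pairs."""
    targets = defaultdict(set)
    for _, frame in read_pcap(pcap_bytes):
        p = parse_tcp(frame)
        if p and (p[3] & 0x12) == 0x02:                      # SYN set, ACK clear
            targets[p[0]].add((p[1], p[2]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}

# Constructed capture: one host probing 20 ports, another making 3 ordinary HTTPS connections.
SAMPLE = build_pcap([tcp_syn_frame("10.0.0.5", "10.0.0.20", p) for p in range(1, 21)]
                    + [tcp_syn_frame("10.0.0.7", "10.0.0.20", 443)] * 3)
```

On a real deployment the bytes would come from a TCPdump -w file rotated on the interval the article suggests, and the threshold would be tuned to the segment's normal traffic.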


Copyright 1996-2011 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author's free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. The site uses AdSense, so you need to be aware of Google's privacy policy. Copyright of original materials belongs to their respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.


Disclaimer: The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author's present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Created May 16, 2005; Last modified: February 28, 2008
