
Snort IDS

Presented by:
Mansi Sharma (09030241219)
Ujjwal Kohli (09030241235)
IDS – General Observations
 Definition of IDS is tricky…
 “‘Intrusion Detection’ addresses a range of technologies that are involved in the detection, reporting, and correlation of system and network security events.” - “The Hacker's Handbook” (Young, Aitel)
 IDS solutions are diverse and becoming more hybrid:
 Host-based Intrusion Detection (HIDS)
 Network-based Intrusion Detection (NIDS)
 Behavior (policy) based IDS
 Signature (knowledge) based IDS
 Intrusion Prevention (IPS)
 Change Auditing
 Security Information Management (SIM)
Snort – What it is, What it does
 So where does Snort fit within the IDS landscape?
 Developed by Martin Roesch
 Open source Network Intrusion Detection/Prevention System (NIDS/NIPS)
 Sourcefire offers a commercial version of Snort (Sourcefire Intrusion Sensor)
 Performs real-time traffic analysis, logging, and alerting
 Supports two kinds of IDS/IPS functionality:
 Protocol analysis of normalized traffic (done by the preprocessors)
 Signature-based analysis of traffic (done by the detection engine against the loaded rule set)
Snort – Basic Configuration Modes
 Snort can be run in one of several configuration modes:
 Sniffer Mode – Snort reads packets off the network and displays them on the console (snort -v; add -d to show payload and -e to show link-layer headers)
 Packet Logger Mode – simply logs packets to disk (snort -l <logdir>)
 Network Intrusion Detection System (NIDS) Mode – Snort grabs traffic from the network using libpcap, analyzes it for matches against the defined rule set and generates alerts as appropriate (snort -c snort.conf)
 Inline Mode – obtains packets from the iptables queue instead of libpcap and tells iptables to drop or pass each packet, using inline-specific rule actions (drop, reject, sdrop)
Sizing up Snort…
 Free can be a good thing…
 Snort is open source, covered under the GPL
 Rules are readily editable and freely available
 Snort development proceeds under the GPL and has contributed to Snort being a robust IDS solution
 A good way to get started with IDS for a minimal investment (time and money)
 The Snort community is very active
 Signature updates are often made available within hours of a new exploit becoming public
 Several commercial vendors use Snort as the basis for commercial IDS solutions (or to supplement a third-party IDS)
 Snort is considered to be an enterprise-grade IDS
A Basic Snort Architecture
[Diagram: Sensor(s) → Server → Console]
 Sensor(s) – run Snort IDS, detect events, forward alerts (syslog or database output)
 Server – MySQL, Apache, syslog; receives and stores alerts
 Console – web browser; displays alerts
Snort (Sensor) Technical Details
[Diagram: packet flow through a sensor]
Packet (raw bits on the wire) → libpcap → Packet Decoder → Preprocessor(s) → Detection Engine → Output Plugin
Snort (Sensor) – Packet Decode
 libpcap
 External packet capture library (UNIX; the Windows port is WinPcap)
 Captures raw packets off the interface (required for all Snort processing)
 Packet Decoder(s)
 A series of packet decoders decode specific protocol elements of each packet, working up the stack (link layer, then IP, then TCP/UDP/ICMP)
 As packets are decoded, the decoded fields are stored in a single Snort packet data structure that the preprocessors and detection engine then analyze
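The layered decode described above, as an added example (this is not Snort's decoder; Snort's real one handles many more link and transport types and optional checksum verification). Each function decodes one layer and writes its fields into a shared dict, the role Snort's packet structure plays for the later stages. The frame is constructed in `build_frame` (addresses, MACs and ports are made up), so it runs offline:

```python
"""Layered packet decode, working up the stack into one record.

Added example, not Snort's decoder. Each function handles one layer
(Ethernet -> IPv4 -> TCP) and writes its fields into a shared dict,
the role Snort's packet structure plays for the preprocessors and the
detection engine. The frame is constructed below, not captured, and
checksums are left at zero (this toy decoder does not verify them).
"""
import socket
import struct

ETH_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def decode_ethernet(frame, pkt):
    """Link layer: 6-byte dst MAC, 6-byte src MAC, 2-byte EtherType."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_LEN])
    pkt["eth"] = {"dst": dst.hex(":"), "src": src.hex(":"), "type": ethertype}
    return frame[ETH_LEN:]


def decode_ipv4(data, pkt):
    """Network layer: 20-byte fixed header; IHL gives the real header length."""
    (vihl, _tos, total_len, _ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (vihl & 0x0F) * 4
    pkt["ip"] = {
        "version": vihl >> 4, "ihl": ihl, "ttl": ttl, "proto": proto,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
    }
    # total_len bounds the IP payload, which also strips any Ethernet padding
    return data[ihl:total_len]


def decode_tcp(data, pkt):
    """Transport layer: the data offset (in 32-bit words) locates the payload."""
    (sport, dport, seq, ack, off_flags,
     window, _csum, _urg) = struct.unpack("!HHIIHHHH", data[:20])
    doff = (off_flags >> 12) * 4
    pkt["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                  "flags": off_flags & 0x1FF, "data_offset": doff, "window": window}
    return data[doff:]


def decode(frame):
    """Run the decoders in order; stop at the first layer this toy does not handle."""
    pkt = {}
    rest = decode_ethernet(frame, pkt)
    if pkt["eth"]["type"] != ETHERTYPE_IPV4:
        pkt["payload"] = rest
        return pkt
    rest = decode_ipv4(rest, pkt)
    if pkt["ip"]["proto"] != PROTO_TCP:
        pkt["payload"] = rest
        return pkt
    pkt["payload"] = decode_tcp(rest, pkt)
    return pkt


def build_frame(payload, src="203.0.113.5", dst="192.168.1.10", sport=51000, dport=80):
    """Construct a sample Ethernet/IPv4/TCP frame (PSH|ACK) carrying `payload`."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 2000,
                      (5 << 12) | 0x018, 65535, 0, 0)          # data offset = 5 words
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0x1234, 0x4000, 64, PROTO_TCP, 0,           # 0x4000 = DF flag set
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"),
                      bytes.fromhex("66778899aabb"), ETHERTYPE_IPV4)
    return eth + ip + tcp + payload


# Constructed sample traffic, not a capture
SAMPLE_FRAME = build_frame(b"GET /cgi-bin/view.cgi?file=/etc/passwd HTTP/1.1\r\n")

if __name__ == "__main__":
    for layer, fields in decode(SAMPLE_FRAME).items():
        print(layer, fields)
```

The point to take from it is the hand-off: each decoder consumes its own header, records what it learned, and passes the remainder up, so by the time the payload is reached the protocol, addresses and ports that a rule header needs are already sitting in the structure.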
Snort (Sensor) – Preprocessors
 Preprocessor(s)
 Perform two kinds of functions:
 Examine packets for suspicious behavior that no single signature can express (e.g. port scans, ARP spoofing)
 Manipulate (normalize) packets to prepare them for detection engine inspection, e.g. reassemble IP fragments and TCP streams and decode HTTP so that signature matching sees canonical data
 Packets are passed through every enabled preprocessor
 Ensures a thorough packet inspection process
 Guards against evasion attacks designed to circumvent the IDS (fragmentation, encoding tricks, session splicing)
 Key Preprocessors
 Frag2 – IP fragment reassembly
 Stream4 – TCP stream reassembly and state tracking
 HTTP Inspect – HTTP decoding and URI normalization
 RPC_Decode – normalizes fragmented RPC records
 Telnet_Decode – strips Telnet negotiation bytes
 ARPSpoof – detects ARP spoofing
 ASN1_Decode – decodes ASN.1 structures for abuse checks
 Flow – flow tracking shared by other preprocessors
 SfPortscan – port scan detection
 Performance Monitor – sensor performance statistics
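Why the normalization step matters, as an added example (this is not Snort's HTTP Inspect code, which does far more than this). The same `/etc/passwd` request is written six ways; a plain substring match on the raw URI catches only the first, while matching after a small URI normalization (percent-decoding, `.`/`..` resolution, doubled-slash collapse) catches all of them and still leaves the benign request alone. The URIs are constructed, not captured:

```python
"""Why a preprocessor normalizes before the detection engine matches.

Added example, not Snort's HTTP Inspect code. A signature looks for one
literal string; attackers vary the encoding of the same request to slip
past it. Normalizing the URI (percent-decoding, removing '.' and '..'
segments, collapsing repeated slashes) before matching lets a single
content string cover every variant. The URIs below are constructed.
"""
from urllib.parse import unquote

SIGNATURE = "/etc/passwd"          # what content:"/etc/passwd" would look for

# Constructed request URIs, not captured traffic
SAMPLE_URIS = [
    "/cgi-bin/view.cgi?file=/etc/passwd",          # plain
    "/cgi-bin/view.cgi?file=%2Fetc%2Fpasswd",      # percent-encoded slashes
    "/cgi-bin/view.cgi?file=/etc/./passwd",        # self-referential directory
    "/cgi-bin/view.cgi?file=/etc//passwd",         # doubled slash
    "/cgi-bin/view.cgi?file=/etc/x/../passwd",     # traversal through a bogus dir
    "/cgi-bin/view.cgi?file=%252Fetc%252Fpasswd",  # double-encoded
    "/index.html",                                 # benign
]


def normalize_uri(uri, decode_rounds=2):
    """Decode up to `decode_rounds` layers of %XX, then clean up the path."""
    for _ in range(decode_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    segments = []
    for seg in uri.split("/"):
        if seg in ("", "."):             # empty (doubled slash) or current dir
            continue
        if seg == "..":                  # parent dir: drop the previous segment
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def content_match(uri, signature=SIGNATURE, normalize=True):
    """Raw or normalized substring match, mirroring a rule's content option."""
    haystack = normalize_uri(uri) if normalize else uri
    return signature in haystack


def evaluate(uris=SAMPLE_URIS):
    """[(uri, raw_hit, normalized_hit), ...] for each sample."""
    return [(u, content_match(u, normalize=False), content_match(u)) for u in uris]


if __name__ == "__main__":
    for uri, raw, norm in evaluate():
        print(f"raw={raw!s:5} normalized={norm!s:5} {uri}")
```

Two caveats a practitioner would add: decoding more than one layer of percent-encoding is a policy decision (a server that decodes once will not see the double-encoded variant as an attack, so a sensor that does may alert on traffic the target ignores; Snort's HTTP Inspect exposes this as a per-server `double_decode` setting), and normalization must be applied consistently to both the traffic and the rule, otherwise a rule written with an encoded `content` never fires.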
Snort Sensor – Detection Engine
 Detection Engine
 Performs several functions:
 Rule parsing – at startup, rules are loaded into internal data structures that then guide packet inspection
 Signature detection – attack signatures are constructed by parsing Snort rules
 Rules are divided into two sections:
 Rule header – information that governs when the signature applies (action, protocol, source/destination IP and port, direction)
 Rule options – contain the attack signature (content, pcre, etc.), priority level, and attack information (msg, sid, rev, classtype, reference)
 Each packet is first matched against rule headers (cheap fields such as protocol, addresses and ports) and only then against the more specific rule options of the rules whose header matched; an alert is generated on a full match, otherwise the packet passes
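The header/option split and the header-first evaluation order, as an added example (a toy matcher, not Snort's detection engine, which uses a multi-pattern matcher and many more options). It parses one constructed local rule (sid 1000001, in the customary local range) into its header and its options, including `nocase` applying to the preceding `content` and the `|0d 0a|` hex notation, then checks constructed packets. The `$HOME_NET`/`$EXTERNAL_NET` bindings and all addresses are assumed values:

```python
"""Snort rule header vs. options, as a working toy matcher.

Added example, not Snort's detection engine: a rule is split into its
header (action, protocol, addresses, ports, '->' direction) and options
(msg, content, nocase, sid, rev, priority); constructed packets are then
checked header first, options second. Other options are parsed and ignored.
"""
import ipaddress
import re
from collections import namedtuple

VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "!192.168.1.0/24"}  # assumed
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$")
Packet = namedtuple("Packet", "proto src sport dst dport payload")

def split_options(opts):
    """Split on ';' except inside double quotes."""
    parts, cur, quoted = [], "", False
    for ch in opts:
        quoted ^= ch == '"'
        if ch == ";" and not quoted:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    return [p.strip() for p in parts + [cur] if p.strip()]

def parse_content(value):
    """content:"GET |0d 0a|": text outside the pipes, hex bytes inside."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        out += part.encode() if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)

def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    rule = {"header": m.groupdict(), "msg": "", "sid": 0, "rev": 0,
            "priority": 0, "contents": []}      # contents: [[bytes, nocase], ...]
    for opt in split_options(rule["header"].pop("opts")):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "msg":
            rule["msg"] = val
        elif key == "content":
            rule["contents"].append([parse_content(val), False])
        elif key == "nocase" and rule["contents"]:
            rule["contents"][-1][1] = True   # nocase modifies the preceding content
        elif key in ("sid", "rev", "priority"):
            rule[key] = int(val)
    return rule

def ip_matches(spec, ip):
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not ip_matches(spec[1:], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")          # '80', '1024:', ':1023', '80:90'
    if not sep:
        return port == int(lo)
    return (not lo or int(lo) <= port) and (not hi or port <= int(hi))

def header_matches(rule, pkt):
    h = rule["header"]
    return (h["proto"] in ("ip", pkt.proto)
            and ip_matches(h["src"], pkt.src) and port_matches(h["sport"], pkt.sport)
            and ip_matches(h["dst"], pkt.dst) and port_matches(h["dport"], pkt.dport))

def options_match(rule, pkt):
    return all((n.lower() in pkt.payload.lower()) if nocase else (n in pkt.payload)
               for n, nocase in rule["contents"])

def evaluate(rules, pkt):
    """Cheap header test first; the signature test only on the survivors."""
    return [r for r in rules if header_matches(r, pkt) and options_match(r, pkt)]

# Constructed local rule (sid >= 1000000 is the customary local range)
RULES = [parse_rule(
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL /etc/passwd in URI"; '
    'flow:to_server,established; content:"/etc/passwd"; nocase; '
    'content:"HTTP/1.1|0d 0a|"; sid:1000001; rev:1; priority:1;)')]
# Constructed packets, not captured traffic
PACKETS = {
    "external_web": Packet("tcp", "203.0.113.5", 51000, "192.168.1.10", 80,
                           b"GET /cgi-bin/view.cgi?file=/ETC/PASSWD HTTP/1.1\r\n"),
    "internal_web": Packet("tcp", "192.168.1.20", 51001, "192.168.1.10", 80,
                           b"GET /cgi-bin/view.cgi?file=/etc/passwd HTTP/1.1\r\n"),
}

def alerts(pkt):
    """(sid, msg) for every rule that fires on the packet."""
    return [(r["sid"], r["msg"]) for r in evaluate(RULES, pkt)]
```

`alerts(PACKETS["external_web"])` fires because both the header (external source, internal destination, port 80) and both `content` strings match, the first one case-insensitively; `alerts(PACKETS["internal_web"])` is empty even though the payload is identical, because `$EXTERNAL_NET` is the negation of `$HOME_NET` and the header test rejects the packet before any option is examined. That is the cost model the slide describes: header fields are cheap to test and prune most rules, so the expensive signature work is only done for the few rules that survive.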
Thank You!
