Post on 19-Dec-2015
TRANSCRIPT
![Page 1: Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d3f5503460f94a18f53/html5/thumbnails/1.jpg)
Snort - a network intrusion prevention and detection system
Student: Yue Jiang
Professor: Dr. Bojan Cukic
CS665 class presentation
Overview
• What's Snort?
• Snort architecture
• Snort components
• Detection engine and rules in Snort
• Possible research work on Snort
What's Snort?
NIDS: A network intrusion detection system (NIDS) tries to detect malicious activity, such as denial of service attacks, port scans or attempts to break into computers, by monitoring network traffic.
Snort: an open source network intrusion prevention and detection system. It uses a rule-based language that combines signature, protocol and anomaly inspection methods.
Snort's developers describe it as the most widely deployed intrusion detection and prevention technology, and it has become the de facto standard in the industry worldwide.
Snort can run in four modes:
1. Packet sniffer: capture packets from the network and display them on the console with different levels of detail
2. Packet logger: log packets to disk (text or binary tcpdump format) instead of displaying them
3. Honeypot monitor: watch the traffic to a host set up to deceive hostile parties
4. NIDS: network intrusion detection system, applying rules to the traffic and alerting on matches
Typical locations for snort
Requirements for Snort
• lightweight NIDS
• small, flexible
• highly capable system
Snort architecture
From: Nalneesh Gaur, Snort: Planning IDS for your enterprise, http://www.linuxjournal.com/article/4668, 2001.
Snort components
From: Rafeeq Ur Rehman, Intrusion Detection Systems with Snort: Advanced IDS Techniques with Snort, Apache, MySQL, PHP, and ACID.
Logical components of Snort
Packet Decoder: takes packets from different types of network interfaces (Ethernet, SLIP, PPP, ...) and prepares them for processing by the preprocessors and the detection engine.
Preprocessors: (1) prepare data for the detection engine; (2) detect anomalies in packet headers; (3) reassemble IP fragments (defragmentation); (4) normalise and decode HTTP URIs; (5) reassemble TCP streams, so that content split across several packets can still be matched.
Detection Engine: the most important part; applies the rules to each packet (or reassembled stream) and decides whether it matches.
Logging and Alerting System: logs the packet and/or raises an alert when the detection engine reports a match.
Output Modules: process alerts and logs and generate the final output (files, syslog, database, ...).
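The TCP stream reassembly done by the preprocessors is what keeps an attacker from hiding a signature by splitting it over several segments. The following is an added example, not code from the presentation or from Snort: a matcher applied per packet misses a content string that straddles segment boundaries, while the same matcher finds it once the stream is reassembled in sequence order. The signature, the initial sequence number and the segments are constructed test data, not a real capture.

```python
"""Added example (not from the presentation or the Snort project): why the
stream-reassembly preprocessor must run before the detection engine sees
payload. Segments below are constructed, not captured traffic."""

SIGNATURE = b"/etc/passwd"   # hypothetical rule content we want to detect

ISN = 1000   # initial sequence number of the constructed client stream

# Constructed segments (tcp_seq, payload) in arrival order: delivered out of
# order, with the signature straddling a 3-byte segment, plus a retransmitted
# segment that overlaps that 3-byte segment.
SEGMENTS = [
    (1039, b"swd HTTP/1.0\r\n"),
    (1000, b"GET /cgi-bin/view?file=../../../etc/"),
    (1036, b"passwd HTTP/1.0\r\nHost: x\r\n"),   # retransmission, overlaps
    (1036, b"pas"),
]


def per_packet_match(segments, signature):
    """What a detection engine without reassembly sees: each payload alone.
    Returns the sequence numbers of segments that contain the signature."""
    return [seq for seq, payload in segments if signature in payload]


def reassemble(segments, isn):
    """Merge segments into one byte stream in sequence order. Bytes already in
    the buffer win over a retransmitted copy (one common overlap policy); a gap
    ends the stream, because bytes after a hole cannot be placed reliably."""
    stream = bytearray()
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        offset = seq - isn
        if offset > len(stream):
            break                                   # hole in the stream
        stream += payload[len(stream) - offset:]    # drop already-seen bytes
    return bytes(stream)


def stream_match(segments, isn, signature):
    """What the detection engine sees after the preprocessor: the whole stream."""
    return signature in reassemble(segments, isn)


if __name__ == "__main__":
    print("per-packet hits:", per_packet_match(SEGMENTS, SIGNATURE))
    print("stream hit:", stream_match(SEGMENTS, ISN, SIGNATURE))
    print(reassemble(SEGMENTS, ISN))
```

Real reassembly also has to pick an overlap policy per target operating system (Snort's stream preprocessor is configured with one), because different TCP stacks favour the old or the new copy of overlapping bytes and an attacker can exploit a mismatch between the sensor's view and the host's.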
TCP/IP layers
Snort works on the network (IP) layer, the transport (TCP/UDP/ICMP) layer and the application layer. (The slide shows a protocol stack from the physical layer upwards; the decoder strips the link-layer header and the rules operate on the layers above it.)
Detection Engine
※ Requirements: 1. time critical 2. fast
※ What the detection engine has to examine:
• The IP header of the packet
• The transport layer header: TCP, UDP, ICMP etc.
• The application layer header: headers of DNS, FTP, SNMP, SMTP, ...
• The packet payload
※ How is this done? The rules are applied to the packets, and content signatures are located in the payload with a Boyer-Moore string matching algorithm. (That describes Snort 1.x; Snort 2.x first runs a multi-pattern matcher such as Aho-Corasick or Wu-Manber over the content strings of all rules in a group and only then verifies the candidate rules one by one.)
Detection engine: load factors
The time the detection engine needs per packet depends on:
• the number of rules
• the traffic load on the network
• the speed of the network and of the machine
• the efficiency of the detection algorithm
Rules
• Each rule is written on a single line.
• Rules are created from known intrusion signatures.
• They are usually placed in, or included from, the snort.conf configuration file.
• A rule has two parts: the rule header and the rule options.
Rule examples
(Figure: an annotated example rule. The callouts label its parts, left to right:)
• action "alert": an alert will be generated if the criteria are met
• protocol "ip": apply to all IP packets
• source IP address
• source port number
• destination IP address
• destination port
These fields form the rule header; the part in parentheses is the rule options.
Detection engine: order in which the rules are scanned
Snort does not evaluate the rules in the order in which they appear in the rules file. By default the order is:
1. Alert rules
2. Pass rules
3. Log rules
So a pass rule cannot suppress an alert rule that matches the same packet unless the order is changed (the -o command-line option switches it to pass, alert, log).
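To make the three preceding slides concrete (the Boyer-Moore payload search, the header/options structure of a rule, and the alert/pass/log evaluation order), here is an added example of a miniature Snort-style rule engine. It is not code from the presentation or from the Snort project. It parses one-line rules of the form `action proto src sport -> dst dport (option; ...)`, checks the header fields against a packet, finds each `content` string in the payload with Boyer-Moore-Horspool, and applies rules by action group rather than file order; `PASS_FIRST_ORDER` models what the `-o` option selects. The rules, their SIDs (from the local range) and the packets are constructed for the demo.

```python
"""Added example: a miniature Snort-style rule engine (not code from the
presentation or from Snort). Rules, SIDs and packets below are constructed."""
import ipaddress
import re
from dataclasses import dataclass, field

RULE_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    sid: int = 0
    msg: str = ""
    contents: list = field(default_factory=list)   # [(pattern bytes, nocase)]

def decode_content(text):
    """'abc|00 01|' -> b'abc\\x00\\x01': segments between pipes are hex bytes."""
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode()
                    for i, p in enumerate(text.split("|")))

def parse_rule(line):
    """Split a rule into header fields and options. Options are split on ';',
    so a ';' inside a quoted string is not supported by this toy parser."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("bad rule: " + line)
    rule = Rule(*m.groups()[:7])
    for opt in m.group(8).split(";"):
        key, _, val = opt.strip().partition(":")
        val = val.strip().strip('"')
        if key == "content":
            rule.contents.append((decode_content(val), False))
        elif key == "nocase":                      # modifies the preceding content
            rule.contents[-1] = (rule.contents[-1][0], True)
        elif key == "msg":
            rule.msg = val
        elif key == "sid":
            rule.sid = int(val)
    return rule

def bmh_find(text, pattern):
    """Boyer-Moore-Horspool: compare the window right to left; on a mismatch
    shift by the distance of the window's last byte from the end of the
    pattern (or by the whole pattern length if that byte never occurs)."""
    m = len(pattern)
    if m == 0:
        return 0
    skip = {pattern[i]: m - 1 - i for i in range(m - 1)}
    i = 0
    while i + m <= len(text):
        j = m - 1
        while j >= 0 and text[i + j] == pattern[j]:
            j -= 1
        if j < 0:
            return i
        i += skip.get(text[i + m - 1], m)
    return -1

def ip_matches(spec, addr):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate

def port_matches(spec, port):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    lo, sep, hi = spec.lstrip("!").partition(":")      # forms: 80, 1:1024, 1024:, :1024
    low = int(lo) if lo else 0
    high = int(hi) if hi else (65535 if sep else low)
    return (low <= port <= high) != negate

def header_matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    def one_way(a, ap, b, bp):
        return (ip_matches(rule.src, a) and port_matches(rule.sport, ap)
                and ip_matches(rule.dst, b) and port_matches(rule.dport, bp))
    if one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]):
        return True
    return rule.direction == "<>" and one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])

def rule_matches(rule, pkt):
    if not header_matches(rule, pkt):
        return False
    for pat, nocase in rule.contents:
        hay, needle = (pkt["payload"].lower(), pat.lower()) if nocase else (pkt["payload"], pat)
        if bmh_find(hay, needle) < 0:
            return False
    return True

DEFAULT_ORDER = ("alert", "pass", "log")
PASS_FIRST_ORDER = ("pass", "alert", "log")    # the order `snort -o` selects

def evaluate(rules, pkt, order=DEFAULT_ORDER):
    """First matching rule wins, but action groups are tried in `order`: a pass
    rule only silences a matching alert rule when pass is tried before alert."""
    for action in order:
        for rule in rules:
            if rule.action == action and rule_matches(rule, pkt):
                return action, rule.sid
    return None, 0

RULES = [parse_rule(line) for line in """
alert tcp any any -> 192.168.1.0/24 80 (msg:"WEB-MISC /etc/passwd access"; content:"/etc/passwd"; nocase; sid:1000001;)
pass tcp 192.168.1.50 any -> 192.168.1.0/24 80 (msg:"authorised scanner"; content:"/etc/passwd"; nocase; sid:1000002;)
log tcp any any -> 192.168.1.0/24 80 (msg:"web request"; sid:1000003;)
alert udp any any -> any 111 (msg:"RPC portmap request"; content:"|00 01 86 A0|"; sid:1000004;)
""".strip().splitlines()]

def pkt(proto, src, sport, dst, dport, payload):
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport, payload=payload)

SCANNER = pkt("tcp", "192.168.1.50", 40001, "192.168.1.10", 80,
              b"GET /cgi-bin/view?file=../../etc/PASSWD HTTP/1.0\r\n")
BROWSING = pkt("tcp", "10.0.0.5", 40002, "192.168.1.10", 80, b"GET /index.html HTTP/1.0\r\n")
PORTMAP = pkt("udp", "10.0.0.5", 40003, "192.168.1.10", 111, b"\x00\x01\x86\xa0\x00\x00\x00\x02")

if __name__ == "__main__":
    for name, p in [("scanner", SCANNER), ("browsing", BROWSING), ("portmap", PORTMAP)]:
        print(name, "default:", evaluate(RULES, p), " -o:", evaluate(RULES, p, PASS_FIRST_ORDER))
```

With the default order the scanner's request trips the alert rule even though a pass rule for that source address matches too; with the pass-first order the pass rule wins and the alert is suppressed. Snort itself matches the content strings of a whole rule group in one pass (see the detection-engine caveat above), so this per-rule Boyer-Moore-Horspool loop shows the search primitive, not Snort's full pipeline.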
Challenges with Snort
Misuse detection (detecting known intrusions): the rules database grows larger and larger. In Snort version 2.3.2 there are about 2,600 rules, 80% of them content signatures, and Snort spends about 80% of its processing time on string matching.
Anomaly detection (identifying new attacks): the probability of detection is low.
Snort components
From: Rafeeq Ur Rehman, Intrusion Detection Systems with Snort: Advanced IDS Techniques with Snort, Apache, MySQL, PHP, and ACID.
Attempts to improve
• Increasing preprocessing ability: offload part of the work from the detection engine
• Using hardware to reduce the workload, a hybrid architecture: software has more flexibility, hardware has relatively higher throughput
• Better detection algorithms
Possible ways?
• Organize the well-known rules into a better data structure to achieve better performance
• Build a detector with an acceptable detection probability
Thank you !