
Softpanorama Bulletin
Vol 19, No. 03 (July, 2007)


A Slightly Skeptical View on Snort

Dr. Nikolai Bezroukov

Version 1.0


Copyright 2005-2006, Dr. Nikolai Bezroukov. This is a copyrighted unpublished work. All rights reserved.

Abstract

Snort is an open source, libpcap-based packet sniffer and logger that can be used either as a network intrusion detection system (NIDS) or as a powerful, free network traffic analyzer. The first role is useful only with competent operators and well-placed sensors (it very seldom makes sense to point sensors at incoming Internet traffic; internal traffic, especially traffic between the sites of a large corporation, is a much better target). The second role is the more productive one, and it is greatly underestimated in large corporate environments. Architecturally, Snort as a NIDS is inferior to the earlier approach based on two separate stages (recording of traffic, then processing of traffic) with a scripting language used in the second stage. That approach was pioneered by SHADOW.


Snort is a very democratic tool: to build a Snort sensor you do not need a powerful server. A regular PC with a 1.5 GHz or better CPU and a decent network card can record a 100 Mb/s feed. RTL8139 cards are acceptable, cards based on the TG3 chipset are better, and Intel cards are best. To get signatures you need to create an account on the snort.org site; registered users can download the rulesets developed by Sourcefire for free with a one-week delay (getting them on release day costs $1760, which is not much money for a large corporation).

Still, despite all those good things, I suspect that the value of Snort as an IDS is inflated. Yes, it is better than any commercial NIDS I know, for a simple reason: they are useless and cost money, and Snort is free :-). Actually, like most successful open source programs, Snort deviated from its modest roots and became a pretty bloated pig with a huge codebase ;-). As a result it tries to do too many things simultaneously, and only a few of them are done right.

The Snort mini-language for analyzing the data stream is very ad hoc. The addition of Perl-style regular expressions was a nice afterthought, but if it is used properly it defeats the capability of real-time analysis. The main problem is that the designers were sitting between two chairs: creating a reasonably fast traffic analyzer able to work in real time, and creating powerful alert-generation capabilities. As a result the alert-generation capabilities are crippled and ad hoc; premature optimization is the root of all evil. You can do much more by reading a prerecorded traffic stream with tcpdump and processing the decoded packets with Perl (the approach pioneered in SHADOW, which was developed at NSWC).

I am convinced that in open source development traffic recording and traffic analysis should be split into two separate programs, and the second one should not be oriented toward real-time processing. That permits the use of a significant subset, or even the full version, of a scripting language instead of an ad hoc combination of directives that smell of the early 1970s (yes, pre-Unix days: as David Korn used to say, many Unix developers do not understand Unix, they only program for it).

Because of this commercial-style "Swiss army knife" design, the best way of using Snort is not in real time but reading a tcpdump stream. 99.9% of alerts in a typical Snort deployment are false positives, so the value of real-time analysis is either zero or negative (it just produces more spam). It is better to process the pre-recorded stream in batches at a suitable interval: for example 10-15 minutes on large pipes, one hour on small pipes. In a typical corporation nothing can be done in less than three hours anyway, so it does not matter if you get the alert an hour later.

And when you read tcpdump captures you can configure Snort with all the necessary plugins and use more complex rule sets without the fear that it will start dropping packets. You also get a free "black box" capability: the raw capture is retained and can be re-analyzed later with a different rule set.

But if Snort has shortcomings as an IDS, it is an excellent and very powerful traffic analyzer, a fact that is underemphasized in most Snort-related books and articles. It features quite powerful rule-based filtering of traffic and can perform protocol analysis and content searching/matching useful for troubleshooting. Any packet or group of packets with specific field values, or belonging to a specific protocol (for example streaming), can be described in the Snort mini-language (essentially an enhanced version of the tcpdump filter language). Snort can read tcpdump binary logs (snort -r capture.pcap), which further increases its usefulness for troubleshooting.

Snort holds an inherent advantage over closed source IDSs: the IDS itself can be tailored and customized for a particular environment to a degree not possible with closed source competitors. The price is also right, and because of the very low return on investment of most IDS deployments this matters a lot.

Snort is much easier (and probably more productive) to use on an internal network, especially at the ingress of a local site router, than at the ingress of the corporate Internet gateway. The latter placement, the favorite way for security companies to extract money from naive clients (and you cannot lose by betting on stupidity in any business), buries the signal in the noise of false positives, including scanning attempts from all over the world and from every university where students like to experiment with nmap by scanning class B networks, as if scanning class C networks were only for suckers. If the traffic is internal, an attempt to scan the network with nmap carries much more weight and usually represents useful information that deserves investigation.
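The two-stage approach argued for above (record with tcpdump, analyze the decoded stream offline in batches with a scripting language, and weight an internal scanner far above Internet background noise) can be sketched in a few dozen lines. The block below is an added example written for this page; it is not code from the article, from Snort or from the SHADOW project, and it uses Python instead of Perl only as a stand-in scripting language. It assumes stage one has already produced decoded text with `tcpdump -nn -tttt -r capture.pcap`; the capture lines embedded in it are constructed, the RFC1918 definition of "internal", the 15-minute window and the 20-target threshold are illustrative parameters, and the hypothetical host addresses come from private and documentation ranges.

```python
"""
Stage two of a SHADOW-style two-stage analysis (added example, not from
the article, Snort or SHADOW).  Stage one is assumed to have been:

    tcpdump -i eth1 -nn -w capture.pcap               # record on the sensor
    tcpdump -nn -tttt -r capture.pcap > decoded.txt   # decode later, offline

This script cuts the decoded text into fixed windows and reports sources
that touched many distinct (host, port) targets inside one window.  A
scanner in our own (RFC1918) address space is ranked for investigation;
the same behaviour from an Internet address is only logged.
"""
import ipaddress
import re
import sys
from collections import defaultdict
from datetime import datetime

# Prefix of a 'tcpdump -nn -tttt' line for an IPv4 TCP/UDP packet; the rest
# of the line (flags, seq, window, length) is not needed for scan detection.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
)
EPOCH = datetime(1970, 1, 1)

# "Internal" = RFC1918 here (assumption); replace with the site's real allocation.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Return (seconds, src, dst, dport) for a decoded packet line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
    return ((when - EPOCH).total_seconds(), m.group("src"), m.group("dst"),
            int(m.group("dport")))


def is_internal(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def find_scanners(lines, interval=900, min_targets=20):
    """
    Bucket packets into `interval`-second windows (default 15 minutes, the
    figure suggested above for large pipes) and report sources that hit at
    least `min_targets` distinct (dst, dport) pairs within a single window.
    Internal sources sort first, then by number of targets.
    """
    targets = defaultdict(set)          # (window, src) -> {(dst, dport), ...}
    for line in lines:
        rec = parse_line(line)
        if rec is None:                 # ARP, ICMP, IPv6, junk: skipped here
            continue
        seconds, src, dst, dport = rec
        targets[(int(seconds // interval), src)].add((dst, dport))

    hits = []
    for (window, src), tset in targets.items():
        if len(tset) >= min_targets:
            internal = is_internal(src)
            hits.append({
                "src": src, "window": window, "targets": len(tset),
                "internal": internal,
                "priority": "investigate" if internal else "log",
            })
    hits.sort(key=lambda h: (not h["internal"], -h["targets"]))
    return hits


def sample_lines():
    """Constructed decoded capture (not real traffic): an internal host and an
    Internet host each sweep ports on one server; a workstation does normal work."""
    fmt = ("2007-07-02 10:0{m}:{s:02d}.000000 IP {src}.{sport} > {dst}.{dport}: "
           "Flags [S], seq 1, win 65535, length 0")
    lines = []
    for i in range(30):   # internal sweep: 30 ports in 30 seconds
        lines.append(fmt.format(m=0, s=i, src="10.1.2.3", sport=40000 + i,
                                dst="10.1.5.7", dport=1 + i))
    for i in range(25):   # external sweep from a documentation-range address
        lines.append(fmt.format(m=1, s=i, src="203.0.113.9", sport=50000 + i,
                                dst="192.168.5.10", dport=1 + i))
    for i in range(10):   # normal traffic: web and mail to the same server
        lines.append(fmt.format(m=2, s=i, src="10.1.2.50", sport=41000 + i,
                                dst="10.1.5.7", dport=80 if i % 2 else 25))
    lines.append("2007-07-02 10:02:30.000000 ARP, Request who-has 10.1.5.7 tell 10.1.2.50, length 28")
    return lines


if __name__ == "__main__":
    # Real use:  tcpdump -nn -tttt -r capture.pcap | python3 scan_report.py -
    source = sys.stdin if sys.argv[1:] == ["-"] else sample_lines()
    for h in find_scanners(source):
        print("{priority:11} {src:15} window {window} targets {targets}".format(**h))
```

Run without arguments it reports on the constructed sample: the internal sweep comes out first as "investigate", the sweep from the documentation-range address as "log", and the workstation (two distinct targets) is never mentioned. The window size matters exactly as the article says: the same 30-port sweep spread over 30 seconds produces no hit at all if the window is cut to 5 seconds, because no single window then holds 20 targets. Replace INTERNAL_NETS with the site's real allocation before using the "investigate" ranking for anything.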

If you have had the opportunity to work with a rigid, uncustomizable IDS like ISS RealSecure, you will see Snort as a big improvement. As Eric Stats noted in his review of "Intrusion Detection with Snort":

In order for an IDS to be effective, or in some high-bandwidth cases, even usable, detailed network and business context must be applied to the IDS. In a nutshell, IDSs are not as plug-and-play as firewalls or other security applications. For example, if you know you are not running any HTTP traffic on the segment where the IDS is sniffing, you may not want your IDS to waste cycles looking for attacks on Apache. On the other hand, you may feel that the mere presence of HTTP traffic may indicate something innately suspicious, so it is of value to watch for any HTTP traffic. It all depends on what you feel are legitimate threats to the network you are attempting to protect. Snort gives you the power to "watch" for specific attacks, protocol anomalies, or other chatter that has no legitimate business running on your network. Other closed source IDSs don't, or can't, have the same flexibility.

Still, even with Snort, if you don't know your network, servers and routers, and what they should be doing, you can't implement an IDS effectively. And that's a real problem in deploying effective IDS sensors.

Snort has an alerting capability, with alerts being sent to syslog, to a separate "alert" file, to a database (for example MySQL with the ACID/BASE front-end) or even as a WinPopup message via Samba's smbclient. Alerts sent to syslog can be integrated with Tivoli using the standard Tivoli log adapter, which makes it possible to use the TEC correlation engine on Snort alerts.




Last modified: October, 11, 2015