Softpanorama


Building Snort-based IDS Infrastructure


"In order for an IDS to be effective, or in some high-bandwidth cases, even usable, detailed network and business context must be applied to the IDS. In a nutshell, IDSs are not as plug-and-play as firewalls or other security applications."

Eric Stats' review of Jack Koziol's "Intrusion Detection with Snort"


As this is a "slightly skeptical" site the page should start with some critique of snort. Previously it was "in-line" but due to volume it was recently (as of Aug 12, 2006) converted into a separate article: "Slightly Skeptical View of Snort" .

Sourcefire provides only Red Hat binaries, but a precompiled Snort 2.6 for Solaris (with MySQL support) is now available from www.sunfreeware.com. Compiling snort for Solaris yourself is also possible, though it is not easy, especially with MySQL support. Still, Snort 2.4.x can be compiled and does work on Solaris 10, both the Sun release and OpenSolaris. You need gcc-3.4.2 or later; earlier versions such as gcc-3.3.2 do not work, and on Solaris 10 they produce a make error like the following:

Making install in sfutil
make[2]: Entering directory `/export/home/snort/Snort/snort-2.6.0/src/sfutil'
rm -f libsfutil.a
false cru libsfutil.a sfghash.o sfhashfcn.o sflsq.o sfmemcap.o sfthd.o sfxhash.o ipobj.o mwm.o sfksearch.o getopt_long.o acsmx.o acsmx2.o mpse.o util_math.o util_net.o util_str.o asn1.o sfeventq.o sfsnprintfappend.o
make[2]: *** [libsfutil.a] Error 255
make[2]: Leaving directory `/export/home/snort/Snort/snort-2.6.0/src/sfutil'
make[1]: *** [install-recursive] Error 1
make[1]: Leaving directory `/export/home/snort/Snort/snort-2.6.0/src'
make: *** [install-recursive] Error 1

I have used it with OpenSolaris since December 2005. The information below was adapted from a post by Jacob Ritorto on March 16, 2006 (Snort Forums Archive). You can omit the snort compilation, as the precompiled version works OK. Please note that PHP 4 needs to be compiled with MySQL support; in the notes below Jacob claims success with PHP 5:

I deployed 2.4.3 on Solaris 10 1/06 x86 with BASE a couple of weeks ago to try for better reliability / performance than we were getting with the former Linux installation. Pretty straightforward. Imagine it's the same on SPARC.

I'll cut/paste my installation notes for you below. Note that they're a bit stale because I've tweaked for multiple interfaces since writing them.

Note links at bottom for references I used to prepare these instructions..

If you don't feel like building source, install the blastwave.org package via pkg-get. That's really easy and all you have to do afterwards is dl the rules and adjust snort.conf.

Solaris 10 (x86) 1/06 Snort/BASE build and install notes

This procedure leverages mysql, libtool and openssl shipped with Solaris 10. Naturally, you should adjust pathnames to reflect optional software versions you use.

  1. Download sources for adodb, base, snort, pcre, libpcap, libxml2, php.

  2. Set your PATH environment variable to something that works for you. For example,

    /usr/sbin:/usr/bin:/opt/csw/bin:/usr/sfw/bin:/usr/ccs/bin

  3. Build and install libpcap:
    ./configure --prefix=/opt/libpcap-0.9.4 && gmake && gmake install

  4. Build and install pcre (see http://forum.sun.com/thread.jspa?messageID=104833):
    ./configure --prefix=/opt/pcre-6.3 && gmake && gmake install

  5. Build and install snort:

    Set your LDFLAGS environment variable to -R/opt/pcre-6.3/lib

    ./configure --prefix=/opt/snort-2.4.3 --with-openssl \
        --with-libpcap-includes=/opt/libpcap-0.9.4/include \
        --with-libpcap-libraries=/opt/libpcap-0.9.4/lib \
        --with-libpcre-includes=/opt/pcre-6.3/include \
        --with-libpcre-libraries=/opt/pcre-6.3/lib \
        --with-mysql=/usr/sfw && gmake && gmake install
  6. Unset your LDFLAGS environment variable.
  7. Go to snort.com to download rules. Untar them into /opt/snort-2.4.3/rules
  8. Fire up & tweak mysql:
    /usr/sfw/bin/mysql_install_db 
    groupadd mysql
    useradd -g mysql mysql

    chgrp -R mysql /var/mysql
    chmod -R 770 /var/mysql
    installf SUNWmysqlr /var/mysql d 770 root mysql
    cp /usr/sfw/share/mysql/my-medium.cnf /var/mysql/my.cnf
    /usr/sfw/sbin/mysqld_safe --user=mysql &
    mysqladmin -u root password 'password'
    mysqladmin -u root -h `hostname` password 'password'
    set mysql to stop/start at boot, etc: (not the proper smf(5) way; sorry; please fix*.):
    ln /etc/sfw/mysql/mysql.server /etc/rc3.d/S99mysql
    ln /etc/sfw/mysql/mysql.server /etc/rc0.d/K00mysql
    ln /etc/sfw/mysql/mysql.server /etc/rc1.d/K00mysql
    ln /etc/sfw/mysql/mysql.server /etc/rc2.d/K00mysql
    ln /etc/sfw/mysql/mysql.server /etc/rcS.d/K00mysql
  9. Cd to snort source directory.
    mysql -u root -p < schemas/create_mysql snort 
    mysql -u root -p snort
    mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost;
    mysql> set PASSWORD FOR snort@localhost=PASSWORD('password');
    mysql> flush privileges;
    mysql> exit
  10. Edit the /opt/snort-2.4.3/rules/snort.conf file.

    output database: log, mysql, dbname=snort user=snort password=password host=localhost
    output database: alert, mysql, dbname=snort user=snort password=password host=localhost
    comment out ftp_telnet preprocessor section
    comment out smtp preprocessor section

  11. Test snort & see if it's making database entries:
    snort -c /opt/snort-2.4.3/rules/snort.conf 
    echo "SELECT count(*) FROM event" | mysql -u root -p snort


  12. Build a newer libxml2:
    ./configure --prefix=/opt/libxml2-2.6.23 && gmake && gmake install
  13. Build, install and configure php and pear:
    ./configure --prefix=/opt/php-5.1.2 --enable-memory-limit=yes --with-apxs2=/usr/apache2/bin/apxs \
        --with-gettext=/usr/bin/gettext --with-exif --without-mm --with-mysql=/usr/sfw \
        --with-openssl=/usr/sfw --with-zlib --with-jpeg-dir=/usr/sfw --with-png-dir=/usr/sfw \
        --with-exec-dir=/opt/php-5.1.2/libexec --enable-cli --enable-sockets --with-libxml-dir=/opt/libxml2-2.6.23 \
        --with-gd && gmake && gmake install
    /opt/php-5.1.2/bin/pear install Image_Color
    /usr/local/php/bin/pear install Log
    /usr/local/php/bin/pear install Numbers_Roman
    /usr/local/php/bin/pear install http://pear.php.net/get/Numbers_Words-0.13.1.tgz
    /usr/local/php/bin/pear install http://pear.php.net/get/Image_Graph-0.3.0dev4.tgz
  14. Install BASE by untarring it into /var/apache2/htdocs
  15. Install adodb by untarring it into /var/apache2/htdocs
    copy /var/apache2/htdocs/base/base_conf.php.dist to base_conf.php and edit:
    • $Dblib_path = "/var/apache2/htdocs/adodb"   (full path to the ADOdb installation)
    • $Dbtype = "mysql"                           (type of database used)
    • $Use_Auth_System = 1                        (set to 1 to force users to authenticate to use BASE)
    • $BASE_urlpath = "/base"                     (the root URI of your site)
    • $alert_dbname = "snort"                     (the alert database name)
    • $alert_host = "localhost"                   (the alert database server)
    • $alert_port = ""                            (the port where the database is stored; leave blank if you're not running MySQL on a network socket)
    • $alert_user = "snort"                       (the username for the alert database)
    • $alert_password = "snort_user_password"     (the password for that username)
References:

http://meljr.com/~meljr/AMPSolaris10.html

http://www.sun.com/bigadmin/features/articles/intrusion_detection.html 

BigAdmin Feature Article Analyzing Snort Data With the Basic Analysis and Security Engine (BASE)

http://forum.sun.com/thread.jspa?messageID=104833 

http://www.sun.com/bigadmin/content/submitted/mysql_smf_tip.html 

After you solve the configuration problems, Snort is very stable even on a high volume of traffic (of course it is unwise to run it live on a high volume of data; in that case you would write the stream to a file with tcpdump and only then analyze it with snort. This is especially true if you log to MySQL, in which case snort cannot realistically be used in true IDS mode listening to live traffic).

If you want to use a complex snort.conf and a large rulebase, you will always benefit from using tcpdump in the first stage, to provide black-box recording capabilities, and then reprocessing the tcpdump files periodically. The period depends on the traffic volume; for O1 connections it can be, say, once every 15 minutes. In any case, any period of less than an hour is probably adequate, because in a large corporation the latency before anyone reacts to an alert is usually more than an hour; in this sense, processing the data every quarter of an hour represents real-time monitoring :-).
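As an added example (not code from the page or from Jacob's notes), a POSIX shell script implementing the two-stage setup described above: tcpdump writes rotating capture files and snort reprocesses the finished ones in read-file mode. The install paths, the spool directory and the ".done" marker convention are assumptions.

```shell
#!/bin/sh
# Added example: two-stage capture-then-analyze setup for Snort (not code from the page).
# Assumed paths: adjust SNORT, SNORT_CONF, SPOOL and LOGDIR to your installation.
SNORT=${SNORT:-/opt/snort-2.4.3/bin/snort}
SNORT_CONF=${SNORT_CONF:-/opt/snort-2.4.3/rules/snort.conf}
SPOOL=${SPOOL:-/var/spool/ids/pcap}        # where tcpdump drops capture files
LOGDIR=${LOGDIR:-/var/log/snort}           # snort's -l log directory
ROTATE_SECS=${ROTATE_SECS:-900}            # new capture file every 15 minutes

# Stage 1: black-box recording. tcpdump -G rotates to a new timestamped file every
# ROTATE_SECS seconds; -s 0 keeps full packets so snort sees the whole payload;
# -n avoids DNS lookups on the sensor. $2 is an optional BPF filter (left unquoted
# on purpose so a filter like "not port 22" is split into words).
start_capture() {
    iface=$1
    filter=${2:-}
    exec tcpdump -i "$iface" -n -s 0 -G "$ROTATE_SECS" \
        -w "$SPOOL/cap-%Y%m%d-%H%M%S.pcap" $filter
}

# List capture files ready for analysis: every file except the newest one
# (tcpdump is still writing it) that has no ".done" marker beside it.
# File names are timestamped by tcpdump, so a plain sort gives capture order.
pending_captures() {
    dir=$1
    ls "$dir"/cap-*.pcap 2>/dev/null | sort | sed '$d' | while read -r f; do
        [ -e "$f.done" ] || echo "$f"
    done
}

# Stage 2: run the full ruleset over one finished capture. -r reads the file
# instead of sniffing; the output plugins in snort.conf (e.g. the MySQL lines)
# still apply, so alerts land in the database exactly as in live mode.
process_capture() {
    f=$1
    if "$SNORT" -q -c "$SNORT_CONF" -r "$f" -l "$LOGDIR"; then
        touch "$f.done"          # marker so the file is never analyzed twice
    else
        echo "snort failed on $f" >&2
        return 1
    fi
}

# Run from cron every ROTATE_SECS, e.g. "*/15 * * * * /path/to/this.sh".
# Stops at the first failure so a broken capture is not silently skipped.
reprocess_spool() {
    for f in $(pending_captures "$SPOOL"); do
        process_capture "$f" || return 1
    done
}
```

Because the newest file is always skipped, the first run after startup analyzes nothing until tcpdump has rotated at least once.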



NEWS CONTENTS

Old News ;-)

[Dec 1, 2007] Project details for Snort2PF

Written in Perl
freshmeat.net

With Snort2Pf, you can turn your local Snort installation easily into an "intrusion detection and prevention system", rather than simply using it for post-mortem analysis. Such a system also blocks the recognized violations.

[Dec 21, 2006] Solaris Open Source Stack (SAMP=Solaris 10 OS, Apache 2.0.52, MySQL 5.0, and PHP 5) Quick-Start guide by Viet Pham

November 2006 (Bigadmin) This guide serves as a starting point for users to install, configure, and perform basic tuning of the open source stack SAMP (Solaris 10 OS, Apache 2.0.52, MySQL 5.0, and PHP 5). The article also covers PostgreSQL and Tomcat. The Solaris Zones feature (part of Solaris Containers technology in the Solaris 10 OS) is discussed to help users with scalability in mind.

Download the document as PDF.

[Oct 21, 2006] Brian Caswell Web site

This is a good idea, since Snort's ad hoc rule language is pretty poor, but it is not easy to implement.

Last updated at 2005/02/17 20:50 in software :: snort-perl

I'm calling the latest version of the Snort+Perl patch snort-perl 1.0. For now, I am maintaining snort+perl as a separate distribution of Snort. The changes for Snort to integrate with perl on a wide scale are rather large. Keeping up with that diff gets painful. As such, I plan on syncing features from Snort "regular" to Snort+Perl on a semi-regular basis.

The 1.0 distro of "snort+perl" is available here.

[Oct 21, 2006] Re [Snort-users] perl preprocessor plugin


On Thu, Nov 18, 2004 at 12:07:30PM -0800, Cliff Massey wrote:
> There used to be a perl preprocessor for snort called snort-perl.
> Has this been discontinued? Does anyone know if there is a way to
> use a perl script as a preprocessor? This would be very useful.
snort-perl was never a preprocessor. snort-perl is a detection plugin
only ever available as a patch.

Jeff & I wrote it a few years ago.  It is a little out of date, but
still useful.

I'm currently working on a replacement for it that is much more
advanced, but don't expect to see my replacement for another few
months.  If you ask very nicely, I'll update snort-perl to work with
2.3.0RC1 (which should be out shortly).

Brian

[May 26, 2006] The Blog of Ben Rockwood

I recently rolled out Snort at my place of employment. Sadly I had to make some serious compromises because I was given a Compaq DL360 (Gen 3) for deployment and Solaris 10 X86 was unhappy on the box. I was forced to use Linux and I was unsure of all the various best practices for Snort on Linux. Thankfully Mr. Patrick S. Harper was there to save the day! On the Snort.org documentation page you can find two of his papers:

Both these docs are extremely simple to follow and well tested. I printed both, put them in a binder, set it on top of my crappy DL360 and started installing CentOS. I followed it step by step and was never led astray. I've now got a pretty kickin' Snort box attached to mirror ports on each of our front-end switches. Thanks to BASE (Basic Analysis and Security Engine) there is a simple to use and understand web interface that my manager and network admin can access to get all the information they need without needing to log into the system or dig through dumps and logs.

If you're thinking about playing with or deploying Snort I highly recommend that you consider these two docs as your guide through the Snort universe. I bought both the Managing Security with Snort & IDS Tools and Snort Cookbook books from O'Reilly, but frankly Patrick's papers were far more useful to me. If you want to learn about Snort or dig into any particular aspect of a snort system, buy the books... but if you want to deploy a system, go and see Mr. Patrick S. Harper.

[May 16, 2006] Snort ruleset downloads

This message is to announce the availability of an update for the Sourcefire community rule set, which can be downloaded free of cost or registration from http://www.snort.org/pub-bin/downloads.cgi.

Snort education/Catalog Search Results

  1. Building and Operating Snort® v2.4. Subscription: 30 days. TRN-BUILDING-ONLINE-30, 30 days, 16, $695.00
  2. Building and Operating Snort® v2.4. Subscription: 60 days. TRN-BUILDING-ONLINE-60, 60 days, 16, $795.00
  3. Snort® Rules v2.4. Subscription: 30 days. TRN-RULES-ONLINE-30, 30 days, 16, $695.00
  4. Snort® Rules v2.4. Subscription: 60 days. TRN-RULES-ONLINE-60, 60 days, 16, $795.00

Sourcefire

[Oct 14, 2005] Slashdot "Intrusion Detection with Snort"

In order for an IDS to be effective, or in some high-bandwidth cases, even usable, detailed network and business context must be applied to the IDS. In a nutshell, IDSs are not as plug-and-play as firewalls or other security applications. For example, if you know you are not running any HTTP traffic on the segment where the IDS is sniffing, you may not want your IDS to waste cycles looking for attacks on Apache. On the other hand, you may feel that the mere presence of HTTP traffic may indicate something innately suspicious, so it is of value to watch for any HTTP traffic. It all depends on what you feel are legitimate threats to the network you are attempting to protect. Snort gives you the power to "watch" for specific attacks, protocol anomalies, or other chatter that has no legitimate business running on your network. Other closed source IDSs don't, or can't, have the same flexibility.

Why so many IDS deployments fail....

(Score:4, Insightful)

by saint10 (248611) on Thursday May 29, @01:34PM (#6068871)

"In order for an IDS to be effective, or in some high-bandwidth cases, even usable, detailed network and business context must be applied to the IDS. In a nutshell, IDSs are not as plug-and-play as firewalls or other security applications."

This hits the nail right on the proverbial head. So many articles in the security industry focus on "IDS failures" [sans.org]. If you don't know your network, servers, routers, and what they should be doing, you can't implement IDS effectively.

Very important topic, I'm glad this point so often missed made it into this book. Should be a good read.

You need HISTORY to develop good detection rules

(Score:3, Insightful)

by GringoGoiano (176551) on Thursday May 29, @04:04PM (#6070265)

Snort and the other intrusion detection systems perform to varying degrees at monitoring corporate resources resources and alerting personnel when something is amiss, according to the rulesets they've been given. The article assumes the rulesets are known in advance: your work is to take those rulesets and implement them in Snort or your favorite IDS.

The real world isn't so simple. IT personnel can only guess at all the possible security problems with the network equipment, hardware, server software, clients, external network connections, malicious hackers and information thieves out there -- as well as those rare dishonest insiders. A more effective security implementation includes plenty of logging, and subsequent log analysis.

Logs are easy to generate for all varieties of hardware and software. Collecting and centralizing log data lets you:

Having the history lets an organization more effectively implement the "detailed network and business context" within the real-time IDS solutions.

Of course, the real problem is the $2 million for the Oracle DB to manage all that log data. And querying all that history is a bear. And the DBAs, the software developers, etc. to manage that log history. I've heard that addamark's log management system [addamark.com] (LMS) is a good alternative. Someone told me their product replaced a DB2 cluster at one organization after a two-hour DB2 query took three minutes on an Addamark cluster. The cost savings, storage capacity, and log compression were phenomenal too.

Are there other log centralizing solutions out there you've heard of? Addamark seems to work because it's not a full-fledged traditional DB, but optimized for this log management problem -- can a traditional DB keep pace?

Building an Ethernet Tap

(Score:4, Interesting)

by cjsnell (5825) on Thursday May 29, @05:14PM (#6070946)

I read this review and looked through the Snort site and I've come to the conclusion that you must implement one of the following to use Snort to monitor incoming traffic between your router and a switch:

I have no spanning capabilities on my switch and I'm not about to put some $40 CompUSA hub on my production network so the only real choice for me is an ethernet tap. However, I'm having a very difficult time finding schematics for building a 100Mbit ethernet tap. The best I could find is this brief PDF [snort.org] that discusses a bi-directional tap. Unfortunately, this method also requires a spanning port on a switch.

I've found commercial ethernet taps [comcraftfr.com] for sale but they all cost upwards of $400. Surely there is a way to build one of these in a home workshop. Does anyone have schematics?

Chris

[Oct 14, 2005] BigAdmin Feature Article Introduction to Intrusion Detection With Snort

[Oct 5, 2005] HNS - Check Point to Acquire Makers of Snort

The deal failed to materialize because of security concerns (Checkpoint is an Israeli company).

"Check Point Software Technologies Ltd. and Sourcefire, Inc., developers of Snort, today announced that they have signed a definitive agreement for Check Point to acquire privately held Sourcefire for a total consideration of approximately $225 million.

"Martin Roesch Founder and CTO of Sourcefire, Inc. said the following:

"'I am very excited to announce that Check Point has signed an agreement to acquire Sourcefire, the company that develops the Snort project and maintains the snort.org domain. I know that many of you are probably going to ask 'what does this mean for Snort?,' so I'd like to take a few minutes to talk about that...'"

HOWTO Build Snort with ACID

Building Snort with ACID (Analysis Console for Intrusion Databases) is not that difficult. On some level it may seem complex because there is a lot to compile, recompile, configure, install and reinstall. Don't throw in the towel. Stick with it and you shall prosper. It's well worth it. I have built snort with ACID more than 10 times in the last two months. Based on those experiences, I have done everything to make your experience quick and easy.

But, before we get started let's clear up a few things first.

Using ACID and SnortSnarf with Snort - Chapter 6 of Intrusion Detection with SNORT

This book excerpt is from Chapter 6 of Intrusion Detection with SNORT: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID by Rafeeq ur Rehman, ISBN 0-13-140733-3, copyright 2003. All rights reserved. This chapter, titled "Using ACID and SnortSnarf with SNORT" is posted with permission from Prentice Hall PTR.

Analysis Console for Intrusion Databases (ACID) is a tool used to analyze and present Snort data using a Web interface. This chapter provides information about ACID and discusses how to install it with MySQL and Snort to view and analyze the intrusion detection data logged by Snort into the database.

In addition to ACID, the chapter also provides basic information about SnortSnarf, another tool that can be used with a web server. SnortSnarf is able to parse Snort log files and generate HTML pages that can be viewed using a Web browser.

To obtain Using ACID and SnortSnarf with Snort - Chapter 6 of Intrusion Detection with SNORT go to: http://searchenterpriselinux.t...

Linnet Solutions TCP-UDP Port Numbers

Neohapsis Archives -- archive of snort mail list -- pretty useful

[Snort-users] Improving the rule IDS212 - MISC - DNS Zone Transfer

Whitehats Network Security Resource

From FAQ:

How do I get Snort to log the packet payload as well as the header?

Use the "-d" command line option.

[Sept 30, 2005] BigAdmin Feature Article- Introduction to Intrusion Detection With Snort by Amy Rich

Abstract: After a brief discussion of intrusion detection systems (IDS), this article focuses on a pattern-matching network-based IDS, Snort.

Contents:

As soon as someone discovers a new computer security vulnerability, hordes of crackers start knocking at the doors of computers worldwide to see if they can penetrate their defenses. Many sites employ a combination of border router firewalls and host-based packet filters and wrappers to protect themselves, but what if the vulnerability is in the very mechanism that's used to secure a service? How can systems administrators know that their machines are under attack and/or have been compromised? The best way to catch the crackers in the act is to use an intrusion detection system (IDS).

[ May 20, 2005] Neohapsis Archives - Snort Discuss - #0125 - RE [Snort-users] Periodic DB Pruning

http://www.ntsug.org/downloads/archivePlus.tar.gz

Say thank you Paul :)

Patrick S. Harper | CISSP RHCT MCSE
www.internetsecurityguru.com

In a world of compromise, some don't.

-----Original Message-----
From: snort-users-adminlists.sourceforge.net
[mailto:snort-users-adminlists.sourceforge.net] On Behalf Of Dan Mahoney,
System Admin
Sent: Friday, May 20, 2005 5:54 AM
To: Snort Mailing List
Subject: [Snort-users] Periodic DB Pruning

Hey,

Does anyone have any scripts to troll the snort databases and/or logfiles and prune any reports older than a day (or some other period)?

-Dan Mahoney
12/2/02

[May 18, 2005] Chrooted Snort on Solaris by Andre Lue-Fook-Sang

With Solaris 10 zones you can probably do better than chrooting.

Do most people ever worry about the security of their Intrusion Detection System (IDS)? They should. With high speed Internet access being so common around the world, many personal PCs are being hijacked or shared by hackers these days. These hijacked PCs serve as a launch point for attacks, making it easier and more tempting for anyone to try their latest exploit because a reverse trace will most likely lead back simply to a compromised PC. Having a secure IDS is a necessary tool to see what kind of attacks or exploits are being tested against your network and systems. It can also reveal traffic from a prior hack if the intruder is still occasionally logging in. Hopefully, the latter never occurs.

With the addition of an IDS to your network, you do not want to neglect securing it and you do not want to also add the possibility of an attack or entry point. This would be all around embarrassing, especially if the IDS was a hard sell to management to begin with.

This paper will focus on installing a Snort IDS on the Solaris operating system, and securing it in a chrooted environment. Snort is an easy to use, cost effective, lightweight IDS that compiles and runs on every major operating system. Snort has had one major security flaw in its time, due to an RPC protocol buffer overflow [ref 1], which is why we will chroot its installation.

The effect of chrooting a process minimizes the impact of future buffer overflows like this one. The IDS process would still likely crash, taking the IDS offline, but the hacker would not gain access due to the overflow because the chrooted environment would not contain a shell.

Chrooting is the process of executing commands relative to the directory provided, which to the application becomes the new system root. All future system calls by the chrooted process will use the new system root directory as its filesystem root. As an example, if /export/home/ids is to be the new system root and Snort is normally located in /usr/local/bin/snort, it would now be located in /export/home/ids/usr/local/bin/snort. Nothing outside of /export/home/ids would be accessible.

To further reduce the chances of an IDS exploit we will also:

It's a good idea to also read the following two articles on Snort before continuing with this article:

[Jul 17, 2003] The Long and Short of Snort Intrusion Detection - NewsFactor Network

Intrusion-detection systems (IDS) have a mixed reputation in the world of enterprise IT. Many IDSs have been accused of being overly sensitive and flooding system administrators with false alerts. They are also notoriously tough to manage. On the other hand, such vendors as Symantec and Network Associates have gone out of their way to gobble up makers of intrusion-detection products, believing that they will become a must-have for an organization's security arsenal.

In the meantime, however, many organizations are still on the fence about intrusion detection. For them, the answer may lie with a product called "Snort," an open-source IDS distributed under the GNU GPL license by Martin Roesch, its creator. Snort allows IT organizations to start detecting intruders on the cheap, and it is a powerful program with a large following. But Snort is far from perfect, and potential users need to be aware of both its strengths and weaknesses.

A Foot in the Door

In short, Snort is capable of performing real-time traffic analysis and packet logging on IP networks. It uses protocol analysis and content matching to detect attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes and others. Snort also boasts real-time alerting capabilities for Syslog, user-specified files, or via other means. Primarily, it is used as a straight packet sniffer, a packet logger for network traffic debugging, or as a full-blown intrusion-detection system.

Many organizations bring Snort into the enterprise when they do not yet have the budget to support a commercial IDS, Michael Rasmussen, a director at Forrester Research, told NewsFactor. "It's in a lot of large-scale enterprises," he said, and is useful when management refuses to budget for intrusion detection because they do not understand its value.

"It's better than nothing, but most people will use it as a step along the journey" to using a commercial intrusion-detection system, Rasmussen said. Oftentimes, Snort is used to augment commercial IDSs, he noted.

Richard Stiennon, vice president of research at Gartner, said he frequently recommends installing Snort to organizations thinking of purchasing an IDS. "In doing so, you get 90 percent of the value of an IDS and get up to speed with the sorts of things an IDS is going to tell you," he pointed out. "You also learn what a pain in the butt [IDSs are] to manage."

Open Advantage

The strength of Snort is in its sensing capabilities, Stiennon said. "The goal of Snort is to have an efficient engine that identifies signatures of attacks and is quickly updateable," he added. Snort has a comprehensive database of such signatures maintained and updated by the open-source community.

The fact that Snort is open source also gives it a very robust programming language for organizations to build their own rule base, Dave Wreski, CEO of Guardian Digital, told NewsFactor. An administrator can take a particular string and use it to search for keywords that might be generated from someone across the Internet trying to attack a server.

Snort's rules language for describing traffic that should be collected or passed is flexible, and its detection engine utilizes a modular plug-in architecture. The plug-in capabilities, enhanced in version 2.0 of Snort, are powerful and enable administrators to develop an additional set of features -- like the ability to analyze a new type of traffic or log to a new type of database. These features can be plugged into a running version of Snort without having to recompile or obtain an additional license, Wreski said.

Other enhancements to version 2.0 include the ability to coexist with and analyze traffic in gigabit Ethernet and other fast networks. The Snort code base also was subjected to a third-party professional security audit. Additionally, the Snort developers have begun to introduce stateful pattern matching into the product, Wreski said, so that it can keep track of the state of network connections and analyze them as a whole rather than as individual parts.

Experts Only

Snort is not for the faint of heart. It requires a high level of technical aptitude, as well as knowledge about software security, Wreski said. And like most intrusion-detection products, it requires time to be tuned to a particular network environment. "Snort right off the Web is a framework for building an intrusion-detection system," said Wreski. "It's not automatically going to protect your network. It requires a level of commitment by management and technical staff."

Like most IDS products, there is a huge amount of overhead to running Snort, Rasmussen noted. "You can get it up and running in a basic implementation, but to get the full value of it requires a lot of time, dedication and experience," he said. "It takes a detailed understanding of the Snort source code."

Scalability Issues

On large networks, Snort does not scale as well as commercial systems, according to Rasmussen. Snort requires the skills to manage a number of different sensors across disparate networks. But with many commercial intrusion-detection products, IT staff can purchase a sensor for each network and use a single management console to collate the information. Snort developers are working on features that will facilitate that capability in Snort, Wreski said.

Meanwhile, Snort's data-management and workflow-management capabilities are not up to the standards of commercial software, Stiennon said. "Open-source software developers usually aren't half interested in GUIs and distributed management," he said. Stiennon recommends enterprises use an independent security-management console to gather the security-event data that Snort produces.

SourceFire, the company started by Roesch to offer a commercial version of Snort, recently announced that it has integrated the SourceFire Intrusion Management System with GuardedNet's neuSECURE security-management platform. As a result, customers will be able to correlate data from SourceFire's intrusion-detection products with data from firewalls, routers and other IDSs.

If SourceFire manages to take some of the kinks out of Snort and make it more suitable for large networks, there is no telling how far the product can go.

Snort-Setup for Statistics HOWTO

This document was written when I created an IDS sensor with Snort and using some statistic tools in order to help others implementing it. ...
http://www.faqs.org/docs/Linux-HOWTO/Snort-Statistics-HOWTO.html

FLoP - Fast Logging Project for Snort

This project uses a modified unix domain socket output plugin of the network intrusion detection system snort. The alerts generated by snort are read from the unix domain socket by another process called sockserv. This process reads from a socket and sends the alerts via TCP to a central server. On the central server a program called servsock reads these data and writes them via a unix domain socket to a database.

So this project is developed for environments with several remote sensors and one central server gathering the informations. With the normal database output plugin there would be several SELECT and INSERT statements via the network which would slow down the INSERT rate. Additionally in this scheme snort is blocked until all data is spooled to the database. The only reason why you will not loose traffic in between is the buffering in the kernel and/or libpcap. If this results in a buffer overrun in the kernel buffer you will not even notice it. In contrast the libpcap will report the dropped packets if it drops them. (With Linux you should use the libpcap version of Phil Woods at http://public.lanl.gov/cpw/ to get useful statistics.)

The advantage of this method is the complete decoupling of the output processing from snort. The programs sockserv and servsock buffer all alerts in cases of a slow network or a slow database access (or a heavy attack is going on generating a lot of alerts in a very short period). Both programs use two threads, one to receive data and one to forward this data either to the central server or to the database.

In addition to avoid an overrun of the internal buffer of the programs there exists a drop feature. Herein the alerts were dropped before they were forwarded to the central server (sockserv) or the database (servsock). A short description of each dropped alert can be e-mailed to a list of recipients.

Finally there is an alert feature which is able to send alerts as e-mails if the priority reaches a given level. This feature is intended to inform an admin on a high level alert. (There is still a problem in the definition of a high level: Is this a high priority value or a low one? This seemed to be changed sometimes between snort-1.8 and snort-2.0.)

Two further programs/features were added:
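A minimal relay in the spirit of the sockserv/servsock design described above (one receiving thread, one forwarding thread, a bounded buffer in between, and a drop feature that records a short description of each alert dropped on overrun), as an added example written for this page and not FLoP's own code. The Alert fields, the AlertRelay class and the constructed burst scenario are assumptions; the comment on priority numbering reflects Snort 2.x, where priority 1 is the highest.

```python
import queue
import threading
from dataclasses import dataclass

@dataclass
class Alert:
    sid: int        # Snort rule id
    msg: str        # rule message
    priority: int   # Snort 2.x classification priority: 1 = highest

class AlertRelay:
    """Two-thread relay modelled on FLoP's sockserv/servsock: a bounded buffer
    between receiver and forwarder; overflow is dropped, never blocking the sensor."""
    _STOP = object()

    def __init__(self, forward, capacity):
        self._buf = queue.Queue(maxsize=capacity)
        self._forward = forward
        self.forwarded = 0
        self.dropped = []   # short description of each dropped alert
        self._worker = threading.Thread(target=self._run, daemon=True)
        self._worker.start()

    def receive(self, alert):
        """Receiving thread: never blocks; False means the alert was dropped."""
        try:
            self._buf.put_nowait(alert)
            return True
        except queue.Full:
            self.dropped.append(f"sid={alert.sid} prio={alert.priority} {alert.msg}")
            return False

    def _run(self):
        """Forwarding thread: drains the buffer into the (possibly slow) sink."""
        while True:
            item = self._buf.get()
            if item is self._STOP:
                return
            self._forward(item)
            self.forwarded += 1

    def close(self):
        self._buf.put(self._STOP)  # alerts already queued are delivered first
        self._worker.join()

def overflow_demo(total=20, capacity=8):
    """Constructed scenario: the database stalls while `total` alerts burst in."""
    gate = threading.Event()
    delivered = []

    def stalled_sink(alert):
        gate.wait()            # stand-in for a slow network or database
        delivered.append(alert)

    relay = AlertRelay(stalled_sink, capacity)
    accepted = sum(relay.receive(Alert(1000000 + i, "constructed burst", 2)) for i in range(total))
    gate.set()                 # backend recovers; the buffer drains
    relay.close()
    return {"accepted": accepted, "forwarded": relay.forwarded,
            "dropped": len(relay.dropped), "delivered": len(delivered)}
```

Every alert is either delivered or appears in the drop list, so the sensor side is never stalled and nothing disappears silently.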

[Jul 27, 2000] Sysadmin, September 2000

Snort - A Look Inside an Intrusion Detection System by Kristy Westphal. This article will explore setting up Snort, how to use the various plugins, how to interpret the output of packet captures from Snort, and how it can complement other IDSs.

[Jul 27, 2000] Network Intrusion Detection Using Snort By Dave Wreski & Christopher Pallack

[Jul 27, 2000] Snort Tools and Info


Recommended Links

Sites

Snort - The Lightweight Network Intrusion Detection System -- main Snort site

Snort-Setup for Statistics HOWTO

Activeworx.org - Links

Snort Websites

Snort Books

Snort Documentation

Snort Add-Ons

Sourcefire Network Security - Intrusion Sensor -- commercial version of Snort (appliances).

Alternative source download page http://www.scorpions.net/~fygrave/snort-current.tar.gz (Fyodor ([email protected]))

Debian Administration: Using the 'snort' Intrusion Detection System

Third Party Tools - Snort Forums Archive

Neohapsis Archives - Snort Discuss

Whitehats Network Security Resource -- contains a useful database of snort rule interpretations

Snort Documentation -- by Andrew R. Baker (in HTML)

Neohapsis Archives -- snort mail list -- pretty useful

WIN32 port of snort

Snort Tools and Info

snort internals -- Fyodor's document

Incident.org's Snort Database Plugin Page -- contains the latest information about database support for Snort. The latest database plug-in provides support for logging to MySQL, PostgreSQL, and any database supported by unixODBC.

Reference

[PDF] Snort Users Manual 2.4.0

Snort-Setup for Statistics HOWTO

Snort Documentation -- Patrick Harper's documents.

Snort Documentation (2000, slightly outdated)

the Bleeding Edge of Snort - Documentation

Snort Installation Guide with BASE and MySQL (Wednesday, December 08 2004 @ 08:38 PM EST, contributed by jonkman). Ghaith Nasrawi has just posted a very detailed and useful installation guide to get you going with BASE and snort on MySQL. Very useful if you're trying to get into the IDS arena and need a little push.

Maillist Archive

Neohapsis Archives -- snort mail list -- pretty useful

[Snort-users] Improving the rule IDS212 - MISC - DNS Zone Transfer


Recommended Articles and Documents

[Sept 30, 2005] BigAdmin Feature Article: Introduction to Intrusion Detection With Snort, by Amy Rich. Pretty superficial article. Still, it can serve as a template for creating your own documentation.

Abstract: After a brief discussion of intrusion detection systems (IDS), this article focuses on a pattern-matching network-based IDS, Snort.

As soon as someone discovers a new computer security vulnerability, hordes of crackers start knocking at the doors of computers worldwide to see if they can penetrate their defenses. Many sites employ a combination of border router firewalls and host-based packet filters and wrappers to protect themselves, but what if the vulnerability is in the very mechanism that's used to secure a service? How can systems administrators know that their machines are under attack and/or have been compromised? The best way to catch the crackers in the act is to use an intrusion detection system (IDS).

An Introduction to Snort: A Lightweight Intrusion Detection System -- What Is an Intrusion Detection System? by Joseph Dries.

Snort is an Open Source, multiplatform, lightweight Intrusion Detection System. What does that really mean, and why should you consider deploying it? In this first of two articles on Snort, Joseph Dries helps you decide whether it is a good choice for your needs.

[Jun 15, 2001] Implementing Snort: A Lightweight Intrusion Detection System -- Installing Snort, by Joseph Dries.

Implementing Snort can be a bit daunting for those unfamiliar with Intrusion Detection Systems. This second article on Snort walks you through the process of obtaining, installing, configuring, testing, and managing Snort in a multiplatform computing environment.

[July 17, 2000] SecurityFocus: Snort Installation and Basic Usage by Dale Coddington <[email protected]>. This is a Solaris-specific article that covers installation and usage.

  • These instructions have been tested with the following:

  • Gathering the Required Software

    After downloading the required software packages, store them in /usr/local

  • Installation

  • Using Snort

    To see how snort can be used to read packets off the wire, try the following command:

    # snort -v

[Jul 27, 2000] Network Intrusion Detection Using Snort by Dave Wreski & Christopher Pallack

"This document takes you through the basics of intrusion detection, the steps necessary to configure a host to run the snort network intrusion detection system, testing its operation, and alerting you to possible intrusion events."

[Jul 27, 2000] Snort Portscan Preprocessor

ZDNet eWEEK: The software that cried wolf -- this is a universal problem; for Snort, for example, too many false positives, especially from virus rules, are a real nuisance...

Chances are, your company's intrusion detection software stopped suspicious-looking traffic today. Chances are, it was a false alarm, too.

Network attacks, including distributed denial-of-service and buffer overflow incursions, have put intrusion detection software on the front line in the battle against hackers. But the wider the deployment of intrusion detection, the more administrators are realizing the technology's limits and frustrations.

The reason: Too often, the software puts out false-positive alerts, which warn administrators about traffic that turns out to be innocuous but still send IT managers scurrying to plug security holes.

"It got to an absurd point, where every other day we were literally just blowing away our log file," said Robert Boyle, CEO of Tellurian Networks Inc., a managed-service provider in Newton, N.J.

Technically, false-positive intrusions are a hard problem for software companies to solve. The technology is a slave to a statistical phenomenon called the base rate fallacy. Attacks are rare relative to the amount of traffic coming into a network. The rarer the event, the more accurate the test must be to be useful. Right now, intrusion detection is not accurate enough and returns more false positives than true positives.
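The base rate fallacy from the eWEEK piece put into numbers, as an added example (not from the article): what fraction of a sensor's alerts are real attacks, and how low the false-alarm rate must be before half of the alerts are genuine. The attack base rate of 1e-5 per analysed unit and the false-alarm rates are constructed values, and the sensor is assumed to have perfect sensitivity so that only the false-alarm rate varies.

```python
def positive_predictive_value(base_rate, detection_rate, false_alarm_rate):
    """P(attack | alert) by Bayes' rule.
    base_rate        P(attack) per analysed unit (packet, flow, session)
    detection_rate   P(alert | attack), the sensor's sensitivity
    false_alarm_rate P(alert | benign), the per-unit false-positive rate"""
    true_alerts = base_rate * detection_rate
    false_alerts = (1.0 - base_rate) * false_alarm_rate
    return true_alerts / (true_alerts + false_alerts)


def max_false_alarm_rate_for_ppv(base_rate, detection_rate, target_ppv=0.5):
    """Largest P(alert | benign) that still keeps P(attack | alert) >= target_ppv.
    Solving PPV >= t for the false-alarm rate gives
    fpr <= base_rate * detection_rate * (1 - t) / ((1 - base_rate) * t)."""
    return (base_rate * detection_rate * (1.0 - target_ppv)
            / ((1.0 - base_rate) * target_ppv))


def base_rate_table(false_alarm_rates=(1e-2, 1e-3, 1e-4, 1e-5),
                    base_rate=1e-5, detection_rate=1.0):
    """Constructed illustration: share of alerts that are true attacks for a
    sensor that catches every attack, as its false-alarm rate improves.
    With one attack per 100,000 units, even a 1-in-1,000 false-alarm rate
    leaves about 99% of alerts false; only at 1-in-100,000 is half of them real."""
    return {fpr: round(positive_predictive_value(base_rate, detection_rate, fpr), 4)
            for fpr in false_alarm_rates}
```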


Proactive Response Tools

Note: This is a very questionable approach...


False positives

Neohapsis Archives - Snort discussion - [snort] smtp-chameleon-overflow rule wrong - From [email protected]

Random Findings


Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Created May 15, 2003; Last updated: March 12, 2019