Snort is an open source intrusion detection system that can be run on many platforms including windows, BSD, Solaris or MacOS X and Linux [5], it uses a rule-based language combining signature, protocol and anomaly inspection methods [17]. Snort can be deployed to monitor small TCP/IP networks and detect a wide variety of suspicious network traffic as well as outright attacks [16].
2.2 Snort Components
Snort is consisting of many components that works together to detect attacks and generate required format from the detection system. The major components of snort are Packet Decoder, Preprocessors, Detection Engine, Logging and Alerting System and Output Modules.
Figure 2-1 Components of Snort
A brief description of each component of Snort is presented in this chapter.
2.2.1 Packet Decoder
The job of the packet decoder is to get packets from different type of network interface such as Ethernet, SLIP (Serial Line Interface Protocol) and PPP (Point to Point Protocol) and prepare these packets to be preprocessed or sent to the detection engine.
2.2.2 Preprocessors
Preprocessors are important components that can be used with snort to perform many important jobs on data packets before they pass to the detection engine. Preprocessors used to arrange and modify data packets to find out if the packet is being used by intruder, it can be used to prepare data packets to be analyzed against rules in the detection engine and some preprocessors can perform detection by finding anomalies in packets headers and generating alerts. Preprocessors are also used for packet defragmentation. When a large data is transferred to a host, the packet is usually fragmented and on IDS, the packet should be reassemble before applying any rules or trying to find a signature. These functions are a very important part of the intrusion detection system.
Example :
If a rule created a rule to find a signature for example "scripts/iisadmin" in HTTP packets, hackers uses different techniques to fool IDS in different ways by making slight modifications to this string. For example:
• "scripts/./iisadmin"
• "scripts\iisadmin"
• "scripts/.\iisadmin"
If the IDS is looking for an exact match of the string, it is not able to detect this attack, because hackers can insert in the web Uniform Resource Identifier (URI) hexadecimal characters or Unicode characters which are perfectly legal as far as the web server is concerned. The web servers usually understand all of these strings and are able to preprocess them to extract the intended string "scripts/iisadmin". A preprocessor can rearrange the string so that it is detectable by the IDS.
2.2.3 The Detection Engine
The detection engine is the most important part of snort, its apply snort rules on different parts of a packet such as the IP header, the transport layer header (TCP, UDP, ICMP or other transport layer headers), the application layer level header (DNS, FTP, SNMP, and SMTP header) and packet payload to detect if any intrusion activity exists in that packet. After applying the rules against all packets, the detection engine will take appropriate action by logging the packet or generating alerts if a packet matches any rule or dropping the packet if not.
Detection engine is the time critical component of snort, its efficiency and its amount of time to respond to different packets depends on many aspects, some of these aspects are number of rules have been defined, power of the machine that snort running on, speed of internal bus used in the snort machine and the load of the network.
The detection engine works in different ways for different versions of Snort. When comparing snort version 1.x with snort version 2.x we can find a lot of differences such as:
In Snort version 1.x the detection engine take its action by logging the packet or generating an alert depending on the first matched rule, if there is multiple rules regardless of the priority of the rule, this can led to the problem of generating the low priority alert even if a high priority rule meriting a high priority alert is located later in the rule chain. While in snort version 2.0 the highest priority rule is selected to generate the alert after matching all the rules against a packet.
The detection engine of snort version 2.x is rewritten so that it is a lot faster compared to snort version 1.x.
2.2.4 Logging and Alerting System
Packets sometimes used to log the activity or generate an alarm depending on what the detection engine find inside a packet. The logs are kept inside a simple text files, tcpdump-style files or some other form.
2.2.5 Output Modules
The main job of the output modules is to process alerts and logs and generate final output, output modules can do other things such as logging to files, sending SNMP traps, logging to a database like MySQL or Oracle, generating eXtensible Markup Language (XML) output, modifying configuration on routers and firewalls and sending Server Message Block (SMB) messages to Microsoft Windows-based machines.
Name
Description
Packet Decoder
Prepares packets for processing.
Preprocessors or Input Plugins
Used to normalize protocol headers, detect anomalies, packet reassembly and TCP stream re-assembly.
Detection Engine
Applies rules to packets
Logging and Alerting System
Generates alert and log messages
Output Modules
Process alerts and logs and generate final output.
Table 2-1 Components of Snort
2.3 Snort Modes
Snort can be run on different modes; network sniffer mode and Network intrusion detection mode are the two basic modes.
2.3.1 Network Sniffer Mode
Snort in network sniffer mode acts like tcdump, it can capture and read the packets from the network and display them in continues stream on the console or logging them to a log file, no configuration file is needed to run snort in this mode.
2.3.2 Network Intrusion Detection Mode
In network intrusion detection mode the network traffic analyzed and the rules apply to all captured packets, the packet is logged or an alert is generated only when the packet matches a rule, otherwise the packet is dropped silently and no log entry is created. A configuration file contains Snort rules or reference to other files that contain snort rules is needed in the network intrusion detection mode, the configuration file also contains information about input and output plug-ins [16].
2.3.3 Packet Logger Mode
In packet logger mode the packets are logged to the disk into specified logging directory in a hierarchy of directories based upon the IP addresses of the packets in their ASCII format.(Antionline a look into ids/snort)
2.3.4 Inline (IPS) Mode
Snort inline mode allows snort to drop or pass packets based on the specific snort rules [1], it obtains packets from iptables instead of libpcap and then uses new rule types to help iptables pass or drop packets based on Snort rules..
( http://forumny.org/index.php?controller=details&show=178)
2.4 Snort Rules
Snort rules are the most powerful part of snort, that are written in an easy way to understand syntax, they are used by the system to detect incidents and they can be used to generate an alert message, log a message or pass the data packet. Most of snort rules are written in a single line and they can be extended to multiple lines by using a backslash character at the end of lines, rules are usually kept in a configuration file and sometimes in multiple files by including them in a main configuration file. Snort rules are usually stored in a directory or subdirectory from the Snort binary. The rules files are categorized into different groups; for example, the file ftp.rules contains a selection of FTP attacks and exploits (harrykars)
2.4.1 Structure of a rule
Snort rules are divided into two logical sections rule header and rule options.
2.4.1.1 Rule Header
The rule header contains information about what action a rule takes. It also contains criteria for matching a rule against data packets. Rule header consists of the following parts:
Action This part decides which action should be taken after the criteria met and a rule is matched against a data packet such as generating an alert or log message or invoking another rule.
Protocol This part is responsible for applying the rule on packets for a particular protocol only such as IP, ICMP, and UDP.
Address This part is used to define the destination and source addresses based on the direction part. Address may be a single host, multiple hosts or network addresses; it can be also used to exclude some addresses from a complete network.
Port This part determines the source and destination ports of a packet on which the rule is applied. In case of network layer protocols like IP and ICMP, port numbers have no significance.
Direction Part of the rule actually determines which address and port number is used as source and which as destination.
Action
Protocol
Address
Port
Direction
Address
Port
Figure 2-2 Structure of snort rule header
2.4.1.2 Rule Options
The rule option contains alert messages and information on which parts of the packet should be used to generate the alert message; it contains additional criteria for matching a rule against data packets.
Rule options follow the rule header and are enclosed inside a pair of parentheses. There may be one option or many that form a logical AND, and the options are separated with a semicolon. The action in the rule header is invoked only when all criteria in the options are true, an option may have two parts: a keyword and an argument, arguments are separated from the option keyword by a colon.
Figure 2-3 Rule Header and Options Details
2.5 Snort Signatures
A signature is defined as any detection method that relies on distinctive marks or characteristics being present in an exploit. These signatures are specifically designed to detect known exploit as they contain distinctive marks; such as ego strings, fixed offsets, debugging information, or any other unique marking that may or may not be related to actually exploiting vulnerability.( http://www.snort.org/snort/faq/#2.2)
2.6 Snort Supported Platforms
There are number of supporting platforms and operating systems for snort such as (01314.pdf)
• Linux
• OpenBSD
• FreeBSD
• NetBSD
• Solaris (both Sparc and i386)
• HP-UX
• AIX
• IRIX
• MacOS
• Windows
Snort usually runs best under the OpenBSD, FreeBSD, and Linux systems. Although Snort works on windows, it is still not the perfect choice,it requires the Libpacap (Winpacap on windows) to be installed.
Snort also works on many CPU architectures:
i386
Sparc
PowerPC
Alpha
2.7 Type of Attacks
Snort can be used to detect a variety of attacks and probes such as buffer overflows, stealth port scans, CGI (common Gateway Interface) attacks, SMB (Server Message Block) probes, OS fingerprinting attempts, trojan horses, and much more. Snort at network layer can only detect packets that are part of TCP\IP protocol suite; it can't detect attacks that are carried out over other network protocols, such as Novell's IPX/SPX or AppleTalk.
2.8 snort notification
Snort Have two types of output facilities to notify the user about the attack. The first type is the alerting facilities that notify that something has happened; the second is the logging facility that logs the full packet information to the output format (pcap, ascii, database, etc).(antionline.pdf)
2.8.1 Alerting Mode
Alert is generating when a captured packet matches a snort rule, alert give information about the kind of attack, where it's coming from, where it's going and where to find more information about the attack. Snort can send alert in many modes that are configurable through command line and snort.conf file.
2.8.1.1 Fast Mode
Fast alert mode logs the alert with a simple format with information about timestamp, alert message and source and destination IP /ports; the actual packet is not logged in this file when using this alert mode.
Example:
05/28-22:16:25.126150 [**] [1:0:0] Ping with TTL=100 [**]
{ICMP} 192.168.1.100 -> 192.168.1.3
This alert message shows the following information:
Date and time the alert occurred.
Message present in the rule that generated this alert. In this example, the message is "Ping with TTL=100".
Source address which is 192.168.1.100.
Destination address which is 192.168.1.3.
Type of packet; in the above example, type of packet is ICMP.
2.8.1.2 Full Mode
Full alert mode is the default mode that prints the alert message and the packet header.
Example:
[**] [1:0:0] Ping with TTL=100 [**]
05/28-22:14:37.766150 192.168.1.100 -> 192.168.1.3
ICMP TTL:100 TOS:0x0 ID:40172 IpLen:20 DgmLen:60
Type:8 Code:0 ID:768 Seq:20224 ECHO
Additional information about the packet header are included
Time to Live (TTL) value in the IP packet header.
The Type Of Service (TOS) value in the IP packet header.
Length of IP packet header shown as IpLen:20.
Total length of IP packet shown as DgmLen:60.
ICMP Type field.
ICMP code value.
IP packet ID.
Sequence number.
ICMP packet type which is ECHO.
2.8.1.3 UNIXSOCK
Sets up a UNIX domain socket and sends alerts to it.
2.8.1.4 Sending Alerts to Syslog
Syslog is a system logger daemon and it generates log files for system events. in the syslog mode alerts will be send to Syslog daemon and depending on the configuration of the Syslog the alerts can be saved into a particular file.
2.8.1.5 Sending Alerts to SNMP
In this mode an output plugin will be configure to send messages in the form of SNMP traps to a network management system.
2.8.1.6 Sending Alerts to Windows
Snort can send alerts to Microsoft Windows machines in the form of pop-up windows. These pop-up windows are controlled by Windows Messenger Service. Windows Messenger Service must be running on Windows machine for pop-up windows to work.(16)
2.8.2 Logging Mode
The Logging mode just logs full packet information to the various sources without generating an alert.
2.9 Practical Example of using snort
After installing Snort 2.8.6 on my machine with windows 7 and learning how to write a rule, I create my own rule to test snort, and configured snort.conf file to include this rule.
The following example is going to assume that an organization policy prevents any user to access to youtube, and if any one tries to access youtube will violate organization rule and snort will alert, I simulate attack to do that.
Writing the rule
I used a simple program to write the rule "Programmers Notepad" and then saving the rule in the path c:\snort\rules with the name youtube.rules
Understanding the rule
Rule header:
Alert: This is the output format
TCP: This is the protocol that being used.
Any: this is the source ip address and by default it is any.
Any: this is the source port and by default it is set to any port
-> This arrow indicates direction of the conversation.
Any: this is the destination ip address and by default it is any.
Any: this is the destination port and by default it is set to any port
Rule options:
Content: Snort will try to match this content with the packet to find a match; in this case snort will match "www.youtube.com" with the packet.
Msg: The message "someone visiting youtube" will be displayed by the alert.
sid:1000002: This is the rule unique identifier.
Rev:1: This option refers to the version number for the rule.
Configure the Snort.conf file
After writing and saving the rule the snort.conf file should be configured to include the youtube rule.
Using snort:
First I run the prompt command and changing the path to c:\snort\bin where the snort application exists, then I wrote the command "snort -c c:\snort\etc\snort.conf -l c:\snort\log -A console -i 4" that tell the snort application to read the snort.conf configuration file that is available in the path c:\snort\etc, log the result in the path c:\snort\log, Sends "fast-style" alerts to the console (screen) and specify the interface that used.
Now the snort is running and the detecting engine is able to detect any behavior.
I opened internet explorer and accessed to the site www.youtube.com at 2:41 am to check my rule
Now I back to the prompt command to check if the snort catches the attack or not, the following alert appeared
This alert means that someone is trying to access www.youtube.com at 2:41 pm using TCP protocol
After checking the folder C:\snort\log to find out if snort log the output there or not, I found that a new file with the name snort.log.1288741012 has been created.
2.10 Conclusion
In this chapter the open source intrusion detection system "Snort" is discussed in theoretical and practical manner. Snort is an open source intrusion detection system that can be supported by different type of operating systems; it can be run on different type of modes such as network sniffer mode, network intrusion detection mode, packet logger mode and inline (IPS) mode. Snort is composed of many component that work together to detect variety of attacks and probes such as buffer overflows, stealth port scans, CGI (common Gateway Interface) attacks, SMB (Server Message Block) probes, OS fingerprinting attempts and trojan horses. Snort component are packet decoder that prepares packets for processing, preprocessors that used to normalize protocol headers, detect anomalies, packet reassembly and TCP stream re-assembly, detection engine is other important component that applies rules to packets, logging and alerting system that generates alert and log messages and the last component is the output modules that process alerts and logs and generate final output.
