System News
"Introduction to Intrusion Detection With Snort"
Amy Rich Discusses the Pattern-Matching Approach to Security
October 10, 2005, Volume 92, Issue 2

When an attack is identified, Snort can take a variety of actions to alert the systems administrator to the threat.

-- Amy Rich
 

Amy Rich has written a Sun BigAdmin article entitled "Introduction to Intrusion Detection with Snort" that begins with a survey of intrusion detection systems (IDS) and then moves on to consider Snort, a pattern-matching network-based IDS. The article includes abundant code examples.

Rich argues that systems administrators need some assurance that the mechanisms in place to protect against exploitation of vulnerabilities (firewalls, packet filters, wrappers) do not themselves have vulnerabilities that can be exploited. The way to obtain that assurance, she argues, is to use an intrusion detection system, whether a host-based intrusion detection system (HIDS), a network-based intrusion detection system (NIDS) or a combination of the two.

The strength of an HIDS, Rich continues, is its ability to detect attacks local to the machine, or attacks carried over an encrypted or switched network where a network sensor cannot see the traffic. A disadvantage inherent to HIDS is the cost of administering and running them on every machine in the system. NIDS, on the other hand, employ either statistical anomaly detection or pattern-matching detection; attacks can be recognized before they are widely publicized, but both approaches require frequent rule updates, and both can be susceptible to false positives and to obfuscation and evasion attacks.

Snort, itself a pattern-matching NIDS, "...can perform real-time packet logging, protocol analysis and content searching/matching. It can be used to detect a variety of attacks and probes such as stealth port scans, CGI-based attacks, Address Resolution Protocol (ARP) spoofing and attacks on daemons with known weaknesses. Snort utilizes descriptive rules to determine what traffic it should monitor and a modularly designed detection engine to pinpoint attacks in real time. When an attack is identified, Snort can take a variety of actions to alert the systems administrator to the threat," Rich asserts.

Snort employs several components to accomplish these tasks: the packet sniffer, preprocessors, the detection engine, logging and alerting mechanisms, and output processors. Together they let Snort capture and decode IP packets, reassemble fragmented packets before inspection, match patterns against the data stream, define responses to recognized attacks, and control the format of its logs and alerts.

Rich provides instructions on installing prerequisites to Snort and then Snort itself, including code for each. She follows this information up with considerations of the Snort Configuration File and the Snort Preprocessor Statements.

Snort's detection engine, Rich points out, uses a simple, flexible rule-description language, similar in style to shell syntax, that describes how matching traffic should be handled. Again, she provides illustrative code.
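The rule language, the pattern-matching engine and the evasion problem mentioned above, as an added illustration that is not part of Rich's article or of Snort's own code: a small Python matcher for a simplified subset of Snort rule syntax (the header plus the msg, content, nocase and sid options), run over constructed packets. It also shows why the preprocessors matter: the same probe string split across two TCP segments slips past packet-at-a-time matching but is caught once a toy stream reassembler joins the segments. The rules, addresses and traffic below are constructed for the example, and the reassembler is a deliberate simplification of what Snort's preprocessors do.

```python
"""Minimal Snort-style rule matcher (added illustration, not Snort's own code).

Assumptions: a simplified subset of the rule syntax (header, msg, content,
nocase, sid), plain-string content only, and a toy stream reassembler that
merely orders segments by sequence number. Rules and traffic are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed rules in Snort syntax: action proto src sport -> dst dport (options)
RULES = """
alert tcp any any -> 192.168.1.0/24 80 (msg:"WEB-CGI phf access"; content:"/cgi-bin/phf"; nocase; sid:1000001;)
alert tcp any any -> any 21 (msg:"FTP USER root"; content:"USER root"; sid:1000002;)
"""

_HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str
    content: bytes
    nocase: bool
    sid: int


@dataclass
class Packet:
    """Decoded fields the matcher needs (a stand-in for Snort's packet decoder)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes
    seq: int = 0  # TCP sequence number, used only by reassemble()


def parse_rule(line: str) -> Rule:
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError(f"unparsable rule: {line!r}")
    opts, nocase = {}, False
    for opt in m["opts"].split(";"):  # simplification: no ';' inside quoted values
        opt = opt.strip()
        if opt == "nocase":
            nocase = True
        elif opt:
            key, _, val = opt.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dst"], m["dport"],
                opts.get("msg", ""), opts["content"].encode(), nocase, int(opts["sid"]))


def load_rules(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def rule_matches(rule: Rule, pkt: Packet, data: Optional[bytes] = None) -> bool:
    """Cheap header checks first, then the content search over the payload."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if not (_addr_ok(rule.src, pkt.src) and _addr_ok(rule.dst, pkt.dst)):
        return False
    if not (_port_ok(rule.sport, pkt.sport) and _port_ok(rule.dport, pkt.dport)):
        return False
    hay, needle = (pkt.payload if data is None else data), rule.content
    if rule.nocase:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay


def inspect_packets(rules: List[Rule], packets: List[Packet]) -> List[Tuple[int, str]]:
    """Packet-at-a-time inspection: what a matcher sees without stream reassembly."""
    return [(r.sid, r.msg) for p in packets for r in rules if rule_matches(r, p)]


def reassemble(segments: List[Packet]) -> bytes:
    """Toy reassembly: order one flow's segments by seq and join their payloads
    (ignores overlap, retransmission and gaps, which real preprocessors must handle)."""
    return b"".join(s.payload for s in sorted(segments, key=lambda s: s.seq))


def inspect_stream(rules: List[Rule], segments: List[Packet]) -> List[Tuple[int, str]]:
    """Inspect the reassembled stream, using the first segment's header fields."""
    data = reassemble(segments)
    return [(r.sid, r.msg) for r in rules if rule_matches(r, segments[0], data)]


# Constructed traffic. The probe string is split so that neither segment alone
# contains "/cgi-bin/phf", a classic way to slip past per-packet matching.
WEB = dict(proto="tcp", src="10.0.0.7", sport=40123, dst="192.168.1.20", dport=80)
PHF_ONE_PACKET = [Packet(**WEB, payload=b"GET /CGI-BIN/phf HTTP/1.0\r\n\r\n")]
PHF_SPLIT = [Packet(**WEB, payload=b"in/phf HTTP/1.0\r\n\r\n", seq=110),
             Packet(**WEB, payload=b"GET /cgi-b", seq=100)]  # arrives out of order
FTP_ROOT = [Packet("tcp", "10.0.0.7", 40124, "192.168.1.21", 21, b"USER root\r\n")]
WEB_OTHER_NET = [Packet("tcp", "10.0.0.7", 40125, "172.16.0.9", 80,
                        b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n")]

if __name__ == "__main__":
    rules = load_rules(RULES)
    print("single packet  :", inspect_packets(rules, PHF_ONE_PACKET))
    print("split, per-pkt :", inspect_packets(rules, PHF_SPLIT))
    print("split, stream  :", inspect_stream(rules, PHF_SPLIT))
    print("ftp USER root  :", inspect_packets(rules, FTP_ROOT))
    print("other network  :", inspect_packets(rules, WEB_OTHER_NET))
```

Running the script shows the point of the architecture: the header fields (protocol, CIDR and port) prune rules before any content search runs, `nocase` catches the upper-cased probe in one packet, the split probe produces no alert when each segment is inspected alone, and the same rule fires once the segments are reassembled. A real matcher also has to cope with overlapping and retransmitted segments, hex-encoded content (`|0d 0a|`), and many more options than this subset; those are exactly the gaps that evasion tools target and that Snort's preprocessors and rule language exist to close.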

Given that Snort is a pattern-matching IDS, Rich writes, its rules require frequent updating, which can be done in one of four ways provided by Sourcefire, Snort's developer: download the latest Snort source distribution, which carries the rules current at release time; obtain the rules from the Snort Download Rules page; subscribe to receive the Sourcefire Vulnerability Research Team (VRT) rules, which are later released free to registered users; or use the rules developed by the open source community.
