Snort presentation notes
Here are the notes from our 9/6/07 BLUG meeting
presentation submitted by Jeremiah Gray
for posting to the BLUG list.
IDS & IPS with Snort
Intrusion detection and intrusion prevention have been popular topics of
computer security, and many of those conversations probably involve Snort at
some point or another. Snort is a highly configurable intrusion detection
system that can work as either a host-based or network-based IDS or IPS.
The key difference between an IPS and an IDS is that an IDS generates
sophisticated logs based on rules regarding attack signatures, but it does
not take action against the attackers. An IPS, on the other hand, can be
used to rewrite firewall rules on the fly to keep out traffic that has been
detected as malicious. Snort is a popular open source application that is
used by over 100,000 businesses worldwide and has portions of its code
embedded into no less than 45 commercially-available appliances.
An IDS monitors network traffic and will generally work in one of the
– Signature detection – where it inspects packets and compares them to a
list of known attack signatures. Because signature detection systems check
against an existing list of attack signatures, new and innovative attacks
are more likely to pass through the IDS undetected. This is called a false
negative.
– Anomaly detection – where the software learns what is “normal” on your
network and alerts you to abnormal traffic. Anomaly detection will more
often produce false positives, which is to say you will be alerted about
normal activity.
Snort uses Signature detection, with rules available in various locations:
http://snort.org/pub-bin/downloads.cgi – ($, sub, unsub)
* Oinkmaster (perl script) recommended for rules management
An IDS will generally be deployed in one of two fashions:
– Host-based IDS
  – Monitors incoming packets and compares against rules to determine
  – Examines system logs for unusual entries such as repeated login
    attempts (with statefulness)
  – Verifies filesystem integrity
– Network-based IDS
  – Monitors all subnet traffic, requiring the NIC to be in promiscuous
    mode (achieved with libpcap)
  – Generates real-time alerts for attacks
  – Writes log files to help with subsequent analysis of the exploitation
  – Expects CIDR notation (i.e. a class C IP 192.168.1.0 with subnet mask
    255.255.255.0 becomes 192.168.1.0/24)
Path of a Packet in IDS System:
1. PCAP sends the unprocessed data link frame from the NIC to Snort
2. Packet Decoder decodes the data link, then network, then transport layers
3. Preprocessor plugins operate on the network (IP) layer and initially divert
   packets away from the detection engine – statefulness comes from these
   – Preprocessors include:
     – Stream4 – TCP stream reassembly & stateful analysis, combats the
       “stick” and “snot” attack tools
     – frag2 – Similar to Stream4 but for protecting against fragmented
     – SnortSam – plugin that allows sophisticated targeting based on IP
4. Detection engine performs the main task, which is to determine what gets
   marked as what and why
   – Snort has the following output modules:
     – alert_syslog – writes alerts out to /var/log/messages
     – alert_fast – writes single lines to a designated file
     – alert_full – slow and not recommended for production use
     – log_tcpdump – writes to a binary file, accessible like other tcpdump
     – database – logs to a user-configured database
   – Snort’s Detection Engine has the following rule actions, which apply to
     icmp, ip, tcp, and udp:
     – alert – generates an alert and logs the packet
     – log – logs the packet
     – activate – alerts and then turns on a dynamic rule
     – dynamic – like a log rule, but only when activated by an activate rule
   – Snort rules have the following option categories:
     – meta-data – provide info about the rule but don’t affect detection
     – payload – look for data in the packet payload
     – non-payload – look for non-payload data
     – post-detection – rule-specific triggers that happen after rule
   – A Snort rule might look like this:
     drop tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22";
       flow:to_server,established; content:"|0D 0A|[RPL]002|0D 0A|";
       classtype:misc-activity; sid:103; rev:7;)
* Note, do not run Snort as root.
** You will need to run Snort as root if you run IPS mode (inline) and
therefore should probably have a dedicated snort box – a dedicated Snort
sensor generally runs ~130 processes total.
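As an added example (not part of Jeremiah's notes or of Snort itself), here is a small Python parser for the rule format shown above: it splits the header from the options, accepts the four IDS actions plus the three inline actions (drop, reject, sdrop) described in the Snort Inline section, decodes the |hex| content notation, and checks a constructed payload against the SubSeven rule. The rule text and the payload bytes are constructed test input.

```python
import re

# Rule actions named in the notes: the IDS set plus the three inline (IPS) actions.
IDS_ACTIONS = {"alert", "log", "activate", "dynamic"}
INLINE_ACTIONS = {"drop", "reject", "sdrop"}
# Constructed input: the SubSeven rule from the notes, with straight quotes.
SUBSEVEN_RULE = ('drop tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; '
                 'flow:to_server,established; content:"|0D 0A|[RPL]002|0D 0A|"; '
                 'classtype:misc-activity; sid:103; rev:7;)')

# Header layout: action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')

def split_options(body):
    """Split 'key:value; key:value;' on semicolons that are outside double quotes."""
    parts, cur, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append("".join(cur)); cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]

def parse_rule(rule):
    """Return the header fields, the parsed options and whether the action is inline-only."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule header")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    if action not in IDS_ACTIONS | INLINE_ACTIONS:
        raise ValueError(f"unknown rule action {action!r}")
    options = [tuple(s.strip() for s in opt.partition(":")[::2]) for opt in split_options(body)]
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dir": direction,
            "dst": dst, "dport": dport, "inline": action in INLINE_ACTIONS, "options": options}

def content_to_bytes(value):
    """Decode a content: value; text between | bars is hex, everything else is literal."""
    out = b""
    for i, chunk in enumerate(value.strip('"').split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return out

def rule_matches_payload(parsed, payload):
    """True when every content: option of the rule occurs somewhere in the payload bytes."""
    patterns = [content_to_bytes(v) for k, v in parsed["options"] if k == "content"]
    return bool(patterns) and all(p in payload for p in patterns)
```

Real Snort also honours flow, depth/offset and many other modifiers; this parser only demonstrates how the header, the option list and the content notation fit together.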
Visual presentation apps: Sguil, ACID
Snort Inline as Intrusion Prevention System
Snort can also be used in conjunction with libipq instead of libpcap in
order to rewrite iptables rules as needed to divert malicious packets.
Snort Inline used to be a separate app, but is now included as part of
snort. Obviously you have to be careful to not lock yourself out, and
moreover, to patch all of your code because however handy Snort is, once
you’re exploited, it’s working against you. As such, using a preprocessor
like SnortSAM and whitelisting a specific IP you can always reach might not
be a bad idea.
– Need iptables with install-devel which loads libipq and allows QUEUEing in
– Need LibNet from packetfactory.net
Inline rules are slightly different, so existing rules will need to change:
– drop – iptables drops packet, normal snort log
– reject – iptables drops packet, TCP reset sent and if that fails, UDP
– sdrop – iptables drops, no log entry
Snort Inline allows for replacing packet payload but the content must of the
Preprocessor options are slightly different. For example, the Stream4 option
“inline_state” drops TCP packets not associated with existing TCP sessions
outright. Also, because we’re dealing with iptables for input, we lose
layer 2 data and are left with the network layer and up.
Snort is a useful part of a security strategy; it does not protect against
exploits in your other apps and it does not detect anomalies. For
information on exploits and patching them, check out:
Regular BLUG mtg with Scribus
This Thurs, July 5th, from 7pm til 9pm,
in D bldg (usually room D-5), at BTC, will be the
regular monthly meeting of BLUG.
Carl Symons will be presenting Scribus:
“There’s more to open source Desktop Publishing than meets the eye.
Professional quality printed materials, eye-catching graphics. High-end page
layout capability on a par with Adobe and Quark.”
His presentation will include:
a Demo, Free samples, Color management, Gamma correction, and Scripting.
We’ll also have our usual Q&A and Linux news sessions, as well
as our open discussion.
See you there,
Tomorrow, Thurs June 7th, from 7pm til 9pm,
in D bldg (usually room D-5) at BTC, will be the
regular monthly meeting of BLUG.
Jim will be presenting on “system disaster recovery”.
An overview of DOS disk segmentation, and partition tables.
Issues having to do with the capture of information from a hard disk as
related to disaster recovery
How to backup and record information on optical media from the command line
A description of the SystemRescue rescue disk distribution and its
A demo of some scripts written in bash shell script for the purpose of
We’ll have our usual Q&A and Linux news sessions, as well
as open discussion.
See you there,
Dot Org Mtg at Marks Thursday 19th
This Thursday the 19th is the special meeting of Blug’s Fest Dot Org Committee.
A lot of last minute stuff has yet to be accomplished to pull this Fest off.
It’s this Thurs the 19th, 7pm till 9pm, at Mark’s house.
I’ll still have some of the large posters available.
If you’d like to attend and need directions contact Mark at xxxx
see you there,
bill at blug dot org
Jim Armstrong’s talk has been re-scheduled for another month.
Instead we will talk about plans for the Linuxfest coming up at the end of the month, and I will demo an open source hardware emulation system called QEMU http://fabrice.bellard.free.fr/qemu/index.html
QEMU is a virtual machine similar to VMware that can be used to run virtual computers on a Linux host system.
Linux Virtualization with OpenVZ
John Blandford will be presenting: Linux Virtualization with OpenVZ
OpenVZ is an Operating System level server virtualization system
recently released under the GPL by SWsoft.
An OS level virtualization scheme runs a single OS kernel. It provides
resource isolation and management to divide up the system into multiple
virtual servers. These virtual servers look to their users like full
physical servers, but are really just containers of normal processes and
files in the underlying OS. This lightweight approach lets these
systems run hundreds of virtual servers on common hardware.
John will talk a bit about virtualization, and then show OpenVZ in action.
For more information, take a look at:
Blug BTC Meeting – Slackware
Aaron Miller will demonstrate a new version of Slackware. John will marvel at how much it has changed since the old days.
Blug Meeting – Ubuntu/Kubuntu
Install Ubuntu or Kubuntu and fatten up your machine with lots of useful additions from various Debian repositories. This will be an informal session with an MC at the front and lots of input from members of the audience. We plan on doing a live demo.
If you’ve been thinking about moving from Novell/SuSE to another distro this would be a good meeting to attend.
Blug Install Fest Thurs Oct 5th
On Thursday Oct 5th at BTC in D bldg 7pm til 9pm
BLUG will host an open to the public Linux install fest.
I have three SuSE Enterprise Desktop 10 and four SuSE Open Linux CDs,
donated by Novell, that will be available.
Anyone else with other flavors please bring your CDs.
BLUG’rs tell your friends who’ve been thinking about Linux and
come yourselves to lend support with technical assistance.
John B. will be there to talk about “Install HowTo’s, Tips and Tricks”
It should be fun, so spread the word “Now is the time to try
BLUG meeting Thursday Sept 7th at BTC
Adrian will finish his talk on Base and Mark will use the second half of the meeting for Dynamically Generated Open Office Documents. The meeting will be held in D building at Bellingham Tech College from 7pm till 9pm.