Snort: A Network Intrusion

Detection Software

Matt Gustafson
Becky Smith
CS691 Semester Project
Spring 2003
 Intrusion Detection Systems are used to
discover “attempts to comprise the confidentiality,
integrity, and availability… of a computer or
network.” (Bace, p.5)

 Snort is a Network IDS with three modes:

sniffer, packet logger, and network intrusion
detection. Snort can also run in the background as
a daemon.

 Analysis Console for Intrusion Databases

(ACID) is a viewer for IDSs which supplies a web
based interface for monitoring and analyzing
possible intrusions.
 Why choose Snort?
When deciding what type of IDS to incorporate,
there are two main requirements to consider:
• Accountability – Who attacked?
• Response – What action to take when an attack is
found?
Snort focuses on response because accountability is
difficult to accomplish due to techniques such as
IP Masquerading. Snort is easy to maintain and
administrate. Snort can monitor small or large
networks. Snort contains multiple output options.
For instance, unsock, sends alerts to a UNIX
socket that a program can listen on (i.e. firewall).
Figure 1 from Snort Installation Manual (Scott, p. 7)
Figure 2 from Snort Installation Manual (Scott, p. 7)
 Software Required to run Snort
 Redhat 8.0 ftp://ftp.redhat.com
 Snort v2.0, Snort Daemon
http://www.snort.org/dl/
 MySQL v3.23.52
http://www.mysql.com/downl
oads/mysql-3.23.html
 Webmin v.99
http://www.webmin.com/
 NetSSLeay v1.20
http://symlabs.com/Net_SSL
eay/
 ACID v0.9.6b23
http://acidlab.sourceforge.net
/ http://msbnetworks.net/snort/
 OpenSSL v1-0.9.7b
http://www.openssl.org/
 PHP v 4.1.2-7.3.6
ftp://updates.redhat.com/8.0/
en/os/i386/
 ADODB v 2.50
http://php.weblogs.com/adod
b
 PHPLOT v4.4.6
http://www.phplot.com/
 GD v1.8.4
http://www.boutell.com/gd/
 Mozilla
http://www.mozilla.org/
 Snort Webmin module v1.08
Configuring and Operating Snort
1. Install all recommended software and snort.
2. Configure SSL Encryption with Webmin
http://<snortmachinename>:10000/
3. Setup Module Configuration from the Snort IDS Admin.
a. Decide what options to run Snort with.
b. Specify location of Snort configuration file and rule files.
4. Create a MySQL database for Snort.
5. Setup appropriate users and passwords for Snort,
MySQL, and ACID.
6. Edit the snortd daemon file to project same information
from step 3.
7. Start the snortd daemon.
8. Login to ACID: http://<snortmachinename>/acid/
Primary Methods to IDS Analysis
 Misuse Detection
– Misuse detection looks for signatures (patterns for known attacks)
within network activity. Many misuse detectors minimize the
number of false positives. Snort provides a large base-line of rules
for detecting many well-known attack signatures and issues new
releases frequently. Snort also allows development of unique rules
by the network’s administrator.
 Anomaly Detection
– Anomaly detection responses to abnormal events on a network.
These detectors create profiles of the network that contain normal
activities. The downfall to Anomaly detection is that it produces an
extremely large number of false positives. It also requires a large
history of network activities to build the profiles. Snort also does
some Anomaly Detection but it is based on the rules not history.
 Format of Snort Rules
Snort rules are made up of two parts: rule header and
rule options.
–The header consists of: the action, protocol, source and
destination IPs and netmasks, and source and destination
ports.
–The options section consists of: alert messages and portions
of the packet to examine for intrusion.

Syntax:
<action> <protocol> <src IP/mask> <port> -> <dest
IP/mask> <port> (msg: <alert message>; content:”search packet
for”; … etc)
 Some of the Rules We Wrote
A Scan Rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET any
(flags: A; ack: 0; tag: host, 500, packets, src; msg: “NMAP
TCP ping”;)

A Local Rule:
pass tcp $HOME_NET any -> 128.198.1.250 53 (msg:
“DNS zone transfer – Transfer uccs.edu domain:; flags:
A+; content: “|00 00 FC|”; offset: 13; reference: arachmids,
212; classtype: attempted-recon; sid: 255; rev:5;)
 IDS Responses to Detection

 IDSs are not designed to response to or counter an attack.

They merely notify and log the possible intrusions. Some
more powerful IDS, like Snort, can alert specific Intrusion
Response Systems to an attack. Data collected from IDSs
can aid in Intrusion Prevention methods as well. An IDS
alone is not enough to protect your network, but it is a
main collaborator in your system’s security.
Conclusion
 Snort is a well written and
designed Network IDS.
 Snort is free and
enormously flexible.
 Snort is easy to manage
and configure.
 Snort works for small or
large networks.