Snort Explained
Snort is one of the most important open source projects in the field of network security, and it has proved itself as one of the best network security tools for years. It specializes as a Network Intrusion Detection System (NIDS) and Network Intrusion Prevention System (NIPS), and it has been the de facto standard for intrusion detection and prevention systems for years. Snort is also free software, which makes it a good fit for many organizations.
In case you are not familiar with the term, here is what a NIDS is in a nutshell. Fundamentally, such software monitors all traffic on the network to make sure that everything is on track and under control.
Whenever there is abnormal or malicious activity, or a violation of security policy for some reason, the NIDS records the event and reports it to the security administrator.
In practice, a Security Information and Event Management (SIEM) system acquires data (often called logs) from diverse sources, Snort among them. Based on predefined filters, the SIEM can trigger an alarm or alert message when a violation occurs; among such violations is the malicious activity that Snort records and sends to the SIEM.
Snort uses a rule-driven language that combines the benefits of signature, protocol, and anomaly-based inspection methods. With its dramatic speed, power, and performance, Snort quickly gained momentum. With nearly 4 million downloads to date, Snort has become the single most widely deployed intrusion detection and prevention technology in the world.
Snort uses a flexible rule-based language to describe traffic that it should collect or pass. Snort's job is to listen to TCP/IP network traffic and look for signatures in the data flow that might indicate a security threat to an organization's network and computer systems. Rules are configured to take an action, which ranges from passive responses (just logging the event or sending an email) to active responses (doing something to stop the malicious activity from happening).
Organizations can apply new or existing rule-sets provided by the Snort community, as well as write and modify their own rules according to the requirements of their network. Complex rules can be written to identify just about any type of traffic crossing the network and perform some action. With the support of the Snort community, Snort rules are continually reviewed, modified, and improved to detect new and evolving security threats.
Snort has three primary uses: it can be used as a straight packet sniffer like tcpdump, as a packet logger (useful for network traffic debugging, etc.), or as a full-blown network intrusion prevention system.
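As an added illustration (not code from this page or from the Snort project), here is a small Python parser for the rule syntax described above: a header of action, protocol, addresses, ports and direction, followed by a parenthesised list of `key:value;` options. The two sample rules are constructed for this example, and the passive/active split follows the distinction the text draws between logging and blocking actions.

```python
import re

# Constructed sample rules (not taken from the page): a passive "alert" rule
# using Snort 3 sticky buffers, and an active "drop" rule.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB admin path probe"; '
    'flow:to_server,established; http_uri; content:"/admin/",nocase; '
    'classtype:web-application-activity; sid:1000001; rev:1;)',
    'drop tcp any any -> $HOME_NET 22 (msg:"SSH from blocked range"; '
    'flow:to_server; sid:1000002; rev:2;)',
]

# Actions that stop traffic; the rest only log, alert or pass the packet.
ACTIVE_ACTIONS = {"drop", "reject", "sdrop", "block"}

# Rule header: action proto src sport direction dst dport, then "(options)".
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$"
)

def _push(opts, token):
    # Turn one 'key:value' or bare 'key' token into a (key, value) pair.
    token = token.strip()
    if token:
        key, _, val = token.partition(":")
        opts.append((key.strip(), val.strip()))

def split_options(body):
    """Split the option body on ';' while ignoring ';' inside quoted strings."""
    opts, cur, in_quote, esc = [], [], False, False
    for ch in body:
        if ch == ";" and not in_quote:
            _push(opts, "".join(cur))
            cur = []
            continue
        if ch == '"' and not esc:
            in_quote = not in_quote
        esc = ch == "\\" and not esc
        cur.append(ch)
    _push(opts, "".join(cur))  # last option may lack a trailing ';'
    return opts

def parse_rule(rule):
    """Parse one rule into header fields, option pairs and a response class."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("malformed rule header: " + rule[:40])
    parsed = m.groupdict()
    parsed["options"] = split_options(parsed.pop("opts"))
    parsed["response"] = "active" if parsed["action"] in ACTIVE_ACTIONS else "passive"
    return parsed
```

Running `parse_rule` over `SAMPLE_RULES` shows the first rule as a passive alert on HTTP URIs and the second as an active drop on port 22.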
- Scalability: Snort can be successfully deployed on any network environment.
- Flexibility and Usability: Snort can run on various operating systems including Linux, Windows, and Mac OS X.
- Live and Real-Time: Snort can deliver real-time network traffic event information.
- Flexibility in Deployment: There are thousands of ways that Snort can be deployed and a myriad of databases, logging systems, and tools with which it can work.
- Speed in Detecting and Responding to Security Threats: Used in conjunction with a firewall and other layers of security infrastructure, Snort helps organizations detect and respond to system crackers, worms, network vulnerabilities, security threats, and policy abusers that aim to take down network and computer systems.
- Modular Detection Engine: Snort sensors are modular and can monitor multiple machines from one physical and logical location. Snort can be placed in front of the firewall, behind the firewall, next to the firewall, and anywhere else needed to monitor an entire network. As a result, organizations use Snort as a security solution to find out whether there are unauthorized attempts to break into the network or whether an attacker has already gained unauthorized access to it.
- Shared configuration and attribute table
- Use a simple, scriptable configuration
- Plugin framework that makes key components pluggable (200+ plugins)
- Auto-detect services for portless configuration
- Auto-generate reference documentation
- Scalable memory profile
- Rule parser and syntax (support sticky buffers in rules)
- Plenty of administrative front-ends
It is often a good idea to know the history of the successful figures in any field of interest, so I consider discussing the history of such a proven security tool a must: it enriches our knowledge of how such amazing projects began.
In fact, Snort has seen several turning points since its creation. It was initially developed back in 1998 by Martin Roesch, who later founded a technology company named Sourcefire in 2001 and became its Chief Technology Officer.
In 2005, Check Point Software Technologies acquired Sourcefire in a deal worth $225 million. Notably, the information technology media business InfoWorld named Snort one of the "greatest [pieces of] open source software of all time," a peak of fame it has been remembered for ever since.
A European organization specializing in network security testing, the NSS Group, compared Snort in practice with IDS products from other vendors such as Computer Associates and Symantec. Snort outstandingly outperformed all of the other products in 2005.
The year 2013 marked the start of a new era for Snort and Sourcefire in general, when Cisco Systems acquired the company. Several versions of Snort have been released, and starting in 2005 a self-tuning engine was built into them. This self-tuning engine aims to achieve maximum efficiency while keeping errors to a minimum.
Roesch divides the stages that threat-centric security should go through into three main chronological phases:
- Before the attack: a defender ought to harden the assets and build the biggest and thickest castle, so that an attacker never even attempts to get in.
- During the attack: the previous point never works completely, so this stage is of great importance. Once an attack is launched, detecting it and then blocking it should be the main aim at this critical time; technologies and techniques are employed to stop the attack as far as possible.
- After the attack: sometimes these technologies fail to detect and block the attack, and the attack makes it through. Several stages then follow that represent a great threat from the perspective of a defender who may lose control over their own network.
Main contents:
- Snort rule development
- Snort rule language
- Standard and advanced rule options
- OpenAppID
- Tuning
Objectives:
Upon completion of this course, you should be able to:
- Describe the Snort rule development process
- Describe the Snort basic rule syntax and usage
- Describe how traffic is processed by Snort
- Describe several advanced rule options used by Snort
- Describe OpenAppID features and functionality
- Describe how to monitor the performance of Snort and how to tune rules