What is Snort?
Snort is an Open Source Intrusion Detection System which can be downloaded free of cost. It is a software package which needs to be installed (along with other software in many cases) in a standard server which acts as the sensor. For a small company with single Internet/leased line connectivity, a single instance Snort implementation next to the router might be enough but for larger company, it is better if the network is monitored in multiple places (possibly at every point of entry/exit and in the individual network segments) by using an IDS like Snort. When Snort is set up, it can either passively monitor the network for threats (using signatures, patterns of known threats) and log the network activity for the security administrators to have a look later on or it can generates alerts (through emails, pop-up windows, SNMP traps etc) for instant notification of the administrators when an activity closely resembling to a known attack signature is found.
What are the Components of Snort?
Snort is logically divided in to the following five major components.
¤ A Packet Decoder is the first component which collects packets from different network interfaces and prepares the packets to be preprocessed.
¤ The second component, Pre-processors are used to arrange and modify packets before being analysed by the detection engine. There are pre-processors that detect some basic anomalies by de-fragmenting packets (which are fragmented by hackers as a method of deception), HTTP URL Decoding (If hexadecimal characters are used by hackers as a method of deception). There are pre-processors that detect and log port scanning activities, detect anomalies in ARP packets (to identify ARP spoofing), etc.
¤ The third component, the Detection engine is the heart of Snort. Its responsibility is to analyse all the packets passing through it for signs of intrusion by using certain pre-defined rules. It can dissect a packet and apply rules to different parts of the packet like IP header, transport layer header, application layer header and packet payload.
¤ The fourth component is the Logging and Alerting System – Upon the detection of intrusion by the detection engine, either the activity is logged for the perusal of the network engineers or an alert is generated.
¤ The fifth component, Output modules or plug-ins are used to control the type of output produced by the logging and alerting system. Some of its functions may be generating log reports, logging alert reports in a file, sending SNMP traps, logging in to a database (like MySQL), sending a message to Syslog server, etc.
In some installations, some additional tools might be used along with snort like MySQL database to log the alert data, Apache could act as the web server, PHP could be the interface between the web server and MySQL database, a PHP package like ACID could be used to view and analyse Snort data, etc.
What are the different installation methods with Snort?
If it is a very small organization, just a single sensor (on a PC/Server) will do (Of course, with a pre-installed Operating system). This, when put up just behind a router or firewall (in single Internet line scenarios) would generate alarms if any intrusion activity is found. For slightly bigger organizations, Snort could generate alarms and send it to an NMS (Network Management System) that they might be using, provided they support SNMP traps, which most of the NMS vendors do. Snort could also be configured to integrate with a database (like MySQL, which stores the Logs), and a web interface (through PHP) could be provided to view the required data from the database. This is a more structured way of using and retrieving log information. For small organizations all these three components could be in the same server too.
In the case of a bigger organization with multiple locations, Snort might be needed to be installed in multiple locations. Maintaining and managing multiple databases in this scenario is difficult. So, multiple sensors of Snort could be configured to the same centralized database from where the logs could be viewed.
Network Sniffer Mode:
If Snort is configured to operate in the network sniffer mode, it logs all packet data in to the database or in binary/text files. Some of the information that is available to the network administrators are: Date and Time of capture of packet, Source IP address, Source Port number, Destination IP address, Destination Port, Transport Layer protocol used, TTL/TOS/Packet ID values, Length of IP header, IP Payload, TCP header length etc.
Network Intrusion Detection Mode:
In Network Intrusion Detection mode, Snort logs only those packets which match a certain rule (pre-defined attack signatures) and generates alarms. Common rules (signatures) can be obtained from the installation files itself, and new rules keep updating regularly. These alerts can be of different categories like high priority, low priority etc and for each category, different actions can be taken. Snort itself maybe configured to operate in stealth mode where the presence of an IDS machine is not visible to intruders (One way is to not configure any IP address for the Snort sensor server).
Based on the Snort rules, a Snort sensor can take various decisions like ignoring a packet (passing them), log a packet, generating an alert, activate another action after generating an alert, or take a user-defined action like sending messages to syslog, sending SNMP traps, logging data as xml files or do multiple such actions at the same time. The standard Snort rules can also be changed as per the network conditions.
There are a lot of categories of rules written for Snort and an example could be a rule written to generate an alert if a user tries to ‘su to root’ through a telnet session or generating an alert for incorrect login in a telnet session.
In case you have any questions, you can contact us using the contact form or leave a comment below. You can also subscribe with your email address (on the right side of this site) to get notified (title and summary) when a new article is published on this site.