Click here to load reader

Snort Implementation - Amazon Web Services · PDF fileSession Abstract Snort has become the de facto open standard for intrusion detection and intrusion protection. With the acquisition

  • View

  • Download

Embed Size (px)

Text of Snort Implementation - Amazon Web Services · PDF fileSession Abstract Snort has become the de...

  • Snort Implementationin Cisco Products


    Eric Kostlan, Technical Marketing Engineer

    Security Technologies Group, Cisco Systems

  • Session Abstract

    Snort has become the de facto open standard for intrusion detection and intrusion protection. With the acquisition of Sourcefire in October, 2013, Snort is now one of the technologies used in Cisco products. This session will cover how Snort is implemented and deployed in Cisco product.

    No prior knowledge of Snort will be assumed, but some familiarity with IDS/IPS and firewall technologies is assumed.

  • Session Objectives

    Upon successful completion of this session, the attendee will be able to

    Describe the architecture of the Snort engine

    Describe the syntax of the Snort language

    Describe OpenAppID

    Describe how Snort is implemented in Cisco Sourcefire products

    Describe how Snort is implemented in other Cisco products

  • Agenda


    Snort Fundamentals


    Cisco Sourcefire Products


    Other Cisco Products

    The Internet of Things


  • Introduction


  • What is Cisco Sourcefire?

    Snort created

    Created by Martin Roesch in 1998

    Snort is both a language and an engine

    Open source rapidly adopts and develops Snort

    Sourcefire founded

    Founded in 2001 by Martin Roesch

    Created a commercial version of Snort

    Sourcefire acquires Immunet cloud based anti-malware vendor

    Acquisition completed 2011

    Cisco acquires Sourcefire

    Acquisition completed 2013 for $2,700,000,000

    Historical perspective

  • NSS Report on IPSBased on Sourcefire IPS technology

  • NSS Report on Breach DetectionBased on Sourcefire AMP technology

  • New, Adaptive, Threat-focused NGFW

    Identity-Policy Control

    & VPN

    URL Filtering(subscription)


    Analytics &


    Advanced Malware


    Intrusion Prevention (subscription)


    Visibility & Control

    Network Firewall

    Routing | Switching

    Clustering &

    High Availability


    Cisco Collective Security Intelligence Enabled

    Built-in Network


  • NSS Report on NGFWBased on Cisco and Sourcefire technology

  • Snort Fundamentals

  • Snort Engine

    Packet sniffer Packets are read using the Data AcQuisition library (DAQ)

    Packet decoder Decodes datalink, network and transport protocols

    Preprocessors Normalize traffic

    Detection engine Uses Snort rules to create signatures for threats

    Output module Handles the task of writing and displaying events

    High-level Snort architecture


    Packet decoder

    Alert and log files


    Detection engine

    Output module

    DAQ libraries


  • Snort EnginePacket sniffer (DAQ)

  • Snort Engine

    Snort uses a Data Acquisition Module (DAQ) to collect packets The DAQ

    There is no native Snort packet capture library

    Different capture libraries may be used without the need to recompile Snort

    The DAQ promiscuously picks packets off the wire and passes it to the packet decoder

    DAQ mode inline, passive or read from file

    DAQ type

    PCAP The default DAQ

    AFPacket Like PCAP DAQ but with better performance, and allows inline operation

    IPQ The old way to process iptables packets. This replaces the compile option--enable-inline used in previous versions of Snort

    NFQ - This is the new and improved way to process iptables packets

    IPFW - Is used by BSD systems. It replaces the compile option --enable-ipfw

    Packet sniffer (DAQ)

  • Snort EnginePacket decoder

  • Snort EnginePacket decoder

  • Snort Engine

    Decodes Layer 2 and Layer 3 protocols

    Focused on TCP/IP protocol suite

    Stores decoded packet information in data structures help in memory

    Data structures are utilized by the detection engine

    Configured at Snort start time (using CLI options of the configuration file)

    Specify DAQ mode

    Specify DAQ type

    Turn on or off alerting features of the decoder

    Exclude designated port/protocol pairs from inspection

    Packet decoder

  • Snort EnginePreprocessors

  • Snort EnginePreprocessors

  • Snort Engine

    Preprocessors play a vital function in network traffic inspection

    Present packets to the detection engine in a contextually relevant way

    Normalize traffic

    Alert if they detect anomalous conditions as defined by their settings

    Major preprocessors include the following

    frag3 Used to reassemble packet fragments prior to inspection

    stream5 Used to reconstruct TCP data streams so that inspection can be done in the context of a TCP conversation

    Protocol decoders Normalize TCP streams including: telnet, ftp, smtp, and rpc.

    http_inspect Normalizes http traffic

    DCE/RPC2 Used to decode and desegment DCE traffic

    sfPortscan Used to detect portscans


  • Snort EngineDetection engine

  • Snort Engine

    Consists of two components to perform inspection

    Rules builder

    Inspection component

    Rules builder

    On Snort startup, assembles rules into rule chains

    Optimizes rule matching by the inspection component

    Sources, destinations and port sources and destinations redundancies are eliminated

    Implements rules chains as linked lists

    Inspection component

    Matches traffic to a rule chain

    Further inspects traffic against the options in the matching rule chain

    Detection engine

  • Snort EngineOutput module

  • Snort Engine

    Handles the task of writing and displaying events

    Supports several output formats

    Can send output to files or Syslog

    Can send logs and alerts in straight ASCII

    Can send packets in PCAP format

    Can use Unified2 format (the replacement for Unified format) Fast and lightweight binary format

    Can be converted to other formats by utilities such as Barnyard2

    The output module can receive input from several sources

    The packet decoder sends data that can be use to produce PCAP output

    Preprocessors send alerts on detection of anomalous conditions

    The detection engine sends log and alert data when rules are matched

    Output module

  • Snort Language

    A simple lightweight language for identifying

    Security policy violations

    Known network attacks and IDS/IPS evasion techniques

    Snort language supports event filters

    Limit Alert on the a specified number of events during a specified time interval, then ignore events for the rest of the specified time interval.

    Threshold Only alert if the event is seen a specified number of times within a specified time interval

    Communication between rules is accomplished using flowbits

    Note: The snort engine is not restricted to the Snort language. It can use precompiled shared objects in addition to Snort rules.


  • Snort Language

    Rule header

    Used to match traffic and performAction (pass, drop, sdrop, alert, log)

    Protocol, Source, Destination 5-tuple

    Rule body

    Contains the message used for alerts

    Contains flow attributes

    Contains the Signature ID and revision number

    Can specify content or regular expressionsin combinations and locations in packet

    Can read packet contents to calculate offsets

    Can set and read flowbits to link to other rules

    Rule structure

  • Snort LanguageOversimplified rules (used for testing)

    alert tcp any any -> any any (msg:"ProjectZ detected";

    content:"ProjectZ"; sid: 1001001; rev:1;)

    alert tcp any any -> any any (msg:"ProjectQ replaced";

    content:"ProjectQ"; replace:"ProjectR" sid:1001002; rev:1;)

    Notes about rule action

    The second rule has replace in the body, so it performs an action not specified in the rule header

    In Cisco Sourcefire products,the action is typically configuredin the Management GUI

  • Snort Language

    alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306


    Buffer Overflow attempt";


    content:"|04|"; depth:1; offset:4;


    metadata:policy max-detect-ips drop,

    service mysql; reference:cve,2010-1850;


    sid:16703; rev:10; )

    Sample Rule

    Rule header

    Rule body

    Variables (set to any by default)

    Alert text

    Flow attribute

    Content search


    Signature ID and revision number

  • Snort Language

    XML file associated with a particular IP address

    Specifies OS and service to port associations on the host

    Affect on preprocessors

    Frag3 and Stream5 Uses OS information to determine policy, that is, the OS to emulate in packet re-assembly.

    Application layer preprocessors Users the service information to determine protocol to port mapping.

    Affect on Snort rules through metadata attribute see next slide

    Sourcefire builds Host Attribute Tables


    Through network discovery

    Host Attribute Table

  • Snort Language

    Example:alert tcp $HOME_NET any -> $

Search related