Page 1: Snort Lite

CS/CoE 535 : Snort Lite - Fall 2003 1

Snort Lite

Members
• Michael Attig (mea1@arl)
  – Hardware Design / System Architecture
• Qian Wan (qw2@arl)
  – Software Design

Webpage: http://www.arl.wustl.edu/arl/projects/fpx/snort_lite/

Page 2: Snort Lite

Motivation

• Built up ability to do packet inspection
• Would like to add some form of packet-classification
• Combining these 2 features is a first step toward implementing Snort in hardware
  – Ideally reach line rates
  – Inspect all packets
  – Turn Snort active
• Header Processing + Payload Processing

Page 3: Snort Lite

Assumptions

• Time constraints force several assumptions
  – Support signature lengths from 10 to 32 characters long (80 to 256 bits)
  – 1 content-rule can be associated with only 1 header rule
  – Must have content and header rule
    • Content + Header = Rule
  – No content wildcards (no regular expressions)
  – Wildcards are allowed in header fields
  – Recognize IP, TCP, UDP protocols

Page 4: Snort Lite

Hardware Overview

(Block diagram of the hardware; labels visible in the figure: Packet Data in, SID and Matching Rule out.)

Page 5: Snort Lite

Major Components Functionality

• Options Processing
  – Payload Processing via Multiple Bloom Filters
    • 8 Hash Functions per BF
    • False Positive Probability 0.0039
  – SDRAM Hash Table Implementation (Quadratic Probing)
    • Expected Number of Lookups = ?
• Header Processing
  – SRAM table lookup
  – Header Fields Comparator
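As an added worked example (not code from the Snort Lite project), the following Python models the payload-processing structure on this slide: a counting Bloom filter with 8 hash functions, the textbook false-positive formula, and the idealized open-addressing lookup estimate the slide leaves as a question mark. The formula shows where the quoted 0.0039 comes from: a filter with k = 8 hash functions sized at k/ln 2 (about 11.5 bits per string) reaches a false-positive probability of exactly 2^-8 = 0.0039. The SHA-256-based hash scheme, the 4096-bit filter size and the sample signatures are assumptions; the hardware uses its own hash functions.

```python
import hashlib
import math


def bloom_fp_probability(k: int, n: int, m: float) -> float:
    """Textbook false-positive probability of a Bloom filter with k hash
    functions, n inserted strings and m bits: (1 - e^(-kn/m))^k."""
    return (1.0 - math.exp(-k * n / m)) ** k


def optimal_bits_per_string(k: int) -> float:
    """m/n at which k hash functions are the optimal choice (k = (m/n) ln 2).
    At that sizing the false-positive probability collapses to 2^-k, which
    for the slide's k = 8 is 0.0039."""
    return k / math.log(2)


def expected_probes(load: float) -> tuple:
    """Idealized uniform-hashing estimate for an open-addressing hash table at
    load factor alpha: (unsuccessful, successful) probes, 1/(1-alpha) and
    (1/alpha) ln(1/(1-alpha)). Quadratic probing, as used for the SDRAM
    hash table, behaves close to this bound."""
    return 1 / (1 - load), (1 / load) * math.log(1 / (1 - load))


class CountingBloomFilter:
    """Counting Bloom filter: one small counter per bit position, so a string
    can be removed again. This is the bookkeeping the 'Remove String' opcode
    and the BLOOMCNTR table on the later slides need. Hash scheme (assumed):
    k SHA-256 hashes, each keyed by its hash index."""

    def __init__(self, m: int = 4096, k: int = 8):
        self.m, self.k = m, k
        self.counters = [0] * m

    def positions(self, s: bytes) -> list:
        return [int.from_bytes(hashlib.sha256(bytes([i]) + s).digest()[:4], "big") % self.m
                for i in range(self.k)]

    def add(self, s: bytes) -> None:
        for pos in self.positions(s):
            self.counters[pos] += 1

    def remove(self, s: bytes) -> None:
        # Check every counter first: decrementing a string that was never
        # added would silently corrupt the entries of other strings.
        positions = self.positions(s)
        if any(self.counters[pos] == 0 for pos in positions):
            raise ValueError("string was never added to this filter")
        for pos in positions:
            self.counters[pos] -= 1

    def __contains__(self, s: bytes) -> bool:
        return all(self.counters[pos] > 0 for pos in self.positions(s))

    def bits_set(self) -> int:
        return sum(1 for c in self.counters if c > 0)


def demo() -> dict:
    """Program three constructed signatures, then remove them all again."""
    bf = CountingBloomFilter(m=4096, k=8)
    sigs = [b"Look at my Sample content!", b"CSE 535 is fun but harder!", b"Sample signature three"]
    for s in sigs:
        bf.add(s)
    present_before = [s in bf for s in sigs]
    counter_total = sum(bf.counters)          # 8 increments per signature
    for s in sigs:
        bf.remove(s)
    return {"present_before": present_before,
            "counter_total_after_add": counter_total,
            "all_absent_after_removal": not any(s in bf for s in sigs),
            "fp_estimate_for_3_strings": bloom_fp_probability(8, len(sigs), 4096)}
```

The `counters` list is exactly what the BLOOMCNTR table (BloomId, BitPosition, Counter) persists on the software side, so the web application can decide when a bit may really be cleared in hardware.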

Page 6: Snort Lite

Chip Utilization

• Number of 4-input LUTs – 63%
• Number of Occupied Slices – 88%
• Number of Block RAMs – 123 of 160 – 76%
• Speed – 34.7 MHz
  – (this number doesn’t reflect current design)!

Page 7: Snort Lite

Control Opcodes

• x70 – Add String to Hash Table
• x72 – Remove String from Hash Table
• x74 – Set Bits in a Bloom Filter
• x76 – Add Header Table Entry
• x78 – Remove Header Table Entry
• x80 – Change Alert Message Destination
• x82 – Read Header Table Entry
• x84 – Read Statistics
• x86 – Test Functionality / Pass Through

Page 8: Snort Lite

Example Rule

• alert tcp 128.252.153.51/16 any 192.168.200.10 80 (content: "Look at my Sample content!"; sid:750;)
• Generic
  – action proto src_ip src_port dest_ip dest_port (content: sid:)

Page 9: Snort Lite

Java Rule Parser

• Reads in a Rule File
• Creates the payload for 3 control packets to program Circuit
  – x70 – add signature to analyzer
  – x74 – set bits in appropriate Bloom Filter
  – x76 – Add Header Entry
• Tells you if a rule doesn’t match assumptions
• Ignores other fields – Just extracts content and sid
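The slides do not show the Java parser's code, so the following Python is an added example, not the project's own: it parses the generic rule form from the "Example Rule" slide, rejects rules that violate the "Assumptions" slide (unsupported protocol, content shorter than 10 or longer than 32 characters, missing content or sid, regular expressions), and builds the three control-packet payloads with the opcodes listed on the "Control Opcodes" slide. It also models the header-fields comparator with `any` wildcards. The byte layout after each opcode, the SHA-256 hash scheme, the 4096-bit filter size and the "one Bloom filter per signature length" mapping are assumptions.

```python
import hashlib
import ipaddress
import re
import struct
from typing import Optional

# Opcode values are the ones on the "Control Opcodes" slide.
OP_ADD_STRING = 0x70
OP_SET_BLOOM_BITS = 0x74
OP_ADD_HEADER = 0x76

MIN_SIG, MAX_SIG = 10, 32          # signature length limits from the "Assumptions" slide
PROTOCOLS = {"ip", "tcp", "udp"}   # protocols the circuit recognizes
NUM_HASHES = 8                     # hash functions per Bloom filter
BLOOM_BITS = 4096                  # assumption: bit positions per Bloom filter

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?:->\s+)?(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\((?P<opts>.*)\)\s*$"
)
CONTENT_RE = re.compile(r'content:\s*"([^"]*)"')
SID_RE = re.compile(r"sid:\s*(\d+)")


def parse_rule(line: str) -> dict:
    """Parse 'action proto src_ip src_port [->] dst_ip dst_port (options)'.
    Only content: and sid: are taken from the options; everything else is
    ignored. Raises ValueError when the rule breaks a Snort Lite assumption."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("rule needs a complete header rule and an options block")
    rule = m.groupdict()
    opts = rule.pop("opts")
    if rule["proto"].lower() not in PROTOCOLS:
        raise ValueError(f"protocol {rule['proto']!r} not supported (ip, tcp, udp only)")
    if "pcre:" in opts:
        raise ValueError("regular expressions are not supported")
    content, sid = CONTENT_RE.search(opts), SID_RE.search(opts)
    if content is None or sid is None:
        raise ValueError("rule must carry both content: and sid:")
    text = content.group(1)
    if not MIN_SIG <= len(text) <= MAX_SIG:
        raise ValueError(f"content length {len(text)} outside {MIN_SIG}..{MAX_SIG} characters")
    rule["content"], rule["sid"] = text, int(sid.group(1))
    return rule


def check_rule(line: str) -> Optional[str]:
    """None if the rule fits the assumptions, otherwise the reason it does not."""
    try:
        parse_rule(line)
    except ValueError as exc:
        return str(exc)
    return None


def bloom_positions(content: bytes) -> list:
    """Bit positions for a signature. The hash scheme (SHA-256 keyed by hash
    index) is an assumption; the circuit uses its own hardware hash functions."""
    return [int.from_bytes(hashlib.sha256(bytes([i]) + content).digest()[:4], "big") % BLOOM_BITS
            for i in range(NUM_HASHES)]


def _ip_field(text: str) -> tuple:
    """(address, mask); the 'any' wildcard becomes an all-zero mask."""
    if text == "any":
        return 0, 0
    net = ipaddress.ip_network(text, strict=False)
    return int(net.network_address), int(net.netmask)


def _port_field(text: str) -> tuple:
    return (0, 0) if text == "any" else (int(text), 0xFFFF)


def header_entry(rule: dict) -> bytes:
    """25-byte header-table entry (assumed layout): proto, src addr/mask,
    dst addr/mask, src port/mask, dst port/mask. 'ip' is encoded as 0 and
    acts as a wildcard over tcp and udp."""
    proto = {"ip": 0, "tcp": 6, "udp": 17}[rule["proto"].lower()]
    sip, smask = _ip_field(rule["src_ip"])
    dip, dmask = _ip_field(rule["dst_ip"])
    sport, spmask = _port_field(rule["src_port"])
    dport, dpmask = _port_field(rule["dst_port"])
    return struct.pack("!BIIIIHHHH", proto, sip, smask, dip, dmask, sport, spmask, dport, dpmask)


def control_packets(rule: dict) -> list:
    """The three control-packet payloads emitted per rule. The opcodes are the
    slide's; the bytes after each opcode are an assumed layout."""
    content = rule["content"].encode()
    filter_id = len(content) - MIN_SIG   # assumption: one Bloom filter per signature length
    add_string = struct.pack("!BIB", OP_ADD_STRING, rule["sid"], len(content)) + content
    set_bits = struct.pack("!BB", OP_SET_BLOOM_BITS, filter_id) + b"".join(
        struct.pack("!H", pos) for pos in bloom_positions(content))
    add_header = struct.pack("!BI", OP_ADD_HEADER, rule["sid"]) + header_entry(rule)
    return [add_string, set_bits, add_header]


def header_matches(rule: dict, proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
    """Software model of the header-fields comparator, honouring 'any' wildcards."""
    rp = rule["proto"].lower()
    if rp != "ip" and rp != proto.lower():
        return False
    for field, addr in (("src_ip", src), ("dst_ip", dst)):
        if rule[field] != "any" and ipaddress.ip_address(addr) not in ipaddress.ip_network(rule[field], strict=False):
            return False
    for field, port in (("src_port", sport), ("dst_port", dport)):
        if rule[field] != "any" and int(rule[field]) != port:
            return False
    return True
```

`check_rule` is the "tells you if a rule doesn't match assumptions" step; `control_packets` is the payload the web application would wrap into UDP control packets for the circuit.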

Page 10: Snort Lite

Data Flow Overview

(Data-flow diagram; stages shown in the figure:)
• Add rules from web interface
• Save rules into database
• Construct rules to plain text
• Parse rules into payloads
• Record matches in database
• Output statistics to web page
• Construct payloads to UDP
• Update Bloom Counter

Page 11: Snort Lite

Updated Table definitions in DB snortlight

TABLES

BLOOMFILTER
---------------------
Id        INT ;  // identity(1, 1)
BlockRAM1 INT ;  // the ID of BlockRAM 1
BlockRAM2 INT ;  // the ID of BlockRAM 2
BlockRAM3 INT ;  // the ID of BlockRAM 3
BlockRAM4 INT ;  // the ID of BlockRAM 4
BlockRAM5 INT ;  // the ID of BlockRAM 5

RULES
----------
Id         INT ;                    // identity(1, 1)
BloomId    INT ;                    // FK of BLOOMFILTER
Content    VARCHAR(100) ;           // NOT NULL
SourceIP   VARCHAR(30) ;
DestIP     VARCHAR(30) ;
SourcePort VARCHAR(20) ;
DestPort   VARCHAR(20) ;
NoCase     ENUM("FALSE", "TRUE") ;  // 0 false
InHardware ENUM("FALSE", "TRUE") ;  // 0 false
Action     CHAR(5) ;                // actions to take
Protocol   CHAR(5) ;                // type of protocol
InsertTime DATE ;
DeleteTime DATE ;
KeepLog    ENUM("FALSE", "TRUE") ;  // 0 false

BLOOMCNTR
------------------
BloomId     INT ;
BlockRAMId  VARCHAR(10) ;
BitPosition INT ;
Counter     INT ;

RULEMATCH
------------------
PacketID INT ;
RuleID   INT ;  // FK of RULES
EventDT  DATE ;

MATCHSTATIS  // use 0 for false match
--------------------
RuleID  INT ;
BloomID INT ;
StartDT DATE ;
EndDT   DATE ;
counter INT ;
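As an added example (not the project's own web-application code), the following Python carries the RULES, RULEMATCH and MATCHSTATIS tables from this slide through the "Record matches in database" and "Output statistics" stages of the data-flow slide, using SQLite so it runs offline. ENUM("FALSE", "TRUE") has no SQLite equivalent and is rendered as a CHECK constraint, identity(1, 1) as AUTOINCREMENT; the RuleID 0 convention for false matches follows the slide's comment on MATCHSTATIS. The match events, timestamps and BloomId values are constructed.

```python
import sqlite3

# SQLite rendering of the slide's tables (ENUM -> CHECK, identity -> AUTOINCREMENT).
SCHEMA = """
CREATE TABLE RULES (
    Id          INTEGER PRIMARY KEY AUTOINCREMENT,
    BloomId     INT,
    Content     VARCHAR(100) NOT NULL,
    SourceIP    VARCHAR(30),
    DestIP      VARCHAR(30),
    SourcePort  VARCHAR(20),
    DestPort    VARCHAR(20),
    NoCase      TEXT NOT NULL DEFAULT 'FALSE' CHECK (NoCase IN ('FALSE', 'TRUE')),
    InHardware  TEXT NOT NULL DEFAULT 'FALSE' CHECK (InHardware IN ('FALSE', 'TRUE')),
    Action      CHAR(5),
    Protocol    CHAR(5),
    InsertTime  DATE,
    DeleteTime  DATE,
    KeepLog     TEXT NOT NULL DEFAULT 'FALSE' CHECK (KeepLog IN ('FALSE', 'TRUE'))
);
-- RuleID 0 marks a Bloom-filter false match (slide convention), so no FK here.
CREATE TABLE RULEMATCH (PacketID INT, RuleID INT, EventDT DATE);
CREATE TABLE MATCHSTATIS (RuleID INT, BloomID INT, StartDT DATE, EndDT DATE, counter INT);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def add_rule(conn, content, bloom_id, src_ip, dst_ip, src_port, dst_port,
             action="alert", proto="tcp", insert_time="2003-12-01") -> int:
    """Save one parsed rule; returns its RULES.Id."""
    cur = conn.execute(
        "INSERT INTO RULES (BloomId, Content, SourceIP, DestIP, SourcePort, DestPort, "
        "Action, Protocol, InsertTime, InHardware) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, 'TRUE')",
        (bloom_id, content, src_ip, dst_ip, src_port, dst_port, action, proto, insert_time))
    return cur.lastrowid


def record_match(conn, packet_id: int, rule_id: int, event_dt: str) -> None:
    """rule_id 0 records a Bloom-filter hit that no rule confirmed (false match)."""
    conn.execute("INSERT INTO RULEMATCH VALUES (?, ?, ?)", (packet_id, rule_id, event_dt))


def summarize(conn, start_dt: str, end_dt: str) -> dict:
    """Count matches per rule in [start_dt, end_dt), persist them in MATCHSTATIS
    and return {RuleID: counter}. Timestamps are ISO-8601 strings so that string
    comparison orders them correctly."""
    rows = conn.execute(
        "SELECT m.RuleID, r.BloomId, COUNT(*) FROM RULEMATCH m "
        "LEFT JOIN RULES r ON r.Id = m.RuleID "
        "WHERE m.EventDT >= ? AND m.EventDT < ? "
        "GROUP BY m.RuleID, r.BloomId", (start_dt, end_dt)).fetchall()
    conn.executemany("INSERT INTO MATCHSTATIS VALUES (?, ?, ?, ?, ?)",
                     [(rid, bid, start_dt, end_dt, n) for rid, bid, n in rows])
    conn.commit()
    return {rid: n for rid, _, n in rows}


def demo() -> dict:
    """Two rules from the slides, seven constructed match events, one-hour window."""
    conn = open_db()
    r1 = add_rule(conn, "Look at my Sample content!", 16, "128.252.153.51/16", "192.168.200.10", "any", "80")
    r2 = add_rule(conn, "CSE 535 is fun but harder!", 16, "127.0.0.0/9", "128.252.153.0/24", "any", "801")
    events = [(1, r1, "2003-12-01T10:00:00"), (2, r1, "2003-12-01T10:05:00"),
              (3, r2, "2003-12-01T10:06:00"), (4, 0, "2003-12-01T10:07:00"),
              (5, r1, "2003-12-01T10:30:00"), (6, 0, "2003-12-01T10:40:00"),
              (7, r1, "2003-12-01T12:00:00")]          # last one falls outside the window
    for pid, rid, when in events:
        record_match(conn, pid, rid, when)
    return summarize(conn, "2003-12-01T10:00:00", "2003-12-01T11:00:00")
```

The counter for RuleID 0 is the operational signal worth watching: a rising share of false matches means a Bloom filter has become too full for its 8 hash functions and its strings should be spread over more filters.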

Page 12: Snort Lite

Graphical Processes Illustration

alert tcp 127.0.0.0/9 any -> 128.252.153.0/24 801 (content: "CSE 535 is fun but harder!"; sid:68;)

• traffic first
• match result

Page 13: Snort Lite

Web Interface – Add a Rule

Page 14: Snort Lite

Web Interface – Result of Adding a Rule

alert tcp 127.0.0.0/9 any -> 128.252.153.0/24 801 (content: "CSE 535 is fun but harder!"; sid:68;)

• -Temprulei.txt-

Page 15: Snort Lite

Web Interface – Display Rules

The actual contents of the Snort rules are shown above.

Page 16: Snort Lite

Delete one rule just entered

Page 17: Snort Lite

Result page after one rule deleted

Page 18: Snort Lite

Append rule matches

Page 19: Snort Lite

Rule Matches Statistics

Page 20: Snort Lite

Future Work

• Redesign – too many assumptions
• Allow Header-only and content-only rules
• Implement more content-based features
  – TCP flags
  – IP options
  – More header fields
  – Multiple Signatures per content rule
    • Snort has many over-lapping rules
• Software to dynamically recreate VHDL to change Number of PBFs per LBF based on number of strings for a particular length
  – Statistical Modeling would help determine this