Snort 2.0 Detection Engine Comparison – V 1.x
Diagram: alert tcp → header (Sip: 220.127.116.11, Dip: 18.104.22.168, Dp: 80) → (flags: A+; content: "foo";) → (flags: A+; content: "bar";) → (flags: A+; content: "baz";)
Snort 2.0 Detection Engine Comparison – V 2.0
Diagram: alert tcp → header (Sip: 126.96.36.199, Dip: 22.214.171.124, Dip: 10.1.1.0/24, Dp: 80, Flags: A+;) → content set {content: "foo"; content: "bar"; content: "baz";}
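The two comparison slides contrast the 1.x engine, where every rule hanging off a matching header runs its own content search, with the 2.0 set-based engine, where the content patterns of all rules that share a header are searched together in one pass over the payload and the remaining options are checked only for the patterns that hit. The following is an added example, not code from Snort or from the slides, that models both strategies in Python over the slide's three rules. The Aho-Corasick matcher, the Rule/Packet classes, the flag-spec handling and the addresses (192.0.2.0/24 and 10.1.1.0/24) are my own assumptions for illustration, not Snort's data structures.

```python
"""Added example, not Snort code: the two rule-evaluation strategies on the comparison slide."""
import ipaddress
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    sid: int
    proto: str
    sip: str             # CIDR or "any"
    dip: str
    dport: "int | None"  # None = any port
    flags: str           # Snort flag spec: "A+" = ACK set, other bits ignored
    content: bytes

@dataclass
class Packet:
    proto: str
    sip: str
    dip: str
    dport: int
    flags: frozenset     # TCP flag letters set on the packet, e.g. {"A", "P"}
    payload: bytes

def ip_in(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def header_matches(r, p):
    return (r.proto == p.proto and ip_in(p.sip, r.sip) and ip_in(p.dip, r.dip)
            and (r.dport is None or r.dport == p.dport))

def flags_match(spec, flags):
    """'A+' needs ACK and ignores the rest; a bare 'A' needs exactly ACK."""
    want = set(spec.rstrip("+"))
    return want <= flags if spec.endswith("+") else want == flags

class AhoCorasick:
    """Set-wise matcher: one pass over the payload reports every pattern of the set."""
    def __init__(self, patterns):
        self.goto, self.fail, self.out = [{}], [0], [set()]
        for pid, pat in enumerate(patterns):           # build the trie
            node = 0
            for b in pat:
                if b not in self.goto[node]:
                    self.goto.append({}); self.fail.append(0); self.out.append(set())
                    self.goto[node][b] = len(self.goto) - 1
                node = self.goto[node][b]
            self.out[node].add(pid)
        q = deque(self.goto[0].values())               # depth-1 nodes fail back to the root
        while q:                                       # breadth-first: failure links
            cur = q.popleft()
            for b, nxt in self.goto[cur].items():
                f = self.fail[cur]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(b, 0)
                self.out[nxt] |= self.out[self.fail[nxt]]  # inherit shorter suffix matches
                q.append(nxt)

    def search(self, data):
        node, hits = 0, set()
        for b in data:
            while node and b not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(b, 0)
            hits |= self.out[node]
        return hits

def detect_v1(rules, pkt):
    """1.x style: each rule hanging off a matching header runs its own content search."""
    hits, scans = set(), 0
    for r in rules:
        if header_matches(r, pkt) and flags_match(r.flags, pkt.flags):
            scans += 1                                 # one payload scan per rule
            if r.content in pkt.payload:
                hits.add(r.sid)
    return hits, scans

class SetEngine:
    """2.0 style: rules grouped by header, one multi-pattern matcher per group."""
    def __init__(self, rules):
        self.groups = {}
        for r in rules:
            self.groups.setdefault((r.proto, r.sip, r.dip, r.dport), []).append(r)
        self.matchers = {k: AhoCorasick([r.content for r in rs]) for k, rs in self.groups.items()}

    def detect(self, pkt):
        hits, scans = set(), 0
        for key, rs in self.groups.items():
            if header_matches(rs[0], pkt):
                scans += 1                             # one payload scan per header group
                for pid in self.matchers[key].search(pkt.payload):
                    if flags_match(rs[pid].flags, pkt.flags):  # remaining options only on hits
                        hits.add(rs[pid].sid)
        return hits, scans

# The slide's three rules; the addresses are constructed (RFC 5737 / private space), not the slide's.
RULES = [Rule(sid, "tcp", "192.0.2.0/24", "10.1.1.0/24", 80, "A+", c)
         for sid, c in ((1, b"foo"), (2, b"bar"), (3, b"baz"))]

def compare(pkt, rules=RULES):
    """Both engines must alert on the same sids; only the number of payload scans differs."""
    return {"v1": detect_v1(rules, pkt), "v2": SetEngine(rules).detect(pkt)}

if __name__ == "__main__":
    p = Packet("tcp", "192.0.2.10", "10.1.1.5", 80, frozenset("AP"), b"GET /bar?q=baz HTTP/1.0\r\n")
    print(compare(p))  # {'v1': ({2, 3}, 3), 'v2': ({2, 3}, 1)}
```

With three rules the difference is three scans against one; with thousands of rules sharing the same header (the common case for port 80) the 2.0 layout is what keeps per-packet cost roughly independent of the rule count. Note that the set engine still evaluates the non-content options (flags here) for every rule whose pattern hit, so a packet that carries a pattern but fails the flag check is scanned once and alerts nowhere.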
Acquisition Plugins
• Libpcap allows us to be very cross-platform, but it is also a bottleneck
• Acquisition plugins allow arbitrary data input sources
• Interesting applications
  – Netfilter/divert socket input stream
  – Gateway IDS…
  – Host-based IDS…
• High-speed, platform-specific acquisition capability
Decoder Plugins
• Arbitrary protocol support in Snort
• Snort is currently limited to…
  – Ethernet, FDDI, T/R (Token Ring), SLIP, PPP, ISDN, Raw
  – IP, ARP
  – TCP, UDP, ICMP
• With plug-ins, new decoders can be painlessly dropped into Snort, automatically making Snort "aware" of that protocol and capable of performing traffic analysis on it
• Additional support for "unknown" protocols will have to be added to the detection engine
Pluggable Detection Engines
• The current signature-based engine isn't necessarily the only way to do NID
• The current primary detection engine in Snort is really just a very involved preprocessor
• Other possibilities
  – Snort + Netfilter (or divert sockets) = Gateway IDS (or "packet scrubber")
  – Snort + Nmap = Target-based IDS
  – Snort + SAS = Statistical Anomaly IDS (ok, just kidding)
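The Acquisition Plugins, Decoder Plugins and Pluggable Detection Engines slides describe three stages that can each be swapped independently. As an added example, not code from Snort or from the slides, here is a toy of that pipeline in Python: an in-memory acquisition plugin standing in for libpcap or a netfilter/divert source, decoders registered on a (layer, protocol id) key so that a new one is picked up with no other change, a decoded packet that records which (layer, id) had no decoder (the slides' "unknown protocol" case, which the detection engine then has to deal with), and a one-rule detection engine plugin. The registry layout, DLT name, decoder return convention, sample frames and addresses are all constructed for illustration.

```python
"""Added example, not Snort code: a toy of the slides' plugin pipeline (acquisition -> decoders -> engine)."""
import struct
from dataclasses import dataclass, field

DECODERS = {}  # (dispatch layer, protocol id) -> decoder function; decode() dispatches on this key

def decoder(layer, proto_id):
    """Register a decoder; a newly registered protocol is visible to the whole pipeline with no other change."""
    def wrap(fn):
        DECODERS[(layer, proto_id)] = fn
        return fn
    return wrap

def need(data, n, what):  # every decoder bounds the header it is about to read
    if len(data) < n:
        raise ValueError(f"truncated {what}")

@dataclass
class Packet:
    raw: bytes
    layers: dict = field(default_factory=dict)  # protocol name -> decoded fields
    payload: bytes = b""                         # bytes left after the last decoder
    unknown: "tuple | None" = None               # (layer, id) nobody could decode

@decoder("dlt", "EN10MB")
def decode_ethernet(pkt, data):
    need(data, 14, "Ethernet header")
    ethertype = struct.unpack("!H", data[12:14])[0]
    pkt.layers["eth"] = {"dst": data[:6].hex(":"), "src": data[6:12].hex(":"), "type": ethertype}
    return ("ethertype", ethertype, data[14:])   # (next layer, id, remaining bytes)

@decoder("ethertype", 0x0800)
def decode_ipv4(pkt, data):
    need(data, 20, "IPv4 header")
    vihl, _, total, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total < ihl or total > len(data):
        raise ValueError("bad IPv4 length fields")  # never trust a wire length blindly
    pkt.layers["ip"] = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "ttl": ttl, "proto": proto}
    return ("ipproto", proto, data[ihl:total])   # Ethernet padding past total length is dropped

@decoder("ipproto", 6)
def decode_tcp(pkt, data):
    need(data, 20, "TCP header")
    sport, dport, _, _, off, flags, _, _, _ = struct.unpack("!HHIIBBHHH", data[:20])
    doff = (off >> 4) * 4
    if doff < 20 or doff > len(data):
        raise ValueError("bad TCP data offset")
    pkt.layers["tcp"] = {"sport": sport, "dport": dport, "flags": flags}
    pkt.payload = data[doff:]
    return None                                  # end of the chain

def decode_udp(pkt, data):
    """The drop-in decoder: not registered at import, so demo() can show a frame before and after it is added."""
    need(data, 8, "UDP header")
    sport, dport, length, _ = struct.unpack("!HHHH", data[:8])
    pkt.layers["udp"] = {"sport": sport, "dport": dport}
    pkt.payload = data[8:length]
    return None

def decode(dlt, raw, registry=None):
    """Walk the decoder chain from the link type the acquisition plugin reported."""
    registry = DECODERS if registry is None else registry
    pkt, key, data = Packet(raw), ("dlt", dlt), raw
    while True:
        fn = registry.get(key)
        if fn is None:                           # no plugin: leave the rest opaque and say why
            pkt.unknown, pkt.payload = key, data
            return pkt
        nxt = fn(pkt, data)
        if nxt is None:
            return pkt
        key, data = (nxt[0], nxt[1]), nxt[2]

def memory_source(frames):
    """Acquisition plugin: stand-in for libpcap/netfilter/divert, yields (DLT name, raw frame)."""
    yield from frames

def http_foo_engine(pkt):  # detection engine plugin: alert on a TCP/80 payload carrying "foo"
    t = pkt.layers.get("tcp")
    return ["tcp/80 content foo"] if t and t["dport"] == 80 and b"foo" in pkt.payload else []

def run(source, engines, registry=None):  # acquire -> decode -> every engine sees every packet
    return [(p, [a for e in engines for a in e(p)]) for p in (decode(d, r, registry) for d, r in source)]

# Constructed sample frames (checksums left zero; this toy does not verify them).
def eth(ethertype, payload):
    return b"\x00\x11\x22\x33\x44\x55\x00\x66\x77\x88\x99\xaa" + struct.pack("!H", ethertype) + payload
def ipv4(proto, payload, src=b"\xc0\x00\x02\x0a", dst=b"\x0a\x01\x01\x05"):  # 192.0.2.10 -> 10.1.1.5
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload
def tcp(sport, dport, flags, payload):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload

FRAMES = [
    ("EN10MB", eth(0x0800, ipv4(6, tcp(40000, 80, 0x18, b"GET /foo HTTP/1.0\r\n")))),
    ("EN10MB", eth(0x0800, ipv4(17, struct.pack("!HHHH", 5353, 53, 12, 0) + b"dns?"))),
    ("EN10MB", eth(0x86DD, b"\x60" + b"\x00" * 39)),  # IPv6: no decoder registered here
]

def demo():  # same frames, before and after the UDP decoder is dropped in
    before = run(memory_source(FRAMES), [http_foo_engine])
    after = run(memory_source(FRAMES), [http_foo_engine], {**DECODERS, ("ipproto", 17): decode_udp})
    return before, after
```

Two points worth noting in the toy. First, a decoder that reaches a protocol with no plugin does not fail the packet; it hands the remaining bytes to the engine opaque and records why, which is the situation the Decoder Plugins slide says the detection engine will need extra support for. Second, every decoder checks the length fields it is about to trust before slicing on them; a decoder plugin is parsing attacker-controlled bytes, so that bounding is the first thing a reviewer should look for in any new one.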
Learning More
•
  – Writing Snort Rules
•
  – FAQ, USAGE file, README file, man page
  – Snort mailing lists
• Books
  – Intrusion Detection: An Analyst's Handbook by Northcutt
  – Intrusion Signatures and Analysis by Northcutt
  – The Practical Intrusion Detection Handbook by Paul Proctor