STUDENT NAME:
ASSIGNMENT: GROUP PROJECT
SUBMISSION DATE: 10/11/2016
ASSIGNMENT TOPIC:
STUDENT DECLARATION
I declare that this material, which I now submit for assessment, is entirely my own work and has not been taken from the work of others, save and to the extent that such work has been cited and acknowledged within the text of my work.
I understand that plagiarism, collusion, and copying are grave and serious offences in the university and accept the penalties that would be imposed should I engage in plagiarism, collusion or copying. I have read and understood the Assignment Regulations set out in the assignment documentation.
I have identified and included the source of all facts, ideas, opinions, and viewpoints of others in the assignment references. Direct quotations from books, journal articles, internet sources, module text, or any other source whatsoever are acknowledged and the sources cited are identified in the assignment references.
This assignment, or any part of it, has not been previously submitted by me or any other person for assessment on this or any other course of study.
DATE: 30/10/2016
INTRODUCTION
Snort is one of the most widely deployed network-based intrusion detection systems (IDS) on the market today, having been introduced by Martin Roesch in 1998. It is a free, open source, rule-based intrusion detection and prevention system, developed since 2001 by Sourcefire, a company also founded by Martin Roesch, where he serves as Chief Technology Officer (CTO). Snort gained its popularity through adoption by many large organizations, for instance Verizon, AT&T, the United States State Department, most United States military bases and numerous medium to large sized businesses around the world. On 7 October 2013 Cisco completed its acquisition of Sourcefire for USD 2.7 billion, with the aim of extending Cisco's coverage from corporate customers up to government customers and, in line with Cisco's growth in cybersecurity, combining Sourcefire's open source roots with proprietary innovation to deliver an effective and comprehensive real-time network defence solution. Snort has thus kept its rank as the dominant intrusion detection system today, a rank consolidated by its selection as the greatest piece of open source software in InfoWorld's Open Source Hall of Fame in 2009.
Snort has always promised users a lightweight solution to intrusion detection with good performance, however complex networks and protocols become over time, which keeps it flexible and comprehensive. As a network-based intrusion detection system, Snort is one of the more straightforward tools to set up and configure, because instructional, training and reference material is available to users at all times, making it one of the easiest and simplest intrusion detection systems to use. Even scripts and guidance for automating rule updates are provided, although a registration code (the "oinkcode" issued with a free snort.org account) is needed before administrators can use them. Besides that, Snort's open source nature makes it easy to find guidance and answers when help is needed, because Snort has a large community in which related contributions are at one's fingertips and many active members share rules with each other. Sourcefire regularly releases new rules: registered users can download them for free only after a delay (30 days) following release, while paying subscribers receive the latest releases immediately.
Snort is described as lightweight, but it is also a compact platform with low overhead, and the software itself is free of charge to install. Plenty of commercial products on the market have Snort integrated. Users can obtain any required commercial service, integration or support from Sourcefire at competitive prices, backed by a large support base. Snort supports logging to MySQL, Oracle, Microsoft SQL Server and ODBC databases in the Windows version. All of these capabilities come free of charge, apart from the real-time (0-day) updates to the rules database. Even the real-time updates from the Vulnerability Research Team (VRT) are affordable: the business subscription costs $499 a year per sensor for 1 to 5 sensors.
FUNCTION
Snort can be configured in three main modes: sniffer, packet logger and network intrusion detection. In sniffer mode the program reads network packets and displays them on the console, showing everything it sees with detailed packet decodes. In packet logger mode the program logs packets to disk. In intrusion detection mode the program monitors network traffic and analyses it against a rule set defined by the user; it can also be configured to present only the alerts produced by its rule sets. With its add-ons, Snort can perform solidly across large network infrastructures, which is challenging but achievable. Almost all commercial Security Information and Event Management (SIEM) products can take Snort output, either as tcpdump binary files or as text files, for further correlation and analysis.
The program then performs a specific action based on what it has identified. These basic services have many purposes, including application-aware triggered quality of service, to de-prioritise bulk traffic when latency-sensitive applications are in use. Snort interfaces with a number of third-party tools for administration, reporting, performance and log analysis. Examples of third-party tools that work with Snort are Snorby, a Ruby on Rails web application for network security monitoring; BASE, an application that provides a web front end to query and analyse the alerts from an IDS; Sguil, a collection of free software components for Network Security Monitoring and event-driven analysis of IDS alerts; and Aanval, a product for security event monitoring and reporting from a web browser.
Snort comes with a default configuration file, most of which can be edited. What is good about Snort is that its configuration file contains plenty of comments explaining what each line and section does, so that even a beginner can work it out without outside assistance.
There are three important areas that need attention and configuration:
1. The EXTERNAL_NET variable. In most cases security administrators define EXTERNAL_NET as everything that is not their HOME_NET (written as !$HOME_NET in snort.conf).
2.
3.
Without its rules, Snort is just a sniffer or packet logger, not the IDS it can be.
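To make concrete what the HOME_NET and EXTERNAL_NET variables and a rule set actually do, here is an added example of a toy rule matcher written for this report in Python. It is not Snort's own code, and everything in it is constructed for illustration: the snort.conf fragments, the two local rules (sids 1000001 and 1000002), the 192.168.1.0/24 home network and the 203.0.113.x source addresses are all assumed values. It shows three things: with an empty rule set nothing alerts, which is all sniffer or packet logger mode can do; with EXTERNAL_NET set to !$HOME_NET only traffic from outside the home network triggers the inbound rules; and with the weaker setting EXTERNAL_NET any the same rules also fire on ordinary internal-to-internal traffic.

```python
import ipaddress
import re

# Constructed snort.conf fragment (assumed values, not taken from any real deployment).
CONF_STRICT = "ipvar HOME_NET 192.168.1.0/24\nipvar EXTERNAL_NET !$HOME_NET\n"
# The weaker setting a beginner may leave in place: hosts inside HOME_NET also count
# as "external", so inbound rules fire on ordinary LAN-to-LAN traffic as well.
CONF_LOOSE = CONF_STRICT.replace("!$HOME_NET", "any")

# Constructed local rules in Snort 2 syntax (sids from 1000000 up are for local rules).
RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Inbound SSH"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"cmd.exe in URI"; content:"cmd.exe"; nocase; sid:1000002; rev:1;)
"""

# Constructed packets: (proto, src, sport, dst, dport, payload).
PACKETS = [
    ("tcp", "203.0.113.5", 40000, "192.168.1.10", 22, b""),
    ("tcp", "192.168.1.20", 50000, "192.168.1.10", 22, b""),
    ("tcp", "203.0.113.5", 40001, "192.168.1.10", 80, b"GET /scripts/CMD.EXE?/c+dir HTTP/1.0"),
    ("tcp", "203.0.113.5", 40002, "192.168.1.10", 80, b"GET /index.html HTTP/1.0"),
]

# action proto src sport direction dst dport (options)
RULE_RE = re.compile(r"^(alert|log|pass)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")


def parse_vars(conf):
    """Collect `ipvar NAME VALUE` lines; VALUE may be a CIDR, any, [list] or !$OTHER."""
    return {p[1]: p[2] for p in (ln.split() for ln in conf.splitlines())
            if len(p) == 3 and p[0] == "ipvar"}


def addr_matches(spec, ip, ipvars):
    """Evaluate a Snort address spec (any, CIDR, $VAR, !negation, [a,b] list) for one IP."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip, ipvars)
    if spec.startswith("$"):
        return addr_matches(ipvars[spec[1:]], ip, ipvars)
    if spec.startswith("["):
        return any(addr_matches(s.strip(), ip, ipvars) for s in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    """Evaluate a port spec: any, N, N:M (either end may be open) or !negation."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def parse_rules(text):
    """Parse rule headers and the (key:value; ...) options. Toy parser: no ';' inside quotes."""
    rules = []
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("unparsable rule: " + line)
        action, proto, src, sport, direction, dst, dport, opts = m.groups()
        options = {}
        for opt in filter(None, (o.strip() for o in opts.split(";"))):
            key, _, value = opt.partition(":")
            options[key.strip()] = value.strip().strip('"')
        rules.append(dict(action=action, proto=proto, src=src, sport=sport,
                          direction=direction, dst=dst, dport=dport, options=options))
    return rules


def ends_match(rule, ipvars, a, ap, b, bp):
    return (addr_matches(rule["src"], a, ipvars) and port_matches(rule["sport"], ap)
            and addr_matches(rule["dst"], b, ipvars) and port_matches(rule["dport"], bp))


def header_matches(rule, pkt, ipvars):
    """'->' rules match src -> dst only; '<>' rules match in either direction."""
    proto, src, sport, dst, dport, _ = pkt
    if rule["proto"] not in (proto, "ip"):
        return False
    return ends_match(rule, ipvars, src, sport, dst, dport) or (
        rule["direction"] == "<>" and ends_match(rule, ipvars, dst, dport, src, sport))


def payload_matches(rule, payload):
    """content: must appear in the payload; nocase; makes the comparison case-insensitive."""
    content = rule["options"].get("content")
    if content is None:
        return True
    needle = content.encode()
    if "nocase" in rule["options"]:
        return needle.lower() in payload.lower()
    return needle in payload


def run_ids(conf, rules_text, packets):
    """Return (sid, msg) for every packet/rule match, in packet order. With no rules
    nothing comes back: that is all sniffer or packet-logger mode can do."""
    ipvars, rules = parse_vars(conf), parse_rules(rules_text)
    return [(int(r["options"]["sid"]), r["options"]["msg"])
            for pkt in packets for r in rules
            if header_matches(r, pkt, ipvars) and payload_matches(r, pkt[5])]


if __name__ == "__main__":
    print(run_ids(CONF_STRICT, RULES, PACKETS), run_ids(CONF_LOOSE, RULES, PACKETS))
```

With the strict configuration the internal host 192.168.1.20 connecting to port 22 produces nothing, because !$HOME_NET excludes it from EXTERNAL_NET; with EXTERNAL_NET any the same packet raises a second "Inbound SSH" alert, which is the kind of noise the false alarm figures in the case study below are made of.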
Example:
A CASE STUDY OF THREE OPEN SOURCE SECURITY MANAGEMENT TOOLS
Three open source security management tools, Snort, Pakemon and Argus, are benchmarked against the DARPA 1999 Intrusion Detection Evaluation Data Set. Performance is characterized using multiple performance metrics. Snort is found to have the best performance in terms of detection rate; however, it creates more false positives than desired. The results show that different tools perform well under different attack categories; hence they can be run at the same time to increase the detection rate of attack instances.
Result
Out of a total of 80 attack instances, Snort detected 35 and Pakemon detected 27. The Argus log files contained only 70 of the 80 attacks present in the test data set. To determine which tool actually performs better, two other parameters are analyzed: (1) the number of false alarms and
Conclusion
The results show that none of the tools could capture all of the different attack instances: Snort captured ~44% and Pakemon ~34%. Moreover, Snort has ~99% false alarms whereas Pakemon has ~95%. In other words, all three generate very large log files, which in turn makes them difficult for network managers to analyze. Therefore, it is important to develop filters for these tools to decrease the number of false alarms. Furthermore, we believe that different tools need to be used together to increase the detection rate.
Figure 2 The distribution of attacks that are caught by Snort and Pakemon
Figure 3 Number of attacks and their corresponding confidence levels for each tool
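The case study's recommendation to develop filters that cut the number of false alarms is exactly what Snort's threshold.conf directives, event_filter and suppress, are for. Below is an added example, written for this report in Python and not code from Snort or from the Kayacik and Zincir-Heywood paper, that re-implements the Snort 2 semantics of those directives over a constructed alert stream; the threshold.conf lines, the addresses, the sids and the timestamps are all assumed values. It reduces twenty raw alerts to three by rate-limiting a noisy source, reporting a probe only once a count is reached, and suppressing a known internal scanner.

```python
import re

# Constructed threshold.conf fragment in Snort 2 syntax (values assumed for this example).
THRESHOLD_CONF = """
# one alert per source per minute for the SSH rule, instead of one alert per packet
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60
# alert only once a source has produced five probe hits within ten seconds
event_filter gen_id 1, sig_id 1000002, type threshold, track by_src, count 5, seconds 10
# the internal vulnerability scanner is expected to trip this rule: silence it entirely
suppress gen_id 1, sig_id 1000001, track by_src, ip 192.168.1.5
"""

# Constructed raw alert stream as (unix_time, gen_id, sig_id, src, dst); 20 alerts in all.
RAW_ALERTS = (
    [(t, 1, 1000001, "203.0.113.5", "192.168.1.10") for t in range(100, 130, 3)]    # 10 hits in 30 s
    + [(200, 1, 1000001, "198.51.100.7", "192.168.1.10")]                            # one-off source
    + [(t, 1, 1000001, "192.168.1.5", "192.168.1.10") for t in (300, 301, 302)]      # internal scanner
    + [(t, 1, 1000002, "203.0.113.9", "192.168.1.10") for t in range(400, 412, 2)]  # 6 probes in 12 s
)


def parse_threshold_conf(text):
    """Split event_filter/suppress lines into structures keyed by (gen_id, sig_id)."""
    filters, suppressions = {}, []
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        kind, body = line.split(None, 1)
        kv = dict(item.split() for item in body.split(","))
        key = (int(kv["gen_id"]), int(kv["sig_id"]))
        if kind == "suppress":
            suppressions.append((key, kv.get("track"), kv.get("ip")))
        elif kind == "event_filter":
            filters[key] = dict(type=kv["type"], track=kv["track"],
                                count=int(kv["count"]), seconds=int(kv["seconds"]))
        else:
            raise ValueError("unknown directive: " + line)
    return filters, suppressions


def is_suppressed(alert, suppressions):
    """A suppress with no ip silences the signature; with ip it silences one address."""
    _, gid, sid, src, dst = alert
    for key, track, ip in suppressions:
        if key == (gid, sid) and (ip is None or ip == (src if track == "by_src" else dst)):
            return True
    return False


def apply_filters(conf_text, alerts):
    """Return the alerts that survive suppress and event_filter, Snort 2 style:
    limit     -> the first `count` events per window are reported, the rest dropped
    threshold -> every `count`-th event in a window is reported
    both      -> one report per window, once `count` events have been seen
    The window opens at the first event seen for that (gen_id, sig_id, tracked address)."""
    filters, suppressions = parse_threshold_conf(conf_text)
    state = {}  # (gid, sid, tracked_ip) -> [window_start, events_in_window, already_fired]
    kept = []
    for alert in alerts:
        ts, gid, sid, src, dst = alert
        if is_suppressed(alert, suppressions):
            continue
        flt = filters.get((gid, sid))
        if flt is None:
            kept.append(alert)
            continue
        tracked = src if flt["track"] == "by_src" else dst
        st = state.setdefault((gid, sid, tracked), [ts, 0, False])
        if ts - st[0] >= flt["seconds"]:
            st[:] = [ts, 0, False]  # window expired: start a new one at this event
        st[1] += 1
        if flt["type"] == "limit":
            fire = st[1] <= flt["count"]
        elif flt["type"] == "threshold":
            fire = st[1] == flt["count"]
            if fire:
                st[1] = 0  # the counter restarts, the window does not
        else:  # both
            fire = st[1] >= flt["count"] and not st[2]
            st[2] = st[2] or fire
        if fire:
            kept.append(alert)
    return kept


if __name__ == "__main__":
    kept = apply_filters(THRESHOLD_CONF, RAW_ALERTS)
    print(len(RAW_ALERTS), "raw alerts ->", len(kept), "after filtering:", kept)
```

Filtering of this kind trades detail for readability: the ten SSH hits from 203.0.113.5 become one alert, and the analyst still learns that the source exists, but the packet-level log (which Snort keeps separately) is where the other nine would have to be looked up.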
CONCLUSION
According to the book Snort 2.1, the ultimate goal of installing and using Snort is to help a security analyst monitor and study intrusion attempts. Currently, intrusion-related traffic on the Internet is high. SnortSnarf generates static HTML reports from log files, and Snort_Stat.pl is a simple Perl script that extracts event data summary reports from Snort alert files. Sguil is one of the most powerful Snort event database front ends: a graphical tool designed to be intuitive to an analyst. From the GUI, an analyst can analyse event data and packet logs, populate reports and send abuse emails.
Besides that, Snort is a powerful tool, but maximising its usefulness requires a trained operator, which means becoming proficient with network intrusion detection. Snort is considered a superior NIDS when compared to most commercial systems. Last but not least, it managed network security providers
REFERENCES
1. Snort 2.1 Intrusion Detection, second edition, Raven Alder, Jacob Babbin et al.
2. https://books.google.com.my/books?id=rzd3PLH3vDsC&pg=PA435&lpg=PA435&dq=summary+snort+tools&source=bl&ots=0GhaH4NA9&sig=14J21n69X1zgG4xJ3HG5evS3as&hl=en&sa=X&redir_esc=y#v=onepage&q=summary%20snort%20tools&f=false
3. https://en.wikipedia.org/wiki/Snort_(software)
4. http://null-byte.wonderhowto.com/how-to/hack-like-pro-evade-network-intrusion-detectionsystem-nids-using-snort-0148051/
5. https://openmaniak.com/snort.php
6. http://www.brighthub.com/computing/smb-security/reviews/40032.aspx
7. http://www.cisco.com/c/en/us/products/collateral/security/brief_c17-733286.html
8. http://www.scmagazine.com/snort/review/3027/
9. http://www.securityparagon.com/blog/?p=725
10. https://www.snort.org/faq
11. https://www.snort.org/faq/what-can-i-do-with-snort
12. https://www.snort.org/faq/what-is-snort
13. https://www.snort.org/faq/what-is-the-relationship-between-snort-and-cisco
14. http://www.webopedia.com/TERM/S/Snort.html
15. https://www.youtube.com/watch?v=7OTBlYB14Ww
16. Kayacik, H.G., Zincir-Heywood, A.N., A Case Study of Three Open Source Security Management Tools, Dalhousie University, Faculty of Computer Science, Canada