
COURSE: BIT2413 INFORMATION ASSURANCE AND SECURITY

STUDENT NAME:

ASSIGNMENT: GROUP PROJECT

SUBMISSION DATE: 10/11/2016

ASSIGNMENT TOPIC: SECURITY TOOL (SNORT)

STUDENT DECLARATION
I declare that this material, which I now submit for assessment, is entirely
my own work and has not been taken from the work of others, save and to
the extent that such work has been cited and acknowledged within the
text of my work.
I understand that plagiarism, collusion, and copying are grave and serious
offences in the university and accept the penalties that would be imposed
should I engage in plagiarism, collusion or copying. I have read and
understood the Assignment Regulations set out in the assignment
documentation.
I have identified and included the source of all facts, ideas, opinions, and
viewpoints of others in the assignment references. Direct quotations from
books, journal articles, internet sources, module text, or any other source
whatsoever are acknowledged and the sources cited are identified in the
assignment references.
This assignment, or any part of it, has not been previously submitted by
me or any other person for assessment on this or any other course of
study.

DATE: 30/10/2016

MARKS:

COMMENT:

INTRODUCTION
Snort is one of the most widely deployed network- and host-based intrusion detection systems
(IDS) on the market today, and has been since Martin Roesch introduced it in 1998. It is a free,
open-source, rule-based intrusion detection and prevention system, currently developed by
Sourcefire, the company Martin Roesch founded in 2001 and where he serves as Chief Technology
Officer (CTO). Snort gained its popularity by being adopted by many large organizations, for
instance Verizon, AT&T, the United States State Department, most United States military bases and
numerous medium to large businesses around the world. Later, on 7th October 2013, Cisco acquired
Sourcefire for USD 2.7 billion. The acquisition was intended to help Cisco expand its coverage from
corporate customers to government customers as part of Cisco's growth in cybersecurity, combining
Sourcefire's open-source roots with proprietary innovation to deliver the most effective and
comprehensive real-time network defence, and it allowed Snort to maintain its rank as the dominant
intrusion detection system today. That rank was confirmed when InfoWorld named Snort the Greatest
[piece of] open source software in its Open Source Hall of Fame in 2009.
Snort has always promised users a lightweight solution to system intrusion with strong
performance, no matter how much more complex networks and protocols become over time, which
makes it flexible and comprehensive. As a host-based intrusion detection system, Snort is one of the
more straightforward packages to set up and configure, because instructional, training and reference
material is available to users at all times; this also makes it one of the easiest and simplest intrusion
detection systems to use. Even the scripts and guidance to automate rule updates are provided,
although the scripted updates require a registration code if administrators want to use them. Besides
that, Snort's open-source nature makes it easy for users to find guidance and answers when help is
needed: Snort has a large community, so similar or related contributions are at one's fingertips, and
many active community members share rules with each other. Sourcefire regularly releases new
security rules, which can be downloaded for free only some days after their release, or users can pay
to get the latest releases immediately.
Although Snort is described as lightweight, it is still a very compact platform with low
overhead, and the software itself is free of charge to install. Plenty of commercial products on the
market have Snort integrated. Users can always obtain commercial services, integration or support
through Sourcefire at competitive prices, backed by a large support base. Snort supports logging to
MySQL, Oracle, Microsoft SQL Server and ODBC databases in the Windows version. All of these
capabilities come free, apart from the 0-day real-time updates of the rules database. Even the
real-time updates from the Vulnerability Research Team (VRT) are considered affordable: the business
version costs $499 a year per sensor for 1-5 sensors.

Snort is designed to perform real-time traffic and protocol analysis and packet logging on
Internet Protocol (IP) networks, to search and match content, and to detect attacks and probes, for
example buffer overflows, stealth port scans, Common Gateway Interface (CGI) attacks, Server
Message Block (SMB) probes and Operating System (OS) fingerprinting attempts. Snort can carry out
its functions in four modes, namely Sniffer mode, Packet Logger mode, Intrusion Detection System
(IDS) mode and Intrusion Prevention System (IPS) mode. In Sniffer mode, Snort reads the network
traffic and prints it to the screen for the user, while in Packet Logger mode it collects the network
traffic and records it to a file. In IDS mode, only the network traffic matching the security rules is
recorded. The IPS mode is also known as Snort-Inline. Snort combines the benefits of signature-,
protocol- and anomaly-based inspection methods to deliver flexible protection from malware attacks
and to detect incoming threats at high speed.

FUNCTION

As we know, Snort can be configured in three main modes (sniffer, packet logger and
network intrusion detection). In sniffer mode, the program reads network packets and displays them
on the console, returning everything it sees with detailed packet decodes. Beyond that, Snort can also
be configured to present only the alerts from its rule sets. In packet logger mode, the program logs
packets to disk. In intrusion detection mode, the program monitors network traffic and analyses it
against a rule set defined by the user. With its add-ons, Snort can perform solidly across large
network infrastructures; this is challenging but quite possible. Almost all commercial Security
Information and Event Management (SIEM) products can ingest Snort's output, either as tcpdump
binary files or as text files, for further correlation and analysis.
The program then performs a specific action based on what it has identified. These basic
services have many purposes, including application-aware triggered quality of service, which
deprioritises bulk traffic when latency-sensitive applications are in use. Snort interfaces with a
number of third-party tools for administration, reporting, performance and log analysis. Examples of
third-party tools that work with Snort are Snorby, a Ruby on Rails web application for network
security monitoring; BASE, an application that provides a web front end to query and analyse the
alerts from the IDS; Sguil, a collection of free software components for network security monitoring
and event-driven analysis of IDS alerts; and Aanval, a product that provides security event
monitoring and reporting from a web browser.

POPULAR ATTACK USING SNORT & HOW TO USE THE TOOLS.

Snort is an open-source NIDS (network intrusion detection system) that is widely used around
the world; its market share is estimated at over 60% (2013). It is commonly used by large
organizations such as Verizon, AT&T, the U.S. State Department, most U.S. military bases and millions
of medium to large businesses around the world. In July 2013, Cisco announced that it would acquire
Snort's parent company, Sourcefire Inc. of Columbia, MD, and Cisco went on to acquire Sourcefire
for $2.7 billion. This ensures that Snort will remain the dominant NIDS for some time to come.
As this information implies, Snort is designed to be the best NIDS. A NIDS is intended to detect
any malicious activity on the network and to alert the system administrator to network-based
intrusions. Snort is basically a network traffic sniffer that can apply rules to traffic to determine
whether it contains anything malicious. We can start Snort in sniffer mode by opening a terminal in
BackTrack and typing snort -vde. Fortunately, Snort is built into BackTrack, so we do not need to
install it.

Figure 1 Snort starts in Sniffer mode


After we press Enter, we begin to see packets scrolling past on the screen in rapid succession.
Snort is simply sniffing all the packets from the wire and displaying them to us. To stop Snort,
press Control-C. When Snort stops, it displays statistics on the packet capture.

INTRUSION DETECTION MODE

To get Snort to operate in Intrusion Detection System (IDS) mode, we need to make Snort use
its configuration file. Almost all applications in Linux are controlled by a configuration file, which is
a simple text file, and this also applies to Snort. Snort's configuration file is named snort.conf and is
usually found at /etc/snort/snort.conf. So, to make Snort use its configuration file, we start it with
snort -vde -c /etc/snort/snort.conf, where -c means use the configuration file and
/etc/snort/snort.conf is the location of that file.
When Snort starts in IDS mode, we get output like that shown in Figure 2. Eventually the screen
stops loading and Snort begins to watch the network traffic. From then on, Snort sniffs the wire and
alerts when something malicious appears.

Figure 2 Run Snort configuration file

Snort comes with a default configuration file, most of which can be edited. What is good
about Snort is that its configuration file has plenty of comments explaining what each line and section
does, so even a beginner can figure it out without outside assistance.
There are 3 important areas that need some attention and configuration:
1. The EXTERNAL_NET variable. In most cases, security admins define EXTERNAL_NET as
everything that is not their HOME_NET.
2. The HOME_NET variable, which is our IP address or subnet.
3. The path to the Snort rules.
Without the Snort rules, Snort is just a sniffer or packet logger, not the IDS it can be.

BETTER UNDERSTANDING ON SNORT WITH ITS RULES.


These rules are designed to catch intrusions and alert the security admin. We can navigate to
the rules directory and list the rules using cd /etc/snort/rules and ls -l.

Figure 3 The list of Snort rules


Figure 3 shows the list of Snort rules. Snort rule files are simple text files, so we can open and edit
them with any text editor such as KWrite. One of the listed files is porn.rules, which is designed to
detect a variety of pornography on the wire. To open it, we type kwrite /etc/snort/porn.rules. Now you
know how your sysadmin knew you downloaded porn.

Figure 4 List of rules in porn.rules

HOW IS SNORT USED TO SECURE A SYSTEM

Situation: an attacker has a malicious payload contained in a network packet (packet
header and packet body) and sends it over a network. He is trying to compromise a system
at the edge of some enterprise. Your system belongs to an enterprise connected to the
Internet, and he wants to compromise network security that has traditionally been
handled by a firewall.
Snort uses an Intrusion Prevention System (IPS) to secure a system. A firewall stands
between an enterprise network and the Internet, and all traffic must go through the
firewall in order to reach an authorized system. A firewall looks at the packet and
extracts the packet header and basic pieces of information, such as the source IP
(Internet Protocol) address of the packet.
The firewall then looks at the destination IP address the packet is going to and the port
number the packet is addressed to, and checks these three pieces of information against
a security policy.
The security policy contains a set of rules that control the access of traffic; for
example, if the port number and a particular range of IP addresses match a rule, the
traffic can access the system, and if not, the firewall blocks the traffic entirely.
Firewalls are typically used in one of two ways; in the block-by-default mode, the
firewall allows certain packets through and blocks any packet that does not meet the
criteria.
The firewall's view is too coarse: if a packet has a malicious payload but its source IP,
destination IP and port number match the security policy, it will be allowed through. The
firewall cannot tell from the header information alone whether the actual content is
malicious, so it is not always able to make a clear distinction about whether something
is malicious within the context of those attributes.
An IPS is designed to fix this firewall problem: the main goal of an IPS is to examine the
contents of the packet.
Some components of Snort are the packet decoder, pre-processors, the detection engine,
the logging and alerting system, and output modules.
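To make the firewall-versus-IPS distinction above concrete, and to show how the HOME_NET and EXTERNAL_NET variables from the configuration section feed into a rule's header, here is an added toy example in Python. It is not code from this assignment or from the Snort project: it assumes a constructed snort.conf fragment, a constructed local rule with sid 1000001, and two constructed packets that share the same addresses and ports but carry different payloads. Snort's real detection engine is far more involved; the point is that a header-only check (the firewall's view) cannot separate the two packets, while the rule's content option can.

```python
"""Added example, not Snort's own code: a toy matcher showing why a
header-only firewall policy passes a packet that a content rule catches.
Everything below (config lines, rule, packets) is constructed."""
import ipaddress
import re

# Constructed fragment in the style of snort.conf (ipvar/var lines only).
SNORT_CONF = """
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
"""

# Constructed rule in Snort syntax: a header, then options in parentheses.
# sid 1000001 is in the range reserved for local rules; msg/content are made up.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
        '(msg:"WEB-ATTACK example traversal pattern"; content:"../../"; '
        'classtype:web-application-attack; sid:1000001; rev:1;)')


def parse_vars(conf):
    """Collect var/ipvar/portvar definitions into a dict of name -> raw value."""
    variables = {}
    for line in conf.splitlines():
        m = re.match(r'\s*(?:ipvar|var|portvar)\s+(\w+)\s+(.+)$', line)
        if m:
            variables[m.group(1)] = m.group(2).strip()
    return variables


def parse_rule(text):
    """Split a rule into its seven header fields and a dict of its options."""
    head, _, opts = text.partition('(')
    action, proto, src, sport, _arrow, dst, dport = head.split()
    options = {}
    # key:value pairs end with ';'; quoted values may contain escaped quotes
    for key, value in re.findall(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]+);', opts):
        options[key] = value.strip('"')
    return {'action': action, 'proto': proto, 'src': src, 'sport': sport,
            'dst': dst, 'dport': dport, 'options': options}


def ip_matches(spec, ip, variables):
    """Resolve $VAR references and a leading '!' (negation), then test membership."""
    negate = spec.startswith('!')
    spec = spec.lstrip('!')
    if spec.startswith('$'):
        hit = ip_matches(variables[spec[1:]], ip, variables)
    elif spec == 'any':
        hit = True
    else:
        hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def port_matches(spec, port):
    return spec == 'any' or int(spec) == port


def header_matches(rule, pkt, variables):
    """The firewall's view: protocol, addresses and ports only."""
    return (rule['proto'] == pkt['proto']
            and ip_matches(rule['src'], pkt['src'], variables)
            and port_matches(rule['sport'], pkt['sport'])
            and ip_matches(rule['dst'], pkt['dst'], variables)
            and port_matches(rule['dport'], pkt['dport']))


def content_matches(rule, pkt):
    """The IDS/IPS addition: look inside the payload for the rule's content."""
    needle = rule['options'].get('content')
    return needle is None or needle.encode() in pkt['payload']


def evaluate(rule_text, pkt, variables):
    """Return the rule's action ('alert') when header and content match, else 'pass'."""
    rule = parse_rule(rule_text)
    if header_matches(rule, pkt, variables) and content_matches(rule, pkt):
        return rule['action']
    return 'pass'


# Constructed packets: identical 5-tuple, so a header-only policy treats them alike.
BENIGN = {'proto': 'tcp', 'src': '203.0.113.5', 'sport': 51234,
          'dst': '192.168.1.10', 'dport': 80,
          'payload': b'GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n'}
SUSPICIOUS = dict(BENIGN, payload=b'GET /../../secret HTTP/1.1\r\nHost: www\r\n\r\n')

if __name__ == '__main__':
    variables = parse_vars(SNORT_CONF)
    rule = parse_rule(RULE)
    for name, pkt in (('benign', BENIGN), ('suspicious', SUSPICIOUS)):
        header = header_matches(rule, pkt, variables)
        verdict = evaluate(RULE, pkt, variables)
        print(f'{name}: header fits rule = {header}; rule verdict = {verdict}')
```

Both packets fit the header (external source, internal destination, port 80), so a policy keyed on addresses and ports lets both through; only the content check turns the second one into an alert. The negated EXTERNAL_NET is resolved recursively, which is also why a packet from inside HOME_NET never matches this rule's source.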

Analogy: a security guard (the firewall) at the entrance of a building checks your
credentials and decides whether you are authorized to go into the building or not. The
IPS acts like the mailroom clerk in that building. The mail man, who delivers mail on a
legitimate basis most of the time, would be allowed through by the security guard; it is
only when the actual packages are inspected by the mailroom clerk that one might identify
that a particular package has something malicious or bad in it.

Example:
A CASE STUDY OF THREE OPEN SOURCE SECURITY MANAGEMENT TOOLS.
Three open source security management tools, Snort, Pakemon and Argus, are
benchmarked against the DARPA 1999 Intrusion Detection Evaluation Data Set.
Performance is characterized using multiple performance metrics. Snort is found
to have the best performance in terms of detection rate; however, it creates more
false positives than desired. The results show that different tools perform well
under different attack categories, hence they can be run at the same time to
increase the detection rate of attack instances.
Result
Out of a total of 80 attack instances, Snort detected 35 and Pakemon detected 27.
Indeed, the Argus log file only detected 70 of the 80 attacks present in the test data
set. To determine which tool performs better, two other parameters are analyzed: (1)
the number of false alarms and (2) the number of entries that a network administrator
has to parse in order to detect those attacks. Figure 1 shows the number of
attack-related entries over the total number of entries in the corresponding log files.
Thus, in both cases it is costly to examine all log files. On the other hand, when the
attacks detected by Snort and Pakemon are examined more closely, a strong commonality
exists between the types of attacks detected. As can be seen in Figure 2, Snort on its
own is much better than Pakemon; however, if they work together their performance
increases by approximately 20%. For both of them, though, the confidence level of
detection is mostly at level 3 (Figure 3).

Table 1 Summary of the confidence levels (X indicates the match required)

Figure 1 Number of attack-related entries in the corresponding log files.

Conclusion
The results show that none of the tools could capture all the different
attack instances: Snort captured ~44% and Pakemon ~34%. Moreover, Snort has
~99% false alarms whereas Pakemon has ~95%. In other words, all three
generate very large log files, which in turn makes them difficult for
network managers to analyze. Therefore, it is important to develop filters for
these tools to decrease the number of false alarms. Furthermore, we believe that
different tools need to be used together to increase the detection rate.

Figure 2 The distribution of attacks that are caught by Snort and Pakemon

Figure 3 Number of attacks and their corresponding confidence levels for each tool

CONCLUSION
According to the book Snort 2.1, the ultimate goal of installing and using
Snort is to help a security analyst monitor and study intrusion attempts.
Currently, intrusion-related traffic on the Internet is high. SnortSnarf provides
features for generating static HTML reports from log files, and Snort_Stat.pl is a
simple Perl script to extract event data summary reports from your Snort alert
files. SGUIL is one of the most powerful Snort event database front ends. It is a
graphical tool that has been designed to be intuitive to an analyst. From the GUI,
an analyst can analyze event data and packet logs, populate reports, and send
abuse emails.
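The case study above found that Snort's ~99% false-alarm rate makes its logs costly to read, and this section mentions Snort_Stat.pl as a way to summarise alert files. The following added Python example (not part of the assignment, and not Snort_Stat.pl or any Snort project code) performs the same kind of triage on Snort's alert_fast output: it parses each line, counts hits per signature, lists the busiest source hosts and shows how much of the log disappears when one noisy sid is suppressed. The log lines are constructed, the sids 1000001 to 1000003 are made-up local-rule numbers, and the addresses come from the RFC 5737 documentation ranges.

```python
"""Added example, not Snort_Stat.pl or any Snort project code: a small
summariser for Snort 'alert_fast' log lines. All sample lines are constructed."""
import re
from collections import Counter

# Constructed alert_fast lines (addresses from RFC 5737 documentation ranges).
# Format: timestamp [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src -> dst
SAMPLE_ALERTS = """\
11/10-09:15:01.000001  [**] [1:1000001:1] WEB-ATTACK example traversal pattern [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:51234 -> 192.168.1.10:80
11/10-09:15:02.000002  [**] [1:1000002:3] POLICY noisy example rule [**] [Classification: Potential Corporate Privacy Violation] [Priority: 3] {TCP} 192.168.1.20:4444 -> 198.51.100.7:443
11/10-09:15:03.000003  [**] [1:1000002:3] POLICY noisy example rule [**] [Classification: Potential Corporate Privacy Violation] [Priority: 3] {TCP} 192.168.1.21:4445 -> 198.51.100.7:443
11/10-09:15:04.000004  [**] [1:1000003:2] ICMP PING example [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.5 -> 192.168.1.10
11/10-09:15:05.000005  [**] [1:1000002:3] POLICY noisy example rule [**] [Classification: Potential Corporate Privacy Violation] [Priority: 3] {TCP} 192.168.1.22:4446 -> 198.51.100.7:443
this line is not an alert and must be skipped by the parser
"""

ALERT_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?'   # absent for unclassified rules
    r'\[Priority:\s*(?P<prio>\d+)\]\s+'
    r'\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$')


def parse_alerts(text):
    """Return one dict per well-formed alert line; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            a = m.groupdict()
            a['sid'] = int(a['sid'])
            a['prio'] = int(a['prio'])
            alerts.append(a)
    return alerts


def host_of(endpoint):
    """Strip the ':port' suffix (IPv4 only; ICMP entries carry no port)."""
    return endpoint.rsplit(':', 1)[0]


def summarise(alerts, suppress=()):
    """Count alerts per (sid, msg), ignoring suppressed sids.
    Returns (counter, kept, seen) so the reduction can be reported."""
    counts = Counter()
    kept = 0
    for a in alerts:
        if a['sid'] in suppress:
            continue
        kept += 1
        counts[(a['sid'], a['msg'])] += 1
    return counts, kept, len(alerts)


def top_sources(alerts, n=3):
    """Most frequent source hosts, a quick triage view for the analyst."""
    return Counter(host_of(a['src']) for a in alerts).most_common(n)


if __name__ == '__main__':
    alerts = parse_alerts(SAMPLE_ALERTS)
    counts, kept, seen = summarise(alerts)
    print(f'{seen} alerts parsed')
    for (sid, msg), n in counts.most_common():
        print(f'  sid {sid}: {n} x {msg}')
    print('top sources:', top_sources(alerts))
    _, kept, seen = summarise(alerts, suppress={1000002})
    print(f'after suppressing sid 1000002: {kept} of {seen} alerts remain')
```

Counting per sid is the first step the case study's "filters" need: the one noisy policy rule accounts for three of the five entries here, and suppressing it (in Snort itself this would be a threshold or suppress directive, not a post-processing step) leaves the analyst with the two entries worth reading.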
Besides that, Snort is a powerful tool, but maximizing its usefulness
requires a trained operator who has become proficient in network intrusion
detection. Snort is considered a superior NIDS when compared to most
commercial systems. Last but not least, managed network security providers
should collect enough information to make decisions without calling clients to
ask what happened.

REFERENCES
1. Snort 2.1 Intrusion Detection, second edition, Raven Alder, Jacob Babbin et al.
2. https://books.google.com.my/books?id=rzd3PLH3vDsC&pg=PA435&lpg=PA435&dq=summary+snort+tools&source=bl&ots=0GhaH4NA9&sig=14J21n69X1zgG4xJ3HG5evS3as&hl=en&sa=X&redir_esc=y#v=onepage&q=summary%20snort%20tools&f=false
3. https://en.wikipedia.org/wiki/Snort_(software)
4. http://null-byte.wonderhowto.com/how-to/hack-like-pro-evade-network-intrusion-detectionsystem-nids-using-snort-0148051/
5. https://openmaniak.com/snort.php
6. http://www.brighthub.com/computing/smb-security/reviews/40032.aspx
7. http://www.cisco.com/c/en/us/products/collateral/security/brief_c17-733286.html
8. http://www.scmagazine.com/snort/review/3027/
9. http://www.securityparagon.com/blog/?p=725
10. https://www.snort.org/faq
11. https://www.snort.org/faq/what-can-i-do-with-snort
12. https://www.snort.org/faq/what-is-snort
13. https://www.snort.org/faq/what-is-the-relationship-between-snort-and-cisco
14. http://www.webopedia.com/TERM/S/Snort.html
15. https://www.youtube.com/watch?v=7OTBlYB14Ww
16. Kayacik, H.G., Zincir-Heywood, A.N., A Case Study of Three Open Source Security Management Tools, Dalhousie University, Faculty of Computer Science, Canada
