
Snort

Product
Developers: Sourcefire
Last Release Date: August, 2011
Branches: Information technologies
Technology: Cybersecurity - Antiviruses, Firewall

Snort is one of the best-known network IDPS products and is used in more than half of the Fortune 500 companies. Its signatures are open and are used in many network intrusion detection systems. It is also a component of several hybrid IDS (Prelude, OSSIM) and is supported by many security monitoring systems (Cisco Security MARS).

Snort was created by Martin Roesch, who then founded Sourcefire, the company that continues its development and maintains commercial hardware IPS appliances based on Snort. Snort is integrated into Sourcefire's end-to-end protection platform, Sourcefire 3D System, a corporate threat management system that also includes an access control system and various monitoring and analysis tools. Snort can be used free of charge. The system works in several modes:

  • sniffer mode: packets are read from the network and information about them is printed to the console as a continuous stream;
  • packet logger mode: packets are logged to disk;
  • NIDS mode: packets are analyzed against user-defined rules;
  • inline mode: packets are received not through the libpcap library (which allows low-level observation of packets) but through iptables, and can be dropped according to the rules.

Snort add-on modules:

  • Basic Analysis and Security Engine (BASE): a web interface for analyzing and viewing logs
  • Sguil: a TCL/TK interface for network security monitoring
  • RazorBack: real-time notification of detected signatures
  • ClamAV: a stream antivirus scanner
  • IDS Policy Manager: management of Snort rules

Snort's advantages are the wide range of capabilities provided by the add-on modules and the openness of its signatures. Its drawbacks are the complexity of configuration in the absence of convenient documentation.

Snort is the de facto standard for intrusion prevention, developed by Sourcefire, with more than 3.7 million downloads and more than 225,000 registered users. Snort is used worldwide more often than any other intrusion prevention technology. Over the last ten years the Snort community has grown into a whole ecosystem, progressing from user groups to textbooks and courses taught in hundreds of colleges and universities. Snort is better known to IT security specialists than any other IPS technology on the market. Sourcefire customers benefit from this extended Snort ecosystem.

Snort 2.9.0

The most important improvements:

  • IPS mode: the Stream subsystem (the TCP flow processor/reassembler used to track individual sessions) has been extended for active inline operation, in which Snort acts as a gateway and decides whether each packet may pass at the moment it is received, rather than on the basis of passive traffic analysis. Responses to packets are now issued through a single API that supports the Stream, Respond and React modules. A new response module, respond3, is added; it supports the syntax of both the resp and resp2 modules and can also block in configurations with passive traffic analysis. When Snort runs in active inline mode, a new packet normalization preprocessor is used, which lets Snort interpret packets the same way the receiving host does;
  • Introduction of the DAQ module (Data Acquisition API), which defines a set of packet acquisition methods such as libpcap, netfilterq, IPFW and afpacket. When libpcap is used, version 1.0 or later is now required. Since DAQ is now an independent module, its code can be updated independently of Snort;
  • The HTTP traffic inspection code (HTTP Inspect) has been updated and can now extract and use IP addresses from the X-Forwarded-For and True-Client-IP HTTP headers;
  • The new byte_extract rule option stores bytes taken from the payload in a variable that later options in the same rule can use: isdataat, byte_test and byte_jump, as well as the distance, within, depth and offset modifiers of content;
  • The SMTP preprocessor now supports decoding of large MIME attachments that span more than one network packet;
  • Rules that block packets can be tested: in Inline Test Mode, packets are not dropped but only logged as subject to blocking;
  • New rule options for decoding and inspecting base64-encoded data;
  • The IPv6 packet decoding code has been improved to detect anomalies better;
  • An example application for processing the unified2 format, which Snort uses for compact log storage, is added;
  • A new pattern-matching engine is added that can use hardware accelerators compatible with Intel QuickAssist Technology to speed up pattern matching.
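To make the byte_extract item above concrete, here is an added example (not code from Snort or Sourcefire) that emulates in Python how a value extracted by byte_extract feeds the offset and depth modifiers of a later content option. It follows the rule given for this option in the Snort manual, where the first two payload bytes declare where a field starts and how long it is; the multiplier, align and string modifiers are not modelled, and the payloads are constructed for the demonstration.

```python
"""Toy evaluator for Snort's byte_extract rule option (added example, not Snort code).

It mirrors the example rule from the Snort manual, in which two one-byte
fields at the start of the payload decide where `content` may match:

    alert tcp any any -> any any (
        byte_extract:1,0,str_offset; byte_extract:1,1,str_depth;
        content:"bad stuff"; offset:str_offset; depth:str_depth;
        msg:"Bad Stuff detected within field";)

The multiplier/align/string modifiers of byte_extract are not modelled.
"""
from typing import Optional


def byte_extract(payload: bytes, nbytes: int, offset: int,
                 cursor: int = 0, relative: bool = False,
                 little_endian: bool = False) -> int:
    """Return the unsigned integer stored in `nbytes` bytes of `payload`.

    `offset` counts from the start of the payload, or from `cursor`
    (the end of the previous content match) when `relative` is set.
    Raises ValueError when the bytes are not present, which in Snort
    means the option fails and the rule does not fire.
    """
    if nbytes not in (1, 2, 4):
        raise ValueError("byte_extract reads 1, 2 or 4 bytes")
    start = (cursor if relative else 0) + offset
    if start < 0 or start + nbytes > len(payload):
        raise ValueError("byte_extract runs past the end of the payload")
    return int.from_bytes(payload[start:start + nbytes],
                          "little" if little_endian else "big")


def content(payload: bytes, pattern: bytes, offset: int = 0,
            depth: Optional[int] = None) -> int:
    """Emulate `content` with `offset`/`depth`: search payload[offset:offset+depth].

    Returns the cursor position just after the match (what later relative
    options would build on), or -1 when the pattern does not lie entirely
    inside the search window.
    """
    end = len(payload) if depth is None else offset + depth
    idx = payload.find(pattern, offset, end)
    return -1 if idx < 0 else idx + len(pattern)


def bad_stuff_rule(payload: bytes) -> bool:
    """Evaluate the manual's rule: is "bad stuff" inside the declared field?"""
    try:
        str_offset = byte_extract(payload, 1, 0)   # first byte: where the field starts
        str_depth = byte_extract(payload, 1, 1)    # second byte: how long the field is
    except ValueError:
        return False                               # payload too short: rule cannot match
    return content(payload, b"bad stuff", offset=str_offset, depth=str_depth) >= 0


if __name__ == "__main__":
    # Constructed payloads laid out as [offset][depth][data...]
    hit = bytes([2, 9]) + b"bad stuff"              # field exactly covers the pattern
    short_field = bytes([2, 8]) + b"bad stuff"      # declared field too short: no alert
    outside = bytes([2, 5]) + b"ok   bad stuff"     # pattern lies after the field: no alert
    for name, p in [("hit", hit), ("short_field", short_field), ("outside", outside)]:
        print(name, bad_stuff_rule(p))
```

The point the emulation makes is that depth is measured from the extracted offset, so a pattern that straddles the end of the declared field does not match; this is what lets a rule inspect only the field a length byte actually describes rather than the whole payload.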

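The list above mentions an example application for the unified2 log format. The following is an added example written for this page (not the application shipped with Snort, and not Sourcefire code) that reads unified2 records in Python. The record layout follows Snort's Unified2_common.h as I know it: an 8-byte header of record type and record length, both big-endian, followed by the record body; type 7 is the legacy IPv4 IDS event (52-byte body) and type 2 is a captured packet (28-byte header plus packet bytes). The sample stream is constructed in the code, and the reader skips record types it does not decode by using the length field, so newer record types and a truncated, still-being-written file do not break it.

```python
"""Minimal reader for Snort unified2 records (added example, not Snort's own code).

Layout follows Snort's Unified2_common.h: every record starts with an
8-byte header (type, length; both big-endian uint32), followed by
`length` bytes of body. Two record types are decoded here:
  7  UNIFIED2_IDS_EVENT  legacy IPv4 event, fixed 52-byte body
  2  UNIFIED2_PACKET     28-byte header + captured packet bytes
Anything else is reported as unknown and skipped via the length field.
"""
import socket
import struct
from typing import Dict, List

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_EXTRA_DATA = 110   # present in real files; this reader does not decode it

HEADER = struct.Struct("!II")          # record type, record length
# sensor_id, event_id, event_second, event_microsecond, signature_id,
# generator_id, signature_revision, classification_id, priority_id,
# ip_source, ip_destination, sport_itype, dport_icode,
# protocol, impact_flag, impact, blocked
IDS_EVENT = struct.Struct("!9I4s4sHHBBBB")
# sensor_id, event_id, event_second, packet_second, packet_microsecond,
# linktype (DLT value), packet_length
PACKET_HDR = struct.Struct("!7I")


def parse_unified2(data: bytes) -> List[Dict]:
    """Walk a unified2 byte stream and return one dict per record."""
    records = []
    pos = 0
    while pos + HEADER.size <= len(data):
        rtype, rlen = HEADER.unpack_from(data, pos)
        body = data[pos + HEADER.size:pos + HEADER.size + rlen]
        if len(body) < rlen:
            break                      # truncated tail: Snort may still be writing it
        pos += HEADER.size + rlen
        if rtype == UNIFIED2_IDS_EVENT and rlen == IDS_EVENT.size:
            f = IDS_EVENT.unpack(body)
            records.append({
                "type": "event", "sensor_id": f[0], "event_id": f[1],
                "event_second": f[2], "event_microsecond": f[3],
                "sid": f[4], "gid": f[5], "rev": f[6],
                "classification": f[7], "priority": f[8],
                "src": socket.inet_ntoa(f[9]), "dst": socket.inet_ntoa(f[10]),
                "sport": f[11], "dport": f[12], "protocol": f[13],
                "blocked": f[16],
            })
        elif rtype == UNIFIED2_PACKET and rlen >= PACKET_HDR.size:
            h = PACKET_HDR.unpack_from(body)
            records.append({
                "type": "packet", "sensor_id": h[0], "event_id": h[1],
                "event_second": h[2], "linktype": h[5],
                "packet_length": h[6],
                "packet": body[PACKET_HDR.size:PACKET_HDR.size + h[6]],
            })
        else:
            records.append({"type": "unknown", "record_type": rtype, "length": rlen})
    return records


def build_record(rtype: int, body: bytes) -> bytes:
    """Frame a body with the unified2 record header."""
    return HEADER.pack(rtype, len(body)) + body


def sample_file() -> bytes:
    """Constructed unified2 stream: one event, its packet, and one undecoded record."""
    event = IDS_EVENT.pack(
        1, 42, 1314000000, 123456,            # sensor, event id, time
        1000001, 1, 3, 29, 2,                 # sid, gid, rev, class, priority
        socket.inet_aton("10.0.0.5"), socket.inet_aton("192.0.2.10"),
        40000, 80, 6,                         # sport, dport, protocol (TCP)
        0, 0, 0)                              # impact_flag, impact, blocked
    pkt = b"GET / HTTP/1.1\r\n"
    packet = PACKET_HDR.pack(1, 42, 1314000000, 1314000000, 123456, 1, len(pkt)) + pkt
    return (build_record(UNIFIED2_IDS_EVENT, event)
            + build_record(UNIFIED2_PACKET, packet)
            + build_record(UNIFIED2_EXTRA_DATA, b"\x00" * 12))


if __name__ == "__main__":
    for rec in parse_unified2(sample_file()):
        print(rec["type"], {k: v for k, v in rec.items() if k != "type"})
```

Event and packet records share sensor_id and event_id, which is how a consumer joins an alert to the packet that triggered it; in practice the event record and its packet are written consecutively, as in the constructed stream here.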
Snort 2.9.1 RC

The new version of Snort includes an IP address reputation preprocessor, which has already received many positive reviews from users who tested Snort 2.9.1 RC.

  • New SIP preprocessor

The SIP preprocessor can warn about the following types of anomalies:

    • Invalid SIP version
    • Unknown SIP method
    • SIP method mismatch
    • Missing header in the data packet

  • New POP3 and IMAP preprocessors for decoding e-mail attachments in the Base64, Quoted-Printable and UUENCODE formats
  • Support for reading large PCAP files is added
  • New IP reputation preprocessor
  • New dcerpc2 preprocessor
  • Reporting on received attachments by sender and recipient addresses
  • Direct access to GZIP decoding capabilities
  • Several bug fixes in Stream5
