Snort

from Wikipedia, the free encyclopedia
Snort
Basic data

Developer: Sourcefire
Current version: 3.0.0-270 (March 25, 2020)
Operating system: platform independent
Programming language: C
Category: Intrusion Detection System
License: GPL
Available in German: No
snort.org

Snort is a free Network Intrusion Detection System (NIDS) and Network Intrusion Prevention System (NIPS). It can be used to log IP packets as well as to analyze traffic in IP networks in real time. The software is mainly used as an intrusion prevention solution, automatically and immediately blocking attacks on the basis of detected events. Snort was written by Martin Roesch and is now developed further by his company Sourcefire, which was acquired by Cisco in October 2013. In 2009, Snort was inducted into InfoWorld's “Open Source Hall of Fame” as one of the best representatives of free open source software (“greatest open source software of all time”). The Snort mascot is a piglet with a big, snorting nose.

Functionality

Snort "reads" all passing network traffic directly from the network hardware. The content of the stream of data packets is compared against characteristic patterns of known attacks. These patterns are commonly called signatures, which Snort records in "rules". Snort uses the Aho-Corasick algorithm for pattern matching. Several thousand signatures now exist for Snort. Since new methods of attacking computers and networks become known very frequently worldwide, the collection of signatures (as with virus scanners) should be updated regularly. Snort is widely used to actively block network traffic or to passively detect various forms of attack. Snort can also be combined with other software, such as BASE ("Basic Analysis and Security Engine"), Sguil, OSSIM, SnortSnarf and Snorby, for convenient control of the software and a clear graphical representation of possible intrusion data.
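The paragraph above names the mechanism but does not show it. The following is an added example, not code from Snort or Sourcefire: a compact Aho-Corasick automaton built from the content strings of a few constructed signatures, run once over a constructed packet payload so that every signature is checked in a single pass. The SIDs, descriptions and payloads are invented for illustration.

```python
"""Multi-pattern signature matching with Aho-Corasick.

Added example, not Snort's own code: a compact Aho-Corasick automaton of the
kind the article mentions, built from the content strings of a few constructed
signatures and run once over a constructed payload so that every signature is
checked in a single pass.  The SIDs, descriptions and payloads are invented.
"""
from collections import deque

# Constructed signatures: (sid, description, content bytes). Not real Snort SIDs.
SIGNATURES = [
    (1000001, "HTTP directory traversal attempt", b"../../"),
    (1000002, "SMB negotiate probe", b"\xffSMB"),
    (1000003, "Suspicious shell path", b"/bin/sh"),
    (1000004, "Overlapping pattern test", b"bin"),
]


class AhoCorasick:
    """Keyword trie with failure links; finds all patterns in one pass over the input."""

    def __init__(self, patterns):
        # Node 0 is the root. Per node: byte -> child map, failure link, pattern outputs.
        self.goto = [dict()]
        self.fail = [0]
        self.out = [[]]
        for idx, pattern in enumerate(patterns):
            self._insert(pattern, idx)
        self._build_failure_links()

    def _insert(self, pattern, idx):
        node = 0
        for b in pattern:
            if b not in self.goto[node]:
                self.goto.append(dict())
                self.fail.append(0)
                self.out.append([])
                self.goto[node][b] = len(self.goto) - 1
            node = self.goto[node][b]
        self.out[node].append(idx)

    def _build_failure_links(self):
        # Breadth-first, so each node's failure target is already finished when used.
        queue = deque(self.goto[0].values())
        while queue:
            node = queue.popleft()
            for b, child in self.goto[node].items():
                f = self.fail[node]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[child] = self.goto[f].get(b, 0)
                # A pattern that ends at the failure target also ends here.
                self.out[child].extend(self.out[self.fail[child]])
                queue.append(child)

    def search(self, data):
        """Yield (end_offset, pattern_index) for every occurrence in data."""
        node = 0
        for pos, b in enumerate(data):
            while node and b not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(b, 0)
            for idx in self.out[node]:
                yield pos, idx


def match_payload(payload, signatures=SIGNATURES):
    """Return the sorted SIDs whose content occurs anywhere in payload."""
    automaton = AhoCorasick([content for _, _, content in signatures])
    return sorted({signatures[idx][0] for _, idx in automaton.search(payload)})


if __name__ == "__main__":
    # Constructed packet payloads, not captured traffic.
    for payload in (b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n",
                    b"\x00\x00\x00\x85\xffSMBr\x00",
                    b"HEAD / HTTP/1.0\r\n"):
        print(payload[:24], "->", match_payload(payload))
```

The point of the failure links is that the payload is scanned once regardless of how many signatures are loaded; the overlapping `bin` and `/bin/sh` patterns show why the outputs of the failure target are copied into each node.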

Network-based IDS (NIDS)

Snort can be used to detect known attacks on vulnerabilities in network software. It performs protocol analysis and content searching and matching in order to passively identify different forms of attack, such as a buffer overflow, port scans, attacks on web applications or SMB probes. Attacks are enabled by so-called exploits, i.e. specially crafted programs such as Internet worms (e.g. Sasser or W32.Blaster), which may in turn carry a backdoor program (originally an administrator's hidden back door or maintenance access) or be one themselves, through which the actual attack ultimately takes place. If an attack is detected, an alarm can be raised, for example, and the network packets can be recorded for later analysis or for the preservation of evidence.

Network Intrusion Prevention System (NIPS)

Snort performs protocol analysis and content searching and matching in order to actively block network traffic. With patches to the Snort source code from “Bleeding Edge Threats”, ClamAV can be used to scan the data stream for viruses. In addition, the data stream can be scanned for network anomalies (including against historical data) at network layers three and four using SPADE. As of 2010/2011, however, these patches appear to be no longer maintained.

Network analysis tool

Snort is also well suited to assisting the network administrator with network analysis. It can be used as a sniffer, similar to tcpdump, to output filtered network traffic; Snort has more options and can completely replace tcpdump. Snort can also record a network dialog between server and client for later analysis and reassemble the pure user data (payload) into a transcript of the communication.

Importance in Security Incident Information Sharing (SIIS)

In IT espionage, criminals often use standard tools, but modify them slightly before using them against a victim so that they are not recognized by signatures that IPS and antivirus providers have already published. If the victim nevertheless recognizes the attack and has its provider create a signature, the provider publishes that signature. The perpetrators are thereby warned and, under certain circumstances, can even use the signature to identify which victim has discovered their tool.

In many countries, government agencies and certain industrial sectors, but also NGOs and charitable institutions, all of which are typical targets of IT espionage, exchange information about security incidents within the framework of SIIS projects. Since Snort-compatible rules have become the de facto standard, they have also become the standard format for exchanging IPS signatures.
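Because the rule text itself is what gets exchanged, a receiving party needs to parse and sanity-check it before loading. The following is an added example, not code from Snort or any rule publisher: a minimal parser for the Snort 2 rule syntax (header plus parenthesised options) that extracts the header fields, decodes `content:` values including the `|hex|` byte notation, and flags rules that lack a SID or have no content to match on. The sample rules and their SIDs are constructed for illustration.

```python
"""Parsing the Snort rule format used to exchange IPS signatures.

Added example, not Snort's own code: a minimal parser for the Snort 2 rule syntax
(header plus parenthesised options) that extracts the fields a signature-exchange
workflow needs, decodes content values including the |hex| byte notation, and
sanity-checks a rule before loading. Rules and SIDs below are constructed.
"""
import re

SAMPLE_RULES = """\
# constructed example rule set
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE traversal attempt"; \\
    flow:to_server,established; content:"../../"; nocase; sid:1000001; rev:2;)
alert tcp any any -> $HOME_NET 445 (msg:"EXAMPLE SMB probe"; content:"|FF|SMB"; sid:1000002; rev:1;)
drop udp any any -> any 53 (msg:"EXAMPLE dns marker"; content:"example"; sid:1000003; rev:1;)
"""

# Header layout: action proto src src_port direction dst dst_port (options)
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$")
KNOWN_ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}


def split_options(body):
    """Split the option body on ';' outside double quotes (backslash escapes kept)."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and in_quote and i + 1 < len(body):
            cur.append(body[i:i + 2])  # keep the escape pair for decode_content
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    return [o.strip() for o in opts + ["".join(cur)] if o.strip()]


def decode_content(value):
    """Decode a content value: quoted text with optional |hex bytes| segments."""
    text = value.strip()
    if len(text) >= 2 and text[0] == text[-1] == '"':
        text = text[1:-1]
    out = bytearray()
    for i, seg in enumerate(text.split("|")):
        if i % 2:  # odd segments sit between bars: hex digits, spaces optional
            out.extend(bytes.fromhex(seg.replace(" ", "")))
        else:      # literal text; undo the escapes Snort allows inside quotes
            seg = seg.replace('\\"', '"').replace("\\;", ";").replace("\\\\", "\\")
            out.extend(seg.encode("latin-1"))
    return bytes(out)


def parse_rule(line):
    """Parse one rule into a dict; raise ValueError if the header is malformed."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("malformed rule header: %r" % line[:60])
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = []
    for tok in split_options(body):
        key, sep, val = tok.partition(":")
        options.append((key.strip(), val.strip() if sep else None))
    opt = dict(options)  # last occurrence wins, which is fine for msg/sid/rev
    return {
        "action": action, "proto": proto, "src": src, "src_port": sport,
        "direction": direction, "dst": dst, "dst_port": dport, "options": options,
        "msg": (opt.get("msg") or "").strip('"'),
        "sid": int(opt["sid"]) if opt.get("sid") else None,
        "rev": int(opt["rev"]) if opt.get("rev") else None,
        "contents": [decode_content(v) for k, v in options if k == "content"],
    }


def parse_rules(text):
    """Parse a rule file: skip comments and blanks, join backslash-continued lines."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        rules.append(parse_rule(pending + line))
        pending = ""
    return rules


def check_rule(rule):
    """Return problems a rule-exchange pipeline should flag before loading the rule."""
    problems = []
    if rule["action"] not in KNOWN_ACTIONS:
        problems.append("unknown action %r" % rule["action"])
    if rule["sid"] is None:
        problems.append("missing sid")
    if not rule["contents"] and "pcre" not in dict(rule["options"]):
        problems.append("no content or pcre: rule matches on header alone")
    return problems
```

Calling `parse_rules(SAMPLE_RULES)` yields three rule dicts; `check_rule` on each returns an empty list, while a header-only rule such as `alert tcp any any -> any any (msg:"x";)` is flagged for the missing SID and for matching every packet in the header's scope. Snort's own parser accepts far more option keywords than this; the example only covers what is needed to inspect an exchanged rule set.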

Commercial providers and government agencies that perform counter-espionage tasks have also specialized in Snort-compatible signatures.

Snort itself has the advantage that organizations under aggressive espionage can deploy it without initiating a procurement process; perpetrators can easily monitor such processes and thereby learn which tools their victims use for defense, so as to adapt. In such cases Snort is typically used passively, so the perpetrators do not know whether and how their movements in the victim's network are being detected. Their behavior can then be observed in detail, and the victim can identify the infrastructure they have built and thus prepare a concerted action to undermine and remove them, their tools and their preferred methods of distribution.

History

Snort was first released in 1998 in a Unix version. Its author Martin Roesch later founded the company Sourcefire. In addition to the version of Snort under the GNU GPL, Sourcefire also offers a commercial version with additional detection and analysis methods. Sourcefire sells enterprise solutions for Network Security Monitoring (NSM) with specially developed hardware and commercial support. In early October 2005, Check Point, headquartered in Tel Aviv, Israel, attempted to acquire Sourcefire. The purchase price was reported as around $225 million. The acquisition failed in early 2006 due to opposition from the US federal government. In October 2013, the American company Cisco Systems announced that it had completed the acquisition of Sourcefire.

Security story

Snort itself has not been spared from security vulnerabilities. In spring 2003, for example, two ways of triggering a buffer overflow in Snort were found.

There is no direct connection to the Airsnort program, despite the similar name and the fact that Airsnort adopted the Snort logo in modified form: the same pig, but with wings.
