SNORT AS INTRUSION DETECTION AND PREVENTION TOOL
Table of Contents
Introduction (p. 4)
Hardware Requirements (p. 6)
Other Software (p. 8)
    Exploit (p. 10)
    Denial-of-Service (DoS) (p. 10)
    Reconnaissance (p. 10)
    Misuse (p. 10)
Signature Micro-Engines (p. 10)
Attack Mitigation (p. 10)
Environment-centric Research (p. 11)
IPS actions (p. 16)
Conclusion (p. 17)
References (p. 19)
Introduction
Organization systems face different kinds of attacks every day. Intrusion is one of the attacks that organizations are battling with. Because of the constant intrusions experienced in organization systems, technical experts had to come up with intrusion detection and prevention mechanisms and tools to help mitigate the risks. These are the processes of monitoring the systems and networks and analyzing them for any imminent attack, so as to facilitate prevention of the attacks. There are various tools in existence that are utilized for intrusion detection and
Snort is an open source network intrusion detection system that is designed for both Windows and Linux systems to help eliminate intrusion threats. Snort is a modern security system that has three major roles: it can be used as a packet sniffer, a packet logger, or even serve as a Network-based Intrusion Detection System (NIDS). There are also many add-on applications for Snort that provide different ways of recording and managing Snort system logfiles, fetching and maintaining current Snort rulesets, and alerting to let the system administrator know when potentially malicious traffic has been detected. Even though they are not part of the core Snort suite, the add-ons provide a rich variety of features to the security administrator. As will be discussed, there are many different ways to use Snort as part of a company's security design. Usually, Snort only supports the TCP/IP protocols. With custom extensions, Snort can be made to support other network protocol suites, such as Novell's IPX, although TCP/IP is the main protocol suite supporting the Internet (Team, 2016).
[Figure: Snort main process flow (labels legible in the original: Log system, Pattern matching)]
Before commencing its actual work, Snort starts by parsing the command line arguments and setting the flags that fill and initialize the PV structure. This is followed by initialization of the plug-ins; then the linked lists of rules are generated from the rule files, while the related protocol initialization, the preprocessing modules and the output modules are called. Snort then captures packets by calling the libpcap capture functions and processes each corresponding packet. The main process is shown in the figure above. Snort's network protocol analysis function is called to hierarchically parse the packet and store the parsed results in the Packet structure. The Packet structure stores useful packet information extracted from the raw data to facilitate follow-up procedure calls. It mainly stores pointers to the packet header information,
To a large extent, determining what type of hardware and software configuration the organization will need to run an optimal Snort installation is a matter of understanding its entire network architecture. First, the organization must consider questions of scale. Roughly, it is assumed that the larger the network is, the better the machines the organization needs to serve as its Snort sensor(s). Snort will need to be able to keep up with the organization's network, have enough disk space to log its alerts, and have a fast enough processor and enough memory to handle the normal traffic flow in the network, with some room built in for intense attacks and traffic spikes. While some optimizations can be done to speed Snort up significantly, these are the basic issues that the network administrators will need to consider (Garg & Maheshwari, 2016).
Hardware Requirements
One of the most important things the network administrators need, especially if they are using Snort as a Network-based Intrusion Detection System (NIDS), is a big hard drive. If they are storing their data either as Syslog files or in a database, they will need a great deal of storage space to hold all the data that Snort's detection engine requires to check the system for any form of rule violation. Another highly recommended hardware device for Snort is an additional Ethernet interface. One of the Ethernet interfaces is used for typical network connectivity (SSH, Web services, and so forth), and the additional interface is for the Snorting activities. This detection interface that does the "snorting" is the organization's Snort sensor. Snort does not have any specific hardware requirements beyond what the operating system already needs to run. Running any application or program on a faster processor always makes it work faster. However, the organization will be limited in the amount of data it collects by its network connection and by its hard drive (Liao et al., 2013).
To run Snort, it will be necessary to have a reasonably sized network interface card (NIC) to help collect the correct amount of network packets. For instance, if the organization's network is running at 100MB, it will need a 100MB network interface card to collect the correct amount of packets generated on the network. Otherwise, the organization will miss some packets and thus will be unable to collect the resulting alerts accurately. In addition, the organization will need a good-sized external hard drive to help with its data storage. If its external hard drive is too small, there is the likelihood that it will not be able to write alerts to either its database or its log files. A suitable setup for a single Snort sensor is said to be a 9GB partition.
It is clear that Snort was designed to be a lightweight NIDS. Currently, Snort can run on FreeBSD, NetBSD, x86 Linux systems, Windows and OpenBSD. Other supported systems include PA-RISC HP-UX, PowerPC, MacOS X and MkLinux, and Sparc Solaris. Snort will run on just about any modern OS today. There has always been an argument regarding the best OS on which to run Snort. Previously, the *BSDs had the better IP stack. However, since Linux advanced to the 2.4 kernel, the IP stacks are similar. The ideal OS is NetBSD, but the organization's preference might differ. Going for the latest Linux version is also recommended. As much as the question of which OS has the best TCP/IP stack is essential, it is also necessary to figure out which operating system the people in the organization, particularly the system
Other Software
In addition to the basic operating system, if the organization intends to compile Snort from source code, it will need the tools to do the code compilation. It must ensure that it has the following installed:
GCC
Libpcap software
Most of these are downloadable from the nearest GNU mirror. The administrators might also want to install Snort add-ons or management tools, such as the popular Analysis Console for Intrusion Detection (ACID) Web interface, which requires the Apache Web server (Secure Socket Layer support is highly recommended), PHP, and a database for the alerts such as
ACID
Oinkmaster
SnortSnarf
SnortReport
Additionally, there might be a need to install certain servers to help with the remote
quite tiresome as time goes by. The recommended servers are an SSH server or a Terminal server, depending on the type of operating system chosen. The two types of servers will make it possible to link up the files against which comparisons are made to detect potential threats to the main servers that run the system activities. The servers that are linked first are those that contain all the files that are received into the system (Paquet, 2013).
Intrusion detection and prevention is a vital part of the overall Snort Self-Defending Network arrangement. When this technology is put to work together with firewalls and NetFlow services, it provides additional basic action and response capability against malicious attacks on an organization. The Snort Intrusion Prevention System (IPS) is an advanced version of the Snort Intrusion Detection System (IDS) arrangement. These two components work hand in hand to improve a company's security at all levels. Examples of this kind of development are features such as stateful pattern recognition and protocol anomaly analysis. These two elements, when working together, provide the advantages that are normally required to recognize the widest range of significant attacks precisely.
In addition, like Snort IDS, Snort IPS is made up of similar approaches in its arrangement methods. To protect different network segments, Snort IPS 4200 is constructed as dedicated devices. Moreover, integrated systems are also available to assess the Snort version 6500 IDS modules, which also assess the subsequent modules of the systems. It is also worth noting that Snort IPS provides a subset of IPS abilities using Snort software on the router. These components also improve each other's working abilities, in that they advance the process from an inline device that only monitors the network to an inline, responsive and preventive device. Attacks that are generated by
Exploit: This is an activity that involves compromising a system or gaining network access.
Denial-of-Service (DoS): either a system or network. The main aim of this type of attack is to disrupt typical operations.
Reconnaissance: This is an activity that gathers data on system and network assets. It
Misuse: An action that goes against corporate policy (Low, 2015).
Signature Micro-Engines
Snort applies signature micro-engines (SMEs) to load (into the switch's memory) and scan for a set of attack signatures. Each engine is designed to analyze a Layer 4 or Layer 7 protocol and its related fields and arguments. Within any packet carrying data for that session, it looks for a set of legal parameters that have allowable ranges or sets of values. It also scans for malicious activity specific to that protocol, using a parallel signature-scanning system to examine multiple patterns within an SME at any given time.
Attack Mitigation
Snort IPS can protect an organization's system from more than 3700 unique attacks, malicious activities, worms, and infections. Attacks that are recognizable and can be stopped by Snort IPS include numerous Microsoft Windows operating system and application
Each specific signature, or class of signatures, selected to scan traffic for matching attacks can be configured to take any combination of the following five actions when triggered:
Send an alert via Syslog or log an alert in Secure Device Event Exchange (SDEE) format
Send TCP reset commands to both ends of the connection, which will terminate the session
Drop further packets that belong to the same TCP session (connection) from the
Environment-centric Research
An IDS passively monitors packets on a given target network looking for malicious activity. The way the IDS identifies malicious activities that are set to disrupt normal system operations is by applying signature analysis to previously identified malicious packets to decide the type of attack. In promiscuous mode, the IDS examines a copy of the monitored traffic rather than the original packet. If a packet or sequence of packets triggers an alert based on signature analysis, data related to this plausible intrusion is collected for analysis to determine the integrity level. This data allows the IDS administrator to determine ongoing attacks and additionally conduct a considerable examination of previous attacks. Extra administrator-configurable actions could be performed by the IDS, including system resets and configuring access or authentication control lists to help in
The limitation of intrusion detection is that the IDS cannot prevent the malicious activity from reaching its intended target for certain kinds of attacks. The countermeasures by the IDS and post-event reactions furthermore always need help from other network devices
directly affects the traffic flow to stop attacks from reaching the intended target. In inline mode, the IPS resides in the path of the traffic, which allows the IPS to stop attacks by terminating recognized harmful activity. The IPS handles the real packet. In case a packet or sequence of packets triggers an alert, drop-packet actions can be taken
IDS and IPS work together to provide a network security solution. An Intrusion Detection System captures packets in real time, processes them, and can also respond to threats; however, it works on copies of the transmitted data to identify suspicious activity using signatures. This is called promiscuous mode. In the time taken to identify harmful activity, the IDS has already allowed some malicious traffic to take place before it can react to secure the network. The IDS examines a copy of the monitored traffic rather than the forwarded packet. The advantage of working on a copy of the traffic is that the IDS does not affect the packet flow of the transmission. The disadvantage of working on a copy of the traffic is that the IDS cannot stop malicious single-packet attacks from reaching the intended target system before the IDS can initiate a reaction to thwart the attack. An IDS frequently needs assistance from other network devices, for instance routers and firewalls, to react to any
An IPS conducts its activities in line with the data stream to provide protection from malicious attacks as they occur. This is called inline mode. Unlike an IDS, an IPS does not allow packets to access the trusted side of the network. An IPS scans traffic at Layer 3 and Layer 4 to ascertain that the headers are those specified in the set standards. In addition, the IPS sensor examines the Layer 2 to Layer 7 payload of the packets for more sophisticated embedded attacks that may carry malicious data. This more intense examination gives the IPS an opportunity to identify and stop attacks that would typically bypass a conventional firewall device. When a packet comes in through an interface on an IPS, that particular packet is not transmitted to the outbound or trusted interface unless the packet has been verified to be okay. An IPS improves upon previous IDS technology; Snort IPS platforms use a mix of detection techniques, including profile-based intrusion detection.
A signature-based IDS or IPS sensor looks for specific, pre-defined patterns in network traffic. It matches the traffic against a database of known attacks and triggers an alarm or prevents communication if a match is detected. The pattern can be found in a single packet or a sequence of packets. New malicious activity that does not match a signature does not result in detection. Thus, the database being used to detect any new
criterion that is rigid, however, simple to use. Most of the time, the pattern is matched only if the suspicious packet is associated with a particular service or, more precisely, bound to and from a particular port. This matching technique reduces the amount of analysis done on each packet. It is always troublesome for systems to manage activities that do not reside on defined ports, for instance Trojan horses and their related activities, which can be
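As an added illustration (not code from the paper), the following Python sketch decodes a constructed Ethernet/IPv4/TCP frame and applies a rule written in a subset of Snort's rule syntax, showing how port binding both limits per-packet work and lets the same payload on an undefined port go unmatched. The rule, the frames and the minimal rule grammar are constructed assumptions, not Snort's own parser or decoder.

```python
import re
import struct

# Subset of Snort rule syntax: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>alert|drop|log)\s+(?P<proto>tcp|udp|ip)\s+(?P<src>\S+)\s+(?P<sport>\S+)'
    r'\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')

def parse_rule(text):
    """Parse one rule; only the msg, content and sid options are understood."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: %r" % text)
    rule = m.groupdict()
    opts = dict(re.findall(r'(\w+)\s*:\s*"?([^";]*)"?\s*;', rule.pop('opts')))
    rule['msg'] = opts.get('msg', '')
    rule['content'] = opts.get('content', '').encode()
    rule['sid'] = int(opts.get('sid', 0))
    return rule

def decode_frame(frame):
    """Hierarchical decode Ethernet -> IPv4 -> TCP into a packet record."""
    if struct.unpack('!H', frame[12:14])[0] != 0x0800:
        return None  # not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:
        return None  # only TCP is decoded in this example
    tcp = ip[ihl:]
    sport, dport = struct.unpack('!HH', tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return {'proto': 'tcp', 'src': '.'.join(str(b) for b in ip[12:16]),
            'dst': '.'.join(str(b) for b in ip[16:20]),
            'sport': sport, 'dport': dport, 'payload': tcp[data_off:]}

def _field_ok(rule_value, actual):
    return rule_value == 'any' or str(rule_value) == str(actual)

def match(rules, pkt):
    """Return (action, sid, msg) of the first rule the packet matches, or None."""
    for r in rules:
        if r['proto'] not in ('ip', pkt['proto']):
            continue
        # Port binding is what keeps per-packet analysis cheap, and also why
        # the same payload on an undefined port slips past the signature.
        if not all(_field_ok(r[k], pkt[k]) for k in ('src', 'dst', 'sport', 'dport')):
            continue
        if r['content'] and r['content'] not in pkt['payload']:
            continue
        return (r['action'], r['sid'], r['msg'])
    return None

def build_frame(src, sport, dst, dport, payload):
    """Construct a minimal Ethernet/IPv4/TCP frame (checksums left zero)."""
    eth = b'\x00' * 12 + struct.pack('!H', 0x0800)
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split('.')),
                     bytes(int(o) for o in dst.split('.')))
    tcp = struct.pack('!HHIIBBHHH', sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

# Constructed rule: a directory-traversal pattern bound to HTTP on port 80 only.
RULES = [parse_rule('alert tcp any any -> any 80 '
                    '(msg:"WEB traversal attempt"; content:"../.."; sid:1000001;)')]

def classify(src, sport, dst, dport, payload):
    """Decode a constructed frame and run it through the rule set."""
    return match(RULES, decode_frame(build_frame(src, sport, dst, dport, payload)))
```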
In policy-based systems, the IDS or IPS sensors are preconfigured with the network security policy. An organization should create the various policies used as part of a policy-based IDS or IPS. Any activity defined as outside the policy will produce an alert or will be blocked. Creating a security policy requires detailed knowledge of the entire system's functionality and should be given adequate time. Policy-based signatures use a certain form of algorithm to determine if an alarm should be raised. Frequently, policy-based signature algorithms are statistical evaluations of the traffic flow. For example, in a policy-based signature used to identify a port sweep, the algorithm raises an alert when a threshold number of unique ports is scanned on a given machine. Policy-based signature algorithms can be aimed at analyzing only certain kinds of packets (for example, SYN packets, where the SYN bit is turned on during the handshaking process at the start of the session).
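The port-sweep signature described above, as an added Python example that is not from the paper: only pure SYN packets are counted, and an alert fires once one source has touched more than a threshold number of distinct ports on a host within a sliding window. The threshold, window and traffic sample are constructed values.

```python
from collections import defaultdict

SYN = 0x02
ACK = 0x10

class PortSweepDetector:
    def __init__(self, threshold=5, window_seconds=60):
        self.threshold = threshold      # distinct ports before alerting
        self.window = window_seconds
        self._probes = defaultdict(dict)  # (src, dst) -> {dst_port: last_seen}
        self._alerted = set()

    def observe(self, ts, src, dst, dport, flags):
        """Feed one packet; return an alert string or None."""
        # Only pure SYNs (handshake start) are counted; SYN/ACK replies and
        # established-session traffic are ignored, as the signature specifies.
        if flags & SYN == 0 or flags & ACK:
            return None
        ports = self._probes[(src, dst)]
        ports[dport] = ts
        # Expire ports not seen within the sliding window.
        for p in [p for p, t in ports.items() if ts - t > self.window]:
            del ports[p]
        if len(ports) > self.threshold and (src, dst) not in self._alerted:
            self._alerted.add((src, dst))
            return "PORTSWEEP %s -> %s: %d ports in %ds" % (src, dst, len(ports), self.window)
        return None

def run(packets, threshold=5, window_seconds=60):
    """Run the detector over (ts, src, dst, dport, flags) tuples; return alerts."""
    det = PortSweepDetector(threshold, window_seconds)
    return [a for a in (det.observe(*p) for p in packets) if a]

# Constructed traffic: a legitimate client reconnecting to one service over
# time, a scanner hitting eight ports on one host within two seconds, and
# one SYN/ACK reply that must not be counted.
SAMPLE = (
    [(t, '10.0.0.20', '10.0.0.1', 443, SYN) for t in range(0, 600, 100)]
    + [(100.0 + i * 0.25, '198.51.100.7', '10.0.0.1', 20 + i, SYN) for i in range(8)]
    + [(101.0, '10.0.0.1', '198.51.100.7', 40000, SYN | ACK)]
)
```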
Anomaly-based or profile-based signatures typically search for network activity that deviates from what is normally seen. The major concern with this strategy is that the system administrators must first define what is typical and normal. If during the learning stage the system is the victim of an attack and the administrators fail to recognize it, the anomaly-based IPS will classify that malicious activity as typical, and no alarm will be activated when the same attack occurs again. A few systems have hard-coded definitions of normal traffic patterns and, in this situation, could be viewed as heuristic-based systems. Other systems are trained to learn typical activity behaviour; be that as it may, the challenge with these kinds of systems is eliminating the likelihood that malicious traffic exhibiting unusual traits is accepted as ordinary. Also, if the traffic pattern being learned is accepted as normal, the system must be able to differentiate between the known permissible deviations and those deviations that are not allowed or that are suspected to be attack traffic. It can be very hard to characterize normal network activity due to the dynamic nature of the traffic taking place within the network (Kizza, 2015).
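An added Python example (not from the paper) of the profile-based approach and its poisoning failure mode: a per-host baseline of connections per minute is learned, minutes more than k standard deviations above the mean are flagged, and a baseline that silently included an attack burst no longer flags the same burst later. The counts, the k = 3 rule and the sigma floor are constructed assumptions.

```python
import statistics

class ConnectionRateProfile:
    def __init__(self, k=3.0, min_sigma=1.0):
        self.k = k                   # deviations above the mean that count as anomalous
        self.min_sigma = min_sigma   # floor so a flat baseline still has some tolerance
        self.mean = None
        self.sigma = None

    def learn(self, per_minute_counts):
        """Build the 'normal' profile from the learning period."""
        self.mean = statistics.fmean(per_minute_counts)
        self.sigma = max(statistics.pstdev(per_minute_counts), self.min_sigma)

    def threshold(self):
        return self.mean + self.k * self.sigma

    def is_anomalous(self, count):
        """Flag a count that lies more than k sigma above the learned mean."""
        if self.mean is None:
            raise RuntimeError("profile has not been trained")
        return count > self.threshold()

# Constructed learning data: a host that normally makes 10-14 connections/min.
CLEAN_BASELINE = [10, 12, 11, 13, 12, 10, 14, 11, 12, 13]
# Same host, but a three-minute burst of 200 connections/min went unnoticed
# during learning, so the 'normal' profile absorbs it.
POISONED_BASELINE = CLEAN_BASELINE[:5] + [200, 200, 200] + CLEAN_BASELINE[5:]

def evaluate(baseline, observed):
    """Train on `baseline`; return indices of minutes in `observed` that are flagged."""
    profile = ConnectionRateProfile()
    profile.learn(baseline)
    return [i for i, c in enumerate(observed) if profile.is_anomalous(c)]
```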
Honeypot systems use a dummy server to attract attacks. The purpose of the honeypot technique is to keep attacks away from genuine system infrastructure. By configuring different kinds of vulnerabilities and threats in the honeypot server, the system administrators can analyze the kinds of attacks and malicious traffic patterns that arrive. The system administrators can use honeypot analysis to tune the sensor signatures to help identify new types of harmful network traffic. Honeypot systems are used as part of production environments, regularly by large organizations that tend to be interesting targets for network attackers, for instance financial enterprises, government offices, et cetera. Additionally, antivirus and other security vendors tend to use them for research (Vukalovi & Delija, 2015).
IPS actions
When the IPS recognizes malicious traffic, it can choose any or all of the following actions:
Deny the attacker inline: This action drops the current packet and future packets from the attacker for a specified period of time. The sensor keeps a check on the network to deny any attacks to the said system. To cover this, an organization's IT section can run down any suspects that are believed to have hacked the system. If any unknown data is found, the organization can then expel the entry. On the other hand, if the sensors identify entry by any unauthorized third parties, they can notify the administrators, who in turn lock them out or block the systems. Consequently, if attacker A is currently being denied yet issues another attack, the timer for attacker A is reset, and attacker A remains part of the denied attacker list until the timer expires. If the denied attacker list is at its limit and cannot include
Deny connection inline: This action drops the current packet and future packets on the TCP
Log attacker packets: This action logs the packets containing the attacker's IP address and sends an alert. It causes an alert to be written to the event store connected to the Snort device, regardless of whether the produce-alert action is chosen.
Log pair packets: This action logs the IP address of the device that tries to attack the system. This action forces an alert to be written to the event store regardless of whether the
Log victim packets: This action logs the packets containing the victim's IP address and sends an alert. The subsequent action is that an alert is triggered by this process.
Produce verbose alert: This action includes an encoded dump of the packet in the alert. The subsequent action is that an alert is written to the event store, regardless of
Request SNMP trap: A Simple Network Management Protocol (SNMP) notification is sent when a request is sent to the system. This action causes an alert to be written to the event store, regardless of whether the produce-alert action is chosen.
Request block connection: This blocks the device in the area by sending a request
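The "deny attacker inline" bookkeeping described above, as an added Python example not taken from the paper: each denied source is kept for a fixed period, a repeat attack resets that source's timer rather than extending the old deadline, and ordinary packets from a denied source are dropped while the entry lives. The behaviour when the list is full (evicting the entry nearest expiry), the deny period and the timeline are assumptions of this example, since the paper does not state them.

```python
class DenyAttackerInline:
    def __init__(self, deny_seconds=3600, capacity=10000):
        self.deny_seconds = deny_seconds
        self.capacity = capacity
        self._expires = {}   # attacker ip -> time at which the deny entry expires

    def _expire(self, now):
        for ip in [ip for ip, t in self._expires.items() if t <= now]:
            del self._expires[ip]

    def on_attack(self, now, attacker_ip):
        """A signature fired on a packet from attacker_ip: (re)start its timer."""
        self._expire(now)
        if attacker_ip not in self._expires and len(self._expires) >= self.capacity:
            # Assumption of this example: evict the entry closest to expiry.
            nearest = min(self._expires, key=self._expires.get)
            del self._expires[nearest]
        # A repeat attack resets the clock to a full deny period from now.
        self._expires[attacker_ip] = now + self.deny_seconds

    def verdict(self, now, src_ip):
        """Inline decision for an ordinary packet: 'drop' while denied, else 'forward'."""
        self._expire(now)
        return 'drop' if src_ip in self._expires else 'forward'

def replay(events, deny_seconds=3600, capacity=10000):
    """Run ('attack'|'packet', ts, ip) events; return the verdict of each 'packet'."""
    ips = DenyAttackerInline(deny_seconds, capacity)
    out = []
    for kind, ts, ip in events:
        if kind == 'attack':
            ips.on_attack(ts, ip)
        else:
            out.append(ips.verdict(ts, ip))
    return out

def capacity_demo():
    """Three attackers against a list that holds two: the earliest entry is evicted."""
    d = DenyAttackerInline(deny_seconds=10, capacity=2)
    for ts, ip in [(0, '192.0.2.1'), (1, '192.0.2.2'), (2, '192.0.2.3')]:
        d.on_attack(ts, ip)
    return [d.verdict(3, ip) for ip in ('192.0.2.1', '192.0.2.2', '192.0.2.3')]

# Constructed timeline, to be replayed with a 10-second deny period.
EVENTS = [
    ('attack', 0, '203.0.113.9'),
    ('packet', 5, '203.0.113.9'),    # still denied -> drop
    ('packet', 5, '10.0.0.20'),      # unrelated host -> forward
    ('attack', 8, '203.0.113.9'),    # repeat attack: timer reset, now expires at 18
    ('packet', 12, '203.0.113.9'),   # would have expired at 10 without the reset -> drop
    ('packet', 19, '203.0.113.9'),   # timer expired -> forward
]
```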
Conclusion
In today's business settings, keeping away intruders who can interfere with the system is the most important thing an organization can invest in. It is also worth noting that these attacks do not just originate from outside; some of them are organized by insiders who want to sabotage the business. To manipulate these systems, the attackers manipulate the network connections; when these are not kept at bay, they can multiply and fill the systems in minutes. Opportunities to change this after the attack are also minimal since the damage is already done. The Snort Intrusion Prevention System (IPS) is an open source, inline, deep packet inspection based solution that helps organizations' system administrators successfully mitigate an extensive variety of network attacks and vulnerabilities. This system is, therefore, used by organizations to safeguard their data from attack or manipulation by third parties.
References
Arney, C. A., & Wang, X. (2016, September). Active Snort Rules and the Needs for Computing
Garg, A., & Maheshwari, P. (2016, January). Performance analysis of Snort-based Intrusion
Kenkre, P. S., Pai, A., & Colaco, L. (2015). Real time intrusion detection and prevention system.
Theory and Applications (FICTA) 2014 (pp. 405-411). Springer International Publishing.
Kizza, J. M. (2015). System intrusion detection and prevention. In Guide to Computer Network
Kurundkar, G. D., Naik, N. A., & Khamitkar, S. D. (2012). Network intrusion detection using
Liao, H. J., Lin, C. H. R., Lin, Y. C., & Tung, K. Y. (2013). Intrusion detection system: A
Modi, C., Patel, D., Borisaniya, B., Patel, H., Patel, A., & Rajarajan, M. (2013). A survey of
36(1), 42-57.
Technology, T. (2013). Snort Intrusion Prevention System (IPS) Version 6.0 Security Target.
Vukalovi, J., & Delija, D. (2015, May). Advanced Persistent Threats-detection and defense. In