Exploring the latest version of Snort
Prettying up the Pig
Get ready for a bigger and better Snort. If you're used to protecting your systems with this trusty intrusion detection tool, you'll appreciate the new features in the latest version.
Earlier this year, Cisco purchased SourceFire, the original developers of the popular Snort intrusion detection tool [1], and the world is understandably curious to know what plans the router giant might have for Snort. I spoke recently with Cisco engineer and education specialist James Risler about the Snort purchase, and he had some good insights and news.
According to Risler, the primary reason for the purchase was that Cisco needed code that improved the interoperability of Cisco devices with other security devices in the network. He also said that the purchase of Snort would make it possible to eventually support NetFlow and other protocols more easily. Risler assured me that Snort will continue to use the clever pig motif that we all know and love. The most important reason for the purchase of Snort, though, is that Cisco felt the need to improve the ability of network security professionals to analyze information.
When I was asked to take a closer look at the first Snort version since the Cisco purchase (Snort 2.9.6.2), I figured it was a good time to take a look underneath the hood and see what has changed. I'm happy to say I found some very interesting new features. This article explores what's new and improved in the latest version of Snort. If you're new to Snort, you'll also find some tips on how to get started.
What Is Snort?
The Snort Network Intrusion Detection System (NIDS) runs on various platforms, including Linux, Windows, and BSD versions of Unix. Snort can also run on dedicated hardware. Cisco hopes to install Snort on various switches, routers, and even firewall devices. As of 2005, Snort can also serve as an Intrusion Prevention System (IPS). (See the box titled "IDS or IPS.")
IDS or IPS
An intrusion detection system is capable of sending only logs and alerts. An intrusion prevention system is capable of reconfiguring network devices, such as routers and firewalls. More importantly, an intrusion prevention system can actually detect and then terminate suspicious TCP-based network connections: Snort, if configured correctly, can actually identify a suspect connection, and then send out a network packet to "bust up" the connection. The latest version of Snort has some significant new features that allow Snort to go after suspicious connections.
Snort is a signature-based or "rule-based" system. You, the security community, and Snort's developers are responsible for creating and maintaining the rules, which act as the "brain" of the Snort application. If you are using overly simple or old rules, your system won't capture and react to the most current attacks. Even worse, if you have rules that are too "wide open," you will receive too much information and be overwhelmed with alerts that really aren't attacks. Such alerts on perfectly acceptable traffic are "false positives." If misconfigured, Snort can also ignore real attacks, which some call "false negatives."
Snort lets the user configure preprocessors to identify and act upon specific attacks. You can configure these preprocessors through the Snort configuration file, snort.conf, which is usually found in the /.../snort/ directory – typically under the system /etc/ directory or under /usr/local/. James Risler, my Cisco contact, assured me and about 50 other people that Cisco is going to keep Snort open source.
New Features
One handy new feature in the latest Snort release is the ability to capture entire files as they fly across the network. Snort can now do more than identify filenames within emails or network streams and indicate that attachments exist. Now you can use Snort to capture and store a file. This feature improves your ability to analyze files after an attack, and it even lets you analyze the contents of files end users are sending across the network.
This file-capture feature, which I consider the most exciting new feature of the latest Snort release, is available with the HTTP, FTP, SMTP, POP, IMAP, and SMB preprocessors. The new Snort can also identify and capture an entire network session. From the TCP three-way handshake all the way to the final teardown, Snort can capture the sequence for further analysis.
Snort now has the ability to detect issues with the Simple Authentication and Security Layer (SASL) framework, which is used to authenticate email and reduce spam. The latest version can identify attacks against the Cyrus SASL library, which makes it possible to support additional email security measures.
All these new features are important, but they aren't as significant as the Data Acquisition Library (DAQ).
The Data Acquisition Library (DAQ)
The DAQ makes it possible to use loadable networking modules with Snort. By using this library, you can choose to add elements at run time. The library also helps Snort run on more devices, including routers and switches. The result is that Snort can now use separate, loadable modules for certain activities, including active intrusion prevention. Snort also becomes much more capable of withstanding certain attacks.
If you're interested, for example, in using Snort to terminate suspicious TCP traffic, you'll want the Data Acquisition Library (DAQ). The library also helps improve packet capture.
Default DAQ modes include:
- PCAP – The standard mode for turning a system into an IDS or IPS device.
- AFPacket – For using Linux on two bridged (i.e., connected) interfaces.
- IPQ and NFQ – For using netfilter. If one doesn't work, try the other.
- IPFW – For inline filtering using OpenBSD and FreeBSD firewalling.
- Dump – For testing the DAQ system.
If you still want to use the PCAP API, you're covered. However, if you want to use netfilter, you have that option available as well. To use the DAQ, download it from the Snort website [2]. The current repository is called daq-0.1.tar.gz. You can configure Snort to use the DAQ in snort.conf or on the command line.
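As an added example (not from the article or the Snort project), the following snort.conf fragment selects the AFPacket DAQ in inline mode for two bridged Linux interfaces, shows the passive PCAP alternative, and adds a rule that uses the inline `reject` action to terminate a suspect TCP connection the way the "IDS or IPS" box describes. The interface names, DAQ directory, port and sid are assumptions, and the fragment relies on the stock snort.conf definitions of HOME_NET and EXTERNAL_NET.

```conf
# snort.conf fragment (added example, not from the article). It selects the
# DAQ module and mode and adds a rule that terminates a suspect TCP session.
# Interface names, paths and the port are assumptions: adjust for your sensor.

# --- DAQ selection -----------------------------------------------------------
# Directory holding the loadable DAQ modules built from the daq tarball
# (assumed to be the default install location).
config daq_dir: /usr/local/lib/daq

# Inline IPS on a Linux box bridging two interfaces with the AFPacket DAQ.
# The bridged pair is named on the command line as "-i eth1:eth2".
config daq: afpacket
config daq_mode: inline
config daq_var: buffer_size_mb=128
config policy_mode: inline

# Passive IDS alternative (replace the four lines above with these):
# config daq: pcap
# config daq_mode: passive
# config policy_mode: tap

# --- Rule that "busts up" a suspicious TCP connection ------------------------
# "reject" only takes effect in inline mode: Snort drops the packet and sends
# a TCP RST to both ends. In passive mode the same rule merely alerts.
# Port 23 (telnet) is an assumed example of a service that must never be
# reached from outside HOME_NET.
reject tcp $EXTERNAL_NET any -> $HOME_NET 23 ( \
    msg:"POLICY inbound telnet session rejected"; \
    flow:to_server,established; \
    classtype:policy-violation; \
    sid:1000001; rev:1; \
)
```

The inline configuration is equivalent to starting Snort with `snort -Q --daq afpacket --daq-mode inline -i eth1:eth2 -c /etc/snort/snort.conf`; `snort --daq-list` shows which DAQ modules Snort can find in the configured directory.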