Prettying up the Pig

Earlier this year, Cisco purchased SourceFire, the original developers of the popular Snort intrusion detection tool [1], and the world is understandably curious to know what plans the router giant might have for Snort. I spoke recently with Cisco engineer and education specialist James Risler about the Snort purchase, and he had some good insights and news.

According to Risler, the primary reason for the purchase was that Cisco needed code that improved the interoperability of Cisco devices with other security devices in the network. He also said that the purchase of Snort would make it possible to eventually support NetFlow and other protocols more easily. Risler assured me that Snort will continue to use the clever pig motif that we all know and love. The most important reason for the purchase of Snort, though, is that Cisco felt the need to improve the ability of network security professionals to analyze information.

When I was asked to take a closer look at the first Snort version since the Cisco purchase (Snort 2.9.6.2), I figured it was a good time to take a look underneath the hood and see what has changed. I'm happy to say I found some very interesting new features. This article explores what's new and improved in the latest version of Snort. If you're new to Snort, you'll also find some tips on how to get started.

What Is Snort?

The Snort Network Intrusion Detection System (NIDS) runs on various platforms, including Linux, Windows, and BSD versions of Unix. Snort can also run on dedicated hardware. Cisco hopes to install Snort on various switches, routers, and even firewall devices. As of 2005, Snort can also serve as an Intrusion Prevention System (IPS). (See the box titled "IDS or IPS.")

Snort is a signature-based or "rule-based" system. You, the security community, and Snort's developers are responsible for creating and maintaining the rules, which act as the "brain" of the Snort application. If you are using overly-simple or old rules, your system won't capture and react to the most current attacks. Even worse, if you have rules that are too "wide open," you will receive too much information. As a result, you will be overwhelmed with alerts that really aren't attacks. It is also possible to receive "false positives," which is where Snort can issue alerts on traffic that is perfectly acceptable. If misconfigured, Snort can also ignore attacks, which some call "false negatives."

Snort lets the user configure preprocessors to identify and act upon specific attacks. You can configure these preprocessors through the Snort configuration file, snort.conf, which is usually found off of the /.../snort/ directory – usually in the system /etc/ directory or in the /usr/local/ directory. James Risler, my Cisco contact, assured me and about 50 other people that Cisco is going to keep Snort open source.

New Features

One handy new feature in the latest Snort release is the ability to capture entire files as they fly across the network. Snort can now do more than identify filenames within emails or network streams and indicate that attachments exist. Now you can use Snort to capture and store a file. This feature improves your ability to analyze files after an attack, and it even lets you analyze the contents of files end users are sending across the network.

This file-capture feature, which I consider the most exciting new feature of the latest Snort release, is available with the HTTP, FTP, SMTP, POP, IMAP, and SMB preprocessors. The new Snort can also identify and capture an entire network session. From the TCP three-way handshake all the way to the final teardown, Snort can capture the sequence for further analysis.

Snort now has the ability to detect issues with the Simple Authentication and Security Layer (SASL) framework, which is used to authenticate email and reduce spam. The latest version can identify attacks against the Cyrus SASL library, which makes it possible to support additional email security measures.

All these new features are important, but they aren't as significant as the Data Acquisition Library (DAQ).

The Data Acquisition Library (DAQ)

The DAQ makes it possible to use loadable networking modules with Snort. By using this library, you can choose to add elements at run time. The library also helps Snort run on more devices, including routers and switches. The result is that Snort can now use separate, loadable modules for certain activities, including active intrusion prevention. Snort also becomes much more capable of withstanding certain attacks.

If you're interested, for example, in using Snort to terminate suspicious TCP traffic, you'll want the Data Acquisition Library (DAQ). The library also helps improve packet capture.

Default DAQ modes include:

• PCAP – The standard mode for turning a system into an IDS or IPS device.
• AFPacket – For using Linux on two bridged (i.e., connected) interfaces.
• IPQ and NFQ – For using netfilter. If one doesn't work, try the other.
• IPFW – For inline filtering using OpenBSD and FreeBSD firewalling.
• Dump – For testing the DAQ system.

If you still want to use the PCAP API, you're covered. However, if you want to use netfilter, you have that option available as well. To use the DAQ, download it from the Snort website [2]. The current repository is called daq-0.1.tar.gz. You can configure Snort to use DAQ using snort.conf or the command line.