Exploring the latest version of Snort
Prettying up the Pig

Get ready for a bigger and better Snort. If you're used to protecting your systems with this trusty intrusion detection tool, you'll appreciate the new features in the latest version.
Earlier this year, Cisco purchased Sourcefire, the original developers of the popular Snort intrusion detection tool [1], and the world is understandably curious to know what plans the router giant might have for Snort. I spoke recently with Cisco engineer and education specialist James Risler about the Snort purchase, and he had some good insights and news.
According to Risler, the primary reason for the purchase was that Cisco needed code that improved the interoperability of Cisco devices with other security devices in the network. He also said that the purchase of Snort would make it possible to eventually support NetFlow and other protocols more easily. Risler assured me that Snort will continue to use the clever pig motif that we all know and love. The most important reason for the purchase of Snort, though, is that Cisco felt the need to improve the ability of network security professionals to analyze information.
When I was asked to take a closer look at the first Snort version since the Cisco purchase (Snort 2.9.6.2), I figured it was a good time to take a look underneath the hood and see what has changed. I'm happy to say I found some very interesting new features. This article explores what's new and improved in the latest version of Snort. If you're new to Snort, you'll also find some tips on how to get started.
What Is Snort?
The Snort Network Intrusion Detection System (NIDS) runs on various platforms, including Linux, Windows, and BSD versions of Unix. Snort can also run on dedicated hardware. Cisco hopes to install Snort on various switches, routers, and even firewall devices. As of 2005, Snort can also serve as an Intrusion Prevention System (IPS). (See the box titled "IDS or IPS.")
IDS or IPS
An intrusion detection system is capable of sending only logs and alerts. An intrusion prevention system is capable of reconfiguring network devices, such as routers and firewalls. More importantly, an intrusion prevention system can actually detect and then terminate suspicious TCP-based network connections: Snort, if configured correctly, can actually identify a suspect connection, and then send out a network packet to "bust up" the connection. The latest version of Snort has some significant new features that allow Snort to go after suspicious connections.
Snort is a signature-based or "rule-based" system. You, the security community, and Snort's developers are responsible for creating and maintaining the rules, which act as the "brain" of the Snort application. If you are using overly simple or old rules, your system won't capture and react to the most current attacks. Even worse, if you have rules that are too "wide open," you will receive too much information and be overwhelmed with alerts that really aren't attacks. These are "false positives": cases where Snort issues alerts on traffic that is perfectly acceptable. If misconfigured, Snort can also ignore attacks, which some call "false negatives."
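To make the "wide open rule" problem concrete, here is a small rule linter written for this article (it is not part of Snort). It parses the text form of a Snort rule, the header (action, protocol, addresses, ports, direction) followed by the parenthesised options, and flags rules that would fire on nearly any packet: no address or port constraint on either side, no payload match such as content or pcre, or no sid/rev to trace an alert back to its rule. The two sample rules and their sids (from the local 1000000+ range) are constructed for illustration.

```python
"""Lint Snort rules for over-broad matching.

Added example for this article, not Snort's own code. It parses the text
form of a Snort rule (header + options) and reports why a rule would fire
on almost any traffic, which is what produces a flood of useless alerts.
The sample rules below are constructed; their sids are from the local range.
"""
import re
from dataclasses import dataclass, field

# Header: action proto src_addr src_port direction dst_addr dst_port (options)
HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)

# Options that actually inspect payload; a rule without any of these
# matches on header fields alone.
PAYLOAD_KEYWORDS = {"content", "pcre", "byte_test", "byte_jump", "isdataat", "uricontent"}


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)  # keyword -> list of values


def parse_rule(text):
    """Return a Rule for one line of rule text, or None if the line is not a rule."""
    m = HEADER_RE.match(text)
    if m is None:
        return None
    opts = {}
    # Options are 'key:value;' or bare 'key;' pairs. Split on ';' only where the
    # rest of the string contains an even number of quotes, i.e. outside strings.
    for part in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', m.group("opts")):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition(":")
        opts.setdefault(key.strip(), []).append(value.strip())
    return Rule(m.group("action"), m.group("proto"), m.group("src"), m.group("sport"),
                m.group("dst"), m.group("dport"), opts)


def lint(rule):
    """Return a list of findings describing why the rule is too wide open."""
    findings = []
    if rule.src == "any" and rule.dst == "any":
        findings.append("no address constraint on either side")
    if rule.sport == "any" and rule.dport == "any":
        findings.append("no port constraint on either side")
    if not PAYLOAD_KEYWORDS & set(rule.options):
        findings.append("no payload match (content/pcre/...)")
    if "sid" not in rule.options:
        findings.append("missing sid, alerts cannot be traced to a rule")
    if "rev" not in rule.options:
        findings.append("missing rev, rule history cannot be tracked")
    return findings


# Constructed sample rules for the demonstration.
SAMPLE_RULES = [
    # Far too broad: fires on every TCP packet Snort sees.
    'alert tcp any any -> any any (msg:"Some TCP traffic"; sid:1000001; rev:1;)',
    # Tighter: destination network, port, session state and payload content.
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE EXEC attempt"; '
    'flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; nocase; '
    'sid:1000002; rev:2;)',
    '# comment line, not a rule',
]


def lint_all(lines):
    """Map each rule's sid (or its raw text when it has none) to its findings."""
    report = {}
    for line in lines:
        rule = parse_rule(line)
        if rule is None:
            continue
        key = rule.options.get("sid", [line])[0]
        report[key] = lint(rule)
    return report


if __name__ == "__main__":
    for sid, findings in lint_all(SAMPLE_RULES).items():
        print(sid, "OK" if not findings else "; ".join(findings))
```

Run against a local rules file, the report points at rules that match on header fields alone; the first sample rule collects three findings while the FTP rule, scoped to $HOME_NET port 21 with two content matches, passes clean.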
Snort lets the user configure preprocessors to identify and act upon specific attacks. You can configure these preprocessors through the Snort configuration file, snort.conf, which is usually found in a /.../snort/ directory – usually under the system /etc/ directory or the /usr/local/ directory. James Risler, my Cisco contact, assured me and about 50 other people that Cisco is going to keep Snort open source.
New Features
One handy new feature in the latest Snort release is the ability to capture entire files as they fly across the network. Snort can now do more than identify filenames within emails or network streams and indicate that attachments exist. Now you can use Snort to capture and store a file. This feature improves your ability to analyze files after an attack, and it even lets you analyze the contents of files end users are sending across the network.
This file-capture feature, which I consider the most exciting new feature of the latest Snort release, is available with the HTTP, FTP, SMTP, POP, IMAP, and SMB preprocessors. The new Snort can also identify and capture an entire network session. From the TCP three-way handshake all the way to the final teardown, Snort can capture the sequence for further analysis.
Snort now has the ability to detect issues with the Simple Authentication and Security Layer (SASL) framework, which is used to authenticate email and reduce spam. The latest version can identify attacks against the Cyrus SASL library, which makes it possible to support additional email security measures.
All these new features are important, but they aren't as significant as the Data Acquisition Library (DAQ).
The Data Acquisition Library (DAQ)
The DAQ makes it possible to use loadable networking modules with Snort. By using this library, you can choose to add elements at run time. The library also helps Snort run on more devices, including routers and switches. The result is that Snort can now use separate, loadable modules for certain activities, including active intrusion prevention. Snort also becomes much more capable of withstanding certain attacks.
If you're interested, for example, in using Snort to terminate suspicious TCP traffic, you'll want the Data Acquisition Library (DAQ). The library also helps improve packet capture.
Default DAQ modes include:
- PCAP – The standard mode for turning a system into an IDS or IPS device.
- AFPacket – For using Linux on two bridged (i.e., connected) interfaces.
- IPQ and NFQ – For using netfilter. If one doesn't work, try the other.
- IPFW – For inline filtering using OpenBSD and FreeBSD firewalling.
- Dump – For testing the DAQ system.
If you still want to use the PCAP API, you're covered. However, if you want to use netfilter, you have that option available as well. To use the DAQ, download it from the Snort website [2]. The current release tarball is called daq-0.1.tar.gz. You can configure Snort to use DAQ in snort.conf or on the command line.