Using SNORT for Intrusion Detection
by A. Lizard
Wednesday, January 23, 2002
The only way to reliably protect a network is to use multiple layers of defense. A firewall offers good protection for external network connections and also provides privacy (IP address masking), authentication (remote access), and some protection against users who don't update their OS patches regularly. However, simply depending on a firewall to defend network security is not recommended except as a very basic start, because the threat level from attacks that a firewall won't stop is just too high. As the value of the network and the information it secures increases, you'll need to add products to supplement the firewall if you want to safeguard your assets. A firewall is essential as a sort of fence around your network's perimeter, to keep unauthorized people out, but a properly configured IDS will stop cold anyone who manages to slip through.

A firewall classifies data packets by what addresses or ports they are addressed to, what direction they travel (into or out of the local zone) and, in some cases, what applications are intended to generate or receive them. It throws the bad ones away and can record the origin and other details in a log file. For single-user Windows environments, I recommend the ZoneAlarm firewall, which provides the port- and application-based filtering you need. A personal firewall really should have specific IP/port blocking capability, which you can get by upgrading to the payware ZoneAlarm Pro or by adding the freeware Tiny Personal Firewall to supplement the free ZoneAlarm, which lacks IP/port blocking. You can also look into open source firewalls, most of which are built into current Linux distributions. You can generally find freeware products and how-to information for your *nix distribution on the sites specific to it.

An intrusion detection system typically consists of a software package that continuously scans packets circulating within the network for things that just don't look right, i.e. data flows that don't seem to match legitimate or expected system usage and that might be consistent with an intrusion. It uses one or more workstations or servers as "sensors" to probe for trouble and warn system administrators if there is a problem, like a port scan or DoS attack. The "host-based" IDS variant gathers information from logs kept on individual systems, most often sensitive servers, and does its analysis based on that. This article looks at a few IDS tools appropriate for the small to medium-sized network, notably the open source IDS SNORT.

The SNORT IDS

"Just doesn't look right" is determined by signature analysis. Signatures consist of specific attack characteristics embodied in rules within the IDS internal database; the rules also permit statistical analysis of data relating to network operation, i.e. server CPU utilization, specific types of network traffic, and other numeric characteristics that are easily measurable and likely to be affected by an intrusion. SNORT is mainly a signature analysis tool, but it can be configured for some statistical functionality. It is entirely driven by its user-configurable internal rule bases. SNORT is also the most popular open source IDS.

Is it secure? I won't go into the open source vs. proprietary product religious dispute in this article; most readers have taken sides. You already do or should know whether you want to recommend open source security products to your organization. If you don't know, use the search facility here with "open source" as a keyword to get both sides of the debate. If you believe that open source is the root of all evil, skip down to the Shrinkwrap part of the next section. I will say that SNORT has up-to-date intrusion detection (signature, etc.) rule files, a very large and happy user base, free user support forums, and commercial support service available.
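To make the rule-driven signature matching described above concrete, here is an added example that is not from the article and not Snort's own code: a toy matcher that parses Snort-style rule lines (header plus msg/content/sid options) and applies them to constructed packet records, with a per-source distinct-port counter standing in for the statistical port-scan checks the article mentions. The network block, hosts, payloads and SIDs are all made up.

```python
import ipaddress
import re
from collections import defaultdict
# Added example, not from the article or from Snort: a toy matcher for Snort-style
# rule lines, plus a per-source distinct-port counter as a stand-in for port-scan alerts.
RULE_RE = re.compile(r'^alert (tcp|udp|icmp) (\S+) (\S+) -> (\S+) (\S+) \((.*)\)$')

def parse_rule(text):
    # Split one rule line into header fields and a dict of options (msg, content, sid).
    m = RULE_RE.match(text.strip())
    if not m: raise ValueError("unparseable rule: " + text)
    proto, src, sport, dst, dport, opts = m.groups()
    options = {}
    for opt in (o.strip() for o in opts.split(";")):
        if opt:
            key, _, val = opt.partition(":")
            options[key.strip()] = val.strip().strip('"')
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport, "opts": options}

def addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def port_match(spec, port):
    return spec == "any" or int(spec) == port

def matches(rule, pkt):
    """Every header field must agree; a content option must appear in the payload."""
    content = rule["opts"].get("content")
    return (rule["proto"] == pkt["proto"]
            and addr_match(rule["src"], pkt["src"]) and addr_match(rule["dst"], pkt["dst"])
            and port_match(rule["sport"], pkt["sport"]) and port_match(rule["dport"], pkt["dport"])
            and (content is None or content.encode() in pkt["payload"]))

def detect(rules, packets, scan_threshold=5):
    """Return (sid, msg) signature alerts and sources that touched >= scan_threshold ports."""
    alerts, ports_seen = [], defaultdict(set)
    for pkt in packets:
        ports_seen[pkt["src"]].add(pkt["dport"])
        alerts += [(r["opts"].get("sid"), r["opts"].get("msg")) for r in rules if matches(r, pkt)]
    scanners = sorted(src for src, ports in ports_seen.items() if len(ports) >= scan_threshold)
    return alerts, scanners

# Constructed sample rules and packets: the network, hosts, payloads and SIDs are made up.
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> 192.168.1.0/24 23 (msg:"TELNET to internal host"; sid:1000001;)',
    'alert udp any any -> 192.168.1.0/24 any (msg:"UDP test marker"; content:"IDS-TEST"; sid:1000002;)',
)]
PACKETS = [{"proto": "udp", "src": "10.0.0.9", "sport": 5000, "dst": "192.168.1.20",
            "dport": 514, "payload": b"syslog line with IDS-TEST marker"}]
PACKETS += [{"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "192.168.1.10",
             "dport": p, "payload": b""} for p in (21, 22, 23, 25, 80)]
```

Running `detect(RULES, PACKETS)` yields the two signature alerts plus the single source that touched five distinct ports; a real Snort rule set adds many more options (flags, offsets, thresholds) that this toy ignores.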
It allows installation with a MySQL database as an option, making alerts and related information accessible via ordinary SQL tools for user-defined analysis. It can also be installed with an analysis tool called ACID (Analysis Console for Intrusion Databases). I think it reasonable to use part of the savings on the price of a commercial proprietary IDS to pay for per-incident technical support for problems that can't be handled in-house and for system administrator training time. Others may feel differently.

Obtaining SNORT

Simply go to http://www.snort.org and download the distribution that matches your OS. It'll run in most Linux / BSD / Solaris / Win32 environments, and there's even an unofficial BeOS port. One important caveat: don't try it with an analog modem in Win32. You might be well advised to check the user forums (see below) for specific information on how well it runs in your specific environment. While SNORT comes packaged with a number of *nix distributions, you will want the latest stable version, and you get that via download. The very latest version is available as a CVS snapshot built every half hour, but if your network security is at stake, I recommend you let others do your beta-testing for you and go with the stable version.

You can also get a number of add-on tools for SNORT on the Snort Add-ons Download Page. They include analysis frontends, administrative frontends, log maintenance tools, and less classifiable items. You can get updated versions of the program by simply returning to the SNORT site, or subscribe to the SNORT mailing list (see below) and learn about major updates when they come out, as you learn from the pooled expertise of others. Also note that you can get rule file updates in the same manner, just as you can for antivirus programs.

Where to get help with SNORT

Newsgroups, Web forums, and other free help are widely available.
The Snort.org site and the associated forums are a good place to get free help from knowledgeable people. You can also find the mailing list archived at Google Groups; look under mailing.unix.snort and search with keywords relating to your problem, or join the list (advisable if you decide to use SNORT). Commercial support is also available, for a price, of course. For example, Silicon Defense currently charges on a "per-issue" basis, with fees ranging from $250 per problem to $125 per "issue" for a 10-pack paid in advance. They are "normal business hours" only at this point. If your vendor supplies a SNORT distribution with whatever OS you purchased, you might see if the vendor supports it according to the usual terms and conditions attached to your support contract, if any.

Commercial products based on SNORT are becoming increasingly available, either for purchase (e.g., as an appliance) or through managed service providers, and typically come with support. You can, for example, outsource your network security through Guardent, which rents a managed platform security appliance that bundles such open source applications as an ipchains firewall, Snort IDS, and Nessus vulnerability scanning with an internal database used to control the system and feed alerts back to Guardent. The box and 24 / 7 / 365 monitoring from the Guardent facility cost $1500 per month per box. It might be worth spending $1500 a month per network segment to simply make the problem go away, especially if your organization doesn't have the staff to support security in-house. Of course, do you really want to trust a third-party vendor with the keys to your network, and what happens if Guardent's security appliances can't reach Guardent technical support because of the very trouble that needs to be reported, for instance a DDoS attack? Just a few things to think about and, if you're considering outsourcing, to ask your potential provider.

Alternatives to SNORT?

Yes, open source alternatives to SNORT exist.
Here are just a few.

Freeware/shareware

In the Windows NT/2000 camp we have LANGuard S.E.L.M. (Security Event Log Monitor), available in a single-server/five-workstation evaluation version. ISS (Internet Security Systems) has several different products for NT/2000 and Solaris, including the RealSecure IDS, available for evaluation download. For *nix platforms (Linux / BSD / Solaris, mainly), take a look at this list of tools, which are for the most part open source and run in various *nix environments. I can't comment on them because SNORT is the only open source IDS that has either received significant media coverage or appears to have a significant user base.

Shrinkwrap

For Windows NT/2000/XP Server, LANGuard S.E.L.M. is available at prices ranging from $150 for five workstations to $3,995 for 2500 workstations. You can also purchase the server version, which costs from $495 for three servers up to $3,995 for 1000 servers. On the *nix (Linux / BSD / Solaris, mainly) side, the ISS RealSecure product line offers different IDS-related functions that users can configure for anything from small to midsized networks all the way up to enterprise-class installations. The network engine license fee is $9,000 and up. ISS also offers comprehensive security information on its X-Force page.

Bottom Line

Get a good firewall running first before you think about IDS. You have no business connecting anything to the Internet without a firewall; this includes your toaster. However, IDS systems do certain things by definition that firewalls can't, though firewalls may start growing some IDS capabilities (e.g. attack signature detection) if the threat becomes great enough. Also, firewall capability can be built into some IDS systems. The near future will very likely see the development of hybrids, for better or for worse.
I believe SNORT can be an invaluable tool to anyone wanting to secure a Windows NT/2000 or *nix-based network, and that the learning curve required to achieve the ability to configure and use the tool is perfectly reasonable. I think the tradeoff between software acquisition cost (free, as in beer) and paying for training time and (if need be) commercial support seems completely reasonable. Perhaps in time you will need or want a commercial proprietary product that has capabilities SNORT lacks or can't conveniently be configured for. However, if you've developed experience with SNORT and IDS concepts in general and want to try another open source or commercial product, you'll know what you're looking for and why. While SNORT is an interesting piece of software to experiment with for individuals learning computer security tools, don't bother if you have a Windows workstation connected to the Net by a modem. It won't run. A modem connection on a Linux workstation apparently will work.

Afterword

Speaking as both a journalist and a consultant, one of the biggest irritations I find when researching a commercial product is when I have to waste time carefully searching a site to find out what it costs or, worse, have to fill in an inquiry form to Sales/Marketing to get that information when I'm surfing the site after hours or on weekends. Unless a product is the only one of its type, or has a very clear performance or popularity edge in its market, I frequently won't bother trying to find this out; that product will simply get left out of the article or client report. While I understand how difficult it can be to get an up-to-the-minute price on a specific item onto a Web page without having to revise it constantly, most of the time all I need is a ballpark price range. I can live with disclaimers plastered all over the page stating that the price may not be up to date and that for the most current price you should contact Marketing.
While the difference between a product costing $2200 and one costing $2500 isn't going to be critical in most cases in an IT product recommendation saying "You really ought to check this out", or when showing a group of products in a comparable price range, I'd prefer to know whether a product is in the $2,500 or the $250,000 range. So if your product isn't mentioned here and there isn't an easy-to-find posted price of some sort, blame yourself, not me.

Resources

The SANS IDS FAQ, a 100+ page training document from The SANS Institute, offers detailed information on implementing and using an IDS. The SNORT IDS FAQ details how to use this tool. This site points to a collection of various software-based intrusion security tools.

A. Lizard is the online pseudonym of an Internet consultant living in the San Francisco Bay Area. He is now working on a new technology alternative to EBPP.