Intrusion Detection & Prevention. Authors: Endorf C. F., Schultz E., Mellander J. Published year: 2005. Pages: 75/163
Snort has four main IDS components: the packet capture engine, the preprocessor plug-ins, the detection engine, and the output plug-ins, as illustrated in Figure 10-1. We’ll start with the packet capture engine.
Figure 10-1: The four main components of the Snort IDS
The first component is the packet capture engine, which picks up traffic using libpcap or WinPcap (both of which will from now on be referred to collectively as “pcap”). pcap is a library that lets applications receive raw link-layer frames, the units in which layer-two data (level two of the seven-layer OSI model) are carried. The network interface card (NIC) physically captures the traffic and hands it to a driver that interfaces with the OS kernel; pcap then takes the frames from the kernel and passes them to Snort, which feeds them to the second Snort component, the preprocessor plug-ins. Where the kernel supports it, the frames first pass through a BPF (Berkeley Packet Filter) interpreter, which decides which frames each listening application receives: only the traffic that matches an application’s filter is copied into user space. Where no kernel-level interpreter exists, every packet is copied up to pcap and filtered there, so an application that specifies no filter is flooded with all the traffic on the wire.
Note: As discussed in Chapter 6, anyone who wants to capture all the traffic on a network segment normally has to put at least one network interface on a host into promiscuous mode. One nice thing about pcap is that this does not have to be done by hand: pcap puts the capture interface into promiscuous mode on the application’s behalf when the application asks for it, and Snort asks by default (its -p switch turns promiscuous mode off).
Snort’s preprocessor plug-ins test and inspect the packet data they receive from the capture engine and decide what to do with each packet: analyze it, modify it, reject it, and/or raise an alert about it. They are highly advantageous because they impose structure on packets before the next component sees them. In the 2.0 release, preprocessors normalize URIs and URLs into a standard form (http_decode), track TCP sessions so that traffic can be analyzed statefully (stream4), detect portscans, reassemble fragmented RPC records (rpc_decode), strip telnet negotiation sequences (telnet_decode), and serve other functions. They also shield the detection engine from a wide range of undesirable and potentially malicious packet data, including data that could crash Snort or radically degrade its performance. Unless a preprocessor has rejected a packet, it passes it to the next component, the detection engine.
The third major component is the detection engine. Before any rule is applied, each packet is decoded layer by layer: the layer-two header first, then layer three, and so on up the stack, so that the engine knows where each header and the payload begin. This lets the detection engine systematically compare the data in every packet it receives against the rule options. For each rule, the engine tests whatever part(s) of the packet the rule’s options refer to (a header field holding a particular value, the payload containing a particular string), then performs the same kind of test for the next rule, and so on until every rule Snort has loaded has been tested. Any match is a “hit.” The detection engine then moves on to the next packet. A variety of detection plug-ins (22 at the latest count, as of version 2.0.2) implement these extra tests; every keyword option in a rule is, in fact, backed by such a plug-in, and each option used increases the engine’s ability to identify attacks.
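The decode, preprocess and detect steps just described, as an added example that is not the book’s code and not Snort’s own source: a small Python model of the pipeline. A constructed Ethernet/IPv4/TCP frame stands in for what pcap would hand Snort; decode() parses it layer by layer and drops frames whose header lengths do not add up; http_preprocess() plays the role of the URI-normalizing preprocessor; rule_matches() and detect() play the detection engine, with each rule option as one separate test; and format_alert() imitates Snort’s one-line alert style. The frame builder, the three rules, their sids and the exact alert layout are all assumptions made for the example.

```python
"""Toy model of the Snort pipeline (added example, not the book's code and not
Snort's source): raw frame -> layer-by-layer decoder -> HTTP URI-normalizing
preprocessor -> detection engine (rule options) -> output stage.
The frame builder, rules and alert layout are constructed for the example."""
import struct
from urllib.parse import unquote


def build_frame(payload: bytes, dport: int = 80, flags: int = 0x18) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame carrying `payload` (checksums left zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 5]), bytes([192, 168, 1, 10]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def decode(frame: bytes):
    """Decode layer 2, then 3, then 4.  Returns None for frames the engine should
    drop: non-IPv4, non-TCP, or headers whose lengths do not add up."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(ip) < total_len or proto != 6:
        return None
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport, _, _, off, flags, _, _, _ = struct.unpack("!HHIIBBHHH", tcp[:20])
    doff = (off >> 4) * 4
    if doff < 20 or doff > len(tcp):
        return None
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "sport": sport, "dport": dport, "flags": flags, "payload": tcp[doff:]}


def http_preprocess(pkt):
    """Preprocessor stage: for an HTTP request, attach a normalized URI (percent-
    decoded, '/./' and '/../' resolved, '//' collapsed) so rules see what the server sees."""
    if pkt is None:
        return None
    parts = pkt["payload"].split(b" ", 2)
    if len(parts) == 3 and parts[0] in (b"GET", b"POST", b"HEAD"):
        stack = []
        for seg in unquote(parts[1].decode("ascii", "replace")).split("/"):
            if seg == "..":
                if stack:
                    stack.pop()
            elif seg not in ("", "."):
                stack.append(seg)
        pkt["uri"] = "/" + "/".join(stack)
    return pkt


RULES = [  # Snort equivalent of the first rule, for reference:
    # alert tcp any any -> any 80 (msg:"passwd access"; uricontent:"/etc/passwd"; nocase; sid:1000001;)
    {"sid": 1000001, "msg": "passwd access in normalized URI", "dport": 80,
     "uricontent": "/etc/passwd", "nocase": True},
    {"sid": 1000002, "msg": "passwd string in raw payload", "dport": 80,
     "content": b"/etc/passwd", "nocase": True},
    {"sid": 1000003, "msg": "SYN to telnet", "dport": 23, "flags": 0x02},
]


def rule_matches(rule, pkt) -> bool:
    """Detection engine: each option is one test; a rule hits only if all pass."""
    if "dport" in rule and pkt["dport"] != rule["dport"]:
        return False
    if "flags" in rule and (pkt["flags"] & 0x3F) != rule["flags"]:
        return False
    for opt, hay in (("content", pkt["payload"]), ("uricontent", pkt.get("uri"))):
        if opt in rule:
            needle = rule[opt]
            if hay is None:
                return False
            if rule.get("nocase"):
                hay, needle = hay.lower(), needle.lower()
            if needle not in hay:
                return False
    return True


def detect(pkt, rules=RULES):
    """Test every rule against the packet and return the hits."""
    return [] if pkt is None else [r for r in rules if rule_matches(r, pkt)]


def format_alert(rule, pkt) -> str:
    """Output stage, modeled on Snort's one-line 'fast' alert style."""
    return (f"[**] [1:{rule['sid']}:1] {rule['msg']} [**] {{TCP}} "
            f"{pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}")


def run_pipeline(frame: bytes, rules=RULES):
    pkt = http_preprocess(decode(frame))
    return [format_alert(r, pkt) for r in detect(pkt, rules)]


if __name__ == "__main__":
    # Encoded traversal: the raw bytes never contain "/etc/passwd", so only the
    # uricontent rule fires, and only because the preprocessor normalized the URI.
    for line in run_pipeline(build_frame(b"GET /cgi-bin/%2e%2e/%2e%2e/etc/pass%77d HTTP/1.0\r\n\r\n")):
        print(line)
```

Run it and the encoded request fires only the uricontent rule: the raw payload never contains the string /etc/passwd, so a detection engine without the preprocessor would miss it, which is exactly why normalization sits before detection. The decoder’s length checks are the other point worth noticing: a total-length or data-offset field that points past the captured bytes is rejected rather than indexed, which is the kind of malformed input the text says preprocessors keep away from the engine.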
The final major component of Snort is the set of output plug-ins, whose main purpose is to produce information for intrusion detection analysts. Snort generates alerts from the preprocessors, the decoder, and the detection engine, and the output plug-ins decide where those alerts go: to the console, to syslog, to a database, to tcpdump-format packet logs, or to the unified binary format consumed by external tools. An example of what the output plug-ins produce appears in the section “Snort Output.” A plug-in of a different kind, one that extends what Snort can do about an attack rather than how it reports one, is discussed in the following technical note.
Note: Although the Snort IDS has four major components, new development efforts have produced functions that are likely to prove as important as the four covered in this chapter. A flexible response plug-in, flexresp2, for instance, lets Snort users write rules that actively terminate undesirable connections. Because Snort sniffs traffic off the wire rather than sitting inline, it cannot simply discard a packet; flexresp2 instead injects TCP reset (or ICMP unreachable) packets toward the endpoints to tear the session down. This “shunning” capability makes Snort not just an IDS but also, at least to some degree, an IPS, with the caveat that a reset races the attacker’s own packets and may arrive too late to stop a single-packet attack.