What Is Snort?


In short, Snort is a packet sniffer/packet logger/network IDS. Snort has an interesting history that began with a man named Marty Roesch. In November 1998, Roesch wrote a Linux-only packet sniffer called APE. Despite the great features of APE, Roesch also wanted a sniffer that would do the following:

  • Work on multiple OSs.

  • Use a hexdump payload dump (TCPDump later had this functionality).

  • Display all the different network packets the same way (TCPDump did not have this).

With these goals in mind, Roesch developed Snort. Snort was written as a libpcap application to provide system administrators with an alternative to TCPDump, the only other sniffer using libpcap at the time; libpcap is what makes Snort portable from a network filtering and sniffing standpoint.

Snort became available at Packet Storm (www.packetstormsecurity.com) on December 22, 1998. At that time, Snort was only about 1,600 lines of code and had a total of two files. Roesch's first uses of Snort included monitoring his cable modem connection and debugging network applications that he coded.

Note

The name Snort came from the fact that the application is a "sniffer and more." In addition, Roesch said that he had too many programs called a.out, and all the popular names for sniffers called "TCP-something" were already taken.

Snort's first signature-based analysis (also known as rules-based within the Snort community) became a feature in late January 1999. This was Snort's initial foray down the path of intrusion detection, and Snort could be used as a lightweight IDS at the time.

By the time Snort version 1.5 came out in December 1999, Roesch had decided on the Snort architecture that is currently employed in versions up to 2.0. After version 1.5 was released, Snort was able to use all the different plug-ins that are available today. Because of Snort's increasing popularity, Roesch worked to make it easier to configure and get it working in an enterprise environment so that it would be useful to a greater number of people.

What started as a pastime for Roesch quickly became a full-time job. In an attempt to devote a full effort to the development of Snort, Roesch started a company named Sourcefire and hired most of the core team who developed Snort. However, Snort is still open source and will always be open source. Sourcefire has put a lot of work into Snort, but it's not Sourcefire's 2.0—it's Snort 2.0. The current version of Snort is 2.0.1, which is a rework of the architecture and at press time contains approximately 75,000 lines of code.

Even though Snort 2.0 is a complete rewrite and an improvement over the current Snort implementation, Snort has gone through a more in-depth evolution. Snort did not start out with preprocessing ability, nor did it start out with plug-ins. Over time, Snort grew to have improved network flow, plug-ins for databases such as MySQL and Postgres, and preprocessor plug-ins that check RPC calls and port scanning before the packets are sent to the rules to check for alerts.

Note

By supporting only the rules written for the latest release, Snort ensures that users are running the most recent version. As of press time, the latest revision is 2.0.1, so the rules only work with that version.

Speaking of rules, as time progressed, so did the number of rules. The size of the ruleset grows with the number of exploits available. To keep the rules organized, they have been categorized into several types including P2P, backdoor, distributed denial of service (DDoS) attacks, Web attacks, viruses, and many others. Each rule is mapped to a number that identifies a particular type of attack or exploit, known as a Sensor ID (SID). For example, the SID for the SSH banner attack is 1838.
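As an added example, not code from the book, the following Python parser reads rules in the Snort rule format, keys each one by its SID, groups them by classtype, and rejects duplicate SIDs. The three rules and their SIDs are constructed for illustration (local rules conventionally use SIDs of 1000000 and above) and are not rules from the Snort distribution.

```python
import re

# Constructed sample rules for illustration, not rules shipped with Snort.
# Locally written rules conventionally use sid values of 1000000 and above.
SAMPLE_RULES = """\
# comment lines and blank lines are ignored
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH version banner probe"; flow:to_server,established; content:"SSH-"; depth:4; classtype:attempted-recon; sid:1000001; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6881:6889 (msg:"LOCAL P2P BitTorrent handshake"; content:"|13|BitTorrent protocol"; classtype:policy-violation; sid:1000002; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"LOCAL DNS oversized query"; dsize:>512; classtype:bad-unknown; sid:1000003; rev:1;)
"""

# Rule header: action proto src sport direction dst dport, then the option list in parentheses.
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<options>.*)\)\s*$"
)
# One option: a keyword, optionally ':' and a value (quoted values are taken whole), then ';'.
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*?))?\s*;')

def split_options(option_text):
    """Return {keyword: value}; bare keywords such as 'nocase' map to True."""
    return {k: (v.strip('"') if v else True) for k, v in OPTION_RE.findall(option_text)}

def parse_rules(text):
    """Return {sid: rule}; each rule holds the header fields plus msg, classtype, rev and options."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = HEADER_RE.match(line)
        if not match:
            raise ValueError(f"unparseable rule line: {line!r}")
        rule = match.groupdict()
        opts = split_options(rule.pop("options"))
        sid = int(opts["sid"])  # every rule must carry a sid; it is the key alerts are reported under
        if sid in rules:
            raise ValueError(f"duplicate sid {sid}")
        rule.update(sid=sid, rev=int(opts.get("rev", 1)), msg=opts.get("msg", ""),
                    classtype=opts.get("classtype", "unknown"), options=opts)
        rules[sid] = rule
    return rules

def by_classtype(rules):
    """Group SIDs by classtype, the way the distributed ruleset is organized into categories."""
    groups = {}
    for sid, rule in rules.items():
        groups.setdefault(rule["classtype"], []).append(sid)
    return groups
```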

Because of Snort's increasing popularity, other IDS vendors are adopting a Snort rule format. TCPDump adopted the hex encoding for packets, and community support is ever increasing. There are at least two mailing lists for Snort:

  • One on Snort's usage and application: http://lists.sourceforge.net/lists/listinfo/snort-users

  • One dedicated entirely to the Snort rules: http://lists.sourceforge.net/lists/listinfo/snort-sigs

The Best Damn Firewall Book Period
ISBN: 1931836906
Year: 2003
Pages: 240