
Running Head: SNORT AS INTRUSION DETECTION AND PREVENTION TOOL 1

Snort as Intrusion Detection and Prevention Tool

Name:

Institution:

Table of Contents

Introduction, p. 4
Understanding Snort's System Requirements, p. 5
Hardware Requirements, p. 6
Operating System Requirement, p. 7
Other Software, p. 8
Detection or Prevention Technology, p. 9
  Exploit, p. 10
  Denial-of-Service (DoS), p. 10
  Reconnaissance, p. 10
  Misuse, p. 10
Signature Micro-Engines, p. 10
Attack Mitigation, p. 10
Activities for Detected Signatures, p. 11
Environment-centric Research, p. 11
IDS and IPS, p. 13
Signature-Based IDS/IPS Systems, p. 14
Policy Based IDS/IPS Systems, p. 14
Anomaly Based IDS/IPS Systems, p. 15
Honeypot-Based IDS/IPS Systems, p. 15
IPS actions, p. 16
  Deny the attacker inline, p. 16
  Deny connection inline, p. 16
  Log attacker packets, p. 17
  Log pair packets, p. 17
  Log victim packets, p. 17
  Produce verbose alert, p. 17
  Request SNMP trap, p. 17
  Request block connection, p. 17
Conclusion, p. 17
References, p. 19

Introduction

Organization systems face different kinds of attacks every day. Intrusion is one of the attacks that organizations are battling with. Because of the constant intrusions experienced in organization systems, technical experts had to come up with intrusion detection and prevention mechanisms and tools to help mitigate the risks. These are the processes of monitoring systems and networks, and analyzing them for any imminent attack, in order to facilitate prevention of the attacks. There are various tools in existence that are utilized for intrusion detection and prevention. However, this paper focuses on Snort.

Snort is an open source network intrusion detection system that is designed for both Windows and Linux systems to help eliminate intrusion threats. Snort is a modern security system that has three major roles: it can be used as a packet sniffer, a packet logger, or as a Network-based Intrusion Detection System (NIDS). There are also many add-on applications for Snort that provide different ways of recording and managing Snort log files, fetching and maintaining current Snort rulesets, and alerting to let the system administrator know when potentially malicious traffic has been detected. Even though they are not part of the core Snort suite, the add-ons provide a rich variety of features to the security administrator. As will be discussed, there are many different ways to use Snort as part of a company's security design. Usually, Snort only supports the TCP/IP protocols. With custom extensions, Snort can be made to support other network protocol suites, such as Novell's IPX, although TCP/IP is the main protocol suite supporting the Internet (Team, 2016).

Figure: Summary of Snort technology. The Snort workflow runs from the data sniffer through the preprocessor to the detection engine (pattern matching); system output goes to the log system and the alarm system.

Before commencing its main work, Snort parses the command line arguments and sets the corresponding flags to fill and initialize the PV structure. This is followed by initialization of the plug-ins; then the linked lists of rules are generated from the rule files, while the associated protocol initialization, preprocessing modules and output modules are called. Snort then captures a packet by calling the libpcap capture function and processes that packet. The main process is shown in the figure above. Snort's network protocol analysis function is called to parse the packet hierarchically, layer by layer, and stores the parsed results in the Packet structure. The Packet structure stores the useful packet information extracted from the raw data to facilitate follow-up procedure calls. It mainly stores a pointer to the packet header information and pointers to each layer's header structure.
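The layer-by-layer decoding just described, as an added example rather than Snort's own code: a Python decoder that walks a constructed Ethernet/IPv4/TCP frame and fills a Packet record holding the offset of each header and of the payload, stopping with a recorded reason on any malformed layer. The field names, the `build_frame` helper and the sample frame are this example's own assumptions, not Snort's Packet struct.

```python
# Added example, not Snort's own code: a minimal hierarchical decoder in the
# spirit of Snort's protocol analysis stage. It walks Ethernet -> IPv4 -> TCP
# and fills a Packet record that keeps the offset of each header layer and of
# the payload, so later stages (preprocessors, detection engine) work from the
# record instead of re-parsing bytes. Field names are this example's own.
import socket
import struct
from dataclasses import dataclass, field
from typing import List, Optional

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


@dataclass
class Packet:
    raw: bytes
    ip_off: Optional[int] = None       # offset of the IPv4 header
    tcp_off: Optional[int] = None      # offset of the TCP header
    payload_off: Optional[int] = None  # offset of application data
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    flags: int = 0
    errors: List[str] = field(default_factory=list)  # why decoding stopped early

    @property
    def payload(self) -> bytes:
        return b"" if self.payload_off is None else self.raw[self.payload_off:]


def decode(raw: bytes) -> Packet:
    """Decode one layer at a time; on a malformed layer, record why and stop."""
    p = Packet(raw)
    if len(raw) < 14:
        p.errors.append("truncated ethernet header")
        return p
    ethertype = struct.unpack("!H", raw[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        p.errors.append(f"unsupported ethertype 0x{ethertype:04x}")
        return p
    p.ip_off = 14
    if len(raw) < 34 or raw[14] >> 4 != 4:
        p.errors.append("malformed ipv4 header")
        return p
    ihl = (raw[14] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[16:18])[0]
    end = min(len(raw), 14 + total_len)  # ignore Ethernet trailer padding
    if ihl < 20 or 14 + ihl > end:
        p.errors.append("malformed ipv4 header")
        return p
    p.raw = raw[:end]
    p.src = socket.inet_ntoa(raw[26:30])
    p.dst = socket.inet_ntoa(raw[30:34])
    if raw[23] != IPPROTO_TCP:
        p.errors.append(f"unsupported ip protocol {raw[23]}")
        return p
    t = p.tcp_off = 14 + ihl
    if end - t < 20:
        p.errors.append("truncated tcp header")
        return p
    p.sport, p.dport = struct.unpack("!HH", raw[t:t + 4])
    doff = (raw[t + 12] >> 4) * 4  # TCP data offset, in 32-bit words
    p.flags = raw[t + 13]
    if doff < 20 or t + doff > end:
        p.errors.append("bad tcp data offset")
        return p
    p.payload_off = t + doff
    return p


def build_frame(src, dst, sport, dport, flags, payload: bytes) -> bytes:
    """Constructed sample input: Ethernet/IPv4/TCP frame (checksums left zero)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64,
                     IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp + payload


if __name__ == "__main__":
    frame = build_frame("10.0.0.5", "192.168.1.10", 40000, 80, 0x18, b"GET / HTTP/1.1\r\n")
    pkt = decode(frame)
    print(pkt.src, pkt.dst, pkt.sport, pkt.dport, hex(pkt.flags), pkt.payload, pkt.errors)
```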

Understanding Snorts System Requirements

To a large extent, determining what type of hardware and software configuration the organization will need to run an optimal Snort installation is a matter of understanding its entire network architecture. First, the organization must consider questions of scale. Roughly, it is assumed that the larger the network is, the more capable the machines the organization needs to serve as its Snort sensor(s). Snort will need to be able to keep up with the organization's network, have enough disk space to log its alerts, and have a fast enough processor and enough memory to handle the normal traffic flow in the network, with some room built in for intense attacks and traffic spikes. While some optimizations can be done to speed Snort up significantly, these are the basic issues that the network administrators will need to consider (Garg & Maheshwari, 2016).

Hardware Requirements

One of the most important things the network administrators need, especially if they are using Snort as a Network-based Intrusion Detection System (NIDS), is a big hard drive. If they are storing their data either as syslog files or in a database, they will need a great deal of space to store all the data that Snort's detection engine requires to check the system for any form of rule violation. Another highly recommended hardware device for Snort is an additional Ethernet interface. One of the Ethernet interfaces is used for typical network connectivity (SSH, Web services, and so forth), and the additional interface is for snorting activities. This detection interface that does the "snorting" is the organization's Snort sensor. Snort does not have any specific hardware requirements beyond what the operating system already needs to run. Running any application or program on a faster processor always makes it work faster. However, the organization will be limited in the amount of data it collects by its network connection and by its hard drive (Liao et al. 2013).

To run Snort, it will be necessary to have a reasonably sized network interface card (NIC) to help with collecting the correct amount of network packets. For instance, if the organization's network is running at 100MB, it will need a 100MB network interface card to collect the correct amount of packets generated on the network. Otherwise, the organization will miss some packets and thus be unable to collect the triggered alerts accurately. In addition, the organization will need a good-sized external hard drive to help with its data storage. If its external hard drive is too small, there is the likelihood that it will not be able to write alerts to either its database or its log files. A suitable setup for a single Snort sensor is said to be a 9GB partition.

Operating System Requirement

It is always obvious that Snort was designed to be a lightweight NIDS. Currently, Snort can run on FreeBSD, NetBSD, x86 Linux, Windows and OpenBSD. Other supported systems include PA-RISC HP-UX, PowerPC MacOS X and MkLinux, and Sparc Solaris. Snort will run on just about any modern OS today. There has always been an argument regarding the best OS on which to run Snort. Previously, the *BSDs had the better IP stack. However, since Linux has advanced to the 2.4 kernel, the IP stacks are similar. The ideal OS is NetBSD, but the organization's preference might differ. Going for the latest Linux version is also recommended. As much as the question of which OS has the best TCP/IP stack is essential, it is also necessary to figure out which operating system the people in the organization, particularly the system administrators, are familiar with (Arney & Wang, 2016).


Other Software

In addition to the basic operating system, if the organization intends to compile Snort from source code, it will need the tools to do the compilation. It must ensure that it has the following installed:

Autoconf and Automake

GCC

Lex and yacc, or the GNU equivalents flex and bison

Libpcap

Most of these are downloadable from the nearest GNU mirror. The administrators might also want to install Snort add-ons or management tools, such as the popular Analysis Console for the Intrusion Detection (ACID) Web interface, which requires the Apache Web server (Secure Socket Layer support is highly recommended), PHP, and a database for the alerts such as MySQL or PostgreSQL. Some popular Snort add-ons include:

ACID

Oinkmaster

SnortSnarf

SnortReport

Additionally, there might be a need to install certain servers to help with the remote management of Snort operations. Making configuration changes manually becomes quite tiresome as time goes by. The recommended servers are an SSH server or a Terminal server, depending on the type of operating system chosen. The two types of servers make it possible to link the files against which comparisons are made to detect potential threats with the main servers that run the system activities. The servers that are linked first are those that contain all the files that are received into the system (Paquet, 2013).

Detection or Prevention Technology

Intrusion detection and prevention is a very vital part of the overall Snort Self-Defending Network design. When this technology is deployed together with firewalls and NetFlow services, it provides additional critical action and response to malicious attacks in an organization. Snort Intrusion Prevention System (IPS) is an advanced version of the Snort Intrusion Detection System (IDS) design. These two components work hand in hand to improve a company's security at all levels. Examples of this generation of technology are features such as stateful pattern recognition and protocol anomaly analysis. Working together, these two features deliver most of the advantages normally required to accurately recognize the widest range of significant attacks.

In addition, like Snort IDS, Snort IPS is built from similar deployment approaches. To protect different network segments, Snort IPS 4200 is constructed as a dedicated device. Moreover, integrated systems are also available in the form of Snort version 6500 IDS modules, which also inspect the subsequent modules of the systems. It is therefore also worth noting that Snort IPS provides a subset of IPS capabilities using Snort software on the router. These components also improve each other's capabilities, in that they extend the device from an inline device that only monitors the network to an inline responsive and prevention device. Attacks detected by Snort IPS signatures can be divided into four types, as follows:

Exploit: Activity that compromises a system or a means of network access.

Denial-of-Service (DoS): A campaign to send large quantities of requests to either a network or a system. The main aim of this type of campaign is to disrupt normal operations.

Reconnaissance: Activity that gathers information on system and network resources. It mainly focuses on those resources that can later be leveraged.

Misuse: An action that violates corporate policy (Low, 2015).

Signature Micro-Engines

Snort applies signature micro-engines (SMEs) to load (into the device's memory) and scan for a set of attack signatures. Each engine is designed to analyze a Layer 4 or Layer 7 protocol and its related fields and arguments. Within any packet carrying data for that session, it looks for a set of legal parameters that have allowable ranges or sets of values. It also scans for malicious activity specific to that protocol, using a parallel signature-scanning technique to examine multiple patterns within an SME at any given time.

Attack Mitigation

Snort IPS can protect an organization's network from more than 3700 unique attacks, malicious activities, worms, and viruses. Attacks that Snort IPS can recognize and stop include numerous Microsoft Windows operating system and application vulnerability exploits, viruses, and worms.

Activities for Detected Signatures

Each specific signature or class of signatures chosen to scan traffic for matching attacks can be configured to take any combination of the following five actions when triggered:

Send an alert via syslog, or log an alert in Secure Device Event Exchange (SDEE) format

Drop the malicious packet

Send TCP reset commands to both ends of the connection, which terminates the session

Temporarily reject all packets from the attacker (source address)

Reject further packets belonging to the same TCP session (connection) from the attacker's source address (Modi et al. 2013).

Environment-centric Research

An IDS passively monitors packets on a given target network looking for malicious activity. It identifies the malicious activity that would disrupt normal system operations by applying signature analysis to previously identified malicious packets to decide the type of attack. In promiscuous mode, the IDS examines a copy of the monitored traffic rather than the original packet. If a packet or sequence of packets triggers an alert based on signature analysis, the information related to this possible intrusion is captured for analysis to determine its severity. This data allows the IDS administrator to identify ongoing attacks and additionally conduct a detailed examination of previous attacks. Additional administrator-configurable actions could be taken by the IDS, including TCP resets and configuring access control or authentication records to help lock out the attackers.

The limitation of intrusion detection is that the IDS cannot stop malicious activity from reaching its intended target for certain kinds of attacks. IDS countermeasures and post-event responses also always need help from other network devices, such as routers and firewalls, to react to an attack. Intrusion prevention directly affects the traffic flow to stop attacks from reaching the intended target. In inline mode, the IPS sits in the traffic path, which allows the IPS to stop attacks by terminating recognized harmful activity. The IPS processes the real packet. If a packet or sequence of packets triggers an alert, drop actions can be taken in addition to the IDS actions (Technology, 2013).

Table 1: A Network Topology Using an IPSv6.0 Addressing Architecture



IDS and IPS

IDS and IPS work together to provide a network security system. An Intrusion Detection System captures packets in real time, processes them, and can respond to threats, but it works on copies of the traffic to identify suspicious activity using signatures. This is called promiscuous mode. In the time it takes to identify malicious activity, the IDS allows some malicious traffic to take place before it can react to secure the network. The IDS examines a copy of the monitored traffic rather than the forwarded packet. The advantage of working on a copy of the traffic is that the IDS does not affect the packet flow of the transmission. The disadvantage of working on a copy of the traffic is that the IDS cannot stop malicious single-packet attacks from reaching the target system before the IDS can initiate a response to thwart the attack. An IDS frequently needs assistance from other network devices, for instance routers and firewalls, to respond to any form of attack (Kurundkar et al. 2012).

An IPS operates inline with the traffic flow to provide protection from malicious attacks in real time. This is called inline detection mode. Unlike an IDS, an IPS does not allow packets to enter the trusted side of the network. An IPS scans traffic at Layer 3 and Layer 4 to ensure that the headers match those specified in the configured policy. The IPS sensor also examines the Layer 2 to Layer 7 payload of the packets for more sophisticated embedded attacks that may carry malicious data. This deeper inspection gives the IPS the ability to identify and stop attacks that would normally pass through a conventional firewall. When a packet comes in through an interface on an IPS, that packet is not forwarded to the outbound or trusted interface until it has been verified as benign. An IPS builds on earlier IDS technology; Snort IPS platforms use a mix of detection techniques, including profile-based intrusion detection, signature-based intrusion detection, and protocol analysis-based intrusion detection.

Signature-Based IDS/IPS Systems

A signature-based IDS or IPS sensor looks for specific, pre-defined patterns in network traffic. It matches the traffic against a database of known attacks and triggers an alarm or blocks the communication if a match is detected. The pattern may be found in a single packet or in a sequence of packets. A new malicious activity that does not match a signature is not detected. Thus, the database used to detect new malicious actions must always be updated. Signature-based pattern matching is a rigid criterion, but simple to use. Most of the time, the pattern is matched only if the suspicious packet is associated with a particular service or, more precisely, bound to and from a particular port. This matching technique reduces the amount of analysis done on each packet. It is always difficult for such systems to handle activity that does not reside on defined ports, for instance Trojan horses and their related traffic, which can be transmitted freely (Kenkre et al. 2015).
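An added example (not Snort's detection engine) of the port-bound signature matching described above: a small engine for a simplified Snort rule syntax that only compares content patterns against packets bound to the rule's port, so the same payload on an unexpected port goes unnoticed. The two rules, the `Pkt` class and the sample payloads are constructed for illustration.

```python
# Added example, not Snort's detection engine: a small signature engine for a
# simplified Snort rule syntax. Rules are indexed by destination port, so a
# content pattern is only compared against packets bound to that port (the
# analysis-saving shortcut the text describes), which is also why the same
# payload on an unexpected port goes unnoticed. Simplifications: "->" rules
# only; options msg/content/nocase/sid only (others ignored); no |hex| escapes;
# nocase applies to every content in the rule.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HEADER = re.compile(r"^(alert|log|pass|drop|reject)\s+(\w+)\s+\S+\s+(\S+)"
                    r"\s+->\s+\S+\s+(\S+)\s*\((.*)\)\s*$")


@dataclass
class Rule:
    action: str
    proto: str
    sport: Optional[int]  # None means "any"
    dport: Optional[int]
    msg: str
    contents: List[bytes]
    nocase: bool
    sid: int


@dataclass
class Pkt:  # constructed stand-in for a decoded packet
    proto: str
    sport: int
    dport: int
    payload: bytes


def _split_options(body: str) -> List[str]:
    """Split the option body on ';' except inside double quotes."""
    opts, cur, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    return opts + ([tail] if tail else [])


def parse_rule(text: str) -> Rule:
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    action, proto, sport, dport, body = m.groups()
    msg, contents, nocase, sid = "", [], False, 0
    for opt in _split_options(body):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "msg":
            msg = val
        elif key == "content":
            contents.append(val.encode())
        elif key == "nocase":
            nocase = True
        elif key == "sid":
            sid = int(val)
    port = lambda tok: None if tok == "any" else int(tok)
    return Rule(action, proto.lower(), port(sport), port(dport), msg, contents, nocase, sid)


class Engine:
    def __init__(self, rules: List[Rule]):
        self.by_port: Dict[Optional[int], List[Rule]] = {}  # dport -> rules
        for r in rules:
            self.by_port.setdefault(r.dport, []).append(r)

    def inspect(self, pkt: Pkt) -> Optional[Tuple[str, int, str]]:
        """Return (action, sid, msg) for the first matching rule, else None."""
        for r in self.by_port.get(pkt.dport, []) + self.by_port.get(None, []):
            if r.proto != pkt.proto or (r.sport is not None and r.sport != pkt.sport):
                continue
            hay = pkt.payload.lower() if r.nocase else pkt.payload
            if all((c.lower() if r.nocase else c) in hay for c in r.contents):
                return (r.action, r.sid, r.msg)
        return None


# Constructed rules in the simplified syntax (sid values are arbitrary).
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> any 80 (msg:"HTTP directory traversal attempt"; content:"../../"; sid:1000001; rev:1;)',
    'drop tcp any any -> any 21 (msg:"FTP root login attempt"; content:"USER root"; nocase; sid:1000002; rev:1;)',
)]
ENGINE = Engine(RULES)
```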

Policy Based IDS/IPS Systems

In policy-based systems, the IDS or IPS sensors are preconfigured with the network security policy. An organization must create the various policies used as part of a policy-based IDS or IPS. Any activity defined outside the policy will produce an alert or will be blocked. Creating a security policy requires detailed knowledge of the entire network's functionality and should be given adequate time. Policy-based signatures use some form of algorithm to determine whether an alert should be raised. Often, policy-based signature algorithms are statistical evaluations of the traffic flow. For example, in a policy-based signature used to detect a port sweep, the algorithm raises an alert when a threshold number of distinct ports are scanned on a given machine. Policy-based signature algorithms can be aimed at analyzing only certain kinds of packets (for example, SYN packets, where the SYN bit is set as part of the handshake at the start of a connection).
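The policy-based port-sweep signature described above, as an added example that is not part of the original paper: a detector that evaluates only SYN packets and alerts when a source has probed a threshold number of distinct ports on one host within a sliding window. The threshold, window and traffic trace are constructed values.

```python
# Added example, not from the page or Snort: a policy-based signature of the
# kind described above. It counts distinct destination ports per
# (source, target) pair within a sliding window and alerts once the configured
# threshold is reached. Only SYN packets (SYN set, ACK clear) are evaluated;
# every other packet is skipped before any state is touched.
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

SYN, ACK = 0x02, 0x10


@dataclass(frozen=True)
class Pkt:  # constructed stand-in for a decoded TCP packet
    ts: float
    src: str
    dst: str
    dport: int
    flags: int


class PortSweepDetector:
    def __init__(self, threshold: int = 5, window: float = 10.0):
        self.threshold, self.window = threshold, window
        # (src, dst) -> recent (timestamp, dport) observations, oldest first
        self.seen: Dict[Tuple[str, str], Deque[Tuple[float, int]]] = defaultdict(deque)
        self.alerted: Dict[Tuple[str, str], float] = {}  # last alert time per pair

    def process(self, p: Pkt) -> Optional[str]:
        if p.flags & (SYN | ACK) != SYN:
            return None  # the policy looks at connection attempts only
        key = (p.src, p.dst)
        q = self.seen[key]
        q.append((p.ts, p.dport))
        while q and p.ts - q[0][0] > self.window:  # drop observations outside the window
            q.popleft()
        distinct = {port for _, port in q}
        if len(distinct) < self.threshold:
            return None
        last = self.alerted.get(key)
        if last is not None and p.ts - last <= self.window:
            return None  # already reported within this window; avoid alert floods
        self.alerted[key] = p.ts
        return f"port sweep: {p.src} -> {p.dst} probed {len(distinct)} ports in {self.window:.0f}s"


def run(trace: List[Pkt], **kw) -> List[str]:
    """Feed a trace in timestamp order and collect the alerts raised."""
    det = PortSweepDetector(**kw)
    alerts = []
    for p in sorted(trace, key=lambda x: x.ts):
        a = det.process(p)
        if a:
            alerts.append(a)
    return alerts


# Constructed trace: a client retrying one port, a scanner walking ports 20-27,
# and the target's SYN/ACK reply (ignored by the policy).
TRACE = (
    [Pkt(1.0 + i, "10.0.0.7", "10.0.0.80", 443, SYN) for i in range(6)]
    + [Pkt(2.0 + i * 0.1, "203.0.113.9", "10.0.0.80", 20 + i, SYN) for i in range(8)]
    + [Pkt(3.5, "10.0.0.80", "203.0.113.9", 40000, SYN | ACK)]
)
```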

Anomaly Based IDS/IPS Systems

Anomaly-based or profile-based signatures usually look for network activity that deviates from what is normally seen. The major concern with this approach is that the system administrators must first define what is normal. If during the learning phase the network is the victim of an attack and the administrators fail to recognize it, the anomaly-based IPS will classify that malicious activity as normal, and no alarm will be raised when the same attack occurs again. A few systems have hard-coded definitions of normal traffic patterns and, in that case, could be viewed as heuristic-based systems. Other systems are built to learn normal activity behaviour; however, the challenge with these kinds of systems is eliminating the possibility that malicious traffic showing unusual traits is learned as normal. Also, once the activity pattern being learned is accepted as normal, the system must be able to differentiate between the known acceptable deviations and those deviations that are not allowed or that are suspected to be attack traffic. It can be very hard to characterize normal network activity due to the dynamic nature of the traffic taking place within the network (Kizza, 2015).
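An added example, not from the original paper, of the learning-phase failure mode described above: a profile-based detector that learns a per-host packets-per-interval baseline, raises an alarm on a burst when trained on clean traffic, and stays silent on the same burst when the attack was already present during learning. The counts, the k = 3 threshold and the `expected_spikes` allowlist of known deviations are constructed assumptions.

```python
# Added example, not from the original page: a profile-based detector that
# learns a per-host packets-per-interval baseline and flags intervals exceeding
# mean + k * stdev. The second scenario shows the failure mode the text
# describes: when the learning window already contains the attack, the baseline
# absorbs it and the same attack later raises no alarm. Labels listed in
# `expected_spikes` are known, permitted deviations (e.g. a backup window).
import statistics
from typing import List, Optional, Set, Tuple


class RateProfile:
    def __init__(self, k: float = 3.0, min_samples: int = 5,
                 expected_spikes: Optional[Set[str]] = None):
        self.k, self.min_samples = k, min_samples
        self.expected_spikes = set(expected_spikes or ())
        self.samples: List[int] = []
        self.mean: Optional[float] = None
        self.stdev: float = 0.0

    def learn(self, counts: List[int]) -> Tuple[float, float]:
        """Learning phase: everything fed here is accepted as normal, unchecked."""
        self.samples.extend(counts)
        self.mean = statistics.fmean(self.samples)
        self.stdev = statistics.pstdev(self.samples)
        return self.mean, self.stdev

    def limit(self) -> Optional[float]:
        """Alert threshold, or None until enough samples have been learned."""
        if self.mean is None or len(self.samples) < self.min_samples:
            return None
        return self.mean + self.k * max(self.stdev, 1.0)  # floor avoids a zero-width profile

    def check(self, label: str, count: int) -> Optional[str]:
        lim = self.limit()
        if lim is None or count <= lim:
            return None
        if label in self.expected_spikes:
            return None  # known, permitted deviation from the profile
        return f"anomaly in {label}: {count} pkts/interval exceeds {lim:.1f}"


# Constructed traffic for one host: eight quiet intervals, then a burst.
NORMAL = [12, 15, 11, 14, 13, 12, 16, 14]
ATTACK = 120


def clean_training() -> Optional[str]:
    """Baseline learned from clean traffic: the burst is flagged."""
    prof = RateProfile()
    prof.learn(NORMAL)
    return prof.check("t9", ATTACK)


def poisoned_training() -> Optional[str]:
    """The attack was already running during two learning intervals."""
    prof = RateProfile()
    prof.learn(NORMAL + [ATTACK, ATTACK])
    return prof.check("t11", ATTACK)


def allowed_deviation() -> Optional[str]:
    """A spike in an interval the operator declared as expected."""
    prof = RateProfile(expected_spikes={"backup"})
    prof.learn(NORMAL)
    return prof.check("backup", 60)
```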

Honeypot-Based IDS/IPS Systems

Honeypot systems use a dummy server to attract attacks. The purpose of the honeypot approach is to keep attacks away from the genuine network infrastructure. By staging specific kinds of vulnerabilities and threats on the honeypot server, the system administrators can thwart imminent kinds of attacks and malicious traffic patterns. The system administrators can use honeypot analysis to tune the network sensor signatures to help identify new types of harmful network traffic. Honeypot systems are used as part of production deployments, often by large organizations that tend to be attractive targets for network attackers, for instance financial enterprises, government agencies, et cetera. Additionally, antivirus and other security vendors tend to use them for research (Vukalović & Delija, 2015).

IPS actions

When the IPS detects malicious activity, it can choose any or all of the following actions:

Deny the attacker inline: This action terminates the current packet and future packets for a specified period. The sensor keeps a list of denied attackers to block any further attacks on the network. To cover this, the organization's IT section can check any suspects believed to have attacked the system. If any unknown data is found, the organization can then remove the entry. On the other hand, if the sensors detect entry by an unauthorized third party, they notify the administrators, who in turn lock them out or block the systems. Consequently, if an attacker is currently being denied but issues another attack, the timer for attacker A is reset, and attacker A remains on the denied attacker list until the timer expires. If the denied attacker list is at its limit and cannot include another entry, the packet is still denied.

Deny connection inline: This action terminates the current packet and future packets on this TCP flow. It is also referred to as deny flow.

Log attacker packets: This action logs packets containing the attacker's IP address and sends an alert. It also triggers the alert mechanism connected to the Snort device even if the produce alert action is not selected. Produce alert is discussed later in this list (Kizza, 2015).

Log pair packets: This action logs packets containing the IP address of the device that tries to attack the system. It forces an alert to be written to the event store even if the produce alert action is not selected.

Log victim packets: This action logs packets containing the victim's IP address and sends an alert. The subsequent effect is that an alert is triggered by this action.

Produce verbose alert: This action includes an encoded dump of the packet in the alert. The subsequent effect is that an alert is written to the event store, whether or not the produce alert action is selected.

Request SNMP trap: A Simple Network Management Protocol (SNMP) notification is triggered when a request is sent to the network. This action causes an alert to be written to the event store even if the produce alert action is not selected.

Request block connection: This blocks the connection on the relevant device by sending a block request (Modi et al. 2013).
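The five actions listed under Activities for Detected Signatures and the deny-attacker and deny-connection behaviour described in this section, as an added example that is neither Snort's nor any vendor's code: an inline IPS state machine with a per-source deny timer that restarts on a repeat attack, a capacity-limited denied-attacker list that still drops the triggering packet when full, and per-flow denial. The packet fields, the signature verdict carried in `matched`, the 30-second timer and the trace are constructed assumptions.

```python
# Added example, not Snort's or any vendor's code: a tiny inline IPS state
# machine for the actions described above. A signature hit (carried in
# `matched` by a hypothetical upstream detection engine) drops the packet,
# raises a syslog-style alert, resets both ends of the connection, denies the
# flow, and denies the attacker's source address for `deny_seconds`. A further
# attack from a denied source restarts its timer, and when the denied-attacker
# list is full the triggering packet is still denied even though the source
# cannot be added.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Flow = Tuple[str, int, str, int]  # (src, sport, dst, dport)


@dataclass
class Pkt:  # constructed stand-in for a decoded TCP packet
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    matched: Optional[str] = None  # signature message, None if nothing fired


@dataclass
class InlineIps:
    deny_seconds: float = 30.0
    max_denied: int = 2  # deliberately tiny so the "list full" case shows up
    denied_attackers: Dict[str, float] = field(default_factory=dict)  # src -> expiry
    denied_flows: Set[Flow] = field(default_factory=set)
    events: List[str] = field(default_factory=list)

    def _expire(self, now: float) -> None:
        for src, expiry in list(self.denied_attackers.items()):
            if expiry <= now:
                del self.denied_attackers[src]

    def process(self, p: Pkt) -> str:
        """Return the verdict for one packet; side effects are appended to `events`."""
        self._expire(p.ts)
        flow: Flow = (p.src, p.sport, p.dst, p.dport)
        if p.src in self.denied_attackers:
            if p.matched:  # attacking again while denied: restart the timer
                self.denied_attackers[p.src] = p.ts + self.deny_seconds
            return "drop: denied attacker"
        if flow in self.denied_flows:
            return "drop: denied connection"
        if p.matched is None:
            return "forward"
        self.events.append(f"alert syslog {p.matched} {p.src}->{p.dst}:{p.dport}")
        self.events.append(f"tcp-reset both ends of {flow}")
        self.denied_flows.add(flow)
        if len(self.denied_attackers) < self.max_denied:
            self.denied_attackers[p.src] = p.ts + self.deny_seconds
        else:
            self.events.append(f"denied-attacker list full, {p.src} not added")
        return "drop: signature match"  # the triggering packet is denied regardless


# Constructed trace exercising timer reset, list capacity and expiry.
TRACE = [
    Pkt(0.0, "203.0.113.9", 40000, "10.0.0.80", 80, "SID-1 test signature"),
    Pkt(5.0, "203.0.113.9", 40001, "10.0.0.80", 80),
    Pkt(20.0, "203.0.113.9", 40002, "10.0.0.80", 80, "SID-1 test signature"),
    Pkt(35.0, "203.0.113.9", 40003, "10.0.0.80", 80),  # would be free at 30 without the reset
    Pkt(36.0, "198.51.100.4", 50000, "10.0.0.80", 80, "SID-1 test signature"),
    Pkt(37.0, "192.0.2.7", 60000, "10.0.0.80", 80, "SID-1 test signature"),  # list is full
    Pkt(38.0, "192.0.2.7", 60000, "10.0.0.80", 80),  # same flow: still denied
    Pkt(38.5, "192.0.2.7", 60001, "10.0.0.80", 80),  # new flow from the un-listed source
    Pkt(51.0, "203.0.113.9", 40004, "10.0.0.80", 80),  # timer reset at 20 expired at 50
]


def run(trace: List[Pkt]) -> Tuple[List[str], List[str]]:
    """Run the trace through a fresh IPS; return (verdicts, events)."""
    ips = InlineIps()
    verdicts = [ips.process(p) for p in trace]
    return verdicts, ips.events
```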



Conclusion

In today's business settings, keeping away intruders who can interfere with the system is the most important thing an organization can invest in. It is also worth noting that these attacks do not just originate from outside; some of them are organized by insiders who want to sabotage the business. To compromise these systems, the attackers manipulate the Internet connections; when these are not kept at bay, they can multiply and fill the systems in minutes. Opportunities to change this after the attack are also minimal, since the damage is already done. The Snort Intrusion Prevention System (IPS) is an open source, inline, deep packet inspection based solution that helps organizations' system administrators effectively mitigate a wide variety of network attacks and vulnerabilities. This system is, therefore, used by organizations to safeguard their data from attack or manipulation by third parties.

REFERENCES

Arney, C. A., & Wang, X. (2016, September). Active Snort Rules and the Needs for Computing Resources: Computing Resources Needed to Activate Different Numbers of Snort Rules. In Proceedings of the 5th Annual Conference on Research in Information Technology (pp. 54-54). ACM.

Garg, A., & Maheshwari, P. (2016, January). Performance analysis of Snort-based Intrusion Detection System. In Advanced Computing and Communication Systems (ICACCS), 2016 3rd International Conference on (Vol. 1, pp. 1-5). IEEE.

Kenkre, P. S., Pai, A., & Colaco, L. (2015). Real time intrusion detection and prevention system. In Proceedings of the 3rd International Conference on Frontiers of Intelligent Computing: Theory and Applications (FICTA) 2014 (pp. 405-411). Springer International Publishing.

Kizza, J. M. (2015). System intrusion detection and prevention. In Guide to Computer Network Security (pp. 273-298). Springer London.

Kurundkar, G. D., Naik, N. A., & Khamitkar, S. D. (2012). Network intrusion detection using Snort. International Journal of Engineering Research and Applications, 2(2), 1288-1296.

Liao, H. J., Lin, C. H. R., Lin, Y. C., & Tung, K. Y. (2013). Intrusion detection system: A comprehensive review. Journal of Network and Computer Applications, 36(1), 16-24.

Low, K. X. (2015). Intrusion detection system.

Modi, C., Patel, D., Borisaniya, B., Patel, H., Patel, A., & Rajarajan, M. (2013). A survey of intrusion detection techniques in cloud. Journal of Network and Computer Applications, 36(1), 42-57.

Paquet, C. (2013). Network Security Using Snort IPS.

Team, S. (2016). Snort: Open source network intrusion prevention system.

Technology, T. (2013). Snort Intrusion Prevention System (IPS) Version 6.0 Security Target.

Vukalović, J., & Delija, D. (2015, May). Advanced Persistent Threats - detection and defense. In Information and Communication Technology, Electronics and Microelectronics (MIPRO), 2015 38th International Convention on (pp. 1324-1330). IEEE.
