Snort (software)

Snort is a free Network Intrusion Detection System (NIDS) and Network Intrusion Prevention System (NIPS). It can equally be used to log IP packets, for example to analyze data traffic on IP networks in real time. The software is mainly used as an intrusion prevention solution that reacts to events immediately in order to block attacks automatically. Snort was written by Martin Roesch and is now developed further by his company Sourcefire, which was acquired by Cisco in October 2013. In 2009, InfoWorld included Snort in its "Open Source Hall of Fame" as one of the best representatives of free open-source software ("greatest open source software of all time"). Snort's mascot is a pig with a large, snorting nose.


Operation

Snort reads all passing network traffic directly from the network hardware. The contents of the stream of data packets are compared with characteristic patterns of known attacks. These patterns are commonly called signatures; Snort holds them in "rules". For pattern matching Snort uses the Aho-Corasick algorithm. There are now several thousand signatures for Snort. Since new methods of attacking computers and networks become known very frequently around the world, the signature collection (as with virus scanners) should be updated regularly. Snort is commonly used either to actively block network traffic or to passively recognize various forms of attack. Snort can also be combined with other software such as BASE ("Basic Analysis and Security Engine"), Sguil, OSSIM, SnortSnarf and Snorby for convenient control of the software and a clear graphical representation of possible break-ins.
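As an added illustration (not code from the Snort project), the multi-pattern search that Snort's content matching relies on, Aho-Corasick, written out in Python and run over packet payloads against a set of signature strings in a single pass; the signature names, byte patterns and payloads below are constructed for the example and are not real Snort rules or captured traffic.

```python
from collections import deque

# Constructed example signatures: names and byte patterns are made up for this
# illustration and are not real Snort rules.
SIGNATURES = {
    "http-cgi-traversal": b"/../",
    "smb-negotiate": b"\xffSMB",
    "shell-marker": b"/bin/sh",
}

class AhoCorasick:
    """Multi-pattern byte matcher: trie and failure links are built once, then
    each payload is scanned in one pass regardless of how many rules there are."""
    def __init__(self, patterns):
        self.goto = [{}]   # state -> {byte: next state}
        self.fail = [0]    # state -> fallback state on mismatch
        self.out = [[]]    # state -> (name, length) of patterns ending here
        for name, pat in patterns.items():
            state = 0
            for b in pat:
                if b not in self.goto[state]:
                    self.goto.append({}); self.fail.append(0); self.out.append([])
                    self.goto[state][b] = len(self.goto) - 1
                state = self.goto[state][b]
            self.out[state].append((name, len(pat)))
        # Breadth-first pass: fail[s] is the longest proper suffix of s's path that
        # is itself a trie prefix; the outputs of that state are inherited.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def scan(self, payload):
        """Return (signature name, byte offset) for every match, in order found."""
        state, hits = 0, []
        for i, b in enumerate(payload):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            hits.extend((name, i + 1 - length) for name, length in self.out[state])
        return hits

MATCHER = AhoCorasick(SIGNATURES)
```

Overlapping occurrences are reported individually, as the two hits for a constructed payload such as `b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"` show.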

Network-based IDS (NIDS)

Snort can be used to detect known attacks on weak points of network software. Snort performs protocol analysis and examines and compares content in order to passively recognize various forms of attack, such as buffer overflows, port scans, attacks on web applications or SMB probes. Attacks are made possible by so-called exploits, that is, specially crafted programs such as Internet worms (e.g. Sasser or W32.Blaster), which in turn can include (or themselves be) a backdoor program (originally the administrator's back door or maintenance access) through which the actual attack is finally carried out. If an attack is detected, an alarm can be triggered, for example, and the network packets can be logged for later analysis or as evidence.

Network Intrusion Prevention System (NIPS)

Snort performs protocol analysis and examines and compares contents in order to actively block network traffic. With patches for the Snort source code from "Bleeding Edge Threats", ClamAV can be used for virus scanning within the data stream. In addition, SPADE can scan the data stream (including historical data) for network anomalies on network layers three and four. Currently (2010/2011), however, these patches appear to be no longer maintained.

Network analysis tool

Snort can also be of great help to the network administrator in network analysis. It can be used as a sniffer, similar to tcpdump, to output filtered network traffic. Snort has more options, however, and can completely replace tcpdump. Snort can also record a network dialog between server and client for later analysis and merge the pure payload into a kind of communication log.

Importance in Security Incident Information Sharing (SIIS)

Perpetrators of IT espionage often use standard tools, but modify them slightly before using them against a victim in order to avoid being detected by signatures previously published by IPS and anti-virus vendors. If the victim nevertheless detects the attack, creates a signature and passes it to its supplier, who then releases the signature, the perpetrators are warned and can, under certain circumstances, even recognize from the signature which victim has discovered their tools.

Therefore, authorities, certain industrial sectors and also NGOs and charities in many countries, which are the typical targets of IT espionage, exchange information on security incidents among themselves in the context of SIIS projects. Since Snort-compatible rules have become the de facto standard, they have also become the standard format for the exchange of IPS signatures.

Commercial vendors and agencies that perform counterintelligence functions have also specialized in Snort-compatible signatures.

Snort itself has the advantage that organizations being aggressively spied on can put it into use without triggering a procurement process. The latter could easily be monitored by the perpetrators, who could thereby determine which tools the victim uses for defense and adapt accordingly. In such cases Snort is typically used passively: the perpetrators do not know whether, and which of, their movements in the victim's network are being detected. Their behavior can thus be observed in detail, and the victim can identify the infrastructure they have built up and so prepare a concentrated action to dismantle it and to remove their tools and preferred distribution methods.

History

Snort was first released for Unix in 1998. Its programmer Martin Roesch later founded the company Sourcefire. In addition to the version of Snort licensed under the GNU GPL, Sourcefire also offers a commercial version with additional detection and analysis methods. Sourcefire sells enterprise solutions for Network Security Monitoring (NSM) with specially designed hardware and commercial support. In early October 2005, Check Point, which has its international headquarters in Tel Aviv, Israel, attempted to take over Sourcefire. The purchase price was reported to be about 225 million dollars. The purchase failed in early 2006 because of opposition from the federal government of the United States. In October 2013, the American company Cisco Systems announced that it had completed the acquisition of Sourcefire.

Security history

Snort itself is not spared from security vulnerabilities either. For example, two ways to cause a buffer overflow in Snort were found in spring 2003.

Airsnort logo

There is no direct relationship with the Airsnort program, despite the similar name and the fact that Airsnort adopted a modified version of the Snort logo: the same pig, but with wings.
