What is Snort?
Snort is one of the most important open source projects in the field of network security, and it has proved itself as one of the best network security tools for years now. It works as a Network Intrusion Detection System (NIDS) and as a Network Intrusion Prevention System (NIPS), and it has long been the de facto standard for intrusion detection and prevention systems. On top of that, Snort is free software, which makes it a perfect fit for many.
In case you didn’t know, and to give a little more insight into the subject, let me explain in a nutshell what a NIDS is. Fundamentally, it is software that monitors all the traffic on a network to make sure that everything is on track and under control.
Whenever there is abnormal or malicious activity, or a violation of security policy for some reason, the NIDS records these cases and reports them to the security administrator.
In practice, there is also what we call a Security Information and Event Management (SIEM) system. It collects data, often known as logs, from diverse sources, Snort being one of them. Based on predefined filters, the SIEM can trigger an alarm or alert message whenever a violation occurs; the malicious activities that Snort records and forwards to the SIEM are certainly among these.
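As an added illustration of the Snort-to-SIEM path just described (example code written for this article, not Snort's or any SIEM's own code), the following Python parses Snort's fast-alert log layout and applies two simple SIEM-style filters; the alert lines, rule ids and addresses are constructed samples.

```python
"""Parse Snort fast-alert lines and apply simple SIEM-style filters (illustration, not a real SIEM)."""
import re

# Constructed sample lines in the layout of Snort's alert_fast output; sids and hosts are placeholders.
SAMPLE_ALERTS = """\
08/10-14:23:01.123456  [**] [1:1000001:1] SMB probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:49152 -> 10.0.0.9:445
08/10-14:23:02.223456  [**] [1:1000001:1] SMB probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:49153 -> 10.0.0.10:445
08/10-14:23:03.323456  [**] [1:1000001:1] SMB probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:49154 -> 10.0.0.11:445
08/10-14:25:10.000001  [**] [1:1000002:1] CGI probe [**] [Priority: 3] {TCP} 10.0.0.7:51000 -> 10.0.0.20:80
08/10-14:26:00.000001  [**] [1:1000003:1] ICMP ping [**] [Priority: 3] {ICMP} 10.0.0.8 -> 10.0.0.9
"""

# timestamp, [gid:sid:rev], message, optional classification, priority, protocol, endpoints (ports optional)
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]+)\])?\s+\[Priority:\s+(?P<pri>\d+)\]"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_fast_alerts(text):
    """Turn raw alert lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = FAST_ALERT.match(line)
        if not m:
            continue  # a production collector would count and report unparsable lines
        e = m.groupdict()
        for key in ("gid", "sid", "rev", "pri", "sport", "dport"):
            e[key] = int(e[key]) if e[key] is not None else None
        events.append(e)
    return events

def triage(events, max_priority=2, sweep_threshold=3):
    """Two predefined filters: alerts at or above a priority, and one source firing the same rule
    against many distinct hosts (a sweep that single alerts would not reveal)."""
    high = [e for e in events if e["pri"] <= max_priority]
    hosts_hit = {}
    for e in events:
        hosts_hit.setdefault((e["src"], e["sid"]), set()).add(e["dst"])
    sweeps = sorted({src for (src, _sid), hosts in hosts_hit.items() if len(hosts) >= sweep_threshold})
    return {"high_priority": high, "sweeping_sources": sweeps}
```

Note that Snort's priority scale runs from 1 (most severe) upward, so the filter keeps priorities less than or equal to the threshold.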
Let’s get to know Snort’s history
It is often a great idea to know the history of the successful figures in any field of interest. I consider a look at the history of such a highly proven security tool a must, because it really enriches our knowledge about the beginnings of such amazing projects.
In fact, Snort has witnessed several turning points since its creation. Snort was initially developed back in 1998 by Martin Roesch, who later founded a technology company called Sourcefire in 2001 and became its Chief Technology Officer.
In 2005, Check Point Software Technologies acquired Sourcefire in a deal worth $225 million. Notably, the information technology media business InfoWorld named Snort one of the “greatest [pieces of] open source software of all time,” which marked the peak of its fame and has been remembered ever since.
A European organization specialized in network security testing, the NSS Group, compared Snort in practice with IDS products from other vendors such as Computer Associates and Symantec. In 2005, Snort outstandingly outperformed all of the other products.
The year 2013 marked the start of a new era for Snort and for Sourcefire in general, as the large company Cisco Systems took ownership of it. Several versions of Snort were released, and a self-tuning engine was built into the versions starting from 2005. This self-tuning engine aimed to achieve maximum efficiency while keeping errors to a minimum.
What is the benefit of Snort?
Roesch divides the stages that threat-centric security should go through into three main chronological events:
- Before the attack: a defender ought to harden the assets and build the biggest and thickest castle, so that an attacker or hacker never even attempts to get in.
- During the attack: the previous point never works completely, so this stage is of great importance. Once an attack is launched, detecting it and then blocking it should be the greatest aim at this critical time. Various technologies and techniques are used to stop the attack as far as possible.
- After the attack: sometimes, however, these technologies fail to detect and block the attack, and the attack manages to get through the system. At this stage a defender faces a great threat and may lose control over their own network.
Therefore, scoping and containing the attack has to come first, so that it cannot spread any further through the network. Once this is achieved, the defender has to get rid of the attack and remediate it. That is the core of what Snort does.
The idea behind Snort is to monitor network traffic in real time and scrutinize each packet of that traffic closely. Analyzing packets in this manner detects suspicious payloads or anomalies.
Accordingly, there are three main fields where its role shines best:
- An ordinary packet sniffer, like tcpdump
- A packet logger, which is useful for debugging network traffic
- A full methodology and platform for network intrusion prevention
Getting into more detail
Fundamentally, Snort relies on the packet capture library libpcap to sniff network traffic and analyze it afterwards. Most similar sniffers that work with Transmission Control Protocol/Internet Protocol (TCP/IP) use the same library for their packet monitoring and detection purposes.
Snort’s role does not stop at the detection phase. Beyond that, Snort analyzes the captured packets and searches them for patterns in order to spot suspicious or malicious packets. Whenever this happens, an alert can be sent automatically as a pop-up window to Windows clients by using Samba’s smbclient, written to a UNIX socket, or simply sent to syslog, where alerts from several other sources are collected as well.
If we want to name some of the types of attacks that Snort can identify, the following list is worth mentioning:
- Denial of service attacks, in which legitimate users are denied their basic privilege of accessing their computers, devices, or other resources of the network.
- Attacks targeting the Common Gateway Interface (CGI), in which data requested by a user from a web application could be captured and collected before it is sent back to the user.
- Stealth port scans, which search for open ports to exploit in order to plant malware and deliver its payload through them.
- Attacks that depend on buffer overflows, in which an attacker sends an oversized network packet that the receiving system is not able to withstand.
- Server Message Block (SMB) probe attacks
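To show in principle how Snort’s pattern search over packets works, here is an added toy example (written for this article, not Snort’s engine or code) that parses two rules written in Snort’s rule syntax, one for the SMB probes and one for the CGI attacks in the list above, and matches them against constructed packets; the rules, sids and packet contents are made up for illustration, and only the header fields plus the msg, content, nocase and sid options are supported.

```python
"""Toy matcher for Snort-style rules: added illustration, not Snort's detection engine."""
import re

# Constructed rule set in Snort's header/option syntax; the sids are placeholders.
RULES = [
    'alert tcp any any -> any 445 (msg:"SMB probe"; content:"|FF|SMB"; sid:1000001;)',
    'alert tcp any any -> any 80 (msg:"CGI probe"; content:"/cgi-bin/"; nocase; sid:1000002;)',
]

# action proto src sport -> dst dport (options)
HEADER = re.compile(r"(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")

def content_bytes(spec):
    """Turn Snort content syntax into bytes: text outside |...| is literal, inside is hex."""
    out = b""
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out

def parse_rule(rule):
    """Split one rule into header fields and the options this toy understands."""
    action, proto, src, sport, dst, dport, opts = HEADER.match(rule).groups()
    # key:"value"; or key:value; or a bare flag such as nocase; (values may not contain ; or ")
    options = dict(re.findall(r'(\w+)(?::\s*"?([^;"]*)"?)?;', opts))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "msg": options["msg"],
            "content": content_bytes(options["content"]),
            "nocase": "nocase" in options, "sid": int(options["sid"])}

def matches(rule, pkt):
    """Header check (protocol, addresses, ports) first, then the payload pattern search."""
    def ok(spec, value):
        return spec == "any" or spec == str(value)
    if not (rule["proto"] == pkt["proto"] and ok(rule["src"], pkt["src"])
            and ok(rule["sport"], pkt["sport"]) and ok(rule["dst"], pkt["dst"])
            and ok(rule["dport"], pkt["dport"])):
        return False
    payload, needle = pkt["payload"], rule["content"]
    if rule["nocase"]:
        payload, needle = payload.lower(), needle.lower()
    return needle in payload

def alerts_for(pkt, rules=RULES):
    """Messages of every alert rule the packet triggers, in rule order."""
    parsed = map(parse_rule, rules)
    return [r["msg"] for r in parsed if r["action"] == "alert" and matches(r, pkt)]
```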
Should I use Snort for my business?
One of the questions that a business owner should be thinking about right now concerns the uniqueness of Snort: what would drive him or her to use Snort over all other NIDS or NIPS products? In the few lines remaining in this article, I will propose three main reasons from my own point of view:
- Rapid response: Snort can protect the system from new threats and malware through its real-time protection techniques. One of the best points about Snort is the Cisco Talos Security Intelligence and Research Group (Talos), which is able to spot brand-new threats and update Snort with them every hour.
- Greater accuracy: since Snort is an open source project, there is continual work on improving it and changing some of its features for the better. Several security teams improve the program through the Snort community, which is spread worldwide.
- High adaptability: being able to add more functions to Snort by accessing its own source code gives Snort a great advantage over its counterparts. In this way, Snort can be made to work alongside any network security solution.
Finally, take a look at my next post on Netcat and let me know your thoughts.