Snort Author's note with contact information and more details on collegiate affiliation, etc.

This report is my own work. Any assistance I received in its preparation is acknowledged within, in accordance with academic practice. For any material, from whatever source, quoted or not, I have cited sources fully and completely and provided footnotes and bibliographical entries. The report was prepared by me for this class, has not been submitted in whole or significant part to any other class at UMUC or elsewhere, and is not to be used for any other purpose except that I may submit this material to a professional publication, journal, or professional conference. In adding my name to the following word "Signature," I intend that this certification will have the same authority and authenticity as a document executed with my hand-written signature.

Abstract

Snort was created by Martin Roesch in 1998. Sourcefire, Inc. is the company that provides Snort. Roesch is the founder and Chief Technical Officer of Sourcefire, Inc. Snort is free of charge. In 2009, InfoWorld entered Snort into its Open Source Hall of Fame as one of the greatest pieces of open source software of all time. Granted, the Internet has not existed as long as ancient ruins, yet still the accolade comes with a certain sense of gravity. The paper describes the primary traits and uses for Snort. The paper attempts to expose Snort's strengths and weaknesses as well as imagine the implementation in a relevant, yet hypothetical professional situation.

Comprehending and Using Snort

Snort is an open source network intrusion prevention system (NIPS). It is also an intrusion detection system (NIDS). There are two kinds of intrusion detection systems: signature-based intrusion detection systems and anomaly-based intrusion detection system. Snort is an example of a signature-based intrusion detection system. Ryan Trost provides a clear explanation as he writes:

"A signature-based IDS works by scanning through packets, looking for a particular set of well defined characteristics that, when seen together, typically constitute an attack in progress. As a result of this architecture, a signature-based IDS is only as good as its signatures; it cannot possibly detect attacks for which it has no signatures. A poorly written signature can either cause an enormous number of false positives or allow legitimate attacks to go undetected (commonly referred to as 'false negative')." (Trost, 2010,-Page 60)

Anomaly-based IDS requires a baseline of normal activity in order to discern what is normal activity and what is abnormal activity, thus necessitating an alert. Anomaly-based IDS searches for activity outside the prescribed parameters; or in other words, it searches for anomalies or anomalous activity before sending an alert. Signature-based IDS such as Snort constantly scan for dubious activity and then when noticed in conjunction with simultaneous suspicious network activity, detects a threat, alerts the system, and tries to eliminate the threat.

There are three primary uses for Snort. Snort can be used as a packet sniffer, a packet logger, or exclusively as a NIPS. When configured for sniffer mode, Snort reads network packets to display on the console. When configured for packet logger mode, Snort simply logs packets to the disk. When Snort is configured for intrusion detection mode, it monitors network traffic and analyzes the traffic against a specific ruleset defined by the individual user. Snort then performs a previously determined action as set in the parameters provided by the user. Users may configure Snort with the use of command lines as Roesch explains:

"Snort is configured using command line switches and optional Berkeley Packet Filter [BPF93] commands. The detection engine is programmed using a simple language that describes per packet tests and actions. Ease of use simplifies and expedites the development of new exploit detection rules…Snort's architecture is focused on performance, simplicity, and flexibility. There are three primary subsystems that make up Snort: the packet decoder, the detection engine, and the logging and alerting subsystem." (Roesch, 1998)

Snort is capable of several functions and configurations. Snort performs protocol analyses, content searching & matching, and Snort detects attacks and probes such as CGI attacks, OS fingerprinting attempts, and buffer overflows. Snort also proves useful for network traffic debugging. Snort is further capable of real-time traffic analysis on Internet Protocol (IP) networks. Snort has the potential to be of service in many different industries as well as to private citizens. Cox and Gerg succinctly describe the brief history of Snort as they write:

"Snort is perhaps the best known open source intrusion detection system available. Snort is designed...

Many third-party applications have been engineered around its use. Snort is actively maintained, and it is possibly the best open source IDS available for download. Snort was first developed in November 1998. It was originally intended to function as a packet sniffer. Since then it has grown to become much more. Each week Snort is downloaded by thousands of users and developers. It is currently used in most IDS situations, from small office and home networks to corporate and IT offices worldwide. It has been ported to a variety of platforms, so finding a release for your particular operating system should be no problem." (Cox & Gerg, 2005,-Page 55)
This software appeals to many kinds of users because it is open source in nature and for the practical security services it provides.

Cox & Gerg concisely describe the advantages to Snort and some of the top reasons why it is popular among users:

"Snort is a versatile solution for both packet sniffing and intrusion detection. Snort: Is descriptive and verbose; Is more versatile than tcpdump in output and readability; Determines each entry's value; Identifies individual fields and computes corresponding fields; Can be customized to print out all varying fields in the headers; Has rules that are relatively easy to configure and understand; Can report on separate wireless networks using specialized patches; Generates alerts (it's a network intrusion detection system)." (Cox & Gerg, 2004,-Page 59)

This software is more agile than a tcpdump. Technology users of the 21st century love the ability to customize their hardware and software. Though Snort is capable of complex computations, rules, and field values, it is highly customizable, has rules that do not require advanced knowledge or skill, and actually warns users of network intrusions. Cox and Gerg aptly describe Snort as versatile. The software is easy to use, modifiable/customizable, and effective.

There are several steps to installing Snort on Mac OS X Lion (10.7). The first step is to set a firmware password. This requires Mac OS X Lion and a broadband Internet connection. The firmware password is also called an EFI password. The Mac must be booted from the recovery hard drive by pressing the option key while the computer starts. Users can follow dialog boxes instructing them on how to set the EFI password. After which point, the computer must be booted again and then a default boot media must be set. (Murauer, 2011) Then it is recommended that the inherent security features within the machine be activated and/or maximized if not already done so. Such features may include the firewall, limiting sharing capacity, scheduling updates, and other general privacy settings. (Murauer, 2011) Then the user must access the Terminal program in the Mac. This is where Snort is accessed and where users provide information in the command lines. Users should also have some form of (free where possible) decryption and verification software in conjunction with Snort. After writing commands, users should test them and then manage them using Terminal.

Let us consider the use of Snort in the environment of a commercial or corporate media production company. The company theoretically has an assortment of networks. There are networks among the entire staff. There are ones among specific departments that have frequent and/or intense contact such as accounting and production management or art direction and production design. There are networks with limited access such as those connected among the parties who document, govern, and accrue the finances; those networks would not be public. There would networks for communication between public relations, client relations, middle and upper management, marketing, and clients or consumers. Communication among all departments within the company and the consuming public would be unnecessary and potentially dangerous to the company. There would also have to be robust networks through which the creative departments shared larger media files with ease in a timely manner. Thus, there would be a great deal of traffic of various sorts flowing during the course of a workday at this production company.

Most production companies of the 21st century are completely digital, especially in regards to their workflow, data management, and postproduction. Therefore, Snort would prove useful in such an environment. The IT department in this production company would be very busy and because media production is a high demand profession, that department truly needs to anticipate the needs of the networks and the equipment. Production companies consume a lot of energy and bandwidth. They demand universal access and incredible speeds. The media and film industry demonstrates…