Snort: IDS Done Well (and Good)

Wednesday Jun 20th 2007 by Jeffrey Carr

Open source IDS Snort went from a weekend hobby to a multi-million dollar, best-of-breed industry leader.

A few years ago, when we spoke of network intrusion security systems, we spoke of IDS (Intrusion Detection System) appliances. Recently, as the emphasis has shifted from detection to prevention, IDS has become IPS (Intrusion Prevention Systems).

The compelling force behind this change is the same one that has thrust an open source software company named SourceFire to the front of the Network Intrusion Prevention System Appliances market sector: a fast-changing threat environment. In an article for Military Information Technology, Deputy Undersecretary of Defense Sue Payton writes that "if the boots-on-the-ground community is urged to 'train as you fight,' the technology community that supports warfighters must similarly be urged to code as we fight," which is her way of saying that rapidly changing threats require the agility of rapidly modifiable and accessible source code.

In other words, open source.

There are many reasons why open source software is finding a home in this country's most security-conscious departments of government. Payton is inspired by an oft-quoted truism in the open source community known as Linus' Law: "Given enough eyeballs, all bugs are shallow." This truism has been proven to the satisfaction of decision makers at DARPA, GSA, NIST, NSA as well as the Armed Forces, all of whom are implementing open source solutions for their software needs – Snort among them.

The open source part of SourceFire is known as Snort. It started out as a weekend project for a software engineer named Martin Roesch in 1998. Martin was looking to develop a "light-weight intrusion detection technology." In 2001, Roesch decided to expand on what he had accomplished with Snort and added some proprietary tools that would improve ease of operation for network administrators. The new company was named SourceFire. While Snort remained an open source, rules-based detection engine, SourceFire added proprietary modules that dramatically improved Snort's capabilities.

In 2006, Check Point Software Technologies, an Israeli enterprise security company that owns Zone Alarm, tried to acquire SourceFire for $225 million. The deal never happened due to red flags raised by FBI and Pentagon officials. Check Point voluntarily withdrew its offer to purchase SourceFire. Seven months later, SourceFire announced that it had filed papers with the SEC to become a publicly traded company. This news has generated a lot of excitement in the security software community for two reasons: one, because it's the first security IPO to come along in a very long time, and two, because it would validate the open source model as a commercially viable one. The latest news on the SourceFire IPO is that it will offer 5.77 million shares of stock at an estimated $12 – $14 per share.

Gartner's Magic Quadrant for Network Intrusion Prevention System Appliances (2006) lists SourceFire as one of 5 leaders in this market sector; 3Com's TippingPoint, IBM, McAfee, and Juniper Networks make up the other 4.

Gartner defines Intrusion Prevention appliances as "in-line devices that perform full-stream assembly of network traffic, and they provide detection using several methods including signatures, protocol anomaly detection, and behavioral or heuristics." In other words, where simple attack signature detection used to be the norm, an IPS must be able to block attacks that match vulnerability-based signatures, recognize a variety of anomalies as attacks, and let everything else through.

Snort: Pure Open Source

Snort is, by far, the gold standard among open source NIDS systems, with over 100,000 users and 3 million downloads to date. Snort signatures are kept up-to-date by its dedicated users and the Snort website has ample documentation including tutorials. It is not, however, easy to use and requires an experienced security IT professional to configure it properly. The fact that it's free makes it the darling of small and medium-sized businesses that cannot afford the fancy GUIs and wizards of commercial network security products.

In 2004, InfoWorld published a review of 4 network intrusion detection systems (ISS, Lancope, Snort, and StillSecure), and found that although they were all equally effective in recognizing attacks on a network, there were differences "ranging from ease of setup and management to depth of packet analysis and reporting, but especially the fundamental approach taken in detecting threats." Snort 2.10 with ACID scored high in configurability, but low for its dependence on signatures. The reviewers acknowledged that all signature-dependent systems suffered from the same problem: how do you defend against an attack whose signature you don't yet know? Overall, Snort scored a "Very Good" rating of 7.3, which put it in last place among the 4 contenders; however, it was the only open source candidate in the group.

In October 2006, UnixReview.com published a review of Snort 2.6. The author liked the upgrade from ACID to BASE (Basic Analysis and Security Engine), which is Snort's latest user interface, although she acknowledged that it was still a challenge to manage the output of data in a way that was easily readable.

SourceFire: The Open Source/Proprietary Hybrid

SourceFire's proprietary advances have not only addressed the challenges that reviewers have mentioned about Snort, but have propelled SourceFire into a leadership role in IPS appliances.

The SourceFire 3D product (Discover, Determine, Defend) has 3 layers: SourceFire Intrusion Sensors and Agents, SourceFire RNA Sensors, and the SourceFire Defense Center. According to the company's website, "(b)y closely integrating and correlating the threat information provided by Sourcefire Intrusion Sensors and Agents with the network intelligence provided by Sourcefire RNA Sensors, the Sourcefire Defense Center prioritizes the millions of security events to determine the most critical events to an organization's business, and takes the appropriate actions."

Victor Garza and Charles Herring evaluated SourceFire 3D for InfoWorld and were impressed by the product. They found the RNA sensor interface "remarkably intuitive," along with the Defense Center, which allows users to "start at a 10,000-foot view of the network and drill down to the granular aspects of security events." The reviewers at SC magazine were equally happy with the RNA sensor, particularly its ability to "match what it knows about network resources with its vulnerability signature database." If SourceFire were defending against a storm of Slammer traffic, according to the SC review, the RNA sensor would know that, for example, its Microsoft SQL servers weren't vulnerable, and mark the attack as a low priority. Other IDS vendors would be "lit up like a Christmas tree."
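The asset-aware prioritization the SC review describes can be sketched as follows. This is an added example, not Sourcefire's or Snort's code: the alert lines (laid out like Snort's fast alert output), the local SID, the inventory and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed alert lines in the layout of Snort's "fast" alert output.
ALERTS = """\
06/20-10:15:01.000001 [**] [1:1000001:1] SQL worm propagation attempt [**] [Priority: 2] {UDP} 192.0.2.10:4321 -> 10.0.0.5:1434
06/20-10:15:01.000002 [**] [1:1000001:1] SQL worm propagation attempt [**] [Priority: 2] {UDP} 192.0.2.10:4322 -> 10.0.0.6:1434
06/20-10:15:01.000003 [**] [1:1000001:1] SQL worm propagation attempt [**] [Priority: 2] {UDP} 192.0.2.10:4323 -> 10.0.0.7:1434
06/20-10:15:01.000004 [**] [1:1000001:1] SQL worm propagation attempt [**] [Priority: 2] {UDP} 192.0.2.10:4324 -> 10.0.0.9:1434
"""

# Hypothetical mapping: the service each signature's exploit needs to reach.
SIG_TARGET = {1000001: "mssql"}

# Hypothetical passive inventory: services seen per host, and the SIDs
# each host is still exposed to (i.e. not yet patched against).
INVENTORY = {
    "10.0.0.5": {"services": {("udp", 1434): "mssql"}, "exposed": set()},      # patched
    "10.0.0.6": {"services": {("udp", 1434): "mssql"}, "exposed": {1000001}},  # unpatched
    "10.0.0.7": {"services": {("tcp", 80): "http"}, "exposed": set()},         # no SQL server
}

LINE = re.compile(
    r"\[\*\*\] \[\d+:(?P<sid>\d+):\d+\] .*? \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} \S+ -> (?P<dst>[\d.]+):(?P<port>\d+)"
)

def parse(text):
    """Yield (sid, proto, dst_ip, dst_port) for each parsable alert line."""
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            yield int(m["sid"]), m["proto"].lower(), m["dst"], int(m["port"])

def priority(sid, proto, dst, port):
    """Re-rank one alert using what the inventory knows about its target."""
    host = INVENTORY.get(dst)
    if host is None or sid not in SIG_TARGET:
        return "medium"  # no context: impact cannot be ruled out
    if host["services"].get((proto, port)) != SIG_TARGET[sid]:
        return "low"     # the targeted service is not running there
    return "high" if sid in host["exposed"] else "low"

def triage(text):
    """Map each destination host to its context-adjusted priority."""
    return {dst: priority(sid, proto, dst, port)
            for sid, proto, dst, port in parse(text)}

def summary(text):
    """Count alerts per adjusted priority."""
    return Counter(triage(text).values())
```

Four identical signature hits collapse to a single high-priority event (the unpatched SQL host), while the patched and non-SQL hosts drop to low and the host missing from the inventory stays at medium.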

One area that was found wanting in the SC review was SourceFire's ability to analyze data for trends. Their solution was to use a different product (ArcSight ESM) to further manipulate the data. The InfoWorld reviewers commented on SourceFire's inability to protect against VoIP-based attacks; however, they acknowledged the edge given to SourceFire by its "bleeding-edge" Snort community.

Snort's influence is strongly present in the Intrusion Sensor aspect of SourceFire, as it's built atop the Snort IDS engine. This has pluses and minuses attached. On the plus side, Garza and Herring liked the ability to customize simple Snort signatures to fit the demands of their particular network. On the minus side, they needed to invest a few hours in adjusting those signatures to reduce the number of false positives they received. Gartner analysts also pointed out the need for more SourceFire-developed signatures versus its dependency on Snort signatures.

Regarding future trends in the Network Intrusion sector, Gartner projects a problem area in "malicious executables that do not look to exploit known vulnerabilities." It'll be interesting to see how SourceFire, TippingPoint, StillSecure and other vendors address this potentially complex threat in the future.

Article courtesy of eSecurityPlanet
