By: Loras R. Even
As a long time implementer and user of Microsoft products (Starting with NT version 3.0) Iíve long been frustrated with the wealth of security products available for the Unix operating system as compared those available for Microsoft. The Microsoft compatible solutions line have suffered with bug filled and expensive security solution alternatives to solutions that are relatively inexpensive and work trouble-free on the Unix platform.
As part of my practical, I have had an opportunity to work with the Microsoft NT version of the popular intrusion detection tool called Snort along with many other tools designed to work with Snort.
I will discuss the tools used, review the installation of the tools, discuss configuration considerations and provide a brief opinion regarding my opinions regarding the products capabilities.
Snortís official web site is: http://www.snort.org. This site has links to most tools youíll need to get snort up and running. A brief review of the site confirms that many of snortís tools will run on only Unix, but closer inspection still turns up some excellent tools that you will want to use as part of your snort installation.
The current version is 1.7 as of the time of this report.
The binaries needed to install Snort can be found in the downloads section. The link is: http://download.datanerds.net/binaries/snort-1.7-win32-static.zip
This is the REQUIRED promiscuous driver used to sniff the packets. Installation is easy and it can be found at: http://netgroup-serv.polito.it/winpcap/install/2.1beta/WinPcap.exe.
IDS Center (Version 1.08) is an excellent tool that provides alert notification among other niceties. Some of the more useful features I found in IDSCenter are:
After you have downloaded the files referenced above, installation is pretty straightforward. Iíd recommend the following process:
Using Snort (Observations and Tips)
I quickly discovered that snort is a very useful intrusion detection system; itís not only very small and reliable but very extensible and configurable with itís use of rule sets. I found the rule sets so easy to understand that I was able to create my own fairly quickly and easily.
After some experimenting with the default rule sets over a two week period, I can make the following recommendations regarding how you may want to configure snort to help avoid missing information while still not being overwhelmed in false positives.
Even though the Microsoft system port of snort is very useable, if you wish to build a true IDS with capabilities such as Secure Shell management, e-mail notification and others using snort, you will still need to use the Unix version.
Opinion of Snort as an IDS
There are currently over 92 IDS systems available for a variety of platforms. As an IDS, the Win32 version of snort is excellent: it is very extensible with itís rule set support which means that it can be updated quickly when new exploits are released.
When it comes to network traffic analysis the ability of snort to detect crafted packets is limited only by your ability to create (or download) a rule to detect the packet. Luckily, snort was written with a rule interpreter that is very easy to learn. Most users that have written a couple of lines of code or created a script or batch file will be writing their own detects within minutes of reviewing the examples.
I have and use an older version of Data Generals Sniffer, which allows me to capture, edit and replay Ethernet traffic. The sniffer is very handy if you want to test the ability of a system to actually detect "crafted" packets. We found that snort was able to detect any "crafted" packet we could throw at it as long as the rule is correctly defined.
I also monitored resource utilization of the snort application. My system is configured as follows:
In addition to network traffic analysis, content analysis is also desirable in an IDS. Snort is also able to perform content filtering as evidenced by the number of "anonymous ftp" alerts I received from starting my FTP server on my snort-enabled system. Further inspection of the downloaded rule sets reveals many other content inspection alerts, such as HTTP content. Some of the commercial systems we have considered implementing also perform content filtering in addition to network traffic analysis but for server thousands of dollars!
Alert reporting is another important element in an IDS. The reporting capabilities of snort are somewhat limited and can seem confusing to the average user due to itís design of creating a new directory for every host detect and the technical detail in the alerts.ids file. I did not have time to experiment with the SQL version of snort but I did download and run the tool Win32 version Snort2Html which creates a much friendlier HTML version report of the alerts in the alerts.ids file. Network administrators might find it easier to browse an HTML formatted report than the alerts.ids file itself.
Overall, Iím relatively pleased with the results Iíve been able to obtain with snort on my Windows 2000 system. As an IDS, snort fulfills many of the basic requirements. Long-term, heavy weight analysis of attacks may require a more through analysis tools such as Shadow, RealSecure or other commercial offerings.