Snort: IDS Done Well (and Good)

A few years ago, when we spoke of network intrusion security
systems, we spoke of IDS (Intrusion Detection System) appliances.
Recently, as the emphasis has shifted from detection to prevention,
IDS has become IPS (Intrusion Prevention Systems).

The compelling force behind this change is the same one that has
thrust an open source software company named SourceFire to the
front of the Network Intrusion Prevention System Appliances market
sector; that is, a fast changing threat environment. In an article
for Military Information Technology, Deputy Undersecretary of
Defense Sue Payton writes that “if the boots-on-the-ground
community is urged to ‘train as you fight,’ the
technology community that supports warfighters must similarly be
urged to code as we fight,” which is her way of saying that
rapidly changing threats requires the agility of rapidly modifiable
and accessible source code.

In other words, open source.

There are many reasons why open source software is finding a
home in this country’s most security-conscious departments of
government. Payton is inspired by an oft-quoted truism in the open
source community known as Linus’ Law: “Given enough
eyeballs, all bugs are shallow.” This truism has been proven
to the satisfaction of decision makers at DARPA, GSA, NIST, NSA as
well as the Armed Forces, all of whom are implementing open source
solutions for their software needs – Snort among them.

The open source part of SourceFire is known as Snort. It started
out as a weekend project for a software engineer named Martin
Roesch in 1998. Martin was looking to develop a “light-weight
intrusion detection technology.” In 2001, Roesch decided to
expand on what he had accomplished with Snort and added some
proprietary tools that would improve ease of operation for network
administrators. The new company was named SourceFire. While Snort
remained an open source, rules-based detection engine, SourceFire
added proprietary modules that dramatically improved Snort’s
capabilities.

In 2006, Check Point Software Technologies, an Israeli
enterprise security company that owns Zone Alarm, tried to acquire
SourceFire for $225 million dollars. The deal never happened due to
red flags raised by FBI and Pentagon officials. Check Point
voluntarily withdrew its offer to purchase SourceFire. Seven months
later, SourceFire announced that it had filed papers with the SEC
to become a publicly traded company. This news has generated a lot
of excitement in the security software community for two reasons:
one, because it’s the first security IPO to come along in a
very long time, and two – because it would validate the open
source model as a commercially viable one. The latest news on the
SourceFire IPO is that it will offer 5.77 million shares of stock
at an estimated $12 – $14 per share.

Gartner’s Magic Quadrant for Network Intrusion Prevention
System Appliances (2006) lists SourceFire as one of 5 leaders in
this market sector; 3com’s TippingPoint, IBM, McAfee, and
Juniper Networks make up the other 4.

Gartner defines Intrusion Protection appliances as
“in-line devices that perform full-stream assembly of network
traffic, and they provide detection using several methods including
signatures, protocol anomaly detection, and behavioral or
heuristics.” In other words, where simple attack signature
detection used to be the norm, an IPS system must be able to block
vulnerability-based signatures, recognize a variety of anomalies as
attacks, and let everything else through.

Snort: Pure Open Source

Snort is, by far, the gold standard among open source NIDS
systems, with over 100,000 users and 3 million downloads to date.
Snort signatures are kept up-to-date by its dedicated users and the
Snort website has ample documentation including tutorials. It is
not, however, easy to use and requires an experienced security IT
professional to configure it properly. The fact that it’s
free makes it the darling of small and medium-sized businesses that
cannot afford the fancy GUIs and wizards of commercial network
security products.

In 2004, InfoWorld published a review of 4 network intrusion
detection systems (ISS, Lancope, Snort, and StillSecure), and found
that although they were all equally effective in recognizing
attacks on a network, there were differences “ranging from
ease of setup and management to depth of packet analysis and
reporting, but especially the fundamental approach taken in
detecting threats.” Snort 2.10 with ACID scored high in
configurability, but low in its dependence on signatures. The
reviewers acknowledged that all signature-dependent systems
suffered from the same problem – how do you defend against an
attack whose signature you don’t yet know? Overall, Snort
scored a “Very Good” rating of 7.3, which put it in
last place among the 4 contenders, however it was the only open
source candidate in the group.

In October, 2006, UnixReview.com published a review of Snort
2.6. The author liked the upgrade from ACID to BASE (Basic Analysis
and Security Engine), which is Snort’s latest user interface,
although she acknowledged that was still a challenge to manage the
output of data in a way that was easily readable.

SourceFire: The Open Source/Proprietary Hybrid

SourceFire’s proprietary advances have not only addressed
the challenges that reviewers have mentioned about Snort, but have
propelled SourceFire into a leadership role in IPS appliances.

The SourceFire 3D product (Discover, Determine, Defend) has 3
layers: SourceFire Intrusion Sensors and Agents, SourceFire RNA
Sensors, and the SourceFire Defense Center. According to the
company’s website, “(b)y closely integrating and
correlating the threat information provided by Sourcefire Intrusion
Sensors and Agents with the network intelligence provided by
Sourcefire RNA Sensors, the Sourcefire Defense Center prioritizes
the millions of security events to determine the most critical
events to an organization’s business, and takes the
appropriate actions.”

Victor Garza and Charles Herring evaluated SourceFire 3D for
InfoWorld and were impressed by the product. They found the RNA
sensor interface “remarkably intuitive,” along with the
Defense Center, which allows users to “start at a 10,000-foot
view of the network and drill down to the granular aspects of
security events.” The reviewers at SC magazine were equally
happy with the RNA sensor, particularly its ability to “match
what it knows about network resources with its vulnerability
signature database.” If SourceFire were defending against a
storm of Slammer traffic, according to the SC review, the RNA
sensor would know that, for example, its Microsoft SQL servers
weren’t vulnerable, and mark the attack as a low priority.
Other IDS vendors would be “lit up like a Christmas
tree.”

One area that was found wanting in the SC review was
SourceFire’s ability to analyze data for trends. Their
solution was to use a different product (ArcSight ESM) to further
manipulate the data. The InfoWorld reviewers commented on
SourceFire’s inability to protect against VOIP-based attacks,
however they acknowledged the edge given to SourceFire by its
“bleeding-edge” Snort community.

Snort’s influence is strongly present in the Intrusion
Sensor aspect of SourceFire, as it’s built atop the Snort IDS
engine. This has pluses and minuses attached. On the plus side,
Garza and Herring liked the ability to customize simple Snort
signatures to fit the demands of their particular network. On the
minus side, they needed to invest a few hours in adjusting those
signatures to reduce the number of false positives they received.
Gartner analysts also pointed out the need for more SourceFire
developed signatures versus its dependency on Snort signatures.

Regarding future trends in the Network Intrusion sector, Gartner
projects a problem area in “malicious executables that do not
look to exploit known vulnerabilities.” It’ll be
interesting to see how SourceFire, TippingPoint, StillSecure and
other vendors address this potentially complex threat in the
future.

Article courtesy of eSecurityPlanet

Latest Articles

Follow Us On Social Media

Explore More