Introduction
SNORT is a system that can be used to prevent unauthorized network access, whether from inside or outside the network. SNORT is built on an open-source platform. It combines anomaly inspection with signature-based detection. SNORT remains the most popular IDS because of its robust capabilities coupled with the open-source platform. When SNORT is used to manage internal access, it is said to be working as a firewall.
SNORT can work in a variety of modes, including packet logger, sniffer, inline, and Network Intrusion Detection System (NIDS) modes (Orebaugh et al., 2009). The NIDS mode is the most widely used mode of SNORT. Rules are written as regular-expression-style patterns. SNORT analyzes each packet against the rule set, and when a packet matches, the predefined rule fires.
Rule Created
To illustrate how SNORT works, I will set rules to monitor access from an external website. I selected the RedTube server, since it is likely that this server has been making unsolicited access to the network. The command I ran was:
# snort -dvCq src host daffy and dst port 138 and dst net 209.222.138.10 mask 255.255.255.
This filter watches for traffic from the RedTube server (whose IP is given) entering the network and captures it. The next step is to set a rule that fires when access matching the filter above is detected. For the source address I used the variable $EXTERNAL_NET; the variable and the source port are both set to any. The RedTube IP address is the destination address, with port 138 as specified in the filter above. The protocol is UDP, since this traffic is broadcast. The resulting rule is:
alert udp $EXTERNAL_NET any -> 209.222.138.10 138 (msg:"Redtube access detected!"; content:"SMB"; content:"MAILSLOT";)
I saved the file as /etc/snort/rules/my.rules. It then has to be pulled into the SNORT configuration with the line: include $RULE_PATH/my.rules
Later in the day, when I was checking the logs, I found the following entry:
[**] [1:0:0] Redtube access detected! [**]
01/06-02:21:23.465726 209.222.138.10:138 -> 209.222.138.10:138
UDP TTL:64 TOS:0x0 ID:64503 IpLen:20 DgmLen:262
Len: 242
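The alert entry above is in SNORT's "full" alert format, which an administrator usually ends up grepping through by hand. As an added example (not part of the original report), here is a small Python parser that turns such entries into structured records and counts alerts per source address; the second alert in the sample is constructed for the demo, and the 192.0.2.25 destination is a placeholder.

```python
import re
from collections import Counter

# Constructed sample in SNORT "full" alert format, modelled on the entry
# quoted in the report above. The second block is made up for the demo.
SAMPLE_ALERTS = """\
[**] [1:0:0] Redtube access detected! [**]
01/06-02:21:23.465726 209.222.138.10:138 -> 209.222.138.10:138
UDP TTL:64 TOS:0x0 ID:64503 IpLen:20 DgmLen:262
Len: 242

[**] [1:0:0] Redtube access detected! [**]
01/06-02:25:41.002113 209.222.138.10:138 -> 192.0.2.25:138
UDP TTL:64 TOS:0x0 ID:64510 IpLen:20 DgmLen:262
Len: 242
"""

# "[**] [gid:sid:rev] message [**]" -- sid/rev are 0 because the rule sets none.
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
# "MM/DD-HH:MM:SS.usec src:port -> dst:port"
FLOW_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+?):(\d+) -> (\S+?):(\d+)$")


def parse_alerts(text):
    """Split 'full' alert output into one dict per [**] block."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = [ln.strip() for ln in block.splitlines()]
        header = HEADER_RE.match(lines[0]) if lines else None
        if not header:
            continue  # not an alert record
        gid, sid, rev, msg = header.groups()
        for i, line in enumerate(lines[1:], start=1):
            flow = FLOW_RE.match(line)
            if flow:
                break
        else:
            continue  # header without a flow line: skip it
        ts, src, sport, dst, dport = flow.groups()
        proto = lines[i + 1].split()[0] if i + 1 < len(lines) else None
        alerts.append({"gid": int(gid), "sid": int(sid), "rev": int(rev),
                       "msg": msg, "timestamp": ts, "src": src,
                       "sport": int(sport), "dst": dst, "dport": int(dport),
                       "proto": proto})
    return alerts


def count_by_source(alerts):
    """Alerts raised per source IP: the section of the log an admin wants."""
    return Counter(a["src"] for a in alerts)
```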
Analysis and Conclusion
As can be seen, the rule set helped identify the external host's access to the network, with relevant details such as the date and time of the access. This is instrumental in managing the network, since the network administrator can monitor the traffic. Filters can also be applied to lock out any undesirable access to the network.
SNORT can write its logs to a database. This has many advantages for the organization. It makes scaling possible: as the organization's network grows, the logs keep increasing, and keeping them in a database makes them easier to manage. As seen in the example above, the administrator will often be searching for one section of the logs. Storing the logs in a database also makes them raw material for statistical analysis through charts and other methods (Roesch, 1999).
On top of all these advantages, SNORT is desirable because it carries no huge cost implications. SNORT is built on an open-source platform, which means later releases that fix bugs or add functionality will either cost very little or be provided at no cost. SNORT is therefore a good option to consider, not only because of its robust capabilities in network and traffic management but also because of the affordability of the system.
References
Orebaugh, A. et al. (2009). Snort Cookbook. New York: O'Reilly.
Roesch, M. (1999). Snort: Lightweight intrusion detection for networks. Paper presented at the Systems Administration Conference. Web.