BRKSEC-2137 – Snort Implementation in Cisco Products
Presenter: Eric Kostlan, Technical Marketing Engineer, Cisco Security Technologies Group
“Above all, Snort is a community.” – Eric
Snort stats
- over 4 million downloads
- nearly 500,000 registered users
Snort was created in 1998 (!!). Sourcefire was founded in 2001.
The Snort engine
- Packet sniffer (DAQ)
- Packet decoder
- Preprocessors
- Detection engine
- Output module
DAQ – packet acquisition library(ies?). Snort leverages this to pull packets off the wire (Snort doesn’t have its own built-in packet capture abilities). DAQ provides a layer of abstraction between the Snort engine and the hardware where the bits are flowing. DAQ – Data AcQuisition. DAQ modes: inline, passive, or read from file.
Packet decoder – looks for header anomalies, weird TCP flags, and much more. Generator id (GID) is 116 for the packet decoder. Decodes Layer 2 and Layer 3 protocols with a focus on the TCP/IP suite.
Preprocessors – apply to Layer 3, 4, and 7 protocols. “Protocol decoders”. Normalize traffic. Major preprocessors: frag3 (IP fragment reassembly), stream5 (reconstructs TCP streams), http_inspect (normalizes HTTP traffic), protocol decoders (telnet, ftp, smtp, and so on).
Detection engine – various performance settings (e.g., how long to spend on regex). Two components: rule builder and inspection component. Rule builder: assembles the rules into
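To make the pipeline above concrete, here is a toy model of the stages the talk describes (decoder, http_inspect-style preprocessor, detection engine) written as an added example; it is not Snort's code. The decoder uses the GID 116 mentioned above, while the rule, its SID, and the flag check are constructed placeholders; the point it shows is why normalization has to run before the detection engine ever sees the buffer.

```python
from dataclasses import dataclass, field
from urllib.parse import unquote_to_bytes

DECODER_GID = 116   # from the talk: packet-decoder events carry GID 116
RULES_GID = 1       # simplified: text-rule events use GID 1

@dataclass
class Packet:
    tcp_flags: str                 # e.g. "S", "SA", "SF" (constructed input)
    payload: bytes
    normalized: bytes = b""        # buffer produced by the preprocessor stage
    events: list = field(default_factory=list)   # (gid, sid, msg) tuples

@dataclass
class Rule:
    sid: int
    msg: str
    content: bytes
    nocase: bool = False

# Constructed rule set; the SID is a placeholder, not a real Snort rule.
RULES = [Rule(1000001, "traversal to /etc/passwd in URI", b"/etc/passwd", nocase=True)]

def decode(pkt):
    """Decoder stage: flag header anomalies such as odd TCP flag combinations."""
    if "S" in pkt.tcp_flags and "F" in pkt.tcp_flags:
        pkt.events.append((DECODER_GID, 1, "SYN and FIN both set"))  # placeholder SID

def http_inspect(pkt):
    """Preprocessor stage: percent-decode the request so every encoded
    variant collapses to one canonical form before any rule is evaluated."""
    pkt.normalized = unquote_to_bytes(pkt.payload)

def detect(pkt):
    """Detection stage: content match against the normalized buffer only."""
    for rule in RULES:
        hay, needle = pkt.normalized, rule.content
        if rule.nocase:
            hay, needle = hay.lower(), needle.lower()
        if needle in hay:
            pkt.events.append((RULES_GID, rule.sid, rule.msg))

def run_pipeline(tcp_flags, payload):
    """DAQ stands in as 'read from memory'; the returned list is the output stage."""
    pkt = Packet(tcp_flags, payload)
    for stage in (decode, http_inspect, detect):
        stage(pkt)
    return pkt.events

if __name__ == "__main__":
    # The raw bytes never contain "/etc/passwd"; the normalized buffer does.
    print(run_pipeline("SA", b"GET /%65tc/PASSWD HTTP/1.1"))
```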