May 27, 2004 12:00 AM

Sniff with Snort

Be pig-headed when protecting your network against malicious attacks
Windows IT Pro
InstantDoc ID #42606

Billions of data packets traverse enterprise networks every day. Some of them are malicious: carefully crafted to slip past firewalls and perimeter defenses and wreak havoc on any system in sight. You might have experienced the wrath of a packet-based attack such as Code Red, Nimda, SQL Slammer, or MSBlaster. All these worms ride on protocols you have to allow anyway (e.g., HTTP) or on Microsoft networking traffic to carry out their dirty work. Blocking these protocols outright isn't an option, so organizations commonly use Network Intrusion Detection Systems (NIDSs) to detect this type of traffic as quickly as possible so that they can react accordingly.

A number of NIDSs are on the market, all with varying capabilities and price tags. Generally speaking, they all work well. I've been impressed with every commercial package I've had a chance to use. But what if your budget is limited and intrusion detection just isn't high enough on the priority list for your IT department? Fortunately, the open-source world offers a capable NIDS package called Snort. Unlike many open-source packages, this package runs on Windows.

Meet Snort
Martin Roesch originally developed Snort, which he released to the open-source development community under GNU General Public License (GPL). With a history going back to at least 1998, this flexible package has a long, proven track record. With contributions from open-source community members and network administrators around the world, Snort has grown into a very capable product. The current version of Snort can perform real-time traffic analysis and logging of IP traffic at Fast Ethernet and Gigabit Ethernet speeds.

Michael Davis originally brought Snort to the Windows community by porting Snort 1.7 to the Win32 platform. Since that time, Chris Reid has taken over the task of compiling the newer Snort versions into a prepackaged executable for easy implementation in the Windows world.

If you're unfamiliar with NIDSs, think of one as a special breed of network sniffer. An NIDS dutifully watches every packet that crosses its interface and compares the packet's headers and payload against a set of rules (signatures) that describe known attacks; the payload is where malicious code typically resides. By using Snort to watch your network, you can perform content searching and matching on every packet that traverses your organization and detect a myriad of attacks and hostile traffic, all in real time.

Snort Prerequisites
At a bare minimum, you need a Windows system with at least one NIC to run Snort. Preferably, you should have two NICs: a monitoring interface that sits on the segment to be watched (it runs in promiscuous mode and, ideally, has no IP address bound to it, so the sensor can't be reached from the segment it watches) and a management interface that sits on your production network and is used for reporting and administration. I said Windows system because you can run Snort not only on Windows 2000 Server or later but also on Windows XP Professional Edition, XP Home Edition, and Win2K Professional. A server license isn't required. Because I connect my XP Pro laptop to many different client networks daily, I typically run Snort as a service. Thus, it runs in the background, detecting any attacks that client networks are directing toward my system. In a way, Snort is acting as a portable sensor for me—it can act as an NIDS on any port I connect my laptop to.

If you're going to implement Snort in an organization, a low-end server can be a decent choice, depending on the size of your network. If you're dedicating the system to intrusion detection, you don't need a lot of horsepower for the box. For example, I've read stories about Snort nodes with 1GHz processors and 1GB of RAM on a FreeBSD platform effectively handling networks of 15,000 users and multiple T-3 (digital signal 3—DS3) WAN links. Because the Snort code is efficient, a lot of horsepower isn't necessary.

You need to determine where you want to place the NIDS on your network. Instinctively, your first thought might be to place it in front of your firewall. Although an NIDS at that location would see the most attacks, it would also collect the most noise: a stream of alerts about traffic the firewall drops anyway, which provide little value and bury the ones that matter. You shouldn't worry about what gets stopped in front of your firewall. Instead, you should care about what gets through your firewall. So, under most circumstances, placing Snort behind your firewall is a good start.

However, if you have users coming into your network through a VPN connection (either over the Internet or a wireless connection), you should think about placing your NIDS further behind your firewall, such as behind the VPN server or concentrator, where packets are decrypted as they exit the VPN tunnel. Otherwise, the NIDS will be blind to any attacks embedded in the VPN traffic because the payloads that Snort is analyzing are still encrypted and no content pattern can match them. The same holds true for SMTP sessions protected with TLS, encrypted .zip files in email attachments, and any other encrypted data: Snort can inspect only what it can read.

Ideally, you should place the NIDS far enough back to get behind any components that are encrypting traffic but far enough forward to capture traffic across as many segments and subnets as possible. If you're operating in a switched network environment, the sensor's interface will normally see only its own traffic and broadcasts, so you'll need the switch to copy traffic to it: configure a mirror (SPAN) port that receives copies of the packets crossing the ports or VLANs you care about, or insert a network tap on the link. Keep in mind that a mirror port drops packets once the copied traffic exceeds the port's capacity, so verify that the sensor actually sees the traffic you expect before trusting its silence. That way, the NIDS will have good visibility of your network traffic.
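As an added illustration (this is not Snort's code, nor the article's), the following Python script implements a miniature Snort-style matcher for the payload content searching described in "Meet Snort," then runs the same constructed packets past it from the three sensor positions discussed above: on the LAN in the clear, in front of the VPN concentrator where the payload is still ciphertext, and behind it where the tunnel has been stripped. The rule syntax is a small subset of Snort's, and the $HOME_NET prefix, addresses, packets, local-range sids and the SHAKE-256 keystream standing in for the VPN's cipher are all assumptions.

```python
"""Added example (not Snort's code and not from the article): a miniature
Snort-style payload matcher and a stand-in VPN tunnel, showing what content
matching does and why a sensor in front of the decryption point is blind."""
import hashlib
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Subset of the Snort 2 rule header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$")
HOME_NET = "10.0.0."  # assumed internal prefix standing in for $HOME_NET
Packet = namedtuple("Packet", "proto src sport dst dport payload")

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    sid: int = 0
    contents: list = field(default_factory=list)  # [pattern bytes, nocase flag] pairs

def content_bytes(raw: str) -> bytes:
    """Snort content string to bytes; text between pipes is hex, e.g. "|90 90|"."""
    return b"".join(bytes.fromhex(p.replace(" ", "")) if i % 2 else p.encode("latin-1")
                    for i, p in enumerate(raw.split("|")))

def parse_rule(text: str) -> Rule:
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule: " + text)
    rule = Rule(*(m.group(k) for k in ("action", "proto", "src", "sport", "dst", "dport")))
    for opt in filter(None, (o.strip() for o in m.group("opts").split(";"))):
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "msg":
            rule.msg = val
        elif key == "sid":
            rule.sid = int(val)
        elif key == "content":
            rule.contents.append([content_bytes(val), False])
        elif key == "nocase" and rule.contents:  # modifies the preceding content
            rule.contents[-1][1] = True
    return rule

def addr_ok(spec: str, addr: str) -> bool:
    if spec == "$HOME_NET":
        return addr.startswith(HOME_NET)
    if spec == "$EXTERNAL_NET":
        return not addr.startswith(HOME_NET)
    return spec in ("any", addr)

def matches(rule: Rule, pkt: Packet) -> bool:
    """Header fields first, then every content pattern must occur in the payload."""
    if rule.proto not in ("ip", pkt.proto):
        return False
    if not (addr_ok(rule.src, pkt.src) and rule.sport in ("any", str(pkt.sport))
            and addr_ok(rule.dst, pkt.dst) and rule.dport in ("any", str(pkt.dport))):
        return False
    return all((pat.lower() in pkt.payload.lower()) if nocase else (pat in pkt.payload)
               for pat, nocase in rule.contents)

def inspect_packets(rules, packets):
    """Return alert lines in the spirit of Snort's 'fast' alert format."""
    return [f"[**] [1:{r.sid}:1] {r.msg} [**] {p.src}:{p.sport} -> {p.dst}:{p.dport}"
            for p in packets for r in rules if r.action == "alert" and matches(r, p)]

def tunnel(data: bytes, key: bytes) -> bytes:
    """Stand-in for the VPN's cipher: XOR with a SHAKE-256 keystream derived from
    the key. Deterministic, so the same call both encrypts and decrypts."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

RULES = [parse_rule(r) for r in (
    # modelled on the .ida ISAPI request Code Red sent; sids are in the local range
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS .ida request"; content:".ida?"; nocase; sid:1000001;)',
    'alert tcp any any -> $HOME_NET any (msg:"NOP sled in payload"; content:"|90 90 90 90 90 90 90 90|"; sid:1000002;)',
)]

# Constructed traffic: a benign request, an .ida probe, and a shellcode-looking blob
PACKETS = [
    Packet("tcp", "198.51.100.7", 3311, "10.0.0.5", 80, b"GET /index.htm HTTP/1.0\r\n\r\n"),
    Packet("tcp", "198.51.100.7", 3312, "10.0.0.5", 80,
           b"GET /default.ida?" + b"N" * 64 + b"%u9090%u6858 HTTP/1.0\r\n\r\n"),
    Packet("tcp", "198.51.100.9", 4010, "10.0.0.12", 135, b"\x05\x00\x0b" + b"\x90" * 16 + b"\xcc"),
]

def demo(key: bytes = b"assumed-vpn-session-key") -> dict:
    """Alerts from a sensor on the LAN, in front of the VPN concentrator (payloads are
    ciphertext; IP headers kept unchanged for simplicity), and behind it (tunnel stripped)."""
    wrap = lambda pkts: [p._replace(payload=tunnel(p.payload, key)) for p in pkts]
    in_tunnel = wrap(PACKETS)
    return {"clear": inspect_packets(RULES, PACKETS),
            "in_front_of_vpn": inspect_packets(RULES, in_tunnel),
            "behind_vpn": inspect_packets(RULES, wrap(in_tunnel))}
```

Calling demo() yields two alerts for the clear and behind-VPN positions (the .ida request and the NOP sled) and none for the sensor in front of the concentrator, which is the whole argument for placing the sensor behind the point where traffic is decrypted. The matcher deliberately ignores Snort features such as depth/offset modifiers, stream reassembly and preprocessors; it is only meant to make the content-matching idea and the encryption blind spot concrete.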

Now that you know what Snort is and what you need to deploy it, you're ready to set up and test your NIDS. (For more information about Snort, check out the references in the Web-exclusive "Resources" box, http://www.winnetmag.com, InstantDoc ID 42606.) This process involves 7 steps:

  1. Install WinPcap.
  2. Install Snort.
  3. Test the Snort installation.
  4. Configure Snort.
  5. Configure the rules.
  6. Set up the alerts and logs.
  7. Run as a service.

Comments
  • STEPHEN (Aug 11, 2004)

    Snort.Org also has the self-installing executables. The URL is http://www.snort.org/dl/binaries/win32/

    I looked for it there because the CodeCraft Consultants site appeared to be down when I tried it.

  • Jim Jernigan (Jun 21, 2004)

    Thank you for the fine article. It prompted me to get off my duff and finally play with Snort.

    I've found the most integrated (i.e., easy) way of getting started is to use EagleX from EngageSecurity. They package all the goodies together: ACID, MySQL, IDSCenter, Snort, etc. It installs simply and is highly configurable.

    Once running, Snort detected something very interesting. While surfing YOUR site, I was subjected to a port scan and an attempted buffer overflow attack against Real Networks products by your banner provider, DoubleClick. I could probably prove that it was an intentional act to install spyware on my system.

    Thanks for the education (on several fronts). Please do something about your vendor's behavior.

    Jim Jernigan
    Redmond, WA
