Intrusion Detection System Based on Snort

Chapter 82

Intrusion Detection System Based on Snort

Ruinan Chi

Abstract With the rapid development of networks, network bandwidth has greatly increased. In a high-speed network environment, higher demands are placed on the intrusion detection system (IDS), and the packet capture capability of the IDS has become the bottleneck for improving system performance. At present most IDSs use libpcap to capture packets. This paper analyzes and designs a packet capture module for an IDS based on Snort, and presents its design structure and working process.

Keywords Intrusion detection · Snort · PF_RING · Packet capture

82.1 Introduction

Intrusion detection systems play an important role in protecting the security of computer systems and the Internet; they are an active means of defense. An intrusion detection system detects network conditions in real time, monitors network flow and activity, issues warnings and records the information to a database; on this basis it analyzes intrusions, raises intrusion logs, audits data, prevents similar attacks, and detects whether similar threats still exist in the network so that they can be stopped in time [1]. As a real-time intrusion detection system, an active defense system can be installed on any node in the network; choosing different placements adapts it to different network structures and forms a layered defense-in-depth system. At present, many companies install intrusion detection systems at the access points of in-house or public networks, such as mobile gateway access points and enterprise switches.

R. Chi (✉) Shenzhen Polytechnic, Xili Lake, Shenzhen, Guangdong, China e-mail: [email protected]

X. Liu and Y. Ye (eds.), Proceedings of the 9th International Symposium on Linear Drives for Industry Applications, Volume 3, Lecture Notes in Electrical Engineering 272, DOI: 10.1007/978-3-642-40633-1_82, © Springer-Verlag Berlin Heidelberg 2014


However, the rapid growth of network bandwidth has caused data traffic to increase dramatically, so that packet capture and processing in existing intrusion detection systems has become a bottleneck in the development of network security technology for high-speed networks. How to reduce the packet loss rate in a high-speed network, parse the captured packets on that basis, and improve the accuracy of alerts is the core problem of security technology at the present stage.

82.2 Summary of Snort Technology

82.2.1 Snort Architecture

Snort is a network intrusion detection system based on misuse detection, i.e., it detects known threatening behaviors. It is a packet sniffer responsible for capturing packets from the network. Snort mainly consists of four parts: the data sniffer, the preprocessor, the detection engine, and the log and alarm system [2]. A packet read from the network card is first processed by the preprocessor and then checked against the rules in the detection engine; if the packet matches a rule, it is handled according to that rule. The overall architecture is shown in Fig. 82.1.

Fig. 82.1 Snort architecture: data sniffer → preprocessor → detection engine (pattern matching) → log system / alarm system → system output

82.2.2 Snort Workflow

Before starting its main work, Snort parses the command line arguments, sets the corresponding flags, and fills and initializes the PV structure. It then initializes the plug-ins, generates the rule linked lists from the rules files, and calls the initialization routines of the preprocessor and output modules. Packets are captured by calling the libpcap functions, and each packet is processed in turn. The main process is shown in Fig. 82.2.

Snort's protocol decoding functions parse each packet layer by layer and store the results in the Packet structure, which holds the useful information extracted from the raw packet so that later stages can use it: mainly pointers to the packet header information and to the header structure of each layer, the source/destination port numbers and IP addresses, the data pointer, the data length, TCP/IP decoding information, and so on. After packet parsing is complete, Snort compares the parsed results with the loaded rules to determine whether an intrusion has occurred. When the packet's behavior matches a rule, the system responds in the way specified by the rule, and finally the output module performs logging or alerting.

Fig. 82.2 Snort workflow: system initialization → parse command line arguments → parse rules → generate rule linked list → capture packet → parse packet → match rules? → Y: response and alarm

82.3 Design of Snort-Based Intrusion Detection System

82.3.1 Data Acquisition Technology

Data acquisition technology is the basis of an intrusion detection system: in order to detect intrusions, it must first obtain the data and then analyze the captured information (protocol analysis, pattern matching, etc.). Therefore the packet capture module must be able to guarantee access to all packets on the network. The efficiency of traditional packet capture technology is not high because of the system calls and memory copies incurred while packets are passed up to the application. Moreover, as network bandwidth increases, high-volume packet capture places higher demands on the capture technology, so the existing packet capture technology no longer meets the needs of high-speed networks.

On a shared Ethernet segment, packets are effectively broadcast, so every network interface on the same LAN has access to all packets on the segment (on a switched network the IDS interface must instead be attached to a mirror/SPAN port or a tap to see the same traffic). Under normal circumstances, however, an application receives only packets whose destination IP address is local, because each packet passes through several levels of filtering: the link layer, the network layer, and the transport layer. At the link layer, if the destination address of the packet is not the network card's address (MAC), the broadcast address, or a multicast address, the packet is discarded. At the network layer, if the packet's destination IP is not an IP bound to the machine, the packet is also discarded. At the transport layer the port number is checked; if the local machine has not opened that port, the packet is discarded as well [3, 4]. In order to capture all packets on the network, the NIC is set to promiscuous mode, which bypasses the normal packet handling so that the NIC receives every packet passing through it regardless of whether the destination address is the local machine or not. The specific steps are shown in Fig. 82.3.
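The layer-by-layer decode into a Packet structure described in Sect. 82.2.2, and the three-level host filtering that promiscuous mode bypasses described above, as one added example. This is not code from the paper or from Snort: the Packet fields, the decode_packet and host_accepts functions, and the sample frame are hypothetical constructions for this illustration, written so that every header length is bounds-checked before a pointer into the frame is set.

```c
/* Added example, not code from the paper or from Snort: a minimal hierarchical
 * decoder in the style of Snort's Packet structure (Sect. 82.2.2) and the
 * three-level host filtering that promiscuous mode bypasses (Sect. 82.3.1).
 * All struct, field and function names are hypothetical; the input frame is
 * constructed for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN      14
#define ETHERTYPE_IP4 0x0800
#define IP_PROTO_TCP  6

/* Hypothetical counterpart of Snort's Packet: pointers into the raw frame for
 * each layer plus the addresses, ports and payload extracted from them. */
typedef struct {
    const uint8_t *pkt;            /* start of the raw frame */
    size_t         pktlen;
    const uint8_t *eh;             /* Ethernet header */
    const uint8_t *iph;            /* IPv4 header, NULL if not decoded */
    const uint8_t *tcph;           /* TCP header, NULL if not decoded */
    const uint8_t *data;           /* application payload */
    size_t         dsize;          /* payload length */
    uint8_t        dst_mac[6];
    uint32_t       src_ip, dst_ip; /* host byte order */
    uint16_t       sport, dport;   /* host byte order */
} Packet;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Decode Ethernet -> IPv4 -> TCP layer by layer into *p. Returns 0 on success
 * and -1 for a truncated frame or an unsupported protocol; every length field
 * is checked against the bytes actually present before a pointer is set. */
int decode_packet(const uint8_t *frame, size_t len, Packet *p) {
    memset(p, 0, sizeof(*p));
    if (len < ETH_HLEN) return -1;
    p->pkt = frame; p->pktlen = len; p->eh = frame;
    memcpy(p->dst_mac, frame, 6);
    if (rd16(frame + 12) != ETHERTYPE_IP4) return -1;     /* only IPv4 handled here */

    const uint8_t *ip = frame + ETH_HLEN;
    size_t rem = len - ETH_HLEN;
    if (rem < 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4, tot = rd16(ip + 2);
    if (ihl < 20 || tot < ihl || tot > rem) return -1;      /* bogus or truncated IP */
    p->iph = ip; p->src_ip = rd32(ip + 12); p->dst_ip = rd32(ip + 16);
    if (ip[9] != IP_PROTO_TCP) return -1;

    const uint8_t *tcp = ip + ihl;
    size_t trem = tot - ihl;
    if (trem < 20) return -1;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || doff > trem) return -1;                /* bogus data offset */
    p->tcph = tcp; p->sport = rd16(tcp); p->dport = rd16(tcp + 2);
    p->data = tcp + doff; p->dsize = trem - doff;
    return 0;
}

/* The normal (non-promiscuous) host's discard decision from Sect. 82.3.1:
 * link layer (own MAC, or a group address, which covers multicast and the
 * all-ones broadcast), network layer (bound IP), transport layer (open port).
 * In promiscuous mode the NIC hands every frame to the capture path, so all
 * three checks are bypassed. Returns 1 if the packet would be accepted. */
int host_accepts(const Packet *p, const uint8_t my_mac[6], uint32_t my_ip,
                 const uint16_t *open_ports, size_t nports, int promiscuous) {
    if (promiscuous) return 1;
    int group = (p->dst_mac[0] & 0x01) != 0;                /* I/G bit set */
    if (!group && memcmp(p->dst_mac, my_mac, 6) != 0) return 0;
    if (p->dst_ip != my_ip) return 0;
    for (size_t k = 0; k < nports; k++)
        if (open_ports[k] == p->dport) return 1;
    return 0;
}

/* Constructed sample frame: 10.0.0.5:40000 -> 10.0.0.9:80, TCP PSH/ACK,
 * payload "GET / HTTP/1.0\r\n" (checksums left zero; not validated here). */
const uint8_t SAMPLE_FRAME[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* Ethernet */
    0x45,0x00,0x00,0x38, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,            /* IPv4 */
    0x0a,0x00,0x00,0x05, 0x0a,0x00,0x00,0x09,
    0x9c,0x40,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,            /* TCP */
    0x50,0x18,0xff,0xff, 0x00,0x00,0x00,0x00,
    'G','E','T',' ','/',' ','H','T','T','P','/','1','.','0','\r','\n'        /* payload */
};
const size_t SAMPLE_LEN = sizeof(SAMPLE_FRAME);

int main(void) {
    Packet p;
    if (decode_packet(SAMPLE_FRAME, SAMPLE_LEN, &p) != 0) { puts("decode failed"); return 1; }
    printf("%u.%u.%u.%u:%u -> %u.%u.%u.%u:%u, %zu payload bytes\n",
           (unsigned)(p.src_ip >> 24), (unsigned)((p.src_ip >> 16) & 0xff),
           (unsigned)((p.src_ip >> 8) & 0xff), (unsigned)(p.src_ip & 0xff), (unsigned)p.sport,
           (unsigned)(p.dst_ip >> 24), (unsigned)((p.dst_ip >> 16) & 0xff),
           (unsigned)((p.dst_ip >> 8) & 0xff), (unsigned)(p.dst_ip & 0xff), (unsigned)p.dport,
           p.dsize);
    return 0;
}
```

The decoder rejects a frame as soon as a header length field points past the bytes that were actually captured, which is the check a capture module must make before handing pointers to a detection engine; with snaplen-truncated captures this case is common, not exotic. The same Packet, fed to host_accepts with a different MAC, IP or port list, shows exactly which of the three filtering levels would have discarded it on a non-promiscuous interface.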

82.3.2 Design of System Data Acquisition

The system uses the Snort architecture. A high-speed network environment requires a stronger packet capture system; the traditional capture system has a higher packet loss rate, which easily leads to false negatives and false positives.

Fig. 82.3 Principle of NIC packet acceptance: network packet → NIC in promiscuous mode? (Y: capture all packets, then process and store; N: parse the MAC address → matching address? Y: capture packet, N: discard packet)

So this system uses the PF_RING packet capture module instead of libpcap. After packets are captured from the NIC they first enter the PF_RING buffer; the application-layer program then calls the interface functions to access the packets in the buffer, and the packets are passed to the upper module for further processing. The overall workflow is shown in Fig. 82.4.

Fig. 82.4 The overall architecture: kernel mode (NIC → PF_RING interface → PF_RING buffer) and user mode (Snort packet processing)

Snort uses libpcap as the basis of its packet capture module and captures packets from the NIC by calling the library functions. Its workflow is as follows. First, if the command line does not specify the NIC device or file interface to use, Snort calls pcap_lookupdev to obtain the name of the corresponding network device (pcap_lookupdev has since been deprecated in favor of pcap_findalldevs), then obtains the interface descriptor by calling pcap_open_live, and calls pcap_lookupnet to get the interface's IP network and subnet mask. It calls pcap_compile to compile the filter rule string, and finally calls pcap_setfilter and pcap_freecode to install the packet filter and release the compiled BPF program structure. At this point Snort has finished opening the libpcap interface; it then calls pcap_loop to capture packets in a loop, invoking the ProcessPacket callback for each packet. The specific process is shown in Fig. 82.5.

Fig. 82.5 Snort packet capture flow: system initialization → choose device → obtain descriptor → obtain IP → set packet filter → call pcap_loop to capture packets → parse packet

PF_RING loading is implemented by the ring_init() function, which mainly initializes the data list (INIT_LIST_HEAD), creates the proc entry, and registers PF_RING with the kernel; unloading is done by ring_exit(). The kernel-side packet capture consists of three parts: protocol family registration, buffer allocation, and packet writing and reading [5, 6]. The PF_RING protocol family is registered by calling sock_register(&ring_family_ops), where the socket creation function defined in ring_family_ops is ring_create. In the Linux kernel, protocol families are stored in an array of length 32, and at present four custom protocol families can be added; PF_RING adds a new protocol family to this array, named PF_RING. When the user application creates a socket, PF_RING actually allocates the corresponding space for a ring buffer: 4096 FlowSlot structures constitute one ring buffer, and each FlowSlot contains status information and the number of bytes of one buffer block. Each socket corresponds to one ring buffer. Within a ring buffer, a FlowSlotInfo structure saves the basic information for the whole buffer, such as the read and write pointers, the number of FlowSlots, the size of the ring buffer, and the numbers of packets read and written. A synchronization mechanism ensures the correctness of the buffer contents during packet read and write operations. When a packet arrives, the device is looked up in the device ring list and the corresponding buffer is found to perform the packet write. The FlowSlotInfo and FlowSlot structures of PF_RING are shown in Fig. 82.6.

Fig. 82.6 FlowSlotInfo and FlowSlot structure

Each packet processed by the Linux kernel is held in a socket buffer structure, sk_buff, from which the upper protocol layers obtain the packet data; in the kernel an skb pointer is normally used to refer to an sk_buff. PF_RING calls the add_skb_to_ring function to insert the header portion of the packet into its ring buffer. Since by default PF_RING saves only the packet header information, while we have to process the entire packet contents, add_skb_to_ring must be modified to copy the entire sk_buff into the PF_RING circular buffer. When the application calls the interface to read a packet, PF_RING uses mmap so that the application can access the packets in the kernel buffer without a memory copy. The sk_buff and ring buffer structures are shown in Fig. 82.7 [6]. Every unit of the PF_RING ring buffer preserves one sk_buff structure. sk_buffs are organized as a doubly linked list: next and prev point to the next and previous sk_buff respectively; head and end point to the start and end of the data area; data and tail point to the beginning and end of the actual packet data.

As seen above, PF_RING places packets into the ring buffer, and the upper application then reads the packet contents from the buffer. The Snort libpcap module has therefore been changed to read packets from the PF_RING buffer. The function pfring_open is used to open the NIC and returns a pointer to a pfring structure, which holds all the information about the PF_RING buffer. pfring_recv can then be used to receive network packets: this reads a packet from PF_RING and advances the buffer's read pointer, while the data remain accessible to the application via mmap. Parsing the packet information coming from PF_RING into Snort's Packet structure completes the improvement of the packet capture module.
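The ring layout of Sect. 82.3.2 (a FlowSlotInfo-style header with read/write pointers and counters, plus 4096 FlowSlot blocks) and the header-only versus whole-packet copy discussed above, as one added user-space model. This is not PF_RING's or the paper's code: the FlowRing/FlowSlot names, the slot data size, the spinlock and the insert/recv/release functions are hypothetical simplifications written for this illustration; the kernel side is played by ring_insert and the Snort side by ring_recv. A practitioner should also know that Snort 2.9 and later take packets through the DAQ library, which ships a PF_RING module, so a direct edit of Snort's libpcap code path like the one described here is no longer needed on current versions.

```c
/* Added example, not PF_RING's or the paper's code: a user-space model of the
 * ring described in Sect. 82.3.2. Names and sizes are hypothetical; the
 * capture (kernel) side is ring_insert, the application side is
 * ring_recv/ring_release. */
#include <stdatomic.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RING_SLOTS 4096        /* slot count from the paper */
#define SLOT_DATA  256         /* bytes of packet data per slot (assumed) */

typedef struct {               /* one buffer block: status + stored length + bytes */
    uint8_t  slot_state;       /* 0 = free (consumed), 1 = filled by the capture side */
    uint16_t caplen;           /* bytes actually copied into data[] */
    uint16_t origlen;          /* length of the packet on the wire */
    uint8_t  data[SLOT_DATA];
} FlowSlot;

typedef struct {               /* FlowSlotInfo-style bookkeeping for the whole ring */
    uint32_t insert_idx;       /* write pointer (capture side) */
    uint32_t remove_idx;       /* read pointer (application side) */
    uint32_t tot_slots, slot_len;
    uint64_t tot_insert, tot_read, tot_lost;
    atomic_flag lock;          /* stands in for the kernel's synchronization */
    FlowSlot slots[RING_SLOTS];
} FlowRing;

static void ring_lock(FlowRing *r) {
    while (atomic_flag_test_and_set_explicit(&r->lock, memory_order_acquire)) { }
}
static void ring_unlock(FlowRing *r) { atomic_flag_clear_explicit(&r->lock, memory_order_release); }

/* Allocate one ring, as PF_RING does for each socket created on it. */
FlowRing *ring_create(void) {
    FlowRing *r = calloc(1, sizeof(*r));
    if (!r) return NULL;
    r->tot_slots = RING_SLOTS;
    r->slot_len  = sizeof(FlowSlot);
    atomic_flag_clear(&r->lock);
    return r;
}
void ring_destroy(FlowRing *r) { free(r); }

/* Capture side. snaplen == 0 copies the whole packet (the paper's modified
 * add_skb_to_ring); otherwise only the first snaplen bytes, the header
 * portion, are kept. A full ring drops the packet and counts it as lost rather
 * than overwriting an unread slot. Returns 0 on success, -1 on drop. */
int ring_insert(FlowRing *r, const uint8_t *pkt, size_t len, size_t snaplen) {
    int rc = -1;
    ring_lock(r);
    FlowSlot *s = &r->slots[r->insert_idx];
    if (s->slot_state == 0) {
        size_t n = (snaplen && snaplen < len) ? snaplen : len;
        if (n > SLOT_DATA) n = SLOT_DATA;             /* slot capacity bounds the copy */
        memcpy(s->data, pkt, n);
        s->caplen  = (uint16_t)n;
        s->origlen = (uint16_t)(len > UINT16_MAX ? UINT16_MAX : len);
        s->slot_state = 1;                            /* publish after the data is in place */
        r->insert_idx = (r->insert_idx + 1) % r->tot_slots;
        r->tot_insert++;
        rc = 0;
    } else {
        r->tot_lost++;
    }
    ring_unlock(r);
    return rc;
}

/* Application side (pfring_recv-like): hand back the slot at the read pointer
 * without copying it out, or NULL when the ring is empty. The caller works on
 * the slot in place and then calls ring_release, which frees the slot and
 * advances the read pointer; this is the zero-copy access mmap gives Snort. */
const FlowSlot *ring_recv(FlowRing *r) {
    ring_lock(r);
    FlowSlot *s = &r->slots[r->remove_idx];
    const FlowSlot *out = (s->slot_state == 1) ? s : NULL;
    ring_unlock(r);
    return out;
}
void ring_release(FlowRing *r) {
    ring_lock(r);
    FlowSlot *s = &r->slots[r->remove_idx];
    if (s->slot_state == 1) {
        s->slot_state = 0;
        r->remove_idx = (r->remove_idx + 1) % r->tot_slots;
        r->tot_read++;
    }
    ring_unlock(r);
}

int main(void) {
    FlowRing *r = ring_create();
    uint8_t pkt[200];
    memset(pkt, 0xab, sizeof pkt);                    /* constructed 200-byte packet */
    ring_insert(r, pkt, sizeof pkt, 0);               /* whole packet */
    ring_insert(r, pkt, sizeof pkt, 34);              /* Ethernet + IPv4 header only */
    for (const FlowSlot *s; (s = ring_recv(r)) != NULL; ring_release(r))
        printf("slot: caplen=%u origlen=%u\n", s->caplen, s->origlen);
    printf("inserted=%llu read=%llu lost=%llu\n", (unsigned long long)r->tot_insert,
           (unsigned long long)r->tot_read, (unsigned long long)r->tot_lost);
    ring_destroy(r);
    return 0;
}
```

Two behaviours matter for an IDS built on this layout. First, the slot state is set only after the copy, so a reader never sees a half-written packet even though there is no copy on the read side. Second, when the application falls behind and the ring is full, the model counts the packet as lost instead of silently overwriting it; that counter is the packet loss rate the paper is trying to reduce, and it is the number to monitor when tuning slot count and slot size for a given link speed.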

Fig. 82.7 sk_buff and ring buffer structure

82.4 Conclusion

This paper first analyzed the Snort architecture and working principle, focusing on the packet capture technology used in the Snort system, and then designed an improved, PF_RING-based intrusion detection system and gave test results. In a high-speed network environment, not only the packet capture capability of the IDS must be considered but also the efficiency of the upper-layer packet processing and analysis; improving the existing detection engine is a direction for further improvement of this system.

References

1. Tang Z, Li J (2004) Intrusion detection technology. Tsinghua University Press, Beijing 1(6):112–115
2. Snort IDS (2012) http://www.snort.org, p 315
3. Liu G (2007) Research and improvement of Linux intrusion detection system. Southeast University, Nanjing 3(6):146–149
4. Lin G, Wang X (2007) Update snort system by using multithreaded technology. Xi'an Univ Electron Technol 4(6):887–894
5. Wang Y (2010) The PF_RING socket-based network packet capture technology. Softw Guide 5(9):168–169
6. Luca D (2005) Improving passive packet capture: beyond device polling. http://luca.ntop.org/Ring.pdf 22(4):676–679