
Chapter 7. Creating and Managing Snort Rules

Snort is a signature-based intrusion detection system. While the preprocessors do not rely on signatures to generate alerts on potentially malicious traffic, the heart of Snort's ability to detect intrusions is the catalog of signatures held in the rules files. Being a signature-based IDS is both a strength and a weakness.

Because Snort is signature-based, it can be configured for specific threats: the latest worm, the latest IIS exploit, and so on. The rules watch for specific content in a packet's payload or for unusual settings in its headers. This lets the security administrator quickly determine the nature of a potential attack, since the rule that triggered the alert can be examined directly (as can the packet itself, with tools such as ACID or SnortCenter). A comparison is commonly made between signature-based IDS and antivirus software. Both keep a catalog of signatures that they match against a stream of data flowing past a sensor component. In antivirus software, that sensor is a software component that watches memory and filesystem access. An IDS, on the other hand, watches packets traveling the network.

To detect the latest attack methods, you need the latest signatures (although I've been surprised at how often a generic signature will draw my attention to a new kind of attack that does not have its own rule). As a result, it is important to keep the rules as up to date as is reasonable. I stick to a schedule of updating the entire rule set once every two weeks. I do create my own rules for new threats that spring up in the interim period between updates (these are stored in the local.rules file). To keep up to date on the latest rules and threats, I closely follow the snort-sigs mailing list and some of the major security web sites. CERT and SANS very often include Snort rules with their security bulletins for newly discovered threats.

Another potential issue that arises when you use a catalog of signatures as your primary detection method is that the bad guys have access to the catalog, too. They can craft their attacks so that they do not match any signature in the catalog (sometimes this is quite difficult, since a single attack may trigger several types of rules). As we discussed in Chapter 4, one strategy attackers use is to flood an IDS with packets that trigger alerts, either hiding the actual attack in the noise or simply overwhelming the IDS sensors. Snort mitigates these attacks with the stream4 preprocessor, which tracks TCP session state so that packets not belonging to an established connection can be ignored rather than matched against the rules.
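The following is an added illustration, not code from the book or from Snort itself: a toy matcher that reads rules in Snort's syntax (header plus a few options: `msg`, `content`, `nocase`, `sid`) and runs them over constructed HTTP packets. The three rules, the addresses and the request payloads are all invented for the example and use `sid` values in the 1000000+ range that local.rules rules conventionally take. It shows the two checks a rule performs (header fields, then payload content) and why a signature is fragile: a change of case evades a case-sensitive `content` match, and URL-encoding one byte evades even the `nocase` variant unless something normalizes the request before the rules see it, which is exactly the job Snort's HTTP preprocessor does and the toy here does not.

```python
# Toy Snort-style rule matcher. Added illustration only; it is NOT Snort code and
# supports just the header fields and the msg/content/nocase/sid options.
import re
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str          # "tcp", "udp", ...
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


# action proto src sport -> dst dport (options)
RULE_HEADER = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$')


def content_bytes(spec: str) -> bytes:
    """Expand a Snort content string: literal text with |41 42| hex blocks."""
    out = bytearray()
    for i, part in enumerate(spec.split('|')):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)


def parse_rule(text: str) -> dict:
    """Split a rule into header fields plus an option dict (flag options map to True)."""
    m = RULE_HEADER.match(text.strip())
    if not m:
        raise ValueError(f"not a rule: {text!r}")
    rule = m.groupdict()
    body = rule.pop('body')
    rule['opts'] = {}
    for opt in filter(None, (o.strip() for o in body.split(';'))):
        key, _, val = opt.partition(':')
        rule['opts'][key.strip()] = val.strip().strip('"') if val else True
    return rule


def field_matches(spec: str, value) -> bool:
    """'any' matches everything; otherwise compare the literal address or port."""
    return spec == 'any' or spec == str(value)


def rule_matches(rule: dict, pkt: Packet) -> bool:
    """Header test first, then payload content test, like Snort's detection engine."""
    if rule['proto'] != pkt.proto:
        return False
    if not (field_matches(rule['src'], pkt.src) and field_matches(rule['sport'], pkt.sport)
            and field_matches(rule['dst'], pkt.dst) and field_matches(rule['dport'], pkt.dport)):
        return False
    opts = rule['opts']
    if 'content' in opts:
        needle, haystack = content_bytes(opts['content']), pkt.payload
        if opts.get('nocase'):
            needle, haystack = needle.lower(), haystack.lower()
        if needle not in haystack:
            return False
    return True


def fired_sids(rules, pkt: Packet) -> list:
    """Sorted sids of every rule that fires on one packet."""
    return sorted(int(r['opts']['sid']) for r in rules if rule_matches(r, pkt))


# Constructed rules in local.rules style (sids in the local 1000000+ range).
LOCAL_RULES = [
    'alert tcp any any -> any 80 (msg:"LOCAL cmd.exe in request"; content:"cmd.exe"; sid:1000001; rev:1;)',
    'alert tcp any any -> any 80 (msg:"LOCAL cmd.exe in request nocase"; content:"cmd.exe"; nocase; sid:1000002; rev:1;)',
    'alert tcp any any -> any 80 (msg:"LOCAL x86 NOP run"; content:"|90 90 90 90|"; sid:1000003; rev:1;)',
]


def sample_packets() -> dict:
    """Constructed traffic: same request written four ways, plus one to a non-HTTP port."""
    def http(data: bytes) -> Packet:
        return Packet('tcp', '10.0.0.5', 40000, '192.0.2.10', 80, data)
    return {
        'plain':     http(b'GET /cgi/cmd.exe HTTP/1.0\r\n\r\n'),
        'upper':     http(b'GET /cgi/CMD.EXE HTTP/1.0\r\n\r\n'),      # evades the case-sensitive rule
        'encoded':   http(b'GET /cgi/cmd%2Eexe HTTP/1.0\r\n\r\n'),    # evades both content rules
        'sled':      http(b'POST /x HTTP/1.0\r\n\r\n' + b'\x90' * 4 + b'\xcc'),
        'otherport': Packet('tcp', '10.0.0.5', 40000, '192.0.2.10', 8080, b'GET /cmd.exe HTTP/1.0\r\n\r\n'),
    }


if __name__ == '__main__':
    rules = [parse_rule(r) for r in LOCAL_RULES]
    for name, pkt in sample_packets().items():
        print(f"{name:10s} -> sids {fired_sids(rules, pkt)}")
```

Run stand-alone, the script reports that the plain request fires sids 1000001 and 1000002, the upper-case request fires only 1000002, the `%2E` request and the port-8080 request fire nothing, and the NOP-run payload fires only 1000003. The encoded case is the one to remember when writing rules: in real Snort, the HTTP preprocessor decodes the URI before content matching, so the fix is to make sure the preprocessor covers the port in question rather than to add a rule for every encoding.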

All in all, given its ease of use, cost, and balance of strengths and weaknesses, Snort is usually a valuable component of a defense-in-depth strategy for network security.
