next up previous
Next: 2 Getting Started Up: The Snort FAQ Previous: The Snort FAQ


1 Background

1.1 How do you pronounce the names of some of these guys who work on Snort?

For the record, 'Roesch' is pronounced like 'fresh' without the 'f'. Additionally, 'Ruiu' is pronounced like 'screw you' without the 'sc'. Jed's last name is like 'pick-el', not 'pickle'.

1.2 Is Fyodor Yarochkin the same Fyodor who wrote nmap?

Nope. fyodor@insecure.org is the author of nmap, and he uses the same pseudonym as the other Snort Fyodor's real surname. Yeah, it messes up my mailbox too, but I think it's too late to change either of them.

1.3 Where do I get more help on Snort?

Check the website, http://www.snort.org/. Other good resources are available in the source distribution, including the Snort Users Manual and the USAGE file. There is also an excellent mailing list, snort-users. You can find info on how to sign up at http://www.snort.org/lists.html. You can also join #snort on irc.freenode.net.


1.4 Where can I get more reading and courses about IDS?

All of the following offer courses on Intrusion Detection:

There are many good books on Intrusion Detection. Here are just a few:

Title | Author(s) | Publisher | ISBN
Snort: The Complete Guide to Intrusion Detection | Jeff Nathan, Dragos Ruiu, & Jed Haile | Wiley & Sons | 0471455970
Intrusion Detection with Snort: Advanced IDS Techniques | Rafeeq Rehman | Prentice Hall | 0131407333
Snort Intrusion Detection | Ryan Russell | Syngress Media | 1931836744
Snort Intrusion Detection | Jack Koziol | New Riders | 157870281X
Network Intrusion Detection: An Analyst's Handbook | Stephen Northcutt | New Riders | 0735708681
Intrusion Signatures and Analysis | Stephen Northcutt | New Riders | 0735710635
TCP/IP Illustrated, Volume 1: The Protocols | W. Richard Stevens | Addison-Wesley | 0201633469
Intrusion Detection | Rebecca G. Bace | MacMillan Technical Publishing | 1578701856

1.5 Does Snort handle IP defragmentation?

Yes, use the frag2 preprocessor.

1.6 Does Snort perform TCP stream reassembly?

Yes, check out the stream4 preprocessor (see FAQ [*]), which does stateful session analysis, TCP reassembly and much, much more.

1.7 Does Snort perform stateful protocol analysis?

Yes. Stream4 does this as well (see FAQ [*]).

1.8 I'm on a switched network, can I still use Snort?

Short version:

Being able to sniff on a switched network depends on what type of switch is being used. If the switch can mirror traffic, then set the switch to mirror all traffic to the Snort machine's port.

Extended version:

There are several ways of deploying NIDS in switched environments which all have their pros and cons. Which method applies to your needs depends on what kind of segments you want to monitor and on your budget. Here are the most common methods:

  1. Switch mirror: If the switch can mirror traffic, then set the switch to mirror all traffic to the Snort machine's port.
  2. Hub: Insert a hub in line, so you can simply tap all traffic. Works fine for home networks, but will lose data due to collisions at loads greater than 50%, so a 10Mbps hub should be fine for T1/E1, DSL or cable modem. If you have a DS3 or greater, you should investigate taps.
  3. Network taps: Use network taps (e.g. Shomiti/Finisar [http://www.shomiti.com] and Netoptics [http://www.netoptics.com]). You can find some rather good information in the papers by Jeff Nathan. You can find the papers at http://www.snort.org/docs/#deploy.
  4. Throw money at it: Tap switch ports (using the aforementioned network taps) but only tap all incoming packets (RX lines of the switch ports), connecting those tap ports to a dedicated gigabit switch, which is capable of mirroring up to ten RX tap lines to one single dedicated gigabit port, which is connected to a gigabit IDS machine.

1.9 Is Snort vulnerable to IDS noise generators like "Stick" and "Snot"?

It is now possible to defeat these kinds of noise generators with the stream4 preprocessor (see FAQ [*]). Even without the stream4 preprocessor enabled, Snort will weather the alert storm without falling over or losing a lot of alerts, because its engine is highly optimized. Using tools that generate huge amounts of alerts will warn a good analyst that someone is trying to sneak by their defenses.
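As an added example that is not part of this FAQ, here is a snort.conf fragment enabling the preprocessors named in 1.5, 1.6, 1.7 and 1.9 (Snort 2.x syntax), followed by a constructed local rule whose flow option only matches on sessions stream4 has tracked through a handshake. The option values and the rule's sid, content and message are illustrative choices, not recommendations from the Snort project.

```conf
# Added example: snort.conf preprocessor lines (Snort 2.x syntax).
# Option values are illustrative; consult the Snort Users Manual for
# the full option list and the defaults for your release.

# 1.5: IP defragmentation. frag2 reassembles fragmented datagrams before
# rule matching, so an attack split across fragments is inspected whole.
preprocessor frag2: memcap 4194304, timeout 60

# 1.6 / 1.7: stateful TCP session tracking. detect_scans raises alerts on
# stealth scans; disable_evasion_alerts silences the alerts that fire on
# ordinary retransmissions and overlaps, which are noisy on real links.
preprocessor stream4: detect_scans, disable_evasion_alerts, timeout 30

# Reassemble client-to-server data on the default service ports and hand
# the rebuilt stream to the detection engine.
preprocessor stream4_reassemble: clientonly, ports default

# 1.9: a constructed local rule (sid in the local range). Because it
# carries flow:to_server,established, it is only evaluated against
# packets belonging to a session that stream4 saw complete the three-way
# handshake, so one-off packets from a noise generator that never
# completes a handshake do not trigger it.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL example web probe"; flow:to_server,established; content:"/cgi-bin/"; classtype:web-application-activity; sid:1000001; rev:1;)
```

The rule is a stand-in for any signature you want shielded from Stick/Snot-style traffic: the protection comes from the combination of stream4 tracking state and the rule requiring an established flow, not from the content match itself.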

1.10 Can Snort be evaded by the use of polymorphic mutators on shellcode?

Yes, and this could defeat some of the NOP sled detection signatures, but the ordinary exploit rules should not be affected by this kind of obfuscation. The fnord preprocessor attempts to detect polymorphic shellcode.

1.11 Does Snort log the full packets when it generates alerts?

Yes. The packets should be in a subdirectory of the logging directory named after the source IP address of the packet that generated the alert. If you are using binary logging, there will be a packet capture file (.pcap) in the logging directory instead.


2005-08-21