2010 International Conference on Networking and Digital Society

The Study on Network Intrusion Detection System of Snort

Zhou Zhimin, Chen Zhongwen , Zhou Ti echeng, Guan Xiaohui

Department of Computer Science Zhejiang Water Conservancy And Hydropoeer College
Hangzhou, China
{zhouzhm@zjwchc.com, chenzw@zjwchc.com, zhoutch@zjwchc.com, guanxh@zjwchc.com }

Abstract-Network security is a complex and systematic project. structured and easy to read. The latest version of Snort is
The intrusion detection system is the first line of defense 2.8.5.2. The following subject of Snort is based on the
against network security. Snort is a famous intrusion detection version 2.8.5.2.
system in the field of open source software. It is widely used in
the intrusion prevention and detection domain in the world. In III. THE IMPLEMENTATION OF SNORT
this paper, we explain how Snort implements the intrusion
Before, the setup of Snort is very complex process, which
detection, which includes building the compiling environment
involves detecting the integrity of compiling environment
and analysizing the work-flow and rule tree. This paper will
and the setup of Apache, Mysql, PHP, ADODB and ACID
provide a valuable reference for the study of Snort.
components[3]. Now, the Snort official website has provided
Keywords-Network Security;Intrusion Detection;Snort some simple installation guides for Windows xp, Solaris
10 (SPARC) and Linux. We can quickly and easily build our
intrusion detection system according to the guide of
I. INTRODUCTION
installation documents.
With the fast development of computer technology, the Taking into account the stability and security of
Internet has permeated all aspects of everyday life. The operating system, we refer the Snort_Base_Minimal.pdfI4]
followed network security has become a urgent problem to to build Snort, Apache, SSL, PHP, MySQL, BASE and
be addressed. Now various network security tools have been NTOP on Linux. The following is the installation steps:
brought up, such as firewall, antivirus, etc. But there are still 1) Setup the operating system with minimal model.
many security risks in the network[l]. The intrusion 2) Make the unnecessary services disable.
detection is the primary and important task in the network 3) Setup the compiling environment using "yum"
security system. It collects the sensitive information of
command and install the Apache, Mysql and PHP
network flow and warns for the possible attacks. The people
component.
can reinforce our network contrapuntally and purposefully
4) Download and install the Snort source code and rule.
basing on all kinds of forecast information. Thereby this will
build a secure network environment. This paper proposes the 5) Modify the profile o/Snort.
Snort's implementation and application from the practical 6) Build the Snort database with Mysql.
point of view. It includes building the compiling 7) Install the ADODB and BASE.
environment of Snort on Windows and analyzing the Snort's 8) Start all the required service.
work flow and rule tree structure. We hope it can stimulate Snort monitors the network in the bypass mode. It
the discussion about Snort--a lightweight intrusion detection catches the suspected data which attaches the Intranet. The
system with the colleagues who are interested in the network monitoring result is shown on the Basic Analysis and
security. Security Engine (BASE), which can intuitively analyze the
catched data and display it. So the network security was
II. THE SUMMARY OF SNORT improved by the reference data of Snort.
Snort is a lightweight network intrusion detection system, Figure 1 is the home of BASE. The BASE mainly shows
which is written with C language. It arised in 1998 and the statistical result by time, IP address and port. We can find
experienced a constant revise and perfection for more than a SSH login test, SQL detecting overflow, ICMP redirect host
decade. it is open source. Now it has become a world-wide and other malicious acts as soon as the Snort is setup.
network intrusion detection and prevention software. Snort Figure 2 is the detail information of warning for a target
can strongly analyzes data flow and protocol in real time. It IP.
can be downloaded from the Internet and runs on almost all
hardware platforms and operating systems. The flow work of
Snort is composed of six parts: catching data package,
analyzing code of data, preprocessing the package, parsing
the rule, detecting the engine and logging [2]. Besides the
Snort is simple, short and has good programming style. It is

978-1-4244-5161-6110/$26.00 ©201O IEEE

194

Authorized licensed use limited to: Staffordshire University. Downloaded on July 05,2024 at 10:25:31 UTC from IEEE Xplore. Restrictions apply.
 Basic Analysis and Security Engine (BASE) 1IDi.1:Signa1s: Initializing the Semaphore l
,... ,... _. ual_ t_... "_ .. IV U... ,n_. �1.J"'_'I"'... _" ...·•
_ ...... W_.o;J:<IQ;J .. � �
ISnor1:IDi.1:: Registering the pretreatment an�
LMI:"HIv'IO"",,,' u...... ''''''' !>_,--p 0_........ ...._........- k_Y_--='O'
LMln,,-,_ unl_ '..... Si_ .. U· 0-...-. • __ IR'_.(I.'··,.''lI....,.,q;� .. ••
.... 111(_�...-:. •..�"'_.. TCP U(If' 1('"
L.MIs..r..�.
UooIIo.--PotoI.
''''t .. -..
.""",_..
TO'
10>
UOf'
tiD.
.
.. ..
loutput plug-in and generating the rule tree. 1
..... '�S-t.""-I •..,,.-.. TO' UOf'
_f....-o..r....._�• ...,. ...__ !cpo UOf' ".,.. ..... 0 .. .
" ... Ntlflo.__ .. ..... �
U... ....
Mooo; �... llo ........1
,,'I)U.... -... ..
.._ .........'\ ..... No""
S_[. 0_,._

1IDi.1:Pcap: Initializing the process of catchin -a

1 package. -I
.
S..-wr....,1/1
""1 ... �11
�,....,-,

Snor1:Pos1:IDi.1:.
,-.. ......' .. oIrHn!Ic�
0000'"
Deploying the process of handlin�
.
.s..:P ..... l1M

.� . .
.0.",. ....1)
.... lI'It
• So¥t.P9<,l'.
-
-
"
package and generating the matching rule treE
o t(P(l) IJO'o'Cl"J based on the rule .
• Dt.. Po.. pw

Figure 1. The home of BASE Snor1:Process. Detecting the process of catching

package
.. . �...-. .
o .. .,,.....ItIo.J....... '_I".. ......,�...

Cl ·, f1��.'......, ,_,·..........tI... Figure 3. The working process of Snort

..!__!. llk ..ll...... ..JI.... "'l I_I � _'_••

Cl.,' '''!:?.I.�w. ,...,I....... '�t-tJ ....... _

n ... fI.�-:-
Il"'-� T .
C··'.......,�I-I.......,�.'lI(IM:eII.-I ............

... fI
--
B. The rule tree of Snort
__I ..�I...... ..,�t-I8t.L...- ___
O �-=� ....... .J � I -I SCA ,.... _.

[] .'��

c.,(I �-:-.!!._I .....,I. ...... ..II� e-18OI._ ._ . The rule tree is the important data structure in Snort. It is
o .. � ....Jt...-j�JjkalQl...... "IJ\'tuII
......IICI.. .... ...,...

. I helpful to grasp the rule matching of Snort. Figure 4 shows

... --
Ll"" .... 't_l1 __ {IuooI I........ll-.MJ I_ISQI. ,.,... '_

0--::
........... -

.
=.!-t-::!.!,W.I ....- .........,IJIoa4*-l8OL_-
O . I. Q foo'I l r -l ..... j
' __ on_
..,j ..... ·.'I--""\I1--11IO._._· the structure of rule tree.
o _Irq �""'IC""'o...o __ ..-__ c-.__ RuleLists
• 0..-- ........... -.....
., •• '(t�t"IOJ""""_I·_"""'�'"

c·':,f
..
...... .,...J....,T_.��..
a -':: ......-u�_I-.c)T_., ....... I�...
L:�: r�: r �I:L
l LiStNOde

e ,
1 LiStN ode

,
R iStNOde

c·� ....... _J... '.......... �,....

� leList uleList uleList
Figure 2. The detail information of suspected attack
Alel't: ListHead Dynamic: ListHead
:
ist iSI
List
c c List
IV. BUILDING THE DEBUGGING ENVIRONMENT OF SNORT d List d List
em List

You can analyze and modifY the Snort in your familiar R TN

compiling environment, for example Microsoft VC++ i ht

integrated environment. The following is the steps of Snort

in VC++:

A. Installing Cygwin O TN
I.
Cygwin is a simulation environment of Linux in
Windows. It can transplant the application software from Figure 4. The structure of rule tree
Linux to Windows. You don't have to install the Linux
virtual machine. When you setup the Cygwin, please keep From the figure 4, we can get that the node is classified
the default installation parameters. Or you will have to into several lists according to the action. Each list is divided
change the content of Snort project in VC++. into four nodes according to the protocol type. Every node
When you install the Cygwin, you should check the includes a RTN list basing on different IP and port. The
"Setup the bisoon related package" option, which is included different operations in the same RTN nodes form a OTN list.
in the Devel option. If you don't do this, there will be an The whole lists construct the rule tree. Figure 5 shows the
error: "Can't find the command file" in the compiling structure of rule tree. In this diagram, Snort firstly analyze
process. the protocol type, IP address and port when catching a
package before matching the rule. So the efficiency is very
B. Downloading the Snort source code low. In version 2, Snort add a matching data structure to
After downloading and unzipping the Snort source code, improve the matching efficiency. The revised structure of
you will compile it in VC++. Please modifY the profile of rule tree is shown in figure 6.
Snort before running the Snort. This will make the Snort
adapt the Windows. For more information, please refer the
Snort official website.

V. ANALYZING SNORT CODE

A. The working process of Snort

The SnortMain implements the initialization and
monitoring of Snort. Figure 3 is the working process.
Figure 5. The function call of rule tree

195

Authorized licensed use limited to: Staffordshire University. Downloaded on July 05,2024 at 10:25:31 UTC from IEEE Xplore. Restrictions apply.
 pnn U dpR TNX CM---- -

pnn IpRTN)( 1M--- •

pnnIctnpRTNX [3---- .
�
pnnT cpRT IpqLo I> IpfwL p Inte.'foceThl't;'od

P ORT_R fu E_MAP

nnSrcPort[] - Single sourctil port. tabllil

- Single desanation porllable
- Generic tahIti/for ruiesfron1.AlVY to AlVY
nn eneric

PORT ROD>'
- No Content
gHeadNC. pgTailNC. pgCurNC
- Uri ContBnt.
gUriHead. pgUriTait. pgUriCur
- Content
gHead. pgTail. pgCur

Rule ata

OTNX
�TN ""om

TN""Ttn
_

Figure 6. The fast matching structure of rule tree Figure 8. The function call of detecting package

The new rule tree includes four lists, and each list then is
VI. CONCLUSIONS
divided into several sub-lists according to the source port and
destination port. Each sub-list is composed of three Snort is a common intrusion detection system. This paper
RULE_NODE lists, which combing the OTNX and early proposes the process of Snort in Linux. It firstly shows how
OTN list. The matching rule is in the way of the following to debug the Snort in VC++ and then analyzes the important
figure 7. data structure and working process. The building process of
I Som:tInit, Main function I intelligent matching rule and the working process of
I fpEvalHeaderSW also been explored.
� �
!fpCreatePartGroups: fpCreateRuldaps: ACKNOWLEDGMENT
C all the sub-function four times and Add the PortGroup to prlllTcpRTIlX, This work is supported by Educational Commission of
get the PortGroup structure of TCP, prmUdpRTIlX, prmIclllpRTIlX and
Zhejiang Province of China NO (20070849)
fmP, ICM!' and IP. rlll IpRTIlX queues

• REFERENCES
fortObject2Dup
pDetectGetDebugPrintRuleGroupBuildDetails
[I] Yang Li. Research and Implementation of intrusion detection system
based on Snort[J]. Beijing: The Technology and Application of
ifpCreatePortTablePortGroups Network Security .2009.11.
ifpCreatePortObject2PortGroup
[2] JX Xu. The analysis of intrusion detection softwares. Journal of
Figure 7. The function call of fast rule tree Southwest Guizhou Teachers College for Nationalities. [J].2008.3
[3] FF Wu. The Solution of Snort intrusion detection system[M]. China
Machine Press. 2005. P86-11O
C. Detecting the package in Snort
[4] Patrick Harper. Snort and BASE Install on CentOS 4, RHEL 4 or
The function call of detecting package is showed in Fedora Core [EB/OL]
figure 8. The function of SnortProcess calls IpqLoop, http://assets.sourcefire. com/snortlsetupguides/Snort_Base_Minimal. p
df
IpfwLoop or InterfaceThread function according to different
parameters to grasp the package, pretreat, match the pattern
and output data. The rule matching of data package is done PROFILE
by fpEvalHeaderSW function. Once the rule is matched ZHOU Zhimin is an associate professor in department of
correctly, Snort will output the warning. computer science of Zhejiang Water Conservancy and
Hydropoeer College. She focuses on the research of
education.

196

Authorized licensed use limited to: Staffordshire University. Downloaded on July 05,2024 at 10:25:31 UTC from IEEE Xplore. Restrictions apply.