Solved

Snort's weaknesses

Posted on 2009-04-12
9
Medium Priority
1,081 Views
Last Modified: 2013-11-29
I'm trying to find information on what Snort's weaknesses are.  If you could provide some information, that would be greatly appreciated.

I'm trying to analyze Snort and see if it's a suitable tool.
0
9 Comments
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 360 total points
ID: 24128436
Snort is the definitive open source tool of its class, and a basis for many other open source products.

Its main weakness (particularly in snort-inline mode) is that it is usually packet based - so a pattern that should be matched, but which is split across two packets in a TCP stream, can be missed.

It is also pretty slow - which (again) if you are running in inline mode, can lead to considerable latency before packets are forwarded. There are faster scanners, but on the whole this is a common weakness in IDP systems.
0
 
LVL 4

Author Comment

by:newbieal
ID: 24130612
Is there a remedy to resolve the slowness issue?  Maybe by adding more sensors?
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 360 total points
ID: 24132012
Adding a faster machine, usually. With IDP, usually Snort acts as a gatekeeper, inspecting each packet before it is forwarded. For sniffing nodes, speed is not so much an issue unless it isn't keeping up (in which case it will usually start missing packets - not good, but not noticeable as it has no effect on traffic).
0
 
LVL 4

Author Comment

by:newbieal
ID: 24132737
What other solutions are there to minimize packet loss?  Or is this just unavoidable and indicative of all IDS tools, not just Snort?
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 360 total points
ID: 24133233
It varies, depending on the tool. Note that packet loss in a sniffing (IDS) system is not cause for interruption of service, but instead for risking missing a packet that should trigger an alarm. In an active packet filter (IDP) it is rare that the packet speed causes loss, but instead it will induce extra delay in the link due to the allow/deny decision on the packet being required before it is released (or discarded).

Snort is not the worst offender there, but it is certainly the case that there are faster (commercial) systems for IDS and IDP. Size and ordering of the ruleset is more of an issue - if the most common path through the ruleset requires you to process almost the entire ruleset, and the ruleset is long, then no solution is going to be running at line speed. If, however, many of the packets are decided upon within the first couple of rules, even a comparatively low speed machine could handle gigE traffic at line speed.

Given Snort is free, the best path is really to build a test system on available hardware, and use that to estimate the throughput the system can handle - tuning Snort config, particularly for multithread/multicore, tends to be more of an art than a science though.
0
 
LVL 4

Author Comment

by:newbieal
ID: 24154190
You stated: so a pattern that should be matched, but which is split across two packets in a tcp stream can be missed.

So if Snort is installed inline, shouldn't it analyze packets that have already been reassembled, meaning there shouldn't be an issue with split data packets?  Or am I misunderstanding?
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 360 total points
ID: 24155841
You are misunderstanding. This isn't a case of a single packet being broken (fragmented is the term of art used) but the fact that all packets in a TCP stream represent a single "conversation" which is broken up into packet-sized chunks.

It is possible (and there are tools to deliberately do this) that a single request to a webserver (say) is split so that half of the request is in one packet, and half in another - so a rule designed to match on "cmd.exe", say, will match:

GET /windows/cmd.exe http 1.1

but NOT match

GET /windows/c
md.exe http 1.1

even though the web server will "see" the two packets as one "stream" and thus a single line.
0
 
LVL 38

Accepted Solution

by:Rich Rumble
Rich Rumble earned 140 total points
ID: 24157590
There are IDS evasion techniques, such as fragmenting/splitting packets, but snort is not that susceptible to them, well anymore. Please have a look at Frag3 and the Stream preprocessor doc's:
http://www.snort.org/docs/snort_htmanuals/htmanual_261/node33.html
Again, fragmentation (evasion) is not limited to Snort, and don't forget too that Snort has a commercial offering that uses specialized hardware (Intel IXP2400) where the NICs have cache and specialized processing so that links up to 10Gps can be processed.
I use Snort at the 1Gps speed, standard Dell quad-core P4 2.33, 4gig RAM and the integrated NICs. There are some dropped packets, but not much, and I do use 90% of the processor during peak hours.
You would also be surprised how many IDS vendors repackage (and/or fork) Snort and pass it off as their own. http://www.sourcefire.com/products/snort
The main failing of the Free version of Snort is no real-time service or support. However there are quite a few mailing lists that you can sign up on and receive genuine help and answers to your questions in a reasonable amount of time. There are bugs and problems with snort, like a recent one relating to Frag3 (preprocessor) and by-passing detection by spoofing the TTL I believe, but it was quickly fixed. http://secunia.com/advisories/product/16919/?task=advisories_2008
-rich
0
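The split-request evasion Dave Howe describes above, and the stream reassembly that the Stream preprocessor Rich mentions performs, as an added example (not code from the thread or from Snort): a naive per-packet content match misses "cmd.exe" once the request is split across two TCP segments, while reordering the segments by sequence number and matching on the reassembled byte stream catches it. The `Segment` type, the sample packets and the rule pattern are all constructed here for illustration.

```python
# Added example (not from the original thread or from Snort): shows why a
# per-packet content match misses a pattern split across two TCP segments,
# and how reassembling the stream by sequence number (the job of Snort's
# Stream preprocessor) restores the match. All packets are constructed data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


PATTERN = b"cmd.exe"   # content a hypothetical rule looks for


def per_packet_match(segments, pattern=PATTERN):
    """Naive detector: inspects each segment on its own."""
    return any(pattern in s.payload for s in segments)


def reassemble(segments):
    """Order segments by sequence number, drop already-seen (overlapping)
    bytes with a first-wins policy, stop at the first gap, and return the
    contiguous stream as bytes."""
    stream = b""
    expected = None
    for s in sorted(segments, key=lambda s: s.seq):
        if expected is None:
            expected = s.seq
        if s.seq > expected:
            break                      # hole in the stream: don't guess past it
        offset = expected - s.seq      # bytes we already hold (retransmit/overlap)
        chunk = s.payload[offset:]
        stream += chunk
        expected += len(chunk)
    return stream


def stream_match(segments, pattern=PATTERN):
    """Detector that matches on the reassembled conversation."""
    return pattern in reassemble(segments)


# Constructed sample: the same HTTP request sent whole, split, and reordered.
WHOLE = [Segment(1000, b"GET /windows/cmd.exe HTTP/1.1\r\n")]
SPLIT = [Segment(1000, b"GET /windows/c"), Segment(1014, b"md.exe HTTP/1.1\r\n")]
OUT_OF_ORDER = list(reversed(SPLIT))

if __name__ == "__main__":
    for name, segs in [("whole", WHOLE), ("split", SPLIT), ("reordered", OUT_OF_ORDER)]:
        print(f"{name:9s} per-packet={per_packet_match(segs)!s:5s} reassembled={stream_match(segs)}")
```

The test below also feeds an overlapping retransmission and a segment gap through `reassemble`, which is where a real preprocessor's policy choices (first-wins versus last-wins, how long to wait at a hole) matter.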
 
LVL 4

Author Closing Comment

by:newbieal
ID: 31569404
Good information - thanks!
0
