Beijing University of Posts and Telecommunications, Undergraduate Graduation Design (Thesis)
Graduation Design of Undergraduate (Dissertation)
Title: Research of Intrusion Prevention System based on Snort
Name: Xirui Yang
School: School of Computer Science
Major: Network Engineering
Class: 2011211313
Student ID: 2011211472
Class No.: 03
Tutor: Hongying Han
June, 2015
Research of Intrusion Prevention System based on Snort
ABSTRACT
With the increasing frequency of cybersecurity incidents, the Intrusion Detection System (IDS) has become a heated topic in both academia and industry. As a dynamic security technology that combines detection, alerting, logging and handling, an IDS can detect and alert on an intrusion before it damages the system, which effectively improves system security. However, an IDS has no independent defensive capability and therefore places high demands on its operators, whereas an Intrusion Prevention System (IPS), which reuses the IDS detection engine, does.
This thesis designs and implements an intrusion prevention module based on Snort, the most representative open-source IDS. After a brief introduction to Network Intrusion Detection Systems and Network Intrusion Prevention Systems, covering their concept, structure, application scenarios and differences, the thesis studies Snort in depth, builds and deploys an environment with Barnyard2, MySQL and BASE, writes, improves and tests rules, and designs methods for turning a NIDS into a NIPS.
Two design methods are presented. In the first, multithreading is used: kernel traffic is passed through IP_QUEUE, a buffer queue in the kernel managed by the Netfilter framework, while another thread stores the source/destination IP addresses and ports of the packets Snort alerts on in a four-tuple blacklist. The filter rules of the Iptables firewall are then modified, and a semaphore is sent to IP_QUEUE to let the traffic pass to Iptables, where the alerted traffic is rejected by its firewall rules. In the second method, a Netlink socket connects kernel space and user space. Kernel traffic is again held in IP_QUEUE, and the actions generated by Snort are sent to kernel space through Netlink, where Netfilter drops the packets or rejects the traffic. Because the platform and environment made multithreading hard to implement, the second method is chosen: Snort's packet capture module, intrusion detection module and response module are modified, and tcpreplay and tcpdump are used to observe the result on two network adapters.
KEY WORDS: IDS, IPS, Snort, Netlink, libipq
Contents
Chapter 1 Introduction ... 5
1.1 Background and significance of this paper ... 5
1.2 Research status ... 7
1.3 Main content of this paper ... 7
Chapter 2 Introduction of IPS and IDS ... 9
2.1 Introduction of IDS system ... 9
2.1.1 Network Intrusion Detection System ... 9
2.2 Introduction of IPS system ... 10
2.2.1 Network Intrusion Prevention System ... 11
2.3 Differences and relations among IDS, IPS and firewall ... 11
2.4 CIDF standard ... 13
2.4.1 Architecture of CIDF system ... 13
2.4.2 Communication mechanism of CIDF ... 14
2.4.3 CIDF common intrusion specification language ... 14
2.4.4 CIDF API interface ... 14
Chapter 3 Analysis of Snort ... 15
3.1 Introduction of Snort ... 15
3.2 Characteristics of Snort ... 15
3.3 Build Snort environment ... 16
3.3.1 Snort installation ... 16
3.3.2 Barnyard2 installation ... 16
3.3.3 BASE installation ... 17
3.4 Theoretical analysis of Snort ... 18
3.4.1 Snort architecture and modules ... 18
3.4.2 Snort workflow ... 19
3.5 Snort rules parsing ... 21
Chapter 4 Design and Realization of IPS based on Snort ... 24
4.1 Introduction of Netfilter ... 24
4.1.1 Understand Netfilter ... 24
4.1.2 Structure of Netfilter ... 24
4.1.3 Netlink sockets ... 25
4.2 NIPS system top layer design ... 26
4.2.1 Use Iptables as linkage ... 26
4.2.2 Design of NIPS using Netlink sockets ... 28
4.3 NIPS Design and Implementation ... 29
4.3.1 Packet capture module ... 29
4.3.2 Intrusion detection module ... 34
4.3.3 Response module ... 36
4.3.4 Alarm output module ... 38
4.4 Test and Results ... 39
4.4.1 Rules Adding ... 39
4.4.2 ICMP PING test ... 39
4.4.3 DNS test for internet access ... 40
4.4.4 XSS intrusion access ... 41
Chapter 5 Summarization and Prediction ... 44
5.1 Summarization ... 44
5.2 Future expectation ... 44
Reference ... 46
Appreciation ... 48
Chapter 1 Introduction
1.1 Background and significance of this paper
Cybersecurity has been a focus of industry since the birth of the Internet, and security defenses have developed alongside the network attacks that keep emerging. During ordinary activities such as browsing websites, watching videos, downloading music or handling e-mail, we may suffer attacks such as malicious mobile applications, phishing e-mails and website redirection. In particular, skilled attackers with a clear purpose gather information about a target person through social engineering and then send malicious links, combined with zero-day vulnerabilities, causing incalculable damage. In 2010 the Iranian government confirmed that its Bushehr nuclear power plant had been attacked by the Stuxnet worm; in 2011 part of RSA's SecurID technology and customer data was stolen. According to Symantec's statistics, there were 10,000,000 identity disclosures in 2014, 8,000,000 in 2013 and 1,000,000 in 2012 [1].
Risk Based Security and the Open Security Foundation studied 2,164 security incidents in 2013, corresponding to 822,000,000 alarms. Business accounted for 53.4% of the incidents, government for 19.3%, medicine for 11.5% and education for 8.2%. Among countries and regions, the United States was the most attacked, suffering 66.5% of the 822,000,000 alarms; South Korea ranked second with 17.1%; Australia third with 5.2%; Sweden fourth with 3.5%; Japan fifth with 2.7%; China sixth with 1.5%; the UK seventh with 1.4%; Taiwan eighth with 0.8%; Germany ninth with 0.3%; and Canada tenth with 0.2%. The number of security incidents in recent years also shows a trend of exponential growth, as shown in Figure 1-1 [1].
Figure 1-1 Security incident statistics in the past five years [1]
Verizon, a leading telecommunications operator, published a Data Breach Investigations Report (DBIR) in 2014 analyzing the data breaches and major incidents of 2013. The DBIR collected 1,367 confirmed data breaches and 63,437 security incidents from 50 companies in 95 countries. Verizon's experts classified the mainstream incidents into the following nine kinds: 1. POS intrusion; 2. web application attacks; 3. insider misuse; 4. physical theft or loss; 5. miscellaneous errors; 6. malicious software; 7. payment card skimmers; 8. DoS attacks; 9. cyber espionage. The data are as follows [1]:
Figure 1-2 Security type statistics
As shown, cybersecurity events such as web application attacks, DoS attacks, malicious software and cyber espionage account for around 60 percent, making them the main source of security incidents. Most companies place great emphasis on network security in order to protect trade secrets and property. To protect their hosts or servers from attack, enterprises often deploy intrusion detection or prevention systems, firewalls, anti-virus software and other security products in their internal network or on individual hosts. However, in an increasingly complex network environment it is almost impossible to design an absolutely secure and reliable defense system that can resist every intrusion. Conventional security measures include access control, password authentication, firewalls, intrusion detection and intrusion prevention. Access control, password authentication and firewalls are very traditional defenses that struggle to block many new intrusions effectively. We therefore need a device that can be deployed quickly and to which rules for blocking the latest attacks can be added promptly. Intrusion detection and intrusion prevention systems have exactly these features: intrusion detection produces warnings by analyzing traffic packets and matching rules, and the defense system blocks the attack by discarding the alarmed packets. When a new vulnerability appears, a new rule file added to the intrusion detection or prevention system and put into effect is enough to intercept the new attack.
Intrusion detection technology, however, only raises alarms and does not block attacks. Although this may reduce the risk of false positives, for non-IT companies lacking skilled security staff it still leads to information leaks and other security incidents. In February 1998 Secure Networks Inc. pointed out several weaknesses of IDS: the detection of data, and the protection of the IDS itself against attack. With the rapid growth of network transfer rates, the burden on an IDS has grown greatly, which means its detection of aggressive behavior is not very reliable; while it responds to attacks against itself, its detection of other traffic is also suppressed [2]. It is therefore important for many enterprises to have an intrusion prevention system that not only detects intrusions but also intercepts them in real time.
1.2 Research status
At present, intrusion detection systems fall into two broad categories, open source and commercial. Because of the instability of their maintaining organizations (loss of core staff, major organizational changes, business acquisitions, etc.), open-source intrusion detection systems usually update slowly, have poorer stability and compatibility, are harder to use and have incomplete documentation. Commercial intrusion detection systems have great advantages in these areas and offer better service, but their cost is usually high and hard for SMEs to afford. So far there is no open-source intrusion prevention system, mainly because the detection engine is generally the same as that of an intrusion detection system, which keeps development effort down.
In the open-source area, Snort has been the industry standard intrusion detection system in recent years. It was developed by Professor Marty Roesch of Carnegie Mellon University in 1998. After Roesch founded Sourcefire, Snort was maintained by Sourcefire from 2003 to 2013; Cisco acquired Sourcefire in 2013, so Cisco engineers now maintain the Snort project.
The Suricata maintenance organization OISF (Open Information Security Foundation, funded by the Department of Homeland Security) released a new signature-based intrusion detection engine in 2009. Suricata is an open-source engine that aims to become the next-generation intrusion detection system. It has native multi-threaded operation and practical features that make better use of network bandwidth, and its state-based analysis is improved compared to Snort. A typical Snort installation can process network traffic at 100-200 megabytes per second before hitting the CPU limit or suffering packet loss, and many of today's networks have approached or exceeded this limit, so Suricata, with its many features, was certain to become popular as soon as it came out. Thanks to its open-source nature, its active community and its successful business operation, it has been able to compete with Snort. It is therefore worth evaluating its value.
1.3 Main content of this paper
This paper takes Snort, the most representative open-source IDS project, as the basis for designing and implementing an intrusion prevention module. After a brief introduction to the Network Intrusion Detection System (NIDS) and the Network Intrusion Prevention System (NIPS), including their concept, structure, application scenarios and differences, it makes a thorough study of Snort. We use Barnyard2, MySQL and BASE to deploy the infrastructure, write, optimize and test rules, and design a method to transform the NIDS into a NIPS.
Two design methods are presented. In the first, multithreading is used: kernel traffic is passed through IP_QUEUE, a buffer queue in the kernel managed by the Netfilter framework, while another thread stores the source/destination IP addresses and ports of the packets Snort alerts on in a four-tuple blacklist. The filter rules of the Iptables firewall are then modified, and a semaphore is sent to IP_QUEUE to let the traffic pass to Iptables, where the alerted traffic is rejected by its firewall rules. In the second method, a Netlink socket connects kernel space and user space. Kernel traffic is again held in IP_QUEUE, and the actions generated by Snort are sent to kernel space through Netlink, where Netfilter drops the packets or rejects the traffic. Because the platform and environment made multithreading hard to implement, the second method is chosen: Snort's packet capture module, intrusion detection module and response module are modified, and tcpreplay and tcpdump are used to observe the result on two network adapters.
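The first design above, a four-tuple blacklist consulted for every packet taken out of IP_QUEUE, as an added C example. This is illustration code written for this page, not the thesis's own implementation: the blacklist, parse_tuple(), verdict_for_packet() and the sample packet bytes are assumptions made here, and the libipq loop is kept under `#ifdef USE_LIBIPQ` (assuming the libipq API: ipq_create_handle, ipq_set_mode, ipq_read, ipq_message_type, ipq_get_packet, ipq_set_verdict) so the decision logic compiles and runs without the ip_queue kernel module.

```c
/*
 * Added example (not the thesis's code): verdicts for packets pulled from
 * IP_QUEUE, decided by a four-tuple (src IP, src port, dst IP, dst port)
 * blacklist that another thread fills from Snort alerts. All names and the
 * sample packets are assumptions made for this illustration.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#ifdef USE_LIBIPQ
#include <sys/socket.h>
#include <linux/netfilter.h>   /* NF_ACCEPT, NF_DROP */
#include <libipq.h>
#else
#define NF_DROP   0            /* same values the kernel uses */
#define NF_ACCEPT 1
#endif

#define MAX_BLACKLIST 64
struct tuple4 { uint32_t saddr, daddr; uint16_t sport, dport; };
static struct tuple4 blacklist[MAX_BLACKLIST];
static int blacklist_len = 0;

/* Record the four-tuple of a packet Snort alerted on. Returns its index or -1. */
int blacklist_add(const char *src, uint16_t sport, const char *dst, uint16_t dport)
{
    struct in_addr s, d;
    if (blacklist_len >= MAX_BLACKLIST || inet_pton(AF_INET, src, &s) != 1 ||
        inet_pton(AF_INET, dst, &d) != 1)
        return -1;
    blacklist[blacklist_len] = (struct tuple4){ ntohl(s.s_addr), ntohl(d.s_addr), sport, dport };
    return blacklist_len++;
}

/* Parse the IPv4 header plus the TCP/UDP port fields of a raw packet; 0 on success. */
int parse_tuple(const unsigned char *pkt, size_t len, struct tuple4 *t)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;          /* not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    uint8_t proto = pkt[9];
    if (ihl < 20 || len < ihl + 4) return -1;
    if (proto != 6 && proto != 17) return -1;               /* only TCP and UDP carry ports */
    memcpy(&t->saddr, pkt + 12, 4); memcpy(&t->daddr, pkt + 16, 4);
    t->saddr = ntohl(t->saddr); t->daddr = ntohl(t->daddr);
    t->sport = (uint16_t)((pkt[ihl] << 8) | pkt[ihl + 1]);
    t->dport = (uint16_t)((pkt[ihl + 2] << 8) | pkt[ihl + 3]);
    return 0;
}

/* Verdict handed back to Netfilter: NF_DROP if the four-tuple is blacklisted. */
unsigned int verdict_for_packet(const unsigned char *pkt, size_t len)
{
    struct tuple4 t;
    if (parse_tuple(pkt, len, &t) != 0) return NF_ACCEPT;  /* not TCP/UDP: other rules decide */
    for (int i = 0; i < blacklist_len; i++)
        if (blacklist[i].saddr == t.saddr && blacklist[i].daddr == t.daddr &&
            blacklist[i].sport == t.sport && blacklist[i].dport == t.dport)
            return NF_DROP;
    return NF_ACCEPT;
}

/* Constructed samples: IPv4/TCP 10.0.0.5:4444 -> 10.0.0.9:80, and the same to port 22. */
static const unsigned char sample_pkt_http[40] = {
    0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00, 10,0,0,5, 10,0,0,9,
    0x11,0x5c, 0x00,0x50, 0,0,0,0, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0 };
static const unsigned char sample_pkt_ssh[40] = {
    0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00, 10,0,0,5, 10,0,0,9,
    0x11,0x5c, 0x00,0x16, 0,0,0,0, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0 };

#ifdef USE_LIBIPQ
/* Loop of the first design: read packets queued by the QUEUE target, return verdicts. */
int run_ipq_loop(void)
{
    static unsigned char buf[65536];
    struct ipq_handle *h = ipq_create_handle(0, PF_INET);
    if (!h || ipq_set_mode(h, IPQ_COPY_PACKET, sizeof buf) < 0) return -1;
    for (;;) {
        if (ipq_read(h, buf, sizeof buf, 0) < 0) break;
        if (ipq_message_type(buf) != IPQM_PACKET) continue;
        ipq_packet_msg_t *m = ipq_get_packet(buf);
        ipq_set_verdict(h, m->packet_id, verdict_for_packet(m->payload, m->data_len), 0, NULL);
    }
    ipq_destroy_handle(h);
    return 0;
}
#endif

int main(void)
{
    blacklist_add("10.0.0.5", 4444, "10.0.0.9", 80);      /* as if Snort had alerted on it */
    printf("http verdict=%u ssh verdict=%u (0=NF_DROP, 1=NF_ACCEPT)\n",
           verdict_for_packet(sample_pkt_http, sizeof sample_pkt_http),
           verdict_for_packet(sample_pkt_ssh, sizeof sample_pkt_ssh));
    return 0;
}
```

libipq itself talks to the ip_queue module over a Netlink socket, which is the same channel the second design uses directly; here the difference is only whether Snort's own response module or the Iptables rules perform the rejection.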
Chapter 2 Introduction of IPS and IDS
2.1 Introduction of IDS system
An Intrusion Detection System (IDS) is a piece of software or a network security device that monitors the state of network transmissions in real time according to a given security policy. When it finds a suspicious transfer, it raises an alert or takes proactive response measures and then reports to a management station. Compared with other types of network security device, an IDS is a positive security technology for ensuring the availability, confidentiality and integrity of network systems: by collecting and analyzing information at key points of a computer network or system, it checks whether there are signs of attacks or violations of the security policy. The IDS concept first appeared in April 1980, when James P. Anderson wrote a technical report for the US Air Force entitled "Computer Security Threat Monitoring and Surveillance", which is recognized as the groundbreaking work of intrusion detection technology. In the mid-1980s the IDS gradually developed into the Intrusion Detection Expert System (IDES). In 1990, according to the monitored object, IDS split into the network-based Intrusion Detection System (NIDS) and the host-based Intrusion Detection System (HIDS), and later the Distributed Intrusion Detection System (DIDS) appeared [2]. Since host-based intrusion detection is extremely costly and not widely applied, this paper discusses the Network Intrusion Detection System (NIDS).
2.1.1 Network Intrusion Detection System
A Network Intrusion Detection System usually uses a NIC in promiscuous mode to monitor and analyze the data streams passing through it in real time. Deployed at a strategic point, or at a network point that can see all the devices' traffic, the packet sniffer module captures all the traffic of a given network segment and analyzes the traffic of the entire subnet, matching the traffic sent to the subnet against a library of known attacks. The decoding module then decodes the packets by protocol, and the packet analysis module applies statistical analysis, pattern matching and integrity analysis tools, using a pattern-matching algorithm to match rules and identify attacks. Once an attack is identified or malicious behavior is sensed, the response module reacts and sends an alarm message to the administrator. One example of a NIDS is to install it in the subnet behind a firewall to see whether someone is trying to break through the firewall. Ideally it scans all incoming and outgoing traffic, but this may create a bottleneck and hurt overall network speed. OPNET and NetSim are common tools for simulating network intrusion detection [4].
The number of rules in the rule base and the data processing capacity determine the detection ability of a NIDS. The processing capacity of current commercial NIDS has reached the 10 trillion level. A NIDS consumes few host resources and is indifferent to the architectures of the hosts.
All intrusion detection systems use one of two detection methods: statistical anomaly-based or signature-based.
A statistical anomaly-based IDS monitors network traffic and compares it with an established baseline that defines what is normal for the network: what level of bandwidth, which protocols, and which ports and devices connect to each other. When traffic that deviates severely from this reference is detected, an alarm is sent to the administrator. When the reference is not configured intelligently, it may raise an alarm on perfectly reasonable bandwidth usage [5].
A signature-based IDS monitors the network and compares packets with the properties of known malicious packets in a signature database, much as most anti-virus software detects malicious software. There is a delay between the appearance of a new threat and the availability of its IDS signature, during which the IDS cannot detect the new threat.
2.2 Introduction of IPS system
An Intrusion Prevention System (IPS), also known as an Intrusion Detection and Prevention System (IDPS), is a device that monitors a network and/or system for malicious activity. Its main functions are to identify malicious behavior, record information about it, attempt to block it and report it [6].
Embedded directly in the traffic path (receiving external network traffic through an uplink NIC), the IPS checks that the traffic contains nothing abnormal or suspicious and then passes it through a downlink NIC to the internal system. A packet found to be problematic, and all subsequent packets of the same session (the same source IP and port), are promptly blocked and dropped by the IPS.
Intrusion prevention systems can be divided into four types [6] [7]:
1. Network Intrusion Prevention System (NIPS): monitors the entire network for suspicious traffic by analyzing protocol activity.
2. Wireless Intrusion Prevention System (WIPS): monitors a wireless network for suspicious traffic by analyzing wireless network protocols.
3. Network Behavior Analysis (NBA): examines network traffic to identify threats that generate unusual traffic flows, such as Distributed Denial of Service (DDoS) attacks, certain forms of malware and policy violations.
4. Host Intrusion Prevention System (HIPS): an installed software package that monitors a single host for suspicious activity by analyzing events occurring within that host.
Most intrusion prevention systems use one of three detection methods: signature-based, statistical anomaly-based and stateful protocol analysis [8].
1. Signature-based detection: a signature-based IDS monitors packets in the network and compares them with pre-configured and pre-determined attack patterns known as signatures.
2. Statistical anomaly-based detection: a statistical anomaly-based IDS determines the normal network activity, such as what bandwidth is generally used, which protocols are used, and which ports and devices generally connect to each other, and alerts the administrator or user when anomalous (abnormal) traffic is detected.
3. Stateful protocol analysis detection: this method identifies deviations of protocol states by comparing observed events with "predetermined profiles of generally accepted definitions of benign activity" [9].
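The signature-based and statistical anomaly-based methods described in sections 2.1 and 2.2, side by side on constructed data, as an added C example (illustration code written for this page, not the thesis's code). signature_match() searches a payload for fixed byte patterns the way a signature engine does; anomaly_check() compares an observation with a baseline learned from "normal" samples, and the last call shows the false alarm on reasonable usage that a badly tuned reference produces. The function names, the three patterns and the per-minute byte counts are assumptions.

```c
/*
 * Added example (not the thesis's code): signature-based detection versus
 * statistical anomaly-based detection. Patterns, byte counts and names are
 * constructed for this illustration; a real deployment uses the Snort rule set.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* --- Signature-based: compare payload bytes with known attack patterns --- */
struct signature { const char *name; const char *pattern; size_t len; };
static const struct signature sigs[] = {
    { "xss-probe",     "<script>",     8 },
    { "dns-version",   "version.bind", 12 },
    { "dir-traversal", "../../",       6 },
};
#define NSIGS (sizeof sigs / sizeof sigs[0])

/* Returns the index of the first signature found in the payload, or -1. Binary-safe. */
int signature_match(const unsigned char *payload, size_t len)
{
    for (size_t s = 0; s < NSIGS; s++)
        for (size_t i = 0; sigs[s].len <= len && i + sigs[s].len <= len; i++)
            if (memcmp(payload + i, sigs[s].pattern, sigs[s].len) == 0)
                return (int)s;
    return -1;
}

/* --- Statistical anomaly-based: learn a baseline, flag large deviations --- */
struct baseline { double mean, m2; unsigned n; };   /* Welford running statistics */

void baseline_add(struct baseline *b, double x)
{
    b->n++;
    double delta = x - b->mean;
    b->mean += delta / b->n;
    b->m2 += delta * (x - b->mean);
}

double baseline_variance(const struct baseline *b)
{
    return b->n > 1 ? b->m2 / (b->n - 1) : 0.0;
}

/* Alarm when x lies more than k standard deviations from the baseline mean
 * (compared in squared form so no libm is needed). k is the sensitivity knob. */
int anomaly_check(const struct baseline *b, double x, double k)
{
    double d = x - b->mean;
    double var = baseline_variance(b);
    if (var == 0.0) return d != 0.0;
    return d * d > k * k * var;
}

/* Constructed per-minute byte counts from a "normal" period, used as the reference. */
static const double normal_minutes[] = { 1000, 1100, 950, 1050, 1000, 1020, 980, 1010 };

struct baseline learn_baseline(void)
{
    struct baseline b = { 0.0, 0.0, 0 };
    for (size_t i = 0; i < sizeof normal_minutes / sizeof normal_minutes[0]; i++)
        baseline_add(&b, normal_minutes[i]);
    return b;
}

/* Convenience: learn the baseline and classify one observation. */
int check_minute(double bytes, double k)
{
    struct baseline b = learn_baseline();
    return anomaly_check(&b, bytes, k);
}

int main(void)
{
    const unsigned char req[] = "GET /search?q=<script>alert(1)</script> HTTP/1.1";
    printf("signature index: %d\n", signature_match(req, sizeof req - 1)); /* 0 = xss-probe */
    printf("1500 B/min, k=3:   %d\n", check_minute(1500, 3.0));   /* 1: genuine spike */
    printf("1060 B/min, k=3:   %d\n", check_minute(1060, 3.0));   /* 0: within normal range */
    printf("1060 B/min, k=0.5: %d\n", check_minute(1060, 0.5));   /* 1: badly tuned reference */
    return 0;
}
```

The signature path has no notion of "new": anything not in sigs[] returns -1, which is the detection gap the text describes between a new threat and its signature. The anomaly path has the opposite problem: with k set too low, ordinary variation (1060 bytes against a mean near 1014) is reported as an attack.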
2.2.1 Network Intrusion Prevention System
Since a host-based intrusion prevention system is extremely costly, and the other types of intrusion prevention system are not widely applied, this paper mainly discusses the network-based intrusion prevention system.
By inspecting the network traffic flow, a network intrusion prevention system provides security defense for the network. Because it is connected in series, once an intrusion is identified the NIPS can block the entire network session rather than merely reset it. Because it is inline in real time, a NIPS needs very high performance to avoid becoming a network bottleneck, so it is typically designed as a network device like a switch, providing several network ports with decent throughput. On a dedicated hardware platform it can reach the gigabit level, inspecting gigabit-level traffic and applying blocking actions. Such hardware platforms generally fall into three categories: network processors (NP network chips), application-specific ASIC chips, and programmable FPGA chips. At present most security manufacturers produce 100M-level NIPS; few can produce gigabit-level NIPS, and their performance is not ideal. Technically, the NIPS absorbs all the mature IDS technologies, including protocol analysis, feature matching and anomaly detection. Feature matching is the most widely applied, with high speed and accuracy; feature-based matching can detect not only attack features but also the session state of the current network, so that it is not deceived by evasion attacks. To ensure performance, most commercial IPS devices use protocol analysis to classify packets and then match multiple rules against them in parallel [10].
2.3 Differences and relationships of IPS, IDS and firewall
In general, the intrusion prevention system is regarded as an extension of the intrusion detection system, because both monitor the network and/or system for malicious behavior. In fact, however, an IPS largely has the essential characteristics of both an IDS and a firewall. Like a firewall, it is connected in series in the network: all traffic must flow through the IPS so that nothing is missed through a bypass, and it maintains the same kind of session table containing source and destination IPs and ports. Like an IDS, it has a detection engine that performs statistical analysis and pattern matching. The detection engine is the core of the device, which is why commercial security vendors can produce both IDS and IPS products at the same time, since both use the same engine, and why the open-source world has only IDS projects so far.
An intrusion detection system differs from a firewall in that the firewall prevents intrusion from outside: it restricts access between networks to defend against intrusion, rather than alerting on attacks from the internal network. When an alarm is raised, the IDS evaluates the suspected intrusion; the IDS also observes attacks from inside the system. Systems that can terminate connections are called intrusion prevention systems, a form of application-layer firewall.
A traditional firewall inspects packets only at the network and transport layers and cannot look at application-layer content. In other words, the firewall only checks the packet header and does nothing with the body, so it examines only a small part of the packet. For example, an HTTP worm attacks a web server through TCP port 80. The firewall regards it as a normal connection request because its packet structure is normal and lets it reach the web server, whereas an IPS checks the packet byte by byte, reassembles fragments and restores the data stream for inspection, and so is able to discover the attack [11].
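The port-80 worm scenario above, as an added C example (illustration code written for this page, not the thesis's code). firewall_allows() sees only what a header-only packet filter sees, so the worm's request is allowed like any other web request. ips_inspect_segments() checks each TCP segment on its own and misses a pattern that straddles a segment boundary; ips_inspect_stream() first puts the segments back in sequence order and rebuilds the stream, which is the reassembly step the text credits the IPS with. The worm marker, the segments and all function names are assumptions.

```c
/*
 * Added example (not the thesis's code): header-only filtering versus stream
 * reassembly and content inspection. The marker string, the segments and the
 * function names are constructed for this illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Header-only rule, as a traditional packet filter applies it: "allow TCP to the web server". */
int firewall_allows(uint8_t proto, uint16_t dport)
{
    return proto == 6 && dport == 80;
}

/* Constructed worm marker an IPS content rule would look for in the HTTP stream. */
static const char worm_marker[] = "X-Worm-Probe:";

struct segment { uint32_t seq; const char *data; size_t len; };

/* Naive per-segment search: misses a pattern split across two segments. */
int ips_inspect_segments(const struct segment *segs, size_t n)
{
    size_t mlen = strlen(worm_marker);
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; mlen <= segs[i].len && j + mlen <= segs[i].len; j++)
            if (memcmp(segs[i].data + j, worm_marker, mlen) == 0)
                return 1;
    return 0;
}

static int by_seq(const void *a, const void *b)
{
    uint32_t x = ((const struct segment *)a)->seq, y = ((const struct segment *)b)->seq;
    return (x > y) - (x < y);
}

/* Reassemble the segments by sequence number into one buffer and search the stream.
 * Returns 1 if the marker is found, 0 if not, -1 if the stream has a gap or is too large. */
int ips_inspect_stream(const struct segment *segs, size_t n)
{
    struct segment sorted[16];
    char stream[1024] = { 0 };
    if (n == 0 || n > 16) return -1;
    memcpy(sorted, segs, n * sizeof *segs);
    qsort(sorted, n, sizeof *sorted, by_seq);

    size_t off = 0;
    uint32_t expect = sorted[0].seq;
    for (size_t i = 0; i < n; i++) {
        if (sorted[i].seq != expect) return -1;              /* missing segment: cannot inspect yet */
        if (off + sorted[i].len >= sizeof stream) return -1;
        memcpy(stream + off, sorted[i].data, sorted[i].len);
        off += sorted[i].len;
        expect += (uint32_t)sorted[i].len;
    }
    return strstr(stream, worm_marker) != NULL;
}

/* Constructed segments, delivered out of order, with the marker split across two of them. */
static const struct segment worm_segments[] = {
    { 1032, "Probe: 1\r\n\r\n",      12 },
    { 1000, "GET / HTTP/1.1\r\n",    16 },
    { 1016, "Host: a\r\nX-Worm-",    16 },
};

int main(void)
{
    printf("firewall allows tcp/80: %d\n", firewall_allows(6, 80));                 /* 1 */
    printf("per-segment inspection: %d\n", ips_inspect_segments(worm_segments, 3)); /* 0 */
    printf("reassembled inspection: %d\n", ips_inspect_stream(worm_segments, 3));   /* 1 */
    return 0;
}
```

The same reassembly is what makes an inline IPS sensitive to performance: it must hold segments until the stream is contiguous, which is the buffering cost behind the throughput concerns in section 2.2.1.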
The main difference between IPS and IDS is that, unlike an intrusion detection system which works in bypass mode monitoring the hosts, an intrusion prevention system can be placed inline and block intrusions in real time [9] [12]. The deployment positions are shown in Figure 2-1. Inline deployment ensures that all network traffic passes through the IPS device. Whereas intrusion detection systems tend to detect and warn, an IPS can take actions such as sending a warning, discarding malicious packets, resetting the connection and blocking traffic from the offending IP address [13]. An IPS can also correct CRC (cyclic redundancy check) errors, reassemble fragmented data streams, prevent TCP sequencing problems and remove unwanted transport and network-layer options [12] [14]. An IDS cannot provide this additional level of security and also increases the complexity of enterprise security operations. In a passive system, the IDS sensor detects potential security violations, logs the information and signals a warning at the console or to the user [13]. In a real-time system, also known as an Intrusion Prevention System (IPS), malicious network connections can be blocked by resetting them or by reprogramming the firewall.
A reasonably successful intrusion prevention system can detect or filter almost all of the network traffic passing through it, and its active blocking ability is much more powerful than that of firewalls and IDS.
[Figure 2-1 diagram not reproduced; recovered labels: first panel (IDS deployment) shows attacker, external network, firewall, switch, hosts and the IDS; second panel (IPS deployment) shows attacker, external network, firewall, switch, hosts and the IPS.]
Figure 2-1 Deployment of IDS and IPS
2.4 CIDF standard
CIDF, the Common Intrusion Detection Framework, is a project initiated by DARPA, the Defense Advanced Research Projects Agency. CIDF tries to standardize intrusion detection to some degree by developing protocols and application interfaces, so that intrusion detection research projects can share information and resources and intrusion detection components can be reused in other systems. The CIDF model defines the data to be analyzed as events. The event generator obtains events from the whole computing environment and provides them to the other parts of the system; the event analyzer analyzes the data obtained and generates analysis results; the response unit is the functional unit that responds to the analysis results and may disconnect the session or merely raise an alarm; the event database is the general term for the places where intermediate and final data are stored, which may be a database or a text file.
CIDF covers four aspects: IDS architecture, communication mechanisms, description language and the application programming interface (API) [15].
2.4.1 Architecture of CIDF system
CIDF proposes a general model based on IDES and NIDES that divides an intrusion detection system into four components:
Event Generators: the event generator obtains events from the whole computing environment but does not process them. Events are converted into Generalized Intrusion Detection Objects (GIDOs), a standard format submitted to the other components for their use;
Event Analyzers: the event analyzer analyzes the data obtained and generates analysis results;
Response Units: the response unit is the functional unit that responds to the analysis results; it may react strongly, such as by changing file attributes, or simply raise an alarm;
Event Databases: the event database is the general name for the places where intermediate and final data are stored, which may be a database or a text file.
The first three are usually presented as applications, while the event database is presented as a file or data stream. These four components are only logical entities: a component may be a process or even a thread on one computer, or multiple processes on multiple computers, exchanging data in GIDO (Generalized Intrusion Detection Object) format. Their operational relationship is shown below:
Figure 2-2 CIDF framework [16]
2.4.2 Communication mechanism of CIDF
CIDF constructs its communication mechanism as a three-layer model: the GIDO layer, the message layer and the transport negotiation layer. The GIDO layer improves interoperability between components and is responsible for the semantics of the information conveyed. The message layer ensures reliability, encryption and authentication of messages transmitted through devices such as firewalls and NAT. The transport negotiation layer specifies the mechanism for transporting GIDOs among the components.
2.4.3 CIDF common intrusion specification language
The general goal of CIDF is software reuse and interoperability between intrusion detection and response components. CIDF defines an application-layer language, the Common Intrusion Specification Language, to describe the information transferred between intrusion detection components, together with a set of protocols for encoding this information.
2.4.4 CIDF API interface
The CIDF API is for encoding, decoding and transmitting GIDOs. Through the callback functions it provides, programmers can construct and deliver GIDOs simply, without knowing the details of the encoding and delivery process. Generating a GIDO takes two steps: first a tree structure representing the GIDO is constructed, and then this structure is compiled into bytecode.
Chapter 3 Snort system analysis
3.1 Introduction of Snort
Snort is a free open source network intrusion detection system developed by professor Martin
Roesch at Carnegie Mellon University using C language in 1998. Snort was developed by
Sourcefire whose founder and CTO was Martin Roesch during 2003 to 2013. In 2009, Snort
entered the honorary open source hall of InfoWorld as the "greatest open source software"[17].
In 2013, Cisco acquired Sourcefire, so now Cisco’s engineers are maintaining Snort project.
Snort has heated open source community, in which worldwide technicians can participate in
group discussions and give advices via e-mail. The community manager could feedback to their
developers.
Snort is an open source network intrusion detection system, with the ability of real-time traffic
analysis and recording IP packet of network protocol. Snort utilizes combination of protocol
analysis and pattern matching to detect abnormalities, misuse and attacks. These basic services
have many purposes, including application triggering quality of service, and reducing chunks
priority of traffic when delay-sensitive applications are being used [18]. Snort can also be used
to detect attack and detection, including but not limited to operating system fingerprinting,
public ingress interface, buffer overflows, service information blocking detect and stealth port
scans [19].
3.2 Characteristics of Snort
(1) Open Source
Snort comply with GPL (GNU General Public License) standard, any organizations and
individuals are free to use. Snort is a very good open source project, considered to be the
industry standard for intrusion detection technology.
(2) Plug-in mechanism
Snort's plug-in mechanism makes it highly extensible. Currently supported plug-ins include an XML plug-in, a port scan detection plug-in, a database log output plug-in, an HTTP URL normalization plug-in, a fragmented packet inspection plug-in and so on, which makes Snort a dynamic part of an overall network security solution.
(3) Cross-platform, lightweight deployment
Snort can run on Windows x86, Linux, FreeBSD, OpenBSD, NetBSD and other operating systems; Solaris, SPARC, Mac OS X, PowerPC and other platforms also support Snort. These cross-platform and lightweight deployment features make it more flexible and powerful than commercial systems.
(4) Flexible and powerful rules language
Snort uses a flexible and powerful rule language to describe the activities considered malicious. Snort can also be used as an analysis engine with plug-in modules, detecting and responding in real time: sending alarms, logging records, or, when deployed inline, discarding a session or packet [20]. This allows Snort to react quickly to new network attacks and to close network security vulnerabilities very quickly.
(5) A variety of operating modes
Snort can be configured in three main modes: sniffer, packet logger and network intrusion detection. In sniffer mode the program reads packets off the network and displays them on the console. In packet logger mode it records packets to disk. In intrusion detection mode it monitors network traffic, analyzes it against a user-defined rule set, and then takes particular actions based on the rules and generates and outputs alarms.
(6) Multiple output modes
Snort's output modules are varied, including log files, syslog, alert files and other formats, and the output format is selected in snort.conf. Snort logs use binary or ASCII format. Snort could also output alarms to a database, including MySQL, PostgreSQL, Oracle or any UNIX ODBC database, but this code was removed after Snort 2.9.x and the developers set up a new project, Barnyard2, which imports Snort records into the database (see the Snort blog post "Database output is dead. RIP", Wednesday, July 18, 2012, http://blog.snort.org/2012/07/database-output-is-dead-rip.html).
3.3 Build Snort environment
3.3.1 Snort installation
First install the dependency packages flex, bison, build-essential, checkinstall, libpcap-dev, libnet1-dev, libpcre3-dev, libmysqlclient15-3dev, libnetfilter-queue-dev and iptables-dev, then extract, configure and install libdnet, DAQ, Snort and the Snort rule set. After installation, modify the snort.conf configuration file to set HOME_NET, EXTERNAL_NET, RULE_PATH, etc., and add the rules to the configuration file. Finally, run Snort in NIDS mode to see whether the installation succeeded. Installing the Snortrules set requires registering an account on the official website snort.org in order to download the tar.gz.
3.3.2 Barnyard2 installation
First install mysql-server, libmysqlclient-dev, mysql-client, autoconf and libtool. Then configure a MySQL user name and password, create the database and grant the user privileges on it. At this point we must change snort.conf so that its output file is in binary format, because Barnyard2 only processes Snort's binary logs. Run Snort in alert mode and ping the eth0 interface that Snort is listening on from another host. Snort will produce timestamped binary log files. Then use Barnyard2 to process such a file and import it into MySQL. If this succeeds, you can enter MySQL to view the result.
Figure 3-1 Use Barnyard2 to import records into mysql
Figure 3-2 Event statistics of Barnyard2 output module
3.3.3 BASE installation
After installing and configuring Snort, Barnyard2 and MySQL, we find that the event table contains only an id and a time when we enter MySQL, without the specific alert content and type. The content of the data table is also in binary format, which is not intuitive to read. So a front-end interface is necessary.
When Snort came out, the initial front-end interface was ACID (Analysis Console for Intrusion Databases), developed by Carnegie Mellon University, but it stopped being maintained two years after it came out and could no longer be used five years ago. Although BASE (Basic Analysis and Security Engine) is also quite dated and is no longer developed, it can still be used. Both BASE and ACID are based on the LAMP stack. In the last two years, Snorby, which is based on Ruby on Rails, is the latest project, maintained by the company Threat Stack, even with a mobile client app (for details, see the Snort blog post "GUIs for Snort", Thursday, January 13, 2011, http://blog.snort.org/2011/01/guis-for-snort.html). This paper uses the BASE interface.
Before installing BASE we have to install the dependency packages apache2, libapache2-mod-php5, php5, php5-mysql, php5-common, php5-gd, php5-cli, php-pear and Image_Graph, then download and install ADODB, which is a drawing program, as well as BASE. Then configure Base.conf to point at MySQL and start Apache. Enter the address in the browser's address bar to reach BASE's configuration page, then go through it step by step. We will then see the alarm information imported into MySQL from Snort through Barnyard2, as shown in Figures 3-3 and 3-4.
Figure 3-3 BASE frontend interface
Figure 3-4 Alert interface of BASE frontend
3.4 Theoretical analysis of Snort
3.4.1 Snort architecture and modules
Snort is composed of a packet capture module, a protocol decoder, a pre-processing module, a detection engine and an alarm output module.
(1) Packet capture module
Snort uses libpcap to capture packets: it listens on a network card in promiscuous mode and copies the traffic for analysis. The Win32 version of libpcap is WinPcap, which is also the capture engine of Wireshark.
(2) Protocol decoders
The protocol decoder uses predefined data structures: according to the definitions of the data link layer, network and transport layer and application layer protocols, it parses the protocol information from the sniffed packets and fills it into these data structures. Following the bottom-up order of the protocol stack, the protocol decoder makes its callbacks from the data link layer to the network and transport layers, and finally to the application layer protocols.
(3) Pre-processing module
After the packets have been handled by the protocol decoder, they are sent to the preprocessor. The preprocessor uses the plug-in mechanism to detect anomalies, reassemble TCP stream data and reassemble IP packet fragments, thereby improving the speed and accuracy of detection.
(4) Detection Engine
Using the rule files loaded through the application's configuration file, the detection engine judges and handles the packets: whether malicious traffic exists, whether an alarm must be output, and so on.
(5) Alarm output module
The output module outputs results based on what the detection engine has detected. The ways of outputting are:
a. Output to Unix syslog;
b. Output to a Unix socket;
c. Output to Winpcap or Samba: alarm monitoring software under Win32 or Unix/Linux;
d. Export to a database: MySQL, Oracle, SQL Server, PostgreSQL and any UNIX ODBC-compliant database;
e. Output to log files: unified log format, tcpdump format, Snort's own format, XML format, PCAP format, CSV format.
3.4.2 Snort workflow
Snort has three modes. Since this paper studies the detection engine, we mainly discuss the third, intrusion detection mode.
snort.c is the entry file, in which main() is the entry function; but the actual entry point, SnortMain(), constitutes the body of the entire system, and its working process is shown in Figure 3-5:
SnortInit() performs initialization (Figure 3-6); GetPacketSource() obtains the packet source; DAQ_Init(snort_conf) initializes DAQ according to the information in snort.conf; snortStartThreads() starts the threads; DAQ_Start() starts DAQ; SetPktProcessor() sets the packet decoding function according to the data link layer protocol; PacketLoop() loops and captures packets; CleanExit(0) cleans up, stops DAQ and exits.
Figure 3-5 SnortMain()'s workflow [21]
Figure 3-6 SnortInit()'s workflow [21]
InterfaceThread() starts the interception and handling of packets: it calls libpcap's pcap_loop to fetch packets in a loop, decodes each packet in the processing function ProcessPacket, then calls the function Preprocess for preprocessing, after which Detect() is called to inspect the packet, and finally the output plug-ins are called to output alarms and log information. The packet processing flow is shown in Figure 3-7:
Figure 3-7 Packet processing flow
Figure 3-8 Snort functions’ callback relationships
3.5 Snort rules parsing
Most attacks have unique characteristics in the packet header or payload. Snort is a rule-based intrusion detection system, and Snort rules are built on intrusion signatures. A rule states how to detect, analyze or report a packet. Snort uses a lightweight and simple rule description language that is flexible and powerful.
Most Snort rules are written on a single line, or continued over multiple lines with a trailing backslash "\". Snort rules are divided into two logical parts: the rule header and the rule options. The rule header contains the rule action, the protocol, the source and destination IP addresses and network masks, and the source and destination port information; the rule option section contains the alert message and the specific parts of the packet to check. E.g.:
alert icmp 10.14.73.1 any -> 10.14.73.3 any (msg:"Getting pings from 10.14.73.1 !!"; sid:10000004;)
When a host pings the eth0 interface of the Ubuntu server running Snort, and Snort is running in console output mode, it generates the alarm in real time and also stores it in the log file. If you want to use it for application control, you can write a rule like this:
alert tcp $HOME_NET any -> any any (content:"www.taobao.com"; msg:"Someone is accessing TAOBAO !!"; sid:10000001;)
Other attacks or probes are handled in the same way: as long as the rule files are placed in the /etc/snort/rules directory and added to snort.conf, Snort will generate alarms when packets with the attack characteristics are replayed at the NIC.
Figure 3-9 Alarm and output under Snort console module
Snort rules allow variables to be used in the rule header, which avoids repeated typing of strings and also simplifies rule changes. The variable definition syntax is:
var <variable name> <variable value>
for example:
var HOME_NET 192.168.1.0/24
A variable is used in a rule as $<variable name>; for the example above, $HOME_NET. The exclamation mark "!" negates a value: in the previous example, !$HOME_NET represents the entire external network and plays the role of EXTERNAL_NET.
The part before the first parenthesis is the rule header, and the rule options are contained in the parentheses. The rule options form the core of Snort's detection engine: flexible, easy to use and powerful. The word before the colon in a rule option is the option keyword. This part is not mandatory; it only defines more strictly which packets are to be logged, alarmed on or discarded. The content after the colon is the option argument. Rule options are separated by a semicolon ";", and keywords and arguments by a colon ":". There are 42 Snort rule option keywords in total. When several elements of one rule are put together, they can be thought of as a logical AND statement; the different rules loaded from the rule base can be considered one large logical OR statement. In other words, when a packet matches the conditions of any rule, it is a successful match, and the packet is then logged or alarmed on.
The rule header defines the who, what and where of a packet, as well as the action to take when a packet matches the rule. The first part of a rule is the rule action, the measure taken for a packet that matches the rule. Snort defines five rule actions [22]:
a. alert: generate an alarm using the selected alarm method, then log the packet;
b. log: log the packet;
c. pass: discard or ignore the packet;
d. activate: alarm and then activate another dynamic rule;
e. dynamic: remain idle until activated by an activate rule, then act as a log rule.
Rule types can be customized, and any number of additional output modules can be attached to them. The following example creates a rule type whose packets are logged in tcpdump format:
ruletype suspicious
{
    type log
    output log_tcpdump: suspicious.log
}
The content keyword is an important and frequently used rule option. Most keywords refer to information in the header fields of the inspected packet, such as the ACK field of the TCP header, but the content keyword lets users search the packet payload for the contents specified in the rule and trigger a response when they are found. When a content option is pattern matched, the Boyer-Moore pattern matching function is called to match against the packet payload, and the other parts of the rule option are evaluated only if it matches.
The option data of a content keyword may contain a mixture of text and binary data. Binary data is enclosed between pipe characters ("|") and written as hexadecimal bytecode. E.g.:
alert tcp any any -> 192.168.1.0/24 143 (content:"|90C8 C0FF FFFF|/bin/sh"; msg:"IMAP buffer overflow!";)
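The rule layout and the content option described above, as an added example written for this section (it is not code from the thesis or from Snort): a small C parser that splits a rule into its header fields and key:value options, decodes the |hex| byte notation of a content value, and evaluates a packet against a rule with the AND-within-a-rule semantics. It checks only the protocol, the destination port and content options (addresses and the other keywords are ignored), and searches the payload with a plain byte comparison rather than Snort's Boyer-Moore matcher; the rule text is the IMAP example above and the sample payload is constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define MAX_OPTS 16
struct ruleopt { char key[32]; char val[128]; };
struct rule { char action[16], proto[8], src[64], sport[16], dir[4], dst[64], dport[16];
              struct ruleopt opt[MAX_OPTS]; int nopt; };

/* Strip surrounding spaces and double quotes from s in place. */
static void trim(char *s)
{
    size_t n = strlen(s), i = 0;
    while (n && (isspace((unsigned char)s[n - 1]) || s[n - 1] == '"')) s[--n] = '\0';
    while (s[i] && (isspace((unsigned char)s[i]) || s[i] == '"')) i++;
    memmove(s, s + i, n - i + 1);
}

/* Parse "action proto src sport dir dst dport (key:val; key:val; ...)".
 * Returns 0 on success, -1 if the header or the option list is malformed. */
int parse_rule(const char *line, struct rule *r)
{
    const char *paren = strchr(line, '('), *end, *p;
    char head[512];
    memset(r, 0, sizeof *r);
    if (!paren || (size_t)(paren - line) >= sizeof head) return -1;
    snprintf(head, sizeof head, "%.*s", (int)(paren - line), line);
    if (sscanf(head, "%15s %7s %63s %15s %3s %63s %15s", r->action, r->proto,
               r->src, r->sport, r->dir, r->dst, r->dport) != 7) return -1;
    p = paren + 1;
    if (!(end = strrchr(p, ')'))) return -1;
    while (p < end && r->nopt < MAX_OPTS) {          /* "key:value;" pairs, ';' separated */
        const char *semi = strchr(p, ';'), *colon;
        struct ruleopt *o = &r->opt[r->nopt];
        if (!semi || semi > end) break;
        colon = memchr(p, ':', (size_t)(semi - p));
        snprintf(o->key, sizeof o->key, "%.*s", (int)((colon ? colon : semi) - p), p);
        if (colon) snprintf(o->val, sizeof o->val, "%.*s", (int)(semi - colon - 1), colon + 1);
        trim(o->key);
        trim(o->val);
        r->nopt++;
        p = semi + 1;
    }
    return 0;
}

/* Decode a content value: text is copied literally, "|...|" sections are hex
 * bytes (spaces inside the pipes are ignored).  Returns the length or -1. */
int decode_content(const char *val, unsigned char *out, size_t outlen)
{
    size_t n = 0;
    int inhex = 0, hi = -1;
    for (const char *c = val; *c; c++) {
        if (*c == '|') {                            /* toggle hex mode; an odd digit count is an error */
            if (inhex && hi >= 0) return -1;
            inhex = !inhex;
        } else if (!inhex) {
            if (n >= outlen) return -1;
            out[n++] = (unsigned char)*c;
        } else if (!isspace((unsigned char)*c)) {
            int v;
            if (!isxdigit((unsigned char)*c)) return -1;
            v = isdigit((unsigned char)*c) ? *c - '0' : tolower((unsigned char)*c) - 'a' + 10;
            if (hi < 0) hi = v;
            else if (n >= outlen) return -1;
            else { out[n++] = (unsigned char)(hi * 16 + v); hi = -1; }
        }
    }
    return inhex ? -1 : (int)n;                     /* an unterminated |...| is an error */
}

/* One rule is a logical AND: every evaluated element must hold.  Only protocol,
 * destination port and content options are checked here; msg and sid are metadata. */
int rule_matches(const struct rule *r, const char *proto, int dport,
                 const unsigned char *payload, size_t plen)
{
    if (strcmp(r->proto, proto) != 0) return 0;
    if (strcmp(r->dport, "any") != 0 && atoi(r->dport) != dport) return 0;
    for (int i = 0; i < r->nopt; i++) {
        unsigned char pat[128];
        int pn, found = 0;
        if (strcmp(r->opt[i].key, "content") != 0) continue;
        if ((pn = decode_content(r->opt[i].val, pat, sizeof pat)) < 0) return 0;
        for (size_t j = 0; !found && j + (size_t)pn <= plen; j++)   /* plain byte search */
            found = memcmp(payload + j, pat, (size_t)pn) == 0;
        if (!found) return 0;
    }
    return 1;
}

int main(void)
{
    struct rule r;
    /* Constructed payload: two filler bytes followed by the bytes the rule looks for. */
    unsigned char payload[] = "xx\x90\xC8\xC0\xFF\xFF\xFF/bin/sh";
    if (parse_rule("alert tcp any any -> 192.168.1.0/24 143 (content:\"|90C8 C0FF FFFF|/bin/sh\";"
                   " msg:\"IMAP buffer overflow!\";)", &r) != 0) return 1;
    printf("%s %s -> %s:%s  match=%d\n", r.action, r.proto, r.dst, r.dport,
           rule_matches(&r, "tcp", 143, payload, sizeof payload - 1));
    return 0;
}
```

The loaded rule base is the logical OR described above: a caller iterates over its parsed rules and stops at the first one for which rule_matches() returns 1, which is then logged or alarmed on.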
Chapter 4 Design and Realization of IPS based on Snort
4.1 Introduction of Netfilter
4.1.1 Understand Netfilter
To block, in the kernel and immediately, the traffic that Snort alerts on, we must use Netfilter to control packets. Netfilter is the packet filtering framework of the Linux kernel for versions 2.4.x and later. It is generally mentioned together with iptables. Software within this framework can filter packets, translate network addresses and ports (NA(P)T) and so on. Compared with ipchains in Linux 2.2.x and ipfwadm in Linux 2.0.x, it is a reconstructed and significantly improved successor.
Netfilter is a series of hooks that allow kernel modules to register callback functions with the network stack [23]. First, each protocol defines "hooks" (IPv4 defines five), well-defined points in a packet's traversal of that protocol stack. At each of these points, the protocol calls the netfilter framework with the packet and the hook number. Second, parts of the kernel can register to listen to the different hooks of each protocol. So when a packet is passed to the netfilter framework, it checks whether anyone has registered for that protocol and hook. If so, each registrant in turn gets the chance to inspect (and possibly change) the packet, and then to discard it (NF_DROP), let it pass (NF_ACCEPT), tell netfilter to forget about it (NF_STOLEN), or ask netfilter to queue the packet for user space (NF_QUEUE).
In addition, the queued packets are collected (by the ip_queue driver) for user space, where they are handled asynchronously.
4.1.2 Structure of Netfilter
Netfilter is merely a series of hooks at various points in the protocol stack. The (idealized) IPv4 packet traversal diagram looks like Figure 4-1:
Figure 4-1 Structure of Netfilter
On the left is where packets come in. After passing some simple sanity checks (for example, not truncated, IP checksum OK, not a promiscuous receive), they are passed to the NF_IP_PRE_ROUTING [1] hook of the netfilter framework. Next they enter the routing decision, which determines whether the packet is destined for another interface or for a local process; the routing code may drop packets that cannot be routed. If the packet is destined for the local host, the netfilter framework is called again for the NF_IP_LOCAL_IN [2] hook, before the packet is passed to the process. The packet then passes the final netfilter hook, NF_IP_POST_ROUTING [4], before being put on the wire again. The NF_IP_LOCAL_OUT [5] hook is called for packets generated locally. Here one can see that routing occurs after this hook is called; in fact, the routing code is called first (to figure out the source IP address and some IP options), and if you want to change the routing you must manually change the 'skb->dst' field, as is done in the NAT code.
A hook function returns one of the following five values:
1. NF_ACCEPT: continue normal transmission of the packet;
2. NF_DROP: drop the packet and do not continue transmission;
3. NF_STOLEN: take over the packet; it is not transmitted further;
4. NF_QUEUE: put the packet into a queue, typically for handling in user space;
5. NF_REPEAT: call this hook function again.
4.1.3 Netlink sockets
Only the most important code, or code closely tied to system performance, is placed in the Linux kernel. Other programs, such as the GUI and the management and control parts, are usually implemented as user mode applications. Thus a Linux system is divided into kernel features and user space features (for example, the firewall is divided into the kernel mode Netfilter and the user mode iptables).
Netfilter is a component working in the Linux kernel that is operated from user space through interfaces. It communicates with user mode programs through the various IPC (interprocess communication) mechanisms between user mode and kernel mode, for example system calls, the ioctl interface, the proc file system and netlink sockets.
A netlink socket is a special IPC mechanism used for data transmission between kernel mode and user mode. It provides a special set of APIs for kernel modules and a set of standard socket interfaces for user programs, implementing a full duplex communication link. Just as TCP/IP uses the address family AF_INET, netlink sockets use the address family AF_NETLINK. Each netlink socket protocol type is defined in the kernel header file [24]:
#include <linux/netlink.h>
Here are the features of netlink sockets and the protocols they currently support [25]:
NETLINK_ROUTE: the communication channel between user space routing daemons, such as BGP, OSPF and RIP, and the kernel's forwarding modules. User mode routing daemons update the kernel routing table through this protocol.
NETLINK_FIREWALL: receives packets sent by the IPv4 firewall.
NETLINK_NFLOG: the communication channel between the user mode iptables management tools and the netfilter kernel modules.
NETLINK_ARPD: used for managing the kernel ARP table from user space.
Netlink provides an asynchronous communication method. Like other socket APIs, it provides a socket buffer queue. The system call that sends a netlink message adds the message to the recipient's queue and then triggers the recipient's handler function. The recipient can decide to process the message immediately or queue it and handle it later in another context (because we want the receive handler to execute as fast as possible). A system call, in contrast, requires a synchronous process, so when a system call is used to pass messages from user mode to the kernel and processing a message takes a long time, the granularity of the kernel scheduler is affected. Code implementing a kernel system call is statically linked into the kernel at compile time, so it is inappropriate for a dynamically loaded module, which is how most device drivers are built, to include a system call. When netlink sockets are used, the netlink code in a dynamically loaded module creates no compile-time dependency on the Linux kernel.
ip_queue is the method provided by netfilter to transfer packets from the kernel to user space. The kernel must support ip_queue. After opening a netlink socket in user space, a program can receive the packets passed through ip_queue from the kernel. Which packets are queued is selected by iptables rules whose action is set to "-j QUEUE".
It is called ip_queue because it is a processing queue: iptables rules send the specified packets to the QUEUE target, the user space program acquires the packets through a netlink socket, and its verdict is returned to the kernel, which takes the packet out of the queue. iptables provides the libipq library, which encapsulates the ipq operations, so a user-level program can use the libipq functions directly to process the data.
Netlink sockets provide a set of API functions that developers familiar with BSD-style sockets already know. Therefore, compared with the complicated use of system call APIs, it is much easier to develop with netlink.
4.2 NIPS system top layer design
4.2.1 Use Iptables as linkage
What we need to do next is to convert Snort into an IPS. Snort is an open source IDS based on libpcap, which works on a copy of the traffic, so it has no blocking capability. The main difference between an IDS and an IPS is that the former works at a mirror port, with only one network card monitoring traffic out of band, while the latter sits inline between the external network/firewall and the switch, with traffic passing directly through its two network cards, so it can discard the packets of alarmed traffic in real time.
Because an IPS can drop packets automatically after an alarm, rather than requiring the NMS operator to configure the iptables firewall manually to block them, it is necessary to make the alarms generated by Snort automatically produce real-time blocking behavior.
To make the alarms generated by Snort take effect immediately as a block, for instance by adding the session to a blacklist table, we need to use Netfilter to control the packet flow. Netfilter is the packet filtering framework of the Linux kernel for versions 2.4.x and later. Software within this framework can filter packets and translate network addresses and ports (NA(P)T). Netfilter is a series of hooks in the Linux kernel that allow kernel modules to register callback functions at points in the protocol stack.
Therefore, a very natural idea at the beginning was this: instead of letting Snort's entry function listen on the eth0 network card, we change it to register at the entry netfilter hook NF_IP_PRE_ROUTING. After generating an alarm, Snort sets a flag on the alarmed packets or adds their source and destination IP/port to the blacklist of the session table (similar to the ACL quadruple below). The Netfilter hook then DROPs these alarmed flows with NF_DROP, and only the remaining traffic goes on to the downstream network card and the intranet.
Source IP | Source Port | Destination IP | Destination Port
But later we found that libpcap only copies the mirrored traffic from kernel space to user space, so there may not be enough time to block: by the time Snort alarms, the traffic has already passed. Instead, Snort's entry function main() is registered on NF_IP_PRE_ROUTING with the return value NF_QUEUE, so the kernel traffic is put into the buffer queue IP_QUEUE before the kernel's routing decision; otherwise, traffic in IP_QUEUE is dropped by default. After Snort modifies the session table to block the source IP/port of the alarm, Snort returns control. The kernel traffic in IP_QUEUE then proceeds to the routing decision, and afterwards the alarmed flows, as well as their sessions, are blocked by the modified session table. Of course, these blocking entries need an aging time.
System architecture design is as shown in Figure 4-2:
Figure 4-2 Design of NIPS using Iptables
4.2.2 Design of NIPS using Netlink sockets
Using the description of Snort, Netlink and Netfilter above, this section uses the CIDF architecture described in Chapter 2 to design a network intrusion prevention system, as shown in Figure 4-3:
Figure 4-3 NIPS system’s top layer’s design
The components are as follows:
(1) Event generator (packet capture module): Netfilter, netlink, libipq.
Copies network packets from kernel space to user space. Workflow of the event generator: use libipq to intercept network packets through netlink sockets and read packets from the network layer into user space.
(2) Event analyzer (intrusion detection module): Snort.
Analyzes the data passed from the event generator using pattern matching and state detection technology. Workflow of the analysis component: Snort acqu­ires data from IP_QUEUE in kernel space through the netlink interface and the libipq functions, and uses pattern matching and state detection with the Snort rule set to perform detection.
(3) Response unit (response module): Netfilter, libipq, netlink.
Replaces the attack code or discards the packet. Workflow of the response component: if the match succeeds, the corresponding packets are handled according to the IPS rule settings, communicating with Netfilter in the kernel through the ipq_set_verdict function and the netlink interface. If the match fails, the packets are processed according to the Netfilter policy settings. Netfilter itself also has packet filtering functions, which can filter or allow certain special network packets.
(4) Event database (alarm output module): Snort, Barnyard2, the MySQL database and the BASE front end (under the LAMP stack).
Collects, stores and displays alarm data.
4.3 NIPS Design and Implementation
4.3.1 Packet capture module
The packet capture module places the packets passing through or being forwarded into the buffer queue and copies the data from kernel space to user space, so that the program in user space can perform intrusion detection; the intrusion detection program in user space is naturally Snort. Until Snort issues a processing order through netlink, the data in IP_QUEUE is not processed further. The difference from libpcap capture is that what the Linux library function libipq obtains are the packets currently held in the kernel's IP_QUEUE buffer queue, in real time, whereas the packets libpcap fetches give no control over the transmission of the actual packets. This is the key to an IPS filtering alarmed traffic in real time.
Figure 4-4 Workflow of capturing packets using Libipq
The process of capturing packets with the libipq library is shown in Figure 4-4. The specific steps are as follows:
(1) The function ipq_create_handle() initializes the libipq library and allocates space. It first creates the handle structure (struct ipq_handle *h) and then creates the netlink socket:
a. Binding
As with a TCP/IP socket, netlink's bind() function associates a local socket address (the source socket address) with an open socket. The netlink address structure is as follows [24]:
struct sockaddr_nl {
    sa_family_t    nl_family;   /* AF_NETLINK */
    unsigned short nl_pad;      /* zero */
    __u32          nl_pid;      /* process pid */
    __u32          nl_groups;   /* mcast groups mask */
} nladdr;
When the structure above is passed to bind(), the nl_pid field of sockaddr_nl can be set to the PID of the current process, and nl_pid then serves as the local address of the netlink socket. Applications should choose a unique 32-bit integer as the value of nl_pid:
nladdr.nl_pid = getpid();
After filling in the structure nladdr, bind it as follows:
bind(fd, (struct sockaddr *)&nladdr, sizeof(nladdr));
b. Sending
Then we can apply the netlink address to a struct msghdr msg, to be passed to sendmsg() [24]:
struct msghdr msg;
msg.msg_name = (void *)&nladdr;
msg.msg_namelen = sizeof(nladdr);
After completing the steps above, a single call to sendmsg() sends the netlink message:
sendmsg(fd, &msg, 0);
c. Receiving
The receiving program needs to allocate a buffer large enough to hold the netlink message header and the message payload. It fills in a struct msghdr msg as follows and then uses the standard recvmsg() interface to receive the netlink message, assuming nlh points to the buffer [24]:
struct sockaddr_nl nladdr;
struct msghdr msg;
struct iovec iov;
iov.iov_base = (void *)nlh;
iov.iov_len = MAX_NL_MSG_LEN;
msg.msg_name = (void *)&nladdr;
msg.msg_namelen = sizeof(nladdr);
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
recvmsg(fd, &msg, 0);
Finally, close(fd) closes the netlink socket represented by the descriptor fd.
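The three steps above (bind, send, receive), as an added example that is not part of the thesis or of libipq: helper functions built on the standard netlink socket API, with the address structure, the msghdr/iovec pair and the bind/sendmsg/recvmsg calls exactly as described. The message type and sequence number, the MAX_NL_MSG_LEN buffer size and the use of NETLINK_ROUTE in main() are assumptions of this example; NETLINK_ROUTE is used only because every Linux kernel provides it, whereas the ip_queue protocol requires the ip_queue module.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

#define MAX_NL_MSG_LEN 4096                /* assumed receive buffer size */

/* Step a: build a netlink address.  nl_pid is the unicast address of a socket;
 * the process id makes it unique per process, and 0 addresses the kernel. */
struct sockaddr_nl make_nl_addr(__u32 pid, __u32 groups)
{
    struct sockaddr_nl a;
    memset(&a, 0, sizeof a);               /* also zeroes nl_pad, as required */
    a.nl_family = AF_NETLINK;
    a.nl_pid = pid;
    a.nl_groups = groups;
    return a;
}

/* Build one netlink message (header + payload) into buf.  Returns the message
 * length, or -1 if buf cannot hold the aligned message. */
int build_nl_message(unsigned char *buf, size_t buflen, __u16 type, __u16 flags,
                     __u32 seq, __u32 pid, const void *payload, size_t plen)
{
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    if (NLMSG_SPACE(plen) > buflen) return -1;
    memset(buf, 0, NLMSG_SPACE(plen));
    nlh->nlmsg_len = NLMSG_LENGTH(plen);
    nlh->nlmsg_type = type;
    nlh->nlmsg_flags = flags;
    nlh->nlmsg_seq = seq;
    nlh->nlmsg_pid = pid;                  /* sender's address, echoed in replies */
    memcpy(NLMSG_DATA(nlh), payload, plen);
    return (int)nlh->nlmsg_len;
}

/* Steps b and c share one layout: a msghdr whose single iovec points at buf and
 * whose name is the peer address (the kernel for sendmsg(), filled in by recvmsg()). */
void prepare_msghdr(struct msghdr *msg, struct iovec *iov, struct sockaddr_nl *peer,
                    void *buf, size_t len)
{
    memset(msg, 0, sizeof *msg);
    iov->iov_base = buf;
    iov->iov_len = len;
    msg->msg_name = peer;
    msg->msg_namelen = sizeof *peer;
    msg->msg_iov = iov;
    msg->msg_iovlen = 1;
}

/* Open a netlink socket for the given protocol and bind it to this process's pid.
 * Returns the descriptor, or -1 if the kernel does not provide that protocol. */
int netlink_open_bound(int protocol)
{
    int fd = socket(AF_NETLINK, SOCK_RAW, protocol);
    struct sockaddr_nl local = make_nl_addr((__u32)getpid(), 0);
    if (fd < 0) return -1;
    if (bind(fd, (struct sockaddr *)&local, sizeof local) < 0) { close(fd); return -1; }
    return fd;
}

/* Send one message to the kernel and read one reply into buf.
 * Returns the number of bytes received, or -1 on error. */
ssize_t netlink_exchange(int fd, unsigned char *req, int reqlen, unsigned char *buf, size_t buflen)
{
    struct sockaddr_nl kernel = make_nl_addr(0, 0);
    struct msghdr msg;
    struct iovec iov;
    prepare_msghdr(&msg, &iov, &kernel, req, (size_t)reqlen);
    if (sendmsg(fd, &msg, 0) < 0) return -1;
    prepare_msghdr(&msg, &iov, &kernel, buf, buflen);
    return recvmsg(fd, &msg, 0);
}

int main(void)
{
    /* RTM_GETLINK with NLM_F_DUMP asks for the interface list, a request any
     * unprivileged process may send over NETLINK_ROUTE. */
    unsigned char req[64], reply[MAX_NL_MSG_LEN];
    struct rtgenmsg gen = { AF_UNSPEC };
    int fd = netlink_open_bound(NETLINK_ROUTE), n;
    if (fd < 0) { perror("netlink"); return 1; }
    n = build_nl_message(req, sizeof req, RTM_GETLINK, NLM_F_REQUEST | NLM_F_DUMP, 1,
                         (__u32)getpid(), &gen, sizeof gen);
    printf("sent %d bytes, received %zd bytes\n", n, netlink_exchange(fd, req, n, reply, sizeof reply));
    close(fd);
    return 0;
}
```

For ip_queue the same helpers apply unchanged: libipq's ipq_create_handle() performs the socket() and bind() steps internally, and ipq_read() and ipq_set_verdict() are the recvmsg() and sendmsg() halves of the exchange.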
(2) The function ipq_set_mode() sets the copy mode, i.e. whether the kernel copies only the packet metadata or the metadata together with the packet payload.
(3) In the loop section, the function ResetIV() initializes the structure variable IV; then ipq_read() reads packets from the kernel's ip_queue buffer queue and stores them in the array buf[PKT_BUFSIZE].
(4) An error is reported if something abnormal occurs (not a packet, timeout, read failed); otherwise ipq_get_packet() formats the data read by ipq_read() into the corresponding packet structure ipq_packet_msg_t *m.
(5) The functions ProcessPacket() and HandlePacket() parse and process the packet structure ipq_packet_msg_t *m in the detection module. The declarations and comments of the functions written for the module and of the other functions are listed below:
int IPS_Mode(void);                /* Set the flag of constant value */
int IPS_Drop(Packet *p);           /* Call stream_api->drop_packet and stream_api->drop_traffic to drop packets */
int InitIPS(void);                 /* Initialize: ipq_create_handle, ipq_set_mode, ResetIV */
void InitIPS_PostConfig(void);     /* Parse tcp, udp and icmp packets respectively */
void IpqLoop(void);                /* Loop and perform exception checking */
void TranslateToPcap(ipq_packet_msg_t *m, struct pcap_pkthdr *phdr);
                                   /* Through string manipulation, convert ipq_packet_msg_t *m into pcap_pkthdr *phdr for the packet flows */
void TranslateToPcap(struct pcap_pkthdr *phdr, ssize_t len);
                                   /* Through string handling, read ipq_packet_msg_t *m's offset into ssize_t len */
The main code of the module is as follows:
① Initialize packet capture
int InitIPS(void)
{
    ipqh = ipq_create_handle(0, PF_INET);                       // initialize the libipq library (opens the netlink socket)
    if (ipqh == NULL)
        return -1;
    status = ipq_set_mode(ipqh, IPQ_COPY_PACKET, PKT_BUFSIZE);  // copy mode: metadata plus payload
    if (status < 0)
        return -1;
    ResetIV();                                                  // reset the IV structure, clearing its variables
    return 0;
}
Here, the data structure used is as follows:
struct ipq_handle {
    int fd;                     // file descriptor of the netlink socket
    u_int8_t blocking;          // blocking flag
    struct sockaddr_nl local;   // address of the local netlink endpoint
    struct sockaddr_nl peer;    // address of the kernel endpoint
};
② Capture packets in a loop
void IpqLoop(void)
{
    while (1) {
        status = ipq_read(ipqh, buf, PKT_BUFSIZE, 0);          // fetch one packet from the ip_queue buffer
        if (status <= 0) {                                     // return value <= 0: error or timeout
            ipq_perror("IpqLoop: TIMEOUT");
            continue;
        }
        if (ipq_message_type(buf) != IPQM_PACKET)              // only packet messages are handled
            continue;
        m = ipq_get_packet(buf);                               // copy the packet from the buffer into an ipq_packet_msg_t
        PcapProcessPacket(NULL, &PHdr, (u_char *)m->payload);  // parse the packet
        HandlePacket(m);                                       // process, forward or discard the packet according to the IV structure
    }
}
The two data structures used here are as follows:
struct pcap_pkthdr {
    struct timeval ts;      // timestamp
    bpf_u_int32 caplen;     // length of the captured portion of the packet
    bpf_u_int32 len;        // actual length of the packet
};
typedef struct ipq_packet_msg {
    unsigned long packet_id;        // ID of the queued packet
    long timestamp_sec;             // packet arrival time
    unsigned long mark;             // Netfilter mark value
    unsigned int hook;              // Netfilter hook point identifier
    char indev_name[IFNAMSIZ];      // input interface name
    char outdev_name[IFNAMSIZ];     // output interface name
    unsigned short hw_protocol;     // hardware protocol
    unsigned short hw_type;         // hardware type
    unsigned char hw_addrlen;       // hardware address length
    unsigned char hw_addr[8];       // hardware address
    size_t data_len;                // packet payload length
    unsigned char payload[0];       // optional packet contents
} ipq_packet_msg_t;
4.3.2 Intrusion detection module
In the intrusion prevention system, intrusion detection uses a modified version of the detection technology of the intrusion detection system Snort. Snort's decoding is carried out by the decode() function, which analyzes the incoming data stream in the appropriate format for each protocol, from the link layer up to the transport layer, and fills the results into the Packet data structure. In the intrusion prevention system, the packet reading process has already reassembled fragmented packets: the packet handed to the intrusion detection engine is complete, and the data stream contains no data link layer information. Rule matching of packets is still carried out by decode(), which now parses directly from the IP layer, and after the modification the packet data structures contain only information above the IP layer. The intrusion detection module is the main part of the Snort project, responsible for detecting and analyzing network packets after preprocessing; the detection results are output by the response module. The processing flow is shown in Figure 4-5:
Figure 4-5 Processing flow of intrusion detection
Snort is initialised from its command-line parameters, which configure how it works. The packet processing function ProcessPacket() first calls the protocol analysis functions set up earlier to decode the packet and fill the Packet structure, outputting or ignoring the per-layer analysis results as required. It then calls the main detection engine, which has parsed the rule base into a two-dimensional rule list; the detection function Detect() checks the packet against the applicable rules. The rule list is shown in Figure 4-6:
Figure 4-6 Rule chain of intrusion detection [26]
Snort already has five rule actions: Activation, Dynamic, Alert, Pass and Log; we only need to append the Drop and Reject actions to the end of the chain. The data structure used is as follows:
typedef struct _ListHead {
    RuleTreeNode *IpList;
    RuleTreeNode *TcpList;
    RuleTreeNode *UdpList;
    RuleTreeNode *IcmpList;
    struct _OutputFuncNode *LogList;
    struct _OutputFuncNode *AlertList;
    struct _OutputFuncNode *DropList;     // added for the drop action
    struct _OutputFuncNode *RejectList;   // added for the reject action
    struct _RuleListNode *ruleListNode;
} ListHead;
Then declare the variables:
extern ListHead Drop;
extern ListHead Reject;
The CreateRuleType function creates the rule actions; each new action gets its own rule type so that fpLogEvent() can tell them apart:
CreateRuleType("drop", RULE_DROP, 1, &Drop);
CreateRuleType("reject", RULE_REJECT, 1, &Reject);
When the libipq library reads packets from the ip_queue module in its loop, Snort's packet processing function ProcessPacket() examines each packet. Finally the fpLogEvent() function in fpdetect.c takes a different action depending on the detection result, calling a different function for each rule action, as shown in Table 5-1.
Table 5-1 Action-to-function mapping in fpLogEvent()
Matched rule action   Processing function   Function called last
RULE_ACTIVATE         ActivateAction()
RULE_PASS             PassAction()
RULE_DYNAMIC          DynamicAction()
RULE_ALERT            AlertAction()
RULE_LOG              LogAction()
RULE_DROP             DropAction()          InlineDrop()
RULE_REJECT           RejectAction()        InlineReject()
All processing functions in the table are implemented in detect.c. The first five are Snort's own rule actions; the last two are the newly added actions that implement active defence. Once one of these two actions matches, its handler is called; the handler eventually calls the action function of the response module (the "function called last" in the table) and sets the corresponding fields of the IV structure (see section 4.3.3) to record the detection result.
4.3.3 Response module
The response module defines a global variable IV whose fields, set from the detection result of a packet, determine the active defence policy; the resulting verdict is passed back to Netfilter, which enforces it. Its data structure is as follows:
typedef struct vals {
    int drop;      // 1: discard the packet
    int reject;    // 1: block the session the packet belongs to
    int replace;   // 1: replace a string in the packet payload
    int proto;     // protocol of the packet: TCP, UDP, ICMP or IP
} IV;
Here drop = 1 means the packet is discarded; reject = 1 means the connection is blocked, by sending reset packets for a TCP connection and an ICMP port-unreachable message for UDP; replace = 1 means that a fixed string is substituted for the data of packets carrying a predetermined attack signature.
After packet inspection completes, the response handler HandlePacket() reads the detection result from the IV structure and decides how the packet is treated; at the bottom of the call chain the Netfilter kernel interface function nf_reinject() enforces the blocking. The call relationships of the response module are shown in Figure 4-7.
Figure 4-7 Call graph of the functions in the response module
As the figure shows, HandlePacket() checks the drop, reject and replace fields of the IV structure and calls ipq_set_verdict() to pass a verdict on the packet. This function first calls ipq_find_dequeue_entry(), which looks up the ipq_queue_entry previously stored in the queue by the packet ID, then calls ipq_issue_verdict() to apply the final decision, which in turn calls nf_reinject() to re-inject the packet, together with the verdict, into the Netfilter filter; Netfilter then carries out the active response according to the verdict value. The key part of HandlePacket() is as follows:
void HandlePacket(ipq_packet_msg_t *m) {
    if (iv.drop == 1) {                        // drop == 1: discard the packet
        status = ipq_set_verdict(ipqh, m->packet_id, NF_DROP, 0, NULL);
        stream_api->drop_packet(m);
        return;                                // one verdict per packet: do not fall through to NF_ACCEPT
    }
    if (iv.reject == 1)                        // reject == 1: tear down the session (TCP reset / ICMP unreachable)
        stream_api->reject(m);
    if (iv.replace == 0)                       // replace == 0: accept the packet unchanged
        ipq_set_verdict(ipqh, m->packet_id, NF_ACCEPT, 0, NULL);
    else                                       // replace == 1: accept it with the rewritten payload
        ipq_set_verdict(ipqh, m->packet_id, NF_ACCEPT, m->data_len, m->payload);
}
In addition, some related function declarations are as follows:
void RejectFuRestart();          /* release memory, close the thread */
int  IPS_Reject(Packet *);       /* for TCP, UDP and ICMP packets, set drop of the IV structure to 1 */
int  IPS_RejectBoth(Packet *);   /* for TCP, UDP and ICMP packets of both the source and destination IP, set drop to 1 */
int  IPS_RejectSrc(Packet *);    /* for TCP, UDP and ICMP packets from the source IP, set drop to 1 */
int  IPS_RejectDst(Packet *);    /* for TCP, UDP and ICMP packets to the destination IP, set drop to 1 */
int  IPS_Accept();               /* pass TCP, UDP and ICMP packets */
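To make the path from section 4.3.2 (decoding from the IP layer) to the response module concrete, here is an added example that is not code from the thesis or from Snort: a stand-alone C model in which ips_decode_ip() parses a constructed IPv4 packet starting at the IP header, two hypothetical rules (an ICMP drop and a telnet reject) fill the IV structure through ips_classify(), and ips_verdict() makes the HandlePacket() decision of exactly one Netfilter verdict per packet. All function names, the two rules and the sample addresses are assumptions of the example; only the IV structure and the NF_DROP/NF_ACCEPT values come from the thesis and the kernel headers.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define NF_DROP      0     /* verdict values as in linux/netfilter.h */
#define NF_ACCEPT    1
#define IPPROTO_ICMP 1
#define IPPROTO_TCP  6
#define IPPROTO_UDP  17

typedef struct vals { int drop; int reject; int replace; int proto; } IV;      /* the thesis's IV */
typedef struct { int proto; uint32_t src, dst; uint16_t sport, dport;           /* decoded view, IP layer up */
                 const uint8_t *payload; size_t payload_len; } DecodedPkt;
typedef struct { int verdict; int send_reset; int reinject_payload; } Verdict;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Decode IPv4 + TCP/UDP/ICMP headers. Every length field is checked against the
 * buffer, so a truncated or lying packet yields -1 instead of an over-read. */
int ips_decode_ip(const uint8_t *buf, size_t len, DecodedPkt *d)
{
    if (len < 20 || (buf[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4, total = rd16(buf + 2);
    if (ihl < 20 || total < ihl || total > len) return -1;
    memset(d, 0, sizeof *d);
    d->proto = buf[9]; d->src = rd32(buf + 12); d->dst = rd32(buf + 16);
    const uint8_t *l4 = buf + ihl;
    size_t l4len = total - ihl, hdr = 8;                 /* UDP and ICMP: 8-byte header */
    if (d->proto == IPPROTO_TCP) {
        if (l4len < 20) return -1;
        hdr = (size_t)(l4[12] >> 4) * 4;                 /* data offset, options included */
        if (hdr < 20) return -1;
    } else if (d->proto != IPPROTO_UDP && d->proto != IPPROTO_ICMP) {
        return -1;                                       /* anything else is not decoded */
    }
    if (hdr > l4len) return -1;
    if (d->proto != IPPROTO_ICMP) { d->sport = rd16(l4); d->dport = rd16(l4 + 2); }
    d->payload = l4 + hdr; d->payload_len = l4len - hdr;
    return 0;
}

/* Two hypothetical rules standing in for the rule chain of section 4.3.2:
 *   drop   icmp any any -> any any     (the ping case of 4.4.2, as a drop)
 *   reject tcp  any any -> any 23      (end a telnet session with a reset)
 * A reject also sets drop, as the IPS_Reject* declarations of the thesis do. */
void ips_classify(const DecodedPkt *d, IV *iv)
{
    memset(iv, 0, sizeof *iv); iv->proto = d->proto;
    if (d->proto == IPPROTO_ICMP) iv->drop = 1;
    else if (d->proto == IPPROTO_TCP && d->dport == 23) iv->drop = iv->reject = 1;
}

/* The HandlePacket() decision: exactly one verdict per packet. */
Verdict ips_verdict(const IV *iv)
{
    Verdict v = { NF_ACCEPT, 0, 0 };
    if (iv->reject) v.send_reset = (iv->proto == IPPROTO_TCP); /* UDP would get ICMP unreachable */
    if (iv->drop || iv->reject) { v.verdict = NF_DROP; return v; }
    v.reinject_payload = iv->replace;                    /* replace == 1: hand back the rewritten payload */
    return v;
}

/* Full path: decode -> classify -> verdict. Undecodable input is dropped, never passed. */
Verdict ips_process(const uint8_t *buf, size_t len)
{
    DecodedPkt d; IV iv; Verdict undecodable = { NF_DROP, 0, 0 };
    if (ips_decode_ip(buf, len, &d) != 0) return undecodable;
    ips_classify(&d, &iv);
    return ips_verdict(&iv);
}

/* Constructed IPv4 test packet; checksums stay zero because this is test input, not wire traffic. */
size_t build_pkt(uint8_t *out, int proto, uint16_t sport, uint16_t dport, const char *data)
{
    static const uint8_t src[4] = {10, 8, 58, 1}, dst[4] = {10, 8, 58, 117};   /* constructed addresses */
    size_t hdr = (proto == IPPROTO_TCP) ? 20 : 8, dlen = strlen(data), total = 20 + hdr + dlen;
    memset(out, 0, total);
    out[0] = 0x45; out[2] = (uint8_t)(total >> 8); out[3] = (uint8_t)total; out[8] = 64; out[9] = (uint8_t)proto;
    memcpy(out + 12, src, 4); memcpy(out + 16, dst, 4);
    uint8_t *l4 = out + 20;
    if (proto == IPPROTO_ICMP) {
        l4[0] = 8;                                       /* echo request */
    } else {
        l4[0] = (uint8_t)(sport >> 8); l4[1] = (uint8_t)sport; l4[2] = (uint8_t)(dport >> 8); l4[3] = (uint8_t)dport;
        if (proto == IPPROTO_TCP) l4[12] = 0x50;         /* data offset 5, no options */
        else { l4[4] = (uint8_t)((8 + dlen) >> 8); l4[5] = (uint8_t)(8 + dlen); }
    }
    memcpy(out + 20 + hdr, data, dlen);
    return total;
}

/* Quick check: verdict for a constructed packet, optionally cut to `cut` bytes
 * (0 = not cut) to show how a truncated buffer is handled. */
Verdict verdict_for(int proto, uint16_t dport, const char *data, size_t cut)
{
    uint8_t buf[256];
    size_t n = build_pkt(buf, proto, 40000, dport, data);
    return ips_process(buf, (cut && cut < n) ? cut : n);
}
```

Two points the thesis's pseudocode leaves implicit are made explicit here: a packet that cannot be decoded (truncated, or with a length field larger than the buffer) is dropped rather than passed, and a reject implies a drop, so the reset goes out and the triggering packet never reaches its destination.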
4.3.4 Alarm output module
Snort has supported output plug-ins since version 1.6. They let alerts and logs be presented to the administrator in more flexible formats. After the preprocessors and the detection engine have run, the output plug-ins are invoked by Snort's alerting and logging subsystem. Without an output plug-in to process, store and format the data, packet analysis and traffic analysis would be of little use: the plug-in defines how data is stored, formatted and transmitted. Understanding the plug-in mechanism is enough to write one's own output plug-in for custom output. The relevant source code lives mainly in plugbase.c and in the files prefixed with spo. In addition, Snort can write alerts to a database through Barnyard2, and the alerts produced by Barnyard2 can be shown on the web front end; see Section 3.3 on building the Snort environment.
4.4 Test and results
4.4.1 Adding rules
First, create a new file in the /etc/snort/rules directory and write the rules in it with an editor. Then open /etc/snort/snort.conf with vim or another editor and use a search such as ":?<string>" to find the relevant lines. Fill in the key variables, for example:
ipvar HOME_NET 10.8.58.117/24
ipvar EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
(the HOME_NET value depends on the local network.) Then search for "include $RULE_PATH" to find the lines where rule files are included, and add the rule files we wrote, for example:
include $RULE_PATH/zzzalert.rules
include $RULE_PATH/xss.rules
Save and exit; the hand-written rules are now part of the Snort rule base. Snort's own rule base contains dozens of rule files, including ddos.rules, sql.rules, p2p.rules, ftp.rules, telnet.rules and so on. Because of the limited space and time available here, we test three kinds of access rule: ICMP ping access, DNS access from a web browser, and an XSS intrusion attempt.
4.4.2 ICMP PING test
First, write the following rule:
alert icmp any any -> $HOME_NET any (msg:"Getting pings from someone !!"; sid:10000004; rev:001;)
Ping the eth0 NIC of the intrusion prevention system from another PC; Snort generates alerts:
Figure 4-8 Test result of ICMP PING access, 1
On the eth1 card, use tcpdump to view the packets forwarded from the host:
Figure 4-9 Test result of ICMP PING access, 2
No packets from the source host 192.168.155.1 appear on eth1: the session has been blocked.
4.4.3 DNS test for internet access
First, write the following rule:
alert tcp any any -> any any (content:"www.taobao.com"; msg:"Someone is accessing TAOBAO !!"; sid:10000001; rev:001;)
Before Snort starts, replay the traffic with tcpreplay from the eth0 to the eth1 NIC:
Figure 4-10 Test result of DNS access when browsing, 1
Piping the tcpdump output through grep taobao filters out the packets associated with the site; a large number of packets from taobao.com are seen on eth1. After Snort starts, replay the capture taobao.pcap again; Snort generates alerts:
Figure 4-11 Test result of DNS access when browsing, 2
View eth1 with the command tcpdump -i eth1 -v | grep taobao, which without blocking would show many packets matching taobao:
Figure 4-12 Test result of DNS access when browsing, 3
No packets from taobao appear on eth1: the session has been blocked.
4.4.4 XSS intrusion access
Next, we test a rule against intrusion access behaviour; the very common XSS attack is chosen here.
XSS attacks can be used to steal authentication cookies and to reach restricted parts of web sites or other web applications. The usual test is to enter code wrapped in script tags into an input field, such as <script>alert("XSS")</script>; if the dialog box appears, the page has an XSS vulnerability. The key part of the attacking packet, analysed with Wireshark, is as follows:
Figure 4-13 Feature fields of the XSS attack packet
Since most XSS attacks insert a <SCRIPT> tag into a particular page request, this feature naturally leads to the following rule:
alert tcp any any -> any any (msg:"WEB_MISC XSS attempt"; content:"<SCRIPT>"; sid:10000005;)
Although an XSS attack triggers this rule, much normal traffic triggers it as well, for example an e-mail with embedded JavaScript, on which Snort also alerts. So we change the rule to trigger only on web traffic:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB_MISC XSS attempt"; content:"<SCRIPT>"; sid:10000005;)
However, a response packet from the server may contain a <SCRIPT> tag as normal traffic (JavaScript), so we use the flow option:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB_MISC XSS attempt"; flow:to_server,established; content:"<SCRIPT>"; sid:10000005;)
If an attacker changes the tag to <script>, <Script> and so on, the content option of the rule is evaded, so we add the nocase option:
alert tcp any any -> any any (msg:"XSS attempt!"; flow:to_server,established; content:"<SCRIPT>"; nocase; sid:10000005;)
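As an added example (not from the thesis or from Snort), the following C program reproduces the semantics of the rule options used in the refinement above: content with and without nocase, the $HTTP_PORTS destination and flow:to_server, evaluated over four constructed messages. Rule, Msg, rule_matches(), count_matches(), the sample traffic and the RULE_* constants are all assumptions of the example; flow:established is modelled as always true, since session tracking is the job of the stream preprocessor.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>

typedef enum { TO_SERVER, TO_CLIENT } Dir;

/* One application-layer message of an established TCP session (constructed test input). */
typedef struct { Dir dir; unsigned short dport; const char *payload; } Msg;

/* The subset of rule options used in 4.4.4. */
typedef struct {
    unsigned short dport;   /* 0 = any; 80 stands in for $HTTP_PORTS */
    int to_server;          /* flow:to_server,established */
    const char *content;    /* content:"..." */
    int nocase;             /* nocase */
} Rule;

/* Substring search that honours nocase: the content option compares bytes
 * exactly unless nocase is set, which is why "<script>" slips past "<SCRIPT>". */
static int contains(const char *hay, size_t n, const char *needle, int nocase)
{
    size_t m = strlen(needle);
    if (m == 0 || m > n) return 0;
    for (size_t i = 0; i + m <= n; i++) {
        size_t j = 0;
        while (j < m) {
            unsigned char a = (unsigned char)hay[i + j], b = (unsigned char)needle[j];
            if (nocase ? tolower(a) != tolower(b) : a != b) break;
            j++;
        }
        if (j == m) return 1;
    }
    return 0;
}

/* Evaluate one rule against one message: header options first, content last. */
int rule_matches(const Rule *r, const Msg *m)
{
    if (r->dport && m->dport != r->dport) return 0;
    if (r->to_server && m->dir != TO_SERVER) return 0;
    return contains(m->payload, strlen(m->payload), r->content, r->nocase);
}

/* Constructed traffic: an upper-case and a lower-case tag in requests to a web
 * server, a server response carrying its own script, and a mail message. */
static const Msg TRAFFIC[] = {
    { TO_SERVER, 80,    "GET /search?q=<SCRIPT>x</SCRIPT> HTTP/1.1\r\nHost: shop.example\r\n\r\n" },
    { TO_SERVER, 80,    "GET /search?q=<script>x</script> HTTP/1.1\r\nHost: shop.example\r\n\r\n" },
    { TO_CLIENT, 44321, "HTTP/1.1 200 OK\r\n\r\n<html><SCRIPT>var app = 1;</SCRIPT></html>" },
    { TO_SERVER, 25,    "From: a@example\r\nSubject: hi\r\n\r\n<SCRIPT>var x = 1;</SCRIPT>" },
};
#define NTRAFFIC (sizeof TRAFFIC / sizeof TRAFFIC[0])

/* The rule variants from the thesis, plus one that keeps $HTTP_PORTS and adds nocase. */
const Rule RULE_BARE   = { 0,  0, "<SCRIPT>", 0 };   /* content only                        */
const Rule RULE_HTTP   = { 80, 0, "<SCRIPT>", 0 };   /* -> $HTTP_SERVERS $HTTP_PORTS        */
const Rule RULE_FLOW   = { 80, 1, "<SCRIPT>", 0 };   /* ... plus flow:to_server,established */
const Rule RULE_FINAL  = { 0,  1, "<SCRIPT>", 1 };   /* thesis final: any any, flow, nocase */
const Rule RULE_STRICT = { 80, 1, "<SCRIPT>", 1 };   /* $HTTP_PORTS kept, flow, nocase      */

/* Number of constructed messages a rule alerts on. */
int count_matches(const Rule *r)
{
    int n = 0;
    for (size_t i = 0; i < NTRAFFIC; i++) n += rule_matches(r, &TRAFFIC[i]);
    return n;
}
```

Counting alerts over the constructed messages: the bare rule alerts on the mail message and on the server's own script as well as on the attack; restricting the destination to $HTTP_PORTS removes both, and nocase is what catches the lower-case tag. Because the final rule of the thesis goes back to any any, on this sample it alerts on the mail message again; keeping $HTTP_PORTS together with flow and nocase alerts only on the two requests.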
Before Snort starts, replay the traffic with tcpreplay from the eth0 to the eth1 NIC:
Figure 4-14 XSS intrusion access test result, 1
On eth1, view the traffic with tcpdump. Because the source IP is 1.0.0.4, the command tcpdump -i eth1 host 1.0.0.4 -v finds the relevant packets, and the terminal on eth1 shows a large number of packets from 1.0.0.4. After Snort starts, replay the capture xss.cap again; Snort generates alerts:
Figure 4-15 XSS intrusion access test result, 2
Now view eth1 with tcpdump again:
Figure 4-16 XSS intrusion access test result, 3
No XSS traffic appears on eth1: the session has been blocked.
Chapter 5 Summary and Outlook
5.1 Summary
Network security problems are becoming increasingly serious, not only for large enterprises but also for small and medium-sized businesses. Large enterprises have mature experience and security systems and face more complex security issues such as APT attacks. The security issues most enterprises face are XSS (cross-site scripting) attacks, SQL injection, CSRF, DDoS attacks and the like. But whether large or small, every business faces vulnerabilities in its own software, and an attacker can exploit zero-day vulnerabilities, which requires companies to respond to security threats quickly. Traditional network security measures are hard to put in place within a few days. Intrusion detection technology can be deployed rapidly but plays no defensive role. The intrusion prevention system is therefore the ideal solution: once researchers have analysed the characteristics of an attack on a vulnerability, the attacking packets can be filtered by writing rules and adding them to the rule base. In short, intrusion prevention technology is of great significance for rapid security response, and it has thus become a hot topic for today's security vendors and research institutes.
Starting from the purpose and design of the study, combined with the development trend of today's network security technology and building on network intrusion detection technology, this paper researches network intrusion prevention technology and the general structure, principles, rule syntax, detection algorithm and source files of the representative open-source intrusion detection system Snort, as well as the related projects Netfilter, iptables and Netlink, and mainly carries out the following work:
(1) Links Snort IDS, Barnyard2, MySQL and BASE together;
(2) Designs and implements the conversion of the IDS into an IPS: the packet capture module, intrusion detection module and response module are designed and rewritten using Snort, the libipq library and Netlink sockets;
(3) Writes rules that recognise ICMP ping operations, external network access and XSS attacks (the latter optimised and improved), and adds them to the Snort rule base. After traffic is replayed on the uplink card with tcpreplay, Snort generates alerts and discards the alerted packets through the Netlink interface, which can be observed with tcpdump on the downlink card.
5.2 Outlook
A relatively new direction in the network security field today is the convergence of security technologies, because a single network security product can no longer meet enterprises' demand for high performance. For a long time to come, the linkage and integration of a variety of security technologies will therefore remain a research trend in the network security field. Besides firewalls and intrusion detection technology, other defensive measures such as vulnerability scanning and honeypots should also be combined.
In addition, limited by ability and time, this paper leaves the following points for further research in future study and work:
(1) This paper has not addressed performance, which is the bottleneck of an IPS, so I will work on optimising the algorithms.
(2) This paper only uses a few typical test cases. For depth and generality, I will do further research on intrusion testing and performance testing to make the system more versatile.
(3) The tests in this paper are still analysed in the back-end terminal. Although the front end BASE is built, it only covers the intrusion detection module, so I will try to implement the front-end part if I continue working in this area.
References
[1] INFOSEC Institute. 2013 Data Breaches: All You Need to Know. http://resources.infosecinstitute.com/2013-data-breaches-need-know/
[2] Wikipedia (Chinese). Intrusion detection system. http://zh.wikipedia.org/wiki/入侵检测系统
[3] 韩国华 (Han Guohua). Research on rule matching methods of the Snort intrusion detection system [D]. Chongqing: Chongqing University, 2012.4.
[4] Wikipedia. Intrusion Detection System. http://en.wikipedia.org/wiki/Intrusion_detection_system
[5] Nitin, Mattord, Verma. Principles of Information Security. Course Technology. pp. 290–301. ISBN 978-1-4239-0177-8.
[6] NIST. Guide to Intrusion Detection and Prevention Systems (IDPS) (PDF). February 2007. Retrieved 2010-06-25.
[7] John R. Vacca (2010). Managing Information Security. Syngress. pp. 137–. ISBN 978-1-59749-533-2. Retrieved 29 June 2010.
[8] Engin Kirda, Somesh Jha, Davide Balzarotti (2009). Recent Advances in Intrusion Detection: 12th International Symposium, RAID 2009, Saint-Malo, France, September 23–25, 2009, Proceedings. Springer. pp. 162–. ISBN 978-3-642-04341-3. Retrieved 29 June 2010.
[9] Michael E. Whitman, Herbert J. Mattord. Principles of Information Security. Cengage Learning EMEA. pp. 289–. ISBN 978-1-4239-0177-8. Retrieved 25 June 2010.
[10] 王欣留 (Wang Xinliu). Building a Snort-based network intrusion prevention system [dissertation]. CNKI. Beijing University of Posts and Telecommunications, 2008.
[11] 刘金 (Liu Jin). A Linux-based intrusion prevention system [dissertation]. Wanfang Data Chinese dissertation full-text database. University of Electronic Science and Technology of China, 2006.
[12] Robert C. Newman. Computer Security: Protecting Digital Resources. Jones & Bartlett Learning. pp. 273–. ISBN 978-0-7637-5994-0. Retrieved 25 June 2010.
[13] Tim Boyles. CCNA Security Study Guide: Exam 640-553. John Wiley and Sons. pp. 249–. ISBN 978-0-470-52767-2. Retrieved 29 June 2010.
[14] Harold F. Tipton, Micki Krause. Information Security Management Handbook. CRC Press. pp. 1000–. ISBN 978-1-4200-1358-0. Retrieved 29 June 2010.
[15] 岳成刚 (Yue Chenggang). Research on a network intrusion detection system based on the Snort platform [dissertation]. CNKI. Hefei University of Technology, 2009.
[16] 韩运宝 (Han Yunbao). Research and improvement of a Snort-based intrusion detection system [dissertation]. CNKI. Beijing Jiaotong University, 2007.
[17] Doug Dineley, High Mobley. "The Greatest Open Source Software of All Time". Retrieved 2010-06-23.
[18] Wikipedia. Snort. http://en.wikipedia.org/wiki/Snort_(software)
[19] Mohan Krishnamurthy et al. (2008). "4. Introducing Intrusion Detection and Snort". How to Cheat at Securing Linux. Burlington, MA: Syngress Publishing Inc. Retrieved 2010-06-24.
[20] snort.org. Readme. http://www.snort.org
[21] 张宇 (Zhang Yu). Source code analysis and research of the network intrusion detection system Snort [dissertation]. CNKI. North China Institute of Water Conservancy and Hydroelectric Power, 2007.
[22] snort.org. Snort manual. http://www.snort.org
[23] netfilter.org. http://www.netfilter.org
[24] RFC 3549. Linux Netlink as an IP Services Protocol. https://tools.ietf.org/html/rfc3549
[25] Wikipedia. Netlink. http://en.wikipedia.org/wiki/Netlink
[26] 高平利 (Gao Pingli). Analysis and implementation of a Snort-based intrusion detection system. Computer Applications and Software, Vol. 23, No. 8, August 2006, pp. 135–138.
Acknowledgements
This graduation paper is finally finished after six months, as my first time of formally writing a dissertation, as well as of a dissertation defense. Limited by inexperience, there were many unexpected difficulties during the research. When the final results came out, I felt extremely happy. Whatever the outcome is, it will paint a wonderful period of my four years of life at BUPT, which lets me hold a devout vision of computer science. Through the thorough research of Snort, I feel the great charm of this open source project: to communicate with global top engineers in real time, the great potential of the project, the strong support of government and organizations, the enthusiasm of research scholars... which inspire me to proceed in this direction, because if I go on researching it in the future, it is very possible to make a new powerful system on the basis of this outstanding detection engine with its powerful packet decoding function and content matching capability.
Here, I would firstly thank Hongying Han, Li Yan, Shiyou Wang, Jinwei Guo and other members of my internship guidance unit, the Beijing R&D center of Nsfocus. They gave me a lot of suggestions, were strict with my work and helped me generously when I had problems. Those daily work diaries and weekly meetings cultivated my working habits. Secondly, I would thank professor Dongmei Zhang, dean Jiali Bian, professor Baojiang Cui, counselor Yilin Wang and the experts of the defense panels of my instructor unit, the School of Computer Science, Beijing University of Posts and Telecommunications. They gave me much precious advice on dissertation format and the art of presenting work properly. The strict interim defense ensured the good progress of the project, so I would show my appreciation again for the keen concern of the teachers. I would also thank Joel Esler, manager of the Snort community, as well as other members of the mailing list, who gave me the latest information and precious advice on the deployment of the Snort environment. The fast and patient mail replies let me feel the warmth and enthusiasm of IT engineers worldwide. Finally, I would thank again the experts and scholars cited in the references of this paper; without the help and inspiration from their findings, I would hardly have been able to finish the thesis independently.
Limited by my academic ability, there are inevitable inadequacies in this paper. Finally, I sincerely appreciate the precious advice and comments of scholars. I will listen to them carefully and try my best to improve.

 
Overview of SMB, NetBIOS and other network attacks
Overview of SMB, NetBIOS and other network attacksOverview of SMB, NetBIOS and other network attacks
Overview of SMB, NetBIOS and other network attacksDavid Sweigert
 
Passive monitoring to build Situational Awareness
Passive monitoring to build Situational AwarenessPassive monitoring to build Situational Awareness
Passive monitoring to build Situational AwarenessDavid Sweigert
 

Similar a Research of Intrusion Preventio System based on Snort (20)

Certified Ethical Hacking
Certified Ethical HackingCertified Ethical Hacking
Certified Ethical Hacking
 
Vulnerability threat and attack
Vulnerability threat and attackVulnerability threat and attack
Vulnerability threat and attack
 
Deterring hacking strategies via
Deterring hacking strategies viaDeterring hacking strategies via
Deterring hacking strategies via
 
DETERRING HACKING STRATEGIES VIA TARGETING SCANNING PROPERTIES
DETERRING HACKING STRATEGIES VIA TARGETING SCANNING PROPERTIESDETERRING HACKING STRATEGIES VIA TARGETING SCANNING PROPERTIES
DETERRING HACKING STRATEGIES VIA TARGETING SCANNING PROPERTIES
 
Access Control For Local Area Network Performance Essay
Access Control For Local Area Network Performance EssayAccess Control For Local Area Network Performance Essay
Access Control For Local Area Network Performance Essay
 
IRJET- Phishdect & Mitigator: SDN based Phishing Attack Detection
IRJET- Phishdect & Mitigator: SDN based Phishing Attack DetectionIRJET- Phishdect & Mitigator: SDN based Phishing Attack Detection
IRJET- Phishdect & Mitigator: SDN based Phishing Attack Detection
 
A theoretical superworm
A theoretical superwormA theoretical superworm
A theoretical superworm
 
Include at least 250 words in your posting and at least 250 words in
Include at least 250 words in your posting and at least 250 words inInclude at least 250 words in your posting and at least 250 words in
Include at least 250 words in your posting and at least 250 words in
 
CYBER ATTACKS ON INTRUSION DETECTION SYSTEM
CYBER ATTACKS ON INTRUSION DETECTION SYSTEMCYBER ATTACKS ON INTRUSION DETECTION SYSTEM
CYBER ATTACKS ON INTRUSION DETECTION SYSTEM
 
Ak03402100217
Ak03402100217Ak03402100217
Ak03402100217
 
Whitepaper | Network Security - How to defend your Plant against the threats ...
Whitepaper | Network Security - How to defend your Plant against the threats ...Whitepaper | Network Security - How to defend your Plant against the threats ...
Whitepaper | Network Security - How to defend your Plant against the threats ...
 
COMBINING NAIVE BAYES AND DECISION TREE FOR ADAPTIVE INTRUSION DETECTION
COMBINING NAIVE BAYES AND DECISION TREE FOR ADAPTIVE INTRUSION DETECTIONCOMBINING NAIVE BAYES AND DECISION TREE FOR ADAPTIVE INTRUSION DETECTION
COMBINING NAIVE BAYES AND DECISION TREE FOR ADAPTIVE INTRUSION DETECTION
 
DEPLOYMENT OF INTRUSION PREVENTION SYSTEM ON MULTI-CORE PROCESSOR BASED SECUR...
DEPLOYMENT OF INTRUSION PREVENTION SYSTEM ON MULTI-CORE PROCESSOR BASED SECUR...DEPLOYMENT OF INTRUSION PREVENTION SYSTEM ON MULTI-CORE PROCESSOR BASED SECUR...
DEPLOYMENT OF INTRUSION PREVENTION SYSTEM ON MULTI-CORE PROCESSOR BASED SECUR...
 
A05510105
A05510105A05510105
A05510105
 
Self Monitoring System to Catch Unauthorized Activity
Self Monitoring System to Catch Unauthorized ActivitySelf Monitoring System to Catch Unauthorized Activity
Self Monitoring System to Catch Unauthorized Activity
 
SHIELD_overview_presentation_INFOCOM2018.pptx
SHIELD_overview_presentation_INFOCOM2018.pptxSHIELD_overview_presentation_INFOCOM2018.pptx
SHIELD_overview_presentation_INFOCOM2018.pptx
 
Delve Labs - Upcoming Security Challenges for the Internet of Things
Delve Labs - Upcoming Security Challenges for the Internet of ThingsDelve Labs - Upcoming Security Challenges for the Internet of Things
Delve Labs - Upcoming Security Challenges for the Internet of Things
 
White paper surveillancepointmarket
White paper  surveillancepointmarketWhite paper  surveillancepointmarket
White paper surveillancepointmarket
 
Overview of SMB, NetBIOS and other network attacks
Overview of SMB, NetBIOS and other network attacksOverview of SMB, NetBIOS and other network attacks
Overview of SMB, NetBIOS and other network attacks
 
Passive monitoring to build Situational Awareness
Passive monitoring to build Situational AwarenessPassive monitoring to build Situational Awareness
Passive monitoring to build Situational Awareness
 

Research of Intrusion Prevention System based on Snort

In the second design method, we use a Netlink socket to connect kernel space and user space. We also save the kernel traffic in IP_QUEUE, and the actions generated by Snort are sent to kernel space through Netlink, using Netfilter to drop packets or reject the traffic.

Because of the limitations of the platform and environment, which make multithreading hard to perform, we choose the second method to modify Snort's packet capture module, intrusion detection module and response module, and use tcpreplay and tcpdump to observe the result on two network adapters.

KEY WORDS: IDS, IPS, Snort, Netlink, libipq
Content

Chapter 1 Introduction
1.1 Background and significance of this paper
1.2 Research status
1.3 Main content of this paper
Chapter 2 Introduction of IPS and IDS
2.1 Introduction of IDS system
2.1.1 Network Intrusion Detection System
2.2 Introduction of IPS system
2.2.1 Network Intrusion Prevention System
2.3 Differences and relations among IDS, IPS and firewall
2.4 CIDF standard
2.4.1 Architecture of CIDF system
2.4.2 Communication mechanism of CIDF
2.4.3 CIDF common intrusion specification language
2.4.4 CIDF API interface
Chapter 3 Analysis of Snort
3.1 Introduction of Snort
3.2 Characteristics of Snort
3.3 Build Snort environment
3.3.1 Snort installation
3.3.2 Barnyard2 installation
3.3.3 BASE installation
3.4 Theoretical analysis of Snort
3.4.1 Snort architecture and modules
3.4.2 Snort workflow
3.5 Snort rules parsing
Chapter 4 Design and Realization of IPS based on Snort
4.1 Introduction of Netfilter
4.1.1 Understand Netfilter
4.1.2 Structure of Netfilter
4.1.3 Netlink sockets
4.2 NIPS system top layer design
4.2.1 Use Iptables as linkage
4.2.2 Design of NIPS using Netlink sockets
4.3 NIPS Design and Implementation
4.3.1 Packet capture module
4.3.2 Intrusion detection module
4.3.3 Response module
4.3.4 Alarm output module
4.4 Test and Results
4.4.1 Rules Adding
4.4.2 ICMP PING test
4.4.3 DNS test for internet access
4.4.4 XSS intrusion access
Chapter 5 Summarization and Prediction
5.1 Summarization
5.2 Future expectation
Reference
Appreciation
Chapter 1 Introduction

1.1 Background and significance of this paper

Cybersecurity has been a focus of industry since the birth of the internet, and security defenses have kept developing as new kinds of network attack emerge. During ordinary activities such as browsing websites, watching videos, downloading music or handling e-mail, we may be exposed to malicious mobile applications, phishing e-mails and website redirection attacks. In particular, skilled attackers with a clear purpose gather information about a target person through social engineering and then send malicious links, combined with zero-day vulnerabilities, which leads to incalculable damage. In 2010 the Iranian government confirmed that its Bushehr nuclear power plant had been attacked by the Stuxnet worm; in 2011 RSA's SecurID technology and customer data were partly stolen.

According to Symantec's statistics, in 2014 there were 10,000,000 alarm ID disclosures, compared with 8,000,000 in 2013 and 1,000,000 in 2012 [1]. Risk Based Security and the Open Security Foundation studied 2,164 security incidents in 2013, corresponding to 822,000,000 alarms, of which business accounted for 53.4% of the incidents, government for 19.3%, medicine for 11.5% and education for 8.2%. Among countries and regions, the United States was the most attacked, suffering 66.5% of the 822,000,000 alarms; South Korea ranked second with 17.1%; Australia third with 5.2%; Sweden fourth with 3.5%; Japan fifth with 2.7%; China sixth with 1.5%; the UK seventh with 1.4%; Taiwan eighth with 0.8%; Germany ninth with 0.3%; and Canada tenth with 0.2%. The number of security incidents in recent years also shows a trend of exponential growth, as shown in Figure 1-1 [1].

Figure 1-1 Security incident statistics in the past five years [1]

Leading telecommunications operator Verizon published a survey of data leakage (Data Breach Investigations Report, DBIR) in 2014, which analyzed the data breaches and major incidents of 2013. The DBIR collected information on 1,367 confirmed cases of data leakage and 63,437 security incidents from 50 companies in 95 countries. Verizon's experts classified these mainstream incidents into the following nine kinds: 1. POS intrusion; 2. web application attacks; 3. internal misuse; 4. physical theft or loss; 5. miscellaneous error; 6. malicious software; 7. card skimmers; 8. DoS attack; 9. cyber espionage. The data are as follows [1]:

Figure 1-2 Security type statistics

As shown, cybersecurity events such as web application attacks, DoS attacks, malicious software and cyber espionage account for around 60 percent and are therefore the main source of security incidents. Most companies place much more emphasis on network security in order to protect trade secrets and property. To protect their hosts or servers from attack, enterprises often deploy intrusion detection or prevention systems, firewalls, anti-virus software and other security products, in software or hardware form, in their internal network or on individual hosts. However, in an ever more complex network environment it is almost impossible to design an absolutely secure and reliable network defense system that resists every intrusion.

Conventional security measures include access control, password authentication, firewalls, intrusion detection, intrusion prevention and so on. Access control, password authentication and firewalls are very traditional defensive measures that have difficulty blocking many new intrusions effectively. Therefore we need a device that can be deployed quickly and to which rules can promptly be added to block the latest attacks. Intrusion detection systems and intrusion prevention systems have these features. Intrusion detection technology produces warnings by analyzing intrusion traffic packets and matching rules; a defense system then blocks the attack by discarding the alerted packets. When new vulnerabilities appear, the system can intercept the new attacks as long as new rule files are added to the intrusion detection or prevention system and enabled. But intrusion detection technology only detects and alarms; it does not block attacks. Although this may reduce the risk of false positives, for non-IT companies lacking skilled security staff it will still result in information leaks and other security incidents. In February 1998, Secure Networks Inc. pointed out many weaknesses of IDS: the detection of data, and the protection of the IDS itself against attack. With the rapid development of networks, the network transfer rate has greatly accelerated, placing a great burden on IDS and making the detection of aggressive behavior less reliable. Meanwhile, while the IDS responds to attacks against itself, its detection of other traffic is also suppressed [2]. Therefore it is important for many enterprises to have an intrusion prevention system that not only detects intrusions but also intercepts them in real time.

1.2 Research status

At present intrusion detection systems are generally divided into two major categories: open source and commercial. Owing to the instability of the maintaining organization (loss of core staff, major changes in the organization's structure, business acquisitions, etc.), open source intrusion detection systems usually update slowly, have poor stability and compatibility, are not easy to use and have incomplete documentation. Commercial intrusion detection systems have great advantages in these areas and better service, but their cost is usually high and SMEs can hardly afford them. Intrusion prevention systems have no open source version so far, mainly because their detection engine is generally the same as that of the intrusion detection system, which reduces the development man-hours.

In the open-source area, Snort has been the industry standard intrusion detection system for years. It was developed by Professor Marty Roesch of Carnegie Mellon University in 1998. After Roesch founded the company Sourcefire, Snort was maintained by Sourcefire between 2003 and 2013. Cisco then acquired Sourcefire in 2013, so Cisco engineers now maintain the Snort project. The Suricata maintenance organization OISF (Open Information Security Foundation, funded by the Department of Homeland Security) released a new signature-based intrusion detection engine in 2009. Suricata is an open source engine that aims to become the next generation of intrusion detection system. Suricata has native multi-threaded operation and practical features to make use of network bandwidth. Suricata has also improved state-based analysis compared to Snort. A typical Snort can process network traffic at a rate of 100-200 megabytes per second before reaching the CPU limit or suffering packet loss, and many of today's networks have approached or exceeded this limit. Suricata is therefore likely to become a popular product with many features as soon as it comes out. Because of its open source nature, its active community and its successful business operation, it has been able to compete with Snort, so it is of significance to evaluate its value.

1.3 Main content of this paper

We base our work on the most representative open-source IDS project, Snort, to design and realize its intrusion prevention module. After a brief introduction of network intrusion detection systems (NIDS) and network intrusion prevention systems (NIPS), including their concept, structure, application scenarios and differences, this paper makes a thorough study of Snort. We use Barnyard2, MySQL and BASE to deploy the infrastructure, write, optimize and test rules, and design a method to transform the NIDS into a NIPS.

This paper presents two design methods. In the first, we use multithreading to let kernel traffic pass through IP_QUEUE, a buffer queue in the kernel managed by the Netfilter framework. Another thread stores the source/destination IP and port of each packet alerted by Snort in a quadruple blacklist. We then modify the filter rules of the Iptables firewall and send a semaphore to IP_QUEUE to let the traffic pass to Iptables, which rejects the alerted traffic by its firewall rules. In the second design method, we use a Netlink socket to connect kernel space and user space. We also save the kernel traffic in IP_QUEUE, and the actions generated by Snort are sent to kernel space through Netlink, using Netfilter to drop packets or reject the traffic. Because of the limitations of the platform and environment, which make multithreading hard to perform, we choose the second method to modify Snort's packet capture module, intrusion detection module and response module, and use tcpreplay and tcpdump to observe the result on two network adapters.
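The first design method above, as an added example that is not code from the thesis or from Snort: the Netfilter queue, the Snort detector and Iptables are all stand-ins simulated in one process. The detector is a constructed marker match, the quadruple is the thesis's (src IP, dst IP, src port, dst port), and the `-I FORWARD` chain placement in the generated rule string is an assumption, since this section does not name the chain. It shows why the blacklist matters: the second packet of the alerted session carries nothing suspicious on its own, yet it is dropped because its quadruple is already listed.

```python
"""Added example (not code from the thesis or from Snort): the quadruple
blacklist of the first design method, driven by a stand-in for Snort's
alert output. The kernel side (IP_QUEUE, Netlink, Iptables) is simulated
in-process; the rule strings are only generated, never executed."""
from dataclasses import dataclass, field
from typing import Callable, List, Set, Tuple

Quadruple = Tuple[str, str, int, int]  # (src_ip, dst_ip, src_port, dst_port)


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes


def iptables_drop_rule(key: Quadruple) -> str:
    """Render the filter rule added for one blacklisted quadruple (string
    only; applying it needs root and a real Iptables). The FORWARD chain
    is an assumption, the thesis section does not name the chain."""
    src, dst, sport, dport = key
    return (f"iptables -I FORWARD -p tcp -s {src} -d {dst} "
            f"--sport {sport} --dport {dport} -j DROP")


@dataclass
class InlineIPS:
    """Verdict loop of an in-line IPS: each queued packet is checked against
    the blacklist first, then handed to the detector (Snort stand-in)."""
    detector: Callable[[Packet], bool]            # True when the packet alerts
    blacklist: Set[Quadruple] = field(default_factory=set)
    rules_issued: List[str] = field(default_factory=list)

    def verdict(self, pkt: Packet) -> str:
        key: Quadruple = (pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port)
        if key in self.blacklist:
            return "DROP"          # later packets of an already alerted session
        if self.detector(pkt):
            self.blacklist.add(key)
            self.rules_issued.append(iptables_drop_rule(key))
            return "DROP"          # the alerted packet itself
        return "ACCEPT"


def process_stream(ips: InlineIPS, packets: List[Packet]) -> List[str]:
    """Replay a packet list through the IPS in arrival order, as the
    IP_QUEUE handoff would, and collect the per-packet verdicts."""
    return [ips.verdict(p) for p in packets]


# constructed stand-in for a Snort rule: alert on a constructed marker string
MARKER = b"CONSTRUCTED-ATTACK-MARKER"


def marker_detector(pkt: Packet) -> bool:
    return MARKER in pkt.payload


def demo():
    """Constructed traffic: a benign session interleaved with a session whose
    first packet alerts and whose later packet looks harmless on its own."""
    stream = [
        Packet("10.0.0.5", "10.0.0.80", 40001, 80, b"GET / HTTP/1.1\r\n"),
        Packet("10.0.0.9", "10.0.0.80", 40002, 80, b"GET /?q=" + MARKER),
        Packet("10.0.0.9", "10.0.0.80", 40002, 80, b"Host: example\r\n"),
        Packet("10.0.0.5", "10.0.0.80", 40001, 80, b"Host: example\r\n"),
    ]
    ips = InlineIPS(detector=marker_detector)
    verdicts = process_stream(ips, stream)
    return verdicts, sorted(ips.blacklist), ips.rules_issued


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Two points a deployment would add that this section leaves open: the blacklist is keyed in one direction only, so the server's replies to the blocked client are not covered unless the reverse quadruple is listed as well, and entries never expire, so a false positive blocks that client/port pair until the rule is removed by hand.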
Chapter 2 Introduction of IPS and IDS

2.1 Introduction of IDS system

An Intrusion Detection System (IDS) is a software or network security device that monitors the state of network transmission in real time in accordance with a certain security policy. When it finds a suspicious transfer it alerts or takes proactive response measures, and then generates reports to management stations. Compared with other types of network security device, IDS is a positive security technology that ensures the availability, confidentiality and integrity of network systems. By collecting and analyzing information at key points of a computer network or system, it can check whether there are signs of attack or of violations of the security policy in the network or system.

IDS first appeared in April 1980, when James P. Anderson wrote a technical report for the US Air Force entitled "Computer security threat monitoring and surveillance" that put forward the concept of IDS; it is recognized as the groundbreaking work of intrusion detection technology. In the mid-1980s IDS gradually developed into the Intrusion Detection Expert System (IDES). In 1990, according to the object monitored, IDS differentiated into the network-based Intrusion Detection System (NIDS) and the host-based Intrusion Detection System (HIDS); later the Distributed Intrusion Detection System (DIDS) appeared [2]. Since the cost of a host-based intrusion detection system is extremely high and its application is not popular, in this paper we discuss the Network Intrusion Detection System (NIDS).

2.1.1 Network Intrusion Detection System

A Network Intrusion Detection System usually uses a NIC working in promiscuous mode to monitor in real time and analyze the data streams passing through. Deployed at a strategic point, that is, a network point where it can capture all the traffic of the devices, the packet sniffer module captures all the traffic of a certain network segment, analyzes the traffic of the entire subnet and matches the traffic transferred to the subnet against the known attack library. The decoding module then decodes packets by protocol, and the packet analysis module uses statistical analysis, pattern matching and integrity analysis tools to analyze packets, using pattern matching algorithms to match rules and identify attacks. Once an attack is identified or malicious behavior is sensed, the response analysis module responds and sends an alarm message to the administrator. An example of NIDS use is installing it in the subnet behind a deployed firewall to see whether someone is trying to break through the firewall. Ideally it scans all incoming and outgoing flows, but this may create a bottleneck and be detrimental to the overall speed of the network. Both OPNET and NetSim are common tools for simulating network intrusion detection [4]. The number of rules in the rule base and the data processing capability determine the intrusion detection ability of a NIDS. The processing capacity of current commercial NIDS has reached the 10 trillion level. NIDS takes few host resources and does not care about differences in host architecture.

All intrusion detection systems use one of two detection methods: statistical anomaly-based or signature-based. A statistical anomaly-based IDS monitors network traffic and compares it with an established baseline, which identifies what is normal for the network: what level of bandwidth, which protocols, and what ports and devices connect to each other. When abnormal flow severely different from the baseline is detected, an alarm is sent to the administrator. When the baseline is not configured intelligently, it may raise an alarm for reasonable bandwidth usage [5]. A signature-based IDS monitors the network and compares it with the attributes of known malicious packets in a signature database. This is similar to the way most anti-virus software detects malicious software. There is a delay between the appearance of a new threat and the availability of its signature in the IDS, during which the IDS cannot detect the new threat.

2.2 Introduction of IPS system

An Intrusion Prevention System (IPS), also known as an intrusion detection and prevention system (IDPS), is a device that monitors a network and/or system for malicious acts. The main functions of an intrusion prevention system are to identify malicious behavior, record information about it, attempt to block it and report it [6]. Embedded directly into the network traffic (receiving external network traffic through the uplink NIC), the IPS checks that the traffic is free of abnormal or suspicious content and then passes it through the downlink NIC to the internal system. A packet detected as problematic, and subsequent packets from the same session (the same source IP and port), are promptly blocked and dropped by the IPS.

Intrusion prevention systems can be divided into four types [6] [7]:
1. Network Intrusion Prevention System (NIPS): monitors the entire network for suspicious traffic by analyzing protocol activity.
2. Wireless Intrusion Prevention System (WIPS): monitors a wireless network for suspicious traffic by analyzing wireless network protocols.
3. Network Behavior Analysis (NBA): examines network traffic to identify threats that generate unusual traffic flows, such as Distributed Denial of Service (DDoS) attacks, certain forms of malware and policy violations.
4. Host Intrusion Prevention System (HIPS): an installed software package that monitors a single host for suspicious activity by analyzing events occurring within that host.
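The two detection methods of section 2.1, as an added example that is not from the thesis: a signature-based detector and a statistical anomaly-based detector run over the same constructed traffic so their blind spots can be compared. The signature database, the packet records and the baseline window are all constructed for the example; the anomaly detector uses a mean plus k standard deviations rule on packets per interval together with a set of known destination ports, which is one simple instance of the baseline the text describes, not a standard algorithm.

```python
"""Added example (not from the thesis): the two IDS detection methods of
section 2.1, signature-based and statistical anomaly-based, run over the
same constructed traffic so their blind spots can be compared."""
import statistics
from collections import Counter

# constructed signature database (name -> byte pattern); real content would
# come from Snort rules, these markers are invented for the example
SIGNATURES = {
    "constructed-web-probe": b"/cgi-bin/CONSTRUCTED-PROBE",
    "constructed-shell-marker": b"CONSTRUCTED-SHELL-MARKER",
}


def signature_detect(packets):
    """Signature-based: alert when a known pattern is found in a payload.
    Anything without a signature (a new threat, a flood of normal-looking
    packets) goes unnoticed."""
    alerts = []
    for index, pkt in enumerate(packets):
        for name, pattern in SIGNATURES.items():
            if pattern in pkt["payload"]:
                alerts.append((index, name))
    return alerts


def build_baseline(training):
    """Statistical anomaly-based, learning phase: packets per time interval
    (mean and standard deviation) and the destination ports seen as normal."""
    per_interval = Counter(pkt["t"] for pkt in training)
    counts = list(per_interval.values())
    return {
        "mean": statistics.mean(counts),
        "sd": statistics.pstdev(counts),
        "ports": {pkt["dst_port"] for pkt in training},
    }


def anomaly_detect(baseline, packets, k=3.0):
    """Detection phase: alert on an interval whose packet count exceeds
    mean + k*sd, and on any destination port absent from the baseline.
    No payload is inspected, so a single probe inside normal volume passes."""
    alerts = []
    threshold = baseline["mean"] + k * baseline["sd"]
    for t, n in sorted(Counter(pkt["t"] for pkt in packets).items()):
        if n > threshold:
            alerts.append((t, f"rate {n} > {threshold:.1f}"))
    for pkt in packets:
        if pkt["dst_port"] not in baseline["ports"]:
            alerts.append((pkt["t"], f"new port {pkt['dst_port']}"))
    return alerts


def constructed_training():
    """Ten quiet intervals of plain web traffic (4 to 6 packets each)."""
    window = []
    for t, n in enumerate([4, 5, 6, 5, 4, 5, 6, 5, 4, 6]):
        window += [{"t": t, "dst_port": 80, "payload": b"GET / HTTP/1.1"}] * n
    return window


def constructed_test_traffic():
    """Interval 10: normal volume hiding one signature hit.
    Interval 11: a burst of 20 packets, one of them to a port never seen."""
    normal = {"t": 10, "dst_port": 80, "payload": b"GET / HTTP/1.1"}
    burst = {"t": 11, "dst_port": 80, "payload": b"GET / HTTP/1.1"}
    probe = {"t": 10, "dst_port": 80,
             "payload": b"GET /cgi-bin/CONSTRUCTED-PROBE HTTP/1.1"}
    telnet = {"t": 11, "dst_port": 23, "payload": b"\xff\xfb\x01"}
    return [normal] * 4 + [probe] + [burst] * 19 + [telnet]


def demo():
    """Run both detectors over the constructed traffic and return their alerts."""
    packets = constructed_test_traffic()
    baseline = build_baseline(constructed_training())
    return signature_detect(packets), anomaly_detect(baseline, packets)


if __name__ == "__main__":
    sig_alerts, anomaly_alerts = demo()
    print("signature:", sig_alerts)
    print("anomaly:  ", anomaly_alerts)
```

The outcome is the complementary blind spot the text names: the probe carrying a known signature is found only by the signature detector, because it hides inside normal volume, while the burst and the unseen port are found only by the anomaly detector, because no signature exists for them. A baseline with no variance (every training interval identical) makes the threshold equal to the mean, so a single extra packet already alarms; that is the poorly configured baseline the text warns about.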
Most intrusion prevention systems use one of the following three detection methods: signature-based, statistical anomaly-based and stateful protocol analysis [8].
1. Signature-based detection: a signature-based IDS monitors packets in the network and compares them with pre-configured and pre-determined attack patterns known as signatures.
2. Statistical anomaly-based detection: a statistical anomaly-based IDS determines the normal network activity (what sort of bandwidth is generally used, what protocols are used, what ports and devices generally connect to each other) and alerts the administrator or user when traffic is detected that is anomalous (not normal).
3. Stateful protocol analysis detection: this method identifies deviations of protocol states by comparing observed events with "predetermined profiles of generally accepted definitions of benign activity" [9].

2.2.1 Network Intrusion Prevention System

Since the cost of a host-based intrusion prevention system is extremely high and the other types of intrusion prevention system are not widely applied, we mainly discuss the network-based intrusion prevention system in this paper. By inspecting the network traffic flow, a network intrusion prevention system provides security defense for the network system. As it is connected in series, once an intrusion is identified NIPS can block the entire network session rather than just reset the session. Because it is online in real time, NIPS needs very high performance to avoid becoming a bottleneck of the network. Therefore NIPS is typically designed as a network device like a switch, providing several network ports with a decent throughput rate. Built on a particular hardware platform, it can inspect gigabit-level traffic and implement blocking actions. This particular hardware platform can generally be divided into three categories: the first is the network processor (NP) chip; the second is an application-specific ASIC chip; the third is a dedicated programmable FPGA chip. At present most security manufacturers produce 100M-level NIPS; few can produce gigabit-level NIPS, and their performance is not ideal.

Technically, NIPS has absorbed all the mature technologies of IDS, including protocol analysis, feature matching and anomaly detection. Feature matching is the most widely applied, with high speed and accuracy. Feature-based matching can detect not only attack features but also the session state of the current network, to avoid being deceived by evasion attacks. To ensure performance, most commercial IPS devices use protocol analysis to classify packets and detect them by matching multiple rules in parallel [10].

2.3 Differences and relationships of IPS, IDS and firewall

In general an intrusion prevention system is considered an extension of the intrusion detection system, because both monitor network traffic and/or systems for malicious behavior. But in fact IPS largely has the essential characteristics of both IDS and firewall. Similar to the deployment location of a firewall, it is connected in series in the network: all network traffic must flow through the IPS, which avoids the omission problem caused by bypass deployment. Like a firewall, it also maintains a session table containing source and destination IP and port. Like an IDS detection engine, it has statistical analysis and pattern matching. The detection engine is the core of the device, so commercial security equipment manufacturers are able to produce both IDS and IPS simultaneously, because both share the same detection engine, and that is why there are only IDS projects among current open source projects.

An intrusion detection system (IDS) differs from a firewall because a firewall prevents intrusion from the outside: it restricts access between networks to defend against intrusion, rather than alarming on attacks from the internal network. When an alarm is raised, the IDS evaluates the suspected intrusion. IDS also observes attacks from inside the system. Systems that can terminate connections are called intrusion prevention systems, another form of application-layer firewall.

A traditional firewall can only inspect packets at the network layer and transport layer and cannot inspect content at the application layer. In other words, the firewall only checks the packet header and does nothing with the payload, so in fact it examines only a small part of the packet. For example, an HTTP worm attacks a www server through TCP port 80. The firewall regards it as a normal connection request because its packet structure is normal and allows it to access the www server, while an IPS checks the packet byte by byte, reassembles fragments and restores the data stream for inspection, and is thereby able to discover the network attack [11].

The main difference between IPS and IDS is that, unlike an intrusion detection system, which works out of band in bypass mode monitoring hosts, an intrusion prevention system can be placed in-line and block intrusions in real time [9] [12]. The deployment positions are shown in Figure 2-1. The in-line (series) arrangement ensures that all network traffic passes through the IPS device. Whereas an intrusion detection system only raises alarms, an IPS provides proactive protection by implementing actions such as sending a warning, discarding malicious packets, resetting the connection and blocking traffic from the offending IP address [13]. IPS can also correct CRC (cyclic redundancy check) errors, reassemble fragmented data streams, prevent TCP sequencing problems and remove unwanted routing and network layer options [12] [14]. An IDS can not only provide an additional level of security but also increase the complexity of enterprise security operations. In a passive system, the intrusion detection system's sensor detects potential security violations, records the information and signals a warning at the console or to the user [13]. In a real-time system, also known as an Intrusion Prevention System (IPS), malicious network traffic connections can be blocked by resetting the connection or reprogramming the firewall.
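The HTTP worm case from the text, as an added example that is not code from the thesis: a header-only firewall check, a per-packet signature match and an IPS check on the reassembled stream, all applied to one constructed session. The worm signature is a constructed marker rather than a real rule, and the reassembler assumes segments do not overlap; a real stream reassembler such as Snort's has to resolve overlapping retransmissions according to the receiving host's policy.

```python
"""Added example (not from the thesis): why a header-only firewall passes an
application-layer attack on TCP port 80 while an IPS that reassembles the
stream catches it. The worm signature is a constructed marker, not a real
Snort rule, and the reassembler assumes non-overlapping segments."""

SIGNATURE = b"CONSTRUCTED-WORM-SIGNATURE"   # constructed stand-in for a rule's content


def firewall_header_check(segment, allowed_ports=(80, 443)):
    """Traditional firewall: decides on layer-3/4 fields only; the payload
    is never looked at, so a well-formed request to port 80 always passes."""
    return "ACCEPT" if segment["dst_port"] in allowed_ports else "DROP"


def per_packet_match(segments):
    """Naive matcher: look for the signature inside each segment separately.
    A pattern that straddles two segments is invisible to it."""
    return any(SIGNATURE in s["payload"] for s in segments)


def reassemble(segments):
    """Stream reassembly: order segments by TCP sequence number, keep the
    first copy of a retransmitted segment, and concatenate the payloads.
    Assumes segments do not overlap (real reassemblers must handle that)."""
    by_seq = {}
    for s in segments:
        by_seq.setdefault(s["seq"], s["payload"])
    return b"".join(by_seq[seq] for seq in sorted(by_seq))


def ips_stream_check(segments):
    """IPS: inspect the reassembled application data, as the text describes
    (byte-level check on the restored data stream)."""
    return "DROP" if SIGNATURE in reassemble(segments) else "ACCEPT"


def demo():
    """Constructed session: a normal-looking HTTP request whose signature is
    split across two segments that also arrive out of order, plus one
    retransmission of the first segment."""
    head = b"GET /index.html?x=" + SIGNATURE[:10]
    tail = SIGNATURE[10:] + b" HTTP/1.1\r\n"
    segments = [
        {"dst_port": 80, "seq": len(head), "payload": tail},   # arrives first
        {"dst_port": 80, "seq": 0, "payload": head},
        {"dst_port": 80, "seq": 0, "payload": head},           # retransmission
    ]
    return {
        "firewall": [firewall_header_check(s) for s in segments],
        "per_packet": per_packet_match(segments),
        "ips": ips_stream_check(segments),
    }


if __name__ == "__main__":
    print(demo())
```

The firewall accepts every segment because each one is a well-formed packet to port 80, and per-packet matching also misses the signature because it straddles two segments; only the check on the reassembled stream drops the session. That is the practical reason the text gives for an IPS restoring the data stream before inspection.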
A reasonably successful intrusion prevention system can detect or filter almost all of the traffic flowing through it, and its active blocking capability is far stronger than that of a firewall or an IDS.

[Figure 2-1 Deployment of IDS and IPS. Left: attacker, external network, firewall, switch and hosts, with the IDS attached to the switch on a mirror port; right: the same topology with the IPS placed in-line between the firewall and the switch.]

2.4 CIDF standard

CIDF, the Common Intrusion Detection Framework, is a project initiated by DARPA, the Defense Advanced Research Projects Agency. CIDF attempts to standardise intrusion detection by defining protocols and application interfaces, so that intrusion detection research projects can share information and resources and intrusion detection components can be reused in other systems. The CIDF model calls the data to be analysed an event. The event generator collects events from the whole computing environment and supplies them to the other parts of the system; the event analyzer analyses the data it receives and produces analysis results; the response unit is the functional unit that reacts to those results, by disconnecting or merely alarming; and the event database is the general term for the places where intermediate and final data are kept, which may be a database or a text file. CIDF covers four areas: IDS architecture, communication mechanisms, a description language, and an application programming interface (API) [15].

2.4.1 Architecture of a CIDF system

CIDF proposes a general model, based on IDES and NIDES, that divides an intrusion detection system into four components:

Event Generators: the event generator collects events from the whole computing environment but does not process them. Events are converted into Generalized Intrusion Detection Objects (GIDOs), a standard format that the other components consume;
Event Analyzers: the event analyzer analyses the data it obtains and produces analysis results;
Response Units: a response unit is the functional unit that reacts to the analysis results; the reaction may be strong, such as changing file attributes, or as simple as an alarm;
Event Databases: the event database is the general name for the places where intermediate and final data are stored, which may be a database or a text file.

The first three are usually realised as applications, while the event database appears as a file or a data stream. The four components are logical entities only: a component may be a process or even a thread on one computer, or several processes on several computers, exchanging data in GIDO format. Their relationship is shown below:

Figure 2-2 CIDF framework [16]

2.4.2 Communication mechanism of CIDF

CIDF structures communication as a three-layer model: the GIDO layer, the message layer and the transport negotiation layer. The GIDO layer improves interoperability between components and is concerned with the semantics of the information conveyed. The message layer provides reliability, with encryption and authentication, for messages that cross devices such as firewalls and NAT. The transport negotiation layer specifies the mechanism by which GIDOs are transported between the various components.

2.4.3 CIDF Common Intrusion Specification Language

The overall goal of CIDF is software reuse and interoperability between intrusion detection and response components. To that end CIDF defines an application-layer language, the Common Intrusion Specification Language, to describe the information exchanged between intrusion detection components, together with a set of protocols for encoding that information.

2.4.4 CIDF API

The CIDF API provides for the encoding, decoding and transmission of GIDOs. Through the callback functions it supplies, programmers can construct and deliver GIDOs in a simple way without knowing the details of the encoding and delivery process. Generating a GIDO takes two steps: first a tree structure representing the GIDO is built, then that structure is compiled into bytecode.
Chapter 3 Snort system analysis

3.1 Introduction of Snort

Snort is a free, open-source network intrusion detection system written in C by Martin Roesch and first released in 1998. Until 2013 it was developed by Sourcefire, the company Roesch founded and served as CTO. In 2009 Snort was inducted into InfoWorld's Open Source Hall of Fame as one of the "greatest open source software of all time" [17]. Cisco acquired Sourcefire in 2013, and Cisco engineers now maintain the Snort project. Snort has an active open-source community in which practitioners worldwide take part in group discussions and send suggestions by e-mail, which the community managers relay to the developers.

Snort performs real-time traffic analysis and packet logging on IP networks. It combines protocol analysis with pattern matching to detect anomalies, misuse and attacks. These basic services have many uses, including triggering quality-of-service policies, for example lowering the priority of bulk traffic while delay-sensitive applications are in use [18]. Snort can also detect probes and attacks including, but not limited to, operating system fingerprinting attempts, common gateway interface (CGI) attacks, buffer overflows, server message block (SMB) probes and stealth port scans [19].

3.2 Characteristics of Snort

(1) Open source. Snort is distributed under the GNU General Public License (GPL), so any organisation or individual may use it freely. It is a very good open-source project and is regarded as the industry standard for intrusion detection technology.

(2) Plug-in mechanism. Snort's plug-in mechanism makes it highly extensible. Plug-ins currently available include an XML plug-in, a port-scan detection plug-in, a database log output plug-in, an HTTP URL normalisation plug-in, a fragmented-packet inspection plug-in and others, which lets Snort serve as a dynamic part of an overall network security solution.

(3) Cross-platform, lightweight deployment. Snort runs on Windows x86, Linux, FreeBSD, OpenBSD, NetBSD and other operating systems, and is also supported on Solaris, SPARC, Mac OS X and PowerPC. Being cross-platform and light to deploy makes it more flexible than commercial systems.

(4) Flexible and powerful rule language. Snort uses a flexible and powerful rule language to describe the activity it should treat as malicious. With the appropriate plug-in modules it can also act as an analysis engine that detects and responds in real time: sending alerts, writing logs, or, when deployed in-line, dropping sessions or packets [20]. This lets Snort react quickly to new network attacks and close gaps in network security promptly.

(5) Several operating modes. Snort can be configured in three main modes: sniffer, packet logger and network intrusion detection. In sniffer mode it reads packets from the network and displays them on the console. In packet logger mode it records the packets to disk. In intrusion detection mode it monitors network traffic, analyses it against a user-defined rule set, takes the action each rule specifies and generates and outputs alerts.

(6) Several output modes. Snort's output modules are varied: log files, syslog, alert files and other formats, selected in snort.conf. Logs can be written in binary or ASCII format. Snort could also write alerts directly to a database (MySQL, PostgreSQL, Oracle or any ODBC database on Unix), but that code was removed in the Snort 2.9.x series and the developers set up a separate project, Barnyard2, to import Snort's records into a database (see the Snort blog post "Database output is dead. RIP", Wednesday, 18 July 2012, http://blog.snort.org/2012/07/database-output-is-dead-rip.html).

3.3 Building the Snort environment

3.3.1 Snort installation

First install the dependencies flex, bison, build-essential, checkinstall, libpcap-dev, libnet1-dev, libpcre3-dev, libmysqlclient-dev, libnetfilter-queue-dev and iptables-dev, then extract, configure and install libdnet, DAQ, Snort and the Snort rule set. After installation, edit snort.conf to set HOME_NET, EXTERNAL_NET, RULE_PATH and so on, and include the rule files in the configuration.
Finally, run Snort in NIDS mode to check that the installation succeeded. Downloading the Snortrules tar.gz requires registering an account on the official site, snort.org.

3.3.2 Barnyard2 installation

First install mysql-server, libmysqlclient-dev, mysql-client, autoconf and libtool. Then create a MySQL user name and password, create the database and grant the user privileges on it. At this point snort.conf must be changed so that Snort writes its output in binary (unified2) format, because Barnyard2 only processes Snort's binary logs. Run Snort in alert mode and ping the eth0 interface Snort is listening on from another host; Snort produces a time-stamped binary log file. Barnyard2 then processes this file and imports it into MySQL; if the import succeeds, the events can be seen by querying MySQL.

Figure 3-1 Using Barnyard2 to import records into MySQL

Figure 3-2 Event statistics from the Barnyard2 output module

3.3.3 BASE installation

After installing and configuring Snort, Barnyard2 and MySQL, a look at the database shows that the event table holds only an id and a timestamp, with no alert content or type, and that the data table holds raw binary, which is not readable. A front-end interface is therefore necessary. The first front end, available when Snort appeared, was ACID (Analysis Console for Intrusion Databases), developed at Carnegie Mellon University; it stopped being maintained about two years after its release and has been unusable for roughly five years. BASE (Basic Analysis and Security Engine) is also dated and is no longer developed, but it still works. Both BASE and ACID run on the LAMP stack. In the last two years Snorby, built on Ruby on Rails and maintained by the company Threat Stack, has been the newest project, and it even has a mobile client app (see the Snort blog post "GUIs for Snort", Thursday, 13 January 2011, http://blog.snort.org/2011/01/guis-for-snort.html). This thesis uses the BASE interface.

Before installing BASE, install the dependencies apache2, libapache2-mod-php5, php5, php5-mysql, php5-common, php5-gd, php5-cli, php-pear and Image_Graph, then download and install ADOdb, the PHP database abstraction library that BASE uses to talk to MySQL, and BASE itself. Configure the MySQL settings in BASE's configuration file and start Apache. Entering the server address in the browser's address bar opens BASE's setup page; after stepping through it, the alerts that Barnyard2 imported from Snort into MySQL are visible, as shown in Figures 3-3 and 3-4.
Figure 3-3 BASE front-end interface

Figure 3-4 Alert view of the BASE front end

3.4 Theoretical analysis of Snort

3.4.1 Snort architecture and modules

Snort consists of a packet capture module, a protocol decoder, a preprocessing module, a detection engine and an alert output module.

(1) Packet capture module. Snort captures packets with libpcap: it listens on a network card in promiscuous mode and copies the traffic for analysis. The Win32 port of libpcap is WinPcap, which is also the capture engine used by Wireshark.

(2) Protocol decoder. Using predefined data structures and the definitions of the data-link, network, transport and application-layer protocols, the decoder parses protocol information out of the captured packets and fills in those structures. It works bottom-up through the protocol stack, calling the decoder for the data-link layer, then the network and transport layers, and finally the application-layer protocols.

(3) Preprocessing module. After decoding, packets are handed to the preprocessors. Preprocessors are plug-ins that detect anomalies, reassemble TCP streams and reassemble IP fragments, improving both the speed and the accuracy of detection.

(4) Detection engine. Using the rule files loaded through the configuration file, the detection engine decides for each packet whether it contains malicious traffic and whether an alert must be output.

(5) Alert output module. The output module emits results according to what the detection engine found. The output options are:
a. Unix syslog;
b. a Unix socket;
c. WinPopup messages via Samba's smbclient, for alert monitoring software on Win32 or Unix/Linux hosts;
d. a database: MySQL, Oracle, SQL Server, PostgreSQL or any ODBC-compliant database on Unix;
e. log files: unified format, tcpdump format, Snort's own format, XML, PCAP and CSV.

3.4.2 Snort workflow

Snort has three modes; since this thesis studies the detection engine, the discussion concentrates on the third, intrusion detection mode.

snort.c is the entry file and its main() is the entry point, but the real body of the system is SnortMain(), whose workflow is shown in Figure 3-5:

SnortInit() performs initialisation (Figure 3-6); GetPacketSource() obtains the packet source; DAQ_Init(snort_conf) initialises the DAQ according to snort.conf; snortStartThreads() starts the worker threads; DAQ_Start() starts the DAQ; SetPktProcessor() selects the packet decoding function according to the data-link-layer protocol; PacketLoop() loops, capturing packets; CleanExit(0) cleans up, stops the DAQ and exits.

Figure 3-5 Workflow of SnortMain() [21]

Figure 3-6 Workflow of SnortInit() [21]

InterfaceThread() starts the capture and processing of packets: it calls libpcap's pcap_loop() to fetch packets in a loop, decodes each packet in the callback ProcessPacket(), calls Preprocess() to run the preprocessors, then detect() to run the detection engine, and finally the output plug-ins to emit alerts and log records. The packet processing flow is shown in Figure 3-7:

Figure 3-7 Packet processing flow
Figure 3-8 Call relationships among Snort functions

3.5 Snort rule parsing

Most attacks have unique characteristics in the packet header or payload. Snort is a rule-based intrusion detection system, and a Snort rule is built around an intrusion signature: the rule says how to detect, analyse or report a packet. Snort's rule description language is lightweight and simple, yet flexible and powerful. Most Snort rules are written on a single line; a rule may be continued over several lines by ending each line with a backslash (\). A Snort rule has two logical parts: the rule header and the rule options. The header contains the rule action, the protocol, the source and destination IP addresses with their network masks, and the source and destination ports; the option section contains the alert message and specifies which parts of the packet to inspect. For example:

alert icmp 10.14.73.1 any -> 10.14.73.3 any (msg:"Getting pings from 10.14.73.1 !!"; sid:10000004;)

When the host pings the eth0 interface of the Ubuntu server running Snort, and Snort is running with console output, it raises the alert in real time and also stores it in the log file. For application control, a rule can be written like this:

alert tcp $HOME_NET any -> any any (content:"www.taobao.com"; msg:"Someone is accessing TAOBAO !!"; sid:10000001;)

Other attacks and probes are handled the same way: put the rule files in the /etc/snort/rules directory and include them in snort.conf, and when packets with the attack's characteristics are replayed at the NIC, Snort generates the alert.

Figure 3-9 Alerts and output in Snort console mode

Snort rules allow variables in the header, which avoids retyping the same strings and also makes rule changes simpler. A variable is defined with var <variable name> <variable value>, for example:

var HOME_NET 192.168.1.0/24

and is used in a rule as $<variable name>, here $HOME_NET. The exclamation mark "!" negates: in the example above, !$HOME_NET denotes the whole external network and plays the role of EXTERNAL_NET.

The part before the first parenthesis is the rule header; the rule options are enclosed in the parentheses. The rule options form the core of Snort's detection engine: flexible, easy to use and powerful. The word before the colon in an option is the option keyword, and the text after the colon is its argument; options are separated by semicolons ";" and keyword and argument by a colon ":". The option section is not mandatory; it only narrows down which packets are to be logged, alerted on or dropped. Snort has 42 rule option keywords in total. The elements of one rule are combined as a logical AND, while the different rules loaded from the rule base act as one large logical OR: a packet that matches any rule's conditions is a successful match and is logged or alerted on accordingly.
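How the rule header, with $variables and "!" negation, is parsed and then applied to a packet's addresses and ports, as an added example in C; this is not code from the thesis or from Snort. The variable table is hypothetical (its entries stand in for the var lines in snort.conf), and only "any", dotted IPv4 with an optional /prefix, and single port numbers are handled; the rule text follows the header format described above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not thesis or Snort code: parse the Snort rule header
 *   <action> <proto> <src> <sport> <dir> <dst> <dport>
 * with $VARIABLE expansion and "!" negation, then match an IPv4 5-tuple against it.
 * Subset handled: "any", dotted IPv4 with optional /prefix, single ports. */

struct addr_spec { int any, negate; uint32_t net, mask; };
struct port_spec { int any, negate; uint16_t port; };
struct rule_header {
    char action[16], proto[8];
    struct addr_spec src, dst;
    struct port_spec sport, dport;
    int bidir;                               /* 1 for "<>", 0 for "->" */
};

/* Hypothetical variable table; in snort.conf these come from "var NAME value". */
static const struct { const char *name, *value; } vars[] = {
    { "HOME_NET",     "192.168.1.0/24" },
    { "EXTERNAL_NET", "!$HOME_NET"     },    /* a variable may itself be negated */
};

static const char *lookup_var(const char *name) {
    for (size_t i = 0; i < sizeof vars / sizeof vars[0]; i++)
        if (strcmp(vars[i].name, name) == 0) return vars[i].value;
    return NULL;
}

/* Peel off "!" and "$NAME" layers; each "!" toggles *negate. NULL if unknown or cyclic. */
static const char *resolve(const char *tok, int *negate) {
    *negate = 0;
    for (int depth = 0; depth < 8 && tok; depth++) {
        if (*tok == '!')      { *negate = !*negate; tok++; }
        else if (*tok == '$') { tok = lookup_var(tok + 1); }
        else return tok;
    }
    return NULL;
}

static int parse_ipv4(const char *s, uint32_t *ip) {
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 || (a | b | c | d) > 255) return -1;
    *ip = a << 24 | b << 16 | c << 8 | d;
    return 0;
}

static int parse_addr(const char *tok, struct addr_spec *as) {
    char buf[64], *slash;
    int prefix = 32;
    const char *lit = resolve(tok, &as->negate);
    if (!lit) return -1;
    if (strcmp(lit, "any") == 0) { as->any = 1; return 0; }
    as->any = 0;
    snprintf(buf, sizeof buf, "%s", lit);
    if ((slash = strchr(buf, '/'))) { *slash = '\0'; prefix = atoi(slash + 1); }
    if (prefix < 0 || prefix > 32 || parse_ipv4(buf, &as->net) < 0) return -1;
    as->mask = prefix == 0 ? 0 : 0xFFFFFFFFu << (32 - prefix);
    as->net &= as->mask;                     /* normalise host bits away: 192.168.1.7/24 -> .0 */
    return 0;
}

static int parse_port(const char *tok, struct port_spec *ps) {
    char *end;
    const char *lit = resolve(tok, &ps->negate);
    if (!lit) return -1;
    if (strcmp(lit, "any") == 0) { ps->any = 1; return 0; }
    long v = strtol(lit, &end, 10);
    if (end == lit || *end || v < 0 || v > 65535) return -1;
    ps->any = 0; ps->port = (uint16_t)v;
    return 0;
}

/* 0 on success, -1 on a malformed header; the option section after "(" is ignored here. */
int parse_rule_header(const char *text, struct rule_header *r) {
    char buf[256], *tok[7], *p;
    int n = 0;
    snprintf(buf, sizeof buf, "%s", text);
    if ((p = strchr(buf, '('))) *p = '\0';
    for (char *t = strtok(buf, " \t"); t; t = strtok(NULL, " \t")) {
        if (n == 7) return -1;               /* too many header fields */
        tok[n++] = t;
    }
    if (n != 7) return -1;
    memset(r, 0, sizeof *r);
    snprintf(r->action, sizeof r->action, "%s", tok[0]);
    snprintf(r->proto, sizeof r->proto, "%s", tok[1]);
    if (strcmp(tok[4], "<>") == 0) r->bidir = 1;
    else if (strcmp(tok[4], "->") != 0) return -1;
    return (parse_addr(tok[2], &r->src) || parse_port(tok[3], &r->sport) ||
            parse_addr(tok[5], &r->dst) || parse_port(tok[6], &r->dport)) ? -1 : 0;
}

static int addr_ok(const struct addr_spec *a, uint32_t ip) {
    int hit = a->any || (ip & a->mask) == a->net;
    return a->negate ? !hit : hit;
}
static int port_ok(const struct port_spec *p, uint16_t port) {
    int hit = p->any || port == p->port;
    return p->negate ? !hit : hit;
}

/* 1 if the packet satisfies the header, in either direction for "<>". */
int header_matches(const struct rule_header *r, uint32_t sip, uint16_t sp, uint32_t dip, uint16_t dp) {
    if (addr_ok(&r->src, sip) && port_ok(&r->sport, sp) && addr_ok(&r->dst, dip) && port_ok(&r->dport, dp))
        return 1;
    return r->bidir && addr_ok(&r->src, dip) && port_ok(&r->sport, dp) &&
           addr_ok(&r->dst, sip) && port_ok(&r->dport, sp);
}

/* Parse and match in one call; -1 if the rule text is invalid. */
int rule_hits(const char *rule, uint32_t sip, uint16_t sp, uint32_t dip, uint16_t dp) {
    struct rule_header r;
    return parse_rule_header(rule, &r) ? -1 : header_matches(&r, sip, sp, dip, dp);
}

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

int main(void) {
    const char *rule = "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:\"outbound web\"; sid:1000001;)";
    printf("192.168.1.5:4000 -> 10.0.0.1:80    hits=%d\n", rule_hits(rule, IP4(192,168,1,5), 4000, IP4(10,0,0,1), 80));
    printf("192.168.1.5:4000 -> 192.168.1.9:80 hits=%d\n", rule_hits(rule, IP4(192,168,1,5), 4000, IP4(192,168,1,9), 80));
    return 0;
}
```

The resolve() step is what makes $EXTERNAL_NET work when it is defined as !$HOME_NET: the negation is recorded and the variable is followed again until a literal remains, so a destination inside HOME_NET correctly fails the header even though the rule text never mentions 192.168.1.0/24.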
The rule header defines the who, what and where of a packet, and the action to take when a packet matches the rule. The first field is the rule action, the measure taken when a packet matches. Snort defines five basic actions [22]:
a. alert: generate an alert using the selected alert method, then log the packet;
b. log: log the packet;
c. pass: ignore the packet;
d. activate: alert, then turn on another dynamic rule;
e. dynamic: stay idle until activated by an activate rule, then act as a log rule.
When Snort runs in-line, as in the IPS design of Chapter 4, the additional actions drop, reject and sdrop are available: they discard the matching packet (reject also sends a TCP reset or ICMP unreachable, sdrop drops without logging) instead of merely alerting.

Rule types can also be customised, with any number of additional output modules attached. The following example defines a rule type that logs to a tcpdump-format file:

ruletype suspicious
{
    type log
    output log_tcpdump: suspicious.log
}

The content keyword is an important and frequently used option. Most keywords examine information in the decoded header fields of the packet, such as the ACK field of the TCP header; content instead lets the rule writer search the packet payload for specified data and trigger a response when it is found. When a content option is evaluated, a Boyer-Moore pattern matching function is called to search the packet payload, and the remaining rule options are evaluated only if the content matches. The content argument may mix text and binary data: binary data is enclosed between pipe characters ("|") and written as hexadecimal bytes. For example:

alert tcp any any -> 192.168.1.0/24 143 (content:"|90C8 C0FF FFFF|/bin/sh"; msg:"IMAP buffer overflow!";)
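The mixed text/hex encoding of the content option, as an added example in C that is not from the thesis or from Snort's source: it decodes a content string such as the IMAP one above into raw bytes and searches a constructed payload for it. Snort's real matcher is Boyer-Moore; the sliding comparison here is only to keep the example short, and the payload bytes are made up for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the thesis or Snort): decode a Snort "content" argument,
 * where text outside pipes is literal and text between pipes is hex bytecode
 * ("|90C8 C0FF FFFF|/bin/sh"), into raw bytes, then search a packet payload for it. */

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Returns the decoded length, or -1 on malformed input: odd number of hex digits,
 * unterminated "|", non-hex digit inside pipes, or output buffer too small. */
int decode_content(const char *spec, unsigned char *out, size_t cap) {
    size_t n = 0;
    int in_hex = 0, hi = -1;
    for (const char *p = spec; *p; p++) {
        if (*p == '|') {
            if (in_hex && hi != -1) return -1;     /* "|90C|": dangling nibble */
            in_hex = !in_hex; hi = -1;
            continue;
        }
        if (!in_hex) {                             /* literal text, copied byte for byte */
            if (n >= cap) return -1;
            out[n++] = (unsigned char)*p;
            continue;
        }
        if (*p == ' ') continue;                   /* spaces between hex bytes are cosmetic */
        int v = hexval(*p);
        if (v < 0) return -1;
        if (hi == -1) hi = v;
        else { if (n >= cap) return -1; out[n++] = (unsigned char)(hi << 4 | v); hi = -1; }
    }
    return in_hex ? -1 : (int)n;
}

/* Offset of the first occurrence of pat in payload, or -1. Embedded NUL bytes are fine,
 * which is why strstr() cannot be used on binary patterns. */
long find_pattern(const unsigned char *payload, size_t plen, const unsigned char *pat, size_t patlen) {
    if (patlen == 0 || patlen > plen) return -1;
    for (size_t i = 0; i + patlen <= plen; i++)
        if (memcmp(payload + i, pat, patlen) == 0) return (long)i;
    return -1;
}

/* 1 if the content spec occurs in payload, 0 if not, -1 if the spec is malformed. */
int content_matches(const char *spec, const unsigned char *payload, size_t plen) {
    unsigned char pat[256];
    int len = decode_content(spec, pat, sizeof pat);
    if (len < 0) return -1;
    return find_pattern(payload, plen, pat, (size_t)len) >= 0;
}

int main(void) {
    /* Constructed payload: a short NOP run, then the bytes the IMAP rule above looks for. */
    unsigned char payload[] = { 0x90,0x90,0x90,0x90,0xC8,0xC0,0xFF,0xFF,0xFF,'/','b','i','n','/','s','h',0 };
    printf("IMAP overflow pattern present: %d\n", content_matches("|90C8 C0FF FFFF|/bin/sh", payload, sizeof payload));
    printf("taobao pattern present:        %d\n", content_matches("www.taobao.com", payload, sizeof payload));
    printf("malformed spec |90C|:          %d\n", content_matches("|90C|", payload, sizeof payload));
    return 0;
}
```

A malformed content string is reported rather than silently truncated, because a rule whose pattern decodes to fewer bytes than the author intended would match far more traffic than expected and flood the alert database.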
Chapter 4 Design and Realization of an IPS based on Snort

4.1 Introduction to Netfilter

4.1.1 Understanding Netfilter

To block, in the kernel and immediately, the traffic that Snort alerts on, the packets must be controlled through Netfilter. Netfilter is the packet filtering framework of the Linux kernel from 2.4.x onwards and is usually paired with iptables. Software built on this framework can filter packets, translate network addresses and ports (NA(P)T) and so on. It is a redesigned and much improved successor to ipchains in Linux 2.2.x and ipfwadm in Linux 2.0.x. Netfilter is a set of hooks inside the kernel's network stack at which kernel modules can register callback functions [23]. First, each protocol defines hooks (IPv4 defines five): well-defined points in the packet's traversal of the protocol stack. At each of these points the protocol calls into Netfilter with the packet and the hook number. Second, parts of the kernel can register to listen on the different hooks of each protocol. When a packet is passed to the Netfilter framework, Netfilter checks whether anyone has registered for that protocol and hook; if so, each registrant in turn gets the chance to examine (and possibly alter) the packet, and then to discard it (NF_DROP), let it through (NF_ACCEPT), tell Netfilter to forget about it (NF_STOLEN), or ask Netfilter to queue it for user space (NF_QUEUE). Queued packets are collected for user space by the ip_queue driver and handled asynchronously.

4.1.2 Structure of Netfilter

Netfilter is simply a series of hooks at various points in the protocol stack. The (idealised) path of an IPv4 packet looks like Figure 4-1:

Figure 4-1 Structure of Netfilter

Packets come in on the left. After passing some simple sanity checks (not truncated, IP checksum OK, not a promiscuous receive) they are passed to the NF_IP_PRE_ROUTING [1] hook of the Netfilter framework. Next they enter the routing code, which decides whether the packet is destined for another interface or for a local process; the routing code may drop packets that are unroutable. If the packet is destined for the host itself, the Netfilter framework is called again for the NF_IP_LOCAL_IN [2] hook before the packet is passed to the process. If it is instead destined for another interface, it passes the NF_IP_FORWARD [3] hook. The packet then passes a final Netfilter hook, NF_IP_POST_ROUTING [4], before being put back on the wire. The NF_IP_LOCAL_OUT [5] hook is called for packets generated locally; although the figure shows routing after this hook, the routing code is in fact consulted first (to determine the source IP address and some IP options), and code that wants to change the route, such as the NAT code, must alter the 'skb->dst' field by hand.

A hook function returns one of five values:
1. NF_ACCEPT: continue normal delivery of the packet;
2. NF_DROP: drop the packet and do not deliver it further;
3. NF_STOLEN: the hook takes over the packet, which is not delivered further;
4. NF_QUEUE: queue the packet, usually for handling in user space;
5. NF_REPEAT: call this hook function again.

4.1.3 Netlink sockets

Only the code that is most important or most closely tied to system performance is placed in the Linux kernel; other programs, such as GUIs and management and control code, are normally user-mode applications. Linux therefore splits a feature between kernel space and user space (the firewall, for instance, consists of Netfilter in kernel mode and iptables in user mode). Netfilter works inside the kernel and is driven from user space through interfaces: it communicates with user-mode programs through the various kernel/user IPC (inter-process communication) mechanisms, namely system calls, the ioctl interface, the proc file system and Netlink sockets.
A Netlink socket is a special IPC channel for transferring data between kernel mode and user mode. It offers kernel modules a dedicated set of APIs and gives user programs the standard socket interface, providing a full-duplex communication link. Just as TCP/IP uses the address family AF_INET, Netlink sockets use the address family AF_NETLINK. Each Netlink protocol type is defined in the kernel header include/linux/netlink.h [24]. The protocol types Netlink currently supports include the following [25]:

NETLINK_ROUTE: the channel between user-space routing daemons, such as BGP, OSPF and RIP, and the kernel's forwarding modules; user-mode routing daemons update the kernel routing table through this protocol.
NETLINK_FIREWALL: receives packets passed up by the IPv4 firewall (this is the protocol ip_queue uses).
NETLINK_NFLOG: the channel between the user-mode iptables management tools and the Netfilter kernel modules.
NETLINK_ARPD: manages the kernel ARP table from user space.

Netlink is an asynchronous communication method. Like other socket APIs it provides a socket buffer queue: the system call that sends a Netlink message appends it to the receiver's queue and triggers the receiver's handler, which may process the message immediately or queue it for later processing in another context (because the receive handler should run as quickly as possible). A system call, by contrast, is synchronous: when a system call is used to pass a message from user mode to the kernel and processing that message takes a long time, the granularity of the kernel scheduler suffers. Moreover, the code implementing a system call is linked statically into the kernel at compile time, so it is unsuitable for a dynamically loaded module, which is how most device drivers are built; Netlink code in a dynamically loaded module has no such compile-time dependency on the kernel.

ip_queue is the mechanism Netfilter provides for passing packets from the kernel to user space; the kernel must be built with ip_queue support. A user-space program that opens a Netlink socket can receive the packets ip_queue hands up from the kernel. Which packets are queued is chosen with iptables rules whose target is "-j QUEUE". The name ip_queue reflects what it is: a queue into which iptables rules send the selected packets; the user-space program reads them through the Netlink socket and returns a verdict to the kernel, which then dequeues the packet and acts on it. The iptables code base ships the libipq library, which wraps the ip_queue operations so that user-level programs can process packets through libipq functions directly. Netlink sockets present the BSD-style socket API that developers already know, so developing with Netlink is much simpler than with the other, more cumbersome kernel interfaces. Note that ip_queue was deprecated in favour of nfnetlink_queue (used through libnetfilter_queue, which is among the dependencies installed in Section 3.3.1) and removed from mainline kernels in Linux 3.5; on current kernels the same design is built on the NFQUEUE target and libnetfilter_queue instead.

4.2 NIPS system top-level design

4.2.1 Using iptables as the linkage
The next step is to turn Snort into an IPS. Snort is an open-source IDS built on libpcap, which works on a copy of the traffic, so it has no blocking capability. The main difference between an IDS and an IPS is that the former sits on a mirror port, with a single card passively monitoring traffic, whereas the latter is inserted directly between the external network/firewall and the switch, with the traffic flowing through its two network cards, so it can drop the packets of an alerted flow in real time. Because an IPS drops packets automatically on alert, rather than relying on an operator to configure the iptables firewall by hand from the management system, Snort's alerts must be turned into blocking actions automatically and in real time. For an alert to take effect immediately, for example by adding the session to a blacklist table, Netfilter must control the packet flow. Netfilter is the packet filtering framework of Linux kernels 2.4.x and later; software within the framework can filter packets and translate addresses and ports (NA(P)T). Netfilter is a series of hooks in the Linux kernel that let kernel modules register callback functions with the protocol stack. Hence the first, natural idea: instead of having Snort's entry function listen on the eth0 card, register at the entry Netfilter hook, NF_IP_PRE_ROUTING. After raising an alert, Snort would flag the alerted packets or add their source and destination IP/port to a session-table blacklist (an ACL quadruple like the one below), the hook would DROP the alerted flows with NF_DROP, and the remaining traffic would continue to the downstream card and the intranet.

Source IP | Source Port | Destination IP | Destination Port

We then found, however, that libpcap only copies the mirrored traffic from kernel space to user space, so by the time Snort raises an alert there may be no time left to block it: the traffic has already passed. Instead, the NF_IP_PRE_ROUTING hook is made to return NF_QUEUE (through an iptables QUEUE rule), so that the kernel parks the traffic in the buffer queue IP_QUEUE before the routing decision; packets left in IP_QUEUE without a verdict are dropped by default. After Snort has updated the session table to block the source IP/port of an alert, it hands control back; the traffic in IP_QUEUE then proceeds to the routing decision, and the alerted flows, together with their sessions, are blocked by the updated session table. The system architecture is shown in Figure 4-2. These blocking entries must of course be given an aging time, after which they expire.
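The quadruple blacklist with an aging time that the design above calls for, as an added example in C that is not the thesis's code. It assumes a fixed-size table, a hypothetical TTL of 300 seconds, and timestamps supplied by the caller (a real build would use the packet timestamp or time(NULL)); the verdict constants are local stand-ins for Netfilter's NF_DROP/NF_ACCEPT. It goes slightly beyond the text by dropping both directions of a blocked session, so that the server's replies to an already-alerted connection are cut off as well.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the thesis's code): the 4-tuple blacklist that the alert thread
 * fills and the queue thread consults, with an aging time. Timestamps are passed in
 * by the caller so the logic is deterministic. Verdict values are local stand-ins for
 * Netfilter's NF_DROP/NF_ACCEPT. Both directions of a blocked session are dropped. */

#define BLACKLIST_MAX  1024
#define BLACKLIST_TTL  300        /* seconds a block stays active (hypothetical value) */
#define VERDICT_DROP   0
#define VERDICT_ACCEPT 1

struct quad  { uint32_t sip, dip; uint16_t sport, dport; };
struct entry { struct quad q; uint32_t expires; int used; };
struct blacklist { struct entry e[BLACKLIST_MAX]; };

static int same_flow(const struct quad *a, const struct quad *b) {
    return a->sip == b->sip && a->dip == b->dip && a->sport == b->sport && a->dport == b->dport;
}
static int reverse_flow(const struct quad *a, const struct quad *b) {
    return a->sip == b->dip && a->dip == b->sip && a->sport == b->dport && a->dport == b->sport;
}

void blacklist_init(struct blacklist *bl) { memset(bl, 0, sizeof *bl); }

/* Alert thread: block q for BLACKLIST_TTL seconds from now; re-adding refreshes the expiry.
 * Returns 0, or -1 if the table is full (log that: silently accepting here would fail open). */
int blacklist_add(struct blacklist *bl, const struct quad *q, uint32_t now) {
    int slot = -1;
    for (int i = 0; i < BLACKLIST_MAX; i++) {
        struct entry *e = &bl->e[i];
        if (!e->used || e->expires <= now) { if (slot < 0) slot = i; continue; }  /* reusable */
        if (same_flow(&e->q, q)) { e->expires = now + BLACKLIST_TTL; return 0; }
    }
    if (slot < 0) return -1;
    bl->e[slot].q = *q;
    bl->e[slot].expires = now + BLACKLIST_TTL;
    bl->e[slot].used = 1;
    return 0;
}

/* Queue thread, per packet: DROP while a live entry matches either direction, else ACCEPT.
 * Expired entries are reclaimed lazily as they are encountered. */
int blacklist_verdict(struct blacklist *bl, const struct quad *q, uint32_t now) {
    for (int i = 0; i < BLACKLIST_MAX; i++) {
        struct entry *e = &bl->e[i];
        if (!e->used) continue;
        if (e->expires <= now) { e->used = 0; continue; }
        if (same_flow(&e->q, q) || reverse_flow(&e->q, q)) return VERDICT_DROP;
    }
    return VERDICT_ACCEPT;
}

/* Number of live (unexpired) entries, for monitoring table occupancy. */
int blacklist_live(const struct blacklist *bl, uint32_t now) {
    int n = 0;
    for (int i = 0; i < BLACKLIST_MAX; i++) n += bl->e[i].used && bl->e[i].expires > now;
    return n;
}

int main(void) {
    static struct blacklist bl;
    struct quad attack = { 0xC0A80105u, 0x0A000001u, 4000, 80 };   /* 192.168.1.5:4000 -> 10.0.0.1:80 */
    struct quad reply  = { 0x0A000001u, 0xC0A80105u, 80, 4000 };
    blacklist_init(&bl);
    blacklist_add(&bl, &attack, 100);                               /* Snort alerted at t=100 */
    printf("t=150 attack: %d reply: %d\n",
           blacklist_verdict(&bl, &attack, 150), blacklist_verdict(&bl, &reply, 150));
    printf("t=%d attack: %d live: %d\n", 100 + BLACKLIST_TTL,
           blacklist_verdict(&bl, &attack, 100 + BLACKLIST_TTL), blacklist_live(&bl, 100 + BLACKLIST_TTL));
    return 0;
}
```

Because the queue thread and the alert thread share the table, the production version needs a lock (or a lock-free swap) around blacklist_add() and blacklist_verdict(); it is omitted here so the aging logic stays visible. The full-table case is returned rather than ignored for the same reason the design holds queued packets until a verdict arrives: an IPS that quietly stops recording blocks fails open.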
Figure 4-2 Design of the NIPS using iptables

4.2.2 Design of the NIPS using Netlink sockets

Building on the descriptions of Snort, Netlink and Netfilter above, this section uses the CIDF architecture described in Chapter 2 to design a network intrusion prevention system, as shown in Figure 4-3:

Figure 4-3 Top-level design of the NIPS

The components are as follows:

(1) Event generator (packet capture module): Netfilter, Netlink, libipq. Copies network packets from kernel space to user space. Workflow: libipq intercepts the packets through a Netlink socket and reads them from the network layer into user space.

(2) Event analyzer (intrusion detection module): Snort. Analyses the data handed over by the event generator using pattern matching and stateful inspection. Workflow: Snort obtains the packets from IP_QUEUE in kernel space through the Netlink interface and the libipq functions, then matches them against the Snort rule set using pattern matching and stateful inspection.

(3) Response unit (response module): Netfilter, libipq, Netlink. Replaces the attack content or discards the packet. Workflow: if a rule matches, the packet is handled according to the IPS policy by communicating with Netfilter in the kernel through ipq_set_verdict() and the Netlink interface; if no rule matches, the packet is handled according to Netfilter's own policy. Netfilter itself also filters packets, so particular packets can still be blocked or allowed by its rules.

(4) Event database (alert output module): Snort, Barnyard2, the MySQL database and the BASE front end, on the LAMP stack. Collects, stores and displays alert data.

4.3 NIPS design and implementation

4.3.1 Packet capture module

The packet capture module places the packets passing through or being forwarded by the host in the buffer queue and copies them from kernel space to user space for the user-space intrusion detection program, which is naturally Snort, to process.
Until Snort returns a processing verdict through Netlink, the packet stays in IP_QUEUE unprocessed. The difference from capturing with libpcap is that what libipq obtains is the packet currently in transit, held in the kernel's IP_QUEUE buffer in real time, whereas the packets libpcap fetches are copies whose delivery cannot be controlled. This is the key to the IPS being able to filter alerted traffic in real time.
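How a packet taken from IP_QUEUE is reduced to the quadruple the session-table blacklist is keyed on, as an added example in C that is not code from the thesis, libipq or Snort. It assumes the raw IPv4 packet as ip_queue delivers it in the payload of ipq_packet_msg_t; the sample packets are constructed inline and are not captures. Beyond the plain case it handles the two situations a naive "ports are at offset 20" approach gets wrong: IP options (IHL greater than 5) and non-first fragments, which carry no transport header at all.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not thesis, libipq or Snort code): reduce the raw IPv4 packet that
 * ip_queue hands up in ipq_packet_msg_t->payload to the protocol, addresses and ports
 * the blacklist is keyed on. Handles a variable IHL (IP options), rejects truncated or
 * inconsistent lengths, and flags non-first fragments, which carry no transport header,
 * so the caller never reads ports out of fragment payload. */

struct flow { uint8_t proto; uint32_t sip, dip; uint16_t sport, dport; int has_ports; };

enum { FLOW_OK = 0, FLOW_TRUNCATED = -1, FLOW_NOT_IPV4 = -2, FLOW_BAD_IHL = -3 };

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

int parse_flow(const unsigned char *pkt, size_t len, struct flow *f) {
    if (len < 20) return FLOW_TRUNCATED;
    if (pkt[0] >> 4 != 4) return FLOW_NOT_IPV4;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20) return FLOW_BAD_IHL;
    if (len < ihl) return FLOW_TRUNCATED;
    uint16_t total = rd16(pkt + 2);
    if (total < ihl || total > len) return FLOW_TRUNCATED;   /* Total Length must fit the buffer */
    f->proto = pkt[9];
    f->sip = rd32(pkt + 12);
    f->dip = rd32(pkt + 16);
    f->sport = f->dport = 0;
    f->has_ports = 0;
    if ((rd16(pkt + 6) & 0x1FFF) != 0) return FLOW_OK;       /* fragment offset != 0: no L4 header */
    if (f->proto == 6 || f->proto == 17) {                     /* TCP/UDP: ports are the first 4 bytes */
        if (total < ihl + 4) return FLOW_TRUNCATED;
        f->sport = rd16(pkt + ihl);
        f->dport = rd16(pkt + ihl + 2);
        f->has_ports = 1;
    }
    return FLOW_OK;
}

/* Constructed sample packets (not captures); trailing bytes are zero-filled. */
const unsigned char sample_tcp[40] = {         /* 192.168.1.5:4000 -> 10.0.0.1:80, TCP, no options */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x01,0x05, 0x0a,0x00,0x00,0x01, 0x0f,0xa0,0x00,0x50 };
const unsigned char sample_frag[40] = {        /* same flow, fragment offset 185: no ports visible */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0xb9, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x01,0x05, 0x0a,0x00,0x00,0x01, 0x0f,0xa0,0x00,0x50 };
const unsigned char sample_opts[44] = {        /* IHL=6 (NOP,NOP,NOP,EOL), UDP 53 -> 53 */
    0x46,0x00,0x00,0x2c, 0x00,0x02,0x00,0x00, 0x40,0x11,0x00,0x00,
    0xc0,0xa8,0x01,0x05, 0x0a,0x00,0x00,0x01, 0x01,0x01,0x01,0x00, 0x00,0x35,0x00,0x35 };

int main(void) {
    struct flow f;
    if (parse_flow(sample_tcp, sizeof sample_tcp, &f) == FLOW_OK)
        printf("proto %u %08x:%u -> %08x:%u\n", f.proto, (unsigned)f.sip, f.sport, (unsigned)f.dip, f.dport);
    if (parse_flow(sample_opts, sizeof sample_opts, &f) == FLOW_OK)
        printf("with options: proto %u ports %u -> %u\n", f.proto, f.sport, f.dport);
    if (parse_flow(sample_frag, sizeof sample_frag, &f) == FLOW_OK)
        printf("fragment: has_ports=%d\n", f.has_ports);
    return 0;
}
```

For a non-first fragment the caller can still act on the IP pair, but matching it against a port-keyed blacklist would be wrong; the preprocessor's fragment reassembly, mentioned in 3.4.1, exists precisely so that Snort judges the whole datagram rather than such pieces.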
Figure 4-4 Workflow of capturing packets using libipq

The process of capturing packets with the library function libipq is shown in Figure 4-4. The specific steps are as follows:

(1) The function ipq_create_handle() initializes the libipq library and allocates space. It first creates the handle structure (struct ipq_handle *h) and then creates the Netlink socket:

a. Binding. As with a TCP/IP socket, Netlink's bind() function associates a local socket address (source socket address) with an open socket. The structure of a Netlink address is as follows [24]:

    struct sockaddr_nl {
        sa_family_t    nl_family;   /* AF_NETLINK */
        unsigned short nl_pad;      /* zero */
        __u32          nl_pid;      /* process pid */
        __u32          nl_groups;   /* mcast groups mask */
    } nladdr;

When the structure above is passed to bind(), the nl_pid field of sockaddr_nl can be set to the PID of the current process, and nl_pid then serves as the local address of the Netlink socket. An application should choose a unique 32-bit integer as the value of nl_pid:

    nladdr.nl_pid = getpid();

After filling in the structure nladdr, bind it as follows:

    bind(fd, (struct sockaddr *) &nladdr, sizeof(nladdr));

b. Sending. The Netlink address is then placed into a struct msghdr msg, which is passed to sendmsg() [24]:

    struct msghdr msg;
    memset(&msg, 0, sizeof(msg));     /* leave the unused msghdr fields zeroed */
    msg.msg_name    = (void *) &nladdr;
    msg.msg_namelen = sizeof(nladdr);

After the steps above, a single call to sendmsg() sends out the Netlink message:

    sendmsg(fd, &msg, 0);

c. Receiving. The receiving program needs to allocate a buffer large enough for the Netlink message header and the message payload. It fills in struct msghdr msg as follows and then receives the Netlink message with the standard interface recvmsg(), assuming nlh points to the buffer [24]:

    struct sockaddr_nl nladdr;
    struct msghdr msg;
    struct iovec iov;
    memset(&msg, 0, sizeof(msg));
    iov.iov_base    = (void *) nlh;
    iov.iov_len     = MAX_NL_MSG_LEN;
    msg.msg_name    = (void *) &nladdr;
    msg.msg_namelen = sizeof(nladdr);
    msg.msg_iov     = &iov;
    msg.msg_iovlen  = 1;
    recvmsg(fd, &msg, 0);

Finally, close(fd) closes the Netlink socket that the descriptor fd represents.
(2) The function ipq_set_mode() sets the mode in which the kernel copies queued data to user space: either packet metadata only, or metadata together with the packet payload.

(3) In the loop section, the function ResetIV() initializes the structure variable IV; then ipq_read() reads a packet from the kernel buffer queue ip_queue and stores it in the array buf[PKT_BUFSIZE].

(4) An error is reported if the read is abnormal (not a packet, timeout, or unsuccessful read); otherwise ipq_get_packet() formats the data read by ipq_read() into the corresponding packet structure ipq_packet_msg_t *m.

(5) ProcessPacket() and HandlePacket() parse and process the packet structure ipq_packet_msg_t *m in the detection module.

The declarations and comments of the functions written for this module, and of the other functions, are listed below:

    int  IPS_Mode();                /* set the flag of the constant value */
    int  IPS_Drop(Packet *p);       /* call stream_api->drop_packet and stream_api->drop_traffic to drop packets */
    int  InitIPS();                 /* initialize: ipq_create_handle, ipq_set_mode, ResetIV */
    void InitIPS_PostConfig(void);  /* parse tcp, udp and icmp packets respectively */
    void IpqLoop();                 /* loop and perform exception checking */
    void TranslateToPcap(ipq_packet_msg_t *, struct pcap_pkthdr *);
        /* through string manipulation, convert ipq_packet_msg_t *m into pcap_pkthdr *phdr for the packet flow */
    void TranslateToPcap(struct pcap_pkthdr *phdr, ssize_t len);
        /* through string handling, read ipq_packet_msg_t *m's offset into ssize_t len */

The main code of the module is as follows:

① Initialize packet capture

    InitIPS()
    {
        ipqh = ipq_create_handle(0, PF_INET);                       // initialize the libipq library
        status = ipq_set_mode(ipqh, IPQ_COPY_PACKET, PKT_BUFSIZE);  // set copy mode
        ResetIV();                                                  // reset the IV structure, clearing its variables
    }

Here the data structure used is:

    struct ipq_handle {
        int fd;                     // file descriptor
        u_int8_t blocking;          // blocking flag
        struct sockaddr_nl local;   // address structure of the local netlink socket
        struct sockaddr_nl peer;    // address structure of the kernel
    };

② Capture packets in a loop

    IpqLoop()
    {
        while (1) {
            status = ipq_read(ipqh, buf, PKT_BUFSIZE, 0);   // fetch a packet from the buffer ip_queue
            if (status <= 0) {
                ipq_error("IpqLoop: TIMEOUT");              // return value <= 0: timeout
                continue;                                   // nothing was read, try again
            }
            ipq_message_type(buf);                          // determine whether it is a packet
            m = ipq_get_packet(buf);                        // copy the packet from the buffer into an ipq_packet_msg_t structure
            PcapProcessPacket(NULL, &PHdr, (u_char *) m->payload);   // parse the packet
            HandlePacket(m);                                // process, forward or discard the packet according to the IV structure values
        }
    }

Wherein, the two data structures used by libipq are as follows:

    struct pcap_pkthdr {
        struct timeval ts;      // timestamp
        bpf_u_int32 caplen;     // length of the captured packet data
        bpf_u_int32 len;        // actual length of the packet
    };

    typedef struct ipq_packet_msg {
        unsigned long packet_id;        // queued packet ID
        long timestamp_sec;             // packet arrival time
        unsigned long mark;             // Netfilter mark value
        unsigned int hook;              // Netfilter hook point identifier
        char indev_name[IFNAMSIZ];      // entry interface name
        char outdev_name[IFNAMSIZ];     // exit interface name
        unsigned short hw_protocol;     // hardware protocol
        unsigned short hw_type;         // hardware type
        unsigned char hw_addrlen;       // hardware address length
        unsigned char hw_addr[8];       // hardware address
        size_t data_len;                // packet payload length
        unsigned char payload[0];       // optional packet content
    } ipq_packet_msg_t;
4.3.2 Intrusion detection module

The intrusion detection technology used in the intrusion prevention system is a modified version of the intrusion detection technology of the intrusion detection system Snort. Snort's decoding is done by the decode() function, which analyzes the data stream according to the format of each protocol from the link layer up to the transport layer and fills the results into the Packet data structure. In the intrusion prevention system, the packet reading process has already reassembled fragmented packets: the packet sent to the intrusion detection engine is complete, and the data stream does not contain link-layer information. Rule matching of packets is handled by the decode() function, which now resolves directly from the IP layer; after the modification, the packet data structure only contains information from the IP layer upwards.

The intrusion detection module is the main part of the Snort project, responsible for detecting and analyzing network packets after preprocessing; the detection results are output by the response module. The processing flow is shown in Figure 4-5:

Figure 4-5 Processing flow of intrusion detection

The intrusion detection system Snort is initialized according to the command-line parameters, which configure its work. The packet processing function ProcessPacket() first calls the analysis functions set up earlier to analyze the protocols of the packet, fills in the Packet data structure, and outputs or ignores the results for each protocol layer as required. It then calls the main detection engine, which parses the rule base and uses its rules to generate a two-dimensional list. The detection function Detect() then detects according to the applicable rules. The rule list is shown in Figure 4-6:
Figure 4-6 Rule chain of intrusion detection [26]

Snort already has the five actions Activation, Dynamic, Alert, Pass and Log; we only need to add the Drop and Reject actions at the end of the chain. The data structure used is as follows:

    typedef struct _ListHead {
        RuleTreeNode *IpList;
        RuleTreeNode *TcpList;
        RuleTreeNode *UdpList;
        RuleTreeNode *IcmpList;
        struct _OutputFuncNode *LogList;
        struct _OutputFuncNode *AlertList;
        struct _OutputFuncNode *DropList;
        struct _OutputFuncNode *RejectList;
        struct _RuleListNode *ruleListNode;
    } ListHead;

Then declare the variables:

    extern ListHead Drop;
    extern ListHead Reject;

and use the CreateRuleType function to create each rule action:

    CreateRuleType("drop",   RULE_DROP,   1, &Drop);
    CreateRuleType("reject", RULE_REJECT, 1, &Reject);   /* RULE_REJECT, as in Table 5-1 */
When the libipq library function reads packets from the ip_queue module in a loop, Snort's packet processing function ProcessPacket() detects each packet. Finally, the function fpLogEvent() in fpdetect.c takes different actions according to the result of intrusion detection, calling different functions as shown in Table 5-1.

Table 5-1 Action-to-function mapping of fpLogEvent()

    Matched rule action   Processing function   Last called function
    RULE_ACTIVATE         ActivateAction()
    RULE_PASS             PassAction()
    RULE_DYNAMIC          DynamicAction()
    RULE_ALERT            AlertAction()
    RULE_LOG              LogAction()
    RULE_DROP             DropAction()          InlineDrop()
    RULE_REJECT           RejectAction()        InlineReject()

In the table, all processing functions are implemented in detect.c. The first five are Snort's rule actions and the last two are the new rule actions that implement active defense. Once one of these two rule actions is matched, the corresponding handler is called; the handlers eventually call the action functions of the response module, the "last called functions" in the table, and set the corresponding fields of the IV structure (see Section 4.3.3) to record the detection result.

4.3.3 Response module

The response module defines a global variable IV whose value determines the active defense response policy based on the detection result for the packet; the verdict is passed back to Netfilter to carry out the active defense. Its data structure is as follows:

    typedef struct vals {
        int drop;       // discard the packet
        int reject;     // block the session of the packet
        int replace;    // replace the string of the packet
        int proto;      // protocol of the packet, such as TCP, UDP, ICMP or IP
    } IV;

Wherein, drop set to 1 means discard the packet; reject set to 1 means block the connection: for TCP connections a reset packet is sent, and for UDP an ICMP port unreachable packet is sent; replace set to 1 means that a predefined string literal replaces the data of packets carrying a given attack signature.
After packet inspection is complete, the response function HandlePacket() examines the detection result recorded in the IV structure and decides how the packet is to be processed; at the bottom of the call chain, the Netfilter kernel interface function nf_reinject() carries out the blocking of traffic according to the IV values. The function call relationship of the response module is shown in Figure 4-7.

Figure 4-7 Callback graph of functions in the response module

As can be seen from the figure, HandlePacket() checks the values of the variables drop, reject and replace in the IV structure and calls ipq_set_verdict() to pass a verdict on the packet. This function first calls ipq_find_dequeue_entry(), which finds the ipq_queue_entry structure stored earlier in the QUEUE queue according to the packet ID, then calls ipq_issue_verdict() to make the final decision on the packet, and finally calls nf_reinject() to reinject the queued packet together with the filtering parameters into the Netfilter filter, where Netfilter performs the active response according to the verdict value. The key part of HandlePacket() is as follows:

    void HandlePacket(ipq_packet_msg_t *m)
    {
        if (iv.drop == 1) {                   // drop the packet if drop is 1
            status = ipq_set_verdict(ipqh, m->packet_id, NF_DROP, 0, NULL);
            stream_api->drop_packet(m);
            return;                           // a dropped packet gets no further verdict
        }
        if (iv.reject == 1)                   // block this session
            stream_api->reject(m);
        if (iv.replace == 0)                  // replace is 0: accept the packet unchanged
            ipq_set_verdict(ipqh, m->packet_id, NF_ACCEPT, 0, NULL);
        else                                  // replace is 1: accept the packet with its modified payload
            ipq_set_verdict(ipqh, m->packet_id, NF_ACCEPT, m->data_len, m->payload);
    }

In addition, some function declarations are as follows:

    void RejectFuRestart();         /* release memory, close the thread */
    int  IPS_Reject(Packet *);      /* for tcp, udp, icmp packets, set drop of the IV structure to 1 */
    int  IPS_RejectBoth(Packet *);  /* for tcp, udp, icmp packets matched on both IPs, set drop of the IV structure to 1 */
    int  IPS_RejectSrc(Packet *);   /* for tcp, udp, icmp packets matched on the source IP, set drop of the IV structure to 1 */
    int  IPS_RejectDst(Packet *);   /* for tcp, udp, icmp packets matched on the destination IP, set drop of the IV structure to 1 */
    int  IPS_Accept();              /* pass, for tcp, udp, icmp packets */

4.3.4 Alarm output module

Snort introduced output plug-ins in version 1.6. These plug-ins allow alarms and logs to be presented to the administrator in more flexible formats and forms. After the preprocessors and the detection engine have run, the output plug-ins are called by Snort's alarm and logging subsystem. Without an output plug-in to process, store and format the data, packet analysis and traffic analysis would be of little significance. A plug-in defines the way data is stored, formatted and transmitted; once the plug-in mechanism is understood, one can write one's own output plug-in to achieve custom output. The related source code of the output plug-ins is mainly in plugbase.c and in the files prefixed with spo. In addition, Snort can output alarms to a database through Barnyard2, and the alarms generated by Barnyard2 can be displayed on the web front end; see Section 3.3, the environment setup section for Snort.
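The interplay of the packet capture module (4.3.1) and the response module (4.3.3) can be exercised offline with the following added example, which is not the thesis's code and does not link against libipq. It reproduces a subset of ipq_packet_msg_t (with a fixed-size payload buffer), pcap_pkthdr and IV locally, replaces ipq_set_verdict() with a recording stub, and uses the case-insensitive matching that 4.4.4 adds with nocase for the replace action; translate_to_pcap, replace_signature, handle_packet, build_sample_packet and last_verdict are names assumed here, and the sample packet is constructed.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>
#include <sys/time.h>

#define NF_DROP   0                     /* verdict values as used by libipq */
#define NF_ACCEPT 1

/* Subset of libipq's ipq_packet_msg_t fields, kept in the real order; the
 * payload is a fixed buffer here instead of libipq's flexible array. */
typedef struct ipq_packet_msg {
    unsigned long packet_id;            /* id quoted back in the verdict */
    long timestamp_sec, timestamp_usec; /* arrival time */
    unsigned int hook;                  /* Netfilter hook the packet was queued from */
    size_t data_len;
    unsigned char payload[128];         /* datagram, starting at the IP header */
} ipq_packet_msg_t;

struct pcap_pkthdr { struct timeval ts; uint32_t caplen, len; }; /* libpcap layout */
typedef struct vals { int drop, reject, replace, proto; } IV;      /* as in 4.3.3 */

/* What the ipq_set_verdict() stub below recorded instead of reinjecting. */
struct { unsigned long packet_id; int verdict; size_t data_len; int resets_sent; } last_verdict;

static int ipq_set_verdict(void *h, unsigned long id, int verdict, size_t data_len, unsigned char *buf)
{   /* data_len 0 means "reinject the packet unchanged" */
    (void)h; (void)buf; last_verdict.packet_id = id;
    last_verdict.verdict = verdict; last_verdict.data_len = data_len; return 1;
}

/* TranslateToPcap(): build the header ProcessPacket() expects. No link layer
 * is present, so caplen and len both equal the queued datagram length. */
int translate_to_pcap(const ipq_packet_msg_t *m, struct pcap_pkthdr *phdr)
{
    if (m->data_len < 20) return -1;    /* shorter than a minimal IPv4 header */
    phdr->ts.tv_sec = m->timestamp_sec; phdr->ts.tv_usec = m->timestamp_usec;
    phdr->caplen = phdr->len = (uint32_t)m->data_len;
    return 0;
}

/* Case-insensitive search, the behaviour the nocase option in 4.4.4 gives
 * Snort's content matcher; returns the match offset or -1. */
static long find_nocase(const unsigned char *buf, size_t len, const char *sig)
{
    size_t n = strlen(sig), i, k;
    for (i = 0; n && i + n <= len; i++) {
        for (k = 0; k < n && tolower(buf[i + k]) == tolower((unsigned char)sig[k]); k++) { }
        if (k == n) return (long)i;
    }
    return -1;
}

/* The replace response: overwrite each signature match in the application data
 * (starting at app_off) with fill bytes, keeping the datagram length unchanged. */
int replace_signature(ipq_packet_msg_t *m, size_t app_off, const char *sig, char fill)
{
    int count = 0; long off;
    while (app_off <= m->data_len &&
           (off = find_nocase(m->payload + app_off, m->data_len - app_off, sig)) >= 0) {
        memset(m->payload + app_off + off, fill, strlen(sig));
        app_off += off + strlen(sig);
        count++;
    }
    return count;
}

/* HandlePacket() as 4.3.3 describes it. drop and reject return at once so no
 * second verdict follows; reject also records the RST / ICMP unreachable. */
int handle_packet(void *ipqh, const IV *iv, ipq_packet_msg_t *m)
{
    if (iv->drop == 1 || iv->reject == 1) {
        if (iv->reject == 1) last_verdict.resets_sent++;   /* stream_api->reject() */
        ipq_set_verdict(ipqh, m->packet_id, NF_DROP, 0, NULL);
        return NF_DROP;
    }
    if (iv->replace == 0) ipq_set_verdict(ipqh, m->packet_id, NF_ACCEPT, 0, NULL);
    else ipq_set_verdict(ipqh, m->packet_id, NF_ACCEPT, m->data_len, m->payload);
    return NF_ACCEPT;
}

/* Constructed sample: IPv4/TCP datagram (20 + 20 header bytes) carrying a request
 * with a mixed-case script tag, from the test host 192.168.155.1 of 4.4.2. */
static ipq_packet_msg_t sample;
ipq_packet_msg_t *build_sample_packet(void)
{
    static const char req[] = "GET /?q=<ScRiPt>alert(1)</ScRiPt> HTTP/1.1\r\n";
    unsigned char *p = sample.payload;
    memset(&sample, 0, sizeof sample);
    sample.packet_id = 7; sample.timestamp_sec = 1433116800; sample.hook = 2;
    p[0] = 0x45; p[3] = 40 + (sizeof req - 1); p[8] = 64; p[9] = 6;   /* IPv4, TTL 64, TCP */
    p[12] = 192; p[13] = 168; p[14] = 155; p[15] = 1;                   /* source address */
    p[20] = 0xC0; p[23] = 80; p[32] = 0x50;          /* ports 49152 -> 80, data offset 5 */
    memcpy(p + 40, req, sizeof req - 1);
    sample.data_len = 40 + (sizeof req - 1);
    return &sample;
}
```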
4.4 Test and Results

4.4.1 Adding rules

First, create a new file in the /etc/snort/rules directory and write the rules with an editor. Open /etc/snort/snort.conf with vim or another editor and use the search command (?<string>) to find the relevant lines. Fill in the values of the key variables, for example:

    ipvar HOME_NET 10.8.58.117/24        (depending on the case)
    ipvar EXTERNAL_NET !$HOME_NET
    var RULE_PATH /etc/snort/rules

Then search for "include $RULE_PATH" to find the lines where rule files are included, and add the rules written by ourselves, for example:

    include $RULE_PATH/zzzalert.rules
    include $RULE_PATH/xss.rules

Save and exit. Hand-written rules are thus added to the Snort rule base. Snort has its own rule base containing dozens of rule files, including ddos.rules, sql.rules, p2p.rules, ftp.rules, telnet.rules etc. Because of the limited space and time of this writing, we test three types of access rules here: ICMP PING access, DNS access when browsing the Internet, and XSS intrusion access.

4.4.2 ICMP PING test

First, write the following rule:

    alert icmp any any -> $HOME_NET any (msg:"Getting pings from someone !!"; sid:10000004; rev:001;)

PING the eth0 NIC of the intrusion prevention system from another PC; Snort generates alarms:

Figure 4-8 Test results of ICMP PING access, 1

On the eth1 card, use tcpdump to view the packets sent by the host machine:
Figure 4-9 Test results of ICMP PING access, 2

NIC eth1 receives no packets from the source host 192.168.155.1. The session has been blocked.

4.4.3 DNS test for Internet access

First, write the following rule:

    alert tcp any any -> any any (content:"www.taobao.com"; msg:"Someone is accessing TAOBAO !!"; sid:10000001; rev:001;)

Before Snort starts, replay the traffic with tcpreplay from the eth0 NIC to the eth1 NIC:

Figure 4-10 Test result of DNS access when browsing, 1

Piping the output through grep taobao filters out the packets associated with the site; we find a large number of packets from taobao.com at eth1. After Snort starts, replay the capture taobao.pcap again; Snort alarms are generated:

Figure 4-11 Test result of DNS access when browsing, 2
Using the command tcpdump -i eth1 -v | grep taobao to watch the eth1 card, where before there were many packets matching the taobao content:

Figure 4-12 Test result of DNS access when browsing, 3

There are now no packets from taobao at the eth1 NIC. The session has been blocked.

4.4.4 XSS intrusion access

Next, test a rule against intrusion access behaviour. This paper selects the very common XSS intrusion. XSS attacks can be used to steal authentication cookies and to access restricted portions of web sites or other web applications. The common probe is to enter, in an input box, malicious code enclosed in script tags, such as <script>alert("XSS")</script>. If the dialog box appears, the page has an XSS vulnerability. The key part of the attack packets, analysed with Wireshark, is as follows:

Figure 4-13 Feature fields of an XSS attack packet
Since most XSS attacks insert script tags into a particular page request, i.e. they use the <SCRIPT> tag, it is natural to write the following rule from this feature:

    alert tcp any any -> any any (msg:"WEB_MISC XSS attempt"; content:"<SCRIPT>"; sid:10000005;)

Although an XSS attack triggers this rule, much normal traffic triggers it as well, such as an e-mail with embedded JavaScript, on which Snort also alerts. So we need to change this rule so that it triggers only on web traffic:

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB_MISC XSS attempt"; content:"<SCRIPT>"; sid:10000005;)

However, if the server sends a response packet with a <SCRIPT> tag, it may be normal traffic (JavaScript), so we need to use the flow option:

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB_MISC XSS attempt"; flow:to_server,established; content:"<SCRIPT>"; sid:10000005;)

If an attacker changes the script tag to <script>, <Script> etc., the content option in the rule no longer matches, so we need to add the nocase option:

    alert tcp any any -> any any (msg:"XSS attempt!"; flow:to_server,established; content:"<SCRIPT>"; nocase; sid:10000005;)

Before Snort starts, replay the traffic with tcpreplay from the eth0 NIC to the eth1 NIC:

Figure 4-14 XSS intrusion access test result, 1
At the eth1 card, view the traffic with tcpdump. Because the source IP is 1.0.0.4, use the command tcpdump -i eth1 host 1.0.0.4 -v to find the relevant packets; the terminal at the eth1 card shows a large number of packets from 1.0.0.4. After Snort starts, replay the capture xss.cap again; Snort alarms are generated:

Figure 4-15 XSS intrusion access test result, 2

Now use tcpdump to view the eth1 card again:

Figure 4-16 XSS intrusion access test result, 3

There are no XSS packets at eth1. The session has been blocked.
Chapter 5 Summary and Outlook

5.1 Summary

Nowadays network security issues are becoming increasingly serious, not just for large enterprises but also for small and medium businesses. Large enterprises have mature experience and security systems and face more complex security issues, such as APT attacks. The security issues most enterprises face are XSS cross-site scripting attacks, SQL injection, CSRF, DDoS attacks etc. But businesses large and small face their own software vulnerability issues: an attacker can take advantage of zero-day vulnerabilities, which requires companies to respond to security threats quickly, and traditional network security measures can hardly resolve them within a few days. Intrusion detection technology can be deployed rapidly, but plays no defensive role. Therefore an intrusion prevention system is the ideal solution: once researchers have analysed the characteristics of an attack against a vulnerability, the attack packets can be filtered by writing rules and adding them to the rule base. In short, intrusion prevention technology is of great significance for quick security response, and has thus become a hot topic for security vendors and research institutes.

Based on the purpose of this study and design, combined with the development trend of today's network security technology and building on network intrusion detection technology, this paper researches network intrusion prevention technology and the general structure, principles, rule syntax, detection algorithm and source files of the current representative open-source intrusion detection system Snort, as well as the related projects Netfilter, iptables and Netlink, and primarily does the following work:

(1) Achieves the linkage of Snort IDS, Barnyard2, MySQL and BASE;

(2) Designs and realizes the conversion of the IDS into an IPS: designs and overrides the packet capture module, intrusion detection module and response module with Snort, the libipq library and Netlink sockets;

(3) Writes rules recognizing ICMP ping operations, external network access and XSS attacks (optimized and improved step by step), and adds them to the Snort rule base. After traffic is replayed at the uplink card by tcpreplay, Snort generates alarms and discards the alarmed packets through the Netlink interface, which can be observed with tcpdump at the downlink card.

5.2 Future work

Today a relatively new direction in the field of network security is the convergence of security technologies, because a single network security product is no longer able to meet enterprises' demand for high performance. Therefore, for a long period in the future, the linkage and integration of a variety of security technologies will remain a research trend in the network security field. In addition to firewalls and intrusion detection technology, we should also combine other defensive measures such as vulnerability scanning and honeypots.
In addition, because of the limits of ability and time, this paper still needs further research in future study and work:

(1) This paper has not addressed performance improvement, which is the bottleneck of an IPS, so I will strengthen the optimization of the algorithm.

(2) This paper only uses several typical test cases. For depth and generality, I will do further research on intrusion testing and performance testing, making the system more versatile.

(3) The tests in this paper are still analysed at the back-end terminal. Although the BASE front end is built, it only covers the intrusion detection module, so I will implement the front-end part if I continue to work in this area.
References

[1] INFOSEC INSTITUTE. 2013 Data Breaches: All You Need to Know. http://resources.infosecinstitute.com/2013-data-breaches-need-know/
[2] 维基百科 (Wikipedia, Chinese edition). Intrusion detection system. http://zh.wikipedia.org/wiki/入侵检测系统
[3] 韩国华. Research on rule matching methods of the Snort intrusion detection system [Dissertation]. Chongqing: Chongqing University, 2012.4
[4] Wikipedia. Intrusion Detection System. http://en.wikipedia.org/wiki/Intrusion_detection_system
[5] Nitin, Mattord, Verma. Principles of Information Security. Course Technology. pp. 290–301. ISBN 978-1-4239-0177-8.
[6] NIST. Guide to Intrusion Detection and Prevention Systems (IDPS) (PDF). February 2007. Retrieved 2010-06-25.
[7] John R. Vacca (2010). Managing Information Security. Syngress. pp. 137–. ISBN 978-1-59749-533-2. Retrieved 29 June 2010.
[8] Engin Kirda, Somesh Jha, Davide Balzarotti (2009). Recent Advances in Intrusion Detection: 12th International Symposium, RAID 2009, Saint-Malo, France, September 23–25, 2009, Proceedings. Springer. pp. 162–. ISBN 978-3-642-04341-3. Retrieved 29 June 2010.
[9] Michael E. Whitman, Herbert J. Mattord. Principles of Information Security. Cengage Learning EMEA. pp. 289–. ISBN 978-1-4239-0177-8. Retrieved 25 June 2010.
[10] 王欣留. Building a network intrusion prevention system based on Snort [Dissertation]. CNKI. Beijing University of Posts and Telecommunications, 2008
[11] 刘金. An intrusion prevention system based on Linux [Dissertation]. Wanfang Data Chinese Dissertation Full-text Database. University of Electronic Science and Technology of China, 2006
[12] Robert C. Newman. Computer Security: Protecting Digital Resources. Jones & Bartlett Learning. pp. 273–. ISBN 978-0-7637-5994-0. Retrieved 25 June 2010.
[13] Tim Boyles. CCNA Security Study Guide: Exam 640-553. John Wiley and Sons. pp. 249–. ISBN 978-0-470-52767-2. Retrieved 29 June 2010.
[14] Harold F. Tipton, Micki Krause. Information Security Management Handbook. CRC Press. pp. 1000–. ISBN 978-1-4200-1358-0. Retrieved 29 June 2010.
[15] 岳成刚. Research on a network intrusion detection system based on the Snort platform [Dissertation]. CNKI. Hefei University of Technology, 2009
[16] 韩运宝. Research and improvement of an intrusion detection system based on Snort [Dissertation]. CNKI. Beijing Jiaotong University, 2007
[17] Doug Dineley, High Mobley. "The Greatest Open Source Software of All Time". Retrieved 2010-06-23.
[18] Wikipedia. Snort. http://en.wikipedia.org/wiki/Snort_(software)
[19] Mohan Krishnamurthy et al. (2008). "4. Introducing Intrusion Detection and Snort". How to Cheat at Securing Linux. Burlington, MA: Syngress Publishing Inc. Retrieved 2010-06-24.
[20] snort.org. Readme. http://www.snort.org
[21] 张宇. Source code analysis and research of the network intrusion detection system Snort [Dissertation]. CNKI. North China Institute of Water Conservancy and Hydroelectric Power, 2007
[22] snort.org. Snort manual. http://www.snort.org
[23] netfilter.org. http://www.netfilter.org
[24] RFC 3549. Linux Netlink as an IP Services Protocol. https://tools.ietf.org/html/rfc3549
[25] Wikipedia. Netlink. http://en.wikipedia.org/wiki/Netlink
[26] 高平利. Analysis and implementation of an intrusion detection system based on Snort. Computer Applications and Software, Vol. 23 No. 8, 2006.8: 135–138
Acknowledgements

This graduation paper is finally finished after six months, my first time formally writing a dissertation as well as defending one. Limited by inexperience, there were many unexpected difficulties during the research. When the final results came out, I felt extremely happy. Whatever the outcome, it will paint a wonderful period of my four years of life at BUPT, which has given me a devout vision of computer science. Through the thorough research of Snort, I have felt the great charm of this open-source project: communicating with the world's top engineers in real time, the great potential of the project, the strong support of government and organizations, the enthusiasm of research scholars... all of which inspire me to proceed in this direction, because if I go on researching it in the future, it is very possible to build a powerful new system on the basis of this outstanding detection engine with its powerful packet decoding function and content matching capability.

Here, I would first like to thank Hongying Han, Li Yan, Shiyou Wang, Jinwei Guo and other members of my internship guidance unit, the Beijing R&D center of Nsfocus. They gave me many suggestions, were strict about my work and helped me generously when I had problems. The daily work diaries and weekly meetings cultivated my working habits. Secondly, I would like to thank Professor Dongmei Zhang, Dean Jiali Bian, Professor Baojiang Cui, counselor Yilin Wang and the experts of the review panels of my instructing unit, the School of Computer Science, Beijing University of Posts and Telecommunications. They gave me much precious advice on the format of the dissertation and the art of presenting work properly. The strict interim defense ensured the good progress of the project, so I would like to express my appreciation again for the keen concern of my teachers.

I would also like to thank Joel Esler, manager of the Snort community, as well as other members of the mailing list, who gave me the latest information and precious advice on deploying the Snort environment. Their fast and patient replies let me feel the warmth and enthusiasm of IT engineers worldwide. Finally, I would like to thank again the experts and scholars whose work is referenced in this paper; without the help and inspiration of their findings, I could hardly have finished the thesis independently. Limited by my academic ability, there are inevitable inadequacies in this paper. Finally, I sincerely appreciate the precious advice and comments of scholars. I will listen to them carefully and try my best to improve.