Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS/CoE 535 : Snort Lite - Fall 2003 1 Snort Lite Members Michael Attig –Hardware Design / System Architecture Qian Wan –Software Design.

Published byMadlyn Walsh Modified over 9 years ago

Similar presentations

Presentation on theme: "CS/CoE 535 : Snort Lite - Fall 2003 1 Snort Lite Members Michael Attig –Hardware Design / System Architecture Qian Wan –Software Design."— Presentation transcript:

1 CS/CoE 535 : Snort Lite - Fall 2003 1 Snort Lite Members Michael Attig (mea1@arl) –Hardware Design / System Architecture Qian Wan (qw2@arl) –Software Design Webpage http://www.arl.wustl.edu/arl/projects/fpx/snort_lite/

2 CS/CoE 535 : Snort Lite - Fall 2003 2 Motivation Built up ability to do packet inspection Would like to add some form of packet- classification Combining these 2 features is a first step toward implementing Snort in hardware –Ideally reach line rates –Inspect all packets –Turn Snort active Header Processing + Payload Processing

3 CS/CoE 535 : Snort Lite - Fall 2003 3 Assumptions Time constraints force several assumptions –Support Signature lengths from 10 to 32 characters long (80 to 256 bits) –1 content-rule can be associated with only 1 header rule –Must have content and header rule Content + Header = Rule –No content Wildcards (no regular expressions) –Wildcards are allowed in Header Fields –Recognize IP, TCP, UDP protocols

4 CS/CoE 535 : Snort Lite - Fall 2003 4 Hardware Overview Packet Data SID Matching Rule

5 CS/CoE 535 : Snort Lite - Fall 2003 5 Major Components Functionality Options Processing –Payload Processing via Multiple Bloom Filters 8 Hash Functions per BF False Positive Probability 0.0039 –SDRAM Hash Table Implementation (Quadratic Probing) Expected Number of Lookups = ? Header Processing –SRAM table lookup –Header Fields Comparator

6 CS/CoE 535 : Snort Lite - Fall 2003 6 Chip Utilization Number of 4-input LUTs – 63% Number of Occupied Slices – 88% Number of Block RAMs – 123 of 160 – 76% Speed – 34.7 MHz –(this number doesn’t reflect current design)!

7 CS/CoE 535 : Snort Lite - Fall 2003 7 Control Opcodes x70 – Add String to Hash Table x72 – Remove String from Hash Table x74 – Set Bits in a Bloom Filter x76 – Add Header Table Entry x78 – Remove Header Table Entry x80 – Change Alert Message Destination x82 – Read Header Table Entry x84 – Read Statistics x86 – Test Functionality / Pass Through

8 CS/CoE 535 : Snort Lite - Fall 2003 8 Example Rule alert tcp 128.252.153.51/16 any  192.168.200.10 80 (content: “Look at my Sample content!”; sid:750;) Generic –action proto src_ip src_port dest_ip dest_port (content: sid:)

9 CS/CoE 535 : Snort Lite - Fall 2003 9 Java Rule Parser Reads in a Rule File Creates the payload for 3 control packets to program Circuit –x70 – add signature to analyzer –x74 – set bits in appropriate Bloom Filter –x76 – Add Header Entry Tells you if a rule doesn’t match assumptions Ignores other fields –Just extracts content and sid

10 CS/CoE 535 : Snort Lite - Fall 2003 10 Data Flow Overview Add rules from web interface Save rules into database Construct rules to plain text Parse rules into payloads Record matches in database Output statistics to web page Construct payloads to UDP Update Bloom Counter

11 CS/CoE 535 : Snort Lite - Fall 2003 11 Updated Table definitions in DB snortlight TABLES BLOOMFILTER --------------------- Id INT ; // identity(1, 1) BlockRAM1 INT ; // the ID of BlockRAM 1 BlockRAM2 INT ; // the ID of BlockRAM 2 BlockRAM3 INT ; // the ID of BlockRAM 3 BlockRAM4 INT ; // the ID of BlockRAM 4 BlockRAM5 INT ; // the ID of BlockRAM 5 RULES ---------- Id INT ; // identity(1, 1) BloomId INT ; // FK of BLOOMFILTER Content VARCHAR(100) ; // NOT NULL SourceIP VARCHAR(30) ; DestIP VARCHAR(30) ; SourcePort VARCHAR(20) ; DestPort VARCHAR(20) ; NoCase ENUM(“FALSE”, “TRUE”) ; // 0 false InHardware ENUM(“FALSE”, “TRUE”) ; // 0 false Action CHAR(5) ; // actions to take Protocol CHAR(5) ; // type of protocol InsertTime DATE; DeleteTime DATE; KeepLog ENUM(“FALSE”, “TRUE”) ; // 0 false BLOOMCNTR ------------------ BloomId INT ; BlockRAMId VARCHAR(10) ; BitPosition INT ; Counter INT ; RULEMATCH ------------------ PacketID INT ; RuleID INT ; // FK of RULES EventDT DATE; MATCHSTATIS // use 0 for false match -------------------- RuleID INT ; BloomID INT ; StartDT DATE; EndDT DATE; counter INT ;

12 CS/CoE 535 : Snort Lite - Fall 2003 12 Graphical Processes Illustration alert tcp 127.0.0.0/9 any -> 128.252.153.0/24 801 (content: "CSE 535 is fun but harder!"; sid:68;) traffic first match result

13 CS/CoE 535 : Snort Lite - Fall 2003 13 Web Interface– Add a Rule

14 CS/CoE 535 : Snort Lite - Fall 2003 14 Web Interface– Result of Adding a Rule alert tcp 127.0.0.0/9 any -> 128.252.153.0/24 801 (content: "CSE 535 is fun but harder!"; sid:68;) -Temprulei.txt-

15 CS/CoE 535 : Snort Lite - Fall 2003 15 Web Interface– Display Rules Actual Snort rules contents shown above.

16 CS/CoE 535 : Snort Lite - Fall 2003 16 Delete one rule just entered

17 CS/CoE 535 : Snort Lite - Fall 2003 17 Result page after one rule deleted

18 CS/CoE 535 : Snort Lite - Fall 2003 18 Append rule matches

19 CS/CoE 535 : Snort Lite - Fall 2003 19 Rule Matches Statistics

20 CS/CoE 535 : Snort Lite - Fall 2003 20 Future Work Redesign – too many assumptions Allow Header-only and content-only rules Implement more content-based features –TCP flags –IP options –More header fields –Multiple Signatures per content rule Snort has many over-lapping rules Software to dynamically recreate VHDL to change Number of PBFs per LBF based on number of strings for a particular length –Statistical Modeling would help determine this

Download ppt "CS/CoE 535 : Snort Lite - Fall 2003 1 Snort Lite Members Michael Attig –Hardware Design / System Architecture Qian Wan –Software Design."

Similar presentations

CC SQL Utilities.

CC SQL Utilities.
CSCI 6962: Server-side Design and Programming Input Validation and Error Handling.

CSCI 6962: Server-side Design and Programming Input Validation and Error Handling.
400 Gb/s Programmable Packet Parsing on a Single FPGA Authors : Michael Attig 、 Gordon Brebner Publisher: 2011 Seventh ACM/IEEE Symposium on Architectures.

400 Gb/s Programmable Packet Parsing on a Single FPGA Authors : Michael Attig 、 Gordon Brebner Publisher: 2011 Seventh ACM/IEEE Symposium on Architectures.
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
Page: 1 Director 1.0 TECHNION Department of Computer Science The Computer Communication Lab (236340) Summer 2002 Submitted by: David Schwartz Idan Zak.

Page: 1 Director 1.0 TECHNION Department of Computer Science The Computer Communication Lab (236340) Summer 2002 Submitted by: David Schwartz Idan Zak.
Performance Evaluation of IPv6 Packet Classification with Caching Author: Kai-Yuan Ho, Yaw-Chung Chen Publisher: ChinaCom 2008 Presenter: Chen-Yu Chaug.

Performance Evaluation of IPv6 Packet Classification with Caching Author: Kai-Yuan Ho, Yaw-Chung Chen Publisher: ChinaCom 2008 Presenter: Chen-Yu Chaug.
Querying a Database Microsoft Office Access 2003.

Querying a Database Microsoft Office Access 2003.
A High Throughput String Matching Architecture for Intrusion Detection and Prevention Lin Tan U of Illinois, Urbana Champaign Tim Sherwood UC, Santa Barbara.

A High Throughput String Matching Architecture for Intrusion Detection and Prevention Lin Tan U of Illinois, Urbana Champaign Tim Sherwood UC, Santa Barbara.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Information Networking Security and Assurance Lab National Chung Cheng University Snort.

Information Networking Security and Assurance Lab National Chung Cheng University Snort.
With Microsoft Access 2010 © 2011 Pearson Education, Inc. Publishing as Prentice Hall1 PowerPoint Presentation to Accompany GO! with Microsoft ® Access.

With Microsoft Access 2010 © 2011 Pearson Education, Inc. Publishing as Prentice Hall1 PowerPoint Presentation to Accompany GO! with Microsoft ® Access.
Deep Packet Inspection with Regular Expression Matching Min Chen, Danny Guo {michen, CSE Dept, UC Riverside 03/14/2007.

Deep Packet Inspection with Regular Expression Matching Min Chen, Danny Guo {michen, CSE Dept, UC Riverside 03/14/2007.
Chapter 9 Classification And Forwarding. Outline.

Chapter 9 Classification And Forwarding. Outline.
Practical Networking. Introduction  Interfaces, network connections  Netstat tool  Tcpdump: Popular network debugging tool  Used to intercept and.

Practical Networking. Introduction  Interfaces, network connections  Netstat tool  Tcpdump: Popular network debugging tool  Used to intercept and.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
USENIX LISA ‘99 Conference © Copyright 1999, Martin Roesch Snort - Lightweight Intrusion Detection for Networks Martin Roesch.

USENIX LISA ‘99 Conference © Copyright 1999, Martin Roesch Snort - Lightweight Intrusion Detection for Networks Martin Roesch.
© 2006 Cisco Systems, Inc. All rights reserved. Optimizing Converged Cisco Networks (ONT) Module 4: Implement the DiffServ QoS Model.

© 2006 Cisco Systems, Inc. All rights reserved. Optimizing Converged Cisco Networks (ONT) Module 4: Implement the DiffServ QoS Model.
ICS-FORTH WISDOM Workpackage 3: New security algorithm design FORTH-ICS The next six months Cork, 29 January 2007.

ICS-FORTH WISDOM Workpackage 3: New security algorithm design FORTH-ICS The next six months Cork, 29 January 2007.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
Information-Centric Networks10b-1 Week 13 / Paper 1 OpenFlow: enabling innovation in campus networks –Nick McKeown, Tom Anderson, Hari Balakrishnan, Guru.

Information-Centric Networks10b-1 Week 13 / Paper 1 OpenFlow: enabling innovation in campus networks –Nick McKeown, Tom Anderson, Hari Balakrishnan, Guru.

Similar presentations

Ads by Google