CS/CoE 535 : Snort Lite - Fall 2003 1 Snort Lite Members Michael Attig –Hardware Design / System Architecture Qian Wan –Software Design.

1 Snort Lite
Members
- Michael Attig: Hardware Design / System Architecture
- Qian Wan: Software Design
Webpage

2 Motivation
- Built up ability to do packet inspection
- Would like to add some form of packet classification
- Combining these 2 features is a first step toward implementing Snort in hardware
  - Ideally reach line rates
  - Inspect all packets
  - Turn Snort active
- Header Processing + Payload Processing

3 Assumptions
Time constraints force several assumptions:
- Support signature lengths from 10 to 32 characters long (80 to 256 bits)
- 1 content rule can be associated with only 1 header rule
- Must have content and header rule (Content + Header = Rule)
- No content wildcards (no regular expressions)
- Wildcards are allowed in header fields
- Recognize IP, TCP, UDP protocols

4 Hardware Overview
[Block diagram; labels: Packet Data, SID, Matching Rule]

5 Major Components
Functionality / Options / Processing
- Payload Processing
  - via Multiple Bloom Filters
    - 8 Hash Functions per BF
    - False Positive Probability
  - SDRAM Hash Table Implementation (Quadratic Probing)
    - Expected Number of Lookups = ?
- Header Processing
  - SRAM table lookup
  - Header Fields Comparator
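The two payload stages on this slide, a Bloom filter with 8 hash functions that screens every window of the payload and a quadratic-probing hash table that confirms a hit against the exact signature, modelled in Python as an added example (this is not the Snort Lite VHDL or the project's Java code). The hash functions (index-salted SHA-256), the filter size, the table size and the sample signatures are assumptions; the false-positive estimate is the standard (1 - e^(-kn/m))^k formula for a Bloom filter, not a value taken from the slide.

```python
import hashlib
import math

K_HASHES = 8         # slide: 8 hash functions per Bloom filter
BLOOM_BITS = 4096    # assumed filter size in bits
TABLE_SIZE = 1021    # assumed table size; a prime keeps the first half of the quadratic probe sequence distinct


def _hashes(data, k, modulus):
    """k hash values for `data`, made by salting SHA-256 with the function index (assumed scheme)."""
    for i in range(k):
        digest = hashlib.sha256(bytes([i]) + data).digest()
        yield int.from_bytes(digest[:8], "big") % modulus


class BloomFilter:
    def __init__(self, m=BLOOM_BITS, k=K_HASHES):
        self.m, self.k = m, k
        self.bits = bytearray(m)   # one byte per bit keeps the demo simple
        self.n = 0                 # number of signatures programmed

    def add(self, item):
        for pos in _hashes(item, self.k, self.m):
            self.bits[pos] = 1
        self.n += 1

    def may_contain(self, item):
        """True if every one of the k bits is set; false positives are possible, false negatives are not."""
        return all(self.bits[pos] for pos in _hashes(item, self.k, self.m))

    def false_positive_probability(self):
        """Standard estimate (1 - e^(-kn/m))^k for n items in m bits with k hashes."""
        return (1 - math.exp(-self.k * self.n / self.m)) ** self.k


class QuadraticProbingTable:
    """Exact-match store standing in for the SDRAM hash table: slot = (h + i*i) mod size."""

    def __init__(self, size=TABLE_SIZE):
        self.size = size
        self.slots = [None] * size   # each slot holds (signature, sid) or None

    def _probe(self, sig):
        start = next(_hashes(sig, 1, self.size))
        for i in range(self.size):
            yield (start + i * i) % self.size

    def insert(self, sig, sid):
        for idx in self._probe(sig):
            if self.slots[idx] is None or self.slots[idx][0] == sig:
                self.slots[idx] = (sig, sid)
                return
        raise RuntimeError("hash table full")

    def lookup(self, sig):
        """Return (sid, probes); sid is None when the signature is absent. probes = memory accesses used."""
        probes = 0
        for idx in self._probe(sig):
            probes += 1
            entry = self.slots[idx]
            if entry is None:
                return None, probes
            if entry[0] == sig:
                return entry[1], probes
        return None, probes


class PayloadMatcher:
    """Bloom filter screens each payload window; the table confirms before a SID is reported."""

    def __init__(self):
        self.bloom = BloomFilter()
        self.table = QuadraticProbingTable()
        self.lengths = set()   # signature lengths in use (one window size per length)

    def add_signature(self, content, sid):
        sig = content.encode()
        if not 10 <= len(sig) <= 32:   # slide: signatures are 10 to 32 characters
            raise ValueError("signature length must be 10-32 characters")
        self.bloom.add(sig)
        self.table.insert(sig, sid)
        self.lengths.add(len(sig))

    def scan(self, payload):
        """Return sorted (offset, sid) pairs for every confirmed signature in `payload`."""
        hits = []
        for length in self.lengths:
            for off in range(len(payload) - length + 1):
                window = payload[off:off + length]
                if self.bloom.may_contain(window):          # cheap screen
                    sid, _ = self.table.lookup(window)      # exact confirmation
                    if sid is not None:
                        hits.append((off, sid))
        return sorted(hits)


if __name__ == "__main__":
    m = PayloadMatcher()
    m.add_signature("Look at my Sample content!", 750)   # sample rule from the slides
    m.add_signature("CSE 535 is fun but harder!", 68)
    print(m.scan(b"xxx Look at my Sample content! yyy"))
    print("false positive probability:", m.bloom.false_positive_probability())
```

A Bloom filter hit is never trusted on its own: the table lookup is the exact-match check, so a false positive costs one extra memory access but produces no false alert. `lookup` also returns the number of probes it took, which is the quantity the slide's "Expected Number of Lookups" refers to.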

6 Chip Utilization
- Number of 4-input LUTs: 63%
- Number of Occupied Slices: 88%
- Number of Block RAMs: 123 of 160 (76%)
- Speed: 34.7 MHz (this number doesn't reflect current design!)

7 Control Opcodes
- x70: Add String to Hash Table
- x72: Remove String from Hash Table
- x74: Set Bits in a Bloom Filter
- x76: Add Header Table Entry
- x78: Remove Header Table Entry
- x80: Change Alert Message Destination
- x82: Read Header Table Entry
- x84: Read Statistics
- x86: Test Functionality / Pass Through

8 Example Rule
alert tcp /16 any  (content: "Look at my Sample content!"; sid:750;)
Generic:
action proto src_ip src_port dest_ip dest_port (content: sid:)

9 Java Rule Parser
- Reads in a rule file
- Creates the payload for 3 control packets to program the circuit
  - x70: add signature to analyzer
  - x74: set bits in appropriate Bloom filter
  - x76: add header entry
- Tells you if a rule doesn't match assumptions
- Ignores other fields: just extracts content and sid
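The parser described on this slide and the generic rule form from the previous one, as an added Python example (it is not the project's Java parser). It checks the assumptions listed earlier (content and sid both present, 10 to 32 characters, no wildcards or regular expressions, protocol ip/tcp/udp, header wildcards allowed) and builds the x70, x74 and x76 payloads; the byte layout of each payload, the "one Bloom filter per signature length" rule, the hash scheme and the sample rule file are assumptions made here, since the circuit's real layouts are not on the slides.

```python
import hashlib
import ipaddress
import re
import struct

MIN_LEN, MAX_LEN = 10, 32                     # slide: signatures 10 to 32 characters
PROTOCOLS = {"ip": 0, "tcp": 6, "udp": 17}    # tcp/udp are IANA numbers; 0 for "ip" is an assumed code
OP_ADD_STRING, OP_SET_BLOOM_BITS, OP_ADD_HEADER = 0x70, 0x74, 0x76
BLOOM_BITS, K_HASHES = 4096, 8                # assumed filter size; 8 hashes per filter as on the slides

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+->\s+"
    r"(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\((?P<options>.*)\)\s*$")
CONTENT_RE = re.compile(r'content:\s*"([^"]*)"')
SID_RE = re.compile(r"sid:\s*(\d+)")


def parse_rule(line):
    """Return the rule's fields; raise ValueError when the rule breaks one of the assumptions."""
    m = RULE_RE.match(line.strip())
    if m is None:
        raise ValueError("not in 'action proto src_ip src_port -> dest_ip dest_port (...)' form")
    rule = {k: v for k, v in m.groupdict().items() if k != "options"}
    rule["proto"] = rule["proto"].lower()
    if rule["proto"] not in PROTOCOLS:
        raise ValueError("only ip, tcp and udp are recognized")
    options = m.group("options")
    content, sid = CONTENT_RE.search(options), SID_RE.search(options)
    if content is None or sid is None:
        raise ValueError("rule needs both content: and sid: (other options are ignored)")
    if "pcre:" in options or any(c in content.group(1) for c in "*?"):
        raise ValueError("content wildcards / regular expressions are not supported")
    if not MIN_LEN <= len(content.group(1)) <= MAX_LEN:
        raise ValueError(f"content must be {MIN_LEN}-{MAX_LEN} characters, got {len(content.group(1))}")
    rule["content"], rule["sid"] = content.group(1), int(sid.group(1))
    return rule


def _ip_field(text):
    """(address, mask) as 32-bit ints; 'any' is a full wildcard (0, 0)."""
    if text == "any":
        return 0, 0
    net = ipaddress.ip_network(text, strict=False)
    return int(net.network_address), int(net.netmask)


def _port_field(text):
    """(port, mask): an explicit port must match exactly, 'any' is wildcarded."""
    return (0, 0) if text == "any" else (int(text), 0xFFFF)


def build_payloads(rule):
    """The three control-packet payloads keyed by opcode (assumed layouts; sid assumed to fit 16 bits)."""
    sig = rule["content"].encode()
    # x70: opcode, sid, length, then the signature bytes
    add_string = struct.pack("!BHB", OP_ADD_STRING, rule["sid"], len(sig)) + sig
    # x74: one Bloom filter per signature length (assumption), so filter id = len(sig),
    # followed by the 8 bit positions this signature sets (index-salted SHA-256, assumed scheme)
    positions = [int.from_bytes(hashlib.sha256(bytes([i]) + sig).digest()[:8], "big") % BLOOM_BITS
                 for i in range(K_HASHES)]
    set_bits = struct.pack("!BB", OP_SET_BLOOM_BITS, len(sig)) + struct.pack("!%dH" % K_HASHES, *positions)
    # x76: opcode, sid, protocol, then (value, mask) pairs per header field; a zero mask is a wildcard
    src_ip, src_mask = _ip_field(rule["src_ip"])
    dst_ip, dst_mask = _ip_field(rule["dst_ip"])
    src_port, src_pmask = _port_field(rule["src_port"])
    dst_port, dst_pmask = _port_field(rule["dst_port"])
    add_header = struct.pack("!BHB", OP_ADD_HEADER, rule["sid"], PROTOCOLS[rule["proto"]]) + \
        struct.pack("!IIHHIIHH", src_ip, src_mask, src_port, src_pmask, dst_ip, dst_mask, dst_port, dst_pmask)
    return {OP_ADD_STRING: add_string, OP_SET_BLOOM_BITS: set_bits, OP_ADD_HEADER: add_header}


def process_rule_file(text):
    """Parse every rule line; return (programmed, rejected), rejected holding (line, reason) pairs."""
    programmed, rejected = [], []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            rule = parse_rule(line)
        except ValueError as err:
            rejected.append((line, str(err)))
            continue
        programmed.append((rule, build_payloads(rule)))
    return programmed, rejected


# Constructed sample rule file: two rules that fit the assumptions, two that do not
SAMPLE_RULE_FILE = """\
# Snort Lite test rules (constructed for this example)
alert tcp 10.0.0.0/16 any -> 10.1.0.0/16 80 (content: "Look at my Sample content!"; sid:750;)
alert tcp 10.0.0.0/9 any -> any any (content: "CSE 535 is fun but harder!"; sid:68;)
alert icmp any any -> any any (content: "ping sweep marker"; sid:900;)
alert udp any any -> any 53 (content: "short"; sid:901;)
"""

if __name__ == "__main__":
    ok, bad = process_rule_file(SAMPLE_RULE_FILE)
    for rule, payloads in ok:
        print("sid", rule["sid"], {hex(op): p.hex() for op, p in payloads.items()})
    for line, reason in bad:
        print("rejected:", reason, "<-", line)
```

Rejecting a rule at parse time matters because the hardware has no way to express a rule it cannot represent: a content longer than 32 bytes or a regular expression would otherwise be silently truncated or mis-programmed and the rule would never fire.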

10 Data Flow Overview
- Add rules from web interface
- Save rules into database
- Construct rules to plain text
- Parse rules into payloads
- Record matches in database
- Output statistics to web page
- Construct payloads to UDP
- Update Bloom counter

11 Updated Table Definitions in DB snortlight

TABLES

BLOOMFILTER
  Id INT ;                // identity(1, 1)
  BlockRAM1 INT ;         // the ID of BlockRAM 1
  BlockRAM2 INT ;         // the ID of BlockRAM 2
  BlockRAM3 INT ;         // the ID of BlockRAM 3
  BlockRAM4 INT ;         // the ID of BlockRAM 4
  BlockRAM5 INT ;         // the ID of BlockRAM 5

RULES
  Id INT ;                // identity(1, 1)
  BloomId INT ;           // FK of BLOOMFILTER
  Content VARCHAR(100) ;  // NOT NULL
  SourceIP VARCHAR(30) ;
  DestIP VARCHAR(30) ;
  SourcePort VARCHAR(20) ;
  DestPort VARCHAR(20) ;
  NoCase ENUM("FALSE", "TRUE") ;      // 0 false
  InHardware ENUM("FALSE", "TRUE") ;  // 0 false
  Action CHAR(5) ;        // actions to take
  Protocol CHAR(5) ;      // type of protocol
  InsertTime DATE ;
  DeleteTime DATE ;
  KeepLog ENUM("FALSE", "TRUE") ;     // 0 false

BLOOMCNTR
  BloomId INT ;
  BlockRAMId VARCHAR(10) ;
  BitPosition INT ;
  Counter INT ;

RULEMATCH
  PacketID INT ;
  RuleID INT ;            // FK of RULES
  EventDT DATE ;

MATCHSTATIS               // use 0 for false match
  RuleID INT ;
  BloomID INT ;
  StartDT DATE ;
  EndDT DATE ;
  counter INT ;

12 Graphical Processes Illustration
[Figure; labels: traffic, first match, result]
alert tcp /9 any -> / (content: "CSE 535 is fun but harder!"; sid:68;)

13 Web Interface: Add a Rule

14 Web Interface: Result of Adding a Rule
alert tcp /9 any -> / (content: "CSE 535 is fun but harder!"; sid:68;)
-Temprulei.txt-

15 Web Interface: Display Rules
Actual Snort rules contents shown above.

16 Delete One Rule Just Entered

17 Result Page After One Rule Deleted

18 Append Rule Matches

19 Rule Matches Statistics

20 Future Work
- Redesign: too many assumptions
- Allow header-only and content-only rules
- Implement more content-based features
  - TCP flags
  - IP options
  - More header fields
  - Multiple signatures per content rule (Snort has many over-lapping rules)
- Software to dynamically recreate VHDL to change the number of PBFs per LBF based on the number of strings for a particular length
  - Statistical modeling would help determine this
