CS/CoE 535 : Snort Lite - Fall 2003

Members
- Michael Attig – Hardware Design / System Architecture
- Qian Wan – Software Design

Motivation
- We have built up the ability to do packet inspection
- We would like to add some form of packet classification
- Combining these two features is a first step toward implementing Snort in hardware
  – Ideally reach line rates
  – Inspect all packets
  – Turn Snort active (react to matches in the data path instead of only alerting)
- Header Processing + Payload Processing

Assumptions
Time constraints forced several assumptions:
- Signature lengths from 10 to 32 characters (80 to 256 bits)
- One content rule can be associated with only one header rule
- Every rule must have both a content part and a header part: Content + Header = Rule
- No content wildcards (no regular expressions)
- Wildcards are allowed in header fields
- Recognized protocols: IP, TCP, UDP

Hardware Overview
[Figure: block diagram. Packet data enters the circuit; the output is the SID of the matching rule.]

Major Components
(Functionality / Options / Processing)
- Payload Processing via multiple Bloom filters
  – 8 hash functions per BF
  – False positive probability
  – SDRAM hash table implementation (quadratic probing)
  – Expected number of lookups = ?
- Header Processing
  – SRAM table lookup
  – Header fields comparator
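The following Python is an added illustration of the payload path, not the project's VHDL or any code from these slides. It models one Bloom filter per signature length (assumed from the 10-to-32 character range), k=8 hashes derived from salted SHA-256 (assumed; the slides do not name the hardware hash functions), a per-bit counter that plays the role of the BLOOMCNTR table in the database schema so that removing one signature never clears a bit another signature still needs, the standard false-positive estimate, and an exact-match table that plays the role of the SDRAM hash table in confirming or rejecting Bloom hits. The sample payload is constructed here.

```python
import hashlib
import math


class CountingBloomFilter:
    """Bloom filter with k hash functions plus a per-bit insert counter.

    Added illustration, not the project's VHDL. The bit vector stands in
    for a Block-RAM Bloom filter; the counters stand in for the software-
    side BLOOMCNTR table, so a signature can be removed without clearing
    bits that another programmed signature still depends on.
    """

    def __init__(self, m_bits, k=8):
        self.m = m_bits
        self.k = k
        self.bits = bytearray(m_bits)   # one byte per bit, for readability
        self.counts = [0] * m_bits
        self.n = 0                      # signatures currently programmed

    def positions(self, s):
        # k hashes from salted SHA-256 (assumed; the hardware hash functions
        # are not given on the slides). A set, so a self-collision is
        # counted once on insert and once on remove.
        return {int.from_bytes(hashlib.sha256(bytes([i]) + s).digest()[:8], "big") % self.m
                for i in range(self.k)}

    def add(self, s):
        for p in self.positions(s):
            self.bits[p] = 1
            self.counts[p] += 1
        self.n += 1

    def remove(self, s):
        """Clear only bits no other signature still uses. Returns False for a
        string that was never inserted instead of corrupting the counters."""
        ps = self.positions(s)
        if any(self.counts[p] == 0 for p in ps):
            return False
        for p in ps:
            self.counts[p] -= 1
            if self.counts[p] == 0:
                self.bits[p] = 0
        self.n -= 1
        return True

    def __contains__(self, s):
        return all(self.bits[p] for p in self.positions(s))

    def false_positive_rate(self):
        # Standard estimate for k hashes, n members, m bits: (1 - e^(-kn/m))^k
        return (1.0 - math.exp(-self.k * self.n / self.m)) ** self.k


def scan_payload(filters_by_length, payload):
    """Slide a window of every supported signature length across the payload;
    return (offset, window) pairs that the filter for that length accepts."""
    hits = []
    for length, bf in sorted(filters_by_length.items()):
        for off in range(len(payload) - length + 1):
            window = payload[off:off + length]
            if window in bf:
                hits.append((off, window))
    return hits


def confirm_hits(hits, exact_table):
    """Resolve Bloom hits against an exact table (the SDRAM hash table's role):
    return (offset, sid) for real matches, dropping false positives."""
    return [(off, exact_table[w]) for off, w in hits if w in exact_table]


if __name__ == "__main__":
    sig = b"Look at my Sample content!"          # 26 bytes, from the slides
    bf = CountingBloomFilter(4096, k=8)
    bf.add(sig)
    # constructed sample packet payload
    payload = b"GET /index.html Look at my Sample content! HTTP/1.0"
    print(confirm_hits(scan_payload({26: bf}, payload), {sig: 750}))
```

Two caveats a practitioner should carry over to the hardware: a Bloom hit is only a candidate, so the exact lookup must always run before an alert is raised; and counting-based removal is only safe for strings the software itself inserted (which the RULES table records), because "removing" a never-inserted string that happens to be a false positive would decrement counters belonging to other signatures.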

Chip Utilization
- Number of 4-input LUTs – 63%
- Number of occupied slices – 88%
- Number of Block RAMs – 123 of 160 (76%)
- Speed – 34.7 MHz (this number doesn't reflect the current design!)

Control Opcodes
- x70 – Add String to Hash Table
- x72 – Remove String from Hash Table
- x74 – Set Bits in a Bloom Filter
- x76 – Add Header Table Entry
- x78 – Remove Header Table Entry
- x80 – Change Alert Message Destination
- x82 – Read Header Table Entry
- x84 – Read Statistics
- x86 – Test Functionality / Pass Through

Example Rule
alert tcp <src_ip>/16 any -> <dest_ip> <dest_port> (content: "Look at my Sample content!"; sid:750;)
Generic form:
action proto src_ip src_port -> dest_ip dest_port (content: ...; sid: ...;)

Java Rule Parser
- Reads in a rule file
- Creates the payloads for the 3 control packets that program the circuit
  – x70 – add signature to analyzer
  – x74 – set bits in the appropriate Bloom filter
  – x76 – add header entry
- Tells you if a rule doesn't meet the assumptions
- Ignores the other rule options: only content and sid are extracted from the option list
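As an added example covering the rule format above and the parser's checks, the following Python (not the project's Java parser, and not code from these slides) parses a rule of the generic form, reports every Snort-Lite assumption it violates, produces the three programming operations under opcodes x70/x74/x76, and then evaluates a constructed packet against the rule so that "content + header = rule" is visible end to end. The field layout inside each control payload is an assumption here; only the opcodes, the 10-to-32 character limit, and the supported protocols come from the slides. The sample rules and packets are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Limits and opcodes come from the slides; everything else is an added
# illustration in Python, not the project's Java parser.
MIN_SIG, MAX_SIG = 10, 32
PROTOS = {"ip", "tcp", "udp"}
OP_ADD_STRING, OP_SET_BF_BITS, OP_ADD_HEADER = 0x70, 0x74, 0x76

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src_ip>\S+)\s+(?P<src_port>\S+)"
    r"\s+->\s+(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\((?P<opts>.*)\)\s*$")
# option := name [: "quoted" | bare] ;   (flags such as nocase carry no value)
OPT_RE = re.compile(r'\s*(\w+)\s*(?::\s*(?:"([^"]*)"|([^;]*)))?\s*;')


@dataclass
class Rule:
    action: str
    proto: str
    src_ip: Optional[ipaddress.IPv4Network]   # None encodes the "any" wildcard
    src_port: Optional[int]
    dst_ip: Optional[ipaddress.IPv4Network]
    dst_port: Optional[int]
    content: bytes
    sid: int
    nocase: bool = False


@dataclass
class Packet:                       # constructed 5-tuple plus payload
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def _options(text):
    return {n: q if q else b.strip() for n, q, b in OPT_RE.findall(text)}


def check_rule(text):
    """Return the Snort-Lite assumptions a rule violates ([] when it fits)."""
    m = HEADER_RE.match(text.strip())
    if not m:
        return ["expected: action proto src_ip src_port -> dst_ip dst_port (options)"]
    opts = _options(m["opts"])
    problems = []
    if m["proto"] not in PROTOS:
        problems.append(f"unsupported protocol {m['proto']!r}")
    if "content" not in opts:
        problems.append("content option required (content + header = rule)")
    elif not MIN_SIG <= len(opts["content"]) <= MAX_SIG:
        problems.append(f"content length must be {MIN_SIG}..{MAX_SIG} characters")
    if "pcre" in opts or "|" in opts.get("content", ""):
        problems.append("regular expressions and |hex| escapes not supported")
    if not opts.get("sid", "").isdigit():
        problems.append("numeric sid required")
    return problems


def _net(spec):
    return None if spec == "any" else ipaddress.ip_network(spec, strict=False)


def _port(spec):
    return None if spec == "any" else int(spec)


def parse_rule(text):
    problems = check_rule(text)
    if problems:
        raise ValueError("; ".join(problems))
    m = HEADER_RE.match(text.strip())
    opts = _options(m["opts"])
    return Rule(m["action"], m["proto"], _net(m["src_ip"]), _port(m["src_port"]),
                _net(m["dst_ip"]), _port(m["dst_port"]),
                opts["content"].encode(), int(opts["sid"]), "nocase" in opts)


def control_payloads(rule):
    """The three programming operations the parser emits. Opcodes are from the
    slides; the fields inside each payload are assumed for this example."""
    return [
        {"opcode": OP_ADD_STRING, "sid": rule.sid, "string": rule.content},
        {"opcode": OP_SET_BF_BITS, "bloom_filter": len(rule.content),  # assumed: filter chosen by length
         "string": rule.content},
        {"opcode": OP_ADD_HEADER, "sid": rule.sid, "proto": rule.proto,
         "src_ip": str(rule.src_ip or "any"), "src_port": rule.src_port,
         "dst_ip": str(rule.dst_ip or "any"), "dst_port": rule.dst_port},
    ]


def match_header(rule, pkt):
    """Header comparator with wildcards: 'ip' matches any protocol, None any value."""
    if rule.proto != "ip" and pkt.proto != rule.proto:
        return False
    return all([
        rule.src_ip is None or ipaddress.ip_address(pkt.src) in rule.src_ip,
        rule.src_port is None or pkt.sport == rule.src_port,
        rule.dst_ip is None or ipaddress.ip_address(pkt.dst) in rule.dst_ip,
        rule.dst_port is None or pkt.dport == rule.dst_port,
    ])


def match_packet(rule, pkt):
    """Content + header = rule: both parts must match before the SID fires."""
    if not match_header(rule, pkt):
        return False
    hay, needle = pkt.payload, rule.content
    if rule.nocase:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay
```

Rejecting a rule at parse time (unsupported protocol, missing content, out-of-range length, regex or hex escapes) is what keeps the hardware's rule set consistent with what the circuit can actually evaluate; a rule that is silently truncated or partially programmed would match more or less traffic than the analyst intended.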

Data Flow Overview
1. Add rules from the web interface
2. Save rules into the database
3. Construct rules as plain text
4. Parse rules into payloads
5. Construct payloads into UDP control packets
6. Update the Bloom counter
7. Record matches in the database
8. Output statistics to the web page

Updated Table Definitions in DB snortlight

TABLES

BLOOMFILTER
  Id          INT ;           // identity(1, 1)
  BlockRAM1   INT ;           // the ID of BlockRAM 1
  BlockRAM2   INT ;           // the ID of BlockRAM 2
  BlockRAM3   INT ;           // the ID of BlockRAM 3
  BlockRAM4   INT ;           // the ID of BlockRAM 4
  BlockRAM5   INT ;           // the ID of BlockRAM 5

RULES
  Id          INT ;           // identity(1, 1)
  BloomId     INT ;           // FK of BLOOMFILTER
  Content     VARCHAR(100) ;  // NOT NULL
  SourceIP    VARCHAR(30) ;
  DestIP      VARCHAR(30) ;
  SourcePort  VARCHAR(20) ;
  DestPort    VARCHAR(20) ;
  NoCase      ENUM("FALSE", "TRUE") ;   // 0 false
  InHardware  ENUM("FALSE", "TRUE") ;   // 0 false
  Action      CHAR(5) ;       // action to take
  Protocol    CHAR(5) ;       // type of protocol
  InsertTime  DATE ;
  DeleteTime  DATE ;
  KeepLog     ENUM("FALSE", "TRUE") ;   // 0 false

BLOOMCNTR
  BloomId     INT ;
  BlockRAMId  VARCHAR(10) ;
  BitPosition INT ;
  Counter     INT ;

RULEMATCH
  PacketID    INT ;
  RuleID      INT ;           // FK of RULES
  EventDT     DATE ;

MATCHSTATIS                   // use 0 for false match
  RuleID      INT ;
  BloomID     INT ;
  StartDT     DATE ;
  EndDT       DATE ;
  counter     INT ;

Graphical Processes Illustration
[Figure: rule alert tcp <src_ip>/9 any -> <dest_ip>/<mask> <dest_port> (content: "CSE 535 is fun but harder!"; sid:68;), followed by screenshots of the traffic, the first match, and the result.]

Web Interface – Add a Rule
[Screenshot]

Web Interface – Result of Adding a Rule
[Screenshot: alert tcp <src_ip>/9 any -> <dest_ip>/<mask> <dest_port> (content: "CSE 535 is fun but harder!"; sid:68;) written to Temprulei.txt]

Web Interface – Display Rules
[Screenshot: the actual Snort rule contents are shown.]

Web Interface – Delete the rule just entered
[Screenshot]

Web Interface – Result page after one rule is deleted
[Screenshot]

Web Interface – Append rule matches
[Screenshot]

Web Interface – Rule Match Statistics
[Screenshot]

Future Work
- Redesign: too many assumptions
- Allow header-only and content-only rules
- Implement more rule-option features beyond content
  – TCP flags
  – IP options
  – More header fields
  – Multiple signatures per content rule (Snort has many overlapping rules)
- Software to dynamically regenerate the VHDL so the number of PBFs per LBF follows the number of strings of a particular length
  – Statistical modeling would help determine this