				SNORTNET 
Proposal and Implementation of Distributed Network Intrusion Detection System.
				(draft)

fygrave@tigerteam.net
Fri Apr 28 16:13:18 ICT 2000

ABSTRACT

With the rapid development of networks worldwide, Intrusion Detection Systems
have become an important part of the network infrastructure of small companies,
average-size ISPs and even large enterprises. As a network grows, scalability
and ease of extension become two important requirements of a Network
Intrusion Detection System. The purpose of SnortNet development is to bring
these qualities to snort, an open-source lightweight intrusion detection
system.

1. OVERVIEW

SnortNet is a research project which targets the development of a
Distributed Intrusion Detection System (DIDS) that uses the snort NIDS as a
node sensor.

1.1. Terminology

The following terminology is used:

Sensor - the DIDS component whose primary function is to monitor network (or
host) activity in order to identify possible intrusion attempts, perform
optional local logging and generate messages about detected events.

Proxy - the DIDS component whose primary function is to interconnect Sensors
and Master nodes. It should be used when no direct connection between a
Sensor and a Master is available (e.g. when one of them is located inside a
DMZ). A Proxy should be able to understand certain filtering rules which can
be applied to an alert or log message (based on the alert's source/destination,
the type of alert or its priority).

Master - the DIDS component whose primary function is to serve as the
monitoring tool for the DIDS. Masters can act as `slaves' to other Masters,
which makes it possible to build DIDS trees. Masters can optionally perform
local logging of received information (via syslog/files/..). Masters should
also be able to understand certain filtering rules which can be applied to an
alert or log message.

Alert - a message which is passed from a Sensor to a Master and carries enough
information to identify the type of intrusion.


IMPLEMENTATION

The SnortNet DIDS is being developed and implemented using the Snort Output
plugin interface. Further development might require certain adaptations of
the Snort code as well as the possible development of a Snort Preprocessor.

USAGE OF SNORTNET OVER TCP LINK

SnortNet can currently be used over a TCP link to build sample distributed
IDS systems. No encryption is provided so far, but support for SSL-encrypted
links is planned. No proxying features have been implemented yet, so no
"SnortNet trees" are available.

To perform minimal access control, the TCP Wrappers library is used.
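As an added illustration of the Sensor/Proxy/Master model described under
"Terminology" and of the TCP-link access control just mentioned, the
following Python prototype (written for this draft; it is not SnortNet's own
code, which is a Snort output plugin in C) shows the receiving side of a
Master or Proxy: it accepts alerts only from sensor hosts on an allow list
(in the spirit of the hosts.allow semantics of TCP Wrappers), parses each
alert, and applies ordered filtering rules keyed on source/destination, alert
type and priority. The wire format ("src dst type priority", one alert per
line), the rule tuple shape and all sample addresses and alert names are
assumptions made for the example; the draft does not define a wire format.

```python
"""Prototype Master/Proxy alert pipeline for a SnortNet-style DIDS.

Added example. Assumed (not from the SnortNet draft):
  - wire format: one alert per line, "src dst type priority"
  - rules: (action, field, value) tuples, evaluated in order, first match
    wins, default action "forward"
  - access control: a sending host must fall inside one of the allowed
    networks, mimicking a TCP Wrappers hosts.allow entry
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Alert:
    src: str
    dst: str
    kind: str        # alert type, e.g. the Snort rule message
    priority: int    # higher means more severe


def parse_alert(line):
    """Parse one wire-format line; raise ValueError on malformed input."""
    parts = line.split()
    if len(parts) != 4:
        raise ValueError(f"malformed alert: {line!r}")
    src, dst, kind, prio = parts
    ipaddress.ip_address(src)   # validate addresses before trusting them
    ipaddress.ip_address(dst)
    return Alert(src, dst, kind, int(prio))


def host_allowed(peer, allow_nets):
    """TCP Wrappers style check: is the connecting sensor in an allowed net?"""
    addr = ipaddress.ip_address(peer)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in allow_nets)


def rule_matches(rule, alert):
    """Evaluate one (action, field, value) rule against an alert."""
    _, field, value = rule
    if field == "any":
        return True
    if field in ("src", "dst"):
        addr = ipaddress.ip_address(getattr(alert, field))
        return addr in ipaddress.ip_network(value, strict=False)
    if field == "type":
        return alert.kind == value
    if field == "min_priority":
        return alert.priority >= value
    raise ValueError(f"unknown rule field: {field}")


def apply_rules(rules, alert):
    """Return the action of the first matching rule, or 'forward'."""
    for rule in rules:
        if rule_matches(rule, alert):
            return rule[0]
    return "forward"


def process_alerts(peer, lines, allow_nets, rules):
    """Handle one sensor connection: access check, then per-alert filtering."""
    result = {"accepted": False, "forwarded": [], "dropped": 0, "malformed": 0}
    if not host_allowed(peer, allow_nets):
        return result            # connection refused, nothing is parsed
    result["accepted"] = True
    for line in lines:
        try:
            alert = parse_alert(line)
        except ValueError:
            result["malformed"] += 1   # never let bad input stop the stream
            continue
        if apply_rules(rules, alert) == "forward":
            result["forwarded"].append(alert)
        else:
            result["dropped"] += 1
    return result


# Constructed sample configuration and traffic (assumptions, not real data)
ALLOWED_SENSORS = ["192.168.1.0/24"]
RULES = [
    ("drop", "type", "ICMP-PING"),        # too noisy for the console
    ("forward", "dst", "10.0.1.0/24"),    # anything aimed at the DMZ
    ("forward", "min_priority", 2),       # otherwise only serious alerts
    ("drop", "any", None),                # default deny for the rest
]
SAMPLE_ALERTS = [
    "203.0.113.7 10.0.1.20 ICMP-PING 1",
    "203.0.113.7 10.0.1.20 WEB-CGI-phf 1",
    "198.51.100.3 10.0.2.9 PORTSCAN 1",
    "198.51.100.3 10.0.2.9 EXPLOIT-overflow 3",
    "garbage line",
]

if __name__ == "__main__":
    summary = process_alerts("192.168.1.10", SAMPLE_ALERTS, ALLOWED_SENSORS, RULES)
    for a in summary["forwarded"]:
        print(f"FORWARD {a.src} -> {a.dst} {a.kind} prio={a.priority}")
    print(f"dropped={summary['dropped']} malformed={summary['malformed']}")
    print("unknown sensor accepted:",
          process_alerts("172.16.0.5", SAMPLE_ALERTS, ALLOWED_SENSORS, RULES)["accepted"])
```

The same rule engine serves both node types: a Proxy would pass the
"forwarded" alerts on to its Master, while a Master would log them locally.
Because the link is unencrypted in this version, the allow list only
restricts which source addresses may connect; it does not authenticate the
sensor, which is why the planned SSL support matters.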

USAGE OF SNORTNET OVER SERIAL LINE

This feature is not implemented yet.

POSSIBLE EXTENSIONS OF SNORTNET TO COLLABORATE WITH OTHER IDS SYSTEMS

Once the IAP protocol is implemented, SnortNet could be extended to
collaborate with other network- and host-based intrusion detection systems
which implement similar functionality. The first adaptation is planned to be
with the `EyesOnExec' host-based intrusion detection module developed by
Sebastian Krahmer
(http://www.uni-potsdam.de/homepages/students/linuxer).



AVAILABILITY AND REQUIREMENTS

SnortNet has so far been tested on the following platforms:

* FreeBSD
* Linux

It requires the following packages to be installed:

* TCP Wrappers (if access control is needed).
  TCP Wrappers is available at ftp://ftp.porcupine.org/pub/security/.
* Ncurses library.

At compile time, the Snort source code is needed.
Snort is available at http://www.clark.net/~roesch/security.html


ACKNOWLEDGEMENTS

Thanks to Marty Roesch for a wonderful piece of software and the opportunity
to take part in its development.
Thanks to Sebastian Krahmer for pulling a bunch of thoughts and ideas during
the talk sessions.
blah blah blah ;-)


REFERENCES AND RELATED PAPERS

"Intrusion Detection Exchange Format Requirements", Mark Wood,
http://www.ietf.org/internet-drafts/draft-ietf-idwg-requirements-02.txt

"Intrusion Detection Data Model",
http://www.ietf.org/internet-drafts/draft-ietf-idwg-data-model-02.txt

"IAP - Internet Alert Protocol proposal",
http://search.ietf.org/internet-drafts/draft-gupta-idef-iap-00.txt

APPENDIXES

