Final Presentation

Snort Lite
Members
• Michael Attig (mea1@arl)
  – Hardware Design / System Architecture
• Qian Wan (qw2@arl)
  – Software Design
Webpage
http://www.arl.wustl.edu/arl/projects/fpx/snort_lite/
CS/CoE 535 : Snort Lite - Fall 2003
1
Motivation
• Built up the ability to do packet inspection
• Would like to add some form of packet classification
• Combining these 2 features is a first step toward implementing Snort in hardware
  – Ideally reach line rates
  – Inspect all packets
  – Turn Snort active
• Header Processing + Payload Processing
Assumptions
• Time constraints force several assumptions
  – Support signature lengths from 10 to 32 characters long (80 to 256 bits)
  – 1 content rule can be associated with only 1 header rule
  – Must have content and header rule
    • Content + Header = Rule
  – No content wildcards (no regular expressions)
  – Wildcards are allowed in header fields
  – Recognize IP, TCP, UDP protocols
Hardware Overview
[Block diagram: Packet Data in; SID and Matching Rule out]
Major Components Functionality
• Options Processing
  – Payload Processing via Multiple Bloom Filters
    • 8 Hash Functions per BF
    • False Positive Probability 0.0039
  – SDRAM Hash Table Implementation (Quadratic Probing)
    • Expected Number of Lookups = ?
• Header Processing
  – SRAM table lookup
  – Header Fields Comparator
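As an added worked example (not code from the Snort Lite project; the FPGA's hash functions, filter sizing and table layout are its own), the following Python models the payload path described on this slide: one Bloom filter per signature length as a cheap first pass, with an exact quadratic-probing hash table resolving the filter's false positives. `fp_estimate` is the textbook (1 - e^(-kn/m))^k estimate; with k = 8 and m/n = k/ln 2 it gives 2^-8 = 0.0039, the figure quoted above. SHA-256 salted per hash function, the one-filter-per-length split, the power-of-two table with triangular probing and the sample signatures are all assumptions of this example.

```python
import hashlib
import math

K = 8                      # hash functions per Bloom filter (slide 5)
MIN_LEN, MAX_LEN = 10, 32  # supported signature lengths in characters (slide 3)

def fp_estimate(k, n, m):
    """Textbook estimate (1 - e^(-kn/m))^k for k hashes, n items, m bits.
    At m/n = k / ln 2 it is 2^-k, and 2^-8 = 0.0039 is the figure on slide 5."""
    return (1.0 - math.exp(-k * n / m)) ** k

def _bloom_indices(data, m, k=K):
    # k pseudo-independent hashes: SHA-256 salted with the function number
    # (assumption; the FPGA uses its own hardware hash functions)
    for i in range(k):
        digest = hashlib.sha256(bytes([i]) + data).digest()
        yield int.from_bytes(digest[:8], "big") % m

class BloomFilter:
    def __init__(self, m, k=K):
        self.m, self.k, self.n = m, k, 0
        self.bits = bytearray(m)  # one byte per bit, for readability

    def add(self, sig):
        for idx in _bloom_indices(sig, self.m, self.k):
            self.bits[idx] = 1
        self.n += 1

    def maybe_contains(self, window):
        return all(self.bits[idx] for idx in _bloom_indices(window, self.m, self.k))

class QuadraticProbeTable:
    """Exact signature -> SID table; resolves the Bloom filter's false positives."""

    def __init__(self, size=64):
        assert size & (size - 1) == 0, "size must be a power of two"
        self.size, self.slots = size, [None] * size

    def _probe(self, sig):
        home = int.from_bytes(hashlib.sha256(sig).digest()[:8], "big") % self.size
        # triangular-number quadratic probing visits every slot of a power-of-two table
        for i in range(self.size):
            yield (home + (i * i + i) // 2) % self.size

    def insert(self, sig, sid):
        for idx in self._probe(sig):
            if self.slots[idx] is None or self.slots[idx][0] == sig:
                self.slots[idx] = (sig, sid)
                return
        raise RuntimeError("hash table full")

    def lookup(self, window):
        # returns (sid or None, number of probes performed)
        probes = 0
        for idx in self._probe(window):
            probes += 1
            entry = self.slots[idx]
            if entry is None:
                return None, probes
            if entry[0] == window:
                return entry[1], probes
        return None, probes

def build_detector(rules):
    """rules: list of (signature bytes, sid).  One Bloom filter per signature length
    (an assumption about how the slide's multiple Bloom filters are split up)."""
    by_len = {}
    for sig, _ in rules:
        if not MIN_LEN <= len(sig) <= MAX_LEN:
            raise ValueError(f"signature length {len(sig)} outside {MIN_LEN}..{MAX_LEN}")
        by_len.setdefault(len(sig), []).append(sig)
    filters = {}
    for length, sigs in by_len.items():
        # m = n*k/ln 2 bits puts the filter at the optimal 2^-k false-positive rate
        filters[length] = BloomFilter(max(64, math.ceil(len(sigs) * K / math.log(2))))
        for sig in sigs:
            filters[length].add(sig)
    table = QuadraticProbeTable()
    for sig, sid in rules:
        table.insert(sig, sid)
    return {"filters": filters, "table": table}

def scan_payload(payload, detector):
    """Slide a window of every programmed length over the payload: the Bloom filter
    is the cheap first pass, and only candidate windows go to the hash table."""
    filters, table = detector["filters"], detector["table"]
    matches, bloom_hits, probes = [], 0, 0
    for length in sorted(filters):
        for off in range(len(payload) - length + 1):
            window = payload[off:off + length]
            if not filters[length].maybe_contains(window):
                continue
            bloom_hits += 1
            sid, n = table.lookup(window)
            probes += n
            if sid is not None:
                matches.append((off, sid))
    return {"matches": matches, "bloom_hits": bloom_hits, "table_probes": probes}
```

The `table_probes` count returned by `scan_payload` is an empirical stand-in for the open "Expected Number of Lookups" question on the slide: run it over representative traffic and divide by `bloom_hits` to see how many SDRAM accesses a Bloom hit costs at a given table load.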
Chip Utilization
• Number of 4-input LUTs – 63%
• Number of Occupied Slices – 88%
• Number of Block RAMs – 123 of 160 – 76%
• Speed – 34.7 MHz
  – (this number doesn't reflect current design)!
Control Opcodes
• x70 – Add String to Hash Table
• x72 – Remove String from Hash Table
• x74 – Set Bits in a Bloom Filter
• x76 – Add Header Table Entry
• x78 – Remove Header Table Entry
• x80 – Change Alert Message Destination
• x82 – Read Header Table Entry
• x84 – Read Statistics
• x86 – Test Functionality / Pass Through
Example Rule
• alert tcp 128.252.153.51/16 any -> 192.168.200.10 80 (content: "Look at my Sample content!"; sid:750;)
• Generic
  – action proto src_ip src_port dest_ip dest_port (content: sid:)
Java Rule Parser
• Reads in a rule file
• Creates the payload for 3 control packets to program the circuit
  – x70 – add signature to analyzer
  – x74 – set bits in appropriate Bloom Filter
  – x76 – add header entry
• Tells you if a rule doesn't match assumptions
• Ignores other fields
  – Just extracts content and sid
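As an added example (Python rather than the project's Java, and not the project's own parser), the following checks a rule in the generic form from the Example Rule slide against the assumptions listed earlier (content length 10 to 32, IP/TCP/UDP only, one content and one sid per rule, no regular expressions) and lays out the three control packets, opcodes x70, x74 and x76, that program the circuit. The `->` direction token, the option regex, the error messages, the rejection of a `pcre` option, and the structured records standing in for the real control-packet byte layout (which the slides do not give) are assumptions of this example.

```python
import re

SUPPORTED_PROTOS = {"ip", "tcp", "udp"}   # assumptions slide
MIN_LEN, MAX_LEN = 10, 32                 # signature length in characters, assumptions slide
OP_ADD_STRING, OP_SET_BLOOM, OP_ADD_HEADER = 0x70, 0x74, 0x76   # control opcodes slide

# Generic form: action proto src_ip src_port -> dest_ip dest_port (options)
# The "->" direction token is assumed; the slide renders it as an arrow glyph.
RULE_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?:->|<>)\s+(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\((?P<options>.*)\)\s*$"
)
# key:value; pairs (a quoted value may contain ';') and bare flags such as nocase;
OPT_RE = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*?))?\s*;')
HEADER_FIELDS = ("action", "proto", "src_ip", "src_port", "dst_ip", "dst_port")

def parse_options(text):
    """Map option name -> list of values; a bare flag is recorded as True."""
    opts = {}
    for key, value in OPT_RE.findall(text):
        opts.setdefault(key, []).append(True if value == "" else value.strip().strip('"'))
    return opts

def parse_rule(line):
    """Parse one rule and check it against the Snort Lite assumptions.
    Other options are ignored, as the slide says: only content and sid are used."""
    result = {"ok": False, "errors": [], "header": None, "content": b"",
              "sid": None, "nocase": False}
    m = RULE_RE.match(line)
    if not m:
        result["errors"].append("rule is not of the form "
                                "'action proto src_ip src_port -> dest_ip dest_port (options)'")
        return result
    header = {k: m.group(k) for k in HEADER_FIELDS}
    errors = result["errors"]
    if header["proto"].lower() not in SUPPORTED_PROTOS:
        errors.append(f"protocol {header['proto']} not supported (only ip, tcp, udp)")
    opts = parse_options(m.group("options"))
    contents = [c for c in opts.get("content", []) if isinstance(c, str)]
    content = b""
    if len(contents) != 1:
        errors.append("exactly one content option is required")  # 1 content rule per header rule
    else:
        content = contents[0].encode()
        if not MIN_LEN <= len(content) <= MAX_LEN:
            errors.append(f"content length {len(content)} outside {MIN_LEN}..{MAX_LEN} characters")
    if "pcre" in opts:
        errors.append("regular expressions are not supported")  # no content wildcards
    sids = opts.get("sid", [])
    if len(sids) == 1 and isinstance(sids[0], str) and sids[0].isdigit():
        result["sid"] = int(sids[0])
    else:
        errors.append("a numeric sid is required")
    result.update(ok=not errors, header=header, content=content, nocase="nocase" in opts)
    return result

def control_packets(rule):
    """The three programming steps from the Java Rule Parser slide as structured
    records.  The real control-packet byte layout is the project's and is not on
    the slides, so only the opcode and the fields each packet carries are shown."""
    if not rule["ok"]:
        raise ValueError("refusing to program an invalid rule: " + "; ".join(rule["errors"]))
    return [
        {"opcode": OP_ADD_STRING, "sid": rule["sid"], "content": rule["content"]},
        {"opcode": OP_SET_BLOOM, "length": len(rule["content"]), "content": rule["content"]},
        {"opcode": OP_ADD_HEADER, "sid": rule["sid"], "header": rule["header"]},
    ]
```

Validation happens before any control packet is built, so a rule that violates an assumption is reported with every failing check rather than being half-programmed into the hardware.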
Data Flow Overview
[Diagram labels]
• Add rules from web interface
• Save rules into database
• Output statistics to web page
• Construct rules to plain text
• Record matches in database
• Parse rules into payload
• Construct payload to UDP
Updated Table definitions in DB snortlight

TABLES

BLOOMFILTER
-----------
Id        INT ;   // identity(1, 1)
BlockRAM1 INT ;   // the ID of BlockRAM 1
BlockRAM2 INT ;   // the ID of BlockRAM 2
BlockRAM3 INT ;   // the ID of BlockRAM 3
BlockRAM4 INT ;   // the ID of BlockRAM 4
BlockRAM5 INT ;   // the ID of BlockRAM 5

BLOOMCNTR
---------
BloomId     INT ;
BlockRAMId  VARCHAR(10) ;
BitPosition INT ;
Counter     INT ;

RULES
-----
Id         INT ;                    // identity(1, 1)
BloomId    INT ;                    // FK of BLOOMFILTER
Content    VARCHAR(100) ;           // NOT NULL
SourceIP   VARCHAR(30) ;
DestIP     VARCHAR(30) ;
SourcePort VARCHAR(20) ;
DestPort   VARCHAR(20) ;
NoCase     ENUM("FALSE", "TRUE") ;  // 0 false
InHardware ENUM("FALSE", "TRUE") ;  // 0 false
Action     CHAR(5) ;                // actions to take
Protocol   CHAR(5) ;                // type of protocol
InsertTime DATE ;
DeleteTime DATE ;
KeepLog    ENUM("FALSE", "TRUE") ;  // 0 false

RULEMATCH
---------
PacketID INT ;
RuleID   INT ;
EventDT  DATE ;

MATCHSTATIS
-----------
RuleID  INT ;    // FK of RULES
                 // use 0 for false match
BloomID INT ;
StartDT DATE ;
EndDT   DATE ;
counter INT ;
Work completed during break - software
• Resolved all major technical challenges during first use of PHP and MySQL
  – Reconfigured Apache and PHP for the Java extension and tested using system classes
  – Tested file I/O from PHP
  – Reconfigured PHP for the socket extension and tested using Telnet to communicate with the server
• Modified web pages (partial demo)
Web Interface
• Use Apache as the web server and MySQL as the database server, all on Windows XP
• HTML and PHP (including its extensions) to glue the system together
Results - Software
• Integration
– Statistics for matches
– Bloom Filter Counter
– Software and hardware components
– Sockets?
Future Work
• Redesign – too many assumptions
• Allow header-only and content-only rules
• Implement more content-based features
  – TCP flags
  – IP options
  – More header fields
  – Multiple signatures per content rule
    • Snort has many over-lapping rules
• Software to dynamically recreate VHDL to change the number of PBFs per LBF based on the number of strings for a particular length
  – Statistical modeling would help determine this