Components of Snort


13


A brief introduction to these components is presented in this section. As you go


through the book and create some rules, you will become more familiar with these com 


ponents and how they interact with each other.


1.3.1


Packet Decoder


The packet decoder takes packets from different types of network interfaces and


prepares the packets to be preprocessed or to be sent to the detection engine. The inter 


faces may be Ethernet, SLIP, PPP and so on.


1.3.2


Preprocessors


Preprocessors are components or plug ins that can be used with Snort to arrange


or modify data packets before the detection engine does some operation to find out if


the packet is being used by an intruder. Some preprocessors also perform detection by


finding anomalies in packet headers and generating alerts. Preprocessors are very


important for any IDS to prepare data packets to be analyzed against rules in the detec 


tion engine. Hackers use different techniques to fool an IDS in different ways. For


example, you may have created a rule to find a signature  scripts/iisadmin  in HTTP


packets. If you are matching this string exactly, you can easily be fooled by a hacker


who makes slight modifications to this string. For example:


   scripts/./iisadmin 


   scripts/examples/../iisadmin 


   scripts\iisadmin 


   scripts/.\iisadmin 


To complicate the situation, hackers can also insert in the web Uniform Resource


Identifier (URI) hexadecimal characters or Unicode characters which are perfectly legal


as far as the web server is concerned. Note that the web servers usually understand all


of these strings and are able to preprocess them to extract the intended string  scripts/


iisadmin . However if the IDS is looking for an exact match, it is not able to detect this


attack. A preprocessor can rearrange the string so that it is detectable by the IDS.


Preprocessors are also used for packet defragmentation. When a large data chunk


is transferred to a host, the packet is usually fragmented. For example, default maxi 


mum length of any data packet on an Ethernet network is usually 1500 bytes. This value


is controlled by the Maximum Transfer Unit (MTU) value for the network interface.


This means that if you send data which is more than 1500 bytes, it will be split into mul 


tiple data packets so that each packet fragment is less than or equal to 1500 bytes. The








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      toronto web hosting

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Cheap Web Hosting
JSP Web Hosting
Ontario Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Java Hosting
Cheapest Hosting



Visionwebhosting.net Business web hosting division of Vision Web Hosting Inc.. All rights reserved