
Tenable Blog


Vulnerability Based Snort IDS Management

For several years, Tenable's management products have been able to perform realtime correlation of IDS events with existing vulnerabilities and to "push" only the relevant signatures to your Snort sensors. This entry briefly discusses the advantages of correlating IDS events with vulnerabilities and then walks through the deployment of the IDSUpdate script for managing Snort sensor rule configurations.

Accurate IDS Event Correlation with Vulnerabilities

The Security Center can be used to perform Nessus scans as often as you want, with as many scanners as you have and with the correct credentials to perform patch audits. It can also use one or more Passive Vulnerability Scanners to obtain vulnerability information in near real time. As IDS events arrive at the Security Center, each event is analyzed to see if it is related to a particular vulnerability, and if the vulnerability is present on the target system and target port. This is very accurate for attack detection because:

  • highly accurate patch audit data is used
  • realtime passive vulnerability data is used
  • correlation is not dependent on the underlying OS or even application
  • multiple cross references of CVE, Bugtraq, Nessus and other IDs are used

Managing A Snort Sensor Rule Set

The Security Center supports many leading IDS technologies including Snort. In Snort's case, Tenable also offers the ability to manage the signatures on the Snort sensor(s). The IDSUpdate tool allows Snort sensors to be tuned with only the signatures for the applications on their network.

Why would someone want to "turn off" signatures on an IDS sensor when they already have IDS/VA correlation? The answer is performance and efficiency. Since the Security Center already "knows" about all of the vulnerabilities on a given network segment, it can remove Snort signature rules for attacks that may never occur and that, even if they did, would not be relevant. A Snort sensor running with fewer signatures also has more horsepower to analyze traffic and less chance of being overloaded.
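The two ideas above (correlating an event with a vulnerability on the target host and port, and trimming a rule set down to the vulnerabilities actually present on a segment) are shown here in a small added example. This is illustrative code, not the Security Center's implementation: the vulnerability inventory, the rules, their sids and every reference ID are constructed for the example, and the choice to keep rules that carry no reference at all is a policy decision made here, not something the post states.

```python
import re

# Constructed sample data (not from the post): a vulnerability inventory of the
# kind the Security Center builds from Nessus and PVS results, keyed by
# (host, port) with the cross-reference IDs attached to each finding.
VULN_INVENTORY = {
    ("10.0.0.5", 80): {"cve:2004-0001", "bugtraq:10001", "nessus:20001"},
    ("10.0.0.5", 22): {"cve:2004-0002"},
    ("10.0.0.9", 445): {"bugtraq:10003", "nessus:20003"},
}

# Constructed Snort-format rules; sids, msgs and reference IDs are invented.
SNORT_RULES = """\
alert tcp any any -> any 80 (msg:"WEB example A"; reference:cve,2004-0001; sid:9000001; rev:1;)
alert tcp any any -> any 22 (msg:"SSH example B"; reference:bugtraq,10002; reference:cve,2004-0002; sid:9000002; rev:1;)
alert tcp any any -> any 445 (msg:"SMB example C"; reference:bugtraq,10003; sid:9000003; rev:1;)
alert tcp any any -> any 21 (msg:"FTP example D"; reference:cve,2004-0004; sid:9000004; rev:1;)
alert tcp any any -> any 80 (msg:"WEB no-reference rule"; sid:9000005; rev:1;)
"""

REF_RE = re.compile(r"reference:\s*([a-z]+)\s*,\s*([^;]+);")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def parse_rules(text):
    """Map sid -> (rule text, set of 'system:id' references) for each rule line."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SID_RE.search(line)
        if m is None:
            continue
        refs = {f"{system}:{ident.strip()}" for system, ident in REF_RE.findall(line)}
        rules[int(m.group(1))] = (line, refs)
    return rules


def select_rules(rules, inventory):
    """Keep rules that reference a vulnerability present anywhere in the inventory.

    Policy choice for this example: a rule with no reference cannot be
    correlated, so it is kept rather than silently dropped from the sensor.
    """
    known = set().union(*inventory.values())
    return {sid: line for sid, (line, refs) in rules.items() if not refs or refs & known}


def correlate_event(event, rules, inventory):
    """True when the rule that fired references a vulnerability that the
    inventory records on the event's destination host and port."""
    entry = rules.get(event["sid"])
    if entry is None:
        return False
    _, refs = entry
    present = inventory.get((event["dst"], event["dport"]), set())
    return bool(refs & present)


if __name__ == "__main__":
    rules = parse_rules(SNORT_RULES)
    print("rules kept for this segment:", sorted(select_rules(rules, VULN_INVENTORY)))
    event = {"sid": 9000001, "dst": "10.0.0.5", "dport": 80}
    print("event correlated:", correlate_event(event, rules, VULN_INVENTORY))
```

Note that the same reference set serves both purposes: a rule survives selection if its references appear anywhere on the segment, while an event is only flagged as correlated when the reference is present on the specific host and port it targeted. Selection is the coarse, per-sensor filter; correlation is the fine-grained, per-event check.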

Configuring A Deployment

An organization running the Security Center and gathering Snort IDS events is already half-way there. Each time the Snort rules are updated (from the Sourcefire VRT rules, the Bleeding Snort rules, or both), the Security Center automatically builds the pre-correlated signature libraries.

For your Snort sensors, download the IDSUpdate tool from the Tenable Support site and install it on your Snort sensor(s). It will untar into a directory named "IDSUpdate" and have an IDSUpdate.pl and IDSUpdate.cfg file. The config file has many parameters to be configured. Here is an example live IDSUpdate.cfg file: 

#############################################################
# Frequency of update polling (in minutes)
# Set to 0 to cycle once.
FREQUENCY=360

#############################################################
# IDS Engine Type
#############################################################
IDS_ENGINE=SNORT

#############################################################
# Snort specific information
#
# SNORT          - full path to the snort binary.
# SNORT_CONF     - full path to the snort.conf file.
# SNORT_RULES_DIR - full path to the rules directory.
# SNORT_PID      - location of the running snort process ID
#############################################################
SNORT=/usr/sbin/snort
SNORT_RULES_DIR=/etc/snort/rules
SNORT_CONF=/etc/snort/snort.conf
SNORT_PID=/var/run/snort_eth1.pid

#############################################################
# Full pathname to required files
# Current requirements - wget and gunzip
#############################################################
WGET=/usr/bin/wget
TAR=/bin/tar
GUNZIP=/bin/gunzip
MD5SUM=/usr/bin/md5sum

#############################################################
# Archive URL
#############################################################
ARCHIVE_URL=http://192.168.210.33/sc3/html/snort.tar.gz
ARCHIVE_USERNAME=username
ARCHIVE_PASSWORD=password

#############################################################
# Log file
# If not present, logs will print to screen.
#############################################################
LOG_FILE=IDSUpdate.log

#############################################################
# Daemon mode
# Activate using "on"
#############################################################
DAEMONIZE=on

#############################################################
# Holds the last update string to indicate when a new package
# is ready. This will be updated automatically.  Clear and
# restart IDSUpdate to refresh immediately.
#############################################################
LAST_MD5=8a67a766d84324ed13002dc83d2553d5

Some of these keywords are blank by default or should be confirmed for your distribution of Snort (the original post highlighted them in red). A valid username and password for the Security Center is required for this tool to obtain the new signatures.

The ARCHIVE_URL keyword specifies the location of the snort rules on the Security Center. If your Security Center is configured for SSL connectivity, change the URL to include https. The file snort.tar.gz will always contain ALL of the latest Snort rules. If the Security Center is subscribed to one of the Sourcefire VRT libraries, then this will contain effectively all of those. If the Security Center is subscribed to the Bleeding Snort rule set, then it is all of those. Lastly, if a Security Center is subscribed to both VRT and Bleeding Snort, snort.tar.gz will contain an aggregate of both rule sets.

For correlated rule sets, a separate file is produced for each unique Security Center customer, based on the customer ID. For example, customer 10's Snort rules would be named snort-10.tar.gz. In the above configuration file, these would be available at a URL of:

http://192.168.210.33/sc3/html/snort-10.tar.gz

Having separate Snort libraries for each Security Center customer allows you to place different Snort sensors at different places in the network for very specific monitoring.

So how does this work?

Each time the Security Center obtains new IDS rules from either the Sourcefire VRT or Bleeding Snort, it produces a new set of signature libraries. The Security Center does this on a daily basis, but administrators and security managers can force an update.

Each time the Security Center obtains a new active Nessus scan (with or without credentials) or a passive scan from a Passive Vulnerability Scanner, it produces a new set of Snort signature libraries.

Each Snort sensor running the IDSUpdate tool downloads the signature set from the Security Center and compares its MD5 checksum to the previous one. If there is a difference, the new rules are put in place and Snort is restarted. New downloads from the Security Center occur with a frequency set by the FREQUENCY variable in the configuration file.
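The polling cycle just described, as an added example that is not Tenable's IDSUpdate.pl: it parses the KEY=VALUE configuration format shown above, compares the archive's MD5 against LAST_MD5, installs the rules into SNORT_RULES_DIR, records the new MD5 back into the config, and signals the process named in SNORT_PID. Assumptions made here: the archive is handed in as a local path in place of the wget download of ARCHIVE_URL, so the example runs offline; rule files sit at the top level of the archive (the post does not describe its layout); and the "restart" is a SIGHUP to the PID file, which the post does not specify. As in the tool, the MD5 only detects that the archive changed; it does not authenticate the download, which is what transport protection (the https ARCHIVE_URL mentioned above) is for. The extraction step also refuses archive members that would land outside the rules directory, a check worth having whenever a sensor unpacks rules fetched over the network.

```python
import hashlib
import io
import os
import signal
import tarfile
import tempfile
from pathlib import Path


def parse_cfg(path):
    """Read an IDSUpdate.cfg-style file: KEY=VALUE lines, '#' comment lines."""
    cfg = {}
    for line in Path(path).read_text().splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def write_last_md5(path, digest):
    """Record the installed archive's MD5 so the next poll can detect a change."""
    p = Path(path)
    lines = [l for l in p.read_text().splitlines() if not l.startswith("LAST_MD5=")]
    lines.append(f"LAST_MD5={digest}")
    p.write_text("\n".join(lines) + "\n")


def md5_of(path):
    """Change fingerprint only, as in the tool; not an integrity check of the download."""
    return hashlib.md5(Path(path).read_bytes()).hexdigest()


def install_rules(archive, rules_dir):
    """Extract regular files into rules_dir, refusing any member that resolves outside it."""
    dest = Path(rules_dir).resolve()
    dest.mkdir(parents=True, exist_ok=True)
    installed = []
    with tarfile.open(str(archive), "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            target = (dest / member.name).resolve()
            if dest not in target.parents:  # member names are untrusted input
                raise ValueError(f"refusing to extract {member.name!r} outside {dest}")
            target.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
            installed.append(str(target))
    return installed


def signal_snort(pid_file):
    """Assumption for this example: reload Snort with SIGHUP to the PID in SNORT_PID.
    Returns False when no usable PID file exists (the post only says Snort 'is restarted')."""
    try:
        pid = int(Path(pid_file).read_text().strip())
    except (OSError, ValueError):
        return False
    os.kill(pid, signal.SIGHUP)
    return True


def run_once(cfg_path, archive_path):
    """One polling cycle; archive_path stands in for the wget download of ARCHIVE_URL."""
    cfg = parse_cfg(cfg_path)
    digest = md5_of(archive_path)
    if digest == cfg.get("LAST_MD5", ""):
        return {"updated": False, "md5": digest, "installed": [], "restarted": False}
    installed = install_rules(archive_path, cfg["SNORT_RULES_DIR"])
    write_last_md5(cfg_path, digest)
    restarted = signal_snort(cfg.get("SNORT_PID", ""))
    return {"updated": True, "md5": digest, "installed": installed, "restarted": restarted}


def make_archive(path, members):
    """Constructed helper: write a .tar.gz with the given {name: bytes} members."""
    with tarfile.open(str(path), "w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def demo():
    """Build a constructed archive and config in a temp dir, then poll twice."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        rule = b'alert tcp any any -> any 80 (msg:"constructed"; sid:9000001; rev:1;)\n'
        make_archive(tmp / "snort.tar.gz", {"web.rules": rule})  # assumed flat layout
        make_archive(tmp / "bad.tar.gz", {"../escape.rules": rule})  # traversal attempt
        cfg = tmp / "IDSUpdate.cfg"
        cfg.write_text(f"SNORT_RULES_DIR={tmp / 'rules'}\nSNORT_PID={tmp / 'snort.pid'}\nLAST_MD5=\n")
        first = run_once(cfg, tmp / "snort.tar.gz")   # new MD5: installs rules
        second = run_once(cfg, tmp / "snort.tar.gz")  # same MD5: no-op
        try:
            install_rules(tmp / "bad.tar.gz", tmp / "rules")
            rejected = False
        except ValueError:
            rejected = True
        return {
            "first_updated": first["updated"],
            "second_updated": second["updated"],
            "installed": len(first["installed"]),
            "md5_recorded": parse_cfg(cfg)["LAST_MD5"] == first["md5"],
            "traversal_rejected": rejected,
        }
```

Running `demo()` installs the constructed rule file on the first cycle, finds the recorded MD5 unchanged on the second and does nothing, and rejects the archive whose member name tries to escape the rules directory. In a real deployment the loop around `run_once` would sleep for FREQUENCY minutes between cycles and write to LOG_FILE rather than returning a dict.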

For More Information

Tenable has two white papers available on this topic located in our Security Event Management Whitepapers section. The "Security Event Management" paper details how vulnerability and IDS correlation maps into log analysis and anomaly detection. The "Correlating IDS Alerts with Vulnerability Information" paper details the benefits and false positives which occur with this technique.
