Snort

1. What is Snort?
Snort is an open source network intrusion prevention system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.

2. What is open source?
The term open source typically refers to a program whose source code is released for use or modification by the community. Developers are free to download and make changes to the code as they please and create their own personalized product.

3. Where can I download Snort?
You can download the latest Snort releases here. Snort rules can be downloaded here.

4. What can I do with Snort?
Snort has three primary uses: It can be used as a straight packet sniffer like tcpdump, a packet logger (useful for network traffic debugging, etc), or as a full blown network intrusion prevention system.

5. What is the relationship between Snort and Sourcefire?
Sourcefire was founded in 2001 by Martin Roesch, the original author of Snort, in response to demand for a commercial version of the popular technology. Today Sourcefire's mission is to combine our open source roots with proprietary innovation to deliver the most effective and comprehensive real-time network defense solutions on the planet. For more information on Sourcefire, visit www.sourcefire.com.

6. Does Sourcefire sell Snort?
While Sourcefire does offer a commercial version of the Snort technology, we do not sell Snort. Sourcefire embraces the open source model and is committed to the GPL. Sourcefire leverages the Snort detection engine and VRT Rules as the foundation for the Sourcefire 3D Sensor, adding an easy-to-use interface, optimized hardware, powerful data analysis and reporting, policy management and administration, a full suite of product services, and 24x7 support. All enhancements made to the Snort technology for Sourcefire's commercial offerings are contributed back to the open source community.

7. What is a Snort Integrator?
A Snort Integrator refers to any company that distributes Snort or Snort rules in their commercial offerings. This includes vendors bundling Snort or Snort rules, MSSPs and SIMs.

8. What is the role of the Sourcefire Vulnerability Research Team™ (VRT)?
Sourcefire VRT is a group of leading edge network security experts working to discover, assess, and respond to the latest trends in hacking activity, intrusion attempts, and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in the network security industry.

9. How do I submit questions about Snort?
The open source community is very important to Sourcefire and we welcome your feedback. The Snort Team, VRT, and others at Sourcefire monitor the Snort mailing lists, forums, and IRC channel. Questions and comments about Snort should be submitted to one of these channels so the entire community can benefit. Feedback on Snort.org can be sent directly to Sourcefire at snort-site@sourcefire.com.

1. What is a registered user?
A registered user refers to someone who has completed the free registration process on www.snort.org. These users receive access to extra features of the site as well as access to download VRT Rule updates.

2. Why do I need to register?
Registration is simple and provides users with increased site functionality as well as access to Sourcefire VRT Rules. By registering you are also agreeing to the Sourcefire VRT Certified Rules License Agreement that prohibits commercial redistribution of Sourcefire VRT Rules. In addition, registered users have full access things such as to forums, enhanced documentation, webinars, and tutorials.

3. What if I do not wish to register?
Registration is not mandatory although unregistered users will not have access to timely Sourcefire VRT Rule updates. Unregistered users will still have full access to the Snort source code and community ruleset but will only receive a static Sourcefire VRT Certified Ruleset with each Snort point release.

4. Will my information be shared with any other parties or used for marketing?
No. The privacy of the Snort community is very important to Sourcefire. If you choose to opt-out, the information collected at the time of registration will not be used for any Sourcefire marketing efforts. In addition, Sourcefire will not sell or distribute any personal information to 3rd party companies. For additional details, please read our privacy policy.

5. How can I provide feedback or suggestions for the site?
Your feedback on the web site as well Snort in general is very important to Sourcefire. Please send any feedback on the Snort.org website to snort-site@sourcefire.com.

6. How can I find a user group in my area?
To help foster this sense of community and provide a platform for users to share their ideas and experiences, local Snort User Groups have been formed throughout the world. You can go to http://www.snort.org/community/user-groups to see if there is a group in your area or anyone interested in starting one.

7. What if there isn't a local user group?
Sourcefire is happy to help you establish a new group in your area. Send an e-mail to snort_groups@sourcefire.com to learn how to get started.

1. What is a Snort Rule?
Rules are a different methodology for performing detection, which bring the advantage of 0-day detection to the table. Unlike signatures, rules are based on detecting the actual vulnerability, not an exploit or a unique piece of data. Developing a rule requires an acute understanding of how the vulnerability actually works.

2. What is a signature?
In the security world the word signature has been given numerous definitions over the years. For the purposes of this discussion, a signature is defined as any detection method that relies on distinctive marks or characteristics being present in an exploits. These signatures are specifically designed to detect known exploits as they contain distinctive marks; such as ego strings, fixed offsets, debugging information, or any other unique marking that may or may not be related to actually exploiting a vulnerability.

This type of detection is typically classified as day after detection, as actual public exploits are necessary for this type of detection to work. Anti-Virus companies utilize this type of technology for protecting their customers from virus outbreaks. As we have seen over the years this type of protection only has limited protection capabilities as the virus has already infected someone before a signatures can be written.

3. What is a vulnerability?
A lot of people have tried to define the word 'vulnerability' and how it relates to the security industry. The best definition though is how it relates to world at large.

The below is a modified version of Microsoft's definition of a vulnerability, written by Scott Culp.
"A vulnerability is any flaw that makes it infeasible, even when implemented or used properly, to prevent an attacker from; usurping privileges, regulating internal protected operations, compromising data, or assuming trust that was not explicitly granted."

This definition allows are a wide range of things to be classified as vulnerabilities. It includes everything from the LSASS Buffer Overflow to characters flaws that allow for easy social engineering. This makes sense as vulnerabilities have been around since the beginning of time and have existed in every device or idea that was created to restrict or moderate access.

4. What is an exploit?
The counterpart to a vulnerably is the exploit, without that exploit there would not be any practical method for utilizing a vulnerability. Exploits are the methodologies or techniques that are utilized to take advantage of vulnerabilities. This is also a very broad definition as it includes everything from the standard proof of concept (PoC) exploit code to strategies for picking apart the defense on a football field.

5. What is a protocol?
A protocol is the method that allows computers to 'talk' across a network. Below is a simple example of how a protocol works:

a.TCP 3-Way Handshake occurs.
b.Client system sends a Client HELLO message
c.Server system responds with a Server HELLO message
d.Both side exchange key information to determine what type of encryption to use.
e.Both sides begin encrypted communication.

6. What are Community Rules?
Community rules refer to all rules that have been submitted by members of the open source community or Snort Integrators. These rules are freely available to all Snort users and are governed by the GPL.

7. What are Sourcefire VRT Certified Rules?
Sourcefire VRT Certified Rules refer to rules that have been developed, tested and approved by the Sourcefire Vulnerability Research Team (VRT). New Sourcefire VRT Certified Rules released after March 7th, 2005 are governed by the VRT Certified Rules License Agreement.

8. What is a user-defined rule?
User-defined rules refer to rules that an end user writes specifically for their environment. These rules are not contributed back to the open source community. When writing your own rule, a SID between 1,000,001 and 2,000,000 should be assigned to avoid overlap with existing rulesets.

9. How are rules distributed?
There are two sets of rules distributed on the snort.org web site. The "Community Ruleset" is freely available to all users. The "Sourcefire VRT Certified Rulesets" will be made available to users in the following ways:

a. Subscribers will receive rulesets in real-time as they are released to Sourcefire customers - 30 days ahead of registered users
b. Registered users will receive rulesets when they are published
c. Unregistered users will receive access to a static ruleset containing only the latest rules at the time of each Snort point release

1. What does the Sourcefire VRT Certified Rules Subscription entitle me to?
Understanding that attackers are constantly developing new methods of attack, uncovering new vulnerabilities and exploiting known weaknesses in commonly deployed systems, Sourcefire created the Sourcefire Vulnerability Research Team (VRT) to ensure our customers stay one step ahead of the latest threats. With this new subscription service, Snort users can benefit from the hard work of this team at the same time Sourcefire customers do. All Sourcefire VRT Certified Rules will be made available to subscribers in real-time as they are released.

Subscribers receive:

• The fastest access to Sourcefire VRT certified rule updates - The same ruleset developed for Sourcefire customers - 30 days faster than registered users
• Coverage in advance of exploits - The Sourcefire VRT proactively focuses on the underlying vulnerability, rather than simply reacting to known attacks
• The ability to submit false positives/negatives directly to the Sourcefire VRT./li>

2. Do I have to subscribe to receive Sourcefire VRT Rules?
No. Subscribers receive Sourcefire VRT Certified Rules updates immediately when they are available. However, these rules are still made available to registered users after 30 days and to unregistered users at the time of each Snort point release (ex. 2.7.0, 2.8.0, 3.0).

3. How much does a Subscription cost?
The pricing for the Sourcefire VRT Certified Rules is based on an annual subscription model. Subscription prices break down as follows:

4. If I purchase a subscription, can I deploy the rules on other sensors?
The subscription allows you to deploy the rules only for the sensors which licenses were purchased.

5. Can I use tools such as Oinkmaster to manage the subscription?
Yes. Users simply need to generate an oink code here.

1. What is the GNU GPL?
The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users.

You can read the complete GPL license here.

2. What is the Sourcefire VRT Certified Rules License Agreement?
The Sourcefire VRT Certified Rules License Agreement enables registered end-users to freely download and use rules that have been certified by the Sourcefire VRT while restricting commercial redistribution.

View the complete Sourcefire VRT Certified Rules License Agreement.

3. What is the Snort Integrator License from Sourcefire?
The Snort Integrator License from Sourcefire is a fee-based license that enables Snort Integrators to distribute VRT Certified Rules with their commercial offerings. If you are interested in an integrator license, please contact Sourcefire at snort-license@sourcefire.com.

4. How is the Snort Engine licensed?
The Snort engine continues to be distributed under the free software/open source GNU General Public License version 2 (commonly known as the "GPL v.2"). With the GPL license, Snort is available free of charge. Users may download the software for free and modify, integrate, and distribute it. However, GPL users must abide by the rules of the GPL, which stipulates that if a Snort-derived application is redistributed, the complete source code for this application must also be open and available for redistribution.

5. Why are the rules licensed separately from the Engine?
Sourcefire is extremely committed to the advancement of Snort and the open source community. That commitment has resulted in advances such as gigabit performance capability, the integration of the snort_inline technology, the current and future generations of IP defragmentation and TCP stream reassembly functionality, protocol anomaly detectors and normalization, portscan detection, the unified output subsystem, reams of documentation, and two complete code audits. In addition, Sourcefire has dedicated significant resources to improving the quality, accuracy and timeliness of Snort rules. The nature of rule development and distribution has always made the rules research, development, and distribution a parallel process with Snort development, with its own licensing needs.

8. What license is used if I contribute code for the Snort Engine?
When contributing code or bug fixes for the Snort Engine, the GPL applies.

9. What license is used if I contribute a rule for Snort?
When you contribute a new rule for Snort, you will have the option of having this rule included in the Community Ruleset or considered for inclusion in the VRT Certified Ruleset. Rules submitted to the Community Ruleset will be covered by the GPL. If you would like to have your rule considered for the VRT Certified Ruleset, you must agree to assign all ownership and copyrights over to Sourcefire. If this rule is selected, your name will be published in the associated documentation declaring you a "contributor" to that rule. Prior to submitting a new rule for the VRT Certified Ruleset, Sourcefire recommends that you carefully read the agreement and contact us if you have any unanswered questions.