Improving the Database Logging Performance of the Snort Network Intrusion Detection Sensor



Similar documents
Extensible Network Configuration and Communication Framework

A Review on Network Intrusion Detection System Using Open Source Snort

SPANIDS: A Scalable Network Intrusion Detection Loadbalancer

Intrusion Detection Systems with Correlation Capabilities

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

How To Monitor A Network On A Network With Bro (Networking) On A Pc Or Mac Or Ipad (Netware) On Your Computer Or Ipa (Network) On An Ipa Or Ipac (Netrope) On

Quantifying the Performance Degradation of IPv6 for TCP in Windows and Linux Networking

Double guard: Detecting Interruptions in N- Tier Web Applications

Network Intrusion Analysis (Hands-on)

Passive Logging. Intrusion Detection System (IDS): Software that automates this process

Intrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool

How To Classify Network Traffic In Real Time

An apparatus for P2P classification in Netflow traces

An Open Source IPS. IIT Network Security Project Project Team: Mike Smith, Sean Durkin, Kaebin Tan

Intrusion Detection Systems (IDS)

A NOVEL APPROACH FOR PROTECTING EXPOSED INTRANET FROM INTRUSIONS

HIDS and NIDS Hybrid Intrusion Detection System Model Design Zhenqi Wang 1, a, Dankai Zhang 1,b

Open Source Network Security Monitoring With Sguil

Performance Analysis of IPv4 v/s IPv6 in Virtual Environment Using UBUNTU

Network Security Management

Intrusion Detection in AlienVault

SIDN Server Measurements

Dynamic Rule Based Traffic Analysis in NIDS

CHAPETR 3. DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM

Efficacy of Live DDoS Detection with Hadoop

Linux Network Security

Advancement in Virtualization Based Intrusion Detection System in Cloud Environment

Using Fuzzy Logic Control to Provide Intelligent Traffic Management Service for High-Speed Networks ABSTRACT:

Snort Installation - Ubuntu FEUP. SSI - ProDEI Paulo Neto and Rui Chilro. December 7, 2010

Flexible Web Visualization for Alert-Based Network Security Analytics

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

Network Intrusion Simulation Using OPNET

Classic IOS Firewall using CBACs Cisco and/or its affiliates. All rights reserved. 1

One Server Per City: C Using TCP for Very Large SIP Servers. Kumiko Ono Henning Schulzrinne {kumiko, hgs}@cs.columbia.edu

Effective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention

Putting it on the NIC: A Case Study on application offloading to a Network Interface Card (NIC)

The Fundamentals of Intrusion Prevention System Testing

Very Large Enterprise Network, Deployment, Users

Question: 3 When using Application Intelligence, Server Time may be defined as.

Performance Comparison of SCTP and TCP over Linux Platform

Implementing Large-Scale Autonomic Server Monitoring Using Process Query Systems. Christopher Roblee Vincent Berk George Cybenko

Exploiting Stateful Inspection of Network Security in Reconfigurable Hardware

LOAD BALANCING FOR HIGH-SPEED PARALLEL NETWORK INTRUSION DETECTION. A Thesis. Submitted to the Graduate School. of the University of Notre Dame

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

Understanding Slow Start

PROFESSIONAL SECURITY SYSTEMS

Performance of Host Identity Protocol on Nokia Internet Tablet

Real-Time Analysis of CDN in an Academic Institute: A Simulation Study

P Principles of Network Forensics P Terms & Log-based Tracing P Application Layer Log Analysis P Lower Layer Log Analysis

D1.2 Network Load Balancing

Enterprise Network Deployment, 10,000 25,000 Users

Watch your Flows with NfSen and NFDUMP 50th RIPE Meeting May 3, 2005 Stockholm Peter Haag

Network Forensics: Log Analysis

IDS / IPS. James E. Thiel S.W.A.T.

Deployment of Snort IDS in SIP based VoIP environments

Course Title: Penetration Testing: Security Analysis

Firestorm Network Intrusion Detection System

Packet Capture in 10-Gigabit Ethernet Environments Using Contemporary Commodity Hardware

Network Based Intrusion Detection Using Honey pot Deception

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

OpenFlow with Intel Voravit Tanyingyong, Markus Hidell, Peter Sjödin

Enterprise Applications

Attack Evaluation and Mitigation Framework

Contents. vii. Preface. P ART I THE HONEYNET 1 Chapter 1 The Beginning 3. Chapter 2 Honeypots 17. xix

Monitoring System Status

SYSTEM SETUP FOR SPE PLATFORMS

Datacenter Operating Systems

An Overview of the Bro Intrusion Detection System

IDSaaS: Intrusion Detection System as a Service in Public Clouds

Chapter 9 Firewalls and Intrusion Prevention Systems

Intrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12

Traffic Analyzer Based on Data Flow Patterns

Applications of Passive Message Logging and TCP Stream Reconstruction to Provide Application-Level Fault Tolerance. Sunny Gleason COM S 717

Benchmarking Cassandra on Violin

Configuring Snort as a Firewall on Windows 7 Environment

Very Large Enterprise Network Deployment, 25,000+ Users

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Network Defense Tools

Fifty Critical Alerts for Monitoring Windows Servers Best practices

Using Synology SSD Technology to Enhance System Performance Synology Inc.

Using Synology SSD Technology to Enhance System Performance Synology Inc.

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

Introduction. Application Performance in the QLinux Multimedia Operating System. Solution: QLinux. Introduction. Outline. QLinux Design Principles

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

How To Identify Different Operating Systems From A Set Of Network Flows

Network Security Monitoring

Signature-aware Traffic Monitoring with IPFIX 1

Performance Characteristics of VMFS and RDM VMware ESX Server 3.0.1

DDoS Counter Measures Based on Snort s detection system

A Transport Protocol for Multimedia Wireless Sensor Networks

Comparison of Web Server Architectures: a Measurement Study

Detecting Attacks. Signature-based Intrusion Detection. Signature-based Detection. Signature-based Detection. Problems

EVERYTHING A DBA SHOULD KNOW

Transcription:

-0- Improving the Database Logging Performance of the Snort Network Intrusion Detection Sensor Lambert Schaelicke, Matthew R. Geiger, Curt J. Freeland Department of Computer Science and Engineering University of Notre Dame Technical Report 03-10 November 2003

-1-1 Introduction Network intrusion detection systems have become one of several invaluable tools to safeguard critical infrastructure and information. Publicly available network intrusion detection systems (NIDS) such as Snort [3][5] and Bro [2] as well as a large number of commercial systems complement other security mechanisms by passively monitoring a network link for possible intrusions and other security breaches. Alerts about possible violations are forwarded to security personal and are often also stored in databases for further analysis and correlation [1]. The performance of a NIDS can be described by its ability to detect true attacks in the stream of network traffic it observes. In addition to the sophistication of the intrusion detection algorithm employed, processing speed is a key consideration for the overall performance. If the NIDS is unable to process network traffic at the rate it arrives, packets are dropped and valuable information may be lost. Significant packet loss negatively affects the overall NIDS effectiveness. The performance requirements of the popular Snort NIDS has been studied before [4]. However, in addition to the performance of the NIDS sensor itself, the database that receives and stores alerts can play a role in determining overall performance. On a system under attack, the NIDS sensor can potentially generate a large number of alerts over a short period of time. If the database server is unable to absorb alerts at the offered rate, important alert data is lost and the entire intrusion detection system is rendered inefficient. This problem is compounded if multiple NIDS sensors report to the same database system. For example, a dual-processor 800 Mhz Pentium-III system running MySQL is able to log 412 alerts per second into a MySQL database server configured for the ACID intrusion detection analysis console [1]. A 100 Mbit Ethernet link at 50 percent utilization can carry approximately 23855 packets with an average size of 512 bytes per second. Given the maximum database throughput, at most 1.7 percent of all packets can trigger an alert before the database server is overloaded and alerts are lost. Clearly, in certain attack situations, the rate of alerts can exceed the database throughput, resulting in loss of alert information. 2 Performance Optimization The ACID intrusion detection analysis console [1] stores intrusion alerts generated by one or more sensors in an SQL database server for further analysis and correlation. The open-source Snort NIDS includes a plug-in module that interacts with a database server and logs alerts in an ACIDcompatible format. Intrusion alerts are stored in a variety of tables, depending on the alert and packet type. Each alert issued by a sensor is added to a table of events. Event table entries reference signatures in a separate table, and refer to additional information about the alert in tables that store IP, TCP, UDP or ICMP header information, the packet payload and other optional information. The relationship between events and signatures is established by unique, ACID-internal signature identifiers that map events to signatures.

-2- On startup, a Snort sensor obtains a sensor ID from the database server, and registers itself in a table of active sensors. When generating an alert, the sensor looks up the alert signature in the signature table to obtain the database internal signature ID. If a signature is encountered for the first time, it is not present in the table and the sensor inserts the signature and related information in a number of database tables, before obtaining the unique signature ID. This general design of the ACID database tables offers significant flexibility as it supports any number of sensors and does not assume a static set of signatures. Furthermore, alert information is distributed over a number of tables, thus minimizing record size in each table and reducing the amount of wasted space in case not all elements are applicable to a specific alert. However, the flexibility of ACID comes at the cost of higher overhead. For instance, inserting an alert related to an IP/TCP packet into the database requires at a minimum: a lookup of the signature ID insertion of the event into the event table insertion of IP header information into the iphdr table insertion of TCP header information into the tcphdr table possibly, insertion of optional information and payload into the respective tables Note that the last four steps involve updates to the index in addition to inserting the record, generally implemented as expensive read-modify-write sequences on the index file. An analysis of the I/O behavior of the database server reveals that a significant amount of time is spent accessing the signature table. The table is accessed for every alert and accounts for almost 25 percent of all I/O system calls. Interestingly, most I/O system calls complete in under 15 microseconds, indicating that the majority of file data is successfully cached in main memory. Signature table accesses, however, exhibit a significantly higher access time as a result of frequent long-latency disk accesses. This effect is in part due tothe file cache policy that prefers toevict read-only data over modified disk blocks. It is furthermore observed that during normal operation, the signature table is almost never updated, once it has been populated with the commonly encountered signatures. Combined, these observations indicate that caching the signature table at the NIDS sensors is able to eliminate an expensive database access without loss of functionality of the ACID database, resulting in improved alert insertion performance. The signature cache is implemented as a hash table inside the Snort database plug-in. Each hash table entry consists of the Snort signature identifier, signature name, revision number and the ACID signature ID. The hash table is indexed by the Snort signature ID and is arranged as an array of linked lists. When generating an alert, the database plug-in first attempts to look up the signature in the hash table. Upon success, the internal signature ID is used to insert the event and related information into the various ACID tables. If a given signature is not present in the local hash table, the plug-in looks it up in the ACID signature table. The signature may be found in the database table if a sensor is encountering a signature for the first time, but it has been inserted previously by another sensor (or an earlier session of this sensor). If the signature is not found in the database table, it is inserted along with related

-3- information such as the reference ID and signature class. In either case, the database provides the internal signature ID to the sensor, which then inserts a new record in its hash table. Note that even though the local hash tables cache the central database table, coherency is not a concern since signatures are normally not deleted from the table. Individual sensors populate their hash tables lazily as signatures are encountered, with the central database assigning unique internal signature identifiers. The local cache increases Snort s memory requirements by a modest amount of 272 bytes per signature. The overhead of the hash table search is negligible compared to the savings in database query latency. Consequently, optimizing the local hash table layout to minimize average hash chain length is not a concern. Note that this optimization has no impact on the database table structure or on the database server. 3Evaluation To evaluate the effectiveness of the sensor signature cache, trace-based experiments are performed involving two PC/Linux hosts acting as a sensor and database server. The sensor is a 1.7 Ghz Pentium-4 system with 256 Mbyte of main memory, running Debian Linux 2.4.19 and Snort 1.9.1. The sensor is connected to a database server with two 800 Mhz Pentium-III Coppermine processors, 1.2 Gbyte of memory, running Debian Linux with the 2.4.19 kernel and MySQL 3.23.56 [6]. Database tables are stored on a 210 Gbyte RAID-0 array consisting of 6 Ultra-SCSI- 3 disk drives hosted on a Smart-2P RAID controller. In the experiments, the Snort sensor is reading a network trace in tcpdump format from disk. 1.7 Ghz Pentium-4, 256 Mbyte RAM dual 800 Mhz Pentium-III 1.2 Gbyte RAM tcpdump trace 100 Mbit/s Ethernet Snort 1.9.1 MySQL 3.23 Figure 1: Experimental Setup To expose the database performance bottleneck, an artificial Snort rule is used that logs every packet as an alert. While this setup does not correspond to the normal use of network intrusion detection systems in production environments, it eliminates the NIDS sensor as a bottleneck and thus approximates the system behavior in the event of an attack when the NIDS sensor rapidly generates a large number of alerts. In this environment, the unmodified system is able to read, process and issue alerts for 444,611 packets in 18 minutes, at an average rate of 412 alerts per second. The trace file contains the first 68 bytes of every packet captured off a campus internet connection on Sunday, December 8, 2002, between 10:21 and 10:36 a.m. With the sensor signature cache, the processing time for the same

-4- trace is reduced to 14 minutes, resulting in an average rate of 530 alerts per second and an improvement of 28.6 percent over the unmodified configuration. In both experiments, all database tables are initially empty. A second experiment uses the default Snort 1.9.1 ruleset on a larger trace, consisting of 15,561,199 packets captured on the same campus network link on Monday, December 2, 2002, between 12:01 and 12:10 a.m. This setup corresponds more closely to a realistic NIDS environment, as only a subset of the observed packets trigger alerts. The unmodified system requires 31.5 minutes of processing during which it logs 237,279 alerts, while the signature cache reduces this time by 9.5 percent to 28.5 minutes. These results demonstrate that alert logging overhead can limit overall NIDS performance, especially under high load such as an attack situation. Caching frequently used database information at the sensors reduces logging overhead by over 20 percent, resulting in a direct and corresponding performance improvement of the NIDS sensor in cases of high alert rates. 4 Summary The performance of a network intrusion detection system depends on both the method of detecting intrusions as well as its processing overhead. If the sensor is not able to process network traffic at the rate offered by the link under observation, packets are dropped and valuable information may be lost. The method of logging alerts has a direct impact on the sensor overhead, and can further limit the NIDs sensor performance in scenarios with high alert rates. This paper presents and evaluates a performance optimization technique that caches the contents of a database table to reduce the number of queries. When applied to the Snort intrusion detection sensor and the ACID database, this technique reduces alert logging overhead by 25 percent. A modified database plug-in for Snort 1.9.1 is available in source code form at no cost at: http://www.cse.nd.edu/~spanids/software.php The source code has been extensively tested with Snort 1.9.1 and is compatible with Snort 2.0. The authors wish to thank the entire Spanids research team for their support. This material is based upon work supported by the National Science Foundation under Grant No. ANI02-31535. Any opinions, findings, and conclusions expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation.

-5-5 References [1] R. Danyliw, ACID: Analysis Console for Intrusion Databases, http://acidlab.sourceforge.net, 2001 [2] V. Paxson, Bro: A System for Detecting Network Intruders in Real-Time, Computer Networks, vol. 31, no. 23-24, 1999, pp. 2435-2463. [3] M. Roesch, Snort Lightweight Intrusion Detection for Networks, Proc. Usenix LISA 99 Conf., November 1999. http://www.snort.org/docs/lisapaper.txt [4] L. Schaelicke, T. Slabach, B. Moore and C. Freeland, Characterizing the Performance of Network Intrusion Detection Sensors, Proc. SixthInternational Symposium on Recent Advances in Intrusion Detection (RAID 2003), Lecture Notes in Computer Science, Springer-Verlag, Berlin - Heidelberg - New York, 2003. [5] Snort 2.0 - Detection Revisited, whitepaper, Sourcefire Network Security Inc, 2002. [6] TcX AB, Detron HB, and Monty Program KB, MySQL Reference Manual Version 3.2.2, http://www.mysql.com/documentation/mysql/

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information