1 Introduction
2 Signature based IDS Background
3 Description of the Data Collection Infrastructure
3.1 The Architecture
3.2 The Experimental Data
4 Configurational Diversity Analysis
4.1 Diversity in the BIPAs of Snort and Suricata
4.1.1 Analysis of Individual IDSs
Source BIP | #Files | #IPA | #IP(“continuous”) | #IP(“discrete”) |
---|---|---|---|---|
Snort | 15,812 | 46,701 | 5,383 | 41,318 |
Suricata | 129 | 135,791 | 28,883 | 106,908 |
4.1.2 Diversity Analysis of the BIPAs
| Measure | State | Count |
|---|---|---|
| No. of BIPAs in 128 files of Snort | | 46,187 |
| No. of BIPAs in 128 files of Suricata | | 135,308 |
| No. of BIPAs in either Snort or Suricata | | 177,504 |
| No. of BIPAs in both Snort and Suricata | | 3,991 |
| No. of IP/date pairs observed in the overlapping periods of Snort and Suricata | (01) | 1,129,180 |
| | (10) | 2,219,330 |
| | (11) | 113,152 |
| Single states | # IPs | Multiple states | # IPs | Observed first in | # IPs |
|---|---|---|---|---|---|
| (01) | 42,196 | (01,10) | 79 | (01) | 35 |
| | | | | (10) | 44 |
| (10) | 131,317 | (01,11) | 2,834 | (01) | 1,257 |
| | | | | (11) | 1,577 |
| (11) | 588 | (10,11) | 250 | (01) | 84 |
| | | | | (11) | 166 |
| | | (01,10,11) | 240 | (01) | 102 |
| | | | | (10) | 82 |
| | | | | (11) | 56 |
4.2 Diversity in Rules used by Snort and Suricata
4.2.1 Overall Analysis
Rules | #F | #R | #RNVC | #RVC |
---|---|---|---|---|
SnortReg | 52 | 10,675 | 2,259 | 8,416 |
SnortSub | 51 | 10,736 | 2,399 | 8,337 |
SnortCom | 166 | 903 | 472 | 431 |
SuricataET | 106 | 19,584 | 523 | 19,061 |
4.2.2 Snort Rules Diversity Analysis
| Measure | State | Count |
|---|---|---|
| #SIDs Snort Reg | | 12,161 |
| #SIDs Snort Sub | | 12,257 |
| #SIDs Snort Com | | 959 |
| #distinct SIDs in any | | 12,267 |
| #Data points (SID/date pairs) | 01 | 4 |
| | 10 | 4,255 |
| | 11 | 100 |
| | 100 | 469,390 |
| | 101 | 0 |
| | 110 | 210 |
| | 111 | 41,913 |
| 1-S | #SIDs | 2-S | #SIDs | OFI | #SIDs | 3-S | #SIDs | OFI | #SIDs |
|---|---|---|---|---|---|---|---|---|---|
| (01) | 0 | (01,100) | 4 | 01 | 0 | (10,110,111) | 17 | 10 | 17 |
| | | | | 100 | 4 | | | 110 | 0 |
| | | | | | | | | 111 | 0 |
| (10) | 91 | (10,100) | 480 | 10 | 480 | (11,100,111) | 1 | 11 | 0 |
| | | | | 100 | 0 | | | 100 | 1 |
| | | | | | | | | 111 | 0 |
| (11) | 10 | (10,110) | 3 | 10 | 3 | (11,110,111) | 2 | 11 | 0 |
| | | | | 110 | 0 | | | 110 | 2 |
| | | | | | | | | 111 | 0 |
| (100) | 10,733 | (11,111) | 76 | 11 | 0 | (100,110,111) | 2 | 100 | 0 |
| | | | | 111 | 76 | | | 110 | 2 |
| | | | | | | | | 111 | 0 |
| (101) | 0 | (100,111) | 24 | 100 | 17 | 4-S | #SIDs | OFI | #SIDs |
| | | | | 111 | 7 | (10,11,110,111) | 1 | 10 | 1 |
| (110) | 2 | (110,111) | 7 | 110 | 7 | | | 11 | 0 |
| | | | | 111 | 0 | | | 110 | 0 |
| (111) | 814 | | | | | | | 111 | |
4.2.3 Configurational Diversity Analysis of Snort and Suricata Rules
| Measure | Count |
|---|---|
| #SIDs Snort Reg with content field | 7,840 |
| #SIDs Snort Sub with content field | 7,901 |
| #SIDs Snort Com. with content field | 883 |
| #SIDs in Sur.ET with the content field | 15,239 |
| #Distinct SIDs with content field in any of the above | 23,014 |

#(SID-content, date) pairs in Snort and Suricata:

| S | #D-P | S | #D-P |
|---|---|---|---|
| | | 1000 | 644,159 |
| 01 | 1 | 1001 | 0 |
| 10 | 2,443 | 1010 | 8 |
| 11 | 74 | 1011 | 0 |
| 100 | 278,911 | 1100 | 4,236 |
| 101 | 0 | 1101 | 0 |
| 110 | 177 | 1110 | 0 |
| 111 | 34,409 | 1111 | 748 |
| 1-S | #SIDs | 2-S | #SIDs | OFI | #SIDs | 3-S | #SIDs | OFI | #SIDs |
|---|---|---|---|---|---|---|---|---|---|
| 10 | 57 | (01,100) | 1 | 01 | 0 | (10,110,111) | 18 | 10 | 18 |
| | | | | 100 | 1 | | | 110 | 0 |
| | | | | | | | | 111 | 0 |
| 100 | 6,548 | (10,100) | 315 | 10 | 314 | (11,110,111) | 2 | 11 | 0 |
| | | | | 100 | 1 | | | 110 | 2 |
| | | | | | | | | 111 | 0 |
| 110 | 2 | (10,110) | 2 | 10 | 2 | (1000,1010,1100) | 1 | 1000 | 1 |
| | | | | 110 | 0 | | | 1010 | 0 |
| | | | | | | | | 1100 | 0 |
| 111 | 760 | (11,111) | 72 | 11 | 0 | | | | |
| | | | | 111 | 72 | | | | |
| 1000 | 15,113 | (100,111) | 3 | 100 | 3 | | | | |
| | | | | 111 | 0 | | | | |
| 1100 | 96 | (110,111) | 7 | 110 | 7 | | | | |
| | | | | 111 | 0 | | | | |
| 1111 | 17 | | | | | | | | |
5 Functional Diversity Analysis of Snort and Suricata
5.1 Description of the Data used in Functional Diversity Analysis
Dates | #Rules | Rules in i & not in i-1 | Rules in i-1 & not in i | changes of VN b/w i & i + 1 | #BIPAs | BIPAs in i & not in i-1 | BIPAs in i-1 & not in i |
---|---|---|---|---|---|---|---|
01/8 | 10,228 | 0 | 32 | 2,603 | 1,088 | ||
03/8 | 10,258 | 30 | 0 | 8 | 1,614 | 99 | 177 |
08/8 | 10,266 | 8 | 0 | 0 | 6,296 | 4,859 | 34 |
09/8 | 10,268 | 2 | 0 | 3 | 6,905 | 643 | 44 |
10/8 | 10,277 | 9 | 2 | 8 | 7,837 | 976 | 148 |
15/8 | 10,314 | 39 | 0 | 4 | 10,592 | 2,903 | 81 |
17/8 | 10,330 | 16 | 11,459 | 948 | |||
23/8 | 10,340 | 0 | 14 | 9,783 | 1,099 | ||
24/8 | 10,345 | 5 | 3 | 17 | 10,053 | 829 | 968 |
29/8 | 10,354 | 12 | 6 | 17 | 7,425 | 3,596 | 70 |
31/8 | 10,360 | 12 | 2 | 16 | 6,577 | 918 | 1,940 |
06/9 | 10,368 | 10 | 436 | 448 | 5,644 | 2,873 | 1,386 |
08/9 | 10,374 | 442 | 4 | 18 | 5,958 | 1,072 | 126 |
12/9 | 10,394 | 24 | 5,049 | 1,035 |
Dates | #Rules | Rules in i & not in i-1 | Rules in i-1 & not in i | changes of VN b/w i & i + 1 | #BIPAs | BIPAs in i & not in i-1 | BIPAs in i-1 & not in i |
---|---|---|---|---|---|---|---|
01/8 | 18,842 | 2 | 1,200 | 16,137 | 1,184 | ||
03/8 | 18,860 | 20 | 17 | 1,240 | 16,339 | 1,377 | 1,884 |
08/8 | 18,860 | 17 | 2 | 1,198 | 16,194 | 1,758 | 701 |
09/8 | 18,872 | 14 | 8 | 1,203 | 16,281 | 786 | 840 |
10/8 | 18,867 | 3 | 0 | 1,237 | 16,203 | 761 | 2,234 |
15/8 | 18,900 | 33 | 7 | 1,216 | 16,334 | 2,355 | 1,303 |
17/8 | 18,945 | 52 | 16,254 | 1,213 | |||
23/8 | 18,940 | 13 | 1,195 | 16,185 | 1,364 | ||
24/8 | 18,939 | 12 | 7 | 1,228 | 16,122 | 1,309 | 3,462 |
29/8 | 18,945 | 13 | 3 | 1,095 | 16,068 | 3,426 | 712 |
31/8 | 18,973 | 31 | 4 | 1,229 | 16,051 | 695 | 2,919 |
06/9 | 19,025 | 56 | 25 | 1,219 | 16,348 | 3,202 | 1,761 |
08/9 | 19,031 | 31 | 137 | 1,125 | 16,198 | 1,598 | 2,303 |
12/9 | 18,912 | 18 | 15,744 | 1,822 |
5.2 Evolution in the Alerting behaviour of Snort and Suricata
5.3 Diversity in Time between Snort and Suricata
5.4 Functional Diversity Analysis between Snort and Suricata
Date | Sn&¬Su | Su&¬Sn | Sn&Su | Same-in Sn&Su | Different-in Sn&Su | Start-in Su | Start-in Sn | Start-in both |
---|---|---|---|---|---|---|---|---|
Aug-01 | 1,012,895 | 777,204 | 53 | 42 | 11 | 3 | 0 | 8 |
Aug-03 | 900,073 | 829,656 | 53 | 43 | 10 | 2 | 0 | 8 |
Aug-08 | 956,331 | 859,790 | 53 | 26 | 7 | 2 | 0 | 5 |
Aug-09 | 971,229 | 837,406 | 38 | 25 | 13 | 6 | 1 | 6 |
Aug-10 | 451,611 | 461,047 | 18 | 12 | 6 | 2 | 0 | 4 |
Aug-15 | 667,868 | 544,822 | 41 | 38 | 3 | 1 | 0 | 2 |
Aug-17 | 1,043,366 | 958,518 | 77 | 65 | 12 | 4 | 0 | 8 |
Aug-23 | 869,585 | 761,936 | 27 | 21 | 6 | 0 | 0 | 6 |
Aug-24 | 869,737 | 878,191 | 8 | 5 | 3 | 3 | 0 | 0 |
Aug-29 | 878,227 | 666,433 | 35 | 35 | 0 | 0 | 0 | 0 |
Aug-31 | 1,081,173 | 892,611 | 248 | 246 | 2 | 0 | 0 | 2 |
Sep-06 | 952,582 | 1,315,178 | 45 | 37 | 8 | 2 | 0 | 6 |
Sep-08 | 811,995 | 1,247,364 | 44 | 35 | 9 | 0 | 2 | 7 |
Sep-12 | 931,712 | 887,899 | 44 | 34 | 10 | 0 | 1 | 9 |
6 Discussion and Limitations
7 IDS Deployment Strategies Based on Our Analysis
- If there is a constraint of using a single IDS, either Snort or Suricata, it is recommended to combine the rulesets and the BIPAs of both and use them in that single IDS. The rulesets and BIPAs can be used interchangeably by either of these IDSs. However, to avoid a high false alarm rate, both rulesets should be properly tuned by an IT administrator based on the organization's security policy.
- The two IDSs can be deployed in parallel with the help of an adjudicating scheme. While this strategy may be more effective in reducing the false alarm rate, it may, however, add overhead and delay in the network.
- The two IDSs can be deployed in series, with an adjudicating system at the end of the chain. We cannot prescribe which IDS should be deployed first in this strategy, because our analysis does not cover 'actual' attacks or which IDS performs better on the various detection metrics.
8 Related Work
9 Conclusion
- There is a significant amount of diversity in the BIPAs of Snort and Suricata, and this is maintained throughout our observation period. The amount of overlap between these BIPAs is relatively small. Depending on the adjudication mechanism that a system architect wishes to deploy, having access to a larger pool of BIPAs may be beneficial to increase protection against a larger pool of malicious sources. However, if a user observes a large number of false positives from these blacklists at a given time, then diversity can help keep the false positive rate low (for example by only raising alarms if an IP appears in multiple blacklists) until the vendors "clean up" the blacklists;
- We observe the evolution of rule diversity for both Snort and Suricata, but to generalize these results we need to analyse pcap data of a longer duration.
- We observe a significant amount of diversity in the rules of Snort and Suricata. When analyzing the rules based on the "content" field, only 1% of the rules of Snort and Suricata return a match. This indicates that these systems would alert on potentially very diverse traffic. This is indeed confirmed by the experiment we ran with real traffic from City, University of London: there was very little overlap in the alerting behaviour of these products.