Snort 3.0 is an updated version of the Snort Intrusion Prevention System (IPS) which features a new
design that provides a superset of Snort 2.X functionality with better efficacy, performance,
scalability, usability, and extensibility. Some of the key features of Snort 3.0 are:
* Support multiple packet processing threads
* Use a shared configuration and attribute table
* Autodetect services for portless configuration
* Modular design
* Plugin framework with over 200 plugins
* More scalable memory profile
* LuaJIT configuration, loggers, and rule options
* Hyperscan support
* Rewritten TCP handling
* New rule parser and syntax
* Service rules like alert http
* Rule "sticky" buffers
* Much improved SO rules
* New HTTP inspector
* New performance monitor
* New time and space profiling
* New latency monitoring and enforcement
* Inspection Events
* Autogenerate reference documentation
=== Efficacy
* Detects and blocks all but 10 HTTP Evader tests (see https://noxxi.de/research/http-evader.html).
* Autodetection of services reduces misses due to incorrect or out of date port configurations and
improves detection on unexpected command and control channels.
=== Performance
* Vastly improved throughput over Snort 2 for deep flow inspection.
* Many more fast pattern buffers mean fewer non-fast pattern rules.
* Hyperscan is used for faster fast patterns, content literals and (optionally) compatible PCRE
during signature evaluation, and various searches done by inspectors.
* sd_pattern rules have normal fast patterns and don't require extra searches.
* The snort3_demo repo has a performance suite that can be used to compare Snort 2 and Snort 3.
* The DAQ 3 interface facilitates leveraging your data plane for maximum throughput including
checksum offload and acquisition of a vector of packets.
* Snort 3 is not run-to-completion, making it possible to detain packets for lookaside acceleration
and other new features.
=== Scalability
* Much easier to leverage multiple cores.
* All packet threads share configuration and rule engine which frees up much more memory for packet
processing.
=== Usability
* Sticky buffers make it easier to write correct rules.
* Autodetection eliminates much port configuration maintenance.
* Service-based detection doesn't preclude port-based detection.
* Builtin defaults and policy tweaks make effective tuning much simpler.
* Command line help and generated reference documentation make it easy to get the correct
configuration details.
* A trace mechanism is provided to make it easy to see how packets are processed.
* A scaled-down image can be built and configured for smaller systems such as IoT devices.
* The snort2lua utility (described later) makes it easy to convert your local rules.
* Extensive peg counts capture the important events and actions to provide more detailed insight
into your deployment.
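The two usability points above, sticky buffers and service-based rules coexisting with port-based ones, are easiest to see in a configuration. The following snort.lua is an added illustration, not a file from the Snort 3 tree: it binds http_inspect both by service (via the wizard) and by port, and carries one service rule using the http_uri and http_header sticky buffers next to one plain port-based rule. The network ranges, sids, messages and the dofile path to snort_defaults.lua are assumptions for the example; snort_defaults.lua ships with Snort 3 and is only needed here for default_wizard.

```lua
-- Added example (not part of the Snort 3 source tree).
-- Assumes snort_defaults.lua is reachable from the working directory so that
-- default_wizard is defined; everything else is self-contained.
dofile('snort_defaults.lua')

-- Address variables referenced by the port-based rule below (made-up ranges).
ips_nets =
{
    HOME_NET     = '192.168.1.0/24',
    EXTERNAL_NET = '!192.168.1.0/24',
}

-- Core inspectors. The wizard autodetects the service on a flow regardless of
-- port, which is what makes the portless "alert http" rule below work.
stream       = { }
stream_tcp   = { }
http_inspect = { }
wizard       = default_wizard

-- Service-based binding and port-based binding side by side: HTTP found by the
-- wizard on any port goes to http_inspect, and so does anything on 80 or 8080
-- even before the wizard has spoken. Unknown TCP flows fall through to the wizard.
binder =
{
    { when = { proto = 'tcp', service = 'http' },      use = { type = 'http_inspect' } },
    { when = { proto = 'tcp', ports = '80 8080' },     use = { type = 'http_inspect' } },
    { use = { type = 'wizard' } },
}

ips =
{
    enable_builtin_rules = true,
    variables = { nets = ips_nets },

    rules = [[
        # Service rule: no addresses or ports in the header, it fires on any
        # flow the wizard (or binder) identifies as HTTP. http_uri and
        # http_header are sticky buffers: every content that follows one is
        # matched against that buffer until the next buffer keyword.
        alert http ( msg:"example: /admin requested by curl";
            flow:to_server,established;
            http_uri; content:"/admin",nocase;
            http_header; content:"User-Agent: curl",nocase;
            sid:1000001; rev:1; )

        # Port-based rule: still valid alongside service rules, and it uses the
        # address variables defined above.
        alert tcp $EXTERNAL_NET any -> $HOME_NET 23 ( msg:"example: inbound telnet";
            flow:to_server,established;
            sid:1000002; rev:1; )
    ]],
}
```

Validate the configuration with `snort -c snort.lua -T` before deploying it; a typo in a sticky buffer name or binder key is reported at load time rather than silently disabling the rule. Because the first rule has no port, a server on 8443 that the wizard identifies as HTTP is covered without any port list maintenance, which is the point made above about autodetection.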
=== Extensibility
* Several plugin types are defined and over 220 plugins are available.
* Inspection events make collaboration among plugins possible without framework updates.
* All plugins, including SO rules, can be mixed in the same library.
* A command line shell is available for reloads and other operations.
* The snort3_extra repo has examples of each plugin type to help you get started.
* Easy to add SO rules for 0-day attacks.