Snort and Xen

What is Xen

Xen is an open-source and free virtual machine monitor for x86, Intel Itanium and PowerPC that enables the execution of multiple guest operating systems on the same computer hardware. Each Xen system has a single privileged OS, called Domain-0, that is responsible for starting and managing the other unprivileged OS instances. Domain-0 is the OS that boots when you start your computer, and it has the tools necessary to manage other domains. This form of virtualization is achieved using a technique called paravirtualization and is being developed by the Xen Project, led by XenSource, Inc.

Xen provides secure isolation, resource control, quality-of-service guarantees, and live migration of virtual machines. On legacy computer systems, the operating systems must be explicitly modified to run on Xen (although compatibility is maintained for user applications). On the latest Intel VT or AMD Virtualization enabled processors, Xen can virtualize any OS, unmodified. Paravirtualization confers performance and security benefits when used in conjunction with hardware-assisted virtualization.

The security of your environment can be enhanced by running different services in complete isolation, without resorting to the purchase of additional costly hardware. If your server used to run a web server and an e-mail server together, you can now isolate these two services and run them as though they were running on completely separate machines.

What is Snort

Snort is a lightweight network IDS, capable of performing real-time traffic analysis and packet logging on IP networks. It can be downloaded from http://www.snort.org and is distributed under the GNU GPL license by the author Martin Roesch. There are four protocols that Snort currently analyzes for suspicious behavior: TCP, UDP, ICMP, and IP. The open-source community is extending it to analyze more protocols such as ARP, IGRP, GRE, OSPF, RIP and IPX. For instance, we have extended Snort to analyze RTP.

Using Snort's protocol analysis and content-searching ability, it can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and more. Snort uses a flexible rules language to describe traffic that it should collect or pass, and includes a detection engine utilizing a modular plug-in architecture.

Snort has real-time alerting capability as well, incorporating alerting mechanisms for Syslog, user-specified files, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient.

Snort has three primary uses. It can be used as a straight packet sniffer like tcpdump, or as a packet logger that is useful for network traffic debugging. It can also be used as a full-blown network intrusion detection system.

A typical rule looks like this:

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; \
content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; \
reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; \
reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2003; rev:8;)

This one generates an alert when a UDP packet going from $EXTERNAL_NET to $HOME_NET with destination port 1434 has particular contents in it. The references are for the reader's information, not for Snort's use; they give sources of information on the attack. The classtype is the general type of the alert, and the sid and rev serve to uniquely identify this particular alert. This rule is triggered by the fairly infamous Slammer (or Sapphire) worm that attacks unpatched MS-SQL servers.
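To make the anatomy of that rule concrete, here is an added example (not from the original text or the Snort project) that parses the rule's header and options in Python and checks whether a payload satisfies its content and depth constraints. The two sample payloads are constructed, not captured worm traffic, and the rule's reference list is abridged.

```python
import re

# The Slammer rule from the text, joined onto one string (reference list abridged).
SLAMMER_RULE = (
    'alert udp $EXTERNAL_NET any -> $HOME_NET 1434 '
    '(msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; '
    'content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; '
    'reference:bugtraq,5310; reference:cve,2002-0649; classtype:misc-attack; '
    'sid:2003; rev:8;)'
)
HEADER_FIELDS = ("action", "proto", "src", "sport", "direction", "dst", "dport")
OPTION_RE = re.compile(r'(\w+):("(?:[^"\\]|\\.)*"|[^;]*);')

def decode_content(text):
    """Expand a Snort content string: text outside |...| is literal, inside is hex."""
    out = b""
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return out

def parse_rule(rule):
    """Split a rule into its header fields and options; contents keep rule order."""
    head, _, body = rule.partition("(")
    parsed = dict(zip(HEADER_FIELDS, head.split()))
    parsed["contents"], parsed["references"] = [], []
    for key, val in OPTION_RE.findall(body):
        val = val.strip('"')
        if key == "content":
            parsed["contents"].append({"bytes": decode_content(val), "depth": None})
        elif key == "depth":          # depth modifies the content that precedes it
            parsed["contents"][-1]["depth"] = int(val)
        elif key == "reference":      # informational only, never used for matching
            parsed["references"].append(tuple(val.split(",", 1)))
        else:
            parsed[key] = val
    return parsed

def payload_matches(parsed, payload):
    """True when every content is present; depth:N confines its search to payload[:N].
    Without relative modifiers (distance/within) each content is searched independently."""
    for c in parsed["contents"]:
        window = payload if c["depth"] is None else payload[: c["depth"]]
        if c["bytes"] not in window:
            return False
    return True

# Constructed sample payloads (not real worm traffic): HIT has the 0x04 marker in byte 0
# plus every other pattern; MISS shifts 0x04 to byte 1, so the depth:1 check fails.
HIT = b"\x04" + b"\x01" * 8 + bytes.fromhex("81F10301049B81F101") + b"..sock..send.."
MISS = b"\x01" + HIT
```

Call parse_rule(SLAMMER_RULE) and pass the result with HIT or MISS to payload_matches to see the depth constraint decide the outcome.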