SnortML

Name: snort_ml
Type: Inspector (passive)
Usage: Inspect
Instance Type: Singleton
Other Inspectors Required: snort_ml_engine, http_inspect
Enabled: Maximum Detection policy

Every day, new vulnerabilities are discovered in software that is critical to the functioning of the modern world. Security analysts take apart these new vulnerabilities, isolate what is necessary to trigger them, and write signatures to detect exploits that target them. Most signatures can only be written for specific vulnerabilities.

SnortML is a neural network-based exploit detection engine for the Snort intrusion prevention system. It is designed not only to learn to detect known attacks from training data, but also to detect attacks it has never seen before.

The snort_ml inspector searches primarily for SQL injection attacks over HTTP. Because this inspector may affect performance, it is enabled by default only under the Maximum Detection policy.

From Secure Firewall version 10.0.0, detection of command line injection attacks over HTTP traffic is supported. A command line injection attack occurs when an attacker is able to supply operating system (OS) commands that are executed on the host OS.

Also from Secure Firewall version 10.0.0, neural network models of 256, 512, or 1024 byte size are selected automatically to match the URI input. Smaller trained neural network models give faster analysis than larger models without any impact on efficacy.

SnortML Rules

Enable the snort_ml inspector rule to generate events and, in an inline deployment, drop offending packets. The snort_ml inspector rule is enabled by default only under the Maximum Detection intrusion and network analysis policies.

Table 1. Snort ML Inspector Rules

GID:SID    Rule Message
411:1      (snort_ml) potential threat found in HTTP parameters via Neural Network Based Exploit Detection.

SnortML Parameters

uri_depth

Specifies the number of bytes to scan from the HTTP URI. The value -1 means unlimited.

Type: integer

Valid range: -1 to 2147483648

Default value: -1

client_body_depth

Specifies the number of bytes to scan from the HTTP client body. The value -1 means unlimited.

Type: integer

Valid range: -1 to 2147483648

Default value: 0

Enable SnortML Rule

The SnortML rule is enabled by default if the intrusion policy you have set up uses Maximum Detection as its base policy. If you are not using Maximum Detection as the base policy, the SnortML rule is disabled by default. To enable it, perform the following steps:

Procedure


Step 1

Choose Policies > Intrusion.

Step 2

Under the Intrusion Policies tab, click Snort 3 Version for the intrusion policy on which you want to enable the SnortML rule. The About Intrusion Policies window appears.

Step 3

Read through the information displayed on the About Intrusion Policies window and click Dismiss.

Step 4

In the Summary tab, click View Effective Policy.

Step 5

On the Effective Policy window, type GID=411 in the filter bar and press the Enter key. The 411:1 rule is displayed.

Step 6

From the Rule Action dropdown list, choose Block.

Step 7

In the dialog that appears, click Override.

Step 8

Click Summary to go back to the Summary window and verify that the number of Overridden Rules has increased by one. The SnortML rule is now enabled, and the SnortML inspector is enabled automatically along with it.


Disable SnortML Inspector

To disable the snort_ml inspector, perform the following steps:

Procedure


Step 1

Choose Policies > Intrusion.

Step 2

Under the Network Analysis Policies tab, click Snort 3 Version for the network analysis policy in which you want to disable the snort_ml inspector. Read through the warning that appears and click Yes.

Step 3

Click snort_ml in the list of Inspectors.

Step 4

Click the Edit (edit icon) icon next to Overridden Configuration.

Step 5

On the Override Configuration window, change "enabled": true to "enabled": false.

Step 6

Click anywhere outside the text box to verify the JSON format. After the JSON syntax ok message appears, click OK to save the configuration. The changes you made are shown under Overridden Configuration.

Step 7

Click Save to save the changes made to the network analysis policy.
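The Override Configuration JSON edited in Step 5 is only checked for syntax by the text box; the parameter names, types and ranges documented in the SnortML Parameters section are not. The following helper, added here as an example and not part of Secure Firewall or Snort, validates a snort_ml override string against those documented parameters before it is pasted in, and reports what each depth value means (the "not scanned" reading of 0 follows from the page's definition of the depth as the number of bytes to scan).

```python
import json

# Documented snort_ml parameters (SnortML Parameters section): name ->
# (type, minimum, maximum, default). "enabled" is the boolean key edited in
# the Override Configuration JSON of the Disable procedure.
SNORT_ML_PARAMS = {
    "enabled": (bool, None, None, True),
    "uri_depth": (int, -1, 2147483648, -1),
    "client_body_depth": (int, -1, 2147483648, 0),
}

def validate_override(text):
    """Return a list of problems in an override JSON string; [] means it is usable."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"JSON syntax error: {exc.msg} at line {exc.lineno}"]
    if not isinstance(cfg, dict):
        return ["override must be a JSON object"]
    problems = []
    for key, value in cfg.items():
        spec = SNORT_ML_PARAMS.get(key)
        if spec is None:
            problems.append(f"unknown parameter: {key}")
            continue
        typ, lo, hi, _ = spec
        # bool is a subclass of int in Python, so reject true/false explicitly for integers
        if typ is int and (isinstance(value, bool) or not isinstance(value, int)):
            problems.append(f"{key}: expected integer, got {value!r}")
        elif typ is bool and not isinstance(value, bool):
            problems.append(f"{key}: expected true or false, got {value!r}")
        elif typ is int and not lo <= value <= hi:
            problems.append(f"{key}: {value} outside valid range {lo} to {hi}")
    return problems

def describe_depth(depth):
    """Meaning of a depth value: -1 is unlimited, otherwise the number of bytes scanned."""
    if depth == -1:
        return "unlimited"
    if depth == 0:
        return "not scanned"  # zero bytes of that part are examined
    return f"first {depth} bytes"

def effective_config(text):
    # Merge a validated override onto the documented defaults.
    problems = validate_override(text)
    if problems:
        raise ValueError("; ".join(problems))
    cfg = {name: spec[3] for name, spec in SNORT_ML_PARAMS.items()}
    cfg.update(json.loads(text))
    return cfg
```

Running effective_config on the default policy shows that client_body_depth stays at 0, so a policy that leaves the defaults in place scans only the URI and not the HTTP client body.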


What to do next

Ensure that you apply the modified intrusion policy in the required access control rule of your access control policy. Also, apply the modified network analysis policy from the Network Analysis and Intrusion Policies section in the Advanced Settings of your access control policy.

View SnortML Rule Events in Unified Events

Procedure


Step 1

Choose Events & Logs > Analysis > Unified Events.

Step 2

In the search bar, type intrusion and select Intrusion Events.

Step 3

In the Add field of the search bar, enter snort_ml and click Apply. The intrusion events generated by the SnortML rule are displayed.

Step 4

(Optional) Click the Right Arrow (right arrow icon) to view more details on the generated event.


View SnortML Rule Events in Intrusion Events

Procedure


Step 1

Choose Events & Logs > Intrusions > Events.

Step 2

Click Table View of Events for a detailed view of the intrusion events.

Step 3

Click Edit Search.

Step 4

In the Message field, enter snort_ml and click Search. All intrusion events generated by the SnortML rule are displayed.