SnortML: Machine Learning-based Exploit Detection
Introduction
The Intrusion Prevention System rules present in Cisco firewalls (before release 7.6) are written based on known and fixed patterns. While these rules, when properly written, are effective at catching all variations of attacks against a known vulnerability, they are not able to detect exploits written for new or unknown vulnerabilities. Building rules for zero-day vulnerabilities takes time, during which unpatched systems remain vulnerable.
SnortML is a machine learning-based exploit detection engine for the Snort Intrusion Prevention System, introduced in release 7.6. With its new Machine Learning capabilities, attacks never seen before can be detected and blocked in real-time. Coverage can now be written for entire vulnerability classes, providing coverage even for new and unknown vulnerabilities. For the first release of the feature, coverage is provided to detect and block SQL injection attacks. The underlying model, built and trained by Talos, receives updates via the existing Lightweight Security Package (LSP) update system. These updates will include enhancements to SQL injection detection, as well as supporting new exploit types over time.
The SnortML rule
The SnortML IPS rules have the following characteristics:
- GID: 411
- Rule message: prepended with '(snort_ml)'
- Enabled by default in Maximum Detection IPS policy
The first SnortML rule introduced in release 7.6 has the following characteristics:
- GID: 411, SID: 1
- Description: "(snort_ml) potential threat found in HTTP parameters via Neural Network Based Exploit Detection (411:1:1)"
Enabling the SnortML rule
The SnortML rule is enabled by default when using the base intrusion policy Maximum Detection. If the base intrusion policy used in your configuration is other than Maximum Detection, the SnortML rule will be disabled by default. To enable it, follow the steps below:
- Log in to the FMC GUI. Navigate to Policies > Intrusion
- Click on Snort 3 Version against the Intrusion Policy you want to edit.
Note – You can read through the note About Intrusion Policies that pops up to understand the Snort 3 version of Intrusion policies. Once you are done reading, click on Dismiss.
- Under the Summary tab, click on View Effective Policy.
- In the Filter bar, type in 'GID=411' to filter the SnortML rule. Hit Enter.
Note – Explore the other options available for filtering out intrusion rules.
- Click on the drop-down menu under Rule Action and change the action from Disabled to Block.
- Once the Rule Action has been changed successfully, go back to the Summary page by clicking on Summary and verify if the number of Overridden rules has increased by one.
For the SnortML intrusion rule to work, the underlying engine has to be enabled. This is done by enabling the snort_ml inspector under Network Analysis Policy. Similar to Intrusion Policy, a Network Analysis Policy with Base Policy set as Maximum Detection has the snort_ml inspector enabled by default.
If the Base Policy is other than Maximum Detection, follow the steps below to enable the snort_ml inspector:
- Navigate to Policies > Intrusion
- Click on Network Analysis Policies.
- Click on Snort 3 Version against the Network Analysis Policy you want to edit.
- Expand the inspector snort_ml.
- Click on the edit icon to edit the configuration of the inspector.
- Modify the configuration from "enabled": false to "enabled": true.
Click anywhere outside the text box to verify the JSON format. Once you see JSON syntax ok, click on OK to save the configuration.
The Overridden Configuration will display the changes made to the inspector configuration.
- Click on Save to save the changes made to the Network Analysis Policy.
Note - Make sure to apply the modified Intrusion Policy/Maximum Detection Intrusion Policy in your Access Control policy's relevant Access Control rule. Also, apply the modified Network Analysis Policy/Maximum Detection Network Analysis Policy under the Advanced Settings of your Access Control Policy.
Viewing events generated for the SnortML rule
Unified Event Viewer
- Navigate to Analysis > Unified Events
- In the Search bar at the top type in Intrusion and select Intrusion Message.
- Type in 'snort_ml' and click on Apply.
- Intrusion events generated due to the SnortML rule will be displayed as shown in the example below.
To view the details of a particular event, click on the angle bracket on the left-most side of the event row.
Event details will pop up on the right side as below.
Scroll down through the Event Details to view further details such as the Snort rule, the URL triggering the rule, etc.
Intrusion Events
- Click on Analysis > Events under the Intrusions section.
- Click on Table View of Events to get a detailed view of the Intrusion events.
Note – Explore all the columns displayed in this view.
- Click on Edit Search to filter the events.
- Type in snort_ml against Message and click on Search.
- All the Intrusion events generated by SnortML rule will be displayed.
Using the scroll bar at the bottom, scroll to the right to view all the other columns under Intrusion events viewer.
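The same GID 411 / '(snort_ml)' message filter used in the event viewers above, done offline over alert lines, as an added example that is not code from this page, Cisco or the Snort project. The sample lines are constructed in the style of Snort's alert_fast output; their exact field layout is an assumption of the example.

```python
import re
from collections import Counter

# Constructed sample alerts (not real captures) in an alert_fast-like layout.
SAMPLE_ALERTS = """\
03/14-10:02:11.123456  [**] [411:1:1] "(snort_ml) potential threat found in HTTP parameters via Neural Network Based Exploit Detection" [**] [Priority: 3] {TCP} 198.51.100.23:51234 -> 192.0.2.10:80
03/14-10:02:12.654321  [**] [1:2000001:2] "(http_inspect) constructed placeholder rule" [**] [Priority: 3] {TCP} 198.51.100.23:51235 -> 192.0.2.10:80
03/14-10:05:40.000001  [**] [411:1:1] "(snort_ml) potential threat found in HTTP parameters via Neural Network Based Exploit Detection" [**] [Priority: 3] {TCP} 203.0.113.7:40000 -> 192.0.2.10:443
"""

SNORT_ML_GID = 411  # generator ID reserved for SnortML rules

# Field layout assumed for this example: timestamp, [gid:sid:rev], quoted
# message, priority, protocol, src:port -> dst:port.
ALERT_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'"(?P<msg>[^"]*)"\s+\[\*\*\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+'
    r'\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+'
    r'(?P<dst>[\d.]+):(?P<dport>\d+)$'
)


def parse_alert(line):
    """Return a dict for one alert line, or None if the line does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def snort_ml_events(text):
    """Keep only SnortML events: GID 411 with a '(snort_ml)' message prefix."""
    events = []
    for line in text.splitlines():
        rec = parse_alert(line)
        if rec and rec["gid"] == SNORT_ML_GID and rec["msg"].startswith("(snort_ml)"):
            events.append(rec)
    return events


def sources_by_count(events):
    """Count SnortML hits per source address, most frequent first."""
    return Counter(e["src"] for e in events).most_common()


if __name__ == "__main__":
    evs = snort_ml_events(SAMPLE_ALERTS)
    for e in evs:
        print(f'{e["ts"]} {e["gid"]}:{e["sid"]}:{e["rev"]} {e["src"]} -> {e["dst"]}:{e["dport"]}')
    print(sources_by_count(evs))
```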
Summary
SnortML uses advanced algorithms that analyze patterns and behaviors rather than relying solely on predefined signatures. By adapting to new and evolving threats, SnortML rules offer enhanced detection capabilities and quicker responses to emerging threats that traditional signature-based systems might miss.
Additional Resources
https://blog.snort.org/2024/03/talos-launching-new-machine-learning.html