New Use Cases for Snort: Cloud and Mobile Environments
First, this case study explores an intrusion detection system package called Snort (provided by Cisco Systems) in a cloud environment. Snort is an open-source, highly scalable, signature-based intrusion detection system. Here, Snort is deployed on Ubuntu Server 16.04 running on a virtual machine within a Microsoft Azure cloud system. This paper provides details on installing Snort on the virtual machine and configuring it for intrusion detection. The architecture here is based on a VM-integrated IDS on Azure and demonstrates how a VM instance in the cloud can be secured through an IDS. Firewalls may be considered the first line of defense, but they fail to secure systems from inside attacks. Next, two other areas where Snort is less widely used, namely library systems and mobile devices, are briefly explored. Finally, this paper makes further recommendations on how a cloud network can be secured by distributed placement of the IDS and on each VM instance.
💡 Research Summary
The paper presents a practical case study of deploying the open‑source intrusion detection system Snort within a cloud environment and explores its potential in two less‑common domains: library information systems and mobile devices. After a brief introduction to cloud computing models (SaaS, PaaS, IaaS) and the inherent confidentiality, integrity, and availability (CIA) risks, the authors argue that traditional firewalls, while effective against external threats, cannot detect insider attacks. Consequently, they propose Snort, a signature‑based NIDS, as a complementary security layer.
The authors first describe Snort’s internal architecture, consisting of a packet decoder, preprocessors, a detection engine, a logging/alerting subsystem, and an output module. They then adopt a virtual‑machine‑integrated IDS model from prior work, which separates an IDS management unit (responsible for event collection, storage, and analysis) from IDS sensors embedded in each VM. This model is intended to provide visibility into intra‑cloud traffic.
Implementation details focus on Microsoft Azure. An Ubuntu Server 16.04 LTS virtual machine is provisioned using a free trial. The installation workflow includes: (1) installing build-essential and required libraries (libpcap-dev, libpcre3-dev, libdumbnet-dev, bison, flex); (2) compiling the Data Acquisition (DAQ) library from source; (3) downloading and compiling Snort 2.9.9.0 with the --enable-sourcefire flag to enable packet-performance monitoring; (4) configuring shared libraries via ldconfig and creating a symlink to /usr/sbin/snort.
Configuration steps involve manually creating the /etc/snort directory hierarchy (rules, iplists, preproc_rules, so_rules), setting appropriate permissions (5775), and populating the main configuration file snort.conf. The authors define HOME_NET as 10.0.0.4/24 and EXTERNAL_NET as “any”, and they add a simple local.rules file containing signatures that trigger alerts on ICMP ping, FTP, and Telnet attempts. Validation is performed with “snort -A console -c /etc/snort/snort.conf -i eth0”, confirming that alerts appear on the console. The paper also demonstrates Snort’s sniffer mode (-v) for raw packet capture.
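The configuration steps above (directory hierarchy, 5775 permissions, HOME_NET/EXTERNAL_NET variables, and a local.rules with ICMP, FTP and Telnet signatures) as a rehearsable shell script. This is an added example, not the paper's own script or Cisco's code: it roots the layout at a prefix of your choice (defaulting to a temporary directory) so the structure can be checked before it is written to /etc/snort, and it assumes Snort 2.9.9.0 has already been built and installed at /usr/sbin/snort as described in the installation workflow. The rule messages and SIDs are constructed values; the 10000001+ SID range is simply one that avoids clashing with community rules.

```shell
#!/bin/sh
# Added example (not from the paper): reproduces the Snort 2.9 directory
# layout, permissions and local.rules described above, rooted at $SNORT_PREFIX
# so it can be rehearsed without touching /etc/snort.
# Assumed: Snort is already built and on PATH as /usr/sbin/snort.

# Directory hierarchy from the paper, relative to the prefix.
SNORT_DIRS="rules iplists preproc_rules so_rules"

# Network variables used in the paper's Azure testbed.
HOME_NET="10.0.0.4/24"
EXTERNAL_NET="any"

# create_snort_layout ROOT: create the directories with mode 5775 and the
# empty list files that the stock snort.conf expects to find.
create_snort_layout() {
    root="$1"
    for d in $SNORT_DIRS; do
        mkdir -p "$root/$d"
    done
    : > "$root/rules/white_list.rules"
    : > "$root/rules/black_list.rules"
    # 5775 (setuid + setgid-style group sharing + sticky) on the directories only
    find "$root" -type d -exec chmod 5775 {} +
}

# write_local_rules ROOT: the three signatures the paper's local.rules
# contains (ICMP ping, FTP on tcp/21, Telnet on tcp/23). Messages/SIDs are
# constructed; SIDs above 1000000 are reserved for locally written rules.
write_local_rules() {
    cat > "$1/rules/local.rules" <<EOF
# local.rules: constructed example signatures (not the paper's exact file)
alert icmp any any -> \$HOME_NET any (msg:"ICMP ping detected"; sid:10000001; rev:1;)
alert tcp any any -> \$HOME_NET 21 (msg:"FTP connection attempt"; sid:10000002; rev:1;)
alert tcp any any -> \$HOME_NET 23 (msg:"Telnet connection attempt"; sid:10000003; rev:1;)
EOF
}

# write_snort_conf_vars ROOT: the network variables and rule include that the
# paper sets in snort.conf, written here as a minimal config rather than by
# editing the stock file. HOME_NET/EXTERNAL_NET are expanded now; the
# \$RULE_PATH reference is left for Snort to resolve.
write_snort_conf_vars() {
    cat > "$1/snort.conf" <<EOF
ipvar HOME_NET $HOME_NET
ipvar EXTERNAL_NET $EXTERNAL_NET
var RULE_PATH $1/rules
var WHITE_LIST_PATH $1/rules
var BLACK_LIST_PATH $1/rules
include \$RULE_PATH/local.rules
EOF
}

# count_local_rules ROOT: number of active (non-comment) rules; a cheap
# sanity check before handing the config to Snort.
count_local_rules() {
    grep -c '^alert' "$1/rules/local.rules"
}

# validate_with_snort ROOT: Snort's configuration self-test (-T). Only
# meaningful where snort is installed, so it is skipped otherwise.
validate_with_snort() {
    if command -v snort >/dev/null 2>&1; then
        snort -T -c "$1/snort.conf"
    else
        echo "snort not installed; skipping -T self-test" >&2
    fi
}

prefix="${SNORT_PREFIX:-$(mktemp -d)}"
create_snort_layout "$prefix"
write_local_rules "$prefix"
write_snort_conf_vars "$prefix"
echo "layout written under $prefix with $(count_local_rules "$prefix") local rules"
validate_with_snort "$prefix"
```

Run it as `SNORT_PREFIX=/etc/snort sh snort-layout.sh` on the Azure VM once Snort is installed; the `-T` self-test parses the config without sniffing, and the paper's own command, `snort -A console -c /etc/snort/snort.conf -i eth0`, then runs it live and prints the ICMP/FTP/Telnet alerts to the console.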
In the discussion, the authors highlight Snort’s strengths: high configurability, low computational overhead, extensibility via plugins, and a robust community that provides frequent rule updates (manually or via the Pulled Pork tool). They report that, in their Azure testbed, Snort successfully identified TCP and Telnet traffic and generated the expected alerts.
Beyond the cloud, the paper proposes two novel use cases. First, in library information systems that employ EZproxy for off‑campus access, Snort could monitor proxy traffic for anomalous authentication patterns, offering a new layer of protection for academic resources. Second, although Snort has seen limited adoption on mobile platforms due to perceived resource constraints, the authors note early efforts such as Swinedroid (an Android client that forwards alerts to a remote server) and suggest that the open nature of Android could enable more sophisticated IDS clients. They cite recent research on securing location‑based services by deploying Snort rules on both server and client sides.
The conclusion stresses that deploying Snort on a single VM protects that host but does not provide network‑wide visibility. To detect both internal and external threats in a cloud, a distributed IDS architecture—either a central IDS monitoring all traffic or an IDS instance on each VM—is required. The authors recommend integrating Snort with relational databases (MySQL, Oracle) for centralized logging and analysis, automating rule updates, and leveraging dynamic preprocessors for advanced detection. As cloud adoption continues to rise, lightweight, highly configurable IDS solutions like Snort are poised to become essential components of cloud security strategies.