Sourcefire Vulnerability Research Team Labs

VRT NRT

Near Real-Time Detection (NRT) is an undertaking by the Sourcefire VRT.

Download: snort-nrt.tar.gz

The Presentation: sfvrt-nrt.pdf

The Reason: Today's client-side attacks give the attacker a wealth of ways to obfuscate, evade, and hide their methods. Adobe PDF, Flash, Microsoft Office documents, and JavaScript demand a very deep understanding of the file format, of how it is interpreted in the browser, and of the byte-code paths some of these formats can generate. Handling these attacks effectively means processing a file multiple times to deal with compression, obfuscation, program execution, and so on, which requires a new type of inspection system. NRT provides this deep file-format understanding and inspection.

Near Real-Time Detection (NRT) is the result of extensive research into detecting attacks hidden inside numerous layers of compression, obfuscation, and evasion across multiple file formats. In its current, early form NRT operates with the Snort detection engine; future versions will not depend on any one IPS to obtain data from network traffic. NRT addresses the file-format parsing problem by separating selected file types from the transmitted data and passing them to additional detection engines on the local system or on distributed remote systems. The intention is for the system to be extensible rather than merely a Snort plugin.

While network forensic products and toolkits claim to cover this space already, we have found them in limited use in the industry, because they go far too deep for most consumers to understand and use. With NRT we wanted to bridge the gap between forensics and IPS: it gives the security analyst data that can be acted on immediately, without spending hours, and sometimes days, analyzing suspicious files. Full information on every potentially malicious condition the NRT system detects is saved alongside the offending file.

The NRT detection engines report alerting information back to Snort, so Snort generates event data that users will immediately recognize. They also provide NRT-specific alert mechanisms that make larger blocks of data and information available to the end user.

NRT also extends easily to detecting known files that traverse the network. For example, it can detect a file taken from a file server and sent out of the private network, alerting security staff to a possible data leak.

Future development plans include automatic detection-rule updates that an IPS deployment such as Snort can use to protect the private network, along with further enhancements aimed at data leak prevention. The system will also use templates to describe file types and a simple rule language to detect attacks.
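The pipeline sketched above (carve a file out of a session, identify it from a file-type template, peel it layer by layer so rules can run over the decoded content, keep the matched bytes alongside the file for the analyst, and hash-check the file against a known-file list for the data-leak case) can be shown end to end in a short script. The following is an added illustration written for this page in Python; it is not the VRT's NRT code and says nothing about how snort-nrt.tar.gz is built. Every name in it (TEMPLATES, RULES, FLATE_RE, peel, inspect, the sample HTTP sessions and the "known file") is an assumption constructed for the example, and the PDF handling is deliberately minimal: it reads only direct /Length values, treats inflated streams as script text, and decodes JavaScript unescape() literals as a further layer. The point it makes is that the util.printf rule fires only at the third layer, after inflation and unescaping, which is exactly the multi-pass processing the text describes.

```python
"""Toy NRT-style inspection: carve a file from a session, peel its layers, run rules over
each layer, and hash-check it against known files. Added illustration, not the VRT's code."""
import hashlib
import re
import zlib

MAX_INFLATE = 1 << 20  # cap output per stream so a decompression bomb cannot exhaust memory
MAX_DEPTH = 4          # cap nested decoding

# Templates (magic bytes -> type) and rules (name, layer type, pattern): assumed shapes, not NRT's.
TEMPLATES = [(b"%PDF-", "pdf"), (b"PK\x03\x04", "zip"), (b"\xd0\xcf\x11\xe0", "ole"),
             (b"FWS", "swf"), (b"CWS", "swf")]
RULES = [
    ("pdf-openaction-javascript", "pdf", re.compile(rb"/OpenAction\b.*?/JS\b", re.S)),
    ("js-eval-unescape", "js", re.compile(rb"eval\s*\(\s*unescape\s*\(")),
    ("js-heap-spray-sled", "js", re.compile(rb"(?:%u0c0c){4,}")),
    ("js-util-printf-oversized-width", "js", re.compile(rb"util\.printf\s*\(\s*[\"']%\d{4,}")),
]
# Stream dictionary with a direct /Length and a FlateDecode filter (indirect lengths not handled).
FLATE_RE = re.compile(rb"<<[^>]*?/Length\s+(\d+)[^>]*?/FlateDecode[^>]*?>>\s*stream\r?\n")
UNESCAPE_RE = re.compile(rb"unescape\s*\(\s*[\"']([^\"']*)[\"']")
ESC_RE = re.compile(rb"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")

# Constructed sample traffic (not real captures): a booby-trapped PDF download and an upload
# of a file whose hash is on the known-file list.
PAYLOAD = b'util.printf("%45000f", 1);'  # oversized width spec, a well-known Reader JS exploit shape
JS = (b'var sled = unescape("%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c");'
      b'eval(unescape("' + b"".join(b"%%%02x" % c for c in PAYLOAD) + b'"));')
STREAM = zlib.compress(JS)
STREAM_OBJ = (b"3 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(STREAM)
              + STREAM + b"\nendstream\nendobj\n")
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n" + STREAM_OBJ + b"%%EOF\n")
SAMPLE_DOWNLOAD = b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n\r\n" + SAMPLE_PDF
SECRET = b"employee,salary\nalice,120000\nbob,95000\n"
KNOWN_FILES = {hashlib.sha256(SECRET).hexdigest(): "fileserver/hr/payroll.csv"}
SAMPLE_UPLOAD = b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n\r\n" + SECRET

def identify(data):
    """Match the file's leading bytes against the templates."""
    for magic, name in TEMPLATES:
        if data.startswith(magic):
            return name
    return None

def carve_http_body(session):
    """Return the HTTP message body (the transferred file) after the header terminator."""
    sep = session.find(b"\r\n\r\n")
    return session[sep + 4:] if sep != -1 else b""

def js_unescape(literal):
    """Decode JavaScript %XX / %uXXXX escapes; %uXXXX becomes a little-endian code unit."""
    def one(m):
        if m.group(1):
            return int(m.group(1), 16).to_bytes(2, "little")
        return bytes([int(m.group(2), 16)])
    return ESC_RE.sub(one, literal)

def peel(data, ftype, alerts, depth=0):
    """Yield (depth, type, bytes) for the file and every decoded layer beneath it."""
    yield depth, ftype, data
    if depth >= MAX_DEPTH:
        return
    if ftype == "pdf":
        for m in FLATE_RE.finditer(data):
            raw = data[m.end():m.end() + int(m.group(1))]
            d = zlib.decompressobj()
            try:
                out = d.decompress(raw, MAX_INFLATE)
            except zlib.error:
                continue
            if d.unconsumed_tail:  # still inflating past the cap: suspicious in itself
                alerts.append({"rule": "inflate-output-capped", "depth": depth + 1, "context": raw[:16]})
            # Inflated streams are treated as script-like text for rule matching (simplification).
            yield from peel(out, "js", alerts, depth + 1)
    elif ftype == "js":
        for m in UNESCAPE_RE.finditer(data):
            yield from peel(js_unescape(m.group(1)), "js", alerts, depth + 1)

def inspect(session, known_files=KNOWN_FILES):
    """Inspect one HTTP session; return the carved file's type, hash and every alert with context."""
    body = carve_http_body(session)
    ftype = identify(body)
    digest = hashlib.sha256(body).hexdigest()
    alerts = []
    if digest in known_files:  # known-file detection is type-independent (the data-leak case)
        alerts.append({"rule": "known-file-egress", "depth": 0, "context": known_files[digest].encode()})
    for depth, ltype, blob in peel(body, ftype, alerts):
        for name, rtype, pat in RULES:
            m = pat.search(blob) if rtype == ltype else None
            if m:  # keep the matched bytes so the analyst sees evidence, not just a rule name
                alerts.append({"rule": name, "depth": depth, "context": blob[max(0, m.start() - 16):m.end() + 16]})
    return {"file_type": ftype, "sha256": digest, "size": len(body), "alerts": alerts}

if __name__ == "__main__":
    for label, session in (("download", SAMPLE_DOWNLOAD), ("upload", SAMPLE_UPLOAD)):
        report = inspect(session)
        print(label, report["file_type"], report["sha256"][:12], report["size"])
        for a in report["alerts"]:
            print("  depth=%d %-32s %r" % (a["depth"], a["rule"], a["context"]))
```

Two design points carry over to a real deployment. First, inflation is capped per stream and a capped stream is itself reported, because a file-inspection engine that sits behind an IPS is an obvious target for decompression bombs. Second, each alert carries the matched bytes and the layer depth at which they were found, which is the "full information saved alongside the offending file" that separates an actionable NRT event from a bare rule name.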


About the Sourcefire Vulnerability Research Team

The Sourcefire Vulnerability Research Team (VRT) is a group of leading-edge intrusion detection and prevention experts working to discover, assess, and respond to the latest trends in hacking activity, intrusion attempts, and vulnerabilities. The team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in the network security industry.

All materials contained on this site © Sourcefire VRT