Assessing the Effectiveness of Snort in Detecting Malicious URLs




Zuva, Simbarashe



Web attacks have been on the rise in recent years, and organisations are constantly searching for new and better ways to detect and block the corresponding attack vectors. Some of the prominent attributes of web attack vectors are the malicious domains used to trigger or sustain these attacks, for instance by launching phishing campaigns or by hosting command and control (C&C) infrastructure. Accurately detecting and blocking malicious domains has become increasingly difficult due to the evasive techniques attackers use to mask their activities, such as emulating legitimate network traffic to a high degree, domain generation algorithms (DGA) and fast-flux DNS. Snort, an open-source intrusion detection system, has traditionally been used to detect network intrusions through signature analysis of network traffic. Although Snort has since been upgraded to enable the detection of web attacks, its effectiveness in detecting malicious domains is questionable because of the coarse-grained nature of web attack signatures. At the same time, it is reasonable to assume that there is an implicit relation between granular attacks and the usage or occurrence of malicious domains. In this project, a platform is developed to explore and experimentally assess the ability of Snort to detect malicious domains. The proposed approach extracts useful indicators of compromise (IoC) from the granular Snort alerts triggered by web visits and leverages this information to establish whether the corresponding URLs are benign or malicious. The platform was built around a headless Chrome browser and the pfSense open-source firewall, which has a built-in Snort engine.
The experimental evaluation, conducted using a public dataset of benign and malicious domains, yielded important insights into the strengths and limitations of Snort in detecting malicious domains, and helped identify directions for future improvements.
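The pipeline the abstract describes (browser visits a domain, pfSense/Snort raises granular alerts, alerts are turned into per-domain IoCs and a benign/malicious verdict, and the verdicts are scored against labelled ground truth) can be sketched end to end in a few dozen lines. The following is an added illustration written for this page, not code from the project or its platform. It assumes Snort's "fast" alert output format; the alert lines, the rule SIDs (1000001 to 1000003), the domain-to-IP visit map and the ground-truth labels are all constructed placeholders, and the classification thresholds are arbitrary choices made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample alerts in Snort "fast" output format. SIDs 1000001-1000003
# and the messages are placeholders for illustration, not real ruleset entries.
SAMPLE_ALERTS = """\
03/15-14:22:31.118245  [**] [1:1000001:3] EXAMPLE POLICY executable download over HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 198.51.100.7:80 -> 192.0.2.10:51234
03/15-14:22:31.904112  [**] [1:1000002:1] EXAMPLE TROJAN known C2 check-in pattern [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.10:51234 -> 198.51.100.7:80
03/15-14:25:02.554310  [**] [1:1000003:2] EXAMPLE INFO HTTP request to IP without Host header [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:51302 -> 203.0.113.9:80
03/15-14:30:45.000120  [**] [1:1000003:2] EXAMPLE INFO HTTP request to IP without Host header [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:51410 -> 203.0.113.44:80
"""

# Constructed visit log from the headless browser: visited domain -> resolved server IP.
SAMPLE_VISITS: Dict[str, str] = {
    "bad-example.test": "198.51.100.7",
    "cdn-example.test": "203.0.113.9",
    "benign-example.test": "203.0.113.44",
    "quiet-example.test": "203.0.113.100",
}

# Constructed ground truth, as a public labelled dataset would provide it.
SAMPLE_TRUTH: Dict[str, bool] = {
    "bad-example.test": True,      # malicious
    "cdn-example.test": True,      # malicious, but only trips a low-priority informational rule
    "benign-example.test": False,
    "quiet-example.test": False,
}

# One fast-format line: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+\s*$"
)


@dataclass
class Alert:
    timestamp: str
    sid: int
    msg: str
    classification: str
    priority: int
    src: str
    dst: str


@dataclass
class DomainIoC:
    """Indicators extracted for one visited domain from the alerts it triggered."""
    domain: str
    ip: str
    alert_count: int = 0
    sids: Set[int] = field(default_factory=set)
    min_priority: Optional[int] = None   # Snort priority 1 is the most severe
    messages: List[str] = field(default_factory=list)


def parse_fast_alerts(text: str) -> List[Alert]:
    """Parse fast-format alert lines; lines that do not match (truncated, other formats) are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(Alert(m["ts"], int(m["sid"]), m["msg"], m["cls"] or "",
                                int(m["prio"]), m["src"], m["dst"]))
    return alerts


def correlate(alerts: List[Alert], visits: Dict[str, str]) -> Dict[str, DomainIoC]:
    """Attribute each alert to the visited domain whose server IP appears as source or destination."""
    ip_to_domain = {ip: d for d, ip in visits.items()}
    summary = {d: DomainIoC(d, ip) for d, ip in visits.items()}
    for a in alerts:
        for endpoint in (a.src, a.dst):          # rules fire in either direction
            domain = ip_to_domain.get(endpoint)
            if domain:
                ioc = summary[domain]
                ioc.alert_count += 1
                ioc.sids.add(a.sid)
                ioc.messages.append(a.msg)
                ioc.min_priority = a.priority if ioc.min_priority is None else min(ioc.min_priority, a.priority)
                break
    return summary


def classify(ioc: DomainIoC, high_priority: int = 1, min_alerts: int = 2) -> str:
    """Arbitrary example policy: any high-priority alert -> malicious; several low ones -> suspicious."""
    if ioc.alert_count == 0:
        return "benign"        # absence of alerts is absence of evidence, not proof of safety
    if ioc.min_priority is not None and ioc.min_priority <= high_priority:
        return "malicious"
    if ioc.alert_count >= min_alerts:
        return "suspicious"
    return "benign"


def evaluate(verdicts: Dict[str, str], truth: Dict[str, bool]) -> Dict[str, float]:
    """Score verdicts against labels; 'suspicious' counts as flagged."""
    tp = fp = tn = fn = 0
    for domain, is_malicious in truth.items():
        flagged = verdicts[domain] != "benign"
        if flagged and is_malicious: tp += 1
        elif flagged: fp += 1
        elif is_malicious: fn += 1
        else: tn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "tn": tn, "fn": fn, "precision": precision, "recall": recall}


def run_example():
    summary = correlate(parse_fast_alerts(SAMPLE_ALERTS), SAMPLE_VISITS)
    verdicts = {d: classify(ioc) for d, ioc in summary.items()}
    return verdicts, evaluate(verdicts, SAMPLE_TRUTH)


if __name__ == "__main__":
    verdicts, metrics = run_example()
    for d, v in verdicts.items():
        print(f"{d:22s} {v}")
    print(metrics)
```

On the constructed data the domain that only triggers an informational, priority-3 rule is missed (one false negative, recall 0.5 at precision 1.0), which is exactly the coarse-grained-signature limitation the abstract raises: the verdict can only be as fine-grained as the rules that fire, so tuning `min_alerts` and the priority threshold trades precision against recall.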



Malicious domain, Legitimate domain, Intrusion Detection, Snort, pfSense, Wireshark, Snort Alerts