
In March 2024, we introduced SnortML, an innovative machine learning engine for the Snort intrusion prevention (IPS) system. SnortML was developed to tackle the limitations of static signature-based methods by proactively identifying exploits as they evolve rather than reacting to newly discovered exploits. After its release, we’ve continued to invest in this capability to help customers act on global threat data fast enough to stop rapidly spreading threats.

At the end of 2020, the list of Common Vulnerabilities and Exposures (CVEs) stood at 18,375. By 2024, that number had skyrocketed to over 40,000. While traditional intrusion prevention systems relying on static signatures are effective against known threats, they often struggle to detect new or evolving exploits.

SnortML addresses these challenges with state-of-the-art neural network algorithms while ensuring complete data privacy: the machine-learning engine runs entirely on the firewall hardware, so every packet stays within the network perimeter. Decisions are computed locally in real time, without sending data to the cloud or exposing it to third-party analytics. This approach satisfies strict data-residency, privacy, and compliance requirements, especially for critical infrastructure and sensitive environments.

This is why our engineers at Cisco Talos developed SnortML. Leveraging deep neural networks trained on extensive datasets, SnortML identifies patterns associated with exploit attempts, even those it hasn’t encountered before. When we launched SnortML, we started with protection for SQL Injection, one of the most common and impactful attack vectors.

Cross-Site Scripting (XSS) is a pervasive web vulnerability that allows attackers to inject malicious client-side scripts into web pages. These scripts execute in the victim’s browser, enabling attackers to compromise user data, hijack sessions, or deface websites, leading to significant security risks.

This can occur in two primary ways. In Stored XSS, malicious JavaScript is sent to a vulnerable web application and stored on the server; it is later delivered and executed when a user accesses content containing it. In Reflected XSS, an attacker crafts a malicious script, often in a link, which, when clicked, is “reflected” by the web application back to the victim’s browser for immediate execution without ever being stored on the server.

In both cases, the malicious XSS payload typically appears in the HTTP request query or body. SnortML blocks malicious XSS scripts sent for storage on a vulnerable server (Stored XSS). It also blocks requests from malicious links intended to reflect a script back at a victim (Reflected XSS), so the malicious response is never generated. By scanning HTTP request queries and bodies, SnortML effectively addresses all XSS threats.
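To make the point above concrete, here is an added example (not SnortML code or its model) of the request-side extraction a detector needs: parameters are pulled from both the URL query of a GET (where a reflected payload travels) and the form-encoded body of a POST (where a stored payload travels), URL- and HTML-entity-decoded, and then checked. The classifier is stood in for by a small hand-written heuristic; the sample requests, host name and payloads are constructed, with only the `formatCaseNumber` parameter name taken from this post.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests (not real traffic). The first mimics a reflected
# XSS attempt in a GET query string; the second a stored XSS attempt submitted
# in a form-encoded POST body with an HTML-entity-obfuscated handler.
REFLECTED_GET = (
    "GET /search?formatCaseNumber=%3Cscript%3Ealert(1)%3C%2Fscript%3E&x=1 HTTP/1.1\r\n"
    "Host: example.invalid\r\n\r\n"
)
STORED_POST = (
    "POST /comment HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "author=bob&text=%3Cimg+src%3Dx+onerror%3D%26%2397%3Blert(1)%3E"
)
BENIGN_GET = (
    "GET /search?formatCaseNumber=2024-CR-000123 HTTP/1.1\r\n"
    "Host: example.invalid\r\n\r\n"
)

# Hand-written stand-in for a trained model: markers that belong to HTML/JS
# context and have no business in a case-number field.
XSS_MARKERS = re.compile(
    r"<\s*script|javascript\s*:|\bon[a-z]+\s*=|<\s*(img|svg|iframe)\b", re.I
)

def extract_params(raw: str) -> dict:
    """Collect every parameter from the URL query and a form-encoded body."""
    head, _, body = raw.partition("\r\n\r\n")
    target = head.split("\r\n")[0].split(" ")[1]
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if "application/x-www-form-urlencoded" in head.lower():
        for name, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    return params

def flagged_params(raw: str) -> dict:
    """Map parameter name -> decoded value for every value that looks like XSS.

    parse_qs already URL-decodes once; html.unescape then removes entity
    encoding so '&#97;lert' and 'alert' are seen identically by the check.
    """
    hits = {}
    for name, values in extract_params(raw).items():
        for value in values:
            decoded = html.unescape(value)
            if XSS_MARKERS.search(decoded):
                hits[name] = decoded
    return hits
```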

Let’s dive into an example to illustrate how SnortML stops XSS attacks in real time. In this case, we’ll use CVE-2024-25327, a recently disclosed Cross-Site Scripting (XSS) vulnerability found in Justice Systems FullCourt Enterprise v.8.2. This particular CVE allows a remote attacker to execute arbitrary code by injecting malicious scripts through the formatCaseNumber parameter within the application’s Citation search function. For our demonstration, no static signature has been created or enabled for this CVE yet.

The screenshot below, taken from the Cisco Secure Firewall Management Center (FMC), clearly illustrates SnortML in action. It shows the malicious input targeting the formatCaseNumber parameter. SnortML’s machine learning engine immediately identified the anomalous behavior characteristic of an XSS exploit, even though this specific CVE (CVE-2024-25327) had no static signature. The FMC log confirms that SnortML detected and blocked the attack in real time, preventing the malicious script from ever reaching the target application.

Fig. 1: FMC event log showing the XSS attack blocked by SnortML

SnortML is transforming the landscape of exploit detection and prevention. First with SQL Injection protection, and now with the recent additions of Command Injection and XSS protection, SnortML continues to strengthen its defenses against today’s most critical threats. And this is just the beginning.

Coming soon, SnortML will feature a fast pattern engine and a least recently used (LRU) cache, dramatically increasing threat detection speed and efficiency. These enhancements will pave the way for even broader exploit detection capabilities.

Stay tuned for more updates as we continue to advance SnortML and deliver even greater security innovations.

Check out the Cisco Talos video explaining how SnortML uses machine learning to stop zero-day attacks.

Want to dive deeper into Cisco firewalls? Sign up for the Cisco Secure Firewall Test Drive, an instructor-led, four-hour hands-on course where you’ll experience the Cisco firewall technology in action and learn about the latest security challenges and attacker techniques.


Authors

Marc Mastrangelo

Engineering Product Management Leader

Security Business Group

Muhammad Irshad

Leader, Security Research

Security Business Group (SBG)