
Intrusion Detection Tool: Snort

What is Snort?

Snort is an open source network intrusion detection system (IDS), which can also run inline as an intrusion prevention system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.

Installation

Install from source
Find the appropriate source tarball for your operating system and install. Note that the commands below build only DAQ, the Data Acquisition library Snort uses for packet capture; Snort itself is built from its own source tarball with the same configure/make steps.

wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz  
tar xvfz daq-2.0.6.tar.gz  

cd daq-2.0.6  
./configure && make && sudo make install  

On Ubuntu/Debian:

sudo apt-get install snort  

Usage

USAGE: snort [-options] <filter options>
Options:
        -A         Set alert mode: fast, full, console, test or none  (alert file alerts only)
                   "unsock" enables UNIX socket logging (experimental).
        -b         Log packets in tcpdump format (much faster!)
        -B <mask>  Obfuscated IP addresses in alerts and packet dumps using CIDR mask
        -c <rules> Use Rules File <rules>
        -C         Print out payloads with character data only (no hex)
        -d         Dump the Application Layer
        -D         Run Snort in background (daemon) mode
        -e         Display the second layer header info
        -f         Turn off fflush() calls after binary log writes
        -F <bpf>   Read BPF filters from file <bpf>
        -g <gname> Run snort gid as <gname> group (or gid) after initialization
        -G <0xid>  Log Identifier (to uniquely id events for multiple snorts)
        -h <hn>    Set home network = <hn>
                   (for use with -l or -B, does NOT change $HOME_NET in IDS mode)
        -H         Make hash tables deterministic.
        -i <if>    Listen on interface <if>
        -I         Add Interface name to alert output
        -k <mode>  Checksum mode (all,noip,notcp,noudp,noicmp,none)
        -K <mode>  Logging mode (pcap[default],ascii,none)
        -l <ld>    Log to directory <ld>
        -L <file>  Log to this tcpdump file
        -M         Log messages to syslog (not alerts)
        -m <umask> Set umask = <umask>
        -n <cnt>   Exit after receiving <cnt> packets
        -N         Turn off logging (alerts still work)
        -O         Obfuscate the logged IP addresses
        -p         Disable promiscuous mode sniffing
        -P <snap>  Set explicit snaplen of packet (default: 1514)
        -q         Quiet. Don't show banner and status report
        -Q         Enable inline mode operation.
        -r <tf>    Read and process tcpdump file <tf>
        -R <id>    Include 'id' in snort_intf<id>.pid file name
        -s         Log alert messages to syslog
        -S <n=v>   Set rules file variable n equal to value v
        -t <dir>   Chroots process to <dir> after initialization
        -T         Test and report on the current Snort configuration
        -u <uname> Run snort uid as <uname> user (or uid) after initialization
        -U         Use UTC for timestamps
        -v         Be verbose
        -V         Show version number
        -X         Dump the raw packet data starting at the link layer
        -x         Exit if Snort configuration problems occur
        -y         Include year in timestamp in the alert and log files
        -Z <file>  Set the performonitor preprocessor file path and name
        -?         Show this information
<Filter Options> are standard BPF options, as seen in TCPDump
Longname options and their corresponding single char version
   --logid <0xid>                  Same as -G
   --perfmon-file <file>           Same as -Z
   --pid-path <dir>                Specify the directory for the Snort PID file
   --snaplen <snap>                Same as -P
   --help                          Same as -?
   --version                       Same as -V
   --alert-before-pass             Process alert, drop, sdrop, or reject before pass, default is pass before alert, drop,...
   --treat-drop-as-alert           Converts drop, sdrop, and reject rules into alert rules during startup
   --treat-drop-as-ignore          Use drop, sdrop, and reject rules to ignore session traffic when not inline.
   --process-all-events            Process all queued events (drop, alert,...), default stops after 1st action group
   --enable-inline-test            Enable Inline-Test Mode Operation
   --dynamic-engine-lib <file>     Load a dynamic detection engine
   --dynamic-engine-lib-dir <path> Load all dynamic engines from directory
   --dynamic-detection-lib <file>  Load a dynamic rules library
   --dynamic-detection-lib-dir <path> Load all dynamic rules libraries from directory
   --dump-dynamic-rules <path>     Creates stub rule files of all loaded rules libraries
   --dynamic-preprocessor-lib <file>  Load a dynamic preprocessor library
   --dynamic-preprocessor-lib-dir <path> Load all dynamic preprocessor libraries from directory
   --dynamic-output-lib <file>  Load a dynamic output library
   --dynamic-output-lib-dir <path> Load all dynamic output libraries from directory
   --create-pidfile                Create PID file, even when not in Daemon mode
   --nolock-pidfile                Do not try to lock Snort PID file
   --no-interface-pidfile          Do not include the interface name in Snort PID file
   --disable-attribute-reload-thread Do not create a thread to reload the attribute table
   --pcap-single <tf>              Same as -r.
   --pcap-file <file>              file that contains a list of pcaps to read - read mode is implied.
   --pcap-list "<list>"            a space separated list of pcaps to read - read mode is implied.
   --pcap-dir <dir>                a directory to recurse to look for pcaps - read mode is implied.
   --pcap-filter <filter>          filter to apply when getting pcaps from file or directory.
   --pcap-no-filter                reset to use no filter when getting pcaps from file or directory.
   --pcap-loop <count>             this option will read the pcaps specified on command line continuously.
                                   for <count> times.  A value of 0 will read until Snort is terminated.
   --pcap-reset                    if reading multiple pcaps, reset snort to post-configuration state before reading next pcap.
   --pcap-reload                   if reading multiple pcaps, reload snort config between pcaps.
   --pcap-show                     print a line saying what pcap is currently being read.
   --exit-check <count>            Signal termination after <count> callbacks from DAQ_Acquire(), showing the time it
                                   takes from signaling until DAQ_Stop() is called.
   --conf-error-out                Same as -x
   --enable-mpls-multicast         Allow multicast MPLS
   --enable-mpls-overlapping-ip    Handle overlapping IPs within MPLS clouds
   --max-mpls-labelchain-len       Specify the max MPLS label chain
   --mpls-payload-type             Specify the protocol (ipv4, ipv6, ethernet) that is encapsulated by MPLS
   --require-rule-sid              Require that all snort rules have SID specified.
   --daq <type>                    Select packet acquisition module (default is pcap).
   --daq-mode <mode>               Select the DAQ operating mode.
   --daq-var <name=value>          Specify extra DAQ configuration variable.
   --daq-dir <dir>                 Tell snort where to find desired DAQ.
   --daq-list[=<dir>]              List packet acquisition modules available in dir.  Default is static modules only.
   --dirty-pig                     Don't flush packets and release memory on shutdown.
   --cs-dir <dir>                  Directory to use for control socket.
   --ha-peer                       Activate live high-availability state sharing with peer.
   --ha-out <file>                 Write high-availability events to this file.
   --ha-in <file>                  Read high-availability events from this file on startup (warm-start).
   --suppress-config-log           Suppress configuration information output.

Features

Snort can be configured to run in three modes:

  • Sniffer mode, which simply reads the packets off the network and displays them for you in a continuous stream on the console (screen).
    For example, if you want to print out TCP/IP packet headers to the screen, try this:

snort -v  

If you want to see the application data in transit, try the following:

snort -vd  

  • Packet Logger mode, which logs the packets to disk.

To record the packets to disk, you need to specify a logging directory and Snort will automatically know to go into packet logger mode:

snort -dev -l ./log  

Other logging options:

snort -dev -l ./log -h 192.168.1.0/24  
# Log relative to the home network  
snort -l ./log -b  
# Binary (tcpdump-format) logs  

  • Network Intrusion Detection System (NIDS) mode, which performs detection and analysis on network traffic. This is the most complex and configurable mode.

To enable NIDS mode so that you don't record every single packet sent down the wire, try this:

snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf  

where snort.conf is the name of your configuration file (by default in /etc/snort/). This applies the rules configured in snort.conf to each packet to decide whether the action given by the rule type should be taken. If you don't specify an output directory for the program, it defaults to /var/log/snort.

There are many more options to try, but this is enough to start.

Snort rules

  • Snort's rule engine enables custom rules to meet the needs of the network.
  • Snort rules help in differentiating between normal internet activities and malicious activities.
  • Snort rules must be contained on a single line; the Snort rule parser does not handle rules that span multiple lines.
  • Snort rules come in two logical parts:
    Rule header: identifies the rule's action (alert, log, pass, activate, dynamic, etc.), the protocol, and the source and destination addresses, ports and direction.
    Rule options: the part in parentheses, which identifies the rule's alert message and the conditions a packet must match.

A real example rule, detecting a denial-of-service (Jolt) attack:

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Jolt attack"; dsize:408; fragbits:M; reference:cve,1999-0345; classtype:attempted-dos; sid:268; rev:4;)  
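As an added example (not code from the post or the Snort project), a small Python parser that splits a rule into the header fields and option list described above, enforcing the single-line constraint and keeping a ';' inside a quoted msg intact. It is run over the two rules quoted on this page (the Jolt rule and the ping rule used in the demo below), embedded as constructed sample input.

```python
import re

# Constructed sample input: the two rules quoted in this post.
SAMPLE_RULES = [
    'alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Jolt attack"; dsize:408; '
    'fragbits:M; reference:cve,1999-0345; classtype:attempted-dos; sid:268; rev:4;)',
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"You\'re being pinged!"; '
    'gid:1; sid:10000001; classtype:icmp-event;)',
]
HEADER_FIELDS = ("action", "proto", "src", "sport", "direction", "dst", "dport")
# Header: action proto src sport direction dst dport, then the option body in ( ).
RULE_RE = re.compile(r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)")

def split_options(body):
    """Split the option body on ';' except inside double quotes. Returns
    (keyword, value) pairs as a list, since content/reference may repeat."""
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            token = "".join(cur).strip()
            if token:
                key, _, val = token.partition(":")
                opts.append((key.strip(), val.strip().strip('"')))
            cur = []
        else:
            cur.append(ch)
    if in_quote or "".join(cur).strip():
        raise ValueError("malformed options: unterminated quote or missing ';'")
    return opts

def parse_rule(line):
    """Parse one Snort rule into header fields, option list and integer sid."""
    if "\n" in line.strip():
        raise ValueError("Snort rules must be written on a single line")
    m = RULE_RE.fullmatch(line.strip())
    if not m:
        raise ValueError("not a valid rule header: " + line)
    rule = dict(zip(HEADER_FIELDS, m.groups()[:7]))
    rule["options"] = split_options(m.group(8))
    sids = [v for k, v in rule["options"] if k == "sid"]
    if len(sids) != 1:
        raise ValueError("rule must carry exactly one sid")
    rule["sid"] = int(sids[0])
    return rule

def is_valid_rule(line):
    try:
        parse_rule(line)
        return True
    except ValueError:
        return False
```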

Demo

So, let's try an example: detecting ping.
Open the file local.rules to add a new rule:

sudo vim /etc/snort/rules/local.rules  

Add a new rule to detect ping:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"You're being pinged!"; gid:1; sid:10000001; classtype:icmp-event;)

Run snort IDS mode:

sudo snort -A console -d -l /var/log/snort -q -u snort -g snort -c /etc/snort/snort.conf


Now, ping from another host:

ping 192.168.1.22  

Here are results:

That is just a simple example; hopefully you can build on it!
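As an added example (not from the post or the Snort project), a Python parser for the one-line alerts this run prints with -A console, fed with constructed sample lines in Snort's fast/console alert format: it counts how often each sid fired and picks out the alerts raised by local rules, whose sids by convention start at 1,000,000 so they do not collide with the official ruleset.

```python
import re
from collections import Counter

# Constructed sample of Snort fast/console alert lines (not real output from
# the post), in the one-line format Snort 2.9 prints with -A console / -A fast.
SAMPLE_ALERTS = """\
01/15-10:23:45.123456  [**] [1:10000001:0] You're being pinged! [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.152 -> 192.168.1.22
01/15-10:23:46.125001  [**] [1:10000001:0] You're being pinged! [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.152 -> 192.168.1.22
01/15-10:24:02.000314  [**] [1:268:4] DOS Jolt attack [**] [Classification: Attempted Denial of Service] [Priority: 2] {IP} 10.9.8.7 -> 192.168.1.22
some non-alert console output line
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$")

def parse_alert(line):
    """Return the alert's fields as a dict, or None for non-alert output."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    for k in ("gid", "sid", "rev", "prio"):
        a[k] = int(a[k])
    return a

def alerts(text):
    return [a for a in map(parse_alert, text.splitlines()) if a]

def count_by_sid(text):
    """How many times each rule fired, keyed by sid."""
    return Counter(a["sid"] for a in alerts(text))

def local_rule_alerts(text, min_sid=1000000):
    """Alerts from locally written rules: sids below 1,000,000 are reserved
    for the official ruleset by Snort convention."""
    return [a for a in alerts(text) if a["sid"] >= min_sid]
```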

Conclusion

Snort is the most widely used open source IDS. In this article, I've tried to give you a little guidance to get started with Snort: installation, Snort's modes, Snort's rule structure, and a real example of applying a rule of your own. Cheers!
