Snort

Learn how to use Snort to detect real-time threats, analyze recorded traffic files and identify anomalies.

Introduction to IDS/IPS

Intrusion Detection System (IDS)

An IDS passively monitors traffic to detect possible malicious activity/patterns, abnormal events and policy violations, and generates an alert for each suspicious event. It does not block anything by itself.

There are two main types of IDS systems:

  • Network Intrusion Detection System (NIDS) - NIDS monitors the traffic flow from various areas of the network. The aim is to investigate the traffic on the entire subnet. If a signature is identified, an alert is created.

  • Host-based Intrusion Detection System (HIDS) - HIDS monitors the traffic flow from a single endpoint device. The aim is to investigate the traffic on a particular device. If a signature is identified, an alert is created.

Intrusion Prevention System (IPS)

An IPS actively protects against possible malicious activity/patterns, abnormal events and policy violations: it stops/terminates the suspicious event as soon as detection occurs.

There are four main types of IPS systems:

  • Network Intrusion Prevention System (NIPS) - NIPS monitors the traffic flow from various areas of the network. The aim is to protect the traffic on the entire subnet. If a signature is identified, the connection is terminated.

  • Behavior-based Intrusion Prevention System (Network Behavior Analysis - NBA) - Behavior-based systems monitor the traffic flow from various areas of the network. The aim is to protect the traffic on the entire subnet. If a deviation from the learned baseline is identified, the connection is terminated.

Network Behavior Analysis works similarly to NIPS, the difference being that behavior-based systems require a training period (also known as "baselining") to learn what normal traffic looks like, so that they can differentiate malicious traffic and give better results against new threats that have no signature yet.

The system is trained on "normal" in order to detect "abnormal". The training period is crucial for keeping false positives down. If a breach occurs during the training period, the malicious activity becomes part of the baseline and the results will be highly problematic. Another critical point is to make sure the system has seen enough benign activity to recognise it as such.

  • Wireless Intrusion Prevention System (WIPS) - WIPS monitors the traffic flow of a wireless network. The aim is to protect the wireless traffic and stop possible attacks launched from there. If a signature is identified, the connection is terminated.

  • Host-based Intrusion Prevention System (HIPS) - HIPS actively protects the traffic flow from a single endpoint device. The aim is to investigate the traffic on a particular device. If a signature is identified, the connection is terminated.

HIPS working mechanism is similar to HIDS. The difference between them is HIDS creates alerts for threats and HIPS stops the threats by terminating the connection.

Detection/Prevention Techniques

Three main detection and prevention techniques are used in IDS and IPS solutions:

  • Signature-Based - Relies on rules that identify specific patterns of known malicious behaviour. This model detects known threats.

  • Behavior-Based - Identifies new threats whose patterns slip past signature-based detection. The model compares known/normal behaviour with unknown/abnormal behaviour. This model detects previously unknown or new threats.

  • Policy-Based - Compares detected activity with the system configuration and security policies. This model detects policy violations.

Summary

  • An IDS can identify threats but requires an operator to act on them.

  • An IPS can identify and block threats with less operator involvement at detection time.

Snort is an open-source, rule-based Network Intrusion Detection and Prevention System (NIDS/NIPS).

Capabilities of Snort:

  • Live traffic analysis

  • Attack and probe detection

  • Packet logging

  • Protocol analysis

  • Real-time alerting

  • Modules & plugins

  • Pre-processors

  • Cross-platform support (Linux & Windows)

Snort has three main use models:

  • Sniffer Mode - Read IP packets and display them in the console.

  • Packet Logger Mode - Log all IP packets (inbound and outbound) seen on the monitored interface.

  • NIDS (Network Intrusion Detection System) and NIPS (Network Intrusion Prevention System) Modes - Log/drop the packets that are deemed as malicious according to the user-defined rules.

Which type of IDS/IPS can help you stop threats on a local machine?

HIPS

Which type of IDS/IPS can help you detect threats on a local network?

NIDS

Which type of IDS/IPS can help you detect threats on a local machine?

HIDS

Which type of IDS/IPS can help you stop threats on a local network?

NIPS

Which type of system works similarly to NIPS?

NBA

According to Snort's official description, what kind of NIPS is it?

Full-blown

NBA training period is also known as ...

Baselining

First Interaction with Snort

Verify Snort is installed by running snort -V

Ensure configuration file is valid snort -c /etc/snort/snort.conf -T

Here "-T" tells Snort to test the configuration, and "-c" identifies the configuration file (snort.conf). Note that a different configuration file can be used by pointing "-c" at it.

The configuration file is the all-in-one management file of Snort. Rules, plugins, detection mechanisms, default actions and output settings are defined here. It is possible to have multiple configuration files for different purposes and cases, but only one can be used at runtime.

Note that every time you start Snort, it automatically shows the default banner and initial information about your setup. You can suppress this with the "-q" parameter.

  • -V / --version - Print the version of this Snort instance.

  • -c - Identify the configuration file.

  • -T - Snort's self-test parameter; test your setup with it.

  • -q - Quiet mode: prevents Snort from displaying the default banner and initial information about your setup.

Operation Mode 1: Sniffer Mode

Like tcpdump, Snort has various flags for choosing which data about the ingested packets to display.

Sniffer mode parameters:

  • -v - Verbose: display the TCP/IP output in the console.

  • -d - Display the packet data (payload).

  • -e - Display the second-layer (link-layer, e.g. Ethernet) headers as well. The TCP/IP/UDP/ICMP headers are already shown by -v; -e adds the layer below them.

  • -X - Display the full packet details in hex (with an ASCII column).

  • -i - Define a specific network interface to listen/sniff on. If you have multiple interfaces, use it to choose which one to sniff.

Sniffing with parameter "-i"

Start the Snort instance in verbose mode (-v) on the interface (-i) "eth0": sudo snort -v -i eth0

If you have only one interface, Snort uses it by default. The above example sniffs on the interface named "eth0". If you run Snort with -v alone, you will notice that it automatically picks "eth0" and reports it.

Sniffing with parameter "-v"

Start the Snort instance in verbose mode (-v); sudo snort -v

Once traffic is generated, Snort starts printing the packets in verbose mode.

Verbose mode provides tcpdump-like output. Once we interrupt sniffing with CTRL+C, Snort stops and prints a summary of the sniffed packets.

Sniffing with parameter "-d"

Start the Snort instance in packet-data dump mode (-d): sudo snort -d

Once traffic is generated, Snort starts printing the packets together with their payloads.

Packet-data (payload) mode includes everything verbose mode shows and adds the payload.

Sniffing with parameter "-de"

Start the Snort instance in dump (-d) and link-layer header (-e) mode: sudo snort -d -e

Once traffic is generated, Snort prints the packets with their payloads and link-layer headers.

Sniffing with parameter "-X"

Start the Snort instance in full packet dump mode (-X); sudo snort -X

Once traffic is generated, Snort prints the full packet dump in hex and ASCII.

Note that you can use the parameters both in combined and separated form as follows:

  • snort -v

  • snort -vd

  • snort -de

  • snort -v -d -e

  • snort -X

Make sure to understand and practise each parameter with different types of traffic and find your favourite combinations.

Operation Mode 2: Packet Logger Mode

Let's run Snort in Logger Mode

Use Snort as a sniffer and log the sniffed packets with the packet logger mode parameters; Snort does the rest.

Packet logger parameters are explained in the table below:

  • -l - Logger mode; sets the target log and alert output directory. The default output folder is /var/log/snort, and the default action is to dump in tcpdump (binary) format there.

  • -K ASCII - Log packets in ASCII format.

  • -r - Reading option; read the dumped logs back into Snort.

  • -n - Specify the number of packets to process/read. Snort stops after the specified number of packets.

Logfile Ownership

The fundamental file ownership rule: whoever creates a file becomes its owner.

Snort needs superuser (root) rights to sniff traffic, so once you run Snort with "sudo", the "root" account owns the generated log files. Therefore you need "root" rights to investigate them. There are two approaches:

  • Elevation of privileges - Run the investigating command as superuser with sudo (sudo command), or switch the whole session to the superuser account with sudo su and then examine the generated log files.

  • Changing the ownership of files/directories - Change the ownership of the file/folder so you can read it as your own user: sudo chown username file, or sudo chown username -R directory for a whole directory. The "-R" parameter processes the files and directories recursively.

Logging with parameter "-l"

Start the Snort instance in packet logger mode: sudo snort -dev -l .

Now start ICMP/HTTP traffic with the traffic-generator script.

Once the traffic is generated, Snort starts showing the packets and logs them in the target directory. You can configure the default output directory in the snort.conf file, or use the "-l" parameter to set a target directory. The configured default log directory is useful for continuous monitoring operations; the "-l" parameter is much more useful for testing.

The -l . part of the command creates the logs in the current directory.

It is a single binary/tcpdump format log.

Logging with parameter "-K ASCII"

Start the Snort instance in packet logger mode; sudo snort -dev -K ASCII

The logs created with the "-K ASCII" parameter are entirely different: there are folders named after IP addresses.

ASCII mode produces multiple files in human-readable form, so the logs can be read easily with a text editor. Unlike ASCII format, the binary format is not human-readable and requires analysis with Snort or an application like tcpdump.

Reading generated logs with parameter "-r"

Start the Snort instance in packet reader mode: sudo snort -r logname.log

Snort can read and handle its binary (tcpdump format) output; tcpdump and Wireshark can also handle this log format. However, if you create logs with the "-K ASCII" parameter, Snort will not read them back. Snort reads and displays the log file just as it would in sniffer mode.

The same binary log file can be opened with tcpdump and, similarly, with Wireshark.

"-r" parameter also allows users to filter the binary log files. Filter the processed log to see specific packets with the "-r" parameter and Berkeley Packet Filters (BPF).

  • sudo snort -r logname.log -X

  • sudo snort -r logname.log icmp

  • sudo snort -r logname.log tcp

  • sudo snort -r logname.log 'udp and port 53'

The output will be the same as above, but only packets matching the filter will be shown. Specify the number of packets to process with the parameter "-n". The following command processes only the first 10 packets: snort -dvr logname.log -n 10


Investigate the traffic with the default configuration file with ASCII mode. sudo snort -dev -K ASCII -l .

Execute the traffic generator script and choose "TASK-6 Exercise". Wait until the traffic ends, then stop the Snort instance. Now analyse the output summary and answer the question.

sudo ./traffic-generator.sh

Now, you should have the logs in the current directory. Navigate to the folder "145.254.160.237". What is the source port used to connect to port 53?

Use snort.log.1640048004. Read the snort.log file with Snort; what is the IP ID of the 10th packet?

Read the "snort.log.1640048004" file with Snort; what is the referer of the 4th packet?

Read the "snort.log.1640048004" file with Snort; what is the Ack number of the 8th packet?

Read the "snort.log.1640048004" file with Snort; what is the number of the "TCP port 80" packets?

Operation Mode 3: IDS/IPS

Snort in IDS/IPS Mode

IDS/IPS mode manages traffic according to user-defined rules; what (N)IDS/IPS mode does depends entirely on the rules and the configuration.

Run Snort in IDS/IPS Mode

NIDS mode parameters are explained below;

  • -c - Define the configuration file.

  • -T - Test the configuration file.

  • -N - Disable logging.

  • -D - Background (daemon) mode.

  • -A - Alert mode. One of:

    full: Full alert mode, providing all possible information about the alert. This is also the default; if no alert mode is given, Snort uses full.

    fast: Fast mode shows the alert message, timestamp, source and destination IP, along with port numbers.

    console: Provides fast-style alerts on the console screen.

    cmg: CMG style: basic header details with payload in hex and text format.

    none: Disables alerting.

The pre-defined ICMP rule below is used as the example; it generates an alert for any ICMP packet, in either direction.

alert icmp any any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)

This rule is located in "/etc/snort/rules/local.rules".

Focusing only on operating modes in this module: Snort creates an 'alert' file if the traffic triggers a rule. Once IDS/IPS mode is running, sniffing and logging become semi-passive; those functions can still be activated with the parameters mentioned previously (-i, -v, -d, -e, -X, -l, -K ASCII).

IDS/IPS mode with parameter "-c and -T"

To test the configuration file, run sudo snort -c /etc/snort/snort.conf -T; Snort checks the config file and reports any misconfiguration.

IDS/IPS mode with parameter "-N"

Start the Snort instance and disable logging by running the following command: sudo snort -c /etc/snort/snort.conf -N

This command disables logging. The rest of the functions remain available (if activated).

The command-line output will provide the information requested with the parameters. If verbosity is activated (-v) or full packet dump (-X) the output will be in the console, but there will be no logs in the log folder.

IDS/IPS mode with parameter "-D"

Start the Snort instance in background mode with the following command: sudo snort -c /etc/snort/snort.conf -D

If verbosity (-v) or full packet dump (-X) is activated together with packet logger mode (-l), the logs still go to the log folder, but there is no output in the console.

After starting background mode, find the corresponding process with the "ps" command.

To stop the daemon, use the "kill" command on that process.

Daemon mode is mainly used to automate Snort. It is typically used in scripts to start the Snort service in the background, and is not recommended without a working knowledge of Snort and a stable configuration.

IDS/IPS mode with parameter "-A"

There are several alert modes available in snort:

  • console: Provides fast style alerts on the console screen.

  • cmg: Provides basic header details with payload in hex and text format.

  • full: Full alert mode, providing all possible information about the alert.

  • fast: Fast mode, shows the alert message, timestamp, source and destination IP along with port numbers.

  • none: Disabling alerting.

Only the "console" and "cmg" modes print alert information to the console. The differences between the remaining modes cannot be seen on the terminal; identify them by looking at the generated files.

Since "full", "fast" and "none" produce no console output, compare their alert/log file formats instead.

IDS/IPS mode with parameter "-A console"

Console mode provides fast style alerts on the console screen. Start the Snort instance in console alert mode (-A console ) with the following command sudo snort -c /etc/snort/snort.conf -A console

IDS/IPS mode with parameter "-A cmg"

Cmg mode provides basic header details with payload in hex and text format. Start the Snort instance in cmg alert mode (-A cmg ) with the following command sudo snort -c /etc/snort/snort.conf -A cmg

Compare the console and cmg outputs before moving on to the other alert modes. Console mode provides basic header and rule information; cmg mode provides full packet details along with rule information.

IDS/IPS mode with parameter "-A fast"

Fast mode provides alert messages, timestamps, and source and destination IP addresses. Remember, there is no console output in this mode. Start the Snort instance in fast alert mode (-A fast ) with the following command sudo snort -c /etc/snort/snort.conf -A fast

Fast style alerts contain summary information on the action like direction and alert header.
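As an added example (my own code, not Snort's and not part of the original page): a parser for the one-line alerts that "-A fast" writes to the alert file (and that "-A console" prints), turning each line into fields and summarising them by rule and source address. The layout followed is the Snort 2 fast format: timestamp, [**], [gid:sid:rev], msg, [**], an optional [Classification: ...], [Priority: N], {PROTO}, src[:port] -> dst[:port]. The sample lines are constructed, IPv4 only, and omit the year that the "-y" option adds to the timestamp.

```python
import re
from collections import Counter

# One "-A fast" line. Ports are absent for ICMP, Classification only appears when the
# rule has a classtype; both are therefore optional groups. IPv4 only (constructed scope).
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alert(line):
    """Return a dict of fields for one fast-format line, or None if it is not one."""
    m = FAST_RE.match(line)
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        alert[key] = int(alert[key])
    for key in ("sport", "dport"):
        alert[key] = int(alert[key]) if alert[key] is not None else None
    return alert


def summarize(text):
    """Count alerts per (sid, msg) and per source address; count lines that did not parse."""
    alerts, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        parsed = parse_fast_alert(line)
        if parsed is None:
            unparsed += 1
        else:
            alerts.append(parsed)
    by_rule = Counter((a["sid"], a["msg"]) for a in alerts)
    by_src = Counter(a["src"] for a in alerts)
    return {"total": len(alerts), "unparsed": unparsed,
            "by_rule": dict(by_rule), "top_src": by_src.most_common(3)}


# Constructed alert lines in the fast format (not taken from a real sensor).
SAMPLE_ALERTS = """\
12/21-14:07:14.640040  [**] [1:100001:1] ICMP Packet Found [**] [Priority: 0] {ICMP} 192.168.1.10 -> 192.168.1.1
12/21-14:07:15.112233  [**] [1:100001:1] ICMP Packet Found [**] [Priority: 0] {ICMP} 192.168.1.1 -> 192.168.1.10
12/21-14:07:16.001122  [**] [1:1000002:2] GET Request Found [**] [Classification: Web Application Activity] [Priority: 2] {TCP} 10.0.0.5:51234 -> 192.168.1.20:80
not an alert line
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_ALERTS))
```

Feeding the real alert file to summarize() gives the per-rule counts the exercises below ask for without opening the file by hand; lines that do not parse are counted rather than silently dropped, so a format change (for example running with -y) shows up as a high "unparsed" figure instead of missing alerts.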

IDS/IPS mode with parameter "-A full"

Full alert mode provides all possible information about the alert. Remember, there is no console output in this mode. Start the Snort instance in full alert mode (-A full ) with the following command sudo snort -c /etc/snort/snort.conf -A full

Full style alerts contain all possible information on the action.

IDS/IPS mode with parameter "-A none"

Disable alerting. This mode doesn't create the alert file. However, it still logs the traffic and creates a log file in binary dump format. There is no console output in this mode. Start the Snort instance in none alert mode (-A none) with the following command: sudo snort -c /etc/snort/snort.conf -A none

There is no alert file. Snort only generated the log file.

IDS/IPS mode: "Using rule file without configuration file"

Running Snort with only a rules file and no configuration file is useful for testing user-created rules. Without the configuration file none of the preprocessors or output settings from snort.conf are loaded, so this mode has fewer features and weaker detection than a full configuration.

IPS mode and dropping packets

Snort IPS mode is activated with the -Q --daq afpacket parameters. It can also be enabled by editing the snort.conf file (the config daq and config daq_mode lines).

Activate the Data Acquisition (DAQ) afpacket module and give Snort the two interfaces to bridge, in the form -i eth0:eth1. Traffic then passes through Snort inline, and packets that match drop/reject rules are blocked instead of only alerted on.

Read the log with sudo snort -r snort.log.1670705004 and/or read the console output.

Operation Mode 4: PCAP Investigation

Investigate PCAPs with Snort

Snort's capabilities are not limited to sniffing, logging and detecting/preventing threats. PCAP read/investigate mode lets you work with pcap files. Once Snort processes a pcap file, you receive the default traffic statistics plus the alerts the ruleset produces.

Reading a pcap file without additional parameters only overviews the packets and provides statistics about the file, which is not very helpful for an investigation. Combine it with the configuration file and rules so that known threat patterns are applied and the investigation is sped up.

Combining the parameters for different purposes - PCAP mode parameters:

  • -r / --pcap-single= - Read a single pcap.

  • --pcap-list="" - Read the pcaps given in the command (space separated).

  • --pcap-show - Show the pcap name on the console during processing.

Investigating single PCAP with parameter "-r"

For test purposes, try the default reading option with a pcap: snort -r icmp-test.pcap

Investigate the pcap with the configuration file. sudo snort -c /etc/snort/snort.conf -q -r icmp-test.pcap -A console -n 10

The ICMP rule got a hit. Snort identified the traffic and prompted the alerts according to the ruleset.

Investigating multiple PCAPs with parameter "--pcap-list"

Investigate multiple pcaps with the configuration file. sudo snort -c /etc/snort/snort.conf -q --pcap-list="icmp-test.pcap http2.pcap" -A console -n 10

The ICMP rule got a hit. Snort identified the traffic and prompted the alerts according to the ruleset. Since two pcaps were processed and there are lots of alerts, it is impossible to match alerts to their source pcap unless Snort separates the output per file and tells you which file each alert came from.

Investigating multiple PCAPs with parameter "--pcap-show"

Investigate multiple pcaps, distinguish each one. sudo snort -c /etc/snort/snort.conf -q --pcap-list="icmp-test.pcap http2.pcap" -A console --pcap-show

Investigate the mx-1.pcap file with the default configuration file. sudo snort -c /etc/snort/snort.conf -A full -l . -r mx-1.pcap What is the number of the generated alerts?

Keep reading the output. How many TCP Segments are Queued?

Keep reading the output. How many "HTTP response headers" were extracted?

Investigate the mx-1.pcap file with the second configuration file. sudo snort -c /etc/snort/snortv2.conf -A full -l . -r mx-1.pcap What is the number of the generated alerts?

Investigate the mx-2.pcap file with the default configuration file. sudo snort -c /etc/snort/snort.conf -A full -l . -r mx-2.pcap What is the number of the generated alerts?

Keep reading the output. What is the number of the detected TCP packets?

Investigate the mx-2.pcap and mx-3.pcap files with the default configuration file. sudo snort -c /etc/snort/snort.conf -A full -l . --pcap-list="mx-2.pcap mx-3.pcap" What is the number of the generated alerts?

Snort Rule Structure

Learn Snort Rules

Understanding the Snort rule format is essential for any blue and purple teamer. The primary structure of a Snort rule is: action, protocol, source IP, source port, direction, destination IP, destination port, followed by the options in parentheses.

Each rule has an action, a protocol, a source and destination IP, a source and destination port and (in parentheses) options. Since Snort defaults to passive mode, it works as an IDS unless inline mode is started to turn on IPS mode.

To create efficient rules, it is recommended to practise Snort rules and option details for different use cases. This page focuses on two actions: "alert" for IDS mode and "reject" for IPS mode.

Rules cannot be processed without a header. Rule options are the "optional" part, but it is almost impossible to detect sophisticated attacks without them.

Action

There are several actions for rules. Understand the functionality and test it before creating rules for live systems. The most common actions are listed below.

  • alert: Generate an alert and log the packet.

  • log: Log the packet.

  • drop: Block and log the packet.

  • reject: Block the packet, log it and terminate the packet session.

Protocol

The protocol parameter identifies the protocol filtered by the rule.

Note that Snort 2 supports only four protocol filters in rules (IP, TCP, UDP and ICMP). Application flows are detected using port numbers and options. To detect FTP traffic, you cannot use an FTP keyword in the protocol field; instead, filter TCP traffic on port 21.

IP and Port Numbers

These parameters identify the source and destination IP addresses and associated port numbers filtered for the rule.

IP Filtering

alert icmp 192.168.1.56 any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)

This rule will create alerts for each ICMP packet to or from the 192.168.1.56 IP address (the <> operator makes the rule bidirectional).

Filter an IP range

alert icmp 192.168.1.0/24 any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)

This rule will create alerts for each ICMP packet to or from the 192.168.1.0/24 subnet.

Filter multiple IP ranges

alert icmp [192.168.1.0/24, 10.1.1.0/24] any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)

This rule will create alerts for each ICMP packet to or from the 192.168.1.0/24 and 10.1.1.0/24 subnets.

Exclude IP addresses/ranges

The "negation operator" is used for excluding specific addresses and ports. It is indicated with "!".

alert icmp !192.168.1.0/24 any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)

This rule will create alerts for each ICMP packet not originating from the 192.168.1.0/24 subnet (and, because of <>, also for packets not destined to it; only traffic with both ends inside the subnet is left out).

Port Filtering

The following examples keep the negated subnet from above and add a port filter. The port constrains the same endpoint as the address, and <> lets that endpoint be either side of the conversation.

alert tcp !192.168.1.0/24 21 <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)

This rule will create alerts for each TCP packet from port 21 of a host outside 192.168.1.0/24.

Exclude a specific port

alert tcp !192.168.1.0/24 !21 <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)

This rule will create alerts for each TCP packet from a port other than 21 of a host outside 192.168.1.0/24.

Filter a port range (Type 1)

alert tcp !192.168.1.0/24 1:1024 <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)

This rule will create alerts for each TCP packet from ports 1 to 1024 of a host outside 192.168.1.0/24.

Filter a port range (Type 2)

alert tcp any :1024 <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)

This rule will create alerts for each TCP packet from a port less than or equal to 1024.

Filter a port range (Type 3)

alert tcp any 1024: <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)

This rule will create alerts for each TCP packet from a port higher than or equal to 1024.

Filter a port range (Type 4)

alert tcp any 80,1024: <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)

This rule will create alerts for each TCP packet from port 80 or from a port higher than or equal to 1024. (The last three examples are TCP rules; port filters have no meaning for ICMP, which has no ports.)

Direction

The direction operator indicates the traffic flow to be filtered by Snort. The left side of the rule is the source and the right side the destination. There is no "<-" operator; swap the two sides instead.

  • -> Source to destination flow.

  • <> Bidirectional flow

There are three main categories of rule options in Snort;

  • General Rule Options - Fundamental rule options for Snort.

  • Payload Rule Options - Rule options that help to investigate the payload data. These options are helpful to detect specific payload patterns.

  • Non-Payload Rule Options - Rule options that focus on non-payload data. These options will help create specific patterns and identify network issues.

General Rule Options

Msg

The message field is a basic prompt and quick identifier of the rule. Once the rule is triggered, the message field appears in the console or log. Usually, the message is a one-liner that summarises the event.

Sid

Snort rule IDs (SIDs) come with pre-defined scopes, and each rule must have a SID in the proper range. The three scopes are:

  • <100: Reserved rules

  • 100-999,999: Rules that came with the build.

  • >=1,000,000: Rules created by the user.

Briefly, the rules we create should have a SID of at least 1,000,000 (the sample rules on this page use 100001 for brevity). Another important point: SIDs must not overlap; each ID must be unique.
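As an added example (my own code, not Snort's and not part of the original page) covering both the header syntax above (IP lists, CIDR, "!" negation, the four port-range forms, "->" and "<>") and the SID scopes just described: the Python below parses a Snort 2 rule header, decides whether a packet matches it, and lints the SIDs of a rule set. The rules and packets are constructed for the demonstration; nested IP lists and per-element port negation are not handled, and rule options other than sid/rev/msg are parsed but not evaluated.

```python
import ipaddress
import re

LOCAL_SID_MIN = 1_000_000  # user-created rules start here (see the SID scopes above)

# A header field is either a [bracketed list] (spaces allowed inside) or a bare token.
FIELD = r"(\[[^\]]*\]|\S+)"
HEADER_RE = re.compile(
    rf"^(\w+)\s+(\w+)\s+{FIELD}\s+{FIELD}\s+(->|<>)\s+{FIELD}\s+{FIELD}\s*\((.*)\)\s*$"
)


def parse_rule(line):
    """Header fields plus the options as an ordered list of (keyword, value)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a valid rule header: {line!r}")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    opts = []
    for opt in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', body):  # ';' outside quotes
        if opt.strip():
            key, _, val = opt.partition(":")
            opts.append((key.strip(), val.strip().strip('"')))
    return {"action": action, "proto": proto.lower(), "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "opts": opts, "raw": line}


def ip_matches(spec, addr):
    """spec: 'any', a host, a CIDR or a [list] of those, optionally '!'-negated as a whole.
    A '!' element inside a list is an exclusion from that list."""
    negate_all = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        return not negate_all
    a = ipaddress.ip_address(addr)
    include, exclude = [], []
    for item in spec.strip("[]").split(","):
        item = item.strip()
        net = ipaddress.ip_network(item.lstrip("!"), strict=False)  # a host becomes a /32
        (exclude if item.startswith("!") else include).append(net)
    hit = (not include or any(a in n for n in include)) and not any(a in n for n in exclude)
    return hit != negate_all


def port_matches(spec, port):
    """spec: 'any', N, lo:hi, :hi, lo: or a comma list of those, optionally '!'-negated
    as a whole. port is None for protocols without ports (ICMP): only 'any' matches then."""
    negate_all = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        return not negate_all
    if port is None:
        return False
    hit = False
    for item in spec.strip("[]").split(","):
        item = item.strip()
        if ":" in item:
            lo, _, hi = item.partition(":")
            hit |= (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
        else:
            hit |= port == int(item)
    return hit != negate_all


def header_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport. '<>' is tried in both directions."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False

    def one_way(s, sp, d, dp):
        return (ip_matches(rule["src"], s) and port_matches(rule["sport"], sp)
                and ip_matches(rule["dst"], d) and port_matches(rule["dport"], dp))

    forward = one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if rule["dir"] == "<>":
        return forward or one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    return forward


def lint_sids(rules):
    """Flag a missing sid, a sid below the local-rule scope, a duplicate sid and a missing rev."""
    problems, seen = [], set()
    for r in rules:
        opts = dict(r["opts"])
        if "sid" not in opts:
            problems.append("missing sid: " + r["raw"])
            continue
        sid = int(opts["sid"])
        if sid < LOCAL_SID_MIN:
            problems.append(f"sid {sid} is below {LOCAL_SID_MIN}; not in the local-rule scope")
        if sid in seen:
            problems.append(f"sid {sid} is used more than once")
        seen.add(sid)
        if "rev" not in opts:
            problems.append(f"sid {sid} has no rev")
    return problems


# Constructed rules for the demonstration (not from any real ruleset).
RULES = [parse_rule(r) for r in (
    'alert icmp [192.168.1.0/24, 10.1.1.0/24] any <> any any (msg:"ICMP Packet Found"; sid:100001; rev:1;)',
    'alert tcp !192.168.1.0/24 80,1024: -> any any (msg:"Port 80 or high source port"; sid:1000001; rev:2;)',
    'alert tcp any :1024 -> any any (msg:"Low source port"; sid:1000001; rev:1;)',
)]


def alerts_for(pkt, rules=RULES):
    """msg of every rule whose header matches the packet (options are not evaluated here)."""
    return [dict(r["opts"])["msg"] for r in rules if header_matches(r, pkt)]
```

The lint deliberately flags the page's own sample SID 100001 as outside the local scope and the reused 1000001 as a duplicate, which is exactly what Snort's own startup check would complain about for a local.rules with overlapping IDs.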

Reference

Each rule can have additional information or reference to explain the purpose of the rule or threat pattern. That could be a Common Vulnerabilities and Exposures (CVE) id or external information. Having references for the rules will always help analysts during the alert and incident investigation.

Rev

Snort rules get modified and updated for performance and efficiency. The rev option gives analysts the revision information of each rule, which makes rule improvements easy to follow. Each rule carries its own rev number, and there is no auto-backup of the rule history; analysts must keep the history themselves. The rev option is only an indicator of how many times the rule has been revised.

alert icmp any any <> any any (msg: "ICMP Packet Found"; sid: 100001; reference:cve,CVE-XXXX; rev:1;)

Payload Detection Rule Options

Content

Payload data. It matches specific payload data given as ASCII, hex or both. This option can be used multiple times in a single rule. However, the more specific pattern-matching features you add, the longer it takes to inspect a packet.

The following rules create an alert for each packet to TCP port 80 containing the keyword "GET". This option is case sensitive!

  • ASCII mode - alert tcp any any <> any 80 (msg: "GET Request Found"; content:"GET"; sid: 100001; rev:1;)

  • HEX mode - alert tcp any any <> any 80 (msg: "GET Request Found"; content:"|47 45 54|"; sid: 100001; rev:1;)

Nocase

Disables case sensitivity. Used for enhancing content searches.

alert tcp any any <> any 80 (msg: "GET Request Found"; content:"GET"; nocase; sid: 100001; rev:1;)

Fast_pattern

Prioritises a content search to speed up payload matching. By default, Snort uses the longest content of a rule as the fast pattern and checks it first. The "fast_pattern" option lets you select which content is used for the initial packet match, after which the rest of the rule is investigated. This option always works case-insensitively and can be used once per rule. It is most useful when a rule has multiple "content" options.

The following rule has two content options, and the fast_pattern option tells to snort to use the first content option (in this case, "GET") for the initial packet match.

alert tcp any any <> any 80 (msg: "GET Request Found"; content:"GET"; fast_pattern; content:"www"; sid:100001; rev:1;)
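As an added example (my own code, not Snort's and not part of the original page): how a content value with |hex| segments becomes the bytes Snort searches for, how nocase changes the comparison, and how the fast pattern is chosen and used as a pre-filter before every content in the rule is checked. It takes the rule options as an already split (keyword, value) list in rule order, because nocase and fast_pattern apply to the content that precedes them; the option lists and payloads are constructed.

```python
def content_to_bytes(value):
    """'GET' -> b'GET'; '|47 45 54|' -> b'GET'; 'User-Agent|3a 20|curl' mixes both forms."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        if i % 2:  # odd segments sit between pipes: hex bytes
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def parse_contents(options):
    """Collect each 'content' together with the modifiers that follow it."""
    contents = []
    for key, val in options:
        if key == "content":
            contents.append({"pattern": content_to_bytes(val), "nocase": False, "fast": False})
        elif key == "nocase" and contents:
            contents[-1]["nocase"] = True
        elif key == "fast_pattern" and contents:
            contents[-1]["fast"] = True
    return contents


def fast_pattern(contents):
    """The content flagged fast_pattern; otherwise the longest one, which is Snort's default."""
    flagged = [c for c in contents if c["fast"]]
    if flagged:
        return flagged[0]
    return max(contents, key=lambda c: len(c["pattern"]), default=None)


def content_hits(content, payload):
    """One content check, case-sensitive unless nocase was set on it."""
    if content["nocase"]:
        return content["pattern"].lower() in payload.lower()
    return content["pattern"] in payload


def evaluate(contents, payload):
    """Returns (fast_pattern_passed, rule_matched). The fast pattern is searched first,
    always case-insensitively; only payloads that pass it get the full check of every
    content, each with its own case handling."""
    fp = fast_pattern(contents)
    if fp is not None and fp["pattern"].lower() not in payload.lower():
        return False, False
    return True, all(content_hits(c, payload) for c in contents)


# Constructed option lists mirroring the rules above (what a rule parser would hand over).
GET_RULE = [("msg", "GET Request Found"), ("content", "GET"), ("sid", "1000002"), ("rev", "1")]
GET_NOCASE = [("msg", "GET Request Found"), ("content", "GET"), ("nocase", ""), ("sid", "1000003")]
GET_WWW_FAST = [("content", "GET"), ("fast_pattern", ""), ("content", "Host: www"), ("sid", "1000004")]
GET_WWW_DEFAULT = [("content", "GET"), ("content", "Host: www"), ("sid", "1000005")]
```

The two-stage result is the point: a payload can pass the case-insensitive fast pattern and still fail the rule because the content itself is case-sensitive, and with fast_pattern on the short "GET" every GET request reaches the full check, whereas the default choice of the longer "Host: www" discards most traffic before it gets there.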

Non-Payload Detection Rule Options

There are rule options that focus on non-payload data. These options will help create specific patterns and identify network issues.

ID

Filtering the IP ID field.

alert tcp any any <> any any (msg: "ID TEST"; id:123456; sid: 100001; rev:1;)

Flags

Filtering the TCP flags.

  • F - FIN

  • S - SYN

  • R - RST

  • P - PSH

  • A - ACK

  • U - URG

alert tcp any any <> any any (msg: "FLAG TEST"; flags:S; sid: 100001; rev:1;)

Dsize

Filtering the packet payload size.

  • dsize:min<>max;

  • dsize:>100

  • dsize:<100

alert ip any any <> any any (msg: "DSIZE TEST"; dsize:100<>300; sid: 100001; rev:1;)

Sameip

Filtering for packets whose source and destination IP addresses are the same.

alert ip any any <> any any (msg: "SAME-IP TEST"; sameip; sid: 100001; rev:1;)
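As an added example (my own code, not Snort's and not part of the original page): evaluating the non-payload options above (id, flags, dsize, sameip) against constructed packets. It also covers the flags modifiers the page does not list, taken from the Snort 2 manual: "+" (the listed flags plus any others), "*" (any of the listed flags), "!" (none of the listed flags) and a ",12" mask that ignores the two reserved bits, which is what lets a plain SYN rule still match ECN-setup SYNs. The dsize range is treated as inclusive, which is how Snort 2 checks it (an assumption worth verifying against the manual of the version you run; Snort 3 added a separate "<=>" form). Packets and expected counts are constructed; the exercise pcap is not used.

```python
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
RESERVED = {"1": 0x80, "2": 0x40}  # Snort's "reserved bit 1 (MSB)" and "reserved bit 2"


def flags_match(spec, tcp_flags):
    """spec like 'S', 'PA', 'S+', '!A', 'SA*', 'S,12'. No modifier means an exact match."""
    bits, _, mask_part = spec.partition(",")
    mode, want, mask = "", 0, 0
    for ch in bits:
        if ch in "+*!":
            mode = ch  # Snort accepts the modifier before or after the letters
        elif ch in FLAG_BITS:
            want |= FLAG_BITS[ch]
        elif ch in RESERVED:
            want |= RESERVED[ch]
        # '0' (no flags at all) adds nothing: want stays 0 and exact mode demands 0
    for ch in mask_part:
        mask |= FLAG_BITS.get(ch, RESERVED.get(ch, 0))
    flags = tcp_flags & ~mask  # masked bits are ignored in the comparison
    if mode == "+":
        return flags & want == want
    if mode == "*":
        return flags & want != 0
    if mode == "!":
        return flags & want == 0
    return flags == want


def dsize_match(spec, size):
    """'>100', '<100', '100<>300' (inclusive here, see lead-in) or an exact number."""
    if "<>" in spec:
        lo, hi = spec.split("<>")
        return int(lo) <= size <= int(hi)
    if spec.startswith(">"):
        return size > int(spec[1:])
    if spec.startswith("<"):
        return size < int(spec[1:])
    return size == int(spec)


def rule_matches(options, pkt):
    """options: (keyword, value) pairs in rule order; keywords not handled here are skipped."""
    for key, val in options:
        if key == "id" and pkt["ip_id"] != int(val):
            return False
        if key == "flags" and not flags_match(val, pkt["tcp_flags"]):
            return False
        if key == "dsize" and not dsize_match(val, pkt["dsize"]):
            return False
        if key == "sameip" and pkt["src"] != pkt["dst"]:
            return False
    return True


def count_matches(options, packets):
    """How many packets the rule options would alert on (the number the exercises ask for)."""
    return sum(1 for p in packets if rule_matches(options, p))


SYN, ACK, PSH = FLAG_BITS["S"], FLAG_BITS["A"], FLAG_BITS["P"]
ECN = RESERVED["1"] | RESERVED["2"]

# Constructed packets: a handshake, two data segments, and a same-IP SYN carrying the ECN bits.
PACKETS = [
    {"src": "10.0.0.5", "dst": "10.0.0.9", "ip_id": 35369, "tcp_flags": SYN, "dsize": 0},
    {"src": "10.0.0.9", "dst": "10.0.0.5", "ip_id": 1, "tcp_flags": SYN | ACK, "dsize": 0},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "ip_id": 2, "tcp_flags": ACK, "dsize": 0},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "ip_id": 3, "tcp_flags": PSH | ACK, "dsize": 120},
    {"src": "10.0.0.9", "dst": "10.0.0.5", "ip_id": 4, "tcp_flags": PSH | ACK, "dsize": 512},
    {"src": "127.0.0.1", "dst": "127.0.0.1", "ip_id": 5, "tcp_flags": SYN | ECN, "dsize": 0},
]
```

Note the difference between flags:S and flags:S,12 on the last packet: without the mask an exact match on SYN misses SYNs that carry the ECN bits, which is the trap the manual's ",12" example exists for.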

Once a rule is created, it is a local rule and belongs in the "local.rules" file located at "/etc/snort/rules/local.rules".

Use "task9.pcap". Write a rule to filter IP ID "35369" and run it against the given pcap file. What is the request name of the detected packet? snort -c local.rules -A full -l . -r task9.pcap

Create a rule to filter packets with Syn flag and run it against the given pcap file. What is the number of detected packets?

Clear the previous log and alert files and deactivate/comment out the old rule. Write a rule to filter packets with the Push-Ack flags and run it against the given pcap file. What is the number of detected packets?

Create a rule to filter packets with the same source and destination IP and run it against the given pcap file. What is the number of detected packets?

Case Example - An analyst modified an existing rule successfully. Which rule option must the analyst change after the implementation?

rev

Snort2 Operation Logic: Points to Remember

Points to Remember

Main Components of Snort

  • Packet Decoder - Packet collector component of Snort. It collects and prepares the packets for pre-processing.

  • Pre-processors - A component that arranges and modifies the packets for the detection engine.

  • Detection Engine - The primary component; it processes, dissects and analyses the packets by applying the rules.

  • Logging and Alerting - Log and alert generation component.

  • Outputs and Plugins - Output integration modules (e.g. alerts to syslog/MySQL) and additional plugin support (rule management, detection plugins) are handled by this component.

Three types of rules available for snort

  • Community Rules - Free ruleset under the GPLv2. Publicly accessible, no need for registration.

  • Registered Rules - Free ruleset (requires registration). This ruleset contains the subscriber rules with a 30-day delay.

  • Subscriber Rules (Paid) - Paid ruleset (requires subscription). This ruleset is the main ruleset and is updated twice a week (Tuesdays and Thursdays).


Note: Once Snort 2 is installed, it automatically creates the required directories and files. To use the community or the paid rules, include each rule file in the snort.conf file.

Editing it without causing a misconfiguration is troublesome for some users. Snort has several rule-update modules and integration tools. Never replace a configured snort.conf wholesale; edit it manually or update the rules with the additional tools and modules, so you don't run into failures/crashes or missing features.

  • snort.conf: Main configuration file.

  • local.rules: User-generated rules file.

Overviewing the main configuration file (snort.conf) sudo gedit /etc/snort/snort.conf

This section manages the scope of the detection and the rule paths.

  • HOME_NET - The network we are protecting. Example: 'any' or '192.168.1.1/24'

  • EXTERNAL_NET - The external network; keep it as 'any' or '!$HOME_NET'. Example: 'any' or '!$HOME_NET'

  • RULE_PATH - Hardcoded rule path. Example: /etc/snort/rules

  • SO_RULE_PATH - Shared-object rules; these come with the registered and subscriber rulesets. Example: $RULE_PATH/so_rules

  • PREPROC_RULE_PATH - Preprocessor rules; these come with the registered and subscriber rulesets. Example: $RULE_PATH/plugin_rules

Use this section to manage Snort's IPS mode. For a single-node installation, IPS mode works best with "afpacket". Enable this mode to run Snort inline as an IPS.

  • #config daq: - IPS mode (DAQ module) selection. Example: afpacket

  • #config daq_mode: - Activates inline mode. Example: inline

  • #config logdir: - Hardcoded default log path. Example: /var/log/snort

These lines ship commented out; remove the leading "#" to enable them.

Data Acquisition Modules (DAQ) are specific libraries used for packet I/O, bringing flexibility to process packets. It is possible to select DAQ type and mode for different purposes.

There are six DAQ modules available in Snort;

  • Pcap: Default mode, known as Sniffer mode.

  • Afpacket: Inline mode, known as IPS mode.

  • Ipq: Inline mode on Linux by using Netfilter. It replaces the snort_inline patch.

  • Nfq: Inline mode on Linux.

  • Ipfw: Inline on OpenBSD and FreeBSD by using divert sockets, with the pf and ipfw firewalls.

  • Dump: Testing mode of inline and normalisation.

The most popular modes are the default (pcap) and inline/IPS (Afpacket).

This section manages which rule files are loaded. (The output plugins, i.e. the logging and alerting format details, are also configured in snort.conf; by default everything is prompted in the console application, so configuring them helps you use Snort more efficiently.)

  • # site specific rules - Hardcoded local and user-generated rules path. Example: include $RULE_PATH/local.rules

  • #include $RULE_PATH/ - Hardcoded default/downloaded rules path. Example: include $RULE_PATH/rulename

Note that "#" is the comment operator. Uncomment a line to activate it.
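As an added example (my own code, not Snort's and not part of the original page): a small reader for the parts of snort.conf discussed above. It collects the ipvar/var definitions, resolves $RULE_PATH-style references, distinguishes active include lines from commented-out ones, reports whether the DAQ settings put Snort inline, and flags two things a reviewer looks for: a HOME_NET left as 'any' (rules scoped with $HOME_NET then cannot tell inside from outside) and an include that points at a file that does not exist. The configuration excerpt is constructed, and the exists parameter lets the check run without a real /etc/snort.

```python
import os
import re

VAR_RE = re.compile(r"^(?:ipvar|portvar|var)\s+(\w+)\s+(.+?)\s*$")
INC_RE = re.compile(r"^include\s+(\S+)")
CFG_RE = re.compile(r"^config\s+(\w+):\s*(\S+)")


def parse_conf(text):
    """Return (variables, active includes, commented-out includes, config directives)."""
    variables, includes, disabled, config = {}, [], [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):  # '#' comments a line out; remember disabled includes
            m = INC_RE.match(line.lstrip("#").strip())
            if m:
                disabled.append(m.group(1))
            continue
        if m := VAR_RE.match(line):
            variables[m.group(1)] = m.group(2)
        elif m := INC_RE.match(line):
            includes.append(m.group(1))
        elif m := CFG_RE.match(line):
            config[m.group(1)] = m.group(2)
    return variables, includes, disabled, config


def expand(value, variables, depth=10):
    """Resolve $NAME references, e.g. $RULE_PATH/local.rules -> /etc/snort/rules/local.rules.
    depth bounds the loop so a self-referencing variable cannot spin forever."""
    for _ in range(depth):
        new = re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), value)
        if new == value:
            break
        value = new
    return value


def audit(text, exists=os.path.exists):
    """Summarise the config and list the misconfigurations found."""
    variables, includes, disabled, config = parse_conf(text)
    home = expand(variables.get("HOME_NET", "any"), variables)
    findings = []
    if home == "any":
        findings.append("HOME_NET is 'any': rules written against $HOME_NET cannot tell inside from outside")
    active = [expand(i, variables) for i in includes]
    findings += [f"included rule file not found: {p}" for p in active if not exists(p)]
    return {
        "home_net": home,
        "external_net": expand(variables.get("EXTERNAL_NET", "any"), variables),
        "inline": config.get("daq") == "afpacket" and config.get("daq_mode") == "inline",
        "logdir": config.get("logdir", "/var/log/snort"),  # Snort's built-in default
        "active_rules": active,
        "disabled_rules": [expand(i, variables) for i in disabled],
        "findings": findings,
    }


# Constructed snort.conf excerpt (not a file from the lab machine).
SAMPLE_CONF = """\
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH $RULE_PATH/so_rules
#config daq: afpacket
#config daq_mode: inline
config logdir: /var/log/snort
# site specific rules
include $RULE_PATH/local.rules
include $RULE_PATH/community.rules
#include $RULE_PATH/web-attacks.rules
"""

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

Run against the real file, audit(open("/etc/snort/snort.conf").read()) tells you at a glance which rule files are actually live after an edit, whether you are still in passive pcap mode, and whether an include typo is about to make snort -T fail.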
