Using SNORT for network intrusion detection and prevention

SNORT is an open source intrusion detection/prevention system that is capable of real-time traffic analysis and packet logging. Extremely popular, SNORT is the tool of choice for the open source community. While there are a number of other NIDS and NIPS out there, we will stick to SNORT for the purposes of this section.

SNORT is available from the https://www.snort.org/ website:

It is worth going through the documentation available on the website, as it is updated fairly regularly.

At the time of writing, SNORT is available in flavors that run on some Linux distributions as well as Windows.

The download link takes us to the correct flavor for our platform:

After the download, we need to install SNORT as per the following process:

We start by agreeing to the GNU Public License (GPL) so that we can proceed with the installation of SNORT:

We then proceed to selecting the components that we need, and we are done:

The key step after this is to edit the snort.conf file, where we specify the paths that SNORT should use for its rules and other components:

A text editor such as vi or Notepad (on Windows) is used to edit the snort.conf file:

SNORT can be configured to run in three modes:

  • The sniffer mode
  • The packet logger mode
  • The network intrusion detection/prevention mode

The sniffer mode

The sniffer mode just reads packets off the wire and displays them on the console.

To get started, we use the following command:

./snort -v

This runs SNORT in verbose mode: it captures the IP, TCP, UDP, and ICMP packet headers and prints them to the screen.

While -v shows the packet headers, we may also want to see the packet contents (the application data). To do so, we use the following command:

snort -vd

To also display the data link layer headers, we use the following command:

snort -vde

The following is the output for the preceding command:

The packet logger mode

The packet logger mode is similar to the sniffer mode, except that it logs packets to disk. To do this, we need to set up a capture directory where SNORT will store the captured packets.

By default, the SNORT installation creates a log directory in the snort folder. We can use this folder for the purposes of storing packet captures. The command for this is as follows:

./snort -vde -l ./log

In this case, we are asking SNORT to capture the headers, the packet data, and the data link layer information of all packets and store them in the specified directory in its log format.

To log packets relative to our home network, we can also tell SNORT which network is ours using -h followed by the network's address range, for example, 192.168.1.0/24.

However, if we need to view and analyze the packets later in another sniffer such as Wireshark, then we need to capture or log in binary mode. To do this, we use the following command:

./snort -l ./log -b

SNORT can also read these packets back using the -r switch, which puts it in playback mode.

The following is a sample log file created using the first option:

The network intrusion detection/prevention mode

The key to using SNORT effectively for intrusion detection or intrusion prevention is the SNORT configuration file, usually called snort.conf.

The command to get started quickly in basic NIDS mode is as follows:

snort -d -l ./log -h 192.168.1.0/24 -c snort.conf

The following is the output of the preceding command:

In the network intrusion detection/prevention mode, SNORT can be run in three different ways:

  • Passive: This is the default mode and SNORT acts as a NIDS in this mode. This is also known as TAP mode. Drop rules are not loaded.
  • Inline: This is an active mode and SNORT acts as a NIPS in this role. This allows drop rules to trigger.
  • Inline-test: This mode simulates the inline mode of SNORT, thus allowing the evaluation of inline behavior without affecting traffic and performance.

The real magic of SNORT is in the rules. Based on the rules, SNORT can be configured to give out alerts or take specific action.

Alerts can be in the form of the following:

  • An output to the console or screen
  • An output to a log file
  • An output to a SQL database
  • An output in the binary form for use with other sniffers
  • An e-mail to an administrator

SNORT rules are divided into two logical sections, the rule header and the rule options:

  • The rule header consists of the action, the protocol, the source and destination IP addresses with their netmasks, and the source and destination ports
  • The rule options section contains the alert message and the criteria that determine which parts of the packet are inspected in order to decide whether the rule action should be taken

The rule action options are as follows:

  • Alert: This generates an alert based on the method selected and then logs the packet
  • Drop: This blocks and logs the packet
  • Pass: This just ignores the packet
  • Log: This just logs the packet
  • Sdrop: This just blocks the packet and doesn't log it
  • Reject: This blocks and logs the packet, then sends a TCP reset for the TCP protocol or an ICMP port unreachable message if the protocol is UDP
  • Activate: This sends an alert, and then turns on the dynamic mode
  • Dynamic: This remains idle until activated by the activate rule, and then acts as a log rule

We can also define our own rule types and associate one or more output plugins for them.

SNORT currently analyzes TCP, UDP, ICMP, and IP protocols.

Writing rules is best illustrated by an example. Let's assume that we wish to alert the administrator to all attempts by an intruder to telnet (port 23) into our network.

For the sake of our discussion, let's say that our home network has the IP range 192.168.1.0 to 192.168.1.255. In that case, we write the following rule:

alert tcp any any -> 192.168.1.0/24 23

This means that any attempt from any source address and any source port to telnet into our home network, 192.168.1.0/24, generates an alert telling the network administrator that an intruder is attempting to telnet into our network.

However, since we would like the alert to be more descriptive and explain the intruder's attempt in plain language, we use the rule options section to add some additional information, as follows:

alert tcp any any -> 192.168.1.0/24 23 (msg:"Intruder Alert - Telnet used"; flags:A+; classtype:policy-violation; sid:100001; rev:1;)

In this case, the message Intruder Alert - Telnet used would be displayed as part of the alert.

Let's take a look at another example. We have reason to believe that an insider in our organization is spending his time searching for obscene material. Our objective in this case is to alert the administrator to all attempts to use the network over port 80 that contain a search for the keyword porn.

As we know, HTTP uses port 80. Therefore, we will look for traffic from our network to any external network on port 80 that contains the word porn.

To do this, let's write the following rule:

alert tcp $HOME_NET any -> any 80 (content:"porn"; sid:100002; rev:2;)

This rule will flag all searching and browsing activity that contains the word porn.
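To make the header/options split and the two rules above concrete, here is a small added example (not from this book or from the Snort project): a toy matcher that separates the rule header fields from the options the way Snort's rule syntax does, resolves $HOME_NET, and runs both rules over constructed sample packets. It handles only the header fields plus the flags and content options used here; the HOME_NET value, the packet dictionaries and the sample payloads are assumptions for the illustration.

```python
import ipaddress
HOME_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed value, as in the text

def parse_rule(rule):
    """Split 'action proto src sport -> dst dport (opt:val; ...)' into its parts."""
    header, _, opts = rule.partition("(")
    action, proto, src, sport, _, dst, dport = header.split()
    raw = dict(o.strip().partition(":")[::2] for o in opts.rstrip(")").split(";") if o.strip())
    options = {k: v.strip().strip('"') for k, v in raw.items()}
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}

def addr_matches(spec, ip):  # 'any' matches everything; $HOME_NET resolves to the variable above
    if spec == "any":
        return True
    net = HOME_NET if spec == "$HOME_NET" else ipaddress.ip_network(spec, strict=False)
    return ipaddress.ip_address(ip) in net

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def flags_match(spec, pkt_flags):
    """'A+' means ACK must be set and other flags may be present; without '+' the set must match exactly."""
    required, have = set(spec.rstrip("+")), set(pkt_flags)
    return required <= have if spec.endswith("+") else required == have

def rule_matches(rule, pkt):
    opts = rule["options"]
    header_ok = (rule["proto"] == pkt["proto"]
                 and addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
                 and addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"]))
    flags_ok = "flags" not in opts or flags_match(opts["flags"], pkt.get("flags", ""))
    content_ok = "content" not in opts or opts["content"].encode() in pkt.get("payload", b"")
    return header_ok and flags_ok and content_ok  # content is case-sensitive, as in Snort without nocase

RULES = [  # the two rules from the text
    'alert tcp any any -> 192.168.1.0/24 23 (msg:"Intruder Alert - Telnet used"; flags:A+; classtype:policy-violation; sid:100001; rev:1;)',
    'alert tcp $HOME_NET any -> any 80 (content:"porn"; sid:100002; rev:2;)',
]
PACKETS = [  # constructed sample traffic; 203.0.113.0/24 is a documentation-only range
    {"proto": "tcp", "src": "203.0.113.7", "sport": 40001, "dst": "192.168.1.20", "dport": 23, "flags": "PA", "payload": b"root\r\n"},
    {"proto": "tcp", "src": "203.0.113.7", "sport": 40002, "dst": "192.168.1.20", "dport": 23, "flags": "S", "payload": b""},
    {"proto": "tcp", "src": "192.168.1.15", "sport": 51000, "dst": "203.0.113.9", "dport": 80, "flags": "PA", "payload": b"GET /search?q=porn HTTP/1.1\r\n"},
    {"proto": "tcp", "src": "192.168.1.15", "sport": 51001, "dst": "203.0.113.9", "dport": 443, "flags": "PA", "payload": b"GET /porn HTTP/1.1\r\n"},
]

def fired_sids(rules=RULES, packets=PACKETS):  # per packet, the sids whose action would be taken
    parsed = [parse_rule(r) for r in rules]
    return [[int(r["options"]["sid"]) for r in parsed if rule_matches(r, p)] for p in packets]
```

Running fired_sids() shows why the second packet stays silent (a bare SYN does not satisfy flags:A+) and why the fourth does (port 443 is outside the port 80 header match), which is the kind of reasoning needed when tuning the rules.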

As we can see, SNORT is an extremely versatile tool that gives us a lot of capability to identify both insider and outsider activity on the network. However, to use it to its fullest, it is important to spend considerably more time practicing with SNORT. Entire books have been written on SNORT usage and rules, and the Internet has a number of excellent tutorials on using SNORT. As a potential network forensics expert and a Digital 007 in the making, I would recommend that you spend some additional time on this amazing tool. The SNORT manual in PDF form (included in the distribution) is also an excellent resource for enhancing one's capabilities and should be the first resource you look at.
