SNORT is an open source intrusion detection/prevention system that is capable of real-time traffic analysis and packet logging. Extremely popular, SNORT is the tool of choice for the open source community. While there are a number of other NIDS and NIPS out there, we will stick to SNORT for the purposes of this section.
SNORT is available from the https://www.snort.org/ website:
It makes a lot of sense to go through the documentation available on the website as this information is updated on a fairly regular basis.
At the time of writing, SNORT is available in flavors that run on some Linux distributions as well as Windows.
The download link will guide us to the correct flavor as per our requirements:
After the download, we need to install SNORT as per the following process:
We start by agreeing to the GNU Public License (GPL) so that we can proceed with the installation of SNORT:
We then proceed to selecting the components that we need, and we are done:
The key step to follow after this is to edit the snort.conf file, where we specify the paths that SNORT should use:
A text editor such as vi or Notepad (on Windows) is used to edit the snort.conf file:
SNORT can be configured to run in three modes: sniffer mode, packet logger mode, and network intrusion detection system (NIDS) mode.
The sniffer mode just reads the packets and displays them in the console mode.
To get started, we use the following command:
./snort -v
This runs SNORT in verbose mode: it reads the IP and TCP/UDP/ICMP packet headers and prints them to the screen.
While -v shows details of the packet headers, we may feel the need to view the packet contents as well. To see these, we need to type the following command:
snort -vd
For details with extended data link layer headers, we can use the following command:
snort -vde
The packet logger mode is similar to the sniffer mode, except that it logs packets to the disk. To enable it to do this, we need to set up our capture directory, where SNORT will store the captured packets.
By default, the SNORT installation creates a log directory in the snort folder. We can use this folder for the purposes of storing packet captures. The command for this is as follows:
./snort -vde -l ./log
In this case, we are asking SNORT to capture headers, packet payloads, and data link layer information from all the packets and store them in the specified directory as decoded ASCII log files, which SNORT arranges in subdirectories named after the packets' IP addresses.
To enable logging relative to our home network, we can also specify the home network to SNORT using -h followed by the IP address range of the network, for example, 192.168.1.0/24.
However, if we are going to need to view and analyze the packets later in another sniffer such as Wireshark, then we need to do the capturing or logging in the binary mode. To do this, we use the following command:
./snort -l ./log -b
SNORT also has the capability to read these binary captures back using the -r switch, which puts it in the playback mode.
The following is a sample log file created using the first option:
The key to the effective use of SNORT for the purposes of intrusion detection or intrusion prevention is the SNORT configuration file, usually known as the snort.conf file.
The command to get started quickly in basic NIDS mode is as follows:
snort -d -l ./log -h 192.168.1.0/24 -c snort.conf
The following is the output of the preceding command:
The real magic of SNORT is in the rules. Based on the rules, SNORT can be configured to give out alerts or take specific action.
Alerts can be in the form of the following: syslog messages, entries in an alert text file (in full or fast format), messages on a UNIX socket, or output on the console; the -A switch selects the alert mode.
SNORT rules are divided into two logical sections: the rule header, which holds the rule action, the protocol, the source and destination IP addresses and netmasks, the direction, and the source and destination ports; and the rule options, which hold the alert message and specify which parts of the packet should be inspected.
The rule action options are as follows:
alert: generates an alert using the selected alert method and then logs the packet
log: logs the packet
pass: ignores the packet
activate: alerts and then turns on another dynamic rule
dynamic: remains idle until activated by an activate rule, and then acts as a log rule
drop, reject, and sdrop: available when SNORT runs inline; these block the packet (reject also sends a TCP reset or an ICMP unreachable message, and sdrop blocks without logging)
We can also define our own rule types and associate one or more output plugins with them.
SNORT currently analyzes TCP, UDP, ICMP, and IP protocols.
Making rules is better illustrated by an example. Let's assume that we wish to alert the administrator to all attempts by an intruder to telnet (Port 23) into our network.
For the sake of our discussion, let's say that our home network has the IP range from 192.168.1.0 to 192.168.1.255. In such a case, we will write the following rule:
alert tcp any any -> 192.168.1.0/24 23
This means that any attempt from any source network and any source port to connect to TCP port 23 (telnet) on our home network of 192.168.1.0/24 would generate an intruder alert for the network administrator, showing that an intruder is attempting to telnet into our network.
However, as we would like the alert to be a bit verbose and explain the attempt made by the intruder in simple language, we would use the rule options section and add some additional information, as follows:
alert tcp any any -> 192.168.1.0/24 23 (msg:"Intruder Alert - Telnet used"; flags:A+; classtype:policy-violation; sid:100001; rev:1;)
In this case, the message Intruder Alert - Telnet used would be displayed as part of the alert.
Let's take a look at another example. We have reason to believe that an insider in our organization is spending his time searching for obscene material. Our objective in this case is to alert the administrator to all attempts to use the network over port 80 with a search for the keyword porn.
As we are aware, HTTP uses port 80. Therefore, we will look for network activity from our network to any external network that uses port 80 and contains the word porn.
To do this, let's write the following rule:
alert tcp $HOME_NET any -> any 80 (content:"porn"; sid:100002; rev:2;)
This rule will report all the searching and browsing activity with the word porn in it. Note that a content match is case-sensitive unless the nocase modifier is added after the content option, so the rule as written will not match PORN.
As we can see, SNORT is an extremely versatile tool, which gives us a lot of capability to identify both insider and outsider activity on the network. However, to use it to its fullest, it is important to spend considerably more time practicing with SNORT. Entire books have been written on SNORT usage and rules. The Internet too has a number of excellent tutorials on using SNORT. As a potential network forensics expert and a Digital 007 in the making, I would recommend that you spend some additional time on this amazing tool. The SNORT manual in PDF form (included in the distribution) is also an excellent resource to enhance one's capabilities and should be the first resource you look at.