Snort – Full Tutorial

Snort is an open source network intrusion detection and prevention system. In its simplest mode it behaves like a packet sniffer; in detection mode it compares network traffic against a set of predefined signatures (rules) and logs or alerts on the packets that match. Rules can be written for a wide range of traffic, including Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP).

The three main modes in which Snort can be configured are as follows:

* Sniffer mode: Snort reads packets off the network and prints them in a continuous stream on the console (snort -v; add -d to dump the application-layer payload as well).

* Packet logger mode: Snort writes the packets to disk instead of the console (snort -l <logdir>).

* Network intrusion detection mode: the most complex and configurable mode, in which Snort analyzes network traffic for matches against a user-defined rule set and alerts or logs on the matches (snort -c snort.conf).

Various features of Snort

Snort has the following features:

* It detects and alerts on threats such as buffer overflows, stealth port scans, CGI attacks, SMB probes and NetBIOS queries, Nmap and other port scanners, well-known backdoors and system vulnerabilities, and DDoS clients.

* Its rule language lets administrators write a new signature as soon as a new vulnerability or attack becomes known, without waiting for a vendor update.

* It can log packets in decoded, human-readable form, organized into directories by the IP address they came from.

* It can be used as a passive trap to record the presence of traffic that should not be on a network, such as NFS or Napster connections.

* It can be used to monitor anything from a home DSL connection to a corporate web site.

Snort Rules

Snort rules are the conditions a network administrator writes to distinguish normal network activity from malicious activity. A Snort rule consists of two parts:

* Rule header: the part of a rule that identifies the action to take (alert, log, pass, activate and dynamic, plus drop, sdrop and reject in inline mode), the protocol, the source and destination addresses and ports, and the direction of the traffic.

* Rule options: the parenthesized part of a rule that carries the alert message (msg) together with the detailed match criteria and metadata, such as content, flow, flags, classtype, sid and rev.

For example:

If a network administrator writes the rule alert tcp $HOME_NET any -> any 6667 (msg:"IRC port in use"; flow:from_client;), the rule header (everything before the parentheses) says: alert on TCP traffic from any port on a host in $HOME_NET to port 6667 on any host. The options add that the packet must be travelling from the client side of the session, and that when a match occurs an alert with the message "IRC port in use" should be generated, so the IDS records that an IRC port may have been accessed. In a production rule set every rule also carries a unique sid (and a rev) so that alerts can be tracked and tuned; locally written rules conventionally use sid values of 1000000 and above.

Snort rule header

The Snort rule header carries the action a rule is going to take and the criteria for matching the rule against network packets. The options part, which follows the header in parentheses, holds additional criteria for matching the rule against packet contents. A Snort rule is used to detect one or more types of intrusion attack. The structure of the Snort rule header is as follows:

* The action part of the rule header determines what happens when a packet matches all of the rule's criteria: generating an alert, writing a log entry, passing the packet, or (with activate and dynamic) invoking another rule.

* The protocol part restricts the rule to packets of one protocol and is the first matching criterion in the header. The protocols a Snort rule can name are tcp, udp, icmp and ip (ip matches any IP packet regardless of the transport protocol).

* The address parts define the source and destination addresses respectively. An address may be a single host (192.168.1.10), a CIDR block (192.168.1.0/24), a bracketed list ([192.168.1.10,192.168.1.20]) or the keyword any. The negation operator ! excludes addresses, so !192.168.1.0/24 means every address outside that network. Which address is the source and which the destination is determined by the direction field: with -> the address on the left is the source and the address on the right is the destination.

Note: When the protocol is TCP or UDP, the port fields, which immediately follow each address, restrict the source and destination ports of the packets the rule applies to. A port may be a single number, a range such as 6660:6669 (or 1024: for 1024 and above), a negated value such as !80, or any.

* The direction part (-> or <>) tells Snort which address and port pair is the source and which is the destination; <> matches traffic flowing in either direction.

Some common Snort rules are as follows (production rules would also carry a unique sid and rev, as the last example does):

* OS fingerprinting (a SYN probe with both reserved bits set, as sent by old OS-detection tools):

alert tcp any any -> any any (msg:"O/S Fingerprint detected"; flags:S12;)

* Trivial File Transfer Protocol attempt:

alert udp any any -> any 69 (msg:"TFTP Connection Attempt";)

* Password transfer:

alert tcp any any -> any any (msg:"Password Transfer May Have Occurred"; content:"Password";)

* Automated Unicode attack by the Nimda worm (from the stock WEB-IIS rule set):

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:6;)
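To make the header and option semantics above concrete, here is a small rule evaluator in Python written for this tutorial (it is not Snort's code). It parses the sample rules above in Snort syntax, resolves $HOME_NET, $EXTERNAL_NET, $HTTP_SERVERS and $HTTP_PORTS from a hypothetical variable table, and evaluates every rule against constructed packet records. The local sids 1000001 to 1000003 added to the first three rules, the variable values, the packet records and their to_server/established fields (which real Snort derives from the stream preprocessor) are all assumptions; content matching is a plain substring search with no |hex| or escape handling, and options such as pcre, byte_test, depth and offset are not implemented.

```python
"""Toy Snort 2.x rule evaluator: parses rule headers plus a few common options
(msg, content, nocase, flags, flow) and runs rules over constructed packet
records. Added example for this tutorial; it is not Snort's own code."""
import ipaddress
import re

# Constructed rules in Snort syntax: the tutorial's rules, with hypothetical local
# sids (1000000+) added to the ones that lacked one so every alert is identifiable.
RULES = """
alert tcp $HOME_NET any -> any 6667 (msg:"IRC port in use"; flow:from_client; sid:1000001;)
alert tcp any any -> any any (msg:"O/S Fingerprint detected"; flags:S12; sid:1000002;)
alert udp any any -> any 69 (msg:"TFTP Connection Attempt"; sid:1000003;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; sid:1002; rev:6;)
"""
# Hypothetical 'var' definitions standing in for the ones in snort.conf.
VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!192.168.1.0/24",
        "HTTP_SERVERS": "192.168.1.10", "HTTP_PORTS": "80"}

HEADER_RE = re.compile(r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
                       r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
# keyword[:value]; where a quoted value may itself contain ';' (toy: no \" or |hex| escapes)
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("[^"]*"|[^;]*))?\s*;')

def load_rules(text):
    """Parse one rule per line into dicts: header fields plus an ordered (keyword, value) list."""
    rules = []
    for line in text.strip().splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            raise ValueError("not a Snort rule: " + line)
        rule = m.groupdict()
        rule["opts"] = [(k, v.strip().strip('"')) for k, v in OPTION_RE.findall(rule["opts"])]
        rules.append(rule)
    return rules

def _resolve(token):
    """Expand a $VAR reference and peel the '!' negation operator."""
    if token.startswith("$"):
        token = VARS[token[1:]]
    return token.startswith("!"), token.lstrip("!")

def match_addr(token, ip):
    neg, tok = _resolve(token)
    hit = tok == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(tok, strict=False)
    return hit != neg

def match_port(token, port):
    neg, tok = _resolve(token)
    if tok == "any":
        hit = True
    elif ":" in tok:                       # port range such as 1024: or 6660:6669
        lo, _, hi = tok.partition(":")
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = port == int(tok)
    return hit != neg

def header_matches(rule, pkt):
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    def one_way(src, sport, dst, dport):
        return (match_addr(rule["src"], src) and match_port(rule["sport"], sport)
                and match_addr(rule["dst"], dst) and match_port(rule["dport"], dport))
    fwd = one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if rule["dir"] == "<>":                # bidirectional: either orientation may match
        return fwd or one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    return fwd

def options_match(rule, pkt):
    opts = rule["opts"]
    for i, (key, val) in enumerate(opts):
        if key == "content":               # a following 'nocase' modifies this content
            nocase = i + 1 < len(opts) and opts[i + 1][0] == "nocase"
            hay, needle = (pkt["payload"].lower(), val.lower()) if nocase else (pkt["payload"], val)
            if needle not in hay:
                return False
        elif key == "flags":               # no +/*/! modifier: the flag set must match exactly
            if set(val) != set(pkt.get("flags", "")):
                return False
        elif key == "flow":                # direction and state come from the stream preprocessor
            for f in val.split(","):
                if (f == "established" and not pkt.get("established")
                        or f in ("to_server", "from_client") and not pkt.get("to_server")
                        or f in ("to_client", "from_server") and pkt.get("to_server")):
                    return False
        # msg, sid, rev, classtype and nocase carry no match condition of their own
    return True

def alerts_for(rules, pkt):
    """Return the msg of every alert rule whose header and options both match the packet."""
    return [dict(r["opts"])["msg"] for r in rules
            if r["action"] == "alert" and header_matches(r, pkt) and options_match(r, pkt)]

# Constructed packet records with the fields a decoder and stream preprocessor would fill in.
PACKETS = [
    dict(proto="tcp", src="192.168.1.20", sport=51000, dst="203.0.113.5", dport=6667, flags="PA",
         to_server=True, established=True, payload="NICK bot\r\n"),
    dict(proto="tcp", src="198.51.100.7", sport=40000, dst="192.168.1.10", dport=80, flags="PA",
         to_server=True, established=True, payload="GET /scripts/../winnt/system32/CMD.EXE?/c+dir HTTP/1.0\r\n"),
    dict(proto="tcp", src="198.51.100.7", sport=40001, dst="192.168.1.10", dport=22, flags="S12",
         to_server=True, established=False, payload=""),
    dict(proto="udp", src="192.168.1.20", sport=3000, dst="192.168.1.30", dport=69, payload="\x00\x01boot.bin\x00octet\x00"),
]
```

Calling alerts_for(load_rules(RULES), pkt) for each of the four packet records fires exactly one rule per packet: the internal IRC client, the external cmd.exe request (matched case-insensitively thanks to nocase), the S12 probe and the TFTP datagram. Note how the negated $EXTERNAL_NET keeps the WEB-IIS rule from firing on the internal client, and how a rule written with flags:S12 stays silent on ordinary PSH/ACK traffic.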

Snort Configuration File:

The Snort configuration file is read by Snort at startup. It holds all the settings and rules the user wants to apply. The file can have any name, but snort.conf is the conventional one; the -c command-line switch names the configuration file to use, as in the example below:

/cpt/snort/snort -c /cpt/snort/snort.conf

The command above uses /cpt/snort/snort.conf as the configuration file. Because the configuration file is just a command-line argument, a user can run several Snort instances at once, each listening on a different network interface (selected with -i) and each with its own configuration.

Sections of Snort Configuration File

There are six sections in the Snort configuration file. Each section controls a different part of Snort's behaviour, and all of them matter for Snort to work properly and efficiently. The sections are as follows:

1. Variable definitions: This section defines variables (with var, ipvar and portvar) such as HOME_NET, EXTERNAL_NET and RULE_PATH. They are referenced from Snort rules and used to specify the location of rule files.

2. Config parameters: This section sets general Snort options with config directives, for example config logdir or the decoder alert settings described below.

3. Preprocessor configuration: This section enables and configures preprocessors (frag3, stream5, http_inspect and so on), which reassemble and normalize traffic before the main Snort detection engine examines a packet.

4. Output module configuration: This section controls how Snort logs and alerts, for example output alert_fast, alert_syslog or unified2.

5. Defining new action types: This section uses the ruletype keyword to define custom action types, each tied to its own output plugins, in the configuration file.

6. Rules configuration and include files: This section pulls external Snort rule files into the main configuration with the include keyword, for example include $RULE_PATH/local.rules.

Snort Decoder:

The Snort decoder checks the structure of each packet and confirms that it is built according to the protocol specification. If a packet departs from the specification or carries an unusual setting, Snort raises a decoder alert. These alerts are enabled by default, but a user can disable particular classes of decoder alert with the following configuration options:

* config disable_decode_alerts
* config disable_tcpopt_experimental_alerts
* config disable_tcpopt_obsolete_alerts
* config disable_tcpopt_ttcp_alerts
* config disable_tcpopt_alerts
* config disable_ipopt_alerts
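To show what "constructed according to specification" means in practice, here is a toy decoder written for this tutorial (it is not Snort's own decoder). It parses a raw IPv4+TCP frame with struct, checks the IP version, header length, header checksum and total length, then the TCP data offset and the TCP option list, and reports decode alerts tagged with a category; the disabled argument mimics the config disable_*_alerts options above. The alert texts, the grouping of option kinds 6 and 7 as obsolete, 11 to 13 (the T/TCP CC options) as ttcp and 253 and 254 as experimental, and the build_ipv4_tcp helper that fabricates the sample packets are assumptions made for this example, not Snort's internal names or behaviour.

```python
"""Toy decoder in the spirit of Snort's decoder stage: checks an IPv4+TCP frame
against the header layout of RFC 791 / RFC 793 and reports "decode alerts",
grouped into the categories the disable_*_alerts options switch off.
Added example for this tutorial; not Snort's own decoder."""
import struct

def ip_checksum(data):
    """RFC 1071 ones-complement checksum; returns 0 when run over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4_tcp(src, dst, sport, dport, flags, tcp_opts=b"", ihl_override=None):
    """Constructed test packet: a well-formed IPv4+TCP header unless ihl_override makes IHL lie."""
    tcp_opts += b"\x00" * (-len(tcp_opts) % 4)              # pad options to a 32-bit boundary
    doff = 5 + len(tcp_opts) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, doff << 4, flags, 8192, 0, 0) + tcp_opts
    ihl = 5 if ihl_override is None else ihl_override
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + tcp

# TCP option kinds with a fixed length, and kinds this example classifies specially
# (assumed grouping: echo/echo-reply as obsolete, T/TCP CC* as ttcp, 253/254 as experimental).
TCP_OPT_FIXED_LEN = {2: 4, 3: 3, 4: 2, 8: 10}                # MSS, window scale, SACK-permitted, timestamp
TCP_OPT_CLASS = {6: "tcpopt_obsolete", 7: "tcpopt_obsolete", 11: "tcpopt_ttcp", 12: "tcpopt_ttcp",
                 13: "tcpopt_ttcp", 253: "tcpopt_experimental", 254: "tcpopt_experimental"}

def walk_tcp_options(opts):
    """Yield (category, message) for each problem met while walking the TCP option list."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                        # end of option list
            return
        if kind == 1:                                        # NOP: single byte, no length
            i += 1
            continue
        if i + 1 >= len(opts):
            yield "tcpopt", "option kind %d has no length byte" % kind
            return
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            yield "tcpopt", "option kind %d length %d overruns header" % (kind, length)
            return
        if kind in TCP_OPT_FIXED_LEN and length != TCP_OPT_FIXED_LEN[kind]:
            yield "tcpopt", "option kind %d has length %d, expected %d" % (kind, length, TCP_OPT_FIXED_LEN[kind])
        if kind in TCP_OPT_CLASS:
            yield TCP_OPT_CLASS[kind], "option kind %d present" % kind
        i += length

def decode(pkt, disabled=frozenset()):
    """Return (alerts, summary). 'disabled' lists categories to silence, like config disable_*_alerts;
    'decode' in the set silences everything, as disable_decode_alerts does for the whole decoder."""
    alerts = []
    def alert(cat, msg):
        if cat not in disabled and "decode" not in disabled:
            alerts.append("%s: %s" % (cat, msg))
    if len(pkt) < 20:
        alert("decode", "IPv4 header truncated (%d bytes)" % len(pkt))
        return alerts, None
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    summary = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "proto": proto}
    if ver_ihl >> 4 != 4:
        alert("decode", "IP version %d is not 4" % (ver_ihl >> 4))
        return alerts, summary
    if ihl < 20 or ihl > len(pkt):
        alert("decode", "IPv4 header length %d is invalid" % ihl)
        return alerts, summary
    if ip_checksum(pkt[:ihl]) != 0:
        alert("decode", "bad IPv4 header checksum")
    if total_len > len(pkt):
        alert("decode", "IP total length %d exceeds the %d captured bytes" % (total_len, len(pkt)))
    if proto != 6:                                           # only TCP is decoded further here
        return alerts, summary
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        alert("decode", "TCP header truncated")
        return alerts, summary
    sport, dport, _, _, doff_byte, flags = struct.unpack("!HHIIBB", tcp[:14])
    doff = (doff_byte >> 4) * 4
    summary.update(sport=sport, dport=dport, flags=flags)
    if doff < 20 or doff > len(tcp):
        alert("decode", "TCP data offset %d is invalid" % doff)
        return alerts, summary
    for cat, msg in walk_tcp_options(tcp[20:doff]):
        alert(cat, msg)
    return alerts, summary

# Constructed samples: a clean SYN, a lying IHL, a T/TCP CC option, and an MSS option whose length overruns.
GOOD = build_ipv4_tcp("192.168.1.20", "203.0.113.5", 51000, 80, 0x02, tcp_opts=b"\x02\x04\x05\xb4\x04\x02")
BAD_IHL = build_ipv4_tcp("192.168.1.20", "203.0.113.5", 51000, 80, 0x02, ihl_override=3)
TTCP = build_ipv4_tcp("198.51.100.7", "192.168.1.10", 40000, 80, 0x02, tcp_opts=b"\x0b\x06\x00\x00\x00\x01")
OVERRUN = build_ipv4_tcp("198.51.100.7", "192.168.1.10", 40001, 80, 0x02, tcp_opts=b"\x02\x0a\x05\xb4")
```

decode(GOOD) returns no alerts and a summary with the ports and flags; decode(BAD_IHL) stops at the invalid header length, decode(TTCP) reports the T/TCP option in the tcpopt_ttcp category, and decode(OVERRUN) reports the option whose length runs past the header. Passing disabled={"tcpopt_ttcp"} silences only the T/TCP alert, the same effect config disable_tcpopt_ttcp_alerts has in snort.conf, while the malformed-option alert still fires because an overrun is exactly the kind of crafted packet a decoder should never let pass quietly.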

Different tools associated with Snort:

* AirSnort:

AirSnort is a Linux-based WLAN WEP cracking tool that recovers encryption keys; despite the name it is unrelated to Snort. It works by passively monitoring transmissions and, once it has captured enough packets (typically 5 to 10 million), recovers the WEP key from the weak initialization vectors in the captured ciphertext (the Fluhrer-Mantin-Shamir attack).

* Snort_inline:

snort_inline is a modified version of Snort that takes packets from iptables (via libipq on Linux) or IPFW (via divert sockets) instead of from libpcap. It adds the rule actions drop, sdrop and reject to tell iptables/IPFW whether a packet should be dropped, dropped silently without logging, rejected with a TCP reset or ICMP unreachable, or allowed to pass, based on the Snort rule set. This makes it an intrusion prevention system (IPS) that reuses existing intrusion detection system (IDS) signatures to decide the fate of packets passing through snort_inline.

* SnortSnarf:

SnortSnarf is a program designed for use with Snort: it converts Snort's alert data into web pages so that alerts can be browsed and cross-referenced by signature, source and destination in a browser. SnortSnarf runs on *nix variants as well as on Win32 systems.

* BASE:

BASE stands for Basic Analysis and Security Engine. It is built on the code of the Analysis Console for Intrusion Databases (ACID) project. BASE provides a web front end to query and analyze the alerts a Snort IDS writes to a database, with visual representations of the intrusion data. It uses user authentication with a role-based system, so the security administrator can decide what and how much information each user is allowed to see.

* sguil:

Sguil is a collection of free software components for Network Security Monitoring (NSM) and event-driven analysis of IDS alerts. The sguil client is written in Tcl/Tk and runs on any operating system that supports Tcl/Tk. Sguil brings together alert data from Snort, session data from SANCP and full-content packet data from a second Snort instance running in packet logger mode, and presents them in a single console so an analyst can pivot from an alert to the session and the packets behind it.

* OSSIM:

OSSIM (Open Source Security Information Management) is a collection of tools designed to aid network administrators in computer security, intrusion detection and prevention. The goal of the project is to give an administrator a view of all the security-related aspects of their systems from one place. OSSIM provides a correlation engine with low-, mid- and high-level visualization interfaces, reporting and incident management, and it integrates detection tools such as Snort. Its ability to act as an intrusion prevention system on the basis of correlated information from virtually any source makes it a useful security tool. All this information can be filtered by network or by sensor so that each user sees just the information they need, allowing for a fine-grained multi-user security environment.
