Snort IDS IPS
Snort

SNORT is an open-source, rule-based Network Intrusion Detection and Prevention System (NIDS/NIPS).

Snort has three operating modes:

Packet Sniffer – Reads packets from the network and displays them in the
Snort console

Packet Logger – Reads packets from the network and writes them to a file

NIDS – Network intrusion detection system that applies rules to scan through
packets

Sniffer Mode
Sniff packets and send them to standard output as a dump.

-v (verbose) Display the TCP/IP output in the console.

-e Display link layer (TCP/IP/UDP/ICMP) headers.

-d Display the packet data payload.

-X Display the full packet with headers in HEX format.

-i Define a specific network interface to listen/sniff on. If you have multiple interfaces, you can choose a specific one to sniff: sudo snort -v -i eth0

Packet Logger Mode
Write the output to a log file.

-r Read back the log file content. Use it with -n to output a specific number of packets: sudo snort -r snort.log -n 69

-l (directory name) Log to a directory in tcpdump file format. The default action is to dump in tcpdump format to /var/log/snort.

-K ASCII Log in ASCII format (human readable); otherwise the log is in a binary format that only Snort can read with -r: sudo snort -dev -K ASCII -l .

-n Specify the number of packets that Snort will process/read. Snort will stop after reading the specified number of packets.

Snort needs root rights to sniff the traffic, so once you run Snort with the "sudo" command, the "root" account will own the generated log files.

Therefore, you will need "root" rights to investigate the log files.

There are two different approaches to investigating the generated log files:

sudo su / sudo command

sudo chown username file or sudo chown username -R directory

Filters
Snort accepts BPF (Berkeley Packet Filter) expressions on the command line to narrow down the packets it reads; see https://biot.com/capstats/bpf.html for the syntax.

sudo snort -r logname.log -X

sudo snort -r logname.log icmp

sudo snort -r logname.log tcp

sudo snort -r logname.log 'udp and port 53'

NIDS Mode
Use the specified file as the config file and apply rules to process captured packets.

Parameter Description

-c Define the configuration file. Default: /etc/snort/snort.conf

-T Test the configuration file.

-N Disable logging.

-D Background mode. To stop it: 1. ps -ef | grep snort 2. sudo kill -9 <pid>

-A Alert modes:
full: Full alert mode, providing all possible information about the alert. This is also the default mode; if you use -A without specifying a mode, Snort uses this mode.
fast: Fast mode shows the alert message, timestamp, source and destination IP, along with port numbers.
console: Provides fast-style alerts on the console screen.
cmg: CMG style, basic header details with payload in hex and text format.
none: Disables alerting.
Note that only the "console" and "cmg" parameters provide alert information in the console.

-s Alert to syslog

-v Print alert information

-K ASCII log mode

IDS/IPS mode: "Using a rule file without a configuration file"

It is possible to run Snort with rules only, without a configuration file. Running Snort in this mode helps you test user-created rules. However, this mode provides less performance.

IPS mode and dropping packets

Snort IPS mode is activated with the -Q --daq afpacket parameters.

-Q --daq afpacket Activate the Data Acquisition (DAQ) modules and use the afpacket module to run Snort as an IPS.

You can also activate this mode by editing the snort.conf file. However, you don't need to edit snort.conf in the scope of this room.

-i eth0:eth1 Identify the interfaces. Note that Snort IPS requires at least two interfaces to work.

Running IPS mode:

sudo snort -c /etc/snort/snort.conf -q -Q --daq afpacket -i eth0:eth1 -A console

user@ubuntu$ sudo snort -c /etc/snort/snort.conf -q -Q --daq afpacket -i eth0:eth1 -A console
Running in IPS mode
12/18-07:40:01.527100 [Drop] [**] [1:1000001:0] ICMP Packet found [**] [Priority: 0] {ICMP} 192.168.175.131 -> 192.168.175.2
12/18-07:40:01.552811 [Drop] [**] [1:1000001:0] ICMP Packet found [**] [Priority: 0] {ICMP} 172.217.169.142 -> 192.168.1.18
12/18-07:40:01.566232 [Drop] [**] [1:1000001:0] ICMP Packet found [**] [Priority: 0] {ICMP} 192.168.175.131 -> 192.168.175.2
12/18-07:40:02.517903 [Drop] [**] [1:1000001:0] ICMP Packet found [**] [Priority: 0] {ICMP} 192.168.1.18 -> 172.217.169.142
12/18-07:40:02.550844 [Drop] [**] [1:1000001:0] ICMP Packet found [**] [Priority: 0] {ICMP} 172.217.169.142 -> 192.168.1.18
^C*** Caught Int-Signal

# the rule here is
drop icmp any any <> any any (msg: "ICMP Packet found"; sid:10000001;rev:1;)
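The [Drop] lines above are Snort's console-style alert output. As an added example (not part of the original notes), this Python parser extracts the timestamp, verdict, gid:sid:rev, message, protocol and addresses from such lines and counts dropped packets per source; the sample lines are constructed with documentation addresses, not taken from the capture above.

```python
import re
from collections import Counter

# Constructed sample alert lines in the console/fast format shown above
# (documentation addresses, not the original capture). One line has no
# [Drop] tag, as an IDS-only alert would, and the ^C marker must be skipped.
SAMPLE_ALERTS = """\
12/18-07:40:01.527100 [Drop] [**] [1:1000001:0] ICMP Packet found [**] [Priority: 0] {ICMP} 192.0.2.10 -> 192.0.2.1
12/18-07:40:01.552811 [Drop] [**] [1:1000001:0] ICMP Packet found [**] [Priority: 0] {ICMP} 198.51.100.7 -> 192.0.2.20
12/18-07:40:02.517903 [**] [1:1000002:1] GET Request Found [**] [Priority: 0] {TCP} 192.0.2.20:51234 -> 198.51.100.7:80
12/18-07:40:02.550844 [Drop] [**] [1:1000001:0] ICMP Packet found [**] [Priority: 0] {ICMP} 192.0.2.10 -> 192.0.2.1
^C*** Caught Int-Signal
"""

ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?:\[(?P<verdict>Drop)\]\s+)?"          # present only when IPS mode dropped the packet
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_alerts(text):
    """Parse console-format alert lines; lines that do not match (e.g. ^C) are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT.match(line.strip())
        if m:
            d = m.groupdict()
            d["dropped"] = d.pop("verdict") == "Drop"   # False for plain IDS alerts
            d["sid"] = int(d["sid"])
            events.append(d)
    return events

def summarise(events):
    """Count alerts per (sid, msg) and dropped packets per source address."""
    by_rule = Counter((e["sid"], e["msg"]) for e in events)
    drops_by_src = Counter(e["src"] for e in events if e["dropped"])
    return by_rule, drops_by_src

if __name__ == "__main__":
    rules, drops = summarise(parse_alerts(SAMPLE_ALERTS))
    print("alerts per rule:", dict(rules))
    print("drops per source:", dict(drops))
```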

Investigating PCAP with parameter "-r"

Parameter Description

-r / --pcap-single= Read a single pcap: snort -r icmp-test.pcap

--pcap-list="" Read the pcaps provided in the command (space separated).

--pcap-show Show the pcap name on the console during processing.

Examples:

sudo snort -c /etc/snort/snort.conf -q -r icmp-test.pcap -A console -n 10

sudo snort -c /etc/snort/snort.conf -q --pcap-list="icmp-test.pcap http2.pcap" -A console -n 10

sudo snort -c /etc/snort/snort.conf -q --pcap-list="icmp-test.pcap http2.pcap" -A console --pcap-show

sudo snort -c /etc/snort/snort.conf -A full -l . -r mx-1.pcap

Snort rules format

Remember, once you create a rule, it is a local rule and should be in your "local.rules" file.

This file is located under "/etc/snort/rules/local.rules".

Snort is in passive mode by default. So most of the time, you will use Snort as an IDS. You will need to start "inline mode" to turn on IPS mode.

Action
• alert: Generate an alert and log the packet.
• log: Log the packet.
• drop: Block and log the packet.
• reject: Block the packet, log it and terminate the packet session.

Protocol
The protocol parameter identifies the type of protocol filtered by the rule. Note that Snort 2 supports only four protocol filters in the rules (IP, TCP, UDP and ICMP). However, you can detect application flows using port numbers and options. For instance, if you want to detect FTP traffic, you cannot use the FTP keyword in the protocol field, but you can filter the FTP traffic by investigating TCP traffic on port 21.

IP and Port Numbers

These parameters identify the source and destination IP addresses and associated port numbers filtered for the rule.

IP Filtering
alert icmp 192.168.1.56 any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
This rule will create alerts for each ICMP packet originating from the 192.168.1.56 IP address.

Filter an IP range
alert icmp 192.168.1.0/24 any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
This rule will create alerts for each ICMP packet originating from the 192.168.1.0/24 subnet.

Filter multiple IP ranges
alert icmp [192.168.1.0/24, 10.1.1.0/24] any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
This rule will create alerts for each ICMP packet originating from the 192.168.1.0/24 and 10.1.1.0/24 subnets.

Exclude IP addresses/ranges
The "negation operator" is used for excluding specific addresses and ports. The negation operator is indicated with "!".
alert icmp !192.168.1.0/24 any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
This rule will create alerts for each ICMP packet not originating from the 192.168.1.0/24 subnet.

Port Filtering
alert tcp !192.168.1.0/24 21 <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
This rule will create alerts for each TCP packet originating from port 21.

Exclude a specific port
alert tcp !192.168.1.0/24 !21 <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
This rule will create alerts for each TCP packet not originating from port 21.

Filter a port range (Type 1)
alert tcp !192.168.1.0/24 1:1024 <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
This rule will create alerts for each TCP packet originating from ports between 1-1024.

Filter a port range (Type 2)
alert icmp any :1024 <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
This rule will create alerts for each TCP packet originating from ports less than or equal to 1024.

Filter a port range (Type 3)
alert icmp any 1024: <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
This rule will create alerts for each TCP packet originating from a source port higher than or equal to 1024.

Filter a port range (Type 4)
alert icmp any 80,1024: <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
This rule will create alerts for each TCP packet originating from source port 80 or a source port higher than or equal to 1024.

Direction
The direction operator indicates the traffic flow to be filtered by Snort. The left side of the rule shows the source, and the right side shows the destination.

-> Source to destination flow.

<> Bidirectional flow.

Note that there is no "<-" operator in Snort.

There are three main rule options in Snort:

General Rule Options - Fundamental rule options for Snort.

Payload Rule Options - Rule options that help to investigate the payload data. These options are helpful to detect specific payload patterns.

Non-Payload Rule Options - Rule options that focus on non-payload data. These options will help create specific patterns and identify network issues.

General Rule Options

Msg
The message field is a basic prompt and quick identifier of the rule. Once the rule is triggered, the message field will appear in the console or log. Usually, the message part is a one-liner that summarises the event.

Sid
Snort rule IDs (SID) come with a pre-defined scope, and each rule must have a SID in a proper format. There are three different scopes for SIDs, shown below.
• <100: Reserved rules
• 100-999,999: Rules that come with the build.
• >=1,000,000: Rules created by the user.
Briefly, the rules we will create should have a sid of at least 1,000,000. Another important point is that SIDs should not overlap, and each id must be unique.

Reference
Each rule can have additional information or a reference to explain the purpose of the rule or threat pattern. That could be a Common Vulnerabilities and Exposures (CVE) id or external information. Having references for the rules will always help analysts during alert and incident investigation.

Rev
Snort rules can be modified and updated for performance and efficiency. The rev option helps analysts keep the revision information of each rule, which makes it easy to track rule improvements. Each rule has its own rev number, and there is no auto-backup feature for the rule history; analysts should keep the rule history themselves. The rev option is only an indicator of how many times the rule has been revised.
alert icmp any any <> any any (msg: "ICMP Packet Found"; sid: 100001; reference:cve,CVE-XXXX; rev:1;)
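As an added example (not part of the original notes), the following Python linter checks a local.rules file against the conventions described in the Action, Protocol, Sid and Rev sections above: a known action, one of the four Snort 2 protocols, a sid that is present, in the user range (>= 1,000,000) and unique, and a rev option. The sample rules are constructed; the last two deliberately violate those conventions.

```python
import re
from collections import Counter

# Constructed sample local.rules content (not from the original notes); the
# last two rules deliberately break the conventions: a reused sid, a protocol
# that Snort 2 does not accept in the header, and a sid below 1,000,000.
SAMPLE_LOCAL_RULES = """\
# site specific rules
alert icmp any any <> any any (msg:"ICMP Packet Found"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"GET Request Found"; content:"GET"; nocase; sid:1000002; rev:1;)
drop tcp any any -> any 21 (msg:"FTP blocked"; sid:1000003; rev:2;)
alert tcp any 21 <> any any (msg:"dup sid"; content:"331"; sid:1000001; rev:1;)
alert ftp any any <> any 21 (msg:"bad proto and low sid"; sid:100001; rev:1;)
"""

ACTIONS = {"alert", "log", "drop", "reject"}
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}   # the only protocols a Snort 2 rule header accepts
HEADER = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)

def lint_rules(text):
    """Return a list of (line_no, problem) tuples for the body of a local.rules file."""
    problems, sids = [], Counter()
    for no, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):      # '#' comments a line out
            continue
        m = HEADER.match(line)
        if not m:
            problems.append((no, "unparseable rule header"))
            continue
        if m["action"] not in ACTIONS:
            problems.append((no, f"unknown action {m['action']!r}"))
        if m["proto"] not in PROTOCOLS:
            problems.append((no, f"protocol {m['proto']!r} not allowed; filter by port instead"))
        sid = re.search(r"\bsid\s*:\s*(\d+)\s*;", m["opts"])   # \b rejects typos like 'ssid:'
        if not sid:
            problems.append((no, "missing sid option"))
            continue
        sid = int(sid.group(1))
        sids[sid] += 1
        if sid < 1_000_000:
            problems.append((no, f"sid {sid} is outside the user range (>= 1,000,000)"))
        if sids[sid] > 1:
            problems.append((no, f"sid {sid} already used"))
        if not re.search(r"\brev\s*:\s*\d+\s*;", m["opts"]):
            problems.append((no, "missing rev option"))
    return problems
```

Running lint_rules(SAMPLE_LOCAL_RULES) reports the reused sid on line 5 and both problems on line 6.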

Payload Detection Rule Options

Content
Payload data. It matches specific payload data by ASCII, HEX or both. It is possible to use this option multiple times in a single rule. However, the more specific pattern-match features you create, the longer it takes to investigate a packet. The following rules will create an alert for each HTTP packet containing the keyword "GET". This rule option is case sensitive!
• ASCII mode - alert tcp any any <> any 80 (msg: "GET Request Found"; content:"GET"; sid: 100001; rev:1;)
• HEX mode - alert tcp any any <> any 80 (msg: "GET Request Found"; content:"|47 45 54|"; sid: 100001; rev:1;)

Nocase
Disables case sensitivity. Used for enhancing content searches.
alert tcp any any <> any 80 (msg: "GET Request Found"; content:"GET"; nocase; sid: 100001; rev:1;)

Fast_pattern
- Prioritise a content search to speed up the payload search operation.
- By default, Snort uses the biggest content and evaluates it against the rules. The "fast_pattern" option helps you select the initial packet match with a specific value for further investigation.
- This option always works case insensitive and can be used once per rule.
- Note that this option is required when using multiple "content" options.
- The following rule has two content options, and the fast_pattern option tells Snort to use the first content option (in this case, "GET") for the initial packet match.
alert tcp any any <> any 80 (msg: "GET Request Found"; content:"GET"; fast_pattern; content:"www"; sid:100001; rev:1;)

Non-Payload Detection Rule Options

There are rule options that focus on non-payload data. These options will help create specific patterns and identify network issues.

ID
Filtering the IP id field.
alert tcp any any <> any any (msg: "ID TEST"; id:123456; sid: 100001; rev:1;)

Flags
Filtering the TCP flags. • F - FIN • S - SYN • R - RST • P - PSH • A - ACK • U - URG
alert tcp any any <> any any (msg: "FLAG TEST"; flags:S; sid: 100001; rev:1;)

Dsize
Filtering the packet payload size. • dsize:min<>max; • dsize:>100 • dsize:<100
alert ip any any <> any any (msg: "SEQ TEST"; dsize:100<>300; sid: 100001; rev:1;)

Sameip
Filtering the source and destination IP addresses for duplication.
alert ip any any <> any any (msg: "SAME-IP TEST"; sameip; sid: 100001; rev:1;)

Configurations
snort.conf: Main configuration file.

local.rules: User-generated rules file.

Let's start by overviewing the main configuration file (snort.conf): /etc/snort/snort.conf

Navigate to the "Step #1: Set the network variables." section.

This section manages the scope of the detection and rule paths.

TAG NAME / INFO / EXAMPLE

HOME_NET: That is what we are protecting. Example: 'any' OR '192.168.1.1/24'

EXTERNAL_NET: This field is the external network, so we need to keep it as 'any' or '!$HOME_NET'. Example: 'any' OR '!$HOME_NET'

RULE_PATH: Hardcoded rule path. Example: /etc/snort/rules

SO_RULE_PATH: These rules come with registered and subscriber rules. Example: $RULE_PATH/so_rules

PREPROC_RULE_PATH: These rules come with registered and subscriber rules. Example: $RULE_PATH/plugin_rules

Navigate to the "Step #2: Configure the decoder." section.

In this section, you manage the IPS mode of Snort. The single-node installation model of IPS works best with "afpacket" mode. You can enable this mode and run Snort as an IPS.

TAG NAME / INFO / EXAMPLE

#config daq: IPS mode selection. Example: afpacket

#config daq_mode: Activating the inline mode. Example: inline

#config logdir: Hardcoded default log path. Example: /var/logs/snort

Data Acquisition Modules (DAQ) are specific libraries used for packet I/O, bringing flexibility to packet processing. It is possible to select the DAQ type and mode for different purposes.

There are six DAQ modules available in Snort:

Pcap: Default mode, known as Sniffer mode.

Afpacket: Inline mode, known as IPS mode.

Ipq: Inline mode on Linux by using Netfilter. It replaces the snort_inline patch.

Nfq: Inline mode on Linux.

Ipfw: Inline on OpenBSD and FreeBSD by using divert sockets, with the pf and ipfw firewalls.

Dump: Testing mode of inline and normalisation.

The most popular modes are the default (pcap) and inline/IPS (afpacket).

Navigate to the "Step #3: Configure output plugins" section.

This section manages the outputs of the IDS/IPS actions, such as logging and alerting format details. The default action prints everything to the console, so configuring this part will help you use Snort more efficiently.

Navigate to the "Step #4: Customise your ruleset" section.

TAG NAME / INFO / EXAMPLE

# site specific rules: Hardcoded local and user-generated rules path. Example: include $RULE_PATH/local.rules

#include $RULE_PATH/: Hardcoded default/downloaded rules path. Example: include $RULE_PATH/rulename

Note that "#" is the commenting operator. You should uncomment a line to activate it.

Exercising Rules
HTTP

Detect any incoming/outgoing HTTP traffic:

alert tcp any 80 <> any any (msg:"http traffic detected"; sid:696969; rev:1;)

alert tcp any any <> any 80 (msg:"http traffic detected"; sid:696969; rev:1;)

To drop it:

drop tcp any 80 <> any any (msg:"http traffic detected"; sid:696969; rev:1;)

FTP

https://en.wikipedia.org/wiki/List_of_FTP_server_return_codes

Detect any FTP traffic:

alert tcp any 21 <> any any (msg:"ftp detected";sid:696969;rev:1;)

alert tcp any any <> any 21 (msg:"ftp detected";sid:696968;rev:1;)

Detect successful FTP logins:

alert tcp any 21 <> any any (msg:"Successful FTP login attempt"; content:"331";sid:100022201;rev:1;)

Detect any failed FTP login attempts with a valid username but a bad password or no password:

alert tcp any 21 <> any any (msg:"Failed FTP login attempt"; content:"331";sid:100022201;rev:1;)

alert tcp any 21 <> any any (msg:"Failed FTP login attempt"; content:"336";sid:100022202;rev:1;)

Detect failed FTP login attempts with the "Administrator" username but a bad password or no password:

alert tcp any 21 <> any any (msg:"S1 FTP login attempt with admin"; content:"331";content:"Administrator";sid:100022201;rev:1;)

Detect PNG or GIF files (each rule needs its own sid so both can be loaded together):

alert tcp any any <> any any (msg:"png detected";content:"PNG";sid:123231;rev:1;)

alert tcp any any <> any any (msg:"gif detected";content:"GIF";sid:123232;rev:1;)
