Network Intrusion Detection with Snort

If you’re anything like me, you’re paranoid about network intrusion. In all event, we just need something to monitor our systems and warn us of potential attacks. This can be done through a package known as Snort. Snort is a real-time packet sniffer, packet logger and a network intrusion detection system.

On Ubuntu, installing snort is easy via command line:

sudo apt-get install snort -y

 

The snort configuration files are located in /etc/snort/snort.conf. To test if the configuration files are working properly, type the following command:

sudo snort -T -c /etc/snort/snort.conf -i <interface>

 

 

Snort Rules

The best part about snort is that though rules are available, they can be configured by the user. Once rules are created, they can be added to the configuration file as follows:

include $RULE_PATH/<yourrule.rules>

 

Once the path to the rules has been added to the configuration files, the rules can be created in the <yourrule.rules> file using an editor using the specified custom rules syntax. Rules (such as <yourrule.rules>) can be added and configured in /etc/snort/rules.

Custom rules are easy to create using the specified rule headers/options. Snort rules abide by a specific format. The rule header is as follows:

[action] [protocol][sourceIP][sourceport] → [destIP][destport] (rules options)

—action: Snort action headers determines the fate of the packet if it matches the rule. Snort has 3 default modes: alert, log, and pass (ignore packet); there are 3 additional inline modes: drop, reject, and sdrop (block but no logging).

—protocol: Snort analyzes 3 protocols: TCP, UDP, and ICMP.

—sourceIP: The source IP (the incoming packet)

—sourceport: The source port

—destIP: The destination IP

—destport: The desitnation port

 

The rule options are as follows:

–msg: The message displayed if there is a match.

—content: The content that is searched in the data packet/payload.

—flow: The connection state

 

Rules

An example of a rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP ADMw0rm ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:"w0rm"; distance:1; nocase; pcre:"/^USER\s+w0rm/smi"; reference:arachnids,01; classtype:suspicious-login; sid:144; rev:9;)

In this case, it says to alert the user if it encounters a TCP protocol coming from the external world from any port to the home network on port 21. It further says that the message to be displayed is “FTP Admworm ftp login attempt”. The content section contains the information that is searched in the payload.

 

alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET Solaris memory mismanagement exploit attempt"; flow:to_server,established; content:"|A0 23 A0 10 AE 23 80 10 EE 23 BF EC 82 05 E0 D6 90|%|E0|"; classtype:shellcode-detect; sid:1430; rev:7;)

Here, if a TCP packet from any external network from any port encounters the telnet servers of the home network on port 23, it will display an alert. The payload is searched for the following content:”|A0 23 A0 10 AE 23 80 10 EE 23 BF EC 82 05 E0 D6 90|%|E0|”.

 

Packet Sniffer

In the packet sniffer mode, all incoming packets are displayed. To put snort into packet sniffer mode, type:

sudo snort -dve

 

Packet Logger

In the packet logger mode, all incoming packets are logged into a file. To put snort into packet logger mode, type (the default logging directory is /var/log/snort):

sudo -l <logging directory>

 

Network Intrusion Detection

In the network intrusion detection mode, all packets are analyzed using the configuration file. To put snort into network intrusion detection mode, type:

snort -c /etc/snort/snort.conf -l <logging directory> -A console

 

It will use the configuration files to log everything to the console.

In other words, snort is an easy to use intrusion detection system that can come in handy for the paranoid. It will effectively verify if any kinds of attacks are conducted on your system within nanoseconds.