Presentation
Snort is an open source intrusion detection system (IDS) that performs real-time analysis of network packets. Snort can either record packets (Packet Sniffing / Packet Logging Mode) or take actions based on pre-made rules (Intrusion Detection/Prevention Mode). It is the most widely deployed intrusion detection system in the world.
Because Snort is a very lightweight tool, it is used in production by many companies. A notable example is Cisco, one of the largest designers, manufacturers and sellers of routers. Cisco now owns Snort, actively develops it, and releases the improvements it makes to Snort.
Rules are offered free to the community, but users can also subscribe for a small fee and receive new rules 30 days earlier. Subscribers can also submit false positives/negatives for the rules and get support on them.
The first mode that Snort offers is the ability to simply view the packets going in and out of a machine. This can be accomplished by running the following command:
snort -vde
The v flag makes Snort print out all of the packets coming in or out. The d and e flags make it display the application layer data and the link layer data respectively. Visiting the SYN Flooding website gives some sample output, showing the GET request:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/20-18:59:20.602650 8:0:27:36:A8:2E -> 52:54:0:12:35:2 type:0x800 len:0x1D0
10.0.2.15:49576 -> 128.100.3.30:80 TCP TTL:64 TOS:0x0 ID:53229 IpLen:20 DgmLen:450 DF
***AP*** Seq: 0xE8A72916  Ack: 0x25B8402  Win: 0x16D0  TcpLen: 20
47 45 54 20 2F 7E 61 72 6E 6F 6C 64 2F 34 32 37  GET /~arnold/427
2F 31 35 73 2F 63 73 63 34 32 37 2F 69 6E 64 65  /15s/csc427/inde
70 74 68 2F 73 79 6E 2D 66 6C 6F 6F 64 69 6E 67  pth/syn-flooding
2F 69 6E 64 65 78 2E 68 74 6D 6C 20 48 54 54 50  /index.html HTTP
2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 77 77 77 2E  /1.1..Host: www.
63 73 2E 74 6F 72 6F 6E 74 6F 2E 65 64 75 0D 0A  cs.toronto.edu..
55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69  User-Agent: Mozi
6C 6C 61 2F 35 2E 30 20 28 58 31 31 3B 20 55 62  lla/5.0 (X11; Ub
75 6E 74 75 3B 20 4C 69 6E 75 78 20 78 38 36 5F  untu; Linux x86_
36 34 3B 20 72 76 3A 31 36 2E 30 29 20 47 65 63  64; rv:16.0) Gec
6B 6F 2F 32 30 31 30 30 31 30 31 20 46 69 72 65  ko/20100101 Fire
66 6F 78 2F 31 36 2E 30 0D 0A 41 63 63 65 70 74  fox/16.0..Accept
3A 20 74 65 78 74 2F 68 74 6D 6C 2C 61 70 70 6C  : text/html,appl
69 63 61 74 69 6F 6E 2F 78 68 74 6D 6C 2B 78 6D  ication/xhtml+xm
6C 2C 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78 6D  l,application/xm
6C 3B 71 3D 30 2E 39 2C 2A 2F 2A 3B 71 3D 30 2E  l;q=0.9,*/*;q=0.
38 0D 0A 41 63 63 65 70 74 2D 4C 61 6E 67 75 61  8..Accept-Langua
67 65 3A 20 65 6E 2D 55 53 2C 65 6E 3B 71 3D 30  ge: en-US,en;q=0
2E 35 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64  .5..Accept-Encod
69 6E 67 3A 20 67 7A 69 70 2C 20 64 65 66 6C 61  ing: gzip, defla
74 65 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20  te..Connection: 
6B 65 65 70 2D 61 6C 69 76 65 0D 0A 52 65 66 65  keep-alive..Refe
72 65 72 3A 20 68 74 74 70 3A 2F 2F 77 77 77 2E  rer: http://www.
63 73 2E 74 6F 72 6F 6E 74 6F 2E 65 64 75 2F 7E  cs.toronto.edu/~
61 72 6E 6F 6C 64 2F 34 32 37 2F 31 35 73 2F 63  arnold/427/15s/c
73 63 34 32 37 2F 0D 0A 0D 0A                    sc427/....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
One of Snort's powerful tools is the ability to log network packets to a file. One reason to do this is to record traffic in order to find out whether a rule is giving false positives, or to debug another problem. Another is that if Snort is overloaded (ex: a saturated 1 Gbps link it cannot keep up with), it can write the traffic directly to a file so that it or another tool can analyze the data later. It can output in a standard packet-capture format that all major tools, such as tcpdump or Wireshark, can read. To log the data to a file, use the following command:
snort -vde -l log_folder
The most powerful mode that Snort has is the ability to analyze traffic in real time and to perform actions based on rules. Some of the more common actions are raising an alert and logging it to a file, logging the packet, dropping the packet, or activating another dynamic rule. The rules are split across different files, each of which is organized by the type of attack it protects against (ex: sql-injection.rules). A rule is made up of a header followed by options in parentheses: <action> <protocol> <source ip> <source port> <direction> <destination ip> <destination port> (<options>); activate and dynamic rules are linked to each other through these options. An example (from the Snort Manual):
alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"external mountd access";)
This rule raises an alert in the log file when a TCP connection from outside the network (!192.168.1.0/24), on any source port, is made to port 111 of a host inside the network (192.168.1.0/24) and the payload contains the bytes 00 01 86 a5; the alert carries the message "external mountd access". Another rule could be as follows:
alert tcp $HOME_NET any -> any any (msg:"Visiting Facebook"; content:"facebook"; nocase; classtype:facebooklog; sid:1318; rev:5;)
If a user visits www.facebook.com, this rule logs that the user has visited Facebook, which may not be allowed. Because the rule matches the string "facebook" case-insensitively (nocase) in any TCP traffic leaving $HOME_NET, it also fires on any other outbound packet that happens to contain that string. Within the alert file, the output would look like:
[**] [1:9999:1] Visiting facebook [**]
[Classification: Person visiting facebook] [Priority: 2]
01/21-01:08:34.462856 52:54:00:12:35:02 -> 08:00:27:6B:17:E9 type:0x800 len:0x324
74.125.226.143:80 -> 10.0.2.15:43583 TCP TTL:64 TOS:0x0 ID:9142 IpLen:20 DgmLen:790
***AP*** Seq: 0x54D6C02  Ack: 0x1D2DEE73  Win: 0xFFFF  TcpLen: 20
Run Snort in the desired mode (ex: snort -dve -c /etc/snort/snort.conf). The rules provided above (slacking.rules) will trigger an alert, which is written to a file called "alert" (created in the directory the terminal is in, or in the folder specified with -l [folder_path]). Visiting facebook.com, www.cs.toronto.edu/~arnold, hackthis.co.uk, and overthewire.org will all raise an alert.
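To make the header and option semantics of the two rules above concrete, here is an added Python example (not Snort's code and not part of the original page) that parses each rule into its header fields and options, then evaluates it against constructed packets: it handles "any", a $HOME_NET variable, CIDR blocks with ! negation, |hex| content escapes and nocase. The $HOME_NET value, the packets and the 203.0.113.10 address are assumptions.

```python
import ipaddress
VARS = {"$HOME_NET": "192.168.1.0/24"}   # as snort.conf would set it; value is assumed

def parse_rule(rule):
    """Split a rule into its seven header fields and a dict of options."""
    header, _, opts = rule.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    options = {}
    for opt in opts.rstrip(")").split(";"):
        key, _, val = opt.strip().partition(":")
        if key:                      # flags such as nocase carry no value
            options[key] = val.strip().strip('"')
    return dict(action=action, proto=proto, src=src, sport=sport,
                direction=direction, dst=dst, dport=dport, options=options)

def addr_matches(spec, ip):
    """Rule address: any, a $VAR, or a CIDR block; a leading ! negates the match."""
    negate = spec.startswith("!")
    spec = VARS.get(spec.lstrip("!"), spec.lstrip("!"))
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate
def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def decode_content(spec):
    """A content string mixes literal text with |hex| byte escapes."""
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode()
                    for i, p in enumerate(spec.split("|")))

def rule_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport and payload (bytes); only -> rules."""
    r = parse_rule(rule)
    hdr_ok = (r["proto"] == pkt["proto"] and addr_matches(r["src"], pkt["src"])
              and port_matches(r["sport"], pkt["sport"]) and addr_matches(r["dst"], pkt["dst"])
              and port_matches(r["dport"], pkt["dport"]))
    if not hdr_ok or "content" not in r["options"]:
        return hdr_ok                # a header-only rule matches on the header alone
    needle, hay = decode_content(r["options"]["content"]), pkt["payload"]
    if "nocase" in r["options"]:
        needle, hay = needle.lower(), hay.lower()
    return needle in hay

MOUNTD = 'alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"external mountd access";)'
FACEBOOK = 'alert tcp $HOME_NET any -> any any (msg:"Visiting Facebook"; content:"facebook"; nocase; classtype:facebooklog; sid:1318; rev:5;)'
# Constructed sample packets (not real captures); 203.0.113.10 is a documentation address.
OUTSIDE_MOUNTD = dict(proto="tcp", src="10.0.0.5", sport=40000, dst="192.168.1.10", dport=111,
                      payload=b"\x80\x00\x00\x28\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x86\xa5")
INSIDE_MOUNTD = dict(OUTSIDE_MOUNTD, src="192.168.1.20")
FB_VISIT = dict(proto="tcp", src="192.168.1.10", sport=49576, dst="203.0.113.10", dport=80,
                payload=b"GET / HTTP/1.1\r\nHost: www.Facebook.com\r\n\r\n")
```

rule_matches(MOUNTD, OUTSIDE_MOUNTD) is true while the same request from INSIDE_MOUNTD is not, because the ! on the source address excludes internal hosts; FB_VISIT fires the Facebook rule only because nocase lets "facebook" match the capitalized Host header.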