Snort (Eric Scott and Steven Pitman)

Contents

  1. Overview
  2. Packet Sniffing Mode
  3. Packet Logging Mode
  4. Intrusion Detection/Prevention Mode
  5. Demo
    1. Setting up the Virtual Machine
    2. Triggering an Alert

1. Overview

Presentation
Snort is an open source intrusion detection system (IDS) that performs real-time analysis of network packets. It can either record packets (Packet Sniffing / Packet Logging Mode) or take actions according to pre-written rules (Intrusion Detection/Prevention Mode). It is the most widely deployed intrusion detection system in the world. Because Snort is lightweight, it is used professionally by many companies. A notable example is Cisco, one of the largest designers, manufacturers and sellers of routers; Cisco now owns Snort, actively develops it, and releases its improvements back to the project. Rules are released free to the community, but subscribers who pay a small fee get access to new rules 30 days before they become free. Subscribers can also submit false positives/negatives for the rules and get support on them.

2. Packet Sniffing Mode

The first mode that Snort offers is the ability to simply view the packets going in and out of a machine. This can be accomplished by running the following command:

snort -vde

The -v flag makes Snort print the header of every packet it sees to the console. The -d flag adds the application-layer data (the payload) and -e adds the link-layer (Ethernet) header. Snort needs root (or capture) privileges to sniff, and listens on the first interface unless one is given with -i <interface>. Visiting the SYN Flooding page of the course website (the URL is visible in the Host and Referer headers of the dump) gives the following sample output, showing the HTTP GET request:

			=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

			01/20-18:59:20.602650 8:0:27:36:A8:2E -> 52:54:0:12:35:2 type:0x800 len:0x1D0
			10.0.2.15:49576 -> 128.100.3.30:80 TCP TTL:64 TOS:0x0 ID:53229 IpLen:20 DgmLen:450 DF
			***AP*** Seq: 0xE8A72916  Ack: 0x25B8402  Win: 0x16D0  TcpLen: 20
			47 45 54 20 2F 7E 61 72 6E 6F 6C 64 2F 34 32 37  GET /~arnold/427
			2F 31 35 73 2F 63 73 63 34 32 37 2F 69 6E 64 65  /15s/csc427/inde
			70 74 68 2F 73 79 6E 2D 66 6C 6F 6F 64 69 6E 67  pth/syn-flooding
			2F 69 6E 64 65 78 2E 68 74 6D 6C 20 48 54 54 50  /index.html HTTP
			2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 77 77 77 2E  /1.1..Host: www.
			63 73 2E 74 6F 72 6F 6E 74 6F 2E 65 64 75 0D 0A  cs.toronto.edu..
			55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69  User-Agent: Mozi
			6C 6C 61 2F 35 2E 30 20 28 58 31 31 3B 20 55 62  lla/5.0 (X11; Ub
			75 6E 74 75 3B 20 4C 69 6E 75 78 20 78 38 36 5F  untu; Linux x86_
			36 34 3B 20 72 76 3A 31 36 2E 30 29 20 47 65 63  64; rv:16.0) Gec
			6B 6F 2F 32 30 31 30 30 31 30 31 20 46 69 72 65  ko/20100101 Fire
			66 6F 78 2F 31 36 2E 30 0D 0A 41 63 63 65 70 74  fox/16.0..Accept
			3A 20 74 65 78 74 2F 68 74 6D 6C 2C 61 70 70 6C  : text/html,appl
			69 63 61 74 69 6F 6E 2F 78 68 74 6D 6C 2B 78 6D  ication/xhtml+xm
			6C 2C 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78 6D  l,application/xm
			6C 3B 71 3D 30 2E 39 2C 2A 2F 2A 3B 71 3D 30 2E  l;q=0.9,*/*;q=0.
			38 0D 0A 41 63 63 65 70 74 2D 4C 61 6E 67 75 61  8..Accept-Langua
			67 65 3A 20 65 6E 2D 55 53 2C 65 6E 3B 71 3D 30  ge: en-US,en;q=0
			2E 35 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64  .5..Accept-Encod
			69 6E 67 3A 20 67 7A 69 70 2C 20 64 65 66 6C 61  ing: gzip, defla
			74 65 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20  te..Connection: 
			6B 65 65 70 2D 61 6C 69 76 65 0D 0A 52 65 66 65  keep-alive..Refe
			72 65 72 3A 20 68 74 74 70 3A 2F 2F 77 77 77 2E  rer: http://www.
			63 73 2E 74 6F 72 6F 6E 74 6F 2E 65 64 75 2F 7E  cs.toronto.edu/~
			61 72 6E 6F 6C 64 2F 34 32 37 2F 31 35 73 2F 63  arnold/427/15s/c
			73 63 34 32 37 2F 0D 0A 0D 0A                    sc427/....

			=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
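As an added example (not from the original page or from the Snort project), the following Python script parses this decoded ASCII format back into structured records and recovers the payload bytes from the hex columns. It goes beyond the sniffer output above in that it also accepts the [**] alert header that intrusion detection mode prints in front of the same packet layout. The SAMPLE dump embedded in it is constructed for the example using documentation address ranges; it is not captured traffic.

```python
"""Parser for Snort's decoded ASCII packet dump (added example, not Snort code).

Turns the -v/-d/-e console format shown above, optionally prefixed by the
[**] alert header that intrusion detection mode prints, back into records
carrying the raw payload bytes.  SAMPLE is constructed for this example."""
import re
from dataclasses import dataclass

ALERT_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]")
ETH_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+) type:")
IP_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) (\w+) TTL:(\d+)")
TCP_RE = re.compile(r"^([*A-Z]{8}) Seq: 0x[0-9A-Fa-f]+")
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


@dataclass
class Record:
    gid: int = None            # [gid:sid:rev] from the alert header, if any
    sid: int = None
    rev: int = None
    msg: str = None
    classification: str = None
    priority: int = None
    timestamp: str = None
    src: str = None
    sport: int = None
    dst: str = None
    dport: int = None
    proto: str = None
    flags: str = None          # TCP flag column, e.g. ***AP***
    payload: bytes = b""       # rebuilt from the hex columns


def parse_dump(text):
    """One Record per packet; a [**] line or a new timestamp line starts one."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("=+="):          # blank or separator line
            continue
        if m := ALERT_RE.match(line):
            cur = Record(gid=int(m[1]), sid=int(m[2]), rev=int(m[3]), msg=m[4])
            records.append(cur)
        elif m := CLASS_RE.match(line):
            cur.classification, cur.priority = m[1], int(m[2])
        elif m := ETH_RE.match(line):
            if cur is None or cur.timestamp is not None:   # sniffer mode: no [**] line
                cur = Record()
                records.append(cur)
            cur.timestamp = m[1]
        elif m := IP_RE.match(line):
            cur.src, cur.sport, cur.dst, cur.dport, cur.proto = m[1], int(m[2]), m[3], int(m[4]), m[5]
        elif m := TCP_RE.match(line):
            cur.flags = m[1]
        elif cur is not None:
            # Hex line: up to 16 'HH' tokens, two spaces, then the ASCII column.
            tokens = line.split("  ")[0].split()
            if tokens and all(HEX_BYTE.match(t) for t in tokens):
                cur.payload += bytes.fromhex("".join(tokens))
    return records


def request_line(rec):
    """First payload line, e.g. 'GET /index.html HTTP/1.1'."""
    return rec.payload.split(b"\r\n", 1)[0].decode("latin-1")


def header(rec, name):
    """Value of an HTTP header in the payload (case-insensitive name), or None."""
    for hdr in rec.payload.split(b"\r\n")[1:]:
        key, sep, value = hdr.partition(b":")
        if sep and key.strip().lower() == name.lower().encode():
            return value.strip().decode("latin-1")
    return None


# Constructed dump: one alert record, then one plain sniffer record (documentation addresses).
SAMPLE = """\
[**] [1:1000001:1] Visiting Facebook [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
01/21-01:08:34.462856 08:00:27:6B:17:E9 -> 52:54:00:12:35:02 type:0x800 len:0x60
10.0.2.15:43583 -> 198.51.100.7:80 TCP TTL:64 TOS:0x0 ID:9142 IpLen:20 DgmLen:82 DF
***AP*** Seq: 0x54D6C02  Ack: 0x1D2DEE73  Win: 0xFFFF  TcpLen: 20
47 45 54 20 2F 20 48 54 54 50 2F 31 2E 31 0D 0A  GET / HTTP/1.1..
48 6F 73 74 3A 20 77 77 77 2E 66 61 63 65 62 6F  Host: www.facebo
6F 6B 2E 63 6F 6D 0D 0A 0D 0A                    ok.com....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/21-01:08:35.000123 08:00:27:6B:17:E9 -> 52:54:00:12:35:02 type:0x800 len:0x3A
10.0.2.15:40000 -> 192.168.1.10:111 TCP TTL:64 TOS:0x0 ID:9143 IpLen:20 DgmLen:44 DF
***AP*** Seq: 0x54D6C4C  Ack: 0x1D2DEE73  Win: 0xFFFF  TcpLen: 20
00 01 86 A5                                      ....
"""

RECORDS = parse_dump(SAMPLE)

if __name__ == "__main__":
    for r in RECORDS:
        print(r.msg or "(no alert)", r.src, "->", r.dst, r.dport, repr(request_line(r)))
```

Feeding it a real console capture (snort -vde > dump.txt) works the same way; the point of rebuilding the bytes from the hex column rather than the ASCII column is that non-printable bytes, such as the CR/LF pairs shown as dots, are recovered exactly.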
		

3. Packet Logging Mode

One of the powerful features of Snort is the ability to log network packets to disk. One reason to do this is to record the traffic so that you can later check whether a rule is producing false positives, or debug some other error. Another is that if Snort is overloaded (for example, trying to keep up with a saturated 1 Gbps link), it can write the raw traffic straight to a file so that it, or another tool, can analyze the data afterwards. With the -b flag it logs in tcpdump (pcap) binary format, which every major analysis tool can read, including tcpdump and Wireshark, and which Snort itself can replay later with snort -r <file>. Without -b, Snort writes decoded ASCII dumps like the one above into per-host subdirectories of the log folder, and printing every packet to the console with -v is the slowest part of the whole process, so drop -v when logging at speed. To log the data to a folder you can use the following command:

snort -vde -l log_folder

4. Intrusion Detection/Prevention Mode

The most powerful mode Snort offers is analyzing traffic in real time and performing actions according to a set of rules. The most common actions are alert (raise an alert, write it to the alert file and log the packet), log (log the packet without alerting), pass (ignore the packet), drop or reject (discard the packet when Snort runs inline as an IPS), and activate/dynamic (turn on another rule that then logs the packets that follow). Rules are split across files, each named for the class of attack it covers (ex: sql-injection.rules), and the configuration file lists which ones to load. A rule is a header followed by options in parentheses: <action> <protocol> <source IP> <source port> <direction> <destination IP> <destination port> (<options>). An example (from the Snort Manual):

alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"external mountd access";)

This rule raises an alert (written to the alert file) when a TCP packet from outside the network (!192.168.1.0/24), from any source port, is sent to port 111 (the RPC portmapper) on a host inside the network and its payload contains the bytes 00 01 86 a5, which is the RPC program number of mountd (100005) in network byte order. The msg option is the text that appears in the alert. Another rule could be as follows:

alert tcp $HOME_NET any -> any any (msg:"Visiting Facebook"; content:"facebook"; nocase; classtype:facebooklog; sid:1318; rev:5;)

If a host on $HOME_NET (the local network defined in snort.conf) sends any TCP packet whose payload contains "facebook" in any letter case (nocase), Snort logs that the user has visited Facebook, which may not be allowed. Two caveats: classtype:facebooklog has to be defined in classification.config, which is where the Classification and Priority fields in the output come from, and sid values below 1,000,000 are reserved for the official rule sets, so local rules should use sid:1000000 or higher. In the alert file each entry starts with [generator ID:sid:rev] followed by the msg text; the sample below shows [1:9999:1], so it was produced by a version of this rule with sid:9999 and rev:1 rather than the values printed above. The output looks like this:

			[**] [1:9999:1] Visiting facebook [**]
			[Classification: Person visiting facebook] [Priority: 2] 
			01/21-01:08:34.462856 52:54:00:12:35:02 -> 08:00:27:6B:17:E9 type:0x800 len:0x324
			74.125.226.143:80 -> 10.0.2.15:43583 TCP TTL:64 TOS:0x0 ID:9142 IpLen:20 DgmLen:790
			***AP*** Seq: 0x54D6C02  Ack: 0x1D2DEE73  Win: 0xFFFF  TcpLen: 20
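To make the rule anatomy concrete, here is an added example that is not part of this page or of Snort itself: a small Python matcher for the subset of rule syntax used above (the seven-field header, CIDR, negated and $VAR addresses, single ports, content with |hex| escapes, and nocase). The first two rules are the ones quoted above; the third rule, the packets and the value of $HOME_NET are constructed for the example. Real Snort does far more (preprocessors, flow state, fast pattern matching, dozens of other options), and this toy does not handle a ';' inside a msg string.

```python
"""Toy matcher for the Snort rule subset used on this page (added example, not Snort code).

Handles the seven-field header, CIDR/negated/$VAR addresses, single ports,
content with |hex| escapes and nocase.  HOME_NET is an assumed value and the
packets are constructed; the first two rules are the ones quoted above."""
import ipaddress
import re
from collections import namedtuple
from dataclasses import dataclass, field

VARS = {"HOME_NET": "10.0.2.0/24"}   # assumed; Snort reads this from snort.conf

HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

Packet = namedtuple("Packet", "proto src sport dst dport payload")

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)   # key:value options (msg, content, sid, ...)
    flags: set = field(default_factory=set)        # bare modifiers such as nocase

def parse_rule(text):
    """Split 'action proto src sport dir dst dport (options)' into a Rule."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule: " + text)
    rule = Rule(*m.groups()[:7])
    # Options are ';'-terminated; this toy does not handle ';' inside a msg string.
    for opt in filter(None, (o.strip() for o in m.group(8).split(";"))):
        if ":" in opt:
            key, val = opt.split(":", 1)
            rule.options[key.strip()] = val.strip().strip('"')
        else:
            rule.flags.add(opt)
    return rule

def content_bytes(spec):
    """Decode content syntax: literal text with |hh hh| hex sections."""
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode()
                    for i, p in enumerate(spec.split("|")))

def addr_matches(spec, ip):
    if spec == "any":
        return True
    if spec.startswith("!"):                 # negation, e.g. !192.168.1.0/24
        return not addr_matches(spec[1:], ip)
    if spec.startswith("$"):                 # variable, e.g. $HOME_NET
        return addr_matches(VARS[spec[1:]], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def matches(rule, pkt):
    """Header fields first (only the -> direction is modelled), then the content check."""
    if rule.proto not in ("ip", pkt.proto):
        return False
    if not (addr_matches(rule.src, pkt.src) and port_matches(rule.sport, pkt.sport)
            and addr_matches(rule.dst, pkt.dst) and port_matches(rule.dport, pkt.dport)):
        return False
    if "content" in rule.options:
        needle, hay = content_bytes(rule.options["content"]), pkt.payload
        if "nocase" in rule.flags:
            needle, hay = needle.lower(), hay.lower()
        return needle in hay
    return True

def run(rules, packets):
    """(action, sid, msg) for every rule that fires, in packet order, like the alert file."""
    return [(r.action, r.options.get("sid"), r.options.get("msg"))
            for p in packets for r in rules if matches(r, p)]

RULES = [parse_rule(r) for r in [
    'alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"external mountd access";)',
    'alert tcp $HOME_NET any -> any any (msg:"Visiting Facebook"; content:"facebook"; nocase; classtype:facebooklog; sid:1318; rev:5;)',
    # Constructed local rule in the demo's style, with a sid in the local (>= 1000000) range.
    'alert tcp $HOME_NET any -> any 80 (msg:"Visiting overthewire"; content:"Host: overthewire.org"; nocase; sid:1000001; rev:1;)',
]]

# Constructed packets using documentation address ranges, not captured traffic.
PACKETS = [
    Packet("tcp", "203.0.113.5", 40000, "192.168.1.10", 111, b"\x00\x01\x86\xa5\x00\x00\x00\x01"),  # external -> mountd
    Packet("tcp", "192.168.1.20", 40001, "192.168.1.10", 111, b"\x00\x01\x86\xa5"),   # internal source: excluded by '!'
    Packet("tcp", "10.0.2.15", 49576, "198.51.100.7", 80, b"GET / HTTP/1.1\r\nHost: www.FACEBOOK.com\r\n\r\n"),
    Packet("tcp", "10.0.2.15", 49577, "198.51.100.8", 80, b"GET / HTTP/1.1\r\nHost: overthewire.org\r\n\r\n"),
]

ALERTS = run(RULES, PACKETS)   # three alerts: mountd, Facebook, overthewire
```

The second packet shows why the "!" matters: the same mountd payload from an address inside 192.168.1.0/24 does not fire, exactly as the prose above describes, and the third packet only fires because nocase lowercases both the rule content and the payload before comparing.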
		

5. Demo

5.1 Setting up the Virtual Machine

5.2 Triggering an Alert

Run Snort in IDS mode with a configuration that loads the rules (ex: snort -dve -c /etc/snort/snort.conf, adding -i <interface> if Snort should listen on something other than the first interface). The rules provided above (slacking.rules) will trigger alerts, which are appended to a file called "alert" in Snort's log directory (/var/log/snort unless snort.conf or the -l <folder_path> flag says otherwise). Visiting facebook.com, www.cs.toronto.edu/~arnold, hackthis.co.uk, and overthewire.org will all raise an alert; running tail -f on the alert file in a second terminal while browsing shows them arrive in real time.