Snort - OpenSource Network Intrusion Detection Tool

Snort is an open source, lightweight network intrusion detection program for Windows and Linux platforms. It has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks.

It can detect various kinds of attacks and probes, including, but not limited to, operating system fingerprinting attempts, Common Gateway Interface (CGI) attacks, buffer overflows, Server Message Block (SMB) probes, and stealth port scans.

Snort can be configured to run in three modes:
  • Sniffer mode - It reads the packets off of the network and displays them for you in a continuous stream on the console (screen).
  • Packet Logger mode - It logs the packets to disk.
  • Network Intrusion Detection System (NIDS) mode - It performs detection and analysis on network traffic. This is the most complex and configurable mode.

Sniffer Mode

If you just want to print out the TCP/IP packet headers to the screen (i.e. sniffer mode), try this:
./snort -v
This command will run Snort and just show the IP and TCP/UDP/ICMP headers, nothing else.

If you want to see the application data in transit, try the following:
./snort -vd
This instructs Snort to display the packet data as well as the headers.

If you want an even more descriptive display, showing the data link layer headers, do this:
./snort -vde

Note: The command line switches can be listed separately or in a combined form.

The last command could also be typed out as the following to produce the same result:
./snort -d -v -e

Packet Logger Mode

If you want to record the packets to the disk, you need to specify a logging directory and Snort will automatically go into packet logger mode:
./snort -dev -l ./log
Of course, this assumes you have a directory named log in the current directory. If you don't, Snort will exit with an error message. When Snort runs in this mode, it collects every packet it sees and places the packets in a directory hierarchy based upon the IP address of one of the hosts in the datagram.

If you just specify a plain -l switch, you may notice that Snort sometimes uses the address of the remote computer as the directory in which it places packets and sometimes it uses the local host address. In order to log relative to the home network, you need to tell Snort which network is the home network:
./snort -dev -l ./log -h 192.168.1.0/24
This command tells Snort that you want to print out the data link and TCP/IP headers as well as application data into the directory ./log, and that you want to log the packets relative to the 192.168.1.0 class C network. All incoming packets will be recorded into subdirectories of the log directory, with the directory names based on the address of the remote (non-192.168.1) host.

Note: If both the source and destination hosts are on the home network, they are logged to a directory with a name based on the higher of the two port numbers or, in the case of a tie, the source address.

If you're on a high-speed network or you want to log the packets into a more compact form for later analysis, you should consider logging in binary mode. Binary mode logs the packets in tcpdump format to a single binary file in the logging directory:
./snort -l ./log -b
Note the command line changes here. We no longer need to specify a home network, because binary mode logs everything into a single file, which eliminates the need to tell Snort how to lay out the output directory structure. Additionally, you don't need to run in verbose mode or specify the -d or -e switches, because in binary mode the entire packet is logged, not just sections of it. All you really need to do to place Snort into logger mode is to specify a logging directory at the command line using the -l switch; the -b binary logging switch is merely a modifier that tells Snort to log the packets in something other than the default output format of plain ASCII text.

Once the packets have been logged to the binary file, you can read the packets back out of the file with any sniffer that supports the tcpdump binary format (such as tcpdump or Ethereal). Snort can also read the packets back by using the -r switch, which puts it into playback mode. Packets from any tcpdump formatted file can be processed through Snort in any of its run modes. For example, if you wanted to run a binary log file through Snort in sniffer mode to dump the packets to the screen, you can try something like this:
./snort -dv -r packet.log
You can manipulate the data in the file in a number of ways through Snort's packet logging and intrusion detection modes, as well as with the BPF interface that's available from the command line. For example, if you only wanted to see the ICMP packets from the log file, simply specify a BPF filter at the command line and Snort will only see the ICMP packets in the file:
./snort -dvr packet.log icmp

Network Intrusion Detection System Mode

To enable Network Intrusion Detection System (NIDS) mode so that you don't record every single packet sent down the wire, try this:
./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf
where snort.conf is the name of your snort configuration file. This will apply the rules configured in the snort.conf file to each packet to decide if an action based upon the rule type in the file should be taken. If you don't specify an output directory for the program, it will default to /var/log/snort.

One thing to note about the last command line is that if Snort is going to be used long-term as an IDS, the -v switch should be left off the command line for the sake of speed. The screen is a slow place to write data to, and packets can be dropped while Snort is writing to the display.

It is also not necessary to record the data link headers for most applications, so you can usually omit the -e switch, too.
./snort -d -h 192.168.1.0/24 -l ./log -c snort.conf
This will configure Snort to run in its most basic NIDS form, logging packets that trigger rules specified in the snort.conf in plain ASCII to disk using a hierarchical directory structure (just like packet logger mode).
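The run modes above as a small shell wrapper, added here as an example (not part of the original post or of Snort itself): it builds the same command lines, validates the -h home network, and creates the -l log directory before Snort starts, since Snort exits with an error when it is missing. The SNORT variable and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: wraps the Snort command lines
# shown above and checks the preconditions the text mentions first.
SNORT=${SNORT:-./snort}   # path to the snort binary (assumption)

# is_cidr NET: accept only dotted-quad/prefix such as 192.168.1.0/24, so a
# typo in -h does not silently log everything relative to the wrong network.
is_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; pfx=${1#*/}
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    [ "$pfx" -ge 0 ] 2>/dev/null && [ "$pfx" -le 32 ]
}

# ensure_logdir DIR: Snort exits with an error if the -l directory is
# missing, so create it (mode 0700: captured payloads are sensitive data).
ensure_logdir() {
    [ -d "$1" ] || mkdir -p -m 0700 "$1"
}

# snort_args MODE LOGDIR HOMENET [CONF|PCAP]: print the argument list for one
# of the run modes described above, one token per line. In nids mode -v and
# -e are left off for speed, as the text recommends.
snort_args() {
    mode=$1; logdir=$2; homenet=$3; extra=$4
    case "$mode" in
        sniffer) printf '%s\n' -dev ;;
        logger)  printf '%s\n' -dev -l "$logdir" -h "$homenet" ;;
        binary)  printf '%s\n' -l "$logdir" -b ;;
        replay)  printf '%s\n' -dv -r "$extra" icmp ;;   # BPF filter: ICMP only
        nids)    printf '%s\n' -d -h "$homenet" -l "$logdir" -c "$extra" ;;
        *)       echo "unknown mode: $mode" >&2; return 2 ;;
    esac
}

# snort_run MODE LOGDIR HOMENET [CONF|PCAP]: validate, then exec Snort.
snort_run() {
    case "$1" in
        logger|nids) is_cidr "$3" || { echo "bad home network: $3" >&2; return 1; } ;;
    esac
    case "$1" in
        logger|binary|nids) ensure_logdir "$2" || return 1 ;;
    esac
    # shellcheck disable=SC2046
    exec "$SNORT" $(snort_args "$@")
}
# Usage: snort_run nids ./log 192.168.1.0/24 snort.conf
```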
