Snort

Collaborative Virtual Computer Lab (CVCLAB)

Penn State Berks

Introduction to Snort

Snort is a very well known intrusion detection system (IDS). Although it is free and open-source, Snort is a powerful tool for detecting malicious attacks against individual hosts or networks. Essentially, Snort is a packet sniffer, like tcpdump or Wireshark: it listens on a network interface and captures the packets passing by. The power of Snort lies in its rule-based engine, which is able to filter packets, look for attack signatures, and alert on them.

Snort can be configured to run in three modes:

A. Sniffer Mode

In sniffer mode, you run Snort at the command line. The Ctrl+C key combination is used to stop the execution of Snort. The following command prints the TCP/IP packet headers to the screen:

root@bt:~#snort -v

In the command above, Snort listens to and captures packets from all interfaces.

If you would like to capture packets from interface eth2 only, the -i option can be used to specify the interface as follows:

root@bt:~#snort -v -i eth2

The commands above will run Snort and just show the IP and TCP/UDP/ICMP headers, and nothing else.  

If you want to see the packet payload data, try the following:

root@bt:~#snort -vd -i eth2

The command above instructs Snort to display the packet payload data as well as the headers.

For an even more descriptive display, showing the data link layer headers (i.e., frames), use:

root@bt:~#snort -vde -i eth2

Snort has many other options, which can be displayed using the -h option:

root@bt:~#snort -h

B. Packet Logger Mode

In packet logger mode, Snort records the captured packets to a file. If you specify a logging directory using the -l option, Snort will automatically run in packet logger mode.

First, you need to create a directory called “slog” (you may use any name) under the current working directory as follows:

root@bt:~#mkdir slog

Then, you need to specify the log directory using the -l option as follows:

root@bt:~#snort -vde -i eth2 -l ./slog

This time, Snort will not print the captured packets to the screen, but saves them in a log file in the ./slog directory.

In the screen capture below, the Log directory is specified as “Log directory = ./slog” :

After stopping Snort with the Ctrl+C key combination, Snort prints summary statistics of the captured packets. When the directory ./slog is listed as follows:

root@bt:~#ls ./slog

the log file appears as snort.log.13335132405 in this case, as shown in the following picture:

By default, packets are captured in binary mode. Thus, the content of a log file can't be read by a text editor like nano. The -r option is used to read a binary log file. For example, the log file from the previous example can be read and redirected into a text file named log.txt as follows:

root@bt:~#snort -vde -r ./slog/snort.log.13335132405 > log.txt

You can use a text editor, like nano, to read the content of the captured packets as shown below:

Capturing Packets for a Host or a Network

In the previous examples, a target (host or network) is not specified. Therefore, Snort captures all packets passing through the interfaces. In the following activity, two computers, a Backtrack and a Windows 7, are used. Their host and network IP addresses are as follows:

                   Backtrack 5       Windows 7 (Target)
Host IP Address    192.168.1.11      192.168.1.49
Network ID         192.168.1.0/24    192.168.1.0/24

Note: You should use your own computers' IP addresses in the following steps and return a lab report. Please include your Backtrack 5 and Windows 7 computers' IP addresses at the beginning of your report using the following table.

First and Last Name    Backtrack 5    Windows 7 (Target)
Host IP Address
Network ID

  1. Start both your Backtrack 5 and Windows 7 virtual computers. In your Backtrack 5 system, open two terminals. In one terminal, create a directory called slog (if you have not created it before) as follows:

root@bt:~#mkdir slog

  2. In your Backtrack 5 machine, type the following command to capture packets for your Windows 7 machine:

root@bt:~#snort -v -l ./slog -h [Your Windows 7 IP]/32

For example, for the target 192.168.1.49, this command is:

root@bt:~#snort -v -l ./slog -h 192.168.1.49/32

Note: For the sake of brevity, we are capturing only the IP/TCP/UDP/ICMP headers (-v option), and the captured packets will be logged in the ./slog directory.

  3. While Snort is running in the first terminal, type the following commands in the second terminal to create some network traffic to your Windows 7 target machine (stop pinging after a few pings):

root@bt:~#curl <Your Windows 7 IP>

root@bt:~#ping <Your Windows 7 IP>

  4. In the terminal where Snort has been running, press Ctrl+C to stop Snort. Based on your capture summary, complete the following table and include it in your report.

Protocol    Number    Percent
ETH
IPV4
TCP
UDP
ICMP
ARP

  5. Type the following command to check for the log file:

root@bt:~#ls ./slog

  6. If a log file does not exist, you need to start over. You can access the content of the captured packets in various ways. In this case, you will use Wireshark. Start Wireshark from the command line as follows:

root@bt:~#wireshark

  7. Go to the File drop-down menu and select "Open." Then click on "root" under the "Places" menu and choose the /slog directory to open your log file as shown below:

  8. You should be able to see all captured packets in Wireshark as shown below:

  9. You will see many broadcast packets (aren't they annoying?). You can create a filter to filter out those packets. Simply right-click on one of them and then select Prepare A Filter | Not Selected as shown below. This way you create a filter without learning the complex Wireshark filter syntax (the green area in the Filter box). Finally, click Apply to apply the filter and remove all the annoying broadcast packets.

  10. After filtering out unnecessary packets, the remaining packets are easier to navigate. Typically, a packet includes: Ethernet Header, IP Header, TCP or UDP Header, Protocol Header, and Payload. To see the details of a header, just click (+) to expand the header. For example, the following figure illustrates the details of the TCP header for the HTTP packet from the Windows 7 machine (192.168.1.49) to the Backtrack machine (192.168.1.11):

In your lab report, include the screen capture of Wireshark where the three-way handshake takes place between your Windows 7 and Backtrack machines. You should see three packets back-to-back with the [SYN], [SYN, ACK] and [ACK] flags.

C. Network Intrusion Detection System (NIDS) Mode

Snort is a very capable packet sniffer and logger. However, the real function of Snort is not to capture all packets, but rather only the packets with particular signatures. Network security administrators craft Snort rules that tell Snort which packets to capture and what to do when a packet matching a rule is received. To enable Network Intrusion Detection System (NIDS) mode, so that you don't record every single packet sent down the wire, Snort should be run with a configuration file (-c option) as follows:

root@bt:~#snort -l ./slog -h 192.168.1.0/24 -c snort.conf

where snort.conf is the Snort configuration file. If a configuration file is specified, Snort applies the rules configured in the snort.conf file to each packet. Based on these rules, Snort decides whether an action should be taken or not. If an output directory is not specified, Snort saves the output to the directory /var/log/snort. Note that, in the example given above, Snort monitors the network 192.168.1.0/24.

If Snort is going to be used as an IDS, the -v option should not be used, for the sake of performance (there is no point in verbose output to the screen in an IDS system). Snort has various alert modes available at the command line. These modes are selected with the -A command-line switch as follows:

Option       Description
-A fast      Fast alert mode. Writes the alert in a simple format with a timestamp, alert message, and source and destination IPs/ports.
-A full      Full alert mode. This is the default alert mode and is used automatically if you do not specify a mode.
-A unsock    Sends alerts to a UNIX socket that another program can listen on.
-A none      Turns off alerting.
-A console   Sends "fast-style" alerts to the console (screen).
-A cmg       Generates "cmg style" alerts.

Creating a Simple Rule to Detect Ping Messages

In this activity, you will create a configuration file to alert if a host in the local network is pinged.

  1. In the current directory, use nano to create the snort.conf file:

root@bt:~#nano snort.conf

  2. In nano, type the following lines and save your file:

var HOME_NET <Your Network ID>/24

var EXTERNAL_NET any

alert icmp any any -> <Your Network ID>/24 any (msg:"Alert!Somebody pings"; sid:1;)

For the network 192.168.1.0, the snort.conf file should be as shown in the following figure, which also illustrates the meaning of the different parts of the Snort rule:

  3. Use Ctrl+X to exit nano and save the file.

  4. At the command line, type the following to start Snort with your configuration file:

root@bt:~#snort -A fast -l ./slog -c ./snort.conf

  5. Open another terminal window and ping 192.168.1.1 and 10.0.0.1. Use the -c option with the value 2 to send only two ping packets, as follows:

root@bt:~#ping 192.168.1.1 -c 2

root@bt:~#ping 10.0.0.1 -c 2

  6. Snort will create a file called alert in the directory ./slog. To display the content of this file, type:

root@bt:~#cat ./slog/alert

Your file should look like the following. Include a screen capture of the alert file in your report.

  7. Stop Snort using the key combination Ctrl+C.
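The alert file produced in step 6 is plain text, so it can be summarized with standard shell tools. The following script is an added example, not part of the CVCLAB handout: it assumes the Snort 2.x "-A fast" line layout (timestamp, [**] [gid:sid:rev] message [**], priority, {protocol}, source -> destination) and counts alerts per signature and address pair over a constructed sample file; the pings to 10.0.0.1 from step 5 never appear there, because that destination is outside the rule's <Network ID>/24.

```shell
#!/bin/sh
# Added example (not from the CVCLAB handout): summarise a Snort 2.x "-A fast"
# alert file such as ./slog/alert from the ping activity.
# Assumed fast-alert line layout, with the [**] markers acting as separators:
#   <timestamp>  [**] [gid:sid:rev] <message> [**] [Priority: N] {PROTO} <src> -> <dst>
# TCP/UDP alerts carry src:port and dst:port; the parser treats those the same.

# Constructed sample alert file: two pings of 192.168.1.1 from the Backtrack
# host (192.168.1.11) and one ping of the Backtrack host from the Windows 7
# target. The "ping 10.0.0.1" from step 5 produces no line, since 10.0.0.1 is
# not inside the rule's destination network.
make_sample_alert_file() {
    cat > "$1" <<'EOF'
04/03-10:15:02.123456  [**] [1:1:0] Alert!Somebody pings [**] [Priority: 0] {ICMP} 192.168.1.11 -> 192.168.1.1
04/03-10:15:03.124001  [**] [1:1:0] Alert!Somebody pings [**] [Priority: 0] {ICMP} 192.168.1.11 -> 192.168.1.1
04/03-10:15:09.500210  [**] [1:1:0] Alert!Somebody pings [**] [Priority: 0] {ICMP} 192.168.1.49 -> 192.168.1.11
EOF
}

# Print one line per distinct (signature, source, destination) triple, most
# frequent first:  <count> TAB <gid:sid:rev> TAB <message> TAB <src> -> <dst>
count_alerts() {
    awk '
    NF == 0 { next }                              # skip blank lines
    {
        split($0, part, /\[\*\*]/)                # part[2] = " [1:1:0] message ", part[3] = " [Priority: 0] {ICMP} src -> dst"
        m = split(part[2], w, " ")                # w[1] = "[1:1:0]", w[2..m] = message words
        sig = substr(w[1], 2, length(w[1]) - 2)   # strip the surrounding brackets
        msg = w[2]
        for (i = 3; i <= m; i++) msg = msg " " w[i]
        n = split(part[3], f, " ")                # last three fields are always: src "->" dst
        key = sig "\t" msg "\t" f[n-2] " -> " f[n]
        count[key]++
    }
    END { for (k in count) print count[k] "\t" k }' "$1" | sort -rn
}

# Stand-alone run: build the sample file and show the summary.
demo_file=$(mktemp)
make_sample_alert_file "$demo_file"
count_alerts "$demo_file"
rm -f "$demo_file"
```

Run it against the real file with `count_alerts ./slog/alert` to see at a glance which hosts triggered the rule most often; a `[Classification: ...]` field added by rules that set a classtype does not disturb the parser, because only the last three fields after the second [**] are used.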

As this example demonstrates, Snort rules can be crafted to trigger alerts or other actions (e.g., sending alert emails) in order to monitor suspicious network activity. Mastering Snort means learning how to write a variety of rules. Snort ships with many pre-configured rules, which you will analyze in the next activity.
