Collaborative Virtual Computer Lab (CVCLAB)
Penn State Berks
Snort is a very well known intrusion detection system (IDS). Although it is free and open source, Snort is a powerful tool for detecting malicious attacks against individual hosts or networks. Essentially, Snort is a packet sniffer, like tcpdump or Wireshark: it listens on a network interface and captures the packets passing by. The power of Snort lies in its rule-based engine, which can filter packets, look for attack signatures, and alert on them.
Snort can be configured to run in three modes: sniffer mode, packet logger mode, and network intrusion detection system (NIDS) mode.
In sniffer mode, you run Snort at the command line; the Ctrl+C key combination stops it. The following command prints the TCP/IP packet headers to the screen:
root@bt:~#snort -v
In the command above, Snort listens to and captures packets from all interfaces.
If you would like to capture packets from the interface eth2 only, the -i option can be used to specify the interface as follows:
root@bt:~#snort -v -i eth2
The commands above run Snort and show only the IP and TCP/UDP/ICMP headers, nothing else.
If you want to see the packet payload data as well, add the -d option:
root@bt:~#snort -vd
The command above instructs Snort to display the packet payload data as well as the headers.
For an even more descriptive display, showing the data link layer headers (i.e., frames), add the -e option:
root@bt:~#snort -vde
Snort has many other options, which can be listed using the -h option.
root@bt:~#snort -h
In packet logger mode, Snort records the captured packets to a file. If you specify a logging directory using the -l option, Snort automatically runs in packet logger mode.
First, create a directory called “slog” (you may use any name) under the current working directory as follows:
root@bt:~#mkdir slog
Then, specify the log directory using the -l option as follows:
root@bt:~#snort -vde -i eth2 -l ./slog
This time, Snort will not print the captured packets to the screen, but will save them in a log file in the ./slog directory.
In the screen capture below, the log directory is reported as “Log directory = ./slog”:
After Snort is stopped with the Ctrl+C key combination, it prints summary statistics of the captured packets. When the directory ./slog is listed as follows
root@bt:~#ls ./slog
The log file appears as snort.log.13335132405 in this case as shown in the following picture:
By default, packets are logged in binary mode, so the content of a log file cannot be read with a text editor like nano. The -r option is used to read a binary log file. For example, the log file from the previous example can be read and redirected into a text file named log.txt as follows:
root@bt:~#snort -vde -r ./slog/snort.log.13335132405 > log.txt
You can use a text editor, like nano, to read the content of the captured packets as shown below:
In the previous examples, no target (host or network) is specified, so Snort captures all packets passing through the interfaces. In the following activity, two computers, a Backtrack 5 machine and a Windows 7 machine, are used. Their host and network IP addresses are as follows:
 | Backtrack 5 | Windows 7 (Target) |
Host IP Address | 192.168.1.11 | 192.168.1.49 |
Network ID | 192.168.1.0/24 | 192.168.1.0/24 |
Note: You should use your own computers’ IP addresses in the following steps and return a lab report. Please include your Backtrack 5 and Windows 7 computers’ IP addresses at the beginning of your report using the following table.
First and Last Name | Backtrack 5 | Windows 7 (Target) |
Host IP Address | | |
Network ID | | |
root@bt:~#mkdir slog
root@bt:~#snort -v -l ./slog -h [Your Windows 7 IP]/32
For example, for the target 192.168.1.49, this command is
root@bt:~#snort -v -l ./slog -h 192.168.1.49/32
Note: For the sake of brevity, we are capturing only IP/TCP/UDP/ICMP headers (-v option), and the captured packets will be logged in the ./slog directory.
root@bt:~#curl <Your Windows 7 IP>
root@bt:~#ping <Your Windows 7 IP>
Protocol | Number | Percent |
ETH | | |
IPV4 | | |
TCP | | |
UDP | | |
ICMP | | |
ARP | | |
root@bt:~#ls ./slog
root@bt:~#wireshark
In your lab report, include the screen capture of Wireshark where the three-way handshake takes place between your Windows 7 and Backtrack machines. You should see three packets back-to-back with the [SYN], [SYN, ACK] and [ACK] flags.
Snort is a very capable packet sniffer and logger. However, the real function of Snort is not to capture all packets, but to capture packets with particular signatures. Network security administrators craft Snort rules that dictate which packets Snort should capture and what to do when a packet matching a rule is received. To enable Network Intrusion Detection System (NIDS) mode, so that you don't record every single packet sent down the wire, run Snort with a configuration file (-c option) as follows:
root@bt:~#snort -l ./slog -h 192.168.1.0/24 -c snort.conf
where snort.conf is the Snort configuration file. If a configuration file is specified, Snort applies the rules configured in snort.conf to each packet and, based on these rules, decides whether an action should be taken. If an output directory is not specified, Snort saves its output to the directory /var/log/snort. Note that, in the example above, Snort monitors the network 192.168.1.0/24.
If Snort is going to be used as an IDS, the -v option should not be used, for the sake of performance (there is no point in verbose output to the screen when Snort runs as an IDS). Snort has various alert modes available at the command line. These modes are selected with the -A command line switch as follows:
Option | Description |
-A fast | Fast alert mode. Writes the alert in a simple format with a timestamp, alert message, source and destination IPs/ports. |
-A full | Full alert mode. This is the default alert mode and will be used automatically if you do not specify a mode. |
-A unsock | Sends alerts to a UNIX socket that another program can listen on. |
-A none | Turns off alerting. |
-A console | Sends “fast-style” alerts to the console (screen). |
-A cmg | Generates “cmg style” alerts. |
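To see what fast-mode alerts look like once they reach the alert file, here is an added Python example (not part of the lab handout) that parses Snort 2 "-A fast" lines, counts alerts per signature, and flags sources outside HOME_NET. The sample alert lines are constructed for this example, and the HOME_NET value 192.168.1.0/24 is the network used in the lab.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of a Snort 2 "-A fast" alert file (not captured in the lab): the first
# two lines are what the lab's ping rule produces, the third comes from an outside host.
SAMPLE_ALERTS = """\
04/05-10:23:45.123456  [**] [1:1:0] Alert!Somebody pings [**] [Priority: 0] {ICMP} 192.168.1.11 -> 192.168.1.1
04/05-10:23:46.125001  [**] [1:1:0] Alert!Somebody pings [**] [Priority: 0] {ICMP} 192.168.1.11 -> 192.168.1.1
04/05-10:24:02.000731  [**] [1:1:0] Alert!Somebody pings [**] [Priority: 0] {ICMP} 10.0.0.7 -> 192.168.1.49
"""

# One fast-mode line: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: n] {PROTO} src[:port] -> dst[:port].  Classification is optional (the lab's
# rule has no classtype) and ports are absent for ICMP.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_fast_alerts(text):
    """Return one dict per well-formed alert line; lines that do not parse are skipped."""
    return [m.groupdict() for m in (FAST_RE.match(l.strip()) for l in text.splitlines()) if m]

def summarize(alerts, home_net="192.168.1.0/24"):
    """Count alerts per (sid, msg) and list the source addresses that lie outside HOME_NET."""
    net = ip_network(home_net)
    by_sig = Counter((a["sid"], a["msg"]) for a in alerts)
    external_src = [a["src"] for a in alerts if ip_address(a["src"]) not in net]
    return by_sig, external_src

if __name__ == "__main__":
    by_sig, external = summarize(parse_fast_alerts(SAMPLE_ALERTS))
    for (sid, msg), n in by_sig.items():
        print(f"sid {sid} '{msg}': {n} alert(s)")
    print("alerts from sources outside HOME_NET:", external)
```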
In this activity, you will create a configuration file that raises an alert whenever a host in the local network is pinged.
root@bt:~#nano snort.conf
var HOME_NET <Your Network ID>/24
var EXTERNAL_NET any
alert icmp any any -> <Your Network ID>/24 any (msg:"Alert!Somebody pings"; sid:1;)
For the network 192.168.1.0, the snort.conf file should be as shown in the following figure, which also illustrates the meaning of the different parts of the Snort rule:
root@bt:~#snort -A fast -l ./slog -c ./snort.conf
root@bt:~#ping 192.168.1.1 -c 2
root@bt:~#ping 10.0.0.1 -c 2
root@bt:~#cat ./slog/alert
Your alert file should look as follows. Include a screen capture of the alert file in your report.
As this example demonstrates, Snort rules can be crafted to raise alerts or trigger other actions (e.g., sending alert emails) in order to monitor suspicious network activity. Mastering Snort means learning how to write a variety of rules. Snort ships with many pre-configured rules, which you will analyze in the next activity.
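As an added illustration (not from the lab handout), the following Python script reads the lab's snort.conf, interprets the rule header, and evaluates the two ping commands above, showing why the ping to 192.168.1.1 raises the alert while the ping to 10.0.0.1 does not. The configuration text is a constructed copy with the lab's 192.168.1.0/24 network filled in, and the matcher handles only "any" or a single port number in the port fields.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed copy of the lab's snort.conf with the handout's network filled in.  Only the
# rule header is evaluated; a port spec must be "any" or a single number (no ranges).
SNORT_CONF = """\
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
alert icmp any any -> 192.168.1.0/24 any (msg:"Alert!Somebody pings"; sid:1;)
"""
# Header layout: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def load_rules(conf_text):
    """Collect 'var' definitions and rule headers; $NAME in a header is resolved."""
    variables, rules = {}, []
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("var "):
            _, name, value = line.split(None, 2)
            variables[name] = value
        elif (m := RULE_RE.match(line)):
            r = m.groupdict()
            for key in ("src", "dst"):           # resolve $HOME_NET style references
                if r[key].startswith("$"):
                    r[key] = variables[r[key][1:]]
            msg = re.search(r'msg:"([^"]*)"', r["opts"])
            r["msg"] = msg.group(1) if msg else ""
            rules.append(r)
    return rules

def _addr_ok(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def _port_ok(spec, port):
    return spec == "any" or (port is not None and int(spec) == port)

def matching_rules(rules, proto, src, dst, sport=None, dport=None):
    """Return the msg of each rule whose header matches the packet (ICMP has no ports)."""
    return [r["msg"] for r in rules
            if r["proto"] in (proto, "ip")
            and _addr_ok(r["src"], src) and _port_ok(r["sport"], sport)
            and _addr_ok(r["dst"], dst) and _port_ok(r["dport"], dport)]
# The two pings from the lab: 192.168.1.1 is inside the rule's destination network, 10.0.0.1 is not.
rules = load_rules(SNORT_CONF)
print(matching_rules(rules, "icmp", "192.168.1.11", "192.168.1.1"))  # ['Alert!Somebody pings']
print(matching_rules(rules, "icmp", "192.168.1.11", "10.0.0.1"))     # []
```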