The open source network intrusion detection system.

Secure System Administration & Certification

Ravindra Pendyala

The main distribution site for Snort is http://www.snort.org

IDS & History of Snort

What is Snort?

Features of Snort

Snort Modes

Compiling & Installing Snort

Snort Rules

Snort in different Modes

Using Snort

Third Party Enhancements

Conclusion

Intrusion: An intrusion is somebody (A.K.A. "hacker" or "cracker") attempting to break into or misuse your system.

NIDS: network intrusion detection systems (NIDS) monitors packets on the network wire and attempts to discover if a hacker/cracker is attempting to break into a system (or cause a denial of service attack).

NIDS & History of Snort...

Snort was a true case of a programmer scratching his own itch. Here was Marty Roesch with his home network, wanting to see who, if anyone, was trying to penetrate it. This was a small and simple detection system for home useInitial Release on Dec 22 1998 - snort-0.96.tar.gz

Latest Release on Oct 3 - snort-1.9.0.tar.gz

Martin Roesch is the founder and CTO of Sourcefire, Inc.

What is Snort?

Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.

It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.

Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient.

Snort does NOT block intruders. Assumes a human is watching!!!

Snort in simple words …

• Automated tool to detect intrusions

• Works locally (reactionary) or network wide (preemptive)

• Preemptive IDS can use traffic monitoring or content monitoring

• Does NOT block intruders. Assumes a human is watching!!!

Operating Systems

i386 Sparc M68k/PPC

Alpha Other

X X X X X Linux

X X X OpenBSD

X X FreeBSD

X X Solaris

X X SunOS 4.1.X

X X HP-UX

X AIX

X IRIX

X TRU64

X MacOS X Server

X Win32

• “Lightweight”

• Free

• Portable

• Runs on HP-UX, Linux, AIX, Irix, *BSD, Solaris, Win2K

• Configurable with easy setup

Snort Modes

• Packet sniffer

• Packet Logger

• Preemptive IDS

- Actively monitors network traffic in real time to match intrusion signatures and send alerts

On Red Hat Linux 7.2, as root:

• Download and install libpcap

• Download and install these three .rpm:

libnet-1.0.2a-1snort.i386.rpm

snort-1.8.4-1snort.i386.rpm

snort-postgresql+flexresp-1.8.4-1snort.i386.rpm

Create /var/log/snort directory

Files installed:

• /etc/snort contains conf and rule files

• /var/log/snort will contain logs

• /usr/sbin/snort contains snort binary

• For a quick test, execute this command within the /etc/snort directory: snort –A console

• From a separate machine, use nmap to generate events for Snort to detect: nmap –sP <snort_machine_IP_address>

Installing on Windows 2000

•Download and install winpcap

•Download & execute Snort184Win32.exe, select “typical” installation

•mkdir “c:\Program Files\Sourcefire\Snort\log”

Files installed in c:\Program Files

Files\Sourcefire\Snort:

• snort.conf

• \rules directory contains rules

• Snort.exe executable

To test, execute this command within the c:\Program Files\Sourcefire\Snort directory:

• snort –A console

From a separate machine, use nmap to generate events for Snort to detect:

• nmap –sP <snort_machine_IP_address>

You should see an alert like this:

03/27-15:18:06.911226 [**] [1:469:1] ICMP PING NMAP [**]

[Classification: Attempted Information Leak] [Priority: 2]

{ICMP} 129.244.70.17 -> 129.244.70.237

Installing Snort

Snort rules are extremely flexible and are easy to modify, unlike many commercial NIDS

• Sample rule

alert udp $EXTERNAL_NET 53 -> $HOME_NET :1024 (msg:"MISC source port 53 to <1024";)

Rule alerts that anything from the external network coming in from port 53 and going to port 1024 should be flagged

• Elements before parentheses comprise ‘rule header’

• Elements in parentheses are ‘rule options’

• Rules can: Alert, Log, or Pass

• Used for IP, UDP, ICMP

• Source address / port

• Destination address / port

• Additional options

- This is where content matching can take place

• bad-traffic.rules exploit.rules scan.rules

• finger.rules ftp.rules telnet.rules

• smtp.rules rpc.rules rservices.rules

• dos.rules ddos.rules dns.rules

• tftp.rules web-cgi.rules web-coldfusion.rules

• web-frontpage.rules web-iis.rules web-misc.rules

• web-attacks.rules sql.rules x11.rules

• icmp.rules netbios.rules misc.rules

• backdoor.rules shellcode.rules policy.rules

• porn.rules info.rules icmp-info.rules

• virus.rules local.rules attack-responses.rules

Luckily you probably won’t have to write rules!

Snort Modes• Sniffer: snort –dvae will be display payloads,

be verbose, display arp traffic, and display link layer data

• Packet Logger: snort –b –l /var/log/snort will log binary data to the /var/log/snort

directory• NIDS: snort –b –l /var/log/snort –A full –c

/etc/snort/snort.conf will log binary data in the /var/log/snort directory, with full alerts in /var/log/snort/alert, reading the configuration file in /etc/snort

SnortSnarf www.silicondefense.com/software/snortsnarf/

• SnortSnarf is a Perl program to take files of alerts from the Snort to produce HTML reports

• Output intended for diagnostic inspection

• Silicon Defense also supplies sensors with commercial support

• Description and screenshot taken from SnortSnarf web

Analysis Console for Intrusion Databases (ACID)

• acidlab.sourceforge.net/

• PHP-based analysis engine to search and process a database of security events generated by various IDSes, firewalls, and network monitoring tools

• Query-builder and search interface, packet viewer (decoder), alert management, chart and statistics generation.

• Description and screenshots taken from ACID web

Conclusions

Snort is a powerful tool, but maximizing its usefulness requires a trained operator

Snort is considered a superior NIDS when compared to most commercial systems

Snort is a wonderful low to no cost solution for businesses.

Snort, written in C, can compile and run on variety of different Operating Systems.

Snort.org

Securityfocus.com

Whitehats.com

Questions?