Intrusion Detection System Part 3: Snort
By Trevor Warren <trevor@freeos.com>
The main distribution site for Snort is http://www.snort.org. Snort is distributed under the GNU GPL license by its author, Martin Roesch. Snort is a lightweight network IDS, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and it can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and more. Snort uses a flexible rules language to describe traffic that it should collect or pass, and includes a detection engine utilizing a modular plug-in architecture. Snort has real-time alerting capability as well, incorporating alerting mechanisms for syslog, user-specified files, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient.

Snort has three primary uses. It can be used as a straight packet sniffer like tcpdump, or as a packet logger that is useful for network traffic debugging. It can also be used as a full-blown network intrusion detection system. Snort logs packets in either tcpdump binary format or in Snort's decoded ASCII format, to logging directories that are named based on the IP address of the foreign host. Plug-ins allow the detection and reporting subsystems to be extended. Available plug-ins include database logging, small fragment detection, portscan detection, and HTTP URI normalization.

Installing Snort

Having downloaded Snort, untar the archive and build it with the following commands:

    bash# tar -xvzf snort-1.6.3.tar.gz
    bash# ./configure
    bash# make

Though we do not need any of the binaries from this first build, it is a precautionary measure. Now we'll compile Snort against your libpcap headers. Change into the directory in which Snort lies and issue the following commands:

    bash# ./configure --with-libpcap-includes=/path/to/your/libpcap/headers
    bash# make
    bash# make install

Now Snort is installed on your system.

Using Snort

Let's start using Snort on your system. We'll start with the basics of using Snort as a packet sniffer and a packet analyser. Apart from running in promiscuous mode, we will also discover rules that help us log alerts to our Snort logs or redirect them to syslog. Using Snort as a packet sniffer and packet analyser is a pretty simple process, and the man pages are very helpful as far as information regarding using Snort is concerned. Let's start with a simple command that makes Snort display all of its command switches and then exit:

    bash# snort -?
    -*> Snort! <*-

Next we set Snort to a verbose display of the packets sniffed and analysed. The '-v' switch elicits a verbose response to stdout. The '-d' switch dumps the decoded application layer data, while '-e' shows the decoded Ethernet headers. The '-i' switch specifies the interface to be monitored for packet analysis. The '-h' switch specifies which class of network packets has to be captured; the command given below captures all the packets belonging to the class C internal IPs of the form 192.168.1.*. The '-A' switch selects the alert mode, 'fast' or 'full'.

    freeos:~ # snort -v -d -e -i eth0 -h 192.168.1.0/24 -A fast

The '-s' switch sends alert messages to syslog. On Linux boxes they will appear in /var/log/secure; on many other platforms they appear in /var/log/messages.

    freeos:~ # snort -v -d -e -i eth0 -h 192.168.1.0/24 -s

Until now we haven't seen any actual logging taking place; all the packets sniffed and analysed were just dumped to your screen. To have Snort write the packets it sniffs and analyses to your logs, use the '-l' switch. It dumps all the data regarding the packets analysed to the directory log in the current path. You will have to create this directory; do not expect Snort to create it at runtime.

    freeos:~ # snort -v -d -e -i eth0 -h 192.168.1.0/24 -A full -l ./log

But there is an inherent drawback to this type of packet analysis and reporting. Assume that you are using Snort on your Gigabit Ethernet. The speed at which data flows across the network is too much for your NIC working in promiscuous mode, and many packets will be dropped because Snort cannot keep pace with decoding and writing out such a large volume of high-speed traffic on your network segment. Thus, instead of using the '-l' switch alone, you should use the '-b' switch. This logs packets in tcpdump binary format and produces minimal alerts. For example:

    freeos:~ # snort -b -i eth0 -A fast -h 192.168.1.0/24 -s -l ./log

In this configuration, Snort has been able to log multiple simultaneous probes and attacks on a 100 Mbps LAN running at a saturation level of approximately 80 Mbps. The logs are written to the log directory in binary tcpdump format. To read such a file back and break out the data in the familiar Snort format, just re-run Snort on the data file with the '-r' option and the other options you would normally use; for example, reading the tcpdump-formatted log file ./log/snort-0123@1016.log with '-r' and '-l ./log' writes the decoded output in the normal Snort log format to the ./log directory.

Finally, to run Snort as a full network intrusion detection system, point it at a rules file with the '-c' switch:

    freeos:~ # snort -b -i eth0 -A fast -h 192.168.1.0/24 -s -l ./log -c ./rules.snort

For various rulesets that could be used along with Snort, take a look at http://www.snort.org/snort_rules.html.

Here ends our look at Snort. Following up will be another article that will help you ascertain the dangers your system logs are prone to, and the security measures you can put into place to prevent tampering with your precious system logs in case of a security breach.
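As an added example, not part of the original article or of the Snort project: the Python script below builds a small constructed capture in the libpcap binary format that '-b' writes, decodes it the way '-r' does (Ethernet and IP/TCP headers, a Snort-style TCP flag field, and the direction of each packet relative to a '-h 192.168.1.0/24' home network), and then applies one Snort 1.x style rule the way '-c' would. The home network, the sample addresses, the MAC addresses and the rule text are assumptions made for the example; the file layout follows the libpcap format, not anything Snort-specific.

```python
import ipaddress
import re
import struct

# Assumed home network, matching the article's "-h 192.168.1.0/24" example.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")
PCAP_MAGIC = 0xA1B2C3D4  # libpcap magic; little-endian file as written on x86


def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Construct a raw Ethernet/IPv4/TCP frame (sample data; checksums left zero)."""
    eth = bytes.fromhex("00aa00bb00cc" "00dd00ee00ff") + b"\x08\x00"  # dst MAC, src MAC, IPv4
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0x4000,
                     64, 6, 0, ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    return eth + ip + tcp + payload


def build_pcap(frames, ts=1000000000):
    """Write a libpcap file: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", ts + i, 0, len(frame), len(frame)) + frame
    return out


def sample_capture():
    """Constructed capture: SYN to a web server in HOME_NET, the SYN/ACK back,
    then a request carrying a cgi-bin URI (the kind of CGI probe the article mentions)."""
    return build_pcap([
        build_frame("10.0.0.5", "192.168.1.10", 40000, 80, 0x02),
        build_frame("192.168.1.10", "10.0.0.5", 80, 40000, 0x12),
        build_frame("10.0.0.5", "192.168.1.10", 40000, 80, 0x18,
                    b"GET /cgi-bin/test-cgi HTTP/1.0\r\n\r\n"),
    ])


def parse_pcap(data):
    """Yield (timestamp, frame bytes) for each record in a libpcap byte string."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def tcp_flags(low_byte):
    """Snort-style flag field: reserved bits '1','2' then U A P R S F, '*' when clear."""
    return "".join(n if low_byte & (0x80 >> i) else "*" for i, n in enumerate("12UAPRSF"))


def decode_frame(frame):
    """Decode Ethernet + IPv4 + TCP headers into a dict (None for anything else)."""
    dst_mac, src_mac, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    if ethertype != 0x0800 or frame[23] != 6:
        return None
    ihl, total_len = (frame[14] & 0x0F) * 4, struct.unpack_from("!H", frame, 16)[0]
    src, dst = ipaddress.ip_address(frame[26:30]), ipaddress.ip_address(frame[30:34])
    off = 14 + ihl
    sport, dport, _seq, _ack, doff_flags = struct.unpack_from("!HHIIH", frame, off)
    direction = {(True, True): "internal", (False, True): "inbound",
                 (True, False): "outbound"}.get((src in HOME_NET, dst in HOME_NET), "external")
    return {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
            "src": str(src), "dst": str(dst), "ttl": frame[22], "sport": sport, "dport": dport,
            "flags": tcp_flags(doff_flags & 0xFF), "direction": direction,
            "payload": frame[off + (doff_flags >> 12) * 4:14 + total_len]}


def decode_capture(data):
    """What snort -r does with a -b log: every decodable TCP/IP packet, in order."""
    return [r for r in (decode_frame(f) for _, f in parse_pcap(data)) if r is not None]


# Snort 1.x rule header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")


def parse_rule(line):
    """Parse one rule; only the msg: and content: options are understood here."""
    action, proto, src, sport, dst, dport, opts = RULE_RE.match(line).groups()
    o = dict(p.strip().split(":", 1) for p in opts.split(";") if p.strip())
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "msg": o.get("msg", "").strip().strip('"'),
            "content": o.get("content", "").strip().strip('"').encode()}


def _hdr_ok(rule, rec):
    """Header part of the rule: 'any' or a CIDR/address, 'any' or a single port number."""
    for spec, key in ((rule["src"], "src"), (rule["dst"], "dst")):
        if spec != "any" and ipaddress.ip_address(rec[key]) not in ipaddress.ip_network(spec, strict=False):
            return False
    for spec, key in ((rule["sport"], "sport"), (rule["dport"], "dport")):
        if spec != "any" and int(spec) != rec[key]:
            return False
    return rule["proto"] == "tcp"


def run_rules(data, rule_lines):
    """What snort -c does: (msg, src, dst) for every packet that a rule matches."""
    rules = [parse_rule(line) for line in rule_lines]
    return [(r["msg"], rec["src"], rec["dst"]) for rec in decode_capture(data)
            for r in rules if _hdr_ok(r, rec) and r["content"] in rec["payload"]]


# Assumed rule text for the example, in Snort 1.x syntax.
SAMPLE_RULES = ['alert tcp any any -> 192.168.1.0/24 80 (msg:"WEB-CGI test-cgi probe"; content:"/cgi-bin/test-cgi";)']

if __name__ == "__main__":
    cap = sample_capture()
    for rec in decode_capture(cap):
        print("%(src)s:%(sport)d -> %(dst)s:%(dport)d TCP TTL:%(ttl)d %(flags)s [%(direction)s]" % rec)
    print(run_rules(cap, SAMPLE_RULES))
```

Run it directly to see the three decoded records and the single rule hit on the cgi-bin request. Only the header fields and a plain content match are implemented; a real ruleset also carries options this script ignores, and the constructed frames leave IP and TCP checksums at zero, which is fine for decoding but would be reported by a real sniffer.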
© 1998-2004 FreeOS Technologies (I) Pvt. Ltd. All rights reserved.