Snort Cookbook

By Angela D. Orebaugh, Simon Biles, Jacob Babbin


Table of Contents

Chapter 1: Installation and Optimization
Introduction
Every journey begins with a single step; with Snort, that step is installation. Snort is a powerful tool under the right conditions, and throughout this book, we fully intend to help you make the most of it. This chapter is dedicated to getting started: the steps required to install Snort onto your system, suggestions about how best to place your IDS sensors, and suggestions about how to connect it. If you already have a working installation, we still suggest skimming through this chapter to see if there are any ways you might be able to optimize your solution. I know someone who reads culinary cookbooks all the time, and yet rarely actually follows a recipe. Cookbooks are like that: they are a source of ideas—a way of trying combinations that you might not have considered before. But unless the recipe title appeals to you, there is no need to read it right away. Just remember that you've seen it; you can always come back later.
The recipes in this book are based on the latest stable version of Snort at the time of this writing: Version 2.2.x. We're aware that 2.3.0 is under development; however, it is not stable enough to use. When appropriate, we address new features that are being incorporated into Version 2.3.0.
Additional content appearing in this section has been removed.
Purchase this book now or read it online at Safari to get the whole thing!
Installing Snort from Source on Unix
You want to install Snort from source on a Unix-type operating system.
To install from source, download it from the Snort web site (http://www.snort.org). Uncompress, unpack, compile, and install by using the following commands:
tar xzf snort-2.2.0.tar.gz
cd snort-2.2.0
./configure
make
And then as root:
make install
Installing from source is nearly as easy as installing from precompiled packages, and it works across all Unix platforms. There is also a lot more flexibility in the options you can choose. First of all, you need to download the latest source tar file from snort.org. At this point, if possible, you should ensure that the source has not been meddled with; you can do this by verifying the published checksum with the MD5 utilities.
[simon@frodo downloads]$ md5sum snort-2.2.x.tar.gz
6194278217e4e3f733b046256a31f0e6 *snort-2.2.x.tar.gz
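Added example (not code from the book): a Python helper that applies the checksum step above before unpacking, parsing the md5sum line format shown and refusing to extract an archive whose members would land outside the target directory. The tarball it builds is a constructed stand-in for snort-2.2.0.tar.gz, and all function names are this example's own.

```python
import hashlib
import os
import re
import tarfile
import tempfile

# One line of "md5sum file" output, as on the page: 32 hex digits, whitespace,
# an optional '*' (binary mode), then the filename.
MD5_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(\S.*)$")


def parse_md5sum_line(line):
    """Return (digest, filename) from an md5sum output line."""
    m = MD5_LINE.match(line.strip())
    if not m:
        raise ValueError("not an md5sum line: %r" % line)
    return m.group(1).lower(), m.group(2)


def md5_of_file(path, chunk=1 << 16):
    """Stream the file through MD5 so a large tarball need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def checksum_matches(path, md5sum_line):
    """True if the file's digest equals the one published for that filename."""
    expected, name = parse_md5sum_line(md5sum_line)
    if os.path.basename(name) != os.path.basename(path):
        raise ValueError("checksum line names %s, not %s" % (name, path))
    return md5_of_file(path) == expected


def unsafe_members(tar):
    """Archive members that would write outside the extraction directory."""
    bad = []
    for m in tar.getmembers():
        parts = os.path.normpath(m.name).split(os.sep)
        if os.path.isabs(m.name) or ".." in parts:
            bad.append(m.name)
        elif m.issym() and (os.path.isabs(m.linkname) or ".." in m.linkname.split("/")):
            bad.append(m.name)
    return bad


def verify_and_extract(tarball, md5sum_line, dest):
    """Unpack only when the checksum matches and no member escapes dest.

    Returns the sorted member names that were extracted."""
    if not checksum_matches(tarball, md5sum_line):
        raise RuntimeError("MD5 mismatch for %s; do not build it" % tarball)
    with tarfile.open(tarball, "r:gz") as tar:
        bad = unsafe_members(tar)
        if bad:
            raise RuntimeError("refusing to extract unsafe members: %s" % bad)
        # Newer Pythons offer a 'data' filter that also rejects escaping members.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)
        return sorted(m.name for m in tar.getmembers())


def make_sample_tarball(workdir):
    """Constructed stand-in for snort-2.2.0.tar.gz: a tiny tree with a configure script."""
    src = os.path.join(workdir, "snort-2.2.0")
    os.makedirs(src, exist_ok=True)
    with open(os.path.join(src, "configure"), "w") as f:
        f.write("#!/bin/sh\necho configured\n")
    tarball = os.path.join(workdir, "snort-2.2.0.tar.gz")
    with tarfile.open(tarball, "w:gz") as tar:
        tar.add(src, arcname="snort-2.2.0")
    return tarball


def demo():
    """Build the sample, verify and unpack it, then show a wrong digest being rejected."""
    work = tempfile.mkdtemp()
    tarball = make_sample_tarball(work)
    good_line = "%s *%s" % (md5_of_file(tarball), os.path.basename(tarball))
    members = verify_and_extract(tarball, good_line, os.path.join(work, "build"))
    # A digest that does not match (tampered download or tampered checksum file)
    # must stop the process before anything is written to disk.
    bad_line = "0" * 32 + " *snort-2.2.0.tar.gz"
    try:
        verify_and_extract(tarball, bad_line, os.path.join(work, "build2"))
        rejected = False
    except RuntimeError:
        rejected = True
    return members, rejected


if __name__ == "__main__":
    print(demo())
```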
The source is a tarred gzip file; to extract it, enter the following at a command prompt:
[simon@frodo downloads]$ gunzip snort-2.2.x.tar.gz
[simon@frodo downloads]$ tar -xvf snort-2.2.x.tar
You'll then see the entire list of filenames scroll past as they are decompressed and extracted. This creates a directory structure under the current directory; in this case, the base directory is ./snort-2.2.0/. Change into this directory. At this point, if you wish to perform an ordinary installation, type the following:
[simon@frodo snort-2.2.x]$ ./configure
This will create the Makefile optimized for your architecture. There are a number of options that you can specify to configure; these are listed in Table 1-1. They include options for specifying switches for the compilers as well as turning on support for certain features.
Table 1-1: Snort configure options
Installing Snort Binaries on Linux
You want to run Snort on a Unix machine but don't want to compile from source.
To install from an RPM, download the latest version of the RPM from the Snort web site (http://www.snort.org), then as root, type the following:
rpm -ivh snort-2.2.x-x.i386.rpm
Replace the filename with the name of the latest version.
To install from a Debian package, download the latest version of the DEB package, then as root, type the following (replacing the filename with the name of the latest version):
dpkg -i snort-2.2.x.deb
IDSs depend critically on efficiency. The precompiled packages are easy and quick, but they are not optimized for your exact hardware. If you start to hit performance-related issues with your binary install, try recompiling from source, which may solve the problem.
Snort.org includes several Red Hat Package Manager (RPM) distributions for download. RPMs are compatible with a number of other Linux distributions (SuSE and Mandrake spring immediately to mind). You have a choice of several RPMs, each with various options enabled. Unless you know what you're looking for, choose the plain Snort-version.i386.rpm file. Download the RPM, and then as root, execute the following command (the -ivh option means "install verbose hash"):
[root@frodo root]# rpm -ivh snort-2.2.x-x.i386.rpm
Preparing...     ########################################### [100%]
   1:snort       ########################################### [100%]
The Debian packages are available from various sources online. You should choose a reputable source for your packages whenever possible. Once you have downloaded your Debian package, use the Debian package manager tool, dpkg, to install the packages.
root@frodo:/root# dpkg --install snort-2.2.x.deb
Installing Snort on Solaris
You want to run Snort on a Solaris system.
To install Snort from a Solaris package, download the latest version of the libpcap and Snort packages from the Sunfreeware web site, http://www.sunfreeware.com, then as root, type the following (replacing the filename with the name of the latest version):
# gunzip libpcap-0.8.3-sol9-sparc-local.gz
# gunzip snort-2.1.0-sol9-sparc-local.gz
# pkgadd -d libpcap-0.8.3-sol9-sparc-local
# pkgadd -d snort-2.1.0-sol9-sparc-local
Confirm the installation of each package by pressing Enter.
You may also need to install the PCRE library by using the following commands:
# gunzip pcre-4.5-sol9-sparc-local.gz
# pkgadd -d pcre-4.5-sol9-sparc-local
You can also install Snort from source, which is the recommended method.
You will need the gzip package to use gunzip to uncompress the packages. This can be downloaded from the Sunfreeware web site.
Installing software from the Solaris packages is similar to installing from RPMs. Solaris packages can be downloaded from http://www.sunfreeware.com and from a variety of mirror sites. You can perform a web search on "sunfreeware" to find mirror sites, in the event that the main site is overloaded or unavailable. Make sure you download the correct package for your version of Solaris and the platform, Intel or Sparc. Note that packages tend to lag behind the current source version. At the time of this writing, the latest Snort Solaris package version is Snort 2.1.0. For this reason, you should install Snort from the source code to ensure you are using an up-to-date version.
Prior to installing Snort, make sure you have the latest version of libpcap installed. You can install libpcap from source code or from the Solaris package. To install Solaris packages, you must have root privileges. Make sure you are logged in as root or switch to root by typing
Installing Snort on Windows
You want to install Snort on your Windows machine.
Before you install Snort, you must download and install the WinPcap driver:
  1. Download the WinPcap driver from http://WinPcap.polito.it/install/default.htm. The latest stable version of WinPcap at the time of this writing is Version 3.0.
  2. Double-click on the install file—WinPcap_3_0.exe, in this case—to launch the installation.
  3. The Welcome to the Installation Wizard window appears. Click Next to continue.
  4. You are presented with the license agreement. Click on the box labeled "Yes, I agree with all the terms of this license agreement," and then click Next to continue.
  5. The WinPcap installation status appears on the screen, and you are presented with the Readme Information window. Click Next to continue.
  6. Last, you'll see the Installation Complete window stating that WinPcap 3.0 has been successfully installed. Click OK to exit the installation.
  7. Next, it is a good practice to reboot after installing the WinPcap drivers.
Now that WinPcap is installed, continue with the Snort installation:
  1. Download the Snort executable file from http://www.snort.org/dl/binaries/win32. The latest stable version of Snort at the time of this writing is Version 2.2.0.
  2. Double-click on the install file—snort-2_2_0.exe, in this case—to launch the installation.
  3. You are presented with the GNU General Public License agreement (Figure 1-1). Once you have read and accepted the terms of the agreement, click I Agree.
Uninstalling Snort from Windows
You want to uninstall Snort from your Windows machine.
To uninstall Snort from your Windows operating system, you can follow these simple steps:
  1. Use Windows Explorer to navigate to the Snort directory. Unless you specified otherwise, this is C:\Snort by default.
  2. Double-click on the Uninstall.exe file to launch the uninstallation.
  3. The Uninstall Snort window informs you of the Snort location that is to be uninstalled (Figure 1-8). Click Uninstall to continue.
    Figure 1-8: Uninstall Snort window
  4. If you have not installed Snort as a Windows service, a window appears stating "Snort not installed as a service." Click OK to continue.
  5. You see the progress of the Snort uninstall continue in the window. Once the uninstallation is complete, you see the Finished window stating that the "Uninstall was completed successfully" (Figure 1-9). Click Show Details to see the details of the uninstallation. Click Close to close this window.
Figure 1-9: Successful Uninstall window
You may also want to uninstall the WinPcap driver. If you are using other sniffers or packet-crafting programs such as Ethereal, Windump, or Nmap, you will not want to uninstall WinPcap. To uninstall WinPcap:
  1. Use Windows Explorer to navigate to the default WinPcap directory: C:\Program Files\WinPcap.
Installing Snort on Mac OS X
You want to install Snort on a Mac OS X machine.
You can install from source as detailed in "Installing Snort from Source on Unix." For a binary installer, use HenWen, a Snort GUI for Mac OS X that comes with a precompiled Snort binary.
To install HenWen, download the disk image from http://seiru.home.comcast.net/henwen.html. Mount the disk image, and copy the files to your hard disk.
You can either install from source through a terminal in the same way as in Recipe 1.1 (making use of sudo instead of actually becoming root), or you can install using HenWen.
HenWen (available from http://seiryu.home.comcast.net/henwen.html) is a GUI for Snort that includes a fully precompiled version of Snort, optimized to run on Mac OS X.
Installation of HenWen couldn't be simpler. The download is a gzipped disk-image, so as soon as the download is complete, it automatically decompresses and mounts the disk image (see Figure 1-10).
Figure 1-10: HenWen installation
The remainder of the installation entails copying HenWen and LetterStick to a place on your hard disk. Use and configuration of HenWen is covered in depth in Chapter 5.
Recipe 1.2
HenWen documentation (http://seiryu.home.comcast.net/henwen.html)
Uninstalling Snort from Linux
You need to uninstall Snort.
If you installed Snort using an RPM file, uninstalling is simple. First, determine the RPM installation name by typing the following:
[root@frodo root]# rpm -q snort
snort-2.2.0-1
Then use the RPM erase option:
[root@frodo root]# rpm -e snort-2.2.0-1
All gone!
With the source version, it is just as simple, provided you kept your source tree. In the directory that contains the Makefile, as root, type:
[root@frodo snort-2.2.0]# make uninstall
And it automatically uninstalls.
Earlier versions of Snort have no make uninstall target; look through the Makefile, which tells you what files have been installed where, and then delete them by hand.
Alternatively, if you had the foresight to install all of Snort into a specified directory, rm -rf is also a very effective method of removing all traces.
Don't forget that if you have modified your startup scripts to start a Snort daemon, these need to be changed to reflect the removal of Snort.
If you have not kept your source around, you can install the source, recompile it, and run make install, followed by make uninstall to uninstall.
Recipe 1.2
RPM utility manpage
Upgrading Snort on Linux
You need to upgrade from an older version of Snort to the most recent version.
Before you carry out any of the following upgrade methods, make a copy of any configuration files that you wish to retain.
If you are using RPM as the install method, use the upgrade switch:
[root@frodo root]# rpm -Uvh snort-2.2.0-1.i386.rpm
Preparing...       ########################################### [100%]
   1:snort         ########################################### [100%]
From source, you can just carry out a standard install. This will upgrade all necessary files.
It is good to keep your installation up to date; Snort is maintained quite regularly, and past upgrades have fixed many problems, while also improving performance and functionality.
The previous upgrade method is not supposed to overwrite any modified configuration or rules files left in the normal locations (e.g., /etc/snort/snort.conf). However, it is good practice to ensure that you back up your snort.conf file and your rules files before you upgrade. You can then replace your edited versions after the binaries have been upgraded, should anything untoward happen.
Recipe 1.2
RPM utility manpage
Monitoring Multiple Network Interfaces
You want to monitor more than one network interface.
Use more than one instance of Snort, each monitoring a separate interface.
Alternatively, combine your NICs into a single "bridged" unit.
It is perfectly possible to run more than one instance of Snort. Using this method, you just assign a separate Snort process to watch each interface that you are interested in, each with its own configuration file.
The bridging option was primarily developed as a method to allow a Linux machine to act as a bridge between networks. It allows two network cards to be aggregated into a single entity. Before progressing down this route, consider reading the documentation available on the Sourceforge home page for the project, available here: http://bridge.sourceforge.net.
Assuming that bridging is built into your kernel, this is how you would go about implementing it. First, clear the IP addresses on the interfaces you are trying to bridge (you can use more than two):
[root@frodo root]# ifconfig eth0 0.0.0.0
[root@frodo root]# ifconfig eth1 0.0.0.0
Use the bridging commands to create a bridge container:
[root@frodo root]# brctl addbr snort_bridge
Add the interfaces to the container:
[root@frodo root]# brctl addif snort_bridge eth0
[root@frodo root]# brctl addif snort_bridge eth1
Then bring the bridge online:
[root@frodo root]# ifconfig snort_bridge up
To make use of the bridge, include it as the interface argument to Snort:
[root@frodo root]# snort -v -i snort_bridge
Running in packet dump mode
Log directory = /var/log/snort
Initializing Network Interface snort_bridge
The options that you use really depend on the reasons for needing more than one port. If you are listening to more than one range of IP addresses, it makes sense to run an instance per IP range. However, if you are tapping a full duplex link or a link that is faster than the network cards (gigabit tapping with 100 MB cards, for example), using bridged networking is a better option.
Invisibly Tapping a Hub
You want to listen in from a hub without showing up on the network.
You can connect Snort to the hub using a receive-only Ethernet cable.
To make the cable, take a normal Ethernet cable and carefully split it somewhere along its length. Carefully extract the pin-one line (on most normal Ethernet cables, this will be white with an orange stripe), snip the line, and solder in a 23 pF capacitor.
You can turn off the IP address using ifconfig, but shutting down the IP address is only one step. It is possible to make a network card respond to protocols below the IP stack level. Protocols such as ARP and ICMP do not cease to function just because you have the IP address turned off; this could allow a skilled intruder to detect an otherwise hidden IDS.
If you are trying to keep things simple, remember that an IP address is not the only way to detect an IDS. Other aspects of the system may show an IDS, such as network traffic sending alerts, names of systems in DNS that either include IDS in the name or appear suspect, and the behavior of active response systems that indicate that something is listening.
Snort online documentation, "IDS Deployment Guides" (http://www.snort.org/docs/)
Invisibly Sniffing Between Two Network Points
You want to insert a tap between two particular points on your network.
Construct a passive tap.
A passive tap is slightly more complex than the receive-only Ethernet cable. You require a four-port Ethernet housing, four category 5e modular snap-in jacks, and a bit of category 5e cabling.
  1. Take a small length of your cabling, strip off the outer coating, and separate the eight internal wires. Partially assemble the Ethernet housing by snapping the jacks into place.
  2. Number the ports 1 to 4 from the left and the pins on each 1 to 8 from the left.
  3. Starting with the orange wire from your separated cable, connect it to pin 1 in jack 1, and run it through pin 6 in jack 2 to pin 1 on jack 4.
  4. Run the white wire with the orange stripe from pin 2 in jack 1 through pin 3 in jack 2 to pin 2 in jack 4.
  5. Run the white wire with the green stripe from pin 3 on jack 1 through pin 3 on jack 3 to pin 3 on jack 4.
  6. Run the white wire with the blue stripe from pin 4 on port 1 straight to pin 4 on port 4.
  7. Run the solid blue wire straight from pin 5 on port 1 to pin 5 on port 5.
  8. Run the solid green wire from pin 6 in port 1 through pin 6 in port 3 to pin 6 in port 4.
  9. Run the solid brown wire from pin 7 in port 1 to pin 7 in port 4.
  10. Run the white wire with the brown stripe from pin 8 in port 1 to pin 8 in port 4.
You can see an example in Figure 1-11.
Invisibly Sniffing 100 MB Ethernet
You need to record all traffic across a full duplex connection.
There are two ways to do this. Both require the use of the passive tap constructed in "Invisibly Sniffing Between Two Network Points."
If you have a Snort machine with multiple network interfaces, combine their use into a full duplex dump using either of the ways outlined in "Monitoring Multiple Network Interfaces." If your Snort machine has only one network interface, using the passive tap, run both lines to a small hub. Then from another port of the hub, run a cable to your IDS. This will combine and maybe even buffer the traffic for the IDS and give a full duplex connection.
This tap would be useful across an uplink between two switches. It is invisible on the network, as it cannot transmit. This can also be used inline between hosts or between a switch and a host, narrowing down the traffic analyzed to only that going to and from a specific host.
You should also note that a 100 M hub is capable of handling only 100 M, whereas a 100 M switch may well be capable of handling 200 M duplex connections. This wouldn't usually be a problem, as most networks won't run anywhere near capacity, but you should consider the possibility of packet loss.
Snort online documentation, "IDS Deployment Guides" (http://www.snort.org/docs/)
Sniffing Gigabit Ethernet
How can I use Snort to sniff Gigabit Ethernet network(s)?
There are several commercial applications available to help sniff traffic at high speed, such as load balancers, sniffing switches, and regenerative taps. Another option is to filter or limit the amount and type of traffic that your high-speed sensors have to analyze. Lastly, you could use several of the OS and libpcap sniffing modifications to help your sensors still function at those speeds.
While there is no silver bullet for all networks, several networks that one of the authors has worked on monitor 1 to 2 GB networks. There are several things to consider when tasked with monitoring "GigE" networks.
  • Using a stock kernel is almost never an option. With every OS, there is a load of unneeded software that will affect the performance of the machine. For straight-out-of-the-box performance, any of the *BSD systems seem to be visibly far ahead of the stock Linux or System V systems at the higher speed.
  • Use tried and tested networking cards. With some NICs, you can "cheat" the network with such things as caching network traffic before passing it to the OS, filtering, and a modified libpcap built right into the card. One such vendor is Endace (www.endace.com), whose product is a high-performance PCI NIC.
  • Filtering. While you might want to capture full packet dumps from all traffic on your network, this might not be possible. For example, if all the users on your network are forced through a web proxy, you have logs of all web traffic anyhow. You don't need to capture on those ports other than Snort alert packets. A policy-based IDS solution is sometimes perfect as one layer of your IDS architecture. This is discussed in detail in "Monitoring a Network using Policy-based IDS" in Chapter 7, but it just means that you ignore normal traffic and alarm on unusual traffic. For example, ignore all port 80 traffic to and from your web server, but alarm on any other port in use coming from the web server.
Tapping a Wireless Network
You are running a wireless network and you need to secure it.
Snort itself is incapable of sniffing a wireless network. A possible workaround is to use a wireless switch, and use an uplink or span port on it to collect the data.
It is advisable to use Snort to monitor the packets that come off your wireless network, because you have no physical control over who can and can't connect to the network, making it a far more risky environment than your normal network. A good wireless switch will allow you to monitor all traffic through either an uplink port or a span port, and then you can use Snort in the same way as on a normal network.
There are other tools available on the Internet that allow you to sniff wireless connections:
AirSnort (http://airsnort.shmoo.com/)
Despite its similar name, AirSnort has nothing to do with Snort apart from being a packet sniffer.
Snort-Wireless (http://www.wireless-snort.org/)
This set of patches for Snort allows Snort to natively sniff wireless networks.
AirSnort online docs (http://airsnort.shmoo.com/)
Snort-Wireless (http://www.snort-wireless.org/)
Positioning Your IDS Sensors
Where do I position my IDS sensors?
Ideally you would position a number of IDS sensors in different locations, each of which covers a particular area of threat within your organization.
Some locations you should consider:
  • Monitor any points of external access to the network (Internet, wireless, and VPN, for example).
  • Ideally, you want to monitor both sides of any filtering tool.
  • Monitor any DMZ area.
  • Ideally, you want to monitor both sides if any machines are multihomed.
  • Monitor any critical and/or vulnerable services (e.g., mail-, web-, and database-related services).
  • Monitor any internal network connections between subnets.
  • Monitor the internal network in general for internal problems.
The following sections provide some case studies for you to consider.

Small business (or geek at home)

The scenario shown in Figure 1-12 has one point of entry. It doesn't contain many computers, and there are not a lot of complicated services running. Most traffic comes from file transfers, web access, and email. There is little to no risk of employee-related attack. The sensible way to monitor this network is to place the IDS inside the firewall, at the point of access to the network. This will catch potential issues that have passed through the firewall.
Figure 1-12: A home network

Medium-sized business

Capturing and Viewing Packets
You want to use Snort to capture and view packets in real time to monitor network traffic.
To see the TCP and IP packet header information, use the -v option:
C:\Snort\bin>snort -v
To see application-layer headers, use the -d option. To see the data link-layer headers, use the -e option. You can use all three command-line options together:
C:\Snort\bin>snort -dev
Snort is an efficient and effective packet sniffer for capturing and viewing network traffic. The output follows a typical sniffer text format like TCPDump or Ethereal.
You can use Snort to view network traffic by providing the necessary command-line options. The simplest way is to provide the -v (verbose) command-line option. However, this shows you only the TCP and IP packet header information, as in the following:
C:\Snort\bin>snort -v
Running in packet dump mode
Log directory = log

Initializing Network Interface \Device\NPF_{572FF0E6-9A1E-42B5-A2AF-A5A307B613EF}

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface \Device\NPF_{572FF0E6-9A1E-42B5-A2AF-A5A307B613EF}

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.2.0-ODBC-MySQL-FlexRESP-WIN32 (Build 30)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike@datanerds.net, www.datanerds.net/~mike)
1.8 - 2.x WIN32 Port By Chris Reid (chris.reid@codecraftconsultants.com)

09/14-11:16:50.213014 192.168.100.70:1051 -> 216.155.193.130:5050
TCP TTL:128 TOS:0x0 ID:39709 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0xDA7FD499  Ack: 0x17EA2F6B  Win: 0x4121  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/14-11:16:50.231051 192.168.100.70:1052 -> 205.188.5.252:5190
TCP TTL:128 TOS:0x0 ID:39710 IpLen:20 DgmLen:46 DF
***AP*** Seq: 0xDA819839  Ack: 0xFC65B33A  Win: 0x422F  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
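As an added example (not code from the book), the packet-dump output above can be parsed into records: it decodes Snort's eight-position TCP flag string (12UAPRSF, with * for clear bits) and tallies packets per destination, a first step toward spotting a host talking to unexpected services. The sample text is the page's two packets; the function names are this example's own, and it handles the TCP layout shown (ICMP records, which carry no ports, are parsed header-only).

```python
import re
from collections import Counter

# Two packets from the "snort -v" output on the page, embedded here as sample input.
SAMPLE_DUMP = """\
09/14-11:16:50.213014 192.168.100.70:1051 -> 216.155.193.130:5050
TCP TTL:128 TOS:0x0 ID:39709 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0xDA7FD499  Ack: 0x17EA2F6B  Win: 0x4121  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/14-11:16:50.231051 192.168.100.70:1052 -> 205.188.5.252:5190
TCP TTL:128 TOS:0x0 ID:39710 IpLen:20 DgmLen:46 DF
***AP*** Seq: 0xDA819839  Ack: 0xFC65B33A  Win: 0x422F  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

# First line of a record: timestamp, then src[:port] -> dst[:port] (ports absent for ICMP).
HEADER = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$")
# Second line: IP header fields; trailing tokens such as DF are the fragment flags.
IP_LINE = re.compile(
    r"^(?P<proto>\w+)\s+TTL:(?P<ttl>\d+)\s+TOS:(?P<tos>0x[0-9A-Fa-f]+)\s+ID:(?P<id>\d+)"
    r"\s+IpLen:(?P<iplen>\d+)\s+DgmLen:(?P<dgmlen>\d+)(?P<rest>.*)$")
# Third line for TCP: eight flag positions, then seq/ack numbers, window and header length.
TCP_LINE = re.compile(
    r"^(?P<flags>[12UAPRSF*]{8})\s+Seq:\s*(?P<seq>0x[0-9A-Fa-f]+)\s+Ack:\s*(?P<ack>0x[0-9A-Fa-f]+)"
    r"\s+Win:\s*(?P<win>0x[0-9A-Fa-f]+)\s+TcpLen:\s*(?P<tcplen>\d+)$")


def decode_flags(field):
    """Snort prints TCP flags as 12UAPRSF (two reserved bits, URG, ACK, PSH, RST, SYN, FIN)
    with '*' for bits that are clear; return the set of bits that are set."""
    return frozenset(c for c in field if c != "*")


def parse_record(lines):
    """Parse one record (the lines between two =+=+ separators) into a dict, or None."""
    if not lines:
        return None
    head = HEADER.match(lines[0])
    if not head:
        return None
    rec = {"ts": head["ts"], "src": head["src"], "dst": head["dst"],
           "sport": int(head["sport"]) if head["sport"] else None,
           "dport": int(head["dport"]) if head["dport"] else None}
    for line in lines[1:]:
        ip = IP_LINE.match(line)
        if ip:
            rec.update(proto=ip["proto"], ttl=int(ip["ttl"]), ip_id=int(ip["id"]),
                       dgmlen=int(ip["dgmlen"]), df="DF" in ip["rest"].split())
            continue
        tcp = TCP_LINE.match(line)
        if tcp:
            rec.update(flags=decode_flags(tcp["flags"]), seq=int(tcp["seq"], 16),
                       ack=int(tcp["ack"], 16), win=int(tcp["win"], 16),
                       tcplen=int(tcp["tcplen"]))
    return rec


def parse_packet_dump(text):
    """Split the dump on the =+=+ separator lines and parse every record."""
    records, block = [], []
    for line in text.splitlines():
        if line.startswith("=+=+"):
            rec = parse_record(block)
            if rec:
                records.append(rec)
            block = []
        elif line.strip():
            block.append(line.strip())
    rec = parse_record(block)  # a final record with no trailing separator
    if rec:
        records.append(rec)
    return records


def packets_per_destination(records):
    """Count packets per (dst, dport): a quick view of which services a host is talking to."""
    return Counter((r["dst"], r["dport"]) for r in records)


def syn_only(records):
    """Packets with SYN set and ACK clear, i.e. new connection attempts."""
    return [r for r in records if "S" in r.get("flags", ()) and "A" not in r.get("flags", ())]


if __name__ == "__main__":
    recs = parse_packet_dump(SAMPLE_DUMP)
    for (dst, port), n in packets_per_destination(recs).items():
        print("%s:%s %d packet(s)" % (dst, port, n))
```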
Logging Packets That Snort Captures
You want to use Snort to log your network traffic to files in real time.
To log network traffic to a set of files and directories, use the -l <directory> option:
C:\Snort\bin>snort -de -l c:\snort\log
To log network traffic relative to your home network, use the -h <network> option:
C:\Snort\bin>snort -l c:\snort\log -h 192.168.100.0/24
To log network traffic in binary format, use the -b option in conjunction with the -l option:
C:\Snort\bin>snort -l c:\snort\log -b
To specify a name for the binary logfile, use the -L <name> option:
C:\Snort\bin>snort -l c:\snort\log -L test
Snort can be used to log network traffic in a variety of ways. By providing the necessary command-line options, you can log the data to files sorted by directory or to a binary file. Network traffic can be logged to a set of files and directories by using the -l <directory> command-line option. You must provide the name of the directory to which you wish to log the data. For our example, we have used the default log directory C:\Snort\log. If you wish to use a different log directory, make sure it exists first, or Snort exits with an error.
C:\Snort\bin>snort -de -l c:\snort\log
Running in packet logging mode
Log directory = c:\snort\log
   
Initializing Network Interface \Device\NPF_{572FF0E6-9A1E-42B5-A2AF-A5A307B613EF}
   
        --=  = Initializing Snort =  =--
Initializing Output Plugins!
Decoding Ethernet on interface \Device\NPF_{572FF0E6-9A1E-42B5-A2AF-A5A307B613EF}
   
        --=  = Initialization Complete =  =--
   
-*> Snort! <*-
Version 2.2.0-ODBC-MySQL-FlexRESP-WIN32 (Build 30)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike@datanerds.net,
www.datanerds.net/~mike)
1.8 - 2.x WIN32 Port By Chris Reid
(chris.reid@codecraftconsultants.com)
Running Snort to Detect Intrusions
You want to use Snort to detect, log, and alert on certain types of network traffic.
To log traffic using the rules files in snort.conf, use the -c option:
C:\Snort\bin>snort -de -l c:\snort\log -c c:\snort\etc\snort.conf
            
To log traffic with less output using fast alert mode, use the -A fast option:
C:\Snort\bin>snort -de -l c:\snort\log -c c:\snort\etc\snort.conf -A fast
Snort can log certain subsets of network traffic so you don't have to log every single packet. This is done by using the Snort rules file snort.conf. Snort inspects each packet and applies a set of rules to decide what action to take. For example, the packet may be ignored and passed, or logged, or an alert may be generated.
C:\Snort\bin>snort -de -l c:\snort\log -c c:\snort\etc\snort.conf
            
Snort displays information on the screen as it initializes the preprocessors. The default settings are used when no configurations or arguments are supplied. Packets that trigger a rule in the snort.conf file are logged in the C:\Snort\log directory under the source IP address directory, and also in the alert.ids file, such as the following:
[**] [1:1411:3] SNMP public access udp [**]
[Classification: Attempted Information Leak] [Priority: 2] 
09/14-15:43:49.265790 0:C:F1:11:D:66 -> 0:5:5D:ED:3B:C6 type:0x800 len:0x77
192.168.100.70:1025 -> 192.168.130.36:161 UDP TTL:128 TOS:0x0 ID:14800 IpLen:20 DgmLen:105
Len: 77
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0517]
By default, Snort logs in decoded ASCII format and uses full alerts. A full alert includes the alert message and the full packet header. Snort also includes other alert output options and logging methods. To produce less output, you can use the fast alert mode with the -A fast command-line option.
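The full alert above and the packet-dump records shown earlier in this chapter share one line-oriented layout, and the first thing most shops do with alert.ids is parse it into something a ticketing or correlation system can consume. The following Python parser is an added example, not code from the book or from the Snort project: it splits Snort text output into records, handles both alert entries and bare packet-dump entries (including lines that wrap), and pulls the CVE/CAN identifiers out of the Xref lines so an alert can be pivoted to its vulnerability reference. The sample input is copied from the output shown in this chapter; the `SnortRecord` field names and the helper functions are this example's own choices.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input copied from the alert.ids entry and packet-dump output shown in this chapter.
SAMPLE_ALERT = """[**] [1:1411:3] SNMP public access udp [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/14-15:43:49.265790 0:C:F1:11:D:66 -> 0:5:5D:ED:3B:C6 type:0x800
len:0x77
192.168.100.70:1025 -> 192.168.130.36:161 UDP TTL:128 TOS:0x0 ID:14800 IpLen:20 DgmLen:105
Len: 77
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0517]
"""

SAMPLE_DUMP = """09/14-11:16:50.213014 192.168.100.70:1051 -> 216.155.193.130:5050
TCP TTL:128 TOS:0x0 ID:39709 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0xDA7FD499  Ack: 0x17EA2F6B  Win: 0x4121  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/14-11:16:50.231051 192.168.100.70:1052 -> 205.188.5.252:5190
TCP TTL:128 TOS:0x0 ID:39710 IpLen:20 DgmLen:46 DF
***AP*** Seq: 0xDA819839  Ack: 0xFC65B33A  Win: 0x422F  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""


@dataclass
class SnortRecord:
    """One packet-dump or alert record (field names are this example's own)."""
    timestamp: str = ""
    src_ip: str = ""
    src_port: Optional[int] = None
    dst_ip: str = ""
    dst_port: Optional[int] = None
    proto: str = ""
    ttl: Optional[int] = None
    # Alert-only fields; they stay None/empty for plain packet-dump records.
    gid: Optional[int] = None
    sid: Optional[int] = None
    rev: Optional[int] = None
    msg: str = ""
    classification: str = ""
    priority: Optional[int] = None
    xrefs: List[str] = field(default_factory=list)

    @property
    def is_alert(self) -> bool:
        return self.sid is not None


SIG_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
CLASS_RE = re.compile(r"\[Classification: ([^\]]+)\] \[Priority: (\d+)\]")
TIME_RE = re.compile(r"\b(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\b")
# Dotted-quad endpoints only, so the MAC pair on an -e line is skipped.
ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))? -> (\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?")
PROTO_RE = re.compile(r"\b(TCP|UDP|ICMP) TTL:(\d+)")
XREF_RE = re.compile(r"\[Xref => ([^\]]+)\]")
CVE_RE = re.compile(r"(?:CVE|CAN)-\d{4}-\d+")
SEPARATOR = "=+=+"


def _parse_record(lines: List[str]) -> SnortRecord:
    # Join the record's lines first so wrapped output still parses.
    blob = " ".join(lines)
    rec = SnortRecord()
    m = SIG_RE.search(blob)
    if m:
        rec.gid, rec.sid, rec.rev = int(m.group(1)), int(m.group(2)), int(m.group(3))
        rec.msg = m.group(4)
    m = CLASS_RE.search(blob)
    if m:
        rec.classification, rec.priority = m.group(1), int(m.group(2))
    m = TIME_RE.search(blob)
    if m:
        rec.timestamp = m.group(1)
    m = ENDPOINT_RE.search(blob)
    if m:
        rec.src_ip, rec.dst_ip = m.group(1), m.group(3)
        rec.src_port = int(m.group(2)) if m.group(2) else None
        rec.dst_port = int(m.group(4)) if m.group(4) else None
    m = PROTO_RE.search(blob)
    if m:
        rec.proto, rec.ttl = m.group(1), int(m.group(2))
    rec.xrefs = XREF_RE.findall(blob)
    return rec


def parse_snort_text(text: str) -> List[SnortRecord]:
    """Split Snort alert or packet-dump text into records.

    A record runs from its first line to the next blank line or '=+=+' separator.
    """
    records, current = [], []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(SEPARATOR):
            if current:
                records.append(_parse_record(current))
                current = []
            continue
        current.append(stripped)
    if current:
        records.append(_parse_record(current))
    return records


def cve_ids(rec: SnortRecord) -> List[str]:
    """Extract CVE/CAN identifiers from the record's Xref URLs, in file order."""
    return [cve for url in rec.xrefs for cve in CVE_RE.findall(url)]


def alerts_at_or_above(records: List[SnortRecord], max_priority: int) -> List[SnortRecord]:
    """Snort priority 1 is most severe; keep alerts whose priority number is <= max_priority."""
    return [r for r in records if r.is_alert and r.priority is not None and r.priority <= max_priority]


if __name__ == "__main__":
    for rec in parse_snort_text(SAMPLE_ALERT) + parse_snort_text(SAMPLE_DUMP):
        kind = "ALERT sid=%s" % rec.sid if rec.is_alert else "packet"
        print(kind, rec.timestamp, rec.proto, rec.src_ip, rec.src_port, "->", rec.dst_ip, rec.dst_port, cve_ids(rec))
```

Because each record is joined into one string before matching, the parser is indifferent to where the book (or a terminal) wrapped the line; the only structural assumption is that records are separated by blank lines or the `=+=+` rule, which is how Snort writes both alert.ids and packet-dump output.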
Reading a Saved Capture File
You have a binary capture file that you want to read; for example, a file captured by Snort with the binary option, by TCPDump, or by Ethereal.
Use the -r <filename> option to read a capture file, whether from Snort, TCPDump, Ethereal, or any other program that creates a libpcap format file:
C:\Snort\bin>snort -dv -r c:\snort\log\snort.log.1085148255
            
Snort can read capture files that have been saved using the libpcap format. Snort reads its own saved capture files, as well as binary capture files from sniffer programs, such as TCPDump and Ethereal. Snort reads capture files by using the -r <filename> command-line option, which puts it into playback mode. You must specify the logfile path and name as a parameter to the -r option. The following is an example of reading the binary file snort.log.1085148255:
C:\Snort\bin>snort -dv -r c:\snort\log\snort.log.1085148255
            
The following command reads the binary file snort.log.1085148255 and logs all traffic in ASCII format in the appropriate directories:
C:\Snort\bin>snort -r c:\snort\log\snort.log.1085148255 -l c:\snort\log
The following command reads the binary file snort.log.1085148255 and processes the traffic according to the parameters in the snort.conf file, looking for any traffic that matches the signatures in the rules files:
C:\Snort\bin>snort -r c:\snort\log\snort.log.1085148255 -l c:\snort\log -c c:\snort\etc\snort.conf
The following command reads the binary file snort.log.1085148255 and displays only the TCP traffic to the screen:
C:\Snort\bin>snort -dv -r c:\snort\log\snort.log.1085148255 tcp
            
When processing capture files, Snort can be used in any of its three modes: sniffer, packet logger, and NIDS. The first example displays the logfile packets to the screen. You can also choose to log them to ASCII files or run the file through the rules engine. You can also use the command-line filters to look for certain packets as you process the logfile, such as TCP packets.
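Snort's -r option accepts only libpcap-format files, so when a capture handed to you by another team refuses to load, the quickest check is to look at its 24-byte global header before blaming Snort. The following Python routine is an added example, not code from the book or from Snort or libpcap: it recognises the classic and nanosecond libpcap magic numbers in either byte order, rejects a pcapng file (whose first block starts with 0x0A0D0D0A and which classic libpcap readers do not understand), reports the link type and snaplen, and walks the packet records to count them and detect a truncated tail. The sample file is constructed in the block by `build_sample_pcap`; the record timestamps reuse the epoch value from the filename snort.log.1085148255 above purely as illustrative data.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# libpcap global-header magic numbers, as stored by the capturing host.
MAGIC_USEC = 0xA1B2C3D4    # classic libpcap, microsecond timestamps
MAGIC_NSEC = 0xA1B23C4D    # libpcap variant with nanosecond timestamps
PCAPNG_MAGIC = 0x0A0D0D0A  # pcapng Section Header Block type; not readable with snort -r
LINKTYPE_ETHERNET = 1


@dataclass
class PcapInfo:
    byte_order: str           # "<" little-endian or ">" big-endian
    nanosecond: bool
    version: Tuple[int, int]
    snaplen: int
    linktype: int
    packet_count: int
    truncated: bool           # file ended in the middle of a record


def inspect_pcap(data: bytes) -> PcapInfo:
    """Parse the libpcap global header and walk the packet records that follow it."""
    if len(data) < 24:
        raise ValueError("file too short to hold a libpcap global header")
    first_word = struct.unpack("<I", data[:4])[0]
    if first_word == PCAPNG_MAGIC:
        raise ValueError("pcapng file: Snort's -r expects classic libpcap format")
    byte_order: Optional[str] = None
    nanosecond = False
    for order in ("<", ">"):
        magic = struct.unpack(order + "I", data[:4])[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            byte_order, nanosecond = order, magic == MAGIC_NSEC
            break
    if byte_order is None:
        raise ValueError("unknown magic 0x%08x: not a libpcap file" % first_word)
    # version_major, version_minor, thiszone, sigfigs, snaplen, network (link type)
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(byte_order + "HHiIII", data[4:24])

    count, offset, truncated = 0, 24, False
    while offset < len(data):
        if offset + 16 > len(data):
            truncated = True
            break
        # ts_sec, ts_frac, incl_len (bytes saved), orig_len (bytes on the wire)
        _sec, _frac, incl_len, _orig_len = struct.unpack(byte_order + "IIII", data[offset:offset + 16])
        if offset + 16 + incl_len > len(data):
            truncated = True
            break
        offset += 16 + incl_len
        count += 1
    return PcapInfo(byte_order, nanosecond, (major, minor), snaplen, linktype, count, truncated)


def build_sample_pcap(order: str = "<", magic: int = MAGIC_USEC,
                      payloads: Sequence[bytes] = (b"\x00" * 60, b"\x11" * 46)) -> bytes:
    """Constructed sample: a minimal libpcap file holding the given packet payloads."""
    out = struct.pack(order + "IHHiIII", magic, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, payload in enumerate(payloads):
        # Timestamps count up from the epoch value in the chapter's filename (illustrative only).
        out += struct.pack(order + "IIII", 1085148255 + i, 0, len(payload), len(payload)) + payload
    return out


if __name__ == "__main__":
    info = inspect_pcap(build_sample_pcap())
    print("libpcap v%d.%d, linktype %d, snaplen %d, %d packets, truncated=%s"
          % (info.version + (info.linktype, info.snaplen, info.packet_count, info.truncated)))
```

A `truncated` result usually means the sensor was stopped mid-write or the file was copied while Snort still held it open; Snort can still replay the complete records, but the packet count you get from it will not match the count the capturing host reports.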
Running Snort as a Linux Daemon
You run a Linux machine and you want to run Snort in the background, starting up at boot time.
Snort provides a daemon mode to allow it to run in the background. This is activated by using the -D switch.
[root@frodo rules]# snort -D -c /etc/snort/snort.conf -l /var/log/snort
[root@frodo rules]# ps -ef | grep snort
root     10738     1  0 11:34 ?  00:00:00 snort -D -c /etc/snort/snort.conf -l /var/log/snort
Discussion
You'll probably want to run Snort like this: starting at boot and running in the background. If you want to start Snort earlier in the boot sequence, consult your system documentation as to how to edit the boot scripts.
The exact method for starting Snort at boot varies slightly from one Linux distribution to another. The simplest method, if your system supports it, is to modify the /etc/rc.d/rc.local script. This script runs after all the other init scripts on the system, so your system will be unmonitored between the start of network services and the start of Snort. Add a line similar to the following to your rc.local script:
/usr/local/bin/snort -D -c /etc/snort/snort.conf -l /var/log/snort
You must verify the locations that are relevant to your particular setup. There is an example Snort startup script in /snort-2.x.x/contrib/S99snort.
Running Snort as a daemon is useful only if you are getting good notification from Snort about potential intrusions; otherwise, you are effectively ignoring it. You should refer to the other recipes regarding alerting.
Gerg, Christopher and Kerry J. Cox (eds.). "Chapter 3.3: Command Line Options." In Managing Security with Snort and IDS Tools. Sebastopol, CA: O'Reilly, 2004.
Recipe 1.18
Running Snort as a Windows Service
You run a Windows machine, and you want to start Snort at boot time and run it as a Windows service.
To install Snort as a service, enter:
snort /SERVICE /INSTALL
To uninstall Snort as a service, enter:
snort /SERVICE /UNINSTALL
To see the state of Snort as a service, enter:
snort /SERVICE /SHOW
Services tend to be used for core operating system functionality such as printing, logging, and so on. Running Snort as a service allows for automated starting and, just as importantly, monitoring and restarting in case of failure. It isn't much good having an IDS if it isn't on!
Snort includes three switches to control its use as a service:
/SERVICE /INSTALL
/SERVICE /UNINSTALL
/SERVICE /SHOW
Go through the normal Windows installation and configuration. Then, in the Snort directory, type snort /SERVICE /INSTALL, followed by your usual parameters. For example:
snort /SERVICE /INSTALL -de -c c:\snort\etc\snort.conf -l c:\snort\log -i1
You should get a response similar to:
[SNORT_SERVICE] Attempting to install the Snort service.
[SNORT_SERVICE] The full path to the Snort binary appears to be:
   C:\Snort\bin\snort /SERVICE
[SNORT_SERVICE] Successfully added registry keys to:
   \HKEY_LOCAL_MACHINE\SOFTWARE\Snort\
[SNORT_SERVICE] Successfully added the Snort service to the Services
database.
This installs Snort as a service; however, it doesn't set the service to Automatic so that it starts on boot, and it doesn't start the service either. You need to do both manually through the Windows Service manager. This is accessed through the Services shortcut under Administrative Tools in the Windows Control Panel. Scroll down the services list until you get to Snort, right-click, and then select Properties. Change the Startup type: from Manual to Automatic to get it to restart at boot, and click on the Start button under Service status to start it up immediately.
Capturing Without Putting the Interface into Promiscuous Mode
You want to capture and log packets without putting the interface into promiscuous mode. For example, you want to capture and log packets only for the system on which Snort is installed.
To disable promiscuous mode sniffing, use the -p command-line option:
C:\Snort\bin>snort -dev -p
            
By default, Snort captures packets in promiscuous mode, meaning it logs all traffic on the network to which it is attached. Disabling promiscuous mode causes Snort to monitor only the traffic that is going to and from your Snort system. You can use the -p command-line option in any of Snort's modes.
The following command captures packets in packet dump mode:
C:\Snort\bin>snort -dev -p
            
The following command captures packets in packet logger mode:
C:\Snort\bin>snort -de -l c:\snort\log -p
            
The following command captures packets in NIDS mode:
C:\Snort\bin>snort -de -l c:\snort\log -c c:\snort\etc\snort.conf -p
            
These commands capture only the packets heading to or from the Snort system for each of the Snort modes.