Originally Published: Tuesday, 16 October 2001 Author: Shashank Pandey
Published to: Advanced Security Articles

Intrusion Detection Systems for the Uninitiated, Part 2; Installing and Configuring Snort

Shashank Pandey returns to Linux.com with part two of his popular series on IDS: Intrusion Detection Systems for Linux. Having put PortSentry through its paces in his last article, today Pandey casts a sharp eye over working with Snort. And remember, in some primitive parts of the world you have to pay for information like this! Can you imagine?

Abstract

Snort is a lightweight network-based intrusion detection system (NIDS). Unlike PortSentry, which is a host-based IDS, Snort is capable of performing real-time traffic analysis and packet logging on IP networks. Snort is called a 'lightweight' NIDS because it is easy to install and use and is designed primarily for small networks. It can perform protocol analysis and content searching/matching, and it can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts and the like.

Snort uses 'rules' (specified in rule files) to decide which traffic to let pass and which to alert on or log. In fact it is so flexible that you can write new rules of your own and Snort will abide by them (see http://www.snort.org/writing_snort_rules.htm). It also has a 'detection engine' built on a modular plugin architecture, so specific plugins can be added to or removed from the detection engine to change its capabilities.

An important aspect of any IDS is its alerting mechanism. Snort can raise the alarm in several ways: it reports attacks and probes through syslog, and it also has a real-time alerting capability (alerts are raised as the attacks or probes take place) that can deliver alerts to syslog, a user-specified file, a UNIX socket, or as WinPopup messages to Windows clients via Samba's smbclient.

Snort can run in three modes:

  1. As a straight packet sniffer like tcpdump(1)
  2. As a packet logger (useful for network traffic debugging, etc),
  3. As a full-blown network intrusion detection system.

This article will talk in detail about the Snort installation, architecture and rules, and how to run it.

So here we go.

Platform

Linux 2.2.*
Snort 1.7 (http://www.snort.org/)

Snort is known to compile and run on:
  Sparc: SunOS 4.1.x, Solaris, Linux, and OpenBSD
  x86: Linux, OpenBSD, FreeBSD, NetBSD, and Solaris
  M68k/PPC: Linux, OpenBSD, NetBSD, Mac OS X Server

Snort should also compile on:
  AIX, IRIX, HPUX, Tru64

Pre-Requisites

Tcpdump (www.tcpdump.org)
Libpcap: Snort is built on the libpcap packet capture library, which is used by many TCP/IP traffic sniffers and analyzers. Get it from ftp://ftp.ee.lbl.gov/libpcap.tar.Z.

Compiling and Installing Snort

The main distribution site for Snort is http://www.snort.org. Snort is distributed under the GNU GPL license by the author Martin Roesch.

Having downloaded Snort, untar the archive with the following command.

[root@lord]# tar -zxvf snort-1.7.tar.gz

This should untar Snort into a directory named snort-1.7. The next thing to do is to build libpcap (the dependency). Untar the libpcap archive you downloaded with the same tar switches as above, enter the libpcap directory and carry out the following steps.

[root@lord]# ./configure
[root@lord]# make

Because we don't need any installed binaries for now, there is no need for a 'make install'. In fact, even if you do run it and install them, no harm done.

Now, we'll compile Snort. Change to the directory that Snort is in and issue the following commands.

[root@lord]# ./configure --with-libpcap-includes=/path/to/libpcap/

(In my case it was: [root@lord]# ./configure --with-libpcap-includes=/home/dood/libpcap)

[root@lord]# make
[root@lord]# make install

Ok, cute. Snort should now be installed on your machine!

Create a directory for Snort to store its logs:

[root@lord]# mkdir /var/log/snort

As always, do this :

[root@lord]# whereis snort

to confirm where snort is installed!

The Basics of Snort Architecture

The Snort architecture consists of three basic components, which can be described roughly as follows:

  1. Packet Decoder: prepares the captured packets into a form in which the data can be consumed by the detection engine. The packet decoder can handle Ethernet, SLIP and PPP link layers.
  2. Detection Engine: analyzes and processes the packets fed to it by the decoder according to the Snort rules. Plugin modules can be incorporated into the detection engine to extend Snort's functionality.
  3. Logger/Alerter: logging records the information collected by the packet decoder in human-readable format. By default, logs are stored in the /var/log/snort directory.

The alerting mechanism sends alerts to syslog, a plain file, a UNIX socket or a database. Optionally, you may turn alerting off completely during testing or penetration studies.

By default, all alerts are stored in the /var/log/snort/alert file.

Snort Usage and Its Modes

Right. I hope you are still with me.

Now, what we'll do here is discuss the concepts first and then the commands in proper detail.

Let us start with a simple command that makes Snort display all the command switches and then exit.

[root@lord]# snort -?

The output of the command is as follows.

-*> Snort! <*-
Version 1.7
By Martin Roesch (roesch@clark.net, www.snort.org)
USAGE: snort [-options]
Options:
  -A   Set alert mode: fast, full, or none (alert file alerts only)
       'unsock' enables UNIX socket logging (experimental).
  -a   Display ARP packets
  -b   Log packets in tcpdump format (much faster!)
  -c   Use Rules File
  -C   Print out payloads with character data only (no hex)
  -d   Dump the Application Layer
  -D   Run Snort in background (daemon) mode
  -e   Display the second layer header info
  -F   Read BPF filters from file
  -g   Run snort gid as 'gname' user or uid after initialization
  -h   Home network
  -i   Listen on interface
  -l   Log to directory
  -n   Exit after receiving packets
  -N   Turn off logging (alerts still work)
  -o   Change the rule testing order to Pass|Alert|Log
  -O   Obfuscate the logged IP addresses
  -p   Disable promiscuous mode sniffing
  -P   Set explicit snaplen of packet (default: 1514)
  -q   Quiet. Don't show banner and status report
  -r   Read and process tcpdump file
  -s   Log alert messages to syslog
  -S

Gosh! So many switches?! Don't worry: I will discuss a few of the good ones and leave the simpler ones for you to explore yourself. But before that, we will speed through some Snort fundamentals.

Snort Modes

So, as I told you a while back, Snort runs in three different modes:

Sniffer Mode: in this mode Snort reads and decodes all packets from the network (passing through your Ethernet card) and dumps them to stdout (your screen!).

To put Snort into straight sniffing mode, use the '-v' (verbose) switch:

[root@lord]# ./snort -v

Note: This will dump the packet headers only.

To see the headers + the packet payloads :

[root@lord]# ./snort -v -d

To print a dump of the raw bytes in the entire packet:

[root@lord]# ./snort -X

Tip: to test it on localhost, run:

[root@lord]# ./snort -v -d -i lo

from one console and telnet/ftp to your localhost from another console. Ta-da! You can see all the packets exchanged between localhost and your telnet client in the sniffer window. Cute?

Packet Logger Mode:

This mode logs the packets to disk in their decoded ASCII format.

[root@lord]# snort -l <directory-to-log-packets-to>

Intrusion Detection Mode

When an alert rule fires, the alert data is sent to the alerting mechanism (by default a file called "alert" in the logging directory, but it can also go through syslog, WinPopup messages, etc.), in addition to the packet being recorded by the logging mechanism. The default logging directory is /var/log/snort, which can be changed using the '-l' switch.

Now consider a typical snort command for packet analysis:

[root@lord]# snort -v -d -e -i eth0 -h 192.168.3.0/24

Here we are considering a class C subnet with host IPs ranging from 192.168.3.0 to 192.168.3.255 (subnet mask 255.255.255.0).

Let's dissect the above command to see what it means:

  '-v' : sends verbose output to your console.
  '-d' : dumps the decoded application layer data.
  '-e' : shows the decoded Ethernet headers.
  '-i' : specifies the interface to be monitored for packet analysis.
  '-h' : specifies the home network to be protected, in the form network-address/CIDR-prefix.
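To make concrete what the packet decoder hands to the detection engine, and what '-e', '-v' and '-d' each expose, here is an added example (not code from this article or from Snort) that decodes a constructed Ethernet/IPv4/TCP frame; the MAC addresses, IPs, ports and payload are made up.

```python
import struct
from ipaddress import ip_address

def build_sample_frame():
    """Construct a sample Ethernet/IPv4/TCP frame (not a real capture):
    192.168.3.5:40000 -> 192.168.3.1:23, PSH+ACK, carrying a short payload."""
    payload = b"hello\r\n"
    # TCP: sport, dport, seq, ack, data offset (5 words) << 4, flags, win, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, 23, 1000, 2000, 5 << 4, 0x18, 8192, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4: ver/ihl, tos, total len, id, flags/frag, ttl, proto (6 = TCP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                     bytes([192, 168, 3, 5]), bytes([192, 168, 3, 1]))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + payload

def tcp_flag_string(flags):
    """Snort-style 8-character flag field "12UAPRSF"; '*' marks an unset bit."""
    return "".join(c if flags & (0x80 >> i) else "*" for i, c in enumerate("12UAPRSF"))

def decode_frame(frame):
    """Decode what snort -e (link header), -v (IP/TCP headers) and -d (payload) show."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("only IPv4 frames are handled here")
    (vihl, _, total_len, _, _, ttl, proto, _,
     saddr, daddr) = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (vihl & 0x0F) * 4
    if proto != 6:
        raise ValueError("only TCP is handled here")
    seg = frame[14 + ihl:14 + total_len]  # trust the IP total length, not the frame length
    sport, dport, seq, ack, off, flags, win, _, _ = struct.unpack("!HHIIBBHHH", seg[:20])
    thl = (off >> 4) * 4
    return {
        "eth": {"src": src.hex(":"), "dst": dst.hex(":"), "type": ethertype},
        "ip": {"src": str(ip_address(saddr)), "dst": str(ip_address(daddr)),
               "ttl": ttl, "len": total_len},
        "tcp": {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                "flags": tcp_flag_string(flags), "win": win},
        "payload": seg[thl:],
    }

if __name__ == "__main__":
    d = decode_frame(build_sample_frame())
    print(f'{d["eth"]["src"]} -> {d["eth"]["dst"]} type:0x{d["eth"]["type"]:X}')
    print(f'{d["ip"]["src"]}:{d["tcp"]["sport"]} -> {d["ip"]["dst"]}:{d["tcp"]["dport"]} '
          f'TCP TTL:{d["ip"]["ttl"]} {d["tcp"]["flags"]} Seq:0x{d["tcp"]["seq"]:X}')
    print(d["payload"])
```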

Now, in the next example we will make Snort generate alerts. To generate alerts, use the '-A' switch:

-A : alert using the specified alert mode.

Snort alert modes include, but are not limited to:

  1. fast : writes alerts to the default 'alert' file as single-line, syslog-style alert messages.
  2. full : writes the alert to the 'alert' file with the full decoded header as well as the alert message.
  3. none : no alerting.

The command will then change to the following:

[root@lord]# snort -v -d -e -i eth0 -h 192.168.3.0/24 -A fast

To send alert messages to the syslog daemon, use the '-s' switch instead. Alerts will then most likely appear in /var/log/secure or /var/log/messages:

[root@lord]# snort -v -d -e -i eth0 -h 192.168.3.0/24 -s
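An added example, not part of this article or of Snort, that parses constructed '-A fast' alert lines as they would land in the alert file or syslog, and tags each alert as inbound, outbound or internal relative to the '-h' home network 192.168.3.0/24 (the mask is derived from the /24 prefix rather than written by hand); the sample lines, SIDs and addresses are made up, and the regex accepts both lines with and without the [gid:sid:rev] and {proto} fields.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines from an -A fast alert file (not a real Snort log);
# the 2nd line shows the older form without the [gid:sid:rev] and {proto} fields.
SAMPLE_ALERTS = """\
10/16-09:12:41.112233  [**] [1:1000001:1] TELNET login attempt [**] [Priority: 2] {TCP} 10.0.0.7:3344 -> 192.168.3.1:23
10/16-09:12:42.558899  [**] SCAN stealth FIN [**] 10.0.0.7:3345 -> 192.168.3.20:80
10/16-09:13:05.000001  [**] [1:1000002:1] ICMP PING [**] {ICMP} 192.168.3.5 -> 192.168.3.1
10/16-09:14:10.778899  [**] [1:1000003:1] WEB-CGI probe [**] {TCP} 192.168.3.9:40001 -> 203.0.113.8:80
Oct 16 09:14:11 lord snort: this line is not an alert
"""

FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"(?:\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+)?(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"(?:\{(?P<proto>\w+)\}\s+)?"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$")

def parse_fast_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a fast alert."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sid", "prio", "sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec

def direction(src, dst, home_net):
    """Classify an alert relative to the -h home network (mask derived from the CIDR prefix)."""
    s_home, d_home = ip_address(src) in home_net, ip_address(dst) in home_net
    if s_home and d_home:
        return "internal"
    return "inbound" if d_home else ("outbound" if s_home else "external")

def triage(text, home="192.168.3.0/24"):
    """Parse every line, tag alerts with direction, and count them by (direction, msg)."""
    net = ip_network(home)
    alerts = [dict(rec, direction=direction(rec["src"], rec["dst"], net))
              for rec in map(parse_fast_alert, text.splitlines()) if rec]
    return alerts, Counter((a["direction"], a["msg"]) for a in alerts)

if __name__ == "__main__":
    for (dirn, msg), n in triage(SAMPLE_ALERTS)[1].most_common():
        print(f"{n:3d}  {dirn:8s}  {msg}")
```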

Until now all the packets sniffed and analyzed were just dumped to your screen. To have Snort write them to your logs instead, use the '-l' switch followed by the directory name, i.e. /var/log/snort:

[root@lord]# snort -v -d -e -i eth0 -h 192.168.3.0/24 -A full -l /var/log/snort

To log packets in tcpdump format and produce minimal alerts, use the '-b' switch:

[root@lord]# snort -b -i eth0 -A fast -h 192.168.3.0/24 -s -l /var/log/snort

In the above commands Snort logs all the packets on your network segment, which may leave you with a confusing mess. If you want to log only certain types of packets, depending on the rules you write, use the '-c' switch to point Snort at your rule file:

[root@lord]# snort -b -i eth0 -A fast -h 192.168.5.0/24 -s -l /var/log/snort -c /snort-rule-file

Writing Rules for Snort

I would rather point you to this place:

"Writing Snort Rules : How to Write snort Rules and Keep your Sanity" (http://www.snort.org/writing_snort_rules.htm) by Martin Roesch. Ok. So, we go on.

Securing IDS

It should be kept in mind that Intrusion Detection Systems are not 'God'. They have their own flaws, like everything else in this world! The true spirit of 'hacking' involves stretching the capability of a system (legally!). To beat the 'crackers' you have to be ever vigilant, not afraid to learn, and willing to test the limitations of your IDS, firewall and so on: everything that falls within the periphery of your security policy.

Since there are already beautifully written articles and papers by some very knowledgeable people on this issue, I will do them the honor of just providing a pointer to the relevant URLs.

Articles:

  > "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection", paper of January 1998 (http://secinf.net/info/ids/idspaper/idspaper.html)
  > "A look at whisker's anti-IDS tactics" (www.wiretrip.net)

Tools:

  > Fragrouter (http://www.anzen.com/research/nidsbench)
  > Whisker (www.wiretrip.net)

To summarize, most of the techniques described in these articles (and on which the tools are built) involve wily packet games or altering the URL pattern used to execute a malicious command.

These tools are used by security experts and crackers worldwide to fool IDSs. So learn to use them on your network/IDS before the baddies do.

Also, check out the snort.org downloads section for tools that help Snort perform better. They also run a Snort discussion forum, a good resource if you have any queries or problems with Snort.

Links of Interest

www.snort.org
www.silicondefence.com
www.whitehats.com
project.honeynet.org

Credits

The author would like to thank:

The developers of Snort and the author(s) of the Snort web site. Many of the examples and some documentation were reproduced in part and can be directly attributed to the developers' information as posted on the Snort web site (http://www.snort.org/) and in the READMEs accompanying the Snort distribution.

-Simon Hayes (Chief Editor) and the editorial team of Linux.com: for polishing my articles :-)

-To YOU (for still being awake!)

Conclusion

Snort is a great tool not only for securing your network but also for learning how attacks happen and how to prevent them. It can be integrated with other security tools like 'tripwire' and 'swatch' to get an even clearer picture of an intrusion attempt. At the same time, IDSs (both free and commercial) are plagued with issues like poor event processing when taking appropriate action, and quite a few security glitches. Let's see how future IDSs turn out!

Your mails and comments are more than welcome, as always.

I hope we had a good time, guys ;-)

About the Author

The author is an undergraduate student of Computer Science and works as 'I.T. Manager' at a New Delhi (India) based total I.T. solutions organization. He is also actively involved as a freelance Information Security consultant, swears by 'information dissemination' and does not hate Bill Gates! (I would rather pay attention to my work than hate anybody.) I like playing guitar, a bit of meditation and sci-fi. Said author is probably going to launch his own 'kewl-Geek' portal shortly. He can live without oxygen for as long as he can hold his breath, but not even a microsecond without technology!