Originally Published: Tuesday, 16 October 2001 Author: Shashank Pandey
Published to: Advanced Security Articles, Page 3/4

Intrusion Detection Systems for the Uninitiated, Part 2; Installing and Configuring Snort

Shashank Pandey returns to Linux.com with part two of his popular series on IDS: Intrusion Detection Systems for Linux. Having quizzed PortSentry in his last article, today Pandey casts a sharp eye over working with Snort. And remember, in some primitive parts of the world you have to pay for information like this! Can you imagine?


Snort USAGE and its Modes

Right. I hope you are still with me.

Now, what we'll do here is discuss the concepts and then the commands in proper detail.

Let us start with a simple command that makes Snort display all the command switches and then exit.

[root@lord]# snort -?

The output of the command is as follows:

    -*> Snort! <*-
    Version 1.7
    By Martin Roesch (roesch@clark.net, www.snort.org)

    USAGE: snort [-options]
    Options:
      -A   Set alert mode: fast, full, or none (alert file alerts only)
           'unsock' enables UNIX socket logging (experimental).
      -a   Display ARP packets
      -b   Log packets in tcpdump format (much faster!)
      -c   Use Rules File
      -C   Print out payloads with character data only (no hex)
      -d   Dump the Application Layer
      -D   Run Snort in background (daemon) mode
      -e   Display the second layer header info
      -F   Read BPF filters from file
      -g   Run snort gid as 'gname' user or uid after initialization
      -h   Home network =
      -i   Listen on interface
      -l   Log to directory
      -n   Exit after receiving packets
      -N   Turn off logging (alerts still work)
      -o   Change the rule testing order to Pass|Alert|Log
      -O   Obfuscate the logged IP addresses
      -p   Disable promiscuous mode sniffing
      -P   set explicit snaplen [sp? -ed.] of packet (default: 1514)
      -q   Quiet. Don't show banner and status report
      -r   Read and process tcpdump file
      -s   Log alert messages to syslog
      -S

Gosh! So many switches?! In case you are wondering, I will discuss just a few good ones and leave the other, simpler ones for you to explore yourself. But before that, we will speed through some Snort fundamentals.

Snort Modes

So, like I told you some time back, Snort runs in three different modes:

Sniffer Mode: When in this mode, Snort reads and decodes all packets from the network (passing through your ethernet card) and dumps them to stdout (your screen!).

To put Snort into straight sniffing mode, use the '-v' (verbose) switch:

[root@lord]# ./snort -v

Note: This will dump the packet headers only.

To see the headers + the packet payloads:

[root@lord]# ./snort -v -d

To print a dump of the raw bytes in the entire packet:

[root@lord]# ./snort -X

Tip: To test it on localhost, do this:

[root@lord]# ./snort -v -d -i lo

from one console and 'telnet/ftp' to your localhost from another console. Ta-da! You can see all those packets transferred between localhost and your telnet client in the sniffer window. Cute?

Packet Logger Mode:

This mode logs the packets to disk in their decoded ASCII format.

[root@lord]# snort -l <directory to log packets to>

Intrusion Detection Mode

When an alert rule fires, the alert data is sent to the alerting mechanism (by default a file called "alert" in the logging directory, but it can also go through syslog, WinPopup messages, etc.), in addition to the packet being recorded by the logging mechanism. The default logging directory is /var/log/snort, which can be changed using the "-l" switch.

Now consider a typical snort command for packet analysis:

[root@lord]# snort -v -d -e -i eth0 -h 192.168.3.0/24

Here, we are considering a class C subnet with host IPs ranging from 192.168.3.0 to 192.168.3.255 (subnet mask: 255.255.255.0).

Let's dissect the above command to see what it means:

'-v' : sends a verbose response to your console.
'-d' : dumps the decoded application layer data.
'-e' : shows the decoded ethernet headers.
'-i' : specifies the interface to be monitored for packet analysis.
'-h' : specifies the home network to be monitored, in the form network-address/CIDR-mask.

Now, in the next example we will make Snort generate alerts:

To generate alerts, use the '-A' switch.

-A : Alert using the specified alert mode.

Snort alert modes include, but are not limited to:

  1. fast : writes alerts to the default 'alert' file in a single-line, syslog style alert message.
  2. full : writes the alert to the 'alert' file with the full decoded header as well as the alert message.
  3. none : no alerting.

The command will then change to the following:

[root@lord]# snort -v -d -e -i eth0 -h 192.168.3.0/24 -A fast

To send alert messages to the syslog daemon, use the '-s' switch instead. Alerts will then most likely appear in /var/log/secure or /var/log/messages:

[root@lord]# snort -v -d -e -i eth0 -h 192.168.3.0/24 -s
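As an added example (not from the article, and not Snort's own code), here is a small Python triage script for the one-line 'fast' style of alert described above: it parses each line and classifies the alert as inbound, outbound, internal or external relative to the home network you gave with '-h', which is the first cut a defender wants from a full alert file. The alert lines are constructed for illustration; the '[gid:sid:rev]' and '{PROTO}' tags are treated as optional so that one-line alerts without them also parse, and home_net_facts() expands the 192.168.3.0/24 notation from the earlier command into the netmask and range discussed there.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the style of Snort's one-line "fast" alerts
# (timestamp [**] message [**] src:port -> dst:port); not real alerts.
SAMPLE_ALERTS = """\
10/16-09:15:02.123456 [**] [1:1000001:1] CONSTRUCTED telnet login attempt [**] {TCP} 10.0.0.7:3121 -> 192.168.3.5:23
10/16-09:15:07.654321 [**] [1:1000002:1] CONSTRUCTED ftp anonymous login [**] {TCP} 10.0.0.7:3122 -> 192.168.3.9:21
10/16-09:16:40.000001 [**] [1:1000003:1] CONSTRUCTED outbound irc [**] {TCP} 192.168.3.5:1025 -> 203.0.113.4:6667
10/16-09:17:01.000002 [**] CONSTRUCTED icmp echo [**] 192.168.3.5 -> 192.168.3.1
this line is not an alert and must be skipped
"""

# [gid:sid:rev] and {PROTO} are optional; ports are absent for ICMP alerts.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"(?:\[(?P<ids>\d+:\d+:\d+)\]\s+)?(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\{(?P<proto>\w+)\}\s+)?"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_fast_alerts(text):
    """Return one dict per well-formed alert line; other lines are ignored."""
    return [m.groupdict() for m in map(FAST_RE.match, text.splitlines()) if m]

def home_net_facts(cidr):
    """Expand the -h notation: network address, dotted netmask, broadcast."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.netmask), str(net.broadcast_address)

def direction(alert, home_net):
    """Classify an alert relative to the home network given with -h."""
    net = ipaddress.ip_network(home_net, strict=False)
    src_home = ipaddress.ip_address(alert["src"]) in net
    dst_home = ipaddress.ip_address(alert["dst"]) in net
    if src_home and dst_home:
        return "internal"
    return "inbound" if dst_home else ("outbound" if src_home else "external")

def summarize(text, home_net):
    """Count alerts by direction: the first thing to look at in a full alert file."""
    return dict(Counter(direction(a, home_net) for a in parse_fast_alerts(text)))

if __name__ == "__main__":
    print(home_net_facts("192.168.3.0/24"), summarize(SAMPLE_ALERTS, "192.168.3.0/24"))
    for a in parse_fast_alerts(SAMPLE_ALERTS):
        print(direction(a, "192.168.3.0/24"), a["src"], "->", a["dst"], a["msg"])
```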

Until now, all the packets sniffed and analyzed were just dumped to your screen. To have Snort write the packets it sniffs and analyzes to your logs instead, use the "-l" switch followed by the directory name, i.e. /var/log/snort:

[root@lord]# snort -v -d -e -i eth0 -h 192.168.3.0/24 -A full -l /var/log/snort

To log packets in tcpdump format and produce minimal alerts, use the '-b' command switch:

[root@lord]# snort -b -i eth0 -A fast -h 192.168.3.0/24 -s -l /var/log/snort
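As an added example (not from the article, and not Snort's own code), this Python writes and reads a capture in the tcpdump format that '-b' produces: a 24-byte file header, then per packet a 16-byte record header and the raw frame bytes cut at the snaplen ('-P', default 1514). Nothing is decoded on the way to disk, which is why '-b' is so much faster than ASCII logging, and the reader flags records whose captured length is shorter than the wire length, since those lost payload to the snaplen. The frames and timestamps are constructed, and the IPv4 checksums are left as zero.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4   # file header magic (written in native byte order)
LINKTYPE_ETHERNET = 1

def pcap_bytes(packets, snaplen=1514):
    """Write a tcpdump-format capture: 24-byte file header, then for each packet
    a 16-byte record header (ts_sec, ts_usec, captured len, wire len) and the
    raw frame cut at snaplen, as Snort's -P would cut it. No decoding at all."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in packets:
        data = frame[:snaplen]
        out += struct.pack("<IIII", ts_sec, ts_usec, len(data), len(frame)) + data
    return out

def ether_ipv4_frame(src_ip, dst_ip, proto, payload=b""):
    """Constructed Ethernet II + minimal IPv4 header (checksum left as zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + payload

def read_pcap(blob):
    """Walk the records; decode only the IPv4 addresses and protocol number."""
    magic, = struct.unpack_from("<I", blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a native-order tcpdump file")
    _, _, _, _, snaplen, linktype = struct.unpack_from("<HHiIII", blob, 4)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    off, records = 24, []
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl, orig = struct.unpack_from("<IIII", blob, off)
        frame = blob[off + 16:off + 16 + incl]
        off += 16 + incl
        rec = {"ts": ts_sec + ts_usec / 1e6, "captured": incl, "wire": orig,
               "truncated": incl < orig}          # payload lost beyond snaplen
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":   # EtherType IPv4
            rec["src"] = socket.inet_ntoa(frame[26:30])
            rec["dst"] = socket.inet_ntoa(frame[30:34])
            rec["proto"] = frame[23]              # 1 ICMP, 6 TCP, 17 UDP
        records.append(rec)
    return records

# Constructed two-packet capture with a small snaplen to show truncation.
SAMPLE_CAPTURE = pcap_bytes([
    (1003200000, 123456, ether_ipv4_frame("192.168.3.5", "192.168.3.1", 6, b"hello")),
    (1003200001, 0, ether_ipv4_frame("10.0.0.7", "192.168.3.5", 17, b"X" * 100)),
], snaplen=64)
```

The same reader works on a file written by '-b' once you read its bytes from the log directory; Snort itself replays such a file with '-r'.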

With the commands above, Snort logs all the packets on your network segment, which might leave you with a confusing mess. If you want to log only certain types of packets, depending on the rules you write, use the '-c' command switch to load a rules file:

[root@lord]# snort -b -i eth0 -A fast -h 192.168.5.0/24 -s -l /var/log/snort -c /snort-rule-file

Writing rules for snort

I would rather guide you to this place:

"Writing Snort Rules : How to Write snort Rules and Keep your Sanity" (http://www.snort.org/writing_snort_rules.htm) by Martin Roesch. Ok. So, we go on.
