Snort - PowerPoint PPT Presentation

Slides: 21
Provided by: Fat61

Transcript and Presenter's Notes

1
Snort
  • Roy

INSA Lab.
2
Outline
  • What is Snort?
  • Working modes
  • How to write Snort rules?
  • Snort plug-ins
  • It's show time

3
What is Snort?
  • An open source network IDS
  • Powerful
      • Stand-alone real-time traffic analysis
      • Packet logging on IP networks
      • Detects a variety of attacks and probes
      • Protocol analysis, content searching/matching
      • Logs to a nicely organized, human-readable directory structure
  • Flexible
      • Rules language to describe traffic
      • Detection engine utilizes a modular plug-in architecture

4
Snort Working Modes
  • Sniffer mode
      • like tcpdump, CommView
  • Packet logger mode
  • NIDS mode

5
Snort Rules
  • Rules are similar to packet-filter expressions
  • Snort has 4 rule actions
      • activate - alert and then turn on another dynamic rule
      • dynamic - remain idle until activated by an activate rule, then act as a log rule
      • alert - generate an alert using the selected alert method, and then log the packet
      • pass - ignore the packet
      • log - log the packet

Rule application order
6
How to Write Snort Rules?
  • Advanced Snort rules
      • http://www.snort.org/docs/snort_manual/node14.html
      • Snort Rules Database: http://www.snort.org/snort-db/
  • Simple Snort rule
      • alert tcp any any -> any any (content:"|00 01 86 a5|"; msg:"mountd access";)

Detail of the rule (diagram labels):
  • Rule action: alert, log, pass, etc.
  • Protocol: tcp, udp, icmp, etc.
  • Source IP address
  • Source port number
  • Direction operator: ->, <>
  • Destination IP address
  • Destination port number
7
Writing good rules
The 3 C's:
  • Content matching
  • Catch the vulnerability, not the exploit
      • the attacker changes the exploit slightly
  • Catch the oddities of the protocol in the rule
      • user root
        alert tcp any any -> any 21 (content:"user root";)
      • user root vs. user<tab>root
        alert tcp any any -> any 21 (flow:to_server,established; content:"root"; pcre:"/user\sroot/i";)
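To show why the second rule on this slide catches the user<tab>root variation that the first one misses, here is a small added example (not from the slides and not Snort's own engine) that evaluates the content: and pcre: options of both rules against constructed FTP command lines; the flow: option is assumed satisfied.

```python
import re

# Constructed sample FTP command lines (not from the slides); "tab" is the
# user<tab>root variation the slide shows.
PAYLOADS = {
    "plain":     b"user root\r\n",
    "tab":       b"user\troot\r\n",
    "upper_tab": b"USER\troot\r\n",
    "benign":    b"user alice\r\n",
}

# Option strings of the two rules on the slide (hypothetical evaluator, not Snort itself).
RULE_LOOSE = 'content:"user root";'
RULE_TIGHT = 'flow:to_server,established; content:"root"; pcre:"/user\\sroot/i";'

def parse_options(option_str):
    """Split a Snort rule option string into (keyword, value) pairs."""
    pairs = re.findall(r'(\w+):\s*("(?:[^"\\]|\\.)*"|[^;]*);', option_str)
    return [(key, val.strip('"')) for key, val in pairs]

def content_match(pattern, payload):
    # content: is a literal, case-sensitive byte match (no nocase modifier is used here).
    return pattern.encode() in payload

def pcre_match(spec, payload):
    # spec looks like "/regex/flags"; only the i flag is mapped (assumption for this demo).
    body, flags = spec[1:].rsplit("/", 1)
    re_flags = re.IGNORECASE if "i" in flags else 0
    return re.search(body.encode(), payload, re_flags) is not None

def rule_matches(option_str, payload):
    """All content/pcre options must match; flow: is assumed satisfied (to server, established)."""
    for key, val in parse_options(option_str):
        if key == "content" and not content_match(val, payload):
            return False
        if key == "pcre" and not pcre_match(val, payload):
            return False
    return True

def compare_rules():
    """Return {payload name: (loose rule hit, tight rule hit)} for every sample payload."""
    return {name: (rule_matches(RULE_LOOSE, p), rule_matches(RULE_TIGHT, p))
            for name, p in PAYLOADS.items()}

if __name__ == "__main__":
    for name, (loose, tight) in compare_rules().items():
        print(f"{name:10s} loose={loose!s:6s} tight={tight}")
```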

8
Snort Plug-ins
  • Preprocessors
      • Operate on packets after they've been received and decoded by Snort, before the rules are matched.
      • Ex. http_decode, port scan, frag2, stream4
  • Output modules
      • Any rule type you define can be specified to use a particular kind of output plug-in
      • Ex. alert_fast, alert_syslog, database, xml

9
Snort Working Architecture
[Diagram of the Snort working architecture with these components: Preprocessor; Rule (Activate, Alert, Pass, Log); Output module]
10
Show time
  • Test environment
  • Download and install package
  • Case 1: Nmap port scan
  • Case 2: MSN chat messages

11
Environment
12
Before Install
  • Requires:
      • libpcre
        http://www.pcre.org/
      • libpcap
        http://sourceforge.net/projects/libpcap/

13
Snort Go!!Go!!Go!!
  • Download
      • snort-2.1.3.tar.gz
      • http://www.snort.org/
  • Install package

14
Start Snort!!
Edit snort.conf
Wait a few minutes
15
View the results
  • Nice directory structure and file name

16
Case 1: Nmap Scan
17
Case 2: MSN chat message
  • Copy and paste to create new rules
  • Add the new rule file to snort.conf
      • include $RULE_PATH/msn.rules
  • Just execute Snort
  • Snort doesn't include msn rules by default
      • Snort rule database
        http://www.snort.org/snort-db/
      • Use a keyword to search

18
Enjoy the result
19
Conclusions
  • Good rules maximize efficiency and speed

20
Reference
  • Writing rules
      • http://www.snort.org/docs/snort_manual/node14.html
  • Rule database
      • http://www.snort.org/snort-db/