Designed to fill the gap left by expensive, heavy-duty network intrusion detection systems, Snort is a free, cross-platform packet sniffer, logger, and intrusion detector for monitoring smaller TCP/IP networks. It runs on Linux/UNIX and Win32 systems. It takes mere minutes to install and start using it.
Some of Snort’s numerous abilities:
-real-time traffic analysis and packet logging
-packet payload inspection
-protocol analysis and content searching/matching
-detect buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts
-real- time alerts to syslog, user-specified files, Unix socket, or WinPopups via Samba
Snort has three primary modes: packet sniffer, packet logger, or full-blown intrusion detection system. In the grand tradition of open/free software, it supports all manner of plugins, extensions, and customizations: database or XML logging, small fragment detection, and statistical anomaly detection. Packet payload inspection is one of Snort’s most useful features. This means many additional kinds of hostile activity can be detected.
Snort.org provides RPMs and tarballs. Normally I recommend building from source, but I had problems with the tarball of the latest stable version, 1.8.6. As the deadline for this article loomed mercilessly over me, I didn’t have time to figure out if I did something foolish, or if it was Snort’s fault. The RPM installed flawlessly.
For Snort to work, libpcap must be installed on your system, and most likely is. Use locate to check:
$ locate libpcap
which should provide output similar to:
/usr/lib/libpcap.so.0 /usr/lib/libpcap.a /usr/lib/libpcap.so /usr/lib/libpcap.so.0.6.2
If it is not present, get it from tcpdump.org, or your Linux installation disks.
It is unwise to install a security product without verifying the signature. Verify the checksum of your download:
# md5 snort-1.8.6.tar.gz
# md5 snort-1.8.6-1snort.i386.rpm
Unpack the tarball:
$ tar -xvzf snort-1.8.6.tar.gz
Install as root:
# make install
That’s the simple generic installation. Some options are make check, to run Snort’s pre-installation self-tests; make clean removes binaries and object files from the source code directory. It even has a make uninstall option for clean removal.
Other installation options, used with ./configure:
Enable SNMP alerting code
Support for mysql
Support for Postgresql databases
Support for openssl
There are many more, see the docs in your tarball for the rest.
Installing the RPM is ease itself:
# rpm -ivh snort-1.8.6-1snort.i386.rpm
As you can see on the Snort download page, precompiled binaries are already packaged for compatibility with other programs, like mySQL and PostgreSQL.
# snort -?
prints the most common options.
Test-drive to make sure it installed correctly. Monitor the local machine only, -i = interface:
# snort -vdei eth0
CTRL+C stops it. Don’t forget to put your NIC in promiscuous mode. Snort will also run as a daemon, and comes with start/stop scripts.
Packet Sniffer Mode
This only prints out TCP/IP packet headers to the screen:
# snort -v
To see application data:
# snort -vd
And data link layer headers:
# snort -vde
Unless your idea of a good time is staring at hexedecimal dumps as they scroll by, write it to disk.
# snort -vdel /var/log/snort
The -l switch means ‘log’. Tell Snort to log everything for the local network, -h means home:
# snort -vdel /var/log/snort -h 192.168.1.0/24
This creates a separate directory for each host. To dump everything into a single binary, tcpdump-formatted file, use the -b switch:
# snort -l /var/log/snort -b
It is unecessary to specify any other options, parse the output of this file as you need with either Snort’s built-in options, or use tcpdump, or ethereal. -r reads and processes the file:
# snort -vder /email@example.com
Parse for specific items with the built-in Berkeley Packet Filter:
# snort -vder /firstname.lastname@example.org udp
# snort -vr /email@example.com tcp
# snort -ver /firstname.lastname@example.org icmp
See man snort or tcpdump for more options for the Berkeley Packet Filter.
Network Intrusion Detection Mode
Now we get into the real Snort power tools. Take a look at /etc/snort/snort.conf, the global configuration file. Snort rulesets are also in /etc/snort, in plain text files. The impatient can uncomment this line and be up and running right away:
var HOME_NET $eth0_ADDRESS
This initializes Snort to the network configuration of the local NIC.
For speed, logging every single packet and writing to the screen won’t work. Packets will be dropped and logfiles will balloon. Drop the -v switch so it won’t write to the screen, and we can probably live without -e, data link headers:
# snort -dl /var/log/snort -h 192.168.1.0/24 -c /etc/snort/snort.conf
-h means home network, -c means use ruleset, followed by the path. This is NIDS at its most basic, logging packets as defined by the rules, in plain ASCII. Use the -b switch to log to a binary file. Notice that defining the subnet range uses CIDR notation, Classless Inter-Domain Routing.
Where do these mysterious rulesets come from? Two sources: from Snort.org, included in the RPM or download the binaries, or write your own. Martin Roesch, the creator of Snort, designed it for speed in all areas: installing, running, and responding to new attacks. If you have the ability to analyze an attack and recognize a unique signature, you can write a rule to find and log it. See the SnortUsersManual.pdf that comes in your download for an excellent tutorial on writing custom rules. (All docs are available online as well.) Snort.org posts updated rulesets daily, download to your heart’s content. Use snortpp, available from the snort/contrib directory on snort.org, to merge new ruleset files.
Where To Put It
If you have the time and resources, putting Snort on each side of a firewall can be most enlightening. Comparing what is hitting your firewall to what makes it through can be hair-raising, it really is astonishing how much malicious traffic is traveling the Internet. Running a single Snort box behind a firewall adds a layer of protection and is easier to manage, simply because of the lower data volume.