Page 1: Snort Tutorial

A Brief Tutorial in Snort

Jaland Worley

CT312-900

12/10/2011

Ralph DeFrangesco

Page 1 of 32


Table of Contents

Introduction to the Project   3
System Configuration   4
    Virtualization   4
Description of Snort   5
    Background   5
    System Requirements   5
    Installation   6
Using Snort   10
    Configuration   10
    Writing Rules   17
    Violations   18
Summary   26
    Advantages/Disadvantages   26
    Future Implications   30
End Notes   31


Introduction to the Project

This project is designed to give a basic overview and tutorial of how to install, configure, and use the Snort intrusion detection system. In the first section of this document, the system configuration of the server will be described in detail to provide the reader with a walkthrough of how to configure a similar laboratory. Section two will provide a detailed description of Snort, its history, system requirements, and how it is best installed. Section three will provide full instructions on how to interact with, configure, and make use of Snort. Section four will summarize the entire document and provide insight on the advantages and disadvantages of Snort, as well as future implications.


System Configuration

For this project, the laboratory will consist of a gigabit LAN containing a workstation, a virtual server, and several mobile devices.

The workstation is custom built. It contains an AMD Phenom II chip with six cores running at 3.2GHz per core. It is also hyper-threaded, providing twelve threads for data processing. It also has 16GB of DDR3 1333 RAM and a 150GB Raptor hard drive. The virtual server is an Ubuntu Linux distribution installed on Oracle's VirtualBox software; it shares resources with the custom workstation. Ubuntu will host our Snort installation, and it is where most of the project's work will be performed. The mobile devices used in this project will be two Apple iPhone 4S smartphones.

Virtualization is an amazing concept. For the purpose of this project, it provides a means for students to have multiple systems running off a single set of hardware components. CPUs and motherboards must support virtualization in order to run software such as VirtualBox; however, most new computers are capable of it. VirtualBox allows a user to configure the parameters of the machine they wish to create. From a single hardware resource pool, the user selects how much disk space, processing power, and memory is used to run the virtual machine. After these parameters are set, the user provides an image of whatever operating system they wish to use, and it is installed as if the image were being fed to a machine made of real hardware. A virtual machine can share one network interface card with the host it is sharing other resources with. This is called bridging. Bridging allows the laboratory in this project to function by binding a second IP address to the NIC.


Description of Snort

Snort was released in 1998 by Martin Roesch. It is a completely free network intrusion detection system. Snort works by capturing packets as they pass through a network that Snort monitors. The software matches the characteristics and payloads of packets against a detailed and customizable set of rules. When a packet or stream of packets meets the criteria of a rule, an alert is logged and/or the packet is dropped. These alerts are also customizable to help network administrators categorize and manage their networks. Snort "is the most widely deployed intrusion prevention technology in the world." Snort detects many types of attacks, such as denial of service, buffer overflows, port scans, SMB probes, and fingerprinting; Snort also reacts in real time to traffic. Snort is open source, and much of its success and usefulness comes from the community that collaborates to make Snort a dynamic, living application.

Snort has several requirements that must be fulfilled before it can be used properly. These requirements are software packages called libpcap, PCRE, libdnet, Barnyard2, and DAQ. Libpcap is packet capture software that allows Snort to inspect packets. PCRE is the Perl Compatible Regular Expressions library, which allows for special programming during the installation and use of Snort. Libdnet is a network API that allows Snort to use various networking protocols. Barnyard2 is an output mechanism for Snort; it is used to output the data Snort collects to various databases. To make viewing the output easier, there are many front-end web interfaces that make Snort easier to use. In this tutorial MySQL will be the back-end with Snorby on the front-end. However, this tutorial will also show raw output from the command line. There are no specific hardware requirements for Snort, but it should be understood that in order for Snort to process a large number of packets, much processing power will be required.


Snort can be installed from binaries or from source code. In this tutorial, Ubuntu Linux is the platform used for Snort. Other versions of Linux have been known to put a user into "dependency hell," where packages cannot be installed without first installing prerequisite packages. To avoid this, Ubuntu has a method of retrieving and installing software packages called apt-get. apt-get allows users to download an application and all of its dependencies in one simple command. When apt-get is used, Snort is installed in a matter of one to two minutes. The following screenshots show apt-get in action.


Snort has already been installed on the server, but the process can be explained by the output. apt-get install snort looks at the lists of packages it has available, works out the dependencies that Snort needs, and then downloads everything and installs it for the user. If there is a need to update Snort to a newer version, apt-get can handle this for the user as well. The command apt-get upgrade looks for updates to all the packages installed on the server. Packages can also be removed with apt-get remove [package name]. Packages that are outdated can be removed with apt-get autoremove.


The packages libpcap, PCRE, and libdnet are automatically found by apt-get and installed. It is important to install the database that will be used in the installation. MySQL will be used in this project, but SQLite and PostgreSQL can be used as well. These can be installed through apt-get, from source code or binaries, or during the initial installation of the Linux server. The remaining package, Barnyard2, needs to be installed separately. Unfortunately, there is no apt-get package for Barnyard2, so the files will have to be downloaded and run separately. The original host of Barnyard2 no longer hosts the file. The method used in this installation is called git. Git is similar to wget, which is used to download FTP files. git clone https://github.com/firnsy/barnyard2.git is the command to retrieve the files. Once the files have been downloaded, the source code can be compiled and run. Barnyard2 requires the dh-autoreconf package to be installed in this manner.


Using Snort

Snort runs off of a configuration file. This file tells Snort where to look for its parameters, rules, and methods of operating.


Variables are edited to customize Snort to use on the home network.


Variables are also used to describe external networks.


There are many rule sets available for Snort. For this tutorial, custom rules were written in order to better explain and discover how Snort handles rule violations.

The real power of Snort is in the ability to write customized rules. For this tutorial, five rules have been written to demonstrate different attacks: the first rule looks for ICMP traffic from a certain host, the second looks for ICMP traffic from any host, and the remaining three are a telnet alert, an SSH alert, and a rule that alerts when a specific port is scanned.


The five rules that will be used in this tutorial.

The rules are stored in a special rules file. All other rule files have been commented out of the configuration file so they are not used while Snort is running. Each rule has a special sid number that allows for further customization and organization of alerts. Also, each rule has a message field that allows the user to customize what the alert actually says.
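The rules file and the sid and msg fields described above, as an added example that is not part of the tutorial: a small Python script that parses a Snort 2.x rules file, expands the $HOME_NET and $EXTERNAL_NET variables from the snort.conf variable block (the home-network and external-network variables mentioned on pages 12 and 13), and checks each rule for a msg, a unique sid, and a sid outside the range reserved for official rules. The five rules, the 192.168.1.0/24 network and the 192.168.1.50 host address are constructed for this example; the tutorial's own rules appear only in its screenshots, so these are one plausible way to write what it describes.

```python
"""Added example, not from the tutorial: parse a small Snort 2.x rules file and
sanity-check it. The variables and five rules below are constructed; they are
one plausible way to write the rules the tutorial describes."""
import re
from dataclasses import dataclass, field

# Constructed snort.conf variable block: HOME_NET is the assumed lab LAN and
# EXTERNAL_NET is everything that is not HOME_NET ("!" negates a value).
CONF_VARS = """\
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
"""
# Constructed local rules. User-written rules conventionally use sid >= 1000000,
# because lower numbers are reserved for the official rule sets.
LOCAL_RULES = """\
# ICMP from one specific host (assumed address of the lab iPhone)
alert icmp 192.168.1.50 any -> $HOME_NET any (msg:"ICMP from lab iPhone"; sid:1000001; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP from any host"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"Telnet connection attempt"; flags:S; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH connection attempt"; flags:S; sid:1000004; rev:1;)
alert tcp any any -> $HOME_NET 8080 (msg:"Connection attempt to port 8080"; flags:S; sid:1000005; rev:1;)
"""
# Rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$")
# One option: key, optional ":value" (quoted values may contain ';'), ended by ';'
OPTION_RE = re.compile(r'\s*(?P<key>[A-Za-z_]+)(?::(?P<val>"(?:[^"\\]|\\.)*"|[^;]*))?;')

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)

def parse_vars(text):
    """Collect ipvar/portvar/var definitions into a name -> value map."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] in ("ipvar", "portvar", "var"):
            out[parts[1]] = parts[2]
    return out

def resolve(value, variables):
    """Expand $NAME references (a variable may itself refer to another one)."""
    while (m := re.search(r"\$(\w+)", value)):
        if m.group(1) not in variables:
            raise ValueError(f"undefined variable ${m.group(1)}")
        value = value[:m.start()] + variables[m.group(1)] + value[m.end():]
    return value

def parse_rules(text, variables):
    """Parse every non-comment line into a Rule, with addresses expanded."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a Snort rule")
        opts = {}
        for om in OPTION_RE.finditer(m.group("opts")):
            val = om.group("val")
            opts[om.group("key")] = val.strip('"') if val is not None else True
        rules.append(Rule(m.group("action"), m.group("proto"),
                          resolve(m.group("src"), variables), m.group("sport"),
                          resolve(m.group("dst"), variables), m.group("dport"), opts))
    return rules

def check_rules(rules):
    """Return problems: missing msg or sid, sids below 1000000, duplicate sids."""
    problems, seen = [], set()
    for r in rules:
        if "msg" not in r.options:
            problems.append(f"rule without msg: {r.proto} {r.src} -> {r.dst} {r.dport}")
        sid = r.options.get("sid")
        if sid is None:
            problems.append(f"rule without sid: {r.options.get('msg')}")
            continue
        if int(sid) < 1000000:
            problems.append(f"sid {sid} is in the range reserved for official rules")
        if sid in seen:
            problems.append(f"duplicate sid {sid}")
        seen.add(sid)
    return problems

if __name__ == "__main__":
    variables = parse_vars(CONF_VARS)
    rules = parse_rules(LOCAL_RULES, variables)
    for r in rules:
        print(r.options["sid"], r.proto, r.src, "->", r.dst, r.dport, "|", r.options["msg"])
    print("problems:", check_rules(rules) or "none")
```

Running the script prints each rule with its variables expanded and reports "none" for the problems list; a duplicate sid or a missing msg in the file shows up as a problem before Snort is restarted, which is cheaper than discovering it from an alert that cannot be told apart from another.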


Once the rules are written and the rest of the configuration is complete, Snort can be started. Snort is started automatically as a daemon once it is installed. If Snort needs to be started manually, it can be done with one of two commands: snort -c /etc/snort/snort.conf -D -l /var/log/snort will run Snort as a daemon, and /etc/init.d/snort start will run Snort with the basic configuration file, also as a daemon. The first rule looks for an ICMP packet coming from a particular host. The following screenshots show the creation of the traffic and the alert that Snort creates.


The alert log was tailed in the screenshot above, but in the log file there are four entries to match the four packets sent. The next alerts are generated by an application on an iPhone called "Scany." It is a combined port scanner, OS fingerprinter, and service-probe multi-tool.


These three alerts were generated after the iPhone application was executed.

The application sent many ICMP packets and probed the operating system, looking for open ports and services that were running. Snort alerted on three of the rules loaded into the Snort configuration. The TCP Portscan alert seems to come from a rule that is loaded all the time; it was not specified in the experimental rules file. The next type of traffic is a telnet request. Telnet is not used very much these days. It transmits data in clear text and is just inherently insecure, but it is often turned on by default in some systems.


Telnet's successor, SSH, is used commonly in most organizations for remote access. It is often left open, and attackers can brute force passwords to gain access to the system. The following screenshots show an alert for an SSH attempt. SSH connections should only be allowed from trusted networks.


If Snort ever needs to be stopped, it can be stopped with the command killall snort or /etc/init.d/snort stop.


Summary

Snort is a great application. It is easy to install and configure, but it does have some disadvantages. The next section breaks down the advantages and disadvantages of Snort.

Advantages

- Free
- Easy to install and configure (on certain platforms)
- Plentiful support through the Snort community
- Fully customizable
- Efficient with system resources
- Downloadable rule sets (with paid subscription)

Disadvantages

- Difficult to install and configure (on certain platforms)
- Steep learning curve when writing rules
- Difficult to test rules in a production environment
- Limited Windows support
- Alerts can be overwhelming

The last disadvantage is the biggest flaw in Snort. If the default rule sets are used, even with customization, the number of alerts is almost too much to handle. The following screenshots demonstrate this.


The configuration file is modified to allow all rule sets to be parsed.

After running the application "Scany" from the iPhone, this is what a portion of the alert file looks like.
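To show how a flood of alerts like the one described here can be triaged, the following added example (not part of the tutorial) parses Snort's alert_fast output and counts alerts per rule and per source host, so the rules that fire most often can be tuned or thresholded first. The log lines are constructed to mimic the alert_fast format; the timestamps, addresses and custom sids are invented, and the Classification line is what a rule with a classtype would produce.

```python
"""Added example, not from the tutorial: summarise a Snort alert_fast log so a
noisy rule set can be triaged. The log lines below are constructed to mimic
the alert_fast format; timestamps, addresses and the custom sids are invented."""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
12/10-21:14:07.105843  [**] [1:1000002:1] ICMP from any host [**] [Priority: 0] {ICMP} 192.168.1.50 -> 192.168.1.10
12/10-21:14:07.106120  [**] [1:1000001:1] ICMP from lab iPhone [**] [Priority: 0] {ICMP} 192.168.1.50 -> 192.168.1.10
12/10-21:14:09.221004  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.168.1.50 -> 192.168.1.10
12/10-21:14:09.318877  [**] [1:1000004:1] SSH connection attempt [**] [Priority: 0] {TCP} 192.168.1.50:49152 -> 192.168.1.10:22
12/10-21:14:09.320003  [**] [1:1000003:1] Telnet connection attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.1.50:49153 -> 192.168.1.10:23
12/10-21:14:10.000001  [**] [1:1000002:1] ICMP from any host [**] [Priority: 0] {ICMP} 192.168.1.77 -> 192.168.1.10
12/10-21:14:10.000002  [**] [1:1000002:1] ICMP from any host [**] [Priority: 0] {ICMP} 192.168.1.77 -> 192.168.1.10
12/10-21:14:11.500000  [**] [1:1000004:1] SSH connection attempt [**] [Priority: 0] {TCP} 192.168.1.50:49154 -> 192.168.1.10:22
"""

# alert_fast line: ts [**] [gid:sid:rev] msg [**] [Classification: ...]? [Priority: n] {proto} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$")

def split_endpoint(ep):
    """'ip:port' -> (ip, port); ICMP alerts carry a bare ip (IPv4 only here)."""
    ip, sep, port = ep.rpartition(":")
    return (ip, port) if sep else (ep, None)

def parse_alerts(text):
    """Return one dict per line that matches the alert_fast format."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # blank or unexpected line; a real tool would count these
        a = m.groupdict()
        a["src_ip"], a["src_port"] = split_endpoint(a["src"])
        a["dst_ip"], a["dst_port"] = split_endpoint(a["dst"])
        alerts.append(a)
    return alerts

def count_by_rule(alerts):
    """Alerts per (gid, sid, msg), most frequent first."""
    return Counter((a["gid"], a["sid"], a["msg"]) for a in alerts).most_common()

def count_by_source(alerts):
    """Alerts per source host, most frequent first."""
    return Counter(a["src_ip"] for a in alerts).most_common()

def sources_per_rule(alerts):
    """Source hosts behind each sid: one host repeating is tuning noise, many hosts is a pattern."""
    out = defaultdict(set)
    for a in alerts:
        out[a["sid"]].add(a["src_ip"])
    return dict(out)

def noisy_rules(alerts, threshold):
    """sids that fired more than `threshold` times: first candidates for a threshold or suppression."""
    return [(sid, n) for (_, sid, _), n in count_by_rule(alerts) if n > threshold]

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_LOG)
    print(f"{len(alerts)} alerts parsed")
    hosts = sources_per_rule(alerts)
    for (gid, sid, msg), n in count_by_rule(alerts):
        print(f"{n:4d}  [{gid}:{sid}] {msg}  from {sorted(hosts[sid])}")
    print("noisy:", noisy_rules(alerts, 2))
```

On the constructed log the per-rule count puts the "ICMP from any host" rule first, which is the expected outcome of a catch-all rule: it is the one to narrow (a source network, a threshold) before the others. The portscan entry carries gid 122 rather than 1, which is how the always-loaded preprocessor alert mentioned on page 22 can be told apart from the rules in the local file.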


In order to effectively use Snort, the time needed for testing and rule configuration is substantial. If an organization has the time, resources, and employee talent, Snort can be a useful tool to protect the organization's network from intrusion and attack.


Future Implications

Snort is only going to get better with time. The open source community is growing at a high rate, and the amount of support and the number of rules are growing at a similar rate. With time, the Snort rules should become more streamlined to work in production environments, but the need for interaction with and modification of these rules is never going to go away. Therefore, if one can become proficient with Snort, one can increase their marketability when searching for jobs. Due to its cost effectiveness, ease of obtaining, and continued growth, Snort will remain the top open-source IDS for years to come.


End Notes

Works Cited

Peters, E. (n.d.). Snorby eBook. Retrieved 12 10, 2011, from github: https://github.com/Snorby/snorby/wiki/Snorby-E-Book

Snorby.org. (n.d.). Snorby. Retrieved 12 10, 2011, from Snorby - All About Simplicity: http://www.snorby.org

Snort.org. (n.d.). Snort. Retrieved 12 10, 2011, from Snort.org: http://www.snort.org

Ubuntu.com. (n.d.). dh-autoreconf. Retrieved 12 10, 2011, from Ubuntu.com: http://packages.ubuntu.com/maverick/all/dh-autoreconf/download
