Snort

Introduction

According to the README "Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching in order to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, user specified files, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient."

Wow. OK, what does that mean? Snort is a sniffer and also an Intrusion Detection System (IDS). It runs on just about any platform you can think of, but especially UNIX and Windows. It was written and is developed on UNIX, so support from the main Snort development group tends to be better there. UNIX is also arguably a faster platform, and speed is essential for an IDS. But other Snort developers and users provide expert 'Snort on Windows' documentation and support, so if you are an all-Windows shop you should probably stick with that and just run Snort on Windows.

Super Quick Start

  1. Download the latest version of Snort for your platform (UNIX or Windows).
  2. (Compile and) Install it.
  3. Try the following commands to make sure Snort works in sniffer mode, and note the differences in output. You may or may not need to specify an interface to listen on; it depends on your system. Try it both ways.
    1. snort -v (listen on the first available interface)
    2. On Windows only, try snort -W to list available interfaces.
    3. snort -vi eth0 (UNIX) or snort -vi 1 (Windows)
    4. snort -ve (-e = Display the second layer header info)
    5. snort -vd (-d = Dump the Application Layer)
    6. snort -vdC (-C = Print out payloads with character data only (no hex))
    7. snort -vdCe or snort -vdCei eth0 or snort -vdCei1 (put it all together)
  4. Edit your snort.conf file as needed. (Learn about the options from IDS Policy Manager for Snort even if you don't use it all the time.)
  5. Try some IDS mode commands like:
    1. snort -T -c /path/to/snort.conf (test mode!!! Snort parses the configuration and rules, reports any errors and exits without sniffing.)
    2. snort -vi eth0 -c /path/to/snort.conf (console IDS mode; never do this as a production IDS--with -v every packet is printed to the console, which is slow, and you'll lose packets.)
  6. Learn the Berkeley Packet Filter syntax (see the "expression" section of the tcpdump man page).

Snort References

Snort--The Piggy Proggy

  • Snort.org--Marty and "the gang." The definitive source (pun intended) for Snort. Free, open-source--great stuff!
  • Sourcefire--"Founded by the creators of Snort™, the most widely deployed Intrusion Detection technology worldwide, [... Sourcefire provides a commercial] enhanced Snort™ with sophisticated proprietary technologies to offer the first ever unified security monitoring infrastructure, delivering all of the capabilities needed to proactively identify threats and defend against intruders. Sourcefire's tightly integrated Intrusion Management System (IMS) combines state-of-the-art monitoring, perimeter defense, system management and real-time network awareness." (See about Sourcefire.)
  • SiliconDefense--Used to offer various commercial Snort appliances, consulting and technical support, but got out of that business. Listed here only for completeness.
  • Snort on Windows tools and documentation
  • Demarc PureSecure--Commercial, though there's a free home use version. Extremely slick interface, kind of ACID on steroids. "A one of a kind, Total Intrusion Detection System (TIDS), which provides an unsurpassed level of comprehensive security. For the first time you will be able to reliably prevent, detect, and deter internal and external threats to your organization's valuable assets with complete confidence, 24 hours a day. Advanced cross platform compatible technology means PureSecure can be deployed and scaled in a wide variety of network infrastructures."
  • Hogwash (AKA Snort inline, more info)--Turns Snort into a transparent filtering bridge (layer 2 filter). If you don't know what that means, you probably shouldn't bother with this.
  • Eagle X--A Windows installer for a (mostly) pre-configured and integrated setup for Snort, IDScenter, Apache, PHP, MySQL and ACID! I haven't used this in production, but it is very cool. I did a Snort presentation to PANTUG (a local user group) on 2003-10-08 using EagleX as the demonstration. It's a large download (~16M) which should not be surprising given the number of packages involved.
  • easy IDS--A Linux installer for a (mostly) pre-configured and integrated setup for Snort, Apache, PHP, MySQL and ACID! I haven't used this, but it sounds cool.

Snort GUI/Management Tools

  • Snort GUIs: exploring the ins and outs of snort front ends by Mike Poor.
  • http://www.snort.org/dl/contrib/front_ends and http://www.snort.org/dl/contrib/data_analysis
  • Basic Analysis and Security Engine (BASE)--"It is based on the code from the Analysis Console for Intrusion Databases (ACID) project. This application provides a web front-end to query and analyze the alerts coming from a SNORT IDS system."
  • Analysis Console for Intrusion Databases (ACID)--Obsolete, use BASE. "A PHP-based analysis engine to search and process a database of security events generated by various IDSes, firewalls, and network monitoring tools."
  • IDS Policy Manager for Snort (IDS PM)--A Windows GUI for managing UNIX Snort sensors. Excellent and intuitive interface. I highly recommend installing this just to play with the interface and learn about Snort configuration options and rules.
  • IDSCenter--"A configuration and management tool for Snort IDS on Windows platforms."
  • SnortCenter --[Seems to be BROKEN ( 1, 2, 3 ) and unmaintained, don't use this any more!] "SnortCenter is a web-based client-server management system written in PHP and Perl. It will help you to configure Snort and keep the signatures up-to-date. The Management Console will build the configuration files for you and then send it to the remote sensor." It is agent-based and both the agents and management server run on UNIX and Windows. It also has support for ACID.
  • Oinkmaster--A Perl-based (sort-of automatic) Snort Rule Updater.
  • A Snort module for Webmin

Snort Add-ons

  • See the "contrib" directory of your Snort distribution (e.g. C:\Snort\contrib, ./snort-2.0.0/contrib/) for lots of tools some of which are listed here.
  • SnortSnarf--"SnortSnarf is a Perl program to take files or databases of alerts from [Snort] and produce HTML output intended for diagnostic inspection and tracking down problems. The model is that one is using a cron job or similar to produce a daily/hourly/whatever file of snort alerts. This script can be run on each such file to produce a convenient HTML breakout of all the alerts."
  • SPICE/SPADE (Stealthy Portscan and Intrusion Correlation Engine/Statistical Packet Anomaly Detection Engine)--SPICE is a project at Silicon Defense to detect portscans, even those in which the attacker has attempted to make the scan stealthy. For example, they may have slowed down the scan or randomized it. SPADE is a Snort preprocessor plugin which sends alerts about anomalous packets through the standard Snort reporting mechanisms.
  • SnortSam--A plugin to allow Snort to update firewall rules.
  • Snorticus--"A collection of shell scripts designed to allow easy management of Snort sensors. It allows you to routinely collect Snort sensor data, analyze the data via SnortSnarf, and easily maintain rule files."
  • Snort2HTML--"Snort2HTML converts Snort logs into nicely-formatted HTML. Changes: Parsing for ICMP alerts, optimized code, input/output files now can be specified on the command line, and more."
  • snortlogl--"A Perl script which looks up the hostnames of machines mentioned in a snort IDS alert and outputs the relevant information in a nice list. Now has faster DNS lookups and separates portscans."
  • snort-stat.pl--"Does statistical analysis on snort logfiles. It's setup to process the syslog alerts that Snort creates and generate a bunch of relevant statistics about the current alerts. If you read the beginning of the script, it tells you how to activate the program as a cron job to provide daily reports of activity recorded by Snort."
  • SnortPlot--Analyzes Snort logs to graphically plot attack signatures.
  • Razorback--"A log analysis program that interfaces with the SNORT open source Intrusion Detection System to provide real time visual notification when an intrusion signature has been detected on the network. Snort should be configured to send data to syslog for razorback to display the data." [See other great free tools from InterSect Alliance.]
  • SAM--"A program to monitor (in real-time) the number of alerts generated by Snort. [...] SAM does not replace Snort or ACID but rather it complements them."
  • SRRAM--Looks kind of dead. "Provides users with a way to easily manage their Snort rules. Rules can be automatically updated on a user determined schedule with no user intervention. The rule state (enabled/disabled) is maintained. A web console is provided."
  • Dave Dittrich's Snort Scripts--Kind of old.

Snort Books

I will review these books as I get them (as of this writing I only have the first) and will do a compare and contrast at the end (assuming I can find the time and energy). See my Snort Books page.

  1. Snort 2.0 Intrusion Detection, by Jay Beale, James C. Foster, Jeffrey Posluns, Ryan Russell, Brian Caswell, et al., from Syngress. [My Review] [Slashdot Review] [Bookpool] [B&N]
  2. Intrusion Detection with SNORT: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID by Rafeeq Rehman, from Prentice Hall. [Slashdot Review] [Bookpool] [B&N] This is part of Bruce Perens' Open Source [Book] Series and so is freely available (PDF, RTF).
  3. Intrusion Detection with Snort, by Jack Koziol from New Riders. [Slashdot Review 1 Slashdot Review 2] [Bookpool] [B&N]
  4. Snort 2.0: The Complete Guide to Intrusion Detection by Jeff Nathan and Dragos Ruiu from Wiley&Sons. [B&N] This one seems to have gone away. I ordered it, but I was never charged, it never shipped, and it's "not available" at B&N.
  5. Intrusion Detection, by Rebecca (Becky) Gurley Bace from MacMillan Technical Press [ISBN 1-57870-185-6]. This book should be required reading for anyone who even thinks about Intrusion Detection Systems (IDS). I thought I knew quite a bit about IDS until I read this book.

Installation, Configuration and Usage Documentation

Snort Rules

Snort Alerts

Example alert message (IPs x'd out to protect the innocent):

  [1:2087:2] SMTP From comment overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: <eth2> {TCP} xxx.xx.xxx.xxx:37422 -> xxx.xx.xx.xx:25

Message format:

  [1:2:3] aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa [Classification: bbbbbbbbbbbbb] [Priority: c]: <i> {ddd} eee.eee.eee.eee:fffff -> ggg.ggg.ggg.ggg:hh

  1 - GID (Generator ID: the Snort engine or preprocessor that raised the alert) [integer]; see also generators.h
  2 - SID (Signature ID) [integer]
  3 - REV (Revision of the Signature) [integer]
  a - Signature Short Description [text]
  b - Classification (Ex: Information Gain, Remote Root) [text]
  c - Priority [integer]
  d - Protocol (Ex: TCP, UDP) [text]
  e - Source IP [IP octets]
  f - Source Port [integer]
  g - Dest. IP [IP octets]
  h - Dest. Port [integer]
  i - Ethernet Interface [text] (only present when Snort is started with -I)

According to the Snort Users Manual, SID numbering is as follows:

  < 100              Reserved for future use
  100 - 3,465        GPL rules
  3,465 - 1,000,000  "VRT Certified Rules" (see http://www.snort.org/rules/)
  > 1,000,000        Used for local rules

Except that Bleeding Snort uses > 2,000,000.
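
The format above is regular enough to parse mechanically, which is what every front end in the lists below ends up doing. The following is an added example, not code from Snort, from any of those tools or from this page's author: it pulls the alert fields out of syslog-style lines laid out as shown above and buckets each SID into the numbering ranges from the table. The log lines are constructed (RFC 5737 documentation addresses, one non-alert line mixed in); the <iface> field is assumed to be present because Snort was started with -I, addresses are assumed to be IPv4, and where the page lists 3,465 in both the GPL and VRT ranges the code treats it as the last GPL SID.

```python
"""Parse Snort syslog-style alert lines into records and classify SIDs.

Added example for the alert format described above; not Snort's own code.
Assumes the layout shown on the page (optional <iface> from -I) and IPv4.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# [gid:sid:rev], message text, optional Classification and Priority
# brackets, a colon, optional <interface>, {PROTO}, then src[:port] -> dst[:port].
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s*"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s*)?"
    r"(?:\[Priority:\s*(?P<priority>\d+)\]\s*)?"
    r":\s*(?:<(?P<iface>[^>]+)>\s*)?"
    r"\{(?P<proto>[A-Za-z0-9-]+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$"
)


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: Optional[int]
    iface: Optional[str]
    proto: str
    src: str
    sport: Optional[int]   # None for protocols without ports (ICMP)
    dst: str
    dport: Optional[int]


def parse_alert(line: str) -> Optional[Alert]:
    """Return an Alert for one log line, or None if the line is not an alert.

    re.search (not match) skips any syslog prefix such as
    "Oct  8 14:02:11 sensor1 snort[4242]: " in front of the [gid:sid:rev].
    """
    m = ALERT_RE.search(line)
    if m is None:
        return None

    def to_int(v: Optional[str]) -> Optional[int]:
        return int(v) if v is not None else None

    return Alert(
        gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"].strip(),
        classification=m["classification"],
        priority=to_int(m["priority"]),
        iface=m["iface"],
        proto=m["proto"].upper(),
        src=m["src"], sport=to_int(m["sport"]),
        dst=m["dst"], dport=to_int(m["dport"]),
    )


def parse_alerts(text: str) -> List[Alert]:
    """Parse every alert line in a block of log text, skipping non-alert lines."""
    return [a for a in (parse_alert(ln) for ln in text.splitlines()) if a is not None]


def sid_range(sid: int) -> str:
    """Bucket a SID per the numbering table above.

    Assumption: 3,465 (listed in both ranges on the page) is taken as the
    last GPL SID; 2,000,000 itself is still treated as a local SID.
    """
    if sid < 100:
        return "reserved"
    if sid <= 3465:
        return "GPL"
    if sid <= 1_000_000:
        return "VRT Certified"
    if sid <= 2_000_000:
        return "local"
    return "Bleeding Snort"


# Constructed sample log, not real sensor output. Last line is not an alert.
SAMPLE_LOG = """\
Oct  8 14:02:11 sensor1 snort[4242]: [1:2087:2] SMTP From comment overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: <eth2> {TCP} 192.0.2.10:37422 -> 198.51.100.25:25
Oct  8 14:02:15 sensor1 snort[4242]: [1:384:5] ICMP PING [Classification: Misc activity] [Priority: 3]: <eth2> {ICMP} 192.0.2.11 -> 198.51.100.25
Oct  8 14:02:19 sensor1 snort[4242]: [1:1000001:1] LOCAL test rule [Priority: 0]: <eth2> {UDP} 192.0.2.12:53412 -> 198.51.100.53:53
Oct  8 14:02:20 sensor1 snort[4242]: Initializing daemon mode
"""

if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_LOG):
        print(f"{a.gid}:{a.sid}:{a.rev} [{sid_range(a.sid)}] prio={a.priority} "
              f"{a.proto} {a.src}:{a.sport} -> {a.dst}:{a.dport}  {a.msg}")
```

Because the message text is matched lazily and the Classification bracket is optional, a rule with no classtype (like the local rule in the sample) still parses; the one thing the regex insists on is the colon that separates the bracketed part from the <iface>/{PROTO} part, so a line without it is treated as noise rather than half-parsed.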

IDS Related Tools

  • Any sniffer running on Windows will require WinPcap, and some may also need LibnetNT.
  • stick (Draft White paper)--"An IDS stress tool used to evaluate the bottle neck point in an IDS in an operational environment. Stick will not be released anytime soon for the exception of IDS vendors." The stream4 pre-processor was designed at least partially to defeat tools like stick and snot. (See the free download of the Syngress Snort book's Chapter 6: Preprocessors.)
  • snot (UNIX, Windows, README)--"Triggers snort alerts taking a snort rules file as input. Use to decoy your local IDS admin, or just annoy people in general. This version now allows for non-randomized payloads, to inflict more hurt on the dumber IDS'." Basically, read a Snort rule file and create the packets described by the rules.
  • sneeze.pl (tar)--"[... An] easy-to-control false-positive generator (didn't care too much for stick, snot, or IDSWakeup) [written in Perl. ...] Requires Net::RawIP Perl module."
  • IDS Wakeup--A collection of tools for testing network intrusion detection systems. Requires hping2.
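
The snot approach above ("read a Snort rule file and create the packets described by the rules") comes down to decoding each rule's content keywords into bytes. The following is an added example, not snot's code and not anything from Snort or this page's author, showing that core step in Python: it parses one rule, splits its options, decodes content strings (including |hex| runs, backslash escapes and "!" negation) and returns the header fields plus the payload bytes the positive contents describe. It builds bytes only and sends nothing. The rule is constructed, modelled on the page's sample alert; it is not the VRT rule text for SID 2087. Assumptions: the classic one-option-per-semicolon syntax, and that offset/depth/within and pcre are ignored, so the payload satisfies the content matches in rule order but not necessarily the whole rule.

```python
"""Decode a Snort rule into the packet it describes (header + payload bytes).

Added example of the snot idea; not snot's or Snort's code. Only content
keywords contribute to the payload; offset/depth/within/pcre are ignored.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# action proto src sport dir dst dport ( options )
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$",
    re.DOTALL,
)
# Optional leading "!" (content must be absent), then one double-quoted string.
CONTENT_RE = re.compile(r'^(?P<neg>!?)\s*"(?P<body>(?:\\.|[^"\\])*)"')


def decode_content(body: str) -> bytes:
    """Turn the inside of content:"..." into bytes.

    Text between pipes is hex ("|3A 0D 0A|"); elsewhere a backslash makes the
    next character literal (so \\; \\" \\\\ and \\| are literals).
    """
    out = bytearray()
    hexbuf: List[str] = []
    in_hex = False
    i = 0
    while i < len(body):
        c = body[i]
        if in_hex:
            if c == "|":
                out += bytes.fromhex("".join(hexbuf))  # raises on odd/bad hex
                hexbuf, in_hex = [], False
            elif not c.isspace():
                hexbuf.append(c)
        elif c == "|":
            in_hex = True
        elif c == "\\":
            i += 1
            if i >= len(body):
                raise ValueError("dangling backslash in content")
            out += body[i].encode("latin-1")
        else:
            out += c.encode("latin-1")
        i += 1
    if in_hex:
        raise ValueError("unterminated |hex| run in content")
    return bytes(out)


def split_options(options: str) -> List[str]:
    """Split the rule body on ';' outside quotes, honouring backslash escapes."""
    opts: List[str] = []
    cur: List[str] = []
    in_quote = escaped = False
    for c in options:
        if escaped:
            cur.append(c)
            escaped = False
        elif c == "\\":
            cur.append(c)
            escaped = True
        elif c == '"':
            in_quote = not in_quote
            cur.append(c)
        elif c == ";" and not in_quote:
            token = "".join(cur).strip()
            if token:
                opts.append(token)
            cur = []
        else:
            cur.append(c)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


@dataclass
class RulePacket:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: Optional[str] = None
    sid: Optional[int] = None
    payload: bytes = b""


def rule_to_packet(rule: str) -> RulePacket:
    """Parse one rule and assemble the payload its positive contents describe."""
    m = RULE_RE.match(rule.strip())
    if m is None:
        raise ValueError("not a Snort rule: " + rule[:40])
    pkt = RulePacket(m["action"], m["proto"], m["src"], m["sport"], m["dst"], m["dport"])
    payload = bytearray()
    for opt in split_options(m["options"]):
        keyword, _, value = opt.partition(":")
        keyword, value = keyword.strip(), value.strip()
        if keyword == "content":
            cm = CONTENT_RE.match(value)
            if cm is None:
                raise ValueError("malformed content option: " + opt)
            if cm["neg"]:            # negated content must be absent: add nothing
                continue
            payload += decode_content(cm["body"])   # rule order, as distance:0 wants
        elif keyword == "msg":
            pkt.msg = value.strip('"')
        elif keyword == "sid":
            pkt.sid = int(value)
    pkt.payload = bytes(payload)
    return pkt


# Constructed rule modelled on the page's sample alert; NOT the VRT rule for SID 2087.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 '
    '(msg:"SMTP From comment overflow attempt"; flow:to_server,established; '
    'content:"From|3A|"; nocase; content:"|28|"; distance:0; '
    'content:!"QUIT"; classtype:attempted-admin; sid:2087; rev:2;)'
)

if __name__ == "__main__":
    p = rule_to_packet(SAMPLE_RULE)
    print(f"sid {p.sid}: {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} payload={p.payload!r}")
```

Two things the result makes obvious about why stick/snot style tools generate so much noise: a rule whose detection rests on content alone is satisfied by a few bytes in any TCP segment to the right port, and anything the rule enforces beyond content (here, the session state from flow:to_server,established) is exactly what the stream4 preprocessor mentioned above was added to check.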

Read Only Patch Cables (AKA Ethernet Taps)

Other Miscellaneous IDS Information