Snort — An Intrusion Detection System

Bhavik Shah
6 min read · Aug 13, 2020

Part 2 — Configuration and Using as a NIDS

I hope every one of you is well in this pandemic and is staying home. In the previous article, we saw how to install Snort on your machine. But an installed Snort without a configuration is like a gun without bullets: in short, it is of no use.

In this article, we explore how to configure Snort to act as a Network Intrusion Detection System and also see how to use Snort as a sniffer.

Network Intrusion Detection System Framework

Basic Configuration of Snort

Whenever we work with Linux, the one thing that is always our greatest helper is the help output. Like most Linux commands and applications, Snort prints its usage summary when invoked with the help switch:

kali > sudo snort --help

Snort Help Options

Here I have underlined some switches from the help of Snort.

-c <conf> tells Snort which configuration file to load. The configuration file in turn includes the rule files, and the rules are the signatures against which every captured packet is checked.

-d tells Snort to dump the application layer data, that is, the packet payload.

-e displays the Data Link layer header, which contains the source and destination MAC addresses.

-i <if> lets us choose the interface to listen on. If it is omitted, Snort takes the first non-loopback interface libpcap finds, which is eth0 on most Linux systems.

-K <mode> selects how Snort stores the packets it captures: pcap (the default), ascii or none. Note the capital K: lowercase -k is a different switch that controls checksum verification (all, noip, notcp, noudp, noicmp, none).

-v is verbose mode, as in most programs: it prints the header of every packet to the console.

START SNORT

Knowing some of the basic switches of Snort, let's try running it. What makes Snort so useful is that the same binary can be run as a sniffer, as a packet logger, or as a full NIDS. In this article, we will look at Snort as a packet sniffer and as a NIDS.

To run Snort in packet dump mode, use the following command:

kali > sudo snort -vde

Sniffer Output — 1
Sniffer Output — 2

The output is fairly self-explanatory, but let's walk through it for a better understanding. In the first snapshot, we have started Snort in packet dump mode: -v prints each packet header, -d adds the payload and -e adds the link-layer header.

Snort dumps the payload it captures in hex as well as in ASCII. For every packet it prints the source and destination IP addresses, the protocol, the TTL and the remaining header fields (for TCP, the ports, flags, sequence and acknowledgement numbers). When we stop the capture with Ctrl+C, Snort prints a summary of the run: how long it ran, how many packets were received, analyzed and dropped, the memory used, and finally a breakdown of the protocols seen in the traffic.

SNORT AS NIDS

To use Snort as a NIDS, we need to point it at the configuration file, which in turn includes the rules. Generally the conf file lives at /etc/snort/snort.conf, and we pass its location with the -c switch:

kali > sudo snort -vde -c /etc/snort/snort.conf

Keep in mind that -vde still prints every packet to the terminal, which is fine for a demo but far too noisy (and slow) for real monitoring. For day-to-day use, drop -vde and ask only for alerts, for example sudo snort -q -A console -c /etc/snort/snort.conf -i eth0, which prints one line per alert and writes packet logs to /var/log/snort (or the directory given with -l).

Snort as NIDS — 1
Snort as NIDS — 2

We can also customize the rules to our comfort and to suit our enterprise. So the next topic we will see is Snort rules and configuring Snort.

Snort Rules and Configuring Snort

Like most Linux applications, Snort is configured through a conf file that can be opened as a plain text file. Edit this file, restart Snort, and the new configuration is live.

Before going anywhere, let's take a brief look at the syntax of Snort rules.

− A Snort rule must be written on a single line, or continued across lines with a trailing backslash (\). For example, the following single-line rule and the multi-line rule below it are equivalent (x.x.x.x/xx stands for a network in CIDR notation):

log tcp !x.x.x.x/xx any -> x.x.x.x/xx any (msg:"some message"; sid:1000001;)

log tcp !x.x.x.x/xx any -> x.x.x.x/xx any \
(msg:"some message"; sid:1000001;)

− Every rule consists of a rule header (the action, the protocol, the source and destination addresses and ports, and the direction operator) followed, in parentheses, by the rule options. The options hold the detection criteria (content, flags and so on) and the rule's metadata: the msg that appears in the alert and the sid that uniquely identifies the rule. Each option ends with a semicolon, and Snort 2.9 refuses to load a rule that has no sid.

− Rules should describe situations that actually matter: a violation of the company's security policy, or traffic that exploits a known vulnerability. Vague rules produce noise, not detections.

− The action at the start of the header decides what Snort does with a matching packet. The three you will use most are:

  • alert: generate an alert using the configured alert method, then log the packet.
  • log: log the packet without raising an alert.
  • pass: ignore the packet; no alert and no log. Pass rules are used to exclude known-good traffic from alerting, not to drop it.

Snort has further actions (activate and dynamic, plus drop, reject and sdrop when it runs inline), but these three cover normal NIDS use.
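To make the header/options split and the backslash continuation concrete, here is a small checker for the rule syntax described above. It is an added example written for this article, not code from Snort or from the original post; the sample rules inside it are constructed for the demonstration, and the function names are my own. It is a simplified parser, not Snort's, but it enforces the same three points: one logical line per rule, a seven-field header with a valid action and direction, and a mandatory sid in the options.

```python
from collections import Counter

# Constructed sample rules (not taken from the article): a single-line alert
# rule, a log rule continued with a backslash, a pass rule, a comment line, and
# one malformed rule that lacks the mandatory sid option.
SAMPLE_RULES = r'''
# ICMP echo request from outside the home network
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP echo request"; itype:8; sid:1000001; rev:1;)
log tcp !192.168.1.0/24 any -> 192.168.1.0/24 22 \
    (msg:"inbound ssh"; flags:S; sid:1000002; rev:1;)
pass tcp 192.168.1.10 any -> any 443 (msg:"trusted scanner"; sid:1000003;)
alert tcp any any -> $HOME_NET 23 (msg:"telnet without sid";)
'''

# Rule actions Snort 2 understands (the last three only apply inline).
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
DIRECTIONS = {"->", "<>"}


def join_continuations(text):
    """Yield logical rule lines, joining lines that end in a backslash and
    skipping blank lines and '#' comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        logical = buf.strip()
        buf = ""
        if logical and not logical.startswith("#"):
            yield logical


def split_options(body):
    """Split the option body on ';' outside double quotes.
    Returns a list of (keyword, value) pairs; value is None for bare keywords
    such as 'nocase'. Simplification: a ')' inside a quoted msg is not handled."""
    opts, cur, in_quote, prev = [], "", False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
        prev = ch
    if cur.strip():
        opts.append(cur.strip())
    result = []
    for opt in opts:
        if not opt:
            continue
        key, sep, value = opt.partition(":")
        result.append((key.strip(), value.strip() if sep else None))
    return result


def parse_rule(line):
    """Parse one logical rule line into a dict; raise ValueError on bad syntax."""
    head, sep, rest = line.partition("(")
    if not sep or not rest.rstrip().endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    tokens = head.split()
    if len(tokens) != 7:
        raise ValueError("header must be: action proto src sport dir dst dport")
    action, proto, src, sport, direction, dst, dport = tokens
    if action not in ACTIONS:
        raise ValueError("unknown action %r" % action)
    if direction not in DIRECTIONS:
        raise ValueError("direction must be -> or <>")
    options = split_options(rest.rstrip()[:-1])
    opt_map = dict(options)
    if "sid" not in opt_map:
        raise ValueError("Each rule must contain a sid")
    return {
        "action": action, "proto": proto, "src": src, "sport": sport,
        "direction": direction, "dst": dst, "dport": dport,
        "sid": int(opt_map["sid"]),
        "msg": (opt_map.get("msg") or "").strip('"'),
        "options": options,
    }


def load_rules(text):
    """Parse every rule in text; return (parsed_rules, [(line, error), ...])."""
    rules, errors = [], []
    for line in join_continuations(text):
        try:
            rules.append(parse_rule(line))
        except ValueError as exc:
            errors.append((line, str(exc)))
    return rules, errors


def count_by_action(rules):
    """How many alert / log / pass rules a rule set contains."""
    return dict(Counter(r["action"] for r in rules))


if __name__ == "__main__":
    parsed, bad = load_rules(SAMPLE_RULES)
    print(count_by_action(parsed))
    for line, err in bad:
        print("REJECTED:", err, "->", line)
```

Run against a real rules file, the rejected lines are the ones snort -T would also complain about for a missing sid, so this is a quick way to sanity-check hand-written local.rules before restarting Snort.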

Now we can move on to the configuration file which can be opened using the following command:

kali > mousepad /etc/snort/snort.conf

Configuration File Open Screen

In the Snort configuration file, we may see 9 sections, as:

Options Available for Configuration

For the most basic configuration, we will address only sections 1,6 and 7.

Setting variables

Configuration Variable

In the above screenshot, we can see the highlighted line "ipvar HOME_NET". This variable names the network Snort is protecting, and the rules refer to it as $HOME_NET. Its value can be a single IP address, a comma-separated list of addresses in square brackets, a subnet in CIDR notation, or the keyword any. The default is any, which is fine for a first run but makes every rule that distinguishes inside from outside meaningless, so set it to your real network before relying on the alerts, and set EXTERNAL_NET just below it to !$HOME_NET so that "outside" means everything that is not your network.

Check the output

Final configuration

Using CTRL+F we then move on to Step #6, the output plugins. By default, snort.conf enables the unified2 plugin, which writes alerts and packets in Snort's binary unified2 format, meant to be read by a separate tool such as Barnyard2. If we prefer something tcpdump or Wireshark can open directly, we can comment out the unified2 line and uncomment the log_tcpdump line below it; the capture is then written as a pcap file in the log directory, /var/log/snort by default (or the directory given with -l).

Disable rules

Depending on our enterprise, we may need to change the rule sets Snort loads. They are listed as include lines in Step #7 of the configuration file.

Configuration Rules

To stop Snort from loading a given set, simply comment out its "include" line with a #. Keep local.rules included: that is the file where your own rules belong.

After any change, save the file and test the configuration with the -T switch. Snort parses the configuration and every included rule file, reports any syntax error with the file name and line number, and exits without capturing traffic:

kali > sudo snort -T -c /etc/snort/snort.conf

Final Configuration Validation
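The three edits above (Step #1, #6 and #7) are simple line substitutions, which makes them easy to script for several sensors instead of editing each snort.conf by hand. The following is an added example written for this article, not a tool from the Snort project: it works on a constructed excerpt of snort.conf that only contains the lines the article touches, and the function names are my own. The real file is much longer, but the line patterns it matches are the ones found in the stock snort.conf.

```python
import re

# Constructed snort.conf excerpt (not the real file) containing just the lines
# the article changes: the network variables (Step #1), the output plugin
# (Step #6) and the rule-set includes (Step #7).
SAMPLE_CONF = """\
# Step #1: Set the network variables.
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules

# Step #6: Configure output plugins
output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
# output log_tcpdump: tcpdump.log

# Step #7: Customize your rule set
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
"""


def set_home_net(conf, networks):
    """Point HOME_NET at the given network(s) and define EXTERNAL_NET as its negation.
    A single network is written bare, several are written as a [a,b,...] list."""
    value = "[" + ",".join(networks) + "]" if len(networks) > 1 else networks[0]
    conf = re.sub(r"(?m)^ipvar HOME_NET .*$", "ipvar HOME_NET " + value, conf)
    conf = re.sub(r"(?m)^ipvar EXTERNAL_NET .*$", "ipvar EXTERNAL_NET !$HOME_NET", conf)
    return conf


def use_tcpdump_output(conf):
    """Comment out the unified2 output line and enable the log_tcpdump line."""
    conf = re.sub(r"(?m)^(output unified2:.*)$", r"# \1", conf)
    conf = re.sub(r"(?m)^#[ \t]*(output log_tcpdump:.*)$", r"\1", conf)
    return conf


def disable_rulesets(conf, names):
    """Comment out 'include $RULE_PATH/<name>.rules' for every name given."""
    for name in names:
        pattern = r"(?m)^(include \$RULE_PATH/" + re.escape(name) + r"\.rules)[ \t]*$"
        conf = re.sub(pattern, r"# \1", conf)
    return conf


def active_settings(conf):
    """Summarize what a configuration will actually do once loaded:
    the protected network, the enabled output plugins and the enabled rule sets."""
    home = re.search(r"(?m)^ipvar HOME_NET (.*)$", conf).group(1)
    outputs = re.findall(r"(?m)^output (\w+):", conf)
    rulesets = re.findall(r"(?m)^include \$RULE_PATH/(\S+)\.rules", conf)
    return {"home_net": home, "outputs": outputs, "rulesets": rulesets}


def harden(conf):
    """Apply the article's three changes with example values (assumed networks)."""
    conf = set_home_net(conf, ["192.168.1.0/24", "10.0.0.0/8"])
    conf = use_tcpdump_output(conf)
    conf = disable_rulesets(conf, ["backdoor", "attack-responses"])
    return conf


if __name__ == "__main__":
    print("before:", active_settings(SAMPLE_CONF))
    print("after: ", active_settings(harden(SAMPLE_CONF)))
```

Whatever produces the file, the last step is unchanged: run sudo snort -T -c <the new file> and only deploy it if Snort reports that the configuration was validated successfully.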

THE END…?

Well, we have not even scratched the surface of Snort. For the geeks out there, think of this as just the beginning of a Christopher Nolan or a Quentin Tarantino movie: there are still many layers to go through. We can write our own rules, build our own NIDS for the enterprise, and sniff packets.

I hope you liked this series. If you found it worth reading as a security person, do share it. I will try to write more cybersecurity and information security related articles and projects. See you in the next article!
