Snort Tutorial
A Brief Tutorial in Snort
Jaland Worley
CT312-900
12/10/2011
Ralph DeFrangesco
Page 1 of 32
Table of Contents
Introduction to the Project 3
System Configuration 4
Virtualization 4
Description of Snort 5
Background 5
System Requirements 5
Installation 6
Using Snort 10
Configuration 10
Writing Rules 17
Violations 18
Summary 26
Advantages/Disadvantages 26
Future Implications 30
End Notes 31
Introduction to the Project
This project is designed to give a basic overview and tutorial of how to install, configure,
and use the Snort intrusion detection system. In the first section of this document, the system
configuration of the server will be described in detail to provide the reader with a walkthrough of
how to configure a similar laboratory. Section two will provide a detailed description of Snort,
its history, system requirements, and how it is best installed. Section three will provide full
instructions on how to interact with, configure, and make use of Snort. Section four will summarize
the entire document and provide insight on advantages and disadvantages of Snort, as well as
future implications.
System Configuration
For this project, the laboratory will consist of a gigabit LAN, containing a workstation,
virtual server, and several mobile devices.
The workstation is custom built. It contains an AMD Phenom II chip with six cores
running at 3.2GHz per core. It is also hyper-threaded, providing twelve threads for data
processing. It also has 16GB of DDR3 1333 RAM and a 150GB Raptor hard drive. The virtual
server is an Ubuntu Linux distribution. It has been installed on Oracle's VirtualBox software. It
shares resources with the custom workstation. Ubuntu will host our Snort installation, and it will
be where most of the project's work will be performed. The mobile devices used in this project
will be two Apple iPhone 4S smartphones.
Virtualization is an amazing concept. For the purpose of this project, it provides a means
for students to have multiple systems running off a single set of hardware components. It is
required that CPUs and motherboards support virtualization in order to run software such as
VirtualBox. However, most new computers are capable of virtualization. VirtualBox allows a
user to configure the parameters of the machine they wish to create. From a single hardware
resource pool, the user selects how much disk space, processing power, and memory is used to
run the virtual machine. After these parameters are set, the user provides an image of whatever
operating system they wish to use and it is installed as if the image were being fed to another
machine made of real hardware. It is possible for a virtual machine to share one network
interface card with the host it is sharing other resources with. This is called bridging. Bridging
allows the laboratory in this project to function by binding a second IP address to the NIC.
Description of Snort
Snort was released in 1998 by Martin Roesch. It is a network intrusion detection system
that is completely free of charge. Snort works by capturing packets as they pass through a network that
Snort monitors. The software matches characteristics and payloads of packets against a detailed,
and customizable, set of rules. When a packet or stream of packets meets the criteria of a
rule, an alert is logged and/or the packet is dropped. These alerts are also customizable to
help network administrators categorize and manage their networks. Snort "is the most widely
deployed intrusion prevention technology in the world." Snort detects many types of attacks,
such as denial-of-service, buffer overflows, port scans, SMB probes, fingerprinting, etc.; Snort
also reacts in real time to traffic. Snort is open-source, and much of its success and usefulness
comes from the community that collaborates to make Snort a dynamic, living application.
Snort has several requirements that must be fulfilled before it can be used properly.
These requirements are software packages called libpcap, PCRE, libdnet, Barnyard2, and DAQ.
Libpcap is a packet capture library that allows Snort to inspect packets. PCRE is the Perl
Compatible Regular Expressions library, which gives Snort regular-expression matching during the installation
and use of Snort. Libdnet is a network API that allows Snort to use various networking
protocols. Barnyard2 is an output mechanism for Snort. It is used to write the data Snort
collects to various databases. To make viewing the output easier, there are many front-end
web interfaces that make Snort easier to use. In this tutorial MySQL will be the back-end with
Snorby on the front-end. However, this tutorial will also show raw output from the command
line. There are no specific hardware requirements for Snort, but it should be understood that in
order for Snort to process a large number of packets, much processing power will be required.
Snort can be installed from binaries or from source code. In this tutorial, Ubuntu Linux is the
platform being used for Snort. Other Linux distributions have been known to put a user into
"dependency hell," where packages cannot be installed without first installing prerequisite packages.
To avoid this, Ubuntu has a method of retrieving and installing software packages called
apt-get. apt-get allows users to download a given application and all of its
dependencies in one simple command. When apt-get is used, Snort is installed in a matter of
one to two minutes. The following screenshots show apt-get in action.
Snort has already been installed on the server, but the process can be explained by the output.
apt-get install snort looks at the lists of packages it has available, resolves the
dependencies that Snort needs, and then downloads everything and installs it for the user. If
there is a need to update Snort to a newer version, apt-get can handle this for the user as well.
The command apt-get upgrade looks for updates of all the packages installed on the
server. Packages can also be removed with apt-get remove [package name]. Packages
that are outdated can be removed with apt-get autoremove.
The packages libpcap, PCRE, and libdnet are automatically found by apt-get and
installed. It is important to install the database that will be used in the installation. MySQL will
be used in this project, but SQLite and PostgreSQL can be used as well. These can be installed
through apt-get, source code, binaries, or in the initial installation of the Linux server. The
remaining package, Barnyard2, needs to be installed separately. Unfortunately, there is no
apt-get package for Barnyard2, so it will have to be downloaded and built
separately. The original host of Barnyard2 no longer hosts the file. The method used in this
installation is called "git." Git is similar to wget, which is used to download FTP files.
git clone https://github.com/firnsy/barnyard2.git is the command to retrieve the files. Once the
files have been downloaded, the source code can be compiled and run. Building Barnyard2 in this
manner requires the dh-autoreconf package to be installed.
Using Snort
Snort runs off of a configuration file. This file tells Snort where to look for its
parameters, rules, and methods of operating.
Variables are edited to customize Snort to use on the home network.
Variables are also used to describe external networks.
There are many rule sets to use in Snort. For this tutorial, custom rules were written in order to
better explain and discover how Snort handles rule violations.
The real power of Snort is in the ability to write customized rules. For this tutorial, five
rules have been written to demonstrate different attacks. The first rule looks for
ICMP traffic from a specific host, and the second looks for ICMP traffic from any host; the remaining
three are a telnet alert, an SSH alert, and a rule that alerts when a specific port is scanned.
The five rules that will be used in this tutorial.
The rules are stored in a separate rules file. All other rules files have been commented out of
the configuration file so they are not used while Snort is running. Each rule has a unique sid
number that allows for further customization and organization of alerts. Also, each rule has a
message field that allows the user to customize what the alert actually says.
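The rule structure described above, as an added example that is not code from the paper: a small Python script that renders the five rule types in Snort's rule syntax, checks that every sid is unique and in the range reserved for locally written rules (1,000,000 and above), and emits the snort.conf lines that set the network variables and include only this rules file. HOME_NET, EXTERNAL_NET and $RULE_PATH are Snort's own configuration variables; the IP address, port choices, alert messages and sid numbers are constructed for the example and are not the paper's actual rules.

```python
"""Render and sanity-check a small set of Snort 2 rules.

Added example, not code from the paper. The rule grammar and the
HOME_NET / EXTERNAL_NET / RULE_PATH variables are Snort's; the
addresses, ports, messages and sid values are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Snort reserves sids below 1,000,000 for rules it distributes;
# locally written rules start at 1,000,000.
LOCAL_SID_MIN = 1_000_000

# Loose grammar for a one-line rule: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(alert|log|pass|drop|reject|sdrop)\s+(\w+)\s+(\S+)\s+(\S+)\s+"
    r"(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    msg: str
    sid: int
    rev: int = 1
    extra: tuple = ()  # further option strings, e.g. 'flags:S;'

    def render(self) -> str:
        """Return the rule as one line of Snort rule syntax."""
        options = [f'msg:"{self.msg}";', *self.extra,
                   f"sid:{self.sid};", f"rev:{self.rev};"]
        header = (f"{self.action} {self.proto} {self.src} {self.sport} "
                  f"{self.direction} {self.dst} {self.dport}")
        return f"{header} ({' '.join(options)})"


def tutorial_rules() -> list[Rule]:
    """The five rule types the paper describes (addresses/ports constructed)."""
    return [
        Rule("alert", "icmp", "192.168.1.50", "any", "->", "$HOME_NET", "any",
             "ICMP from suspicious host", 1000001),
        Rule("alert", "icmp", "any", "any", "->", "$HOME_NET", "any",
             "ICMP from any host", 1000002),
        Rule("alert", "tcp", "$EXTERNAL_NET", "any", "->", "$HOME_NET", "23",
             "Telnet connection attempt", 1000003, extra=("flags:S;",)),
        Rule("alert", "tcp", "$EXTERNAL_NET", "any", "->", "$HOME_NET", "22",
             "SSH connection attempt", 1000004, extra=("flags:S;",)),
        Rule("alert", "tcp", "$EXTERNAL_NET", "any", "->", "$HOME_NET", "3306",
             "Scan of MySQL port", 1000005, extra=("flags:S;",)),
    ]


def validate(rules: list[Rule]) -> list[str]:
    """Return a list of problems; an empty list means the rule set is sane."""
    problems: list[str] = []
    seen: dict[int, str] = {}
    for r in rules:
        if not RULE_RE.match(r.render()):
            problems.append(f"sid {r.sid}: rule does not parse")
        if not r.msg:
            problems.append(f"sid {r.sid}: empty msg")
        if r.sid < LOCAL_SID_MIN:
            problems.append(f"sid {r.sid}: below the local-rule range")
        if r.sid in seen:
            problems.append(f"sid {r.sid}: duplicate of '{seen[r.sid]}'")
        seen[r.sid] = r.msg
    return problems


def rules_file(rules: list[Rule]) -> str:
    """Contents of the custom rules file, one rule per line."""
    return "\n".join(r.render() for r in rules) + "\n"


def conf_fragment(home_net: str, rules_name: str = "local.rules") -> str:
    """snort.conf lines: home network, everything else as external, only our rules."""
    return "\n".join([
        f"ipvar HOME_NET {home_net}",
        "ipvar EXTERNAL_NET !$HOME_NET",
        f"include $RULE_PATH/{rules_name}",
    ]) + "\n"


if __name__ == "__main__":
    rules = tutorial_rules()
    print(conf_fragment("192.168.1.0/24"))
    print(rules_file(rules))
    print("problems:", validate(rules) or "none")
```

Running the script prints the configuration fragment, the five rendered rules, and "problems: none"; changing one sid to collide with another, or to a value below 1,000,000, makes validate() report it before Snort is ever restarted.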
Once the rules are written and the rest of the configuration is complete, Snort can be
started. Snort is started automatically as a daemon once it is installed. If Snort needs to be
started manually, it can be done with one of two commands: "snort -c /etc/snort/snort.conf
-D -l /var/log/snort" will run Snort as a daemon. Also, /etc/init.d/snort start will run Snort with
the basic configuration file, and as a daemon. The first rule looks for an ICMP packet coming
from a particular host. The following screenshots show the creation of the traffic and the alert
that Snort creates.
The alert log was tailed in the screenshot above, but in the log file there are four entries to match
the four packets sent. The next alerts are generated by an application on an iPhone called
"Scany." It is a multi-tool that combines a port scanner, an OS fingerprinter, and a service prober.
These three alerts were generated after the iPhone application was executed.
The application sent many ICMP packets and probed the operating system looking
for open ports and running services. Snort alerted on three of the rules loaded into the
Snort configuration. The TCP PortScan alert appears to come from a rule that is loaded all the time; it was not
specified in the experimental rules file. The next type of traffic is a telnet request. Telnet is not
used very much these days. It transmits data in clear text, and it is just inherently insecure, but it
is often turned on by default in some systems.
Telnet’s successor, SSH, is used commonly in most organizations for remote access. It is
often left open, and attackers can brute-force passwords to gain access to the system. The
following screenshots show an alert for an SSH attempt. SSH connections should only be
allowed from trusted networks.
If Snort ever needs to be stopped, it can be stopped with the command “killall snort” or
“/etc/init.d/snort stop.”
Summary
Snort is a great application. It is easy to install and configure, but it does have some
disadvantages. The next section breaks down the advantages and disadvantages of Snort.
Advantages
Free
Easy to install and configure (on certain platforms)
Plentiful support through Snort Community
Fully customizable
Efficient with system resources
Downloadable rule sets (with paid subscription)
Disadvantages
Difficult to install and configure (on certain platforms)
Steep learning curve when writing rules
Difficult to test rules in a production environment
Limited Windows support
Alerts can be overwhelming
The last disadvantage is the biggest flaw in Snort. If the default rule sets are used, even with
customization, the number of alerts is almost too much to handle. The following
screenshots demonstrate this.
The configuration file is modified to allow all rule sets to be parsed.
After running the application “Scany,” from the iPhone, this is what a portion of the alert file
looks like.
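The alert file shown in the screenshots is Snort's one-line-per-alert format (the alert_fast output). As an added example that is not part of the original paper, the script below parses constructed sample lines in that format, counts alerts per rule and per source host, and reports which rules fire most often; that aggregation is the first step in taming the volume described here, and it also reproduces the four-entries-for-four-packets count from the Violations section. The sample lines, addresses, alert messages and sid values are constructed, as is the portscan line attributed to the preprocessor generator id 122.

```python
"""Parse Snort alert_fast lines and summarize them per rule and per source.

Added example, not code from the paper. The line layout is Snort's
alert_fast format; every sample line below is constructed.
"""
from __future__ import annotations

import re
from collections import Counter

# Constructed sample log: four ICMP hits, two telnet, one SSH, one portscan
# (gid 122 is the sfPortscan preprocessor), plus one non-alert line.
SAMPLE_LOG = """\
12/10-14:05:31.101234  [**] [1:1000001:1] ICMP from suspicious host [**] [Priority: 0] {ICMP} 192.168.1.50 -> 192.168.1.10
12/10-14:05:32.102001  [**] [1:1000001:1] ICMP from suspicious host [**] [Priority: 0] {ICMP} 192.168.1.50 -> 192.168.1.10
12/10-14:05:33.103377  [**] [1:1000001:1] ICMP from suspicious host [**] [Priority: 0] {ICMP} 192.168.1.50 -> 192.168.1.10
12/10-14:05:34.104912  [**] [1:1000001:1] ICMP from suspicious host [**] [Priority: 0] {ICMP} 192.168.1.50 -> 192.168.1.10
12/10-14:07:02.550031  [**] [1:1000003:1] Telnet connection attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:49152 -> 192.168.1.10:23
12/10-14:07:02.580114  [**] [1:1000003:1] Telnet connection attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:49153 -> 192.168.1.10:23
12/10-14:07:05.002200  [**] [1:1000004:1] SSH connection attempt [**] [Priority: 0] {TCP} 192.168.1.50:49160 -> 192.168.1.10:22
12/10-14:07:09.771900  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.168.1.50 -> 192.168.1.10
this line is not an alert and is skipped
"""

# timestamp [**] [gid:sid:rev] msg [**] [Classification: x]? [Priority: n] {proto} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def parse_alert(line: str) -> dict | None:
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        a[key] = int(a[key])
    return a


def host_of(endpoint: str) -> str:
    """Strip the :port suffix that TCP/UDP alerts carry (IPv4 only)."""
    return endpoint.rsplit(":", 1)[0] if ":" in endpoint else endpoint


def summarize(log_text: str) -> dict:
    """Count alerts per (gid, sid, msg) and per source host; count unparsed lines."""
    by_rule: Counter = Counter()
    by_source: Counter = Counter()
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        a = parse_alert(line)
        if a is None:
            skipped += 1
            continue
        by_rule[(a["gid"], a["sid"], a["msg"])] += 1
        by_source[host_of(a["src"])] += 1
    return {"by_rule": by_rule, "by_source": by_source, "skipped": skipped}


def noisy_rules(summary: dict, threshold: int) -> list[tuple]:
    """Rules that fired at least `threshold` times, loudest first: tuning candidates."""
    return [(key, n) for key, n in summary["by_rule"].most_common() if n >= threshold]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for (gid, sid, msg), n in s["by_rule"].most_common():
        print(f"{n:4d}  [{gid}:{sid}] {msg}")
    print("sources:", dict(s["by_source"]), "skipped:", s["skipped"])
    print("noisy:", noisy_rules(s, 3))
```

Run against a real /var/log/snort/alert the same way (read the file into summarize), the per-rule counts show at a glance which rules are producing the bulk of the entries and therefore which to tune or disable first.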
In order to use Snort effectively, the time needed for testing and rule configuration is
substantial. If an organization has the time, resources, and employee talent, Snort can be a
useful tool to protect the organization's network from intrusion and attack.
Future Implications
Snort is only going to get better with time. The open-source community is growing at a
high rate, and the amount of support and the number of rules are growing at a similar rate. With time, the
Snort rules should become more streamlined to work in production environments, but the
need for interaction with and modification of these rules is never going to go away. Therefore, if
one can become proficient with Snort, one can increase one's marketability when searching
for jobs. Due to its cost effectiveness, ease of acquisition, and continued growth, Snort will
remain the top open-source IDS for years to come.
End Notes
Works Cited
Peters, E. (n.d.). Snorby eBook. Retrieved 12 10, 2011, from github: https://github.com/Snorby/snorby/wiki/Snorby-E-Book
Snorby.org. (n.d.). Snorby. Retrieved 12 10, 2011, from Snorby - All About Simplicity: http://www.snorby.org
Snort.org. (n.d.). Snort. Retrieved 12 10, 2011, from Snort.org: http://www.snort.org
Ubuntu.com. (n.d.). dh-autoreconf. Retrieved 12 10, 2011, from Ubuntu.com: http://packages.ubuntu.com/maverick/all/dh-autoreconf/download