Snort
Use Snort to detect real-time threats, analyze recorded traffic and identify anomalies

About Snort
Snort is an open-source, rule-based Network Intrusion Detection and Prevention System (NIDS/NIPS).
Snort has three main use models:
Sniffer Mode - Read IP packets and print them to the console.
Packet Logger Mode - Log all IP packets (inbound and outbound) that traverse the network.
NIDS (Network Intrusion Detection System) and NIPS (Network Intrusion Prevention System) Modes - Log or drop packets that are deemed malicious according to user-defined rules.
snort@kali$ snort -V
,,_ -*> Snort! <*-
o" )~ Version 2.9.7.0 GRE (Build XXXXXX)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.9.1 (with TPACKET_V3)
Using PCRE version: 8.39 2016-06-14
Using ZLIB version: 1.2.11
The following are basic parameters:
-V / --version
Print the version of your Snort instance.
-c
Specify the configuration file to use.
-T
Self-test mode: Snort validates the configuration and rule files and then exits, so you can check your setup before running it.
-q
Quiet mode: prevents Snort from displaying the default banner and the initial information about your setup.
PCAP mode parameters include:
-r / --pcap-single=
Read a single pcap file.
--pcap-list=""
Read the pcaps listed in the quoted argument (space separated).
--pcap-show
Show each pcap's name on the console while it is processed.
Sniffer mode:
-v
Verbose: display TCP/IP headers on the console.
-d
Display the application-layer packet data.
-e
Display the link-layer headers.
-X
Display the full packet details in hex.
-i
Define the network interface to listen on.
Snort Rule Structure

General rules options include the following:
Msg
The message field is a short label and quick identifier for the rule. Once the rule triggers, the message field appears in the console or log. Usually the message is a one-liner that summarises the event.
Sid
Snort rule IDs (SIDs) come with a pre-defined scope, and each rule must have a SID in the proper format. The three SID scopes are shown below.
<100: Reserved rules
100-999,999: Rules shipped with the build.
>=1,000,000: Rules created by users.
Briefly, the rules we create should have a SID greater than 100.000.000. Another important point: SIDs must not overlap, and each ID must be unique.
Reference
Each rule can carry additional information or a reference that explains the purpose of the rule or the threat pattern it covers. That could be a Common Vulnerabilities and Exposures (CVE) ID or a link to external information. References always help analysts during alert triage and incident investigation.
Rev
Snort rules are modified and updated over time for performance and accuracy reasons. The rev option lets analysts track the revision of each rule, which makes rule improvements easy to follow. Each rule has its own rev number, and Snort keeps no automatic backup of the rule history, so analysts must keep that history themselves. The rev option is only an indicator of how many times the rule has been revised.
alert icmp any any <> any any (msg: "ICMP Packet Found"; sid: 1000001; reference:cve,CVE-XXXX; rev:1;)
Example Rules
# ----------------
# LOCAL RULES (user-created rules use SIDs >= 1,000,000)
# ----------------
# ICMP Packet
alert icmp any any <> any any (msg: "ICMP Packet Found"; sid: 1000001; rev:1;)
# IP Range Filter (CIDR notation in the source address field)
alert tcp 10.0.0.1/24 any <> any any (msg: "Subnet Found"; sid: 1000002; rev:1;)
# GET Requests (content match on traffic to/from port 80)
alert tcp any any <> any 80 (msg: "GET Found"; content:"GET"; sid: 1000003; rev:1;)
# Filtering on the IP id field (a 16-bit value, so 0-65535)
alert tcp any any <> any any (msg: "ID TEST"; id: 12345; sid: 1000004; rev:1;)
# Flags (F-FIN, S-SYN, R-RST, P-PSH, A-ACK, U-URG)
alert tcp any any <> any any (msg: "FLAG TEST"; flags:S; sid: 1000005; rev:1;)
# Dsize (payload size between 100 and 300 bytes, exclusive)
alert ip any any <> any any (msg: "DSIZE TEST"; dsize:100<>300; sid: 1000006; rev:1;)
# Same IP (source and destination address are identical)
alert ip any any <> any any (msg: "SAME IP TEST"; sameip; sid: 1000007; rev:1;)
# Filter on content ($PATTERN is a placeholder for the string to match)
alert tcp any any <> any any (msg: "CONTENT TEST"; content: "$PATTERN"; sid: 1000008; rev:1;)
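A small rule linter that applies the rule structure and the SID scopes described above to a local.rules file. This is an added example, not code from the Snort project or the original cheatsheet; the sample rules in SAMPLE_RULES are constructed for it, and the parser covers the header plus key:value; option syntax used in the examples, not every Snort option form.

```python
import re
# Constructed sample local.rules content (made up for this example, not a real ruleset).
SAMPLE_RULES = """# ICMP Packet
alert icmp any any <> any any (msg:"ICMP Packet Found"; sid:1000001; rev:1;)
alert tcp any any <> any 80 (msg:"GET Found"; content:"GET"; sid:100003; rev:1;)
alert tcp any any <> any any (msg:"Duplicate SID"; sid:1000001; rev:2;)
alert ip any any <> any any (msg:"Missing rev"; sid:1000010;)
"""
# Rule header: action proto src sport dir dst dport, then an optional (options) body.
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>[^\s(]+)\s*(?:\((?P<opts>.*)\))?\s*$')
# One option: key, optional ":value" (quoted values may contain spaces), ended by ';'.
OPTION_RE = re.compile(r'\s*([A-Za-z_]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')
def parse_rule(line):
    # Split one rule into its header fields plus an {option: value} dict.
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rule = m.groupdict()
    rule['options'] = {}
    for opt in OPTION_RE.finditer(rule.pop('opts') or ''):
        key, val = opt.group(1), opt.group(2)
        rule['options'][key] = val.strip().strip('"') if val is not None else True  # flag e.g. sameip
    return rule

def sid_scope(sid):
    # SID scopes as listed above: <100 reserved, 100-999,999 shipped with the build, else local.
    return 'reserved' if sid < 100 else 'build' if sid < 1_000_000 else 'local'

def lint_rules(text):
    # Return (line, problem) pairs: bad SID scope, duplicate SID, missing msg/rev.
    findings, seen = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        rule = parse_rule(raw)
        opts = rule['options'] if rule else {}
        if 'sid' not in opts:
            findings.append((lineno, 'unparseable rule or missing sid'))
            continue
        sid = int(opts['sid'])
        seen[sid] = seen.get(sid, 0) + 1
        if sid_scope(sid) != 'local':
            findings.append((lineno, f'sid {sid} is in the {sid_scope(sid)} scope, local rules need >= 1000000'))
        findings += [(lineno, f'sid {sid} has no {k}') for k in ('msg', 'rev') if k not in opts]
    findings += [(0, f'sid {sid} used {n} times') for sid, n in seen.items() if n > 1]
    return findings
```

Running lint_rules(SAMPLE_RULES) flags the rule in the build scope, the duplicated SID and the rule without a rev, which are exactly the mistakes the SID and rev sections above warn about.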
Sample Snort Commands
# Run Snort with the local.rules file against a given PCAP, with full alerts and logs written to the current directory
snort -c local.rules -r $PCAP -A full -l .
# Process only the first $ID packets of a Snort log, then exit (-n is a packet count, not a packet ID)
snort -r snort.log.$VAL -n $ID
# Read a Snort log and dump full packet details in hex
snort -r snort.log.$VAL -X
# Sniffer mode: packet data, link-layer headers, verbose output and hex dump
snort -devX