Snort
Use Snort to detect real-time threats, analyze recorded traffic and identify anomalies
Snort is an open-source, rule-based Network Intrusion Detection and Prevention System (NIDS/NIPS).
Snort has three main use models:
Sniffer Mode - Read IP packets and display them in the console.
Packet Logger Mode - Log all IP packets (inbound and outbound) that traverse the network.
NIDS (Network Intrusion Detection System) and NIPS (Network Intrusion Prevention System) Modes - Log or drop packets that are deemed malicious according to user-defined rules.
The following are basic parameters:
-V / --version
Prints the version of the Snort instance.
-c
Specifies the configuration file to use.
-T
Snort's self-test parameter; use it to validate your configuration before running.
-q
Quiet mode prevents Snort from displaying the default banner and initial information about your setup.
PCAP mode parameters include:
-r / --pcap-single=
Read a single pcap
--pcap-list=""
Read the pcaps listed on the command line (space separated).
--pcap-show
Show pcap name on console during processing.
Sniffer mode:
-v
Verbose; display the TCP/IP headers
-d
Display the packet data
-e
Display the link-layer headers
-X
Display the full packet details in hex
-i
Specifies the network interface to listen on
General rules options include the following:
Msg
The message field is a basic prompt and quick identifier of the rule. Once the rule is triggered, the message field appears in the console or log. Usually, the message is a one-liner that summarises the event.
Sid
Snort rule IDs (SID) come with a pre-defined scope, and each rule must have a SID in a proper format. There are three different scopes for SIDs shown below.
<100: Reserved rules
100-999,999: Rules that came with the build.
>=1,000,000: Rules created by user.
Briefly, the rules we create should have a SID greater than 100.000.000. Another important point is that SIDs should not overlap; each ID must be unique.
Reference
Each rule can carry additional information or a reference explaining the purpose of the rule or the threat pattern. This could be a Common Vulnerabilities and Exposures (CVE) id or a link to external information. Having references on rules always helps analysts during alert and incident investigation.
Rev
Snort rules can be modified and updated for performance and efficiency reasons. The rev option lets analysts track the revision of each rule, so rule improvements are easy to follow. Each rule has its own rev number, and there is no auto-backup feature for rule history, so analysts must keep the rule history themselves. The rev option is only an indicator of how many times the rule has been revised.
alert icmp any any <> any any (msg: "ICMP Packet Found"; sid: 100001; reference:cve,CVE-XXXX; rev:1;)
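As an added example (not from this page or the Snort project), the following Python parses single-line rules like the one above into their header fields and options, classifies each SID into the three scopes listed earlier, and flags missing msg/sid/rev options and overlapping SIDs across a ruleset. The sample rules and the helper names are constructed for the example.

```python
import re
# Constructed sample rules (assumed format, not from any real Snort ruleset).
SAMPLE_RULES = [
    'alert icmp any any <> any any (msg: "ICMP Packet Found"; sid: 1000001; reference:cve,2000-0001; rev:1;)',
    'alert tcp any any -> any 80 (msg:"Web request; see notes"; sid:1000002; rev:2;)',
    'alert tcp any any -> any 22 (msg:"SSH probe"; sid:1000002; rev:1;)',   # overlaps rule 2
    'alert udp any any -> any 53 (msg:"DNS query"; sid:500; rev:1;)',       # build scope, not user
]

# Header: action proto src sport direction dst dport, then the option list in parentheses.
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
# Options: name[:value]; where value may be a quoted string that itself contains ';'.
OPTION_RE = re.compile(r'(\w+)(?:\s*:\s*("[^"]*"|[^;]*))?;')

def parse_rule(rule):
    """Split a single-line Snort rule into header fields plus an options dict."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % rule)
    fields = m.groupdict()
    opts = {}
    for name, value in OPTION_RE.findall(fields.pop("opts")):
        opts[name] = value.strip().strip('"') if value else None
    fields["options"] = opts
    return fields

def sid_scope(sid):
    """Map a SID to the scope the ranges above describe."""
    return "reserved" if sid < 100 else "build" if sid <= 999999 else "user"

def check_ruleset(rules):
    """Flag missing msg/sid/rev, non-user SIDs and duplicate SIDs across a ruleset."""
    problems, seen = [], {}
    for n, rule in enumerate(rules, 1):
        opts = parse_rule(rule)["options"]
        for required in ("msg", "sid", "rev"):
            if required not in opts:
                problems.append("rule %d: missing %s" % (n, required))
        if "sid" in opts:
            sid = int(opts["sid"])
            if sid_scope(sid) != "user":
                problems.append("rule %d: sid %d is in %s scope" % (n, sid, sid_scope(sid)))
            if sid in seen:
                problems.append("rule %d: sid %d overlaps rule %d" % (n, sid, seen[sid]))
            seen.setdefault(sid, n)
    return problems, sorted(seen)
```

Running check_ruleset over a local rules file before loading it with -c / -T catches SID collisions that Snort would otherwise only report at startup.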