Understanding and Configuring Snort Rules

Synopsis
In this article we will learn the make up of Snort rules and how we can
we configure them on windows to get alerts for any attacks performed.
There are various IDS (Intrusion Detection System) and IPS(Intrusion
Prevention System) methods available to use, but one of the best and
most common method is Snort.

What is Snort?
Snort is a Free and Open Source Network Intrusion Prevention
and Detection System. It uses a rule-based language combining
signature, protocol and anomaly inspection methods to detect malicious
activity such as DOS attacks, Buffer overflows, stealth port scans, CGI
attacks, SMB probes, OS fingerprinting attempts, and more. It is capable
of performing real time traffic analysis and packet logging on IP
networks.

Uses of Snort Rules?

 Snort uses the popular libpcap library (For UNIX/Linux) or winpcap
(for Windows), the same library that tcpdump uses to perform packet
sniffing.

 Snort’s Packet Logger feature is used for debugging network traffic.

 Snort generates alerts according to the rules defined in configuration

file.

 The Snort rule language is very flexible, and creation of new rules is
relatively simple.
  Snort rules help in differentiating between normal internet activities
and malicious activities.

A simple syntax for a Snort rule:

#### An example for Snort rule:

log tcp !192.168.0/24 any -> 192.168.0.33 (msg: "mounted access" ; )

The direction operators <> and -> indicate the direction of interest for
the traffic, this means traffic can either flow in one direction or in bi -
directionally. Keyword any can be used to define any IP addresses,
numeric IP addresses must be used with a CIDR (Classless Inter-
domain Routing) netmask. In snort rules the port numbers can be listed
in many ways, including any ports, negation etc. Port ranges are
indicated with Range operator :.

An example for multi-line Snort rule:

log tcp !192.168.0/24 any -> 192.168.0.33 \

(msg: "mounted access" ; )

Usually snort rules were written in a single line, but with the new version
snort rules can be written in multi line. This can be done by adding a
backslash \ to the end of the line. This multiple line helps, if a rule is
very large and difficult to understand.

Example of a Port negation-

log tcp any any -> 192.168.1.0/24 !6000:6010

For better understanding refer to this table:

 Protocols Ip Address *Action performed

*log tcp any 192.168.1.0/24 It will log traffic from various ports and will go to ports which are
:1024 -> 400: greater than or equal to 400

log udp any any 92.168.1.0/24 It will log traffic from any port and destination ports ranging from
-> 1:1024 1 to 1024

Snort rules must be contained on a single line, unless the multi-line

char \ is used, the snort rule parser does not handle rules on multiple lines.
Usually it is contained in snort.confconfiguration file.
It come with two logical parts: 1. Rule header – Identifies rule actions
such as alerts, log, pass, activate, dynamic and the CIDR (Classless
inter-domain routing) Block.
2. Rule options – Identifies rule’s alert messages.

Snort rules must be written in such a way that it describes all the
following events properly:

 The conditions in which a user thinks that a network packet(s) is not

same as usual or if the identity of the packet is not authentic.

 Any violation of the security policy of the company that might be a

threat to the security of the company’s network and other valuable
information.

 All well known and common attempts to exploit the vulnerabilities in

the company’s network.

The rules defined to the system should be compatible enough to act

immediately and take necessary remedial measures, according to the
nature of the intrusion.Snort Does not evaluate the rules in that order
that they appear in the snort rules file. By default, the order is:

1. Alert rules – It generates an alert using alert method.

 2. Log rules – After generating alert, it then log the packet.

3. Pass rules – It ignore the packet and Drop it.

As we know IP is a unique address for every computer and is used for

transferring data or packet over the internet from one network to the
other network and each packet contains a message, Data, source,
destination address and much more. Snort supports three IP protocols
for suspicious behavior:

1. TCP (Transmission control protocol) – It is used to connect two

different hosts and exchange data between them. Example – HTTP,
SMTP, FTP

2. UDP (User datagram protocol) – It is used to broadcasting messages

over the internet. Example – DNS Traffic

3. ICMP (Internet control message protocol) – It is used in windows to

send network error messages. Example – Ping, Traceroute etc.

Installing and configuring Snort rules

on windows:
As we have discussed earlier, snort rules can be defined on any
Operating system. Here we will configure Snort rules on windows.The
first step is to download snort itself, which you can download from here
(DOWNLOAD SNORT). After you have downloaded snort, download
Snort rules from here (DOWNLOAD SNORT RULES). These rules are
community rules and you can download it without signing up. If you want
the greatest snort rules, getting updates for new rules set, then you
should go for subscription rules, which will cost you like 30$/year for an
indvidual. There is not much difference between the community rules
and the subscribers rules, they have same structure but you will get
updates for new snort rules really quick if you are a subscriber.
  Install snort in root directory, a popup will appear for installing
Winpcap, install it if its not already installed in your windows.

 To check weather Snort has successfully installed, Open Command

Prompt and go to Snort Directory.
cd Snort

 Check if there is a bin directory created under directory folder.

 Now go to Bin directory and check Snort version.

cd bin

Snort -V

 Extract all the Snort rules folders, that you donwloaded before and
from there copy all the content from folder to c:\Snort\rules

 Similarly, copy all the content from preproc_rules folder

to c:/Snort/preproc_rules
If it ask to overwrite the files say yes to all. It will replace all the old
versions with new preproc rules.

 After you have copied all the contents the main task starts here, Go
to c:/Snort/etc and open**Snort.conf** with wordpad. CONF
stands for configure.

 Snort.conf has Nine different sections, First thing we will set the
variables. The first variable we have is HOME_NET, You can leave this
 to any but it is preferred to put your machine IP address, In my case
the IP is 192.168.73.129

 EXTERNAL_NET any line as it is.

 If you have a DNS SERVER, then make changes in

the DNS_SERVERS line by replacing $HOME_NET with your DNS server
IP address, otherwise leave it blank.

 Now scroll down to RULE_PATH, and

replace ../rules with c:\Snort\rules and
replace**../so_rules** with c:\Snort\so_rules, At last
replace ../preproc_rules withc:\Snort\preproc_rules

 Also change
the WHITE_LIST_PATH and BLACK_LIST_PATH from**../rules**
toc:\Snort\rules

 Now navigate toc:\Snort\rules, and create two text files

named whitelistandblacklist and change their file extension from**
.txt** to **.rules, **if a pop up appears click yes.

 That’s all for step one, and there is nothing much to do in step two
but set #config logdir: to **config logdir:c:\Snort\log **,
this will help snort to write the output in a particular location.

 Now straightway go to step 4, in this we have to configure dynamic

loaded libraries. At path to dynamic preprocessor libraries
replace usr/local/lib/snort_dynamicpreprocessor with your
dynamic preprocessor which
is C:\Snort\lib\snort_dynamicpreprocessor
 Similarly
replace usr/local/lib/snort_dynamicengine/libsf_engine.so
with your base preprocessor engine which
is C:\Snort\lib\snort_dynamicengine\sf_engine.dll

 Comment (#) the dynamic rule libraries line as we have already

configured the libraries.

 Now we are on step 5, add a comment(#) before all the listed

preprocessors under inline packet normalization, they do nothing but
generate errors at the run time.

 In step 6 configuring output plugins, provide the location of

the classification.config and replace it
withC:\Snort\etc\classification.config, Similarly provide the
location of the reference.config and repalce it
withC:\Snort\etc\reference.config

 In the next line add output alert_fast: alert.ids , for snort to

dump all logs in alert.ids

 In Snort.conf file, find and replace ipvar to var. By default the string
ipvar is not recognized by snort, so we replace it with var. To find and
replace press Ctrl + H and in find what field write ipvar and the
replace field write var and click Replace all.

 The last step is to remove the back slash and add comment
characters # on lines 501 to 507. These lines can be found above
step6.
  Save the snort.conf file and close the window.

 Now its time to set Snort rule, Go toc:\Snort\rulesand

open **icmp-info.rules **in wordpad.

 At the end add a rule as per required such as

alert tcp any any -> any any(msg: "Testing Alert" ; sid:1000001)

In my case, I don’t have any criteria so it will load on any ICMP packet it
receives. In the above rule we have also provide a signature id (sid)
which is highly required. Bciy convention when you write your own snort
rules, you have to start above 999999

 To verify the snort is actually generating alerts, open Command

prompt and go to c:\Snort\bin and write a command
snort -iX -A console -c C:\snort\etc\snort.conf -l C:\Snort\log -K ascii

where X is your device index number. In My case its 1 . Hit Enter and
you are all set.

Performance Considerations:
If snort occupies high cpu usage without high amounts of traffic to
analyze, it may be indicative of too high a volume of traffic, insufficient
system resources, or some other process is consuming most of the
CPU. Although sometimes, too many rules are added, in which the
packet queue drops the packet because it fills before snort has a chance
to look at them. Best practice is to only enable rules you need so snort
can spend more time grabbing packets from the queue. Never enable all
rules or you will most likely experience performance issues. For
example, if you are in a Windows only environment, then only enable
Windows related rules. In addition, use Berkeley Packet Filters (BPF) to
limit traffic to machines or ports that need to be inspected. For example,
if you have a network backup server, it’s best to tell Snort to ignore
traffic from it since it will generate a large amount of traffic. BPF’s are
added as the last command-line options to snort:

snort -iX -A console -c C:\snort\etc\snort.conf -l C:\Snort\log -K ascii 'not host

192.168.1.100'

--== Initializing Snort ==--

Initializing Output Plugins!

Snort BPF option: not host 192.168.1.100

Another performance consideration is to only log alerts in the unified2

binary format rather than ascii, this will speed up the process of writing
out logs.

How to use Snort

1.0 GETTING STARTED
Snort really isn't very hard to use, but there are a lot of
command line options to play with, and it's not always obvious
which ones go together well. This file aims to make using Snort
easier for new users. Before we proceed, there are a few basic
concepts you should understand about Snort. There are three
main modes in which Snort can be configured: sniffer, packet
logger, and network intrusion detection system. Sniffer mode
simply reads the packets off of the network and displays them for
you in a continuous stream on the console. Packet logger mode
logs the packets to the disk. Network intrusion detection mode is
the most complex and configurable configuration, allowing Snort
to analyze network traffic for matches against a user defined rule
set and perform several actions based upon what it sees.

2.0 SNIFFER MODE

First, let's start with the basics. If you just want to print out the
TCP/IP packet headers to the screen (i.e. sniffer mode), try this:
./snort -v

This command will run Snort and just show the IP and
TCP/UDP/ICMP headers, nothing else. If you want to see the
application data in transit, try the following:
./snort -vd

This instructs Snort to display the packet data as well as the

headers. If you want an even more descriptive display, showing
the data link layer headers do this :
./snort -vde

As an aside, these switches may be divided up or smashed

together in any combination. The last command could also be
typed out as:
./snort -d -v -e

and it would do the same thing.

3.0 PACKET LOGGER MODE

Ok, all of these commands are pretty cool, but if you want to
record the packets to the disk, you need to specify a logging
directory and Snort will automatically know to go into packet
logger mode:
./snort -dev -l ./log

Of course, this assumes you have a directory named "log" in the

current directory. If you don't, Snort will exit with an error
message. When Snort runs in this mode, it collects every packet
it sees and places it in a directory hierarchy based upon the IP
address of one of the hosts in the datagram. If you just specify a
plain "-l" switch, you may notice that Snort sometimes uses the
address of the remote computer as the directory in which it
places packets, and sometimes it uses the local host address. In
order to log relative to the home network, you need to tell Snort
which network is the home network:
./snort -dev -l ./log -h 192.168.1.0/24

This rule tells Snort that you want to print out the data link and
TCP/IP headers as well as application data into the directory
./log, and you want to log the packets relative to the 192.168.1.0
class C network. All incoming packets will be recorded into
subdirectories of the log directory, with the directory names being
based on the address of the remote (non-192.168.1) host. Note
that if both hosts are on the home network, then they are
recorded based upon the higher of the two's port numbers, or in
the case of a tie, the source address. If you're on a high speed
network or you want to log the packets into a more compact form
for later analysis you should consider logging in "binary mode".
Binary mode logs the packets in "tcpdump format" to a single
binary file in the logging directory:
./snort -l ./log -b

Note the command line changes here. We don't need to specify a

home network any longer because binary mode logs everything
into a single file, which eliminates the need to tell it how to
format the output directory structure. Additionally, you don't
need to run in verbose mode or specify the -d or -e switches
becuase in binary mode the entire packet is logged, not just
sections of it. All that is really required to place Snort into logger
mode is the specification of a logging directory at the command
line with the -l switch, the -b binary logging switch merely
provides a modifier to tell it to log the packets in something other
than the default output format of plain ASCII text. Once the
packets have been logged to the binary file, you can read the
packets back out of the file with any sniffer that supports the
tcpdump binary format such as tcpdump or Ethereal. Snort can
also read the packets back by using the -r switch, which puts it
into playback mode. Packets from any tcpdump formatted file can
be processed through Snort in any of its run modes. For example,
if you wanted to run a binary log file through Snort in sniffer
mode to dump the packets to the screen, you can try something
like this:
./snort -dv -r packet.log

You can manipulate the data in the file in a number of ways

through Snort's packet logging and intrusion detection modes, as
well as with the BPF interface that's available from the command
line. For example, if you only wanted to see the ICMP packets
from the log file, simply specify a BPF filter at the command line
and Snort will only "see" the ICMP packets in the file:
./snort -dvr packet.log icmp

For more info on how to use the BPF interface, read the man
page.

4.0 NETWORK INTRUSION DETECTION

MODE
To enable network intrusion detection (NIDS) mode (so that you
don't record every single packet sent down the wire), try this :
./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf

Where snort.conf is the name of your rules file. This will apply the
rules set in the snort.conf file to each packet to decide if an action
based upon the rule type in the file should be taken. If you don't
specify an output directory for the program, it will default to
/var/log/snort. One thing to note about the last command line is
that if Snort is going to be used in a long term way as an IDS, the
"-v" switch should be left off the command line for the sake of
speed. The screen is a slow place to write data to, and packets
can be dropped while writing to the display. It's also not
necessary to record the data link headers for most applications,
so the so it's not necessary to specify the -e switch either.
./snort -d -h 192.168.1.0/24 -l ./log -c snort.conf

This will configure Snort to run in it's most basic NIDS form,
logging packets that the rules tell it to in plain ASCII to a
hierarchical directory structure (just like packet logger mode).

4.1 NIDS MODE OUTPUT OPTIONS

There are a number of ways to configure the output of Snort in
NIDS mode. The default logging and alerting mechanisms are to
log in decoded ASCII format and use "full" alerts. The full alert
mechanism prints out the alert message in addition to the full
packet headers. There are several other alert output modes
available at the command line, as well as two logging facilities.
Packets can be logged to their default decoded ASCII format or to
a binary log file via the -b command line switch. If you wish to
disable packet logging all together, use the -N command line
switch. Alert modes are somewhat more complex. There are six
alert modes available at the command line, full, fast, socket,
syslog, smb (winpopup), and none. Four of these modes are
accessed with the -A command line switch. The four options are:
-A fast - fast alert mode, write the alert in a simple format with a
timestamp, alert message, source and destination IPs/ports

-A full - this is also the default alert mode, so if you specify

nothing
this will automatically be used

-A unsock - send alerts to a UNIX socket that another program can

listen on

-A none - turn off alerting

To send alerts to syslog, use the -s switch. The default facilities

for the syslog alerting mechanism are LOG_AUTHPRIV and
LOG_ALERT. If you want to configure other facilities for syslog
output, use the output plugin directives in the rules files (see the
snort.conf file for more information). Finally, there is the SMB
alerting mechanism. This allows Snort to make calls to the
smbclient that comes with Samba and send WinPopup alert
messages to Windows machines. To use this alerting mode, you
must configure Snort to use it at configure time with the --
enable-smbalerts switch. Here are some output configuration
examples:

1) Log to default (decoded ASCII) facility and send alerts to

syslog
./snort -c snort.conf -l ./log -s -h 192.168.1.0/24
2) Log to the default facility in /var/log/snort and send alerts to a
fast alert file:
./snort -c snort.conf -s -h 192.168.1.0/24
3) Log to a binary file and send alerts to Windows workstation:
./snort -c snort.conf -b -M WORKSTATIONS

4.2 PERFORMANCE CONFIGURATION

If you want Snort to go *fast* (like keep up with a 100 Mbps net
fast) use the "-b" and "-A fast" or "-s" (syslog) options. This will
log packets in tcpdump format and produce minimal alerts. For
example :
./snort -b -A fast -c snort-lib

In this configuration, Snort has been able to log multiple

simultaneuos probes and attacks on a 100 Mbps LAN running at a
saturation level of approximately 80 Mbps. In this configuration
the logs are written in binary format to the snort.log tcpdump-
formatted file. To read this file back and break out the data in the
familiar Snort format, just rerun Snort on the data file with the "-
r" option and the other options you would normally use. For
example:
./snort -d -c snort-lib -l ./log -h 192.168.1.0/24 -r snort.log

Once this is done running, all of the data will be sitting in the log
directory in its normal decoded format. Cool, eh?

4.3 OTHER STUFF

Some people don't like the default way in which Snort applies it's
rules to packets, with the Alert rules applied first, then the Pass
rules, and finally the Log rules. This sequence is somewhat
counterintuitive, but it's a more foolproof method than allowing
the user to write a hundred alert rules and then disable them all
with an errant pass rule. For people who know what they're
doing, the "-o" switch has been provided to change the default
rule applicaition behavior to Pass rules, then Alert, then Log:
./snort -d -h 192.168.1.0/24 -l ./log -c snort.conf -o

5.0 MISCELLANEOUS STUFF

If you are willing to run snort in "daemon" mode, you can add -D
switch to any combination above. Please NOTICE that if you want
to be able to restart snort by sending SIGHUP signal to the
daemon, you will need to use full path to snort binary, when you
start it, i.g.:
/usr/local/bin/snort -d -h 192.168.1.0/24 -l /var/log/snortlogs -c
/usr/local/etc/snort-lib -s -D

Relative pathes are not supported due to security concerns.

If you're going to be posting packet logs to public mailing lists
you might want to try out the -O switch. This switch "obfuscates"
your the IP addresses in the packet printouts. This is handy if you
don't want the people on the mailing list to know the IP
addresses involved. You can also combine the -O switch with the
-h switch to only obfuscate the IP addresses of hosts on the home
network. This is useful if you don't care who sees the address of
the attacking host. For example :
./snort -d -v -r snort.log -O -h 192.168.1.0/24

This will read the packets from a log file and dump the packets to
the screen, obfuscating only the addresses from the
192.168.1.0/24 class C network.

Well, that's about it for now.

If you have any further questions about using Snort, drop me an
e-mail at roesch@clark.net