
IDS & IPS

What is Snort?
From www.snort.org : Snort® is an open source network intrusion prevention and detection system
(IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol, and anomaly-based
inspection, Snort is the most widely deployed IDS/IPS technology worldwide. With millions of downloads
and nearly 400,000 registered users, Snort has become the de facto standard for IPS.

In this article, let us review how to install snort from source, write rules, and perform basic testing.

Install Snort
# apt-get update
# apt-get install snort

Verify the Snort Installation

Verify the installation as shown below.

# snort --version
,,_ -*> Snort! <*-
o" )~ Version 2.9.2.2 IPv6 GRE (Build 121)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2012 Sourcefire, Inc., et al.
Using libpcap version 1.3.0
Using PCRE version: 8.30 2012-02-04
Using ZLIB version: 1.2.7

Create the following snort.conf and icmp.rules files:

Open the snort configuration file:

# leafpad /etc/snort/snort.conf

Check the configuration file to see whether the icmp rules file is already included. If it is not, add the line
below.

include /etc/snort/rules/icmp.rules

Open the icmp rules file and add the rule shown below.

# leafpad /etc/snort/rules/icmp.rules

Add the following line to the icmp.rules file.

alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)

This basic rule raises an alert for every ICMP packet (for example, a ping).

Following is the structure of the rule:

<Rule Actions> <Protocol> <Source IP Address> <Source Port> <Direction Operator> <Destination IP Address> <Destination Port> (rule options)

Structure                 Example
Rule Actions              alert
Protocol                  icmp
Source IP Address         any
Source Port               any
Direction Operator        ->
Destination IP Address    any
Destination Port          any
(rule options)            (msg:"ICMP Packet"; sid:477; rev:3;)

Execute snort
Execute snort from command line, as mentioned below.

# snort -c /etc/snort/snort.conf -l /var/log/snort/

Here, -c names the configuration (rules) file and -l the log directory.


Show log alert

Try pinging some IP from your machine, to check our ping rule. Following is the example of a snort alert for
this ICMP rule.

root@Sridhar:~# head /var/log/snort/alert

[**] [1:2925:3] INFO web bug 0x0 gif attempt [**]
[Classification: Misc activity] [Priority: 3]
12/02-12:08:40.479756 107.20.221.156:80 -> 192.168.1.64:55747
TCP TTL:42 TOS:0x0 ID:14611 IpLen:20 DgmLen:265 DF
***AP*** Seq: 0x6C1242F9 Ack: 0x74B1A5FE Win: 0x2E TcpLen: 32
TCP Options (3) => NOP NOP TS: 1050377198 1186998
[**] [1:368:6] ICMP PING BSDtype [**]
[Classification: Misc activity] [Priority: 3]
12/02-12:09:01.112440 192.168.1.14 -> 192.168.1.64

Alert Explanation

Several lines are written for each alert, containing the following:

Message, printed on the first line (preceded by the generator id, rule sid and revision, e.g. [1:368:6]).
Classification and priority.
Timestamp, source IP and destination IP (with ports for TCP/UDP).
Type of packet, and header information.
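The alert entries above can be parsed mechanically. The following Python script is an added example, not code from the article or from Snort: it reads full-format alert text and returns one record per alert (generator id, sid, rev, message, classification, priority, timestamp, endpoints and protocol). The sample log is constructed to mirror the excerpt above; the ICMP header line of the second alert is assumed, and only IPv4 endpoints are handled.

```python
import re

# Constructed sample of /var/log/snort/alert (Snort "full" alert format). It mirrors
# the excerpt above; the ICMP header line in the second alert is an assumption.
SAMPLE_ALERT_LOG = """\
[**] [1:2925:3] INFO web bug 0x0 gif attempt [**]
[Classification: Misc activity] [Priority: 3]
12/02-12:08:40.479756 107.20.221.156:80 -> 192.168.1.64:55747
TCP TTL:42 TOS:0x0 ID:14611 IpLen:20 DgmLen:265 DF
***AP*** Seq: 0x6C1242F9 Ack: 0x74B1A5FE Win: 0x2E TcpLen: 32
TCP Options (3) => NOP NOP TS: 1050377198 1186998

[**] [1:368:6] ICMP PING BSDtype [**]
[Classification: Misc activity] [Priority: 3]
12/02-12:09:01.112440 192.168.1.14 -> 192.168.1.64
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
"""

# Line 1: [**] [gid:sid:rev] msg [**]; line 2: classification/priority;
# line 3: timestamp src[:port] -> dst[:port] (ports are absent for ICMP).
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
FLOW_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
                     r"(\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")

def parse_alert_log(text):
    """Turn full-format alert text into a list of dicts, one per [**] header."""
    alerts, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if m := HEADER_RE.match(line):
            cur = {"gid": int(m[1]), "sid": int(m[2]), "rev": int(m[3]),
                   "msg": m[4], "protocol": None}
            alerts.append(cur)
        elif not line or cur is None:
            continue  # blank separator, or text before the first header
        elif m := CLASS_RE.match(line):
            cur["classification"], cur["priority"] = m[1], int(m[2])
        elif m := FLOW_RE.match(line):
            cur.update(timestamp=m[1], src_ip=m[2], dst_ip=m[4],
                       src_port=int(m[3]) if m[3] else None,
                       dst_port=int(m[5]) if m[5] else None)
        elif cur["protocol"] is None and line.split()[0] in ("TCP", "UDP", "ICMP"):
            cur["protocol"] = line.split()[0]  # first IP-header line names the protocol
    return alerts

def alerts_for_sid(alerts, sid):
    """Select the alerts raised by one rule, e.g. the ICMP rule from this article."""
    return [a for a in alerts if a["sid"] == sid]
```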

If your network connection uses a different interface, name it with the -i option (here combined with -dev: -d dumps
the application-layer data, -e shows the link-layer headers and -v is verbose). In this example my network interface
is eth0.

# snort -dev -i eth0 -c /etc/snort/snort.conf -l /var/log/snort/

Execute snort as Daemon

Add -D option to run snort as a daemon.

# snort -D -c /etc/snort/snort.conf -l /var/log/snort/

Next, we need to configure our HOME_NET value: the network we will be protecting. First, enter ifconfig in your
terminal shell to see the network configuration. Note the IP address and the network interface value. See the image
below (your IP may be different).

MY IP address : 192.168.2.16
Next, type the following command to open the snort configuration file in gedit text editor:

sudo gedit /etc/snort/snort.conf

Enter the password for Ubuntu Server. When the snort.conf file opens, scroll down until you find the ipvar
HOME_NET setting. You'll want to change the IP address to be your actual class C subnet. Currently, it
should be 192.168.2.0/24. You'll simply change the IP address part to match your Ubuntu Server VM IP,
making sure to leave the ".0/24" on the end.

Select Save from the bar on top and close the file. At this point, Snort is ready to run. Except, it doesn’t have
any rules loaded. To verify, run the following command:

sudo snort -T -i eth0 -c /etc/snort/snort.conf

Here we are telling Snort to test (-T) the configuration file (-c points to its location) on the eth0 interface
(enter your interface value if it’s different).

Let’s create our first simple test rule. This rule will generate an alert whenever Snort detects an ICMP Echo
request (ping) or Echo reply message. Open the local.rules file in a text editor as root with the following
command:
sudo gedit /etc/snort/rules/local.rules

You should see that the file is empty. Add the following rule (as one string of code, no line breaks):

alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000001; rev:1; classtype:icmp-event;)

Let’s walk through the syntax of this rule:

Rule Header

alert – Rule action. Snort will generate an alert when the set condition is met.

icmp – Protocol. The rule matches ICMP packets only.

any – Source IP. Snort will look at all sources.

any – Source port. Snort will look at all ports.

-> – Direction. From source to destination.

$HOME_NET – Destination IP. We are using the HOME_NET value from the snort.conf file.

any – Destination port. Snort will look at all ports on the protected network.

Rule Options

msg:"ICMP test" – Snort will include this message with the alert.

sid:1000001 – Snort rule ID. Remember that all numbers below 1,000,000 are reserved; this is why we
start at 1000001 (you may use any number, as long as it's greater than 1,000,000).

rev:1 – Revision number. This option allows for easier rule maintenance.

classtype:icmp-event – Categorizes the rule as an "icmp-event", one of the predefined Snort
categories. This option helps with rule organization.
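The rule syntax walked through above can be checked mechanically before a rule goes into local.rules. The following Python script is an added example, not the article's or Snort's own code: it splits a rule into its header fields and options and reports a missing msg, sid or rev, an unknown action, or a sid inside the reserved range. It assumes the plain header form used on this page (single addresses and ports, no bracketed lists).

```python
import re
from typing import Dict, List

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
LOCAL_SID_MIN = 1_000_000  # sids below this belong to the official rule sets
HEADER_FIELDS = ("action", "protocol", "src_ip", "src_port",
                 "direction", "dst_ip", "dst_port")
# action proto src_ip src_port direction dst_ip dst_port (options)
RULE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def split_options(body: str) -> Dict[str, str]:
    """Split 'msg:"a; b"; sid:1;' into {key: value}, keeping ';' inside quotes."""
    opts, buf, quoted = {}, "", False
    for ch in body + ";":  # the appended ';' flushes the last option
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            if buf.strip():
                key, _, val = buf.strip().partition(":")
                opts[key.strip()] = val.strip().strip('"')
            buf = ""
        else:
            buf += ch
    return opts

def parse_rule(text: str) -> Dict[str, object]:
    """Split one rule line into its header fields plus an 'options' dict."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: " + text)
    rule = dict(zip(HEADER_FIELDS, m.groups()[:7]))
    rule["options"] = split_options(m.group(8))
    return rule

def check_rule(rule: Dict[str, object]) -> List[str]:
    """List the problems a rule would cause under the conventions above."""
    opts = rule["options"]
    problems = []
    if rule["action"] not in ACTIONS:
        problems.append(f"unknown action {rule['action']!r}")
    for key in ("msg", "sid", "rev"):
        if key not in opts:
            problems.append(f"missing {key}")
    sid = opts.get("sid", "")
    if sid.isdigit() and int(sid) < LOCAL_SID_MIN:
        problems.append(f"sid {sid} is in the reserved range (< {LOCAL_SID_MIN})")
    return problems
```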

Click Save and close the file. Now let’s run the Snort configuration test command again:

sudo snort -T -i eth0 -c /etc/snort/snort.conf

If you scroll up, you should see that one rule has been loaded.

Now, let’s start Snort in IDS mode and tell it to display alerts to the console:

sudo snort -A console -q -c /etc/snort/snort.conf -i eth0

Again, we are pointing Snort to the configuration file it should use (-c) and specifying the interface (-i eth0).
The -A console option prints alerts to standard output, and -q is for “quiet” mode (not showing banner and
status report). You shouldn’t see any output when you enter the command because Snort hasn’t detected any
activity specified in the rule we wrote. Let’s generate some activity and see if our rule is working.

Launch your Kali Linux VM. You may need to enter startx after entering credentials to get to the GUI.
Once there, open a terminal shell by clicking the icon on the top menu bar.

Now start pinging your Ubuntu Server with the following command (substitute your own Ubuntu Server IP
address):

ping 192.168.2.16

Let it run for a couple of seconds and hit Ctrl+C to stop and return to the prompt.

We can also see the source IP address of the host responsible for the alert-generating activity. In the example above,
it is 192.168.2.16.
