What is Snort?
From www.snort.org : Snort® is an open source network intrusion prevention and detection system
(IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol, and anomaly-based
inspection, Snort is the most widely deployed IDS/IPS technology worldwide. With millions of downloads
and nearly 400,000 registered users, Snort has become the de facto standard for IPS.
In this article, let us review how to install snort from source, write rules, and perform basic testing.
Install Snort
# apt-get update
# apt-get install snort
# snort --version
,,_ -*> Snort! <*-
o" )~ Version 2.9.2.2 IPv6 GRE (Build 121)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2012 Sourcefire, Inc., et al.
Using libpcap version 1.3.0
Using PCRE version: 8.30 2012-02-04
Using ZLIB version: 1.2.7
Check the configuration file (snort.conf) and verify that the ICMP rules file is included. If it is not, add the line
below.
include /etc/snort/rules/icmp.rules
# leafpad /etc/snort/rules/icmp.rules
alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)
This basic rule raises an alert whenever an ICMP packet (for example, a ping) is seen. Its parts map onto the
rule structure as follows:

Structure                Example
Rule Action              alert
Protocol                 icmp
Source IP Address        any
Source Port              any
Direction Operator       ->
Destination IP Address   any
Destination Port         any
Rule Options             (msg:"ICMP Packet"; sid:477; rev:3;)
Execute snort
Execute snort from the command line, as shown below.
Try pinging some IP from your machine to exercise our ping rule. The following is an example of a Snort alert for
this ICMP rule.
Alert Explanation
A couple of lines are added for each alert, which include the following:
If your network connection uses a different interface, name it with the -dev -i option. In this example my
network interface is eth0.
Next, we need to configure our HOME_NET value: the network we will be protecting. First, enter ifconfig in your
terminal shell to see the network configuration. Note the IP address and the network interface value. See the image
below (your IP may be different).
My IP address: 192.168.2.16
Next, type the following command to open the snort configuration file in gedit text editor:
Enter the password for the Ubuntu Server. When the snort.conf file opens, scroll down until you find the ipvar
HOME_NET setting. You'll want to change the IP address to your actual class C subnet. Currently, it
should be 192.168.2.0/24. Simply change the IP address part to match your Ubuntu Server VM IP,
making sure to leave the ".0/24" on the end.
Select Save from the bar on top and close the file. At this point, Snort is ready to run. Except, it doesn’t have
any rules loaded. To verify, run the following command:
Here we are telling Snort to test (-T) the configuration file (-c points to its location) on the eth0 interface
(enter your interface value if it’s different).
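The HOME_NET edit above is easy to get subtly wrong (host bits left in the prefix, or a HOME_NET that no longer covers the server's own address). The following is an added example, not code from the article: it computes the class C subnet for an address the way the text describes (keep the ".0/24", replace the rest) and rewrites the ipvar HOME_NET line of a snort.conf text in place. The conf excerpt and the 192.168.2.16 address are constructed to match the article; the function names are my own.

```python
import ipaddress
import re

# Constructed stand-in for the relevant lines of /etc/snort/snort.conf.
# The real file is much longer; only the ipvar HOME_NET line matters here.
SAMPLE_SNORT_CONF = """# Setup the network addresses you are protecting
ipvar HOME_NET any

# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any
"""

# Group 1: "ipvar HOME_NET " prefix, group 2: the value, group 3: trailing text/comment.
HOME_NET_RE = re.compile(r"^(\s*ipvar\s+HOME_NET\s+)(\S+)(.*)$", re.MULTILINE)


def class_c_for(ip: str) -> str:
    """Return the /24 containing ip, e.g. 192.168.2.16 -> 192.168.2.0/24.

    strict=False makes ipaddress zero the host bits instead of raising.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 addresses are handled here")
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def current_home_net(conf_text: str) -> str:
    """Read the value currently assigned to HOME_NET."""
    m = HOME_NET_RE.search(conf_text)
    if m is None:
        raise ValueError("no ipvar HOME_NET line found in snort.conf")
    return m.group(2)


def set_home_net(conf_text: str, ip: str) -> str:
    """Rewrite the ipvar HOME_NET line so it names the /24 containing ip."""
    subnet = class_c_for(ip)
    new_text, count = HOME_NET_RE.subn(
        lambda m: f"{m.group(1)}{subnet}{m.group(3)}", conf_text, count=1
    )
    if count != 1:
        raise ValueError("no ipvar HOME_NET line found in snort.conf")
    return new_text


def home_net_covers(conf_text: str, ip: str) -> bool:
    """Sanity check after editing: is the server's own address inside HOME_NET?

    Handles 'any' and a single network; Snort also allows bracketed lists,
    which this simplified check does not parse.
    """
    value = current_home_net(conf_text)
    if value == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(value, strict=False)


if __name__ == "__main__":
    updated = set_home_net(SAMPLE_SNORT_CONF, "192.168.2.16")
    print(updated)
    print("covers server:", home_net_covers(updated, "192.168.2.16"))
```

Run the snort -T configuration test afterwards regardless; this only checks the one variable, not the rest of the file.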
Let’s create our first simple test rule. This rule will generate an alert whenever Snort detects an ICMP Echo
request (ping) or Echo reply message. Open the local.rules file in a text editor as root with the following
command:
sudo gedit /etc/snort/rules/local.rules
You should see that the file is empty. Add the following rule (as one string of code, no line breaks):
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000001; rev:1; classtype:icmp-event;)
Rule Header
alert – Rule action. Snort will generate an alert when the set condition is met.
$HOME_NET – Destination IP. We are using the HOME_NET value from the snort.conf file.
any – Destination port. Snort will look at all ports on the protected network.
Rule Options
msg:"ICMP test" – Snort will include this message with the alert.
sid:1000001 – Snort rule ID. Remember all numbers < 1,000,000 are reserved, this is why we are
starting with 1000001 (you may use any number, as long as it’s greater than 1,000,000).
rev:1 – Revision number. This option allows for easier rule maintenance.
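To make the rule structure from the table earlier and the header/option breakdown above concrete, here is an added example (not the article's or Snort's own code): a small parser for single-line rules of the shape used on this page, a header matcher that resolves $HOME_NET and applies the direction operator, and the sid range check the text describes. The two rule strings are the ones quoted in the article; the HOME_NET value and the packet addresses are constructed to match its 192.168.2.0/24 setup. It is a teaching model, not Snort's real matching engine (no port ranges, no bracketed address lists, no payload options).

```python
import ipaddress
import re
from dataclasses import dataclass

# Both rules quoted in the article. HOME_NET is the value the article
# sets in snort.conf (assumed here rather than read from the file).
ICMP_RULES_ENTRY = 'alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)'
LOCAL_RULES_ENTRY = ('alert icmp any any -> $HOME_NET any '
                     '(msg:"ICMP test"; sid:1000001; rev:1; classtype:icmp-event;)')
VARIABLES = {"HOME_NET": "192.168.2.0/24"}

# action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict


def parse_options(text: str) -> dict:
    """Split 'msg:"x"; sid:1; rev:1;' into a dict, dropping the quotes on values.

    Simplification: assumes no ';' inside a quoted value.
    """
    opts = {}
    for part in re.split(r";\s*", text):
        if not part.strip():
            continue
        key, _, value = part.partition(":")
        opts[key.strip()] = value.strip().strip('"')
    return opts


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a single-line Snort rule: {line!r}")
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dir"],
                m["dst"], m["dport"], parse_options(m["opts"]))


def address_matches(spec: str, ip: str, variables: dict) -> bool:
    """spec is 'any', a $VAR resolved through variables, or a (possibly !negated) address/CIDR."""
    if spec.startswith("$"):
        spec = variables[spec[1:]]   # KeyError if the variable is undefined, as Snort would refuse to load
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def rule_fires(rule: Rule, proto: str, src_ip: str, dst_ip: str, variables=VARIABLES) -> bool:
    """Evaluate the rule header against a packet. ICMP has no ports, so the rule uses 'any' there."""
    if rule.proto != proto:
        return False
    forward = (address_matches(rule.src, src_ip, variables)
               and address_matches(rule.dst, dst_ip, variables))
    if rule.direction == "->":
        return forward
    # '<>' is bidirectional: also try the packet with source and destination swapped.
    reverse = (address_matches(rule.src, dst_ip, variables)
               and address_matches(rule.dst, src_ip, variables))
    return forward or reverse


def local_sid_ok(rule: Rule) -> bool:
    """The article's guidance: local rules use a sid greater than 1,000,000; lower values are reserved."""
    return int(rule.options["sid"]) > 1_000_000


if __name__ == "__main__":
    for text in (ICMP_RULES_ENTRY, LOCAL_RULES_ENTRY):
        rule = parse_rule(text)
        # Constructed ping: another LAN host (192.168.2.50) to the Ubuntu Server.
        fires = rule_fires(rule, "icmp", "192.168.2.50", "192.168.2.16")
        print(rule.options["msg"], "sid", rule.options["sid"],
              "fires on LAN ping:", fires, "local sid ok:", local_sid_ok(rule))
```

The useful contrast is the second packet in the test: an ICMP packet leaving the protected network (destination outside 192.168.2.0/24) matches the icmp.rules entry, whose destination is any, but not the local rule, whose destination is $HOME_NET with the one-way -> operator.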
Click Save and close the file. Now let’s run the Snort configuration test command again:
If you scroll up, you should see that one rule has been loaded.
Now, let’s start Snort in IDS mode and tell it to display alerts to the console:
Again, we are pointing Snort to the configuration file it should use (-c) and specifying the interface (-i eth0).
The -A console option prints alerts to standard output, and -q is for “quiet” mode (not showing banner and
status report). You shouldn’t see any output when you enter the command because Snort hasn’t detected any
activity specified in the rule we wrote. Let’s generate some activity and see if our rule is working.
Launch your Kali Linux VM. You may need to enter startx after entering credentials to get to the GUI.
Once there, open a terminal shell by clicking the icon on the top menu bar.
Now start pinging your Ubuntu Server with the following command (use your own Ubuntu Server IP in place of the
one shown):
ping 192.168.2.16
Let it run for a couple of seconds, then hit Ctrl+C to stop and return to the prompt.
We can also see the source IP address of the host responsible for the alert-generating activity. In the example above,
it is 192.168.2.16.