Snort: Complete Guide to Using Snort


What is Snort?

Snort is an open-source network intrusion detection system (IDS) that can also run inline as an intrusion prevention system (IPS). It monitors network traffic and analyzes it for signs of suspicious or malicious activity.

Here’s a brief explanation of what Snort is used for:

  • Intrusion Detection: Snort can passively monitor network traffic in real-time and analyze it for patterns or signatures that match known threats or attack patterns. When it detects such activity, it can generate alerts or log entries to notify network administrators of potential security breaches.

  • Intrusion Prevention: When deployed inline (so that traffic has to pass through it), Snort can take active measures against what it detects, blocking or dropping the packets associated with a matched rule instead of only alerting on them.

  • Network Security Monitoring: Snort is often used as part of a larger security infrastructure to provide continuous monitoring of network traffic. It helps organizations detect and respond to security incidents and vulnerabilities promptly.

  • Customization and Extensibility: Snort is highly customizable, allowing users to define their own detection rules and signatures. This flexibility enables organizations to tailor Snort to their specific security needs and adapt to evolving threats.

  • Open Source and Community Support: Being open-source software, Snort benefits from a large and active community of users and developers who contribute to its development and create additional rule sets to detect emerging threats.

How to Install Snort

Installing Snort from the package repositories is straightforward on Debian and Ubuntu (the packaged version is the 2.9 series, which uses the snort.conf layout this guide follows). Open a terminal and type:

sudo apt update
sudo apt install snort -y

During the installation a dialog asks which network interface Snort should listen on. To find which interface you are using, open a terminal and type:

ifconfig

(ifconfig comes from the net-tools package and may be missing on newer systems; ip link or ip addr shows the same information.) You will see a name such as eth0, wlan0 or enp0s3. Note it and enter it correctly when prompted.

Next you may be prompted for the address range of your home network in CIDR notation, usually something like 192.168.0.0/24 or 10.0.0.0/24. Enter yours when the dialog appears.

Once the installation process has finished, you can check if it was installed correctly. Open Terminal and type:

snort --version

This confirms Snort was installed successfully. You can now have a quick look through Snort's manual by typing:

man snort

How to Configure Snort

Snort opens the capture interface in promiscuous mode by itself (the -p flag turns that off), but on a switched network or inside a virtual machine the interface only receives traffic addressed to it unless the environment allows more. In VirtualBox, go to the VM's network settings, expand Advanced and set Promiscuous Mode to Allow All; on a physical network you need a SPAN/mirror port or a tap to see other hosts' traffic.

If running directly on a Linux machine you can also set the flag by hand. Open a terminal and type:

sudo ip link set eth0 promisc on

If your network adapter is not eth0, substitute the correct name.

Now navigate to Snort's configuration directory:

cd /etc/snort

To list all contents inside the directory type:

ls -la

Editing Configuration File

Inside the directory you should see the snort.conf file. We are going to edit this file (any editor works; this guide uses vim). In the terminal type:

sudo vim /etc/snort/snort.conf

Now scroll down until you find:

ipvar HOME_NET any

Change any to the address range of your local network in CIDR notation (in my case 192.168.0.1/24; Snort accepts a host address with a mask, but the network address 192.168.0.0/24 is the conventional form):

ipvar HOME_NET 192.168.0.1/24

Now scroll further down until you find step #7, "Customize your rule set", and confirm that the line including your local rules file is present and not commented out:

$RULE_PATH/local.rules

Press the Esc key, type :wq and hit Enter to write and quit the file.

To validate that the configuration and rule sets load correctly (-T runs Snort in self-test mode: it parses everything and exits without sniffing), type in the terminal:

sudo snort -T -i eth0 -c /etc/snort/snort.conf

It's a good idea to temporarily disable the community rule sets before writing custom rules, so that any alert you see comes from your own rules. Edit snort.conf again:

sudo vim /etc/snort/snort.conf

Scroll down to step #7. Every include line below the local rules include needs to be commented out, leaving only:

$RULE_PATH/local.rules

local.rules is the file you write your custom rules in. Press Esc to make sure you are in command mode, then turn on line numbers:

:set number

Note the line numbers of the first and last include lines you want to disable. In my copy of the file they were lines 578 to 696; yours may differ, so check rather than copying the numbers. Then prefix each line in that range with a #:

:578,696s/^/#

This silences the other rule sets for now. To undo this later, remove the leading # from the same range:

:578,696s/^#//

Be aware that the undo strips one # from every line in the range, so if the range contains real comment lines, or includes that were already commented out in the stock file, those become active too. Keep the range to the include lines you commented out.

Now type :wq to write and quit the file.

You have just disabled every rule set except local.rules. If you run the validation command again you will see zero rules loaded at this point; don't panic, you are about to write your own.
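Commenting out a range of line numbers is fragile: the numbers differ between Snort versions and the undo uncomments anything in the range. The script below is an added example, not part of this guide or of Snort; it does the same job by matching the include lines themselves, marks the ones it disables with a distinctive prefix so that re-enabling touches nothing else, and reports which rule files remain active. The snort.conf excerpt embedded in it is constructed for the demonstration.

```python
"""Toggle rule includes in a Snort 2.9 snort.conf by content, not by line number."""
import re
import sys

# Constructed excerpt of the "Step #7" section of snort.conf so the script runs
# offline; the real file is /etc/snort/snort.conf.
SAMPLE_CONF = """\
###################################################
# Step #7: Customize your rule set
###################################################
# site specific rules
include $RULE_PATH/local.rules

include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
#include $RULE_PATH/experimental.rules
include $RULE_PATH/community-sql-injection.rules
"""

MARKER = "#DISABLED "  # distinctive prefix so enable() never touches stock comments
ACTIVE_RE = re.compile(r'^(\s*)include\s+\$RULE_PATH/(\S+)\s*$')
DISABLED_RE = re.compile(r'^(\s*)#DISABLED (include\s+\$RULE_PATH/\S+)\s*$')


def disable_rule_includes(conf_text, keep=("local.rules",)):
    """Comment out every active 'include $RULE_PATH/...' except the files in keep."""
    out, changed = [], 0
    for line in conf_text.splitlines():
        m = ACTIVE_RE.match(line)
        if m and m.group(2) not in keep:
            out.append(f"{m.group(1)}{MARKER}{line.strip()}")
            changed += 1
        else:
            out.append(line)
    return "\n".join(out) + "\n", changed


def enable_rule_includes(conf_text):
    """Restore only the includes that disable_rule_includes() marked."""
    out, changed = [], 0
    for line in conf_text.splitlines():
        m = DISABLED_RE.match(line)
        if m:
            out.append(f"{m.group(1)}{m.group(2)}")
            changed += 1
        else:
            out.append(line)
    return "\n".join(out) + "\n", changed


def active_rule_files(conf_text):
    """List the rule files that would actually be loaded."""
    return [m.group(2) for m in map(ACTIVE_RE.match, conf_text.splitlines()) if m]


if __name__ == "__main__":
    # Usage: python3 toggle_rules.py disable|enable [path]  (no path: demo on SAMPLE_CONF)
    action = sys.argv[1] if len(sys.argv) > 1 else "disable"
    path = sys.argv[2] if len(sys.argv) > 2 else None
    text = open(path).read() if path else SAMPLE_CONF
    toggle = disable_rule_includes if action == "disable" else enable_rule_includes
    new_text, n = toggle(text)
    if path:
        open(path, "w").write(new_text)  # needs sudo for /etc/snort/snort.conf
    else:
        print(new_text, end="")
    print(f"# {n} include line(s) changed; active: {active_rule_files(new_text)}",
          file=sys.stderr)
```

Run it against a copy of snort.conf first, then validate with snort -T as above; the include that was already commented out in the stock file (experimental.rules in the sample) is left alone in both directions.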

Writing Custom Rules

To write your first rule, open the terminal and type:

sudo vim /etc/snort/rules/local.rules

Press i to enter insert mode, which lets you edit the file (there is no need to hit Enter; that only inserts a blank line). Scroll to the bottom of the file; any new rules you create should be added at the end.

Our First Rule:

We are going to create an alert for ICMP traffic from any source address and port to our HOME_NET on any port. We give it the message "ICMP Ping Detected", the easily identifiable signature id (sid) 10001 and revision (rev) 1. The msg, sid and rev are what gets written to the alert when the rule fires. Two things to keep in mind: ICMP has no ports, so the port fields are simply any, and this rule matches every ICMP type, not only echo requests (add the option itype:8 if you only want pings). Snort also reserves sids below 1,000,000 for the rules it ships with, so for anything beyond a first experiment pick local sids of 1,000,000 and above.

alert icmp any any -> $HOME_NET any (msg:"ICMP Ping Detected"; sid:10001; rev:1;)

That's it, we have created our first rule: it alerts whenever something sends ICMP to a device on our network.

To save the rule, hit the Esc key to return to command mode and type :wq to write and quit the file.

To Run Snort with our new Rule

Now that we have our first rule, run Snort with the following command:

sudo snort -q -l /var/log/snort -i eth0 -A console -c /etc/snort/snort.conf

-q suppresses the banner and statistics, -l sets the log directory, -i selects the interface to sniff, -A console prints alerts to the terminal and -c points at the configuration file. If no errors are displayed everything has worked. To test the rule, ping any device in your network from another host and you should see the alert appear in the terminal.

Let’s Create Another Rule

Let's create a rule to alert on SSH connections. Open the terminal and type:

sudo vim /etc/snort/rules/local.rules

Press i to enter insert mode and add this rule at the bottom of the list. The $ in front of HOME_NET is required: without it Snort cannot resolve HOME_NET as an address and refuses to load the rule.

alert tcp any any -> $HOME_NET 22 (msg:"SSH Authentication attempt"; sid:10002; rev:1;)

As written this fires on every TCP packet to port 22, not just on new connections or authentication attempts; adding the option flow:to_server,established narrows it to client-to-server traffic in established sessions.

Now hit the Esc key and type :wq to write and quit the file.

Run Snort again with:

sudo snort -q -l /var/log/snort -i eth0 -A console -c /etc/snort/snort.conf

To test it you need to generate SSH traffic to a host in HOME_NET. Open another terminal and type:

ssh user@deviceIP

In my case it was:

ssh pi@192.168.0.28

You should now see SSH alerts in the Snort terminal.
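Both rules above are easy to get subtly wrong by hand (a dropped $, a sid in the reserved range, a TCP rule with no flow option that fires on every packet), and snort -T only tells you about the mistakes that stop the config from loading. The linter below is an added example written for this guide, not part of Snort or of the original page; it parses a rule header and its options and flags those mistakes. The sample rules it checks are constructed: the guide's two rules (the SSH one with the missing $) plus tightened versions that use local sids, itype:8 for echo requests only, and flow plus a content match on the SSH client banner.

```python
"""Lint Snort 2.9 rules for the mistakes that are easy to make by hand."""
import re

# Constructed sample input: the two rules from this guide (the second with the
# missing '$' on HOME_NET) and tightened versions of each.
SAMPLE_RULES = [
    'alert icmp any any -> $HOME_NET any (msg:"ICMP Ping Detected"; sid:10001; rev:1;)',
    'alert tcp any any -> HOME_NET 22 (msg:"SSH Authentication attempt";sid:10002;rev:1;)',
    'alert icmp any any -> $HOME_NET any (msg:"ICMP echo request"; itype:8; sid:1000001; rev:1;)',
    'alert tcp any any -> $HOME_NET 22 (msg:"SSH client banner"; flow:to_server,established; '
    'content:"SSH-"; depth:4; sid:1000002; rev:1;)',
]

HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'(?P<proto>tcp|udp|icmp|ip)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)
BARE_VAR_RE = re.compile(r'[A-Z][A-Z0-9_]*')  # HOME_NET written without the '$'


def parse_options(opts):
    """Split the option body into (key, value) pairs; ';' inside quotes is literal."""
    pairs, buf, in_quote = [], [], False
    for ch in opts:
        if ch == '"' and (not buf or buf[-1] != '\\'):
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            tok = "".join(buf).strip()
            if tok:
                key, _, val = tok.partition(':')
                pairs.append((key.strip(), val.strip()))
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        raise ValueError("last option is not terminated by ';'")
    return pairs


def lint_rule(rule):
    """Return a list of problems; an empty list means the rule looks sane."""
    problems = []
    m = HEADER_RE.match(rule.strip())
    if not m:
        return ["header does not parse (check field count and parentheses)"]
    for field in ("src", "dst"):
        if BARE_VAR_RE.fullmatch(m.group(field)):
            problems.append(f"{field} '{m.group(field)}' looks like a variable but lacks '$'")
    try:
        opts = dict(parse_options(m.group("opts")))
    except ValueError as err:
        return problems + [str(err)]
    if "msg" not in opts:
        problems.append("missing msg")
    sid = opts.get("sid")
    if sid is None or not sid.isdigit():
        problems.append("missing or non-numeric sid")
    elif int(sid) < 1000000:
        problems.append(f"sid {sid} is in the range reserved for official rules; use >= 1000000")
    if "rev" not in opts:
        problems.append("missing rev")
    if m.group("proto") == "tcp" and "flow" not in opts:
        problems.append("tcp rule without flow:; it fires on every packet, not just sessions")
    return problems


if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        issues = lint_rule(rule)
        print("OK  " if not issues else "WARN", rule)
        for issue in issues:
            print("      -", issue)
```

The linter is deliberately conservative: it knows nothing about option semantics beyond the handful it checks, so a clean result still needs snort -T before the rule goes live.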

Enabling Snort's Default Rules

Now that we have learnt the basics of writing custom rules, you may want to re-enable the default rules we disabled earlier. To do this, go back to snort.conf and uncomment the lines we commented out. In the terminal type:

sudo vim /etc/snort/snort.conf

Hit the Esc key to enter command mode, then type the following, using the same line range you used when commenting the lines out:

:578,696s/^#//

This reactivates all the community rule sets.

Run the validation command again to confirm the rule sets load.

The Logs

The last thing we need to know is where alerts and logs are stored. By default they go in this directory:

/var/log/snort

The packet logs written there are binary files named snort.log.<timestamp>. Depending on the output plugins configured in snort.conf they are either in pcap format, which Wireshark opens directly, or in unified2 format, which needs u2spewfoo (shipped with Snort) or barnyard2 rather than Wireshark.

Open Wireshark with:

sudo wireshark

Go to File > Open and locate the log file you wish to open. Now you can make sense of the log data.

To write alerts to a file instead of the console, use fast alert mode. Alerts then go to a plain-text file called alert in the log directory, one line per alert:

sudo snort -q -l /var/log/snort -i eth0 -A fast -c /etc/snort/snort.conf
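Once alerts are in the fast-format file, the useful next step is to summarise them rather than read them line by line. The parser below is an added example, not part of Snort or of this guide. It handles the fast alert line layout (timestamp, [gid:sid:rev], message, optional classification, priority, protocol, source -> destination with ports for TCP/UDP), skips lines that do not parse, and answers two questions a practitioner asks first: which rules fired how often, and which sources tripped a given rule more than a threshold number of times. The alert lines it runs on are constructed for the demonstration, not captured from a real sensor; IPv6 endpoints are not handled, which is an assumption to keep the example short.

```python
"""Parse Snort 2.9 fast-mode alert lines (/var/log/snort/alert) and summarise them."""
import re
from collections import Counter

# Constructed sample of what -A fast writes, one line per alert. Not real data.
SAMPLE_ALERTS = """\
03/14-20:11:05.123456  [**] [1:10001:1] ICMP Ping Detected [**] [Priority: 0] {ICMP} 192.168.0.28 -> 192.168.0.10
03/14-20:11:06.123789  [**] [1:10001:1] ICMP Ping Detected [**] [Priority: 0] {ICMP} 192.168.0.10 -> 192.168.0.28
03/14-20:12:41.000001  [**] [1:10002:1] SSH Authentication attempt [**] [Priority: 0] {TCP} 192.168.0.28:51234 -> 192.168.0.10:22
03/14-20:12:41.000204  [**] [1:10002:1] SSH Authentication attempt [**] [Priority: 0] {TCP} 192.168.0.28:51234 -> 192.168.0.10:22
03/14-20:13:02.555555  [**] [1:10002:1] SSH Authentication attempt [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.7:40022 -> 192.168.0.10:22
this line is not an alert and must be skipped
"""

FAST_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?'
    r'\[Priority:\s*(?P<prio>\d+)\]\s+'
    r'\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$'
)


def split_endpoint(endpoint, proto):
    """Return (host, port); ports are only printed for TCP/UDP. IPv4 only (assumption)."""
    if proto in ("TCP", "UDP") and ":" in endpoint:
        host, port = endpoint.rsplit(":", 1)
        return host, int(port)
    return endpoint, None


def parse_fast_alerts(text):
    """Turn the alert file contents into a list of dicts, ignoring non-alert lines."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if not m:
            continue  # partial writes or unrelated lines are skipped, not fatal
        d = m.groupdict()
        src, sport = split_endpoint(d["src"], d["proto"])
        dst, dport = split_endpoint(d["dst"], d["proto"])
        alerts.append({
            "ts": d["ts"], "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
            "msg": d["msg"], "classification": d["cls"], "priority": int(d["prio"]),
            "proto": d["proto"], "src": src, "sport": sport, "dst": dst, "dport": dport,
        })
    return alerts


def count_by_rule(alerts):
    """How many times each (sid, msg) fired."""
    return dict(Counter((a["sid"], a["msg"]) for a in alerts))


def sources_over_threshold(alerts, sid, threshold):
    """Source addresses that triggered the given sid at least `threshold` times."""
    per_src = Counter(a["src"] for a in alerts if a["sid"] == sid)
    return sorted(src for src, n in per_src.items() if n >= threshold)


if __name__ == "__main__":
    parsed = parse_fast_alerts(SAMPLE_ALERTS)  # in practice: open("/var/log/snort/alert").read()
    for (sid, msg), n in sorted(count_by_rule(parsed).items()):
        print(f"sid {sid:>8}  {n:>4}  {msg}")
    print("repeat SSH sources:", sources_over_threshold(parsed, sid=10002, threshold=2))
```

Feed it the real alert file and raise the threshold to taste; the same per-source count is the starting point for spotting a brute-force attempt against port 22 that a single alert line never shows.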

Snorpy

Snorpy is a useful website that helps you build custom rules without syntax errors. Now that we have covered the basics of writing our own rules, I would still advise using Snorpy to put together error-free custom rules.

Go to http://www.cyb3rs3c.net to start creating different rules with Snorpy.

Conclusion

Overall, Snort is a valuable tool for enhancing network security by identifying and responding to suspicious or malicious activity, making it an essential component of many cybersecurity strategies.


Luke Barber

Hello, fellow tech enthusiasts! I'm Luke, a passionate learner and explorer in the vast realms of technology. Welcome to my digital space where I share the insights and adventures gained from my journey into the fascinating worlds of Arduino, Python, Linux, Ethical Hacking, and beyond. Armed with qualifications including CompTIA A+, Sec+, Cisco CCNA, Unix/Linux and Bash Shell Scripting, JavaScript Application Programming, Python Programming and Ethical Hacking, I thrive in the ever-evolving landscape of coding, computers, and networks. As a tech enthusiast, I'm on a mission to simplify the complexities of technology through my blogs, offering a glimpse into the marvels of Arduino, Python, Linux, and Ethical Hacking techniques. Whether you're a fellow coder or a curious mind, I invite you to join me on this journey of continuous learning and discovery.
