- Snort is a free and open source NIPS and NIDS which has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks.
- Snort performs protocol analysis, content searching, and content matching.
- The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, common gateway interface, buffer overflows, server message block probes, and stealth port scans.
- Snort can be configured in three main modes: sniffer, packet logger, and network intrusion detection.
- BASE is the Basic Analysis and Security Engine.
- It is based on the code from the Analysis Console for Intrusion Databases (ACID) project.
- This application provides a web front-end to query and analyze the alerts coming from a SNORT IDS system.
- Architecture of Snort
- Packet Decoder
- Detection Engine <==> Rules
- Alert or Logging ==> Log File or Database
- General form of a Snort rule:
action proto src_ip src_port direction dst_ip dst_port (options)
alert tcp 192.168.1.35 any -> any any (msg:"Traffic from 192.168.1.35";)
alert tcp any any -> any any (flags: SF,12; msg: "Possible SYN FIN scan";)
- Simple Snort Rules
alert icmp any any -> 22.214.171.124 any (msg: "Ping packet sent to 126.96.36.199"; sid:10000001;)
alert tcp any any -> any any (msg: "Amandeep Searched"; content:"amandeep"; nocase; sid:100000002;)
alert tcp any any -> any any (msg: "GET request to tracker"; flow:to_server,established; content:"GET"; http_method; sid:100000003;)
alert udp any any -> any 53 (msg:"DNS traffic detected"; sid:100000004;)
alert ip any any -> any any (msg:"More Fragmentations"; fragbits:M; sid:100000005;)
alert ip any any -> any any (msg:"Dont Fragment Bit Set"; fragbits:D; sid:100000006;)
alert tcp any any -> any any (msg:"SYN Flags Set"; flags:S; sid:100000007;)
alert tcp any any -> any any (msg:"FIN Flags Set"; flags:F; sid:100000008;)
alert tcp any any -> any any (msg:"RST Flags Set"; flags:R; sid:100000009;)
alert tcp any any -> any 21 (msg:"FTP root login attempt"; content:"user root"; nocase; sid:100000010;)
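The general rule form and the simple rules above can be checked mechanically before a rule file is loaded. The following is an added example, not part of the original page or of Snort itself: a small parser that splits a rule into the seven header fields and its options, plus a linter that reports malformed headers, rules with no sid, and sids reused across rules, so that every alert traces back to exactly one rule. The names parse_rule, lint and SAMPLE are hypothetical, the sample rules are constructed, and the parser assumes a literal ';' inside an option value is backslash-escaped.

```python
import re

# Header fields in the order of the general form shown above.
FIELDS = ("action", "proto", "src_ip", "src_port", "direction", "dst_ip", "dst_port")
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
RULE = re.compile(r"^\s*([^()]+?)\s*\((.*)\)\s*$")
# One option: text up to the next ';' that is not backslash-escaped (assumption).
OPTION = re.compile(r"(?:[^;\\]|\\.)+")


def parse_rule(line):
    """Split one rule into (header dict, [(keyword, value), ...]) or raise ValueError."""
    m = RULE.match(line)
    if not m:
        raise ValueError("expected 'header (options)'")
    tokens = m.group(1).split()
    if len(tokens) != len(FIELDS):
        raise ValueError(f"header has {len(tokens)} fields, expected {len(FIELDS)}")
    header = dict(zip(FIELDS, tokens))
    if header["proto"] not in PROTOCOLS or header["direction"] not in ("->", "<>"):
        raise ValueError(f"bad protocol or direction in {m.group(1)!r}")
    opts = [o.partition(":") for o in OPTION.findall(m.group(2)) if o.strip()]
    return header, [(k.strip(), v.strip().strip('"')) for k, _, v in opts]


def lint(rules):
    """Return (line number, problem) pairs: malformed rule, missing sid, reused sid."""
    problems, seen = [], {}
    for n, line in enumerate(rules, 1):
        try:
            sid = dict(parse_rule(line)[1]).get("sid")
        except ValueError as exc:
            problems.append((n, str(exc)))
            continue
        if sid is None:
            problems.append((n, "no sid"))
        elif seen.setdefault(sid, n) != n:
            problems.append((n, f"sid {sid} already used on line {seen[sid]}"))
    return problems


# Constructed sample rules: one valid, one missing the protocol field,
# one reusing a sid, one without any sid.
SAMPLE = [
    r'alert tcp any any -> any 21 (msg:"FTP root\; login"; content:"user root"; nocase; sid:100000010;)',
    'alert any any -> any any (flags:SF,12; msg:"Possible SYN FIN scan";)',
    'alert udp any any -> any 53 (msg:"DNS traffic detected"; sid:100000010;)',
    'alert icmp any any -> any any (msg:"ICMP Packet";)',
]
```

Calling lint(SAMPLE) returns the line number and reason for each rule that needs attention; the first sample rule passes.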
Standalone Snort Installation
Install using APT
sudo apt-get install snort
Compiling the Source code
|This section needs verification or testing!|
Download Latest snort tar file & extract:
tar xvzf snort-188.8.131.52.tar.gz
Make sure you have dev packages of libpcap and libpcre.
apt-cache policy libpcap0.8-dev
apt-cache policy libpcre3-dev
Compiling the Source:
cd snort-184.108.40.206
./configure
make
make install
snort --version
Installing Rules (register to download all rules, e.g. snortrules-snapshot-2970.tar.gz):
mkdir /etc/snort
mkdir /etc/snort/rules
mkdir /var/log/snort
Creating test rule:
cat /etc/snort/snort.conf
include /etc/snort/rules/icmp.rules
cat /etc/snort/rules/icmp.rules
alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)
For testing the above rule, run the following & initiate ping:
snort -c /etc/snort/snort.conf -l /var/log/snort/
Execute snort as Daemon
snort -D -c /etc/snort/snort.conf -l /var/log/snort/
Install Snort with Base
- Install Apache2:
sudo apt-get install apache2
- Download BASE
mv base /var/www/
- Download ADODB
mv adodb /var/www/base
mysql -u [USER NAME] -p
CREATE DATABASE snort;
grant CREATE, INSERT, SELECT, UPDATE on snort.* to snort@localhost;
grant CREATE, INSERT, SELECT, UPDATE on snort.* to snort;
SET PASSWORD FOR snort@localhost=PASSWORD('snort-db');
flush privileges;
apt-get install snort-mysql
cd /usr/share/doc/snort-mysql/
zcat create_mysql.gz | mysql -u snort -D snort -psnort-db
nano /etc/snort/database.conf
output database: log, mysql, user=snort password=snort-db dbname=snort host=127.0.0.1
rm /etc/snort/db-pending-config
/etc/init.d/snort start
- Test Snort:
- Test MySQL:
mysql -u "snort" -p"snort-db" -e"use snort; SELECT * FROM event INNER JOIN signature ON event.signature=signature.sig_id ORDER BY event.timestamp;"
sudo apt-get install php-pear
pear install Image_Color2
pear install Image_Canvas-alpha
pear install Image_Graph-alpha