by Michael Reed
Whether meaning to be mischievous or malicious, hackers can wreak havoc on your network. Fortunately, Snort makes it easy to spot them and set up protection
Snort is an intrusion detection system (IDS). It works by monitoring network activity and raising an alert in the case of suspicious activity. What constitutes suspicious activity is definable by rules, and it comes with a massive selection. It can protect a single machine from attacks or even an entire network. This guide will show you how to set up and use Snort and also take you through some typical security scenarios in which Snort will prove useful.
As you get to know Snort, you might consider setting up a testing environment using virtual machines. A simple approach would be to use a virtual machine that has its network adaptor configured to be visible on your network (the setting is called ‘bridged adaptor’ in VirtualBox, for example). The techniques outlined here are not dangerous, but they can be considerably easier to get working within a controllable environment.
Snort runs on a single machine, but can monitor an entire network
A second network card (optional)
Step by Step
Install Snort with ‘sudo apt-get install snort’. If you need the very latest version, visit the website and fetch, build and install it.
Set Up a ‘quiet’ network environment
When first setting up Snort, it helps to have as little activity on the network as possible. Disconnect other computers or even set up a VM with a bridged adaptor which you can operate upon from the host machine.
Test Snort installation
Nearly all Snort operations need to be carried out by the root user. On Ubuntu, it’s probably worth using ‘sudo -i’ to avoid password prompts. Use ‘su’ on other distros. As root, type ‘snort -v’. This puts Snort into packet sniffer mode.
Create network activity
Presuming that the network you are on is reasonably quiet, you can generate some network activity by pinging the server. Open another terminal and type ‘ping [IP address of server]’, and cancel after a couple of successful pings. Now, go back to the terminal with Snort running.
Interpreting the data
In this example, the ping activity is reported in entries that end with lines ‘ECHO’ and ‘ECHO REPLY’. You may have to scroll back in the terminal to see these entries. Notice that the entries contain the time that the activity occurred and the source and destination of the traffic.
Exit Snort by hitting Ctrl+C. When you exit Snort, it prints a statistical summary of the traffic that it observed. In this example, there should have been some ICMP traffic from the ping operation.
Here’s a more extensive command line: ‘snort -vde’. This produces more output due to the d (display packet data) and e (application layer). For example, if you fetch POP email without SSL selected, you’ll be able to see the username and password scroll past.
log packet data
Make a directory called ‘snort_logs’. Now run ‘snort -d -l ./snort_logs’ and Snort will log all recorded traffic into the log directory with a separate file for each interface. We’ll skip the verbose flag (-v), as all of the screen output eats into Snort’s throughput.
Back up Snort configuration file
Snort comes with a default configuration file which we will back up. Type ‘locate snort.conf’ to find the file and then make a copy of it. ‘cp /etc/ snort/snort.conf /etc/snort/snort.conf_old’ should work for Ubuntu, for example.
Open the config file in a text editor. For now, make sure that the variable ‘HOME_NET’ accurately describes your network. For example, if your computers have IP addresses that begin at 192.168.0.1, set it to 192.168.0.1/24.
Create launch script
Make a startup script to save time. Create an empty file with ‘nano start_snort’, then add the line ‘snort -de -l [full path to script]/snort_logs -c /etc/snort/snort.conf’ to it, and then save. Now type “chmod +x start_ snort”. This will launch snort in IDS mode, with reasonable defaults.
Intrusion detection mode
First, find the IP address of the machine running Snort by using ‘ifconfig’ and make a note of it. Now run ‘./start_snort’. Some extra startup information scrolls past as we are now using the Snort configuration file and the rules files that it references.
Simulate an attack (Nmap)
We’ll begin by carrying out a port scan on the machine running Snort using Nmap, a common first step in a typical intrusion attempt. From a different machine on your network, type ‘nmap [IP address of Snort machine]’. A file called ‘alert’ should have appeared in the log folder. Examine it.
Simulate an attack
Automatically start Snort
The method to launch a script at startup varies between distributions. On Ubuntu, simply add our ‘start_snort’ script to ‘/etc/init’ by typing ‘ln start_snort /etc/init/’. Remember to use fully qualified path names in the script.
Protect the network
Protecting an entire network requires either a dedicated Snort machine or a dedicated network adaptor on your server. This is because the network card must be put into promiscuous mode to capture all traffic being transmitted, and this is the scenario we will work with here. Once you have installed the second card and rebooted the machine, determine the naming of the two network interfaces by typing ‘ifconfig’. In this example, the second network card is called ‘eth1’. Now open ‘/etc/networking/interfaces’ in a text editor.
Configure promiscuous mode
Add the following lines to the file: ‘iface eth1 inet manual’, ‘up ifconfig $IFACE 0.0.0.0 up’, ‘up ip link set $IFACE promisc on’, ‘down ip link set $IFACE promisc off’, ‘down ifconfig $IFACE down’. Type ‘sudo ifup eth1’ to start up the second Ethernet adaptor and physically plug it into your router, hub or spanning switch.
Test promiscuous mode
Type ‘ifconfig’ and eth1 should be listed without an IP address. Now add ‘sudo ifup eth1’ to your Snort startup script along with the flag ‘-i eth1’ on the Snort launch command. When launched, Snort will now monitor all traffic on your network.
Create a simple Snort rule
For the sake of simplicity, we are going to add a rule to the configuration file rather than create a new rule file. As root, open up snort.conf in a text editor. On the final line of the configuration file, add the following line: ‘alert tcp any any -> any 23 ( msg: “telnet alert!”; sid: 1; )’.
Test simple rule
Launch Snort with ‘snort -dev -l ./snort_logs -c /etc/snort.conf’. From another machine, type ‘telnet [IP address of Snort machine]’. If everything has worked, you should now have an update in the alert file. See the Snort manual for a full breakdown, but open the file and check that source IP and destination IP look correct.
Fetch extra rules
Get extra rules from the Snort website (free sign-up required). They belong in ‘/etc/ snort/rules’ and should be enabled using the ‘include’ directive in snort.conf. The comprehensive selection is an excellent starting point for creating your own rules for dealing with, for example, application-specific exploits.
Add CSV output module
Unless you know that you are going to have to use Snort alert logs as input for another networking utility, consider switching it to CSV output so that you can view the data in a spreadsheet. Simply add the line ‘output alert_csv: alert.csv default’ to the end of the configuration file.
Add CSV output module
Interpreting an attack
When an attack is logged, begin by looking up the IP address with the ‘whois’ command or by using an online geographic IP lookup address. Note the port number of the attack to try to figure out the service or application that is the focus of the attack.
Block an attack (part 1)
Block the IP address of the attacker as reported in the alert file. Obviously, the address can change, but they tend to be fairly static from the most common type of automated attacks. Use the command ‘iptables -A INPUT -s [attacker IP address] -j DROP’.
Block an attack (part 2)
It’s possible that an attack is targeting an unused or unimportant port on your network. Use ‘/iptables -A INPUT -p tcp –destination- port 80 -j DROP’ to block a port, if you have determined that it will not harm the normal function of your system. To unblock a port or IP address, use the ‘-D’ switch instead of ‘-A’.