Snort for Idiots (And cheap people like me)
By: presto
(First off, this article would have used the infamous "dummies" tag line, but I'd rather not put up with the legal trouble others have faced because of it.)
Introduction
The world economy is in the deepest of purgatories right now. And it sure sucks. It sucks especially for anyone out there who lives in a society with a monetary system. If you happen to live in a society without one and you're paying for DSL by trading chickens and children, please e-mail me immediately. For now, though, I will have to live on practicing frugality religiously.
Living the cheap life isn't always that bad. I learned about the Open Source movement, amongst other things. I'm running Linux and a "proactively secure" flavor of BSD. Not bad at all. On top of that, a lot of similarly licensed software came bundled along with those systems. One great example I'd like to introduce to all of you is Snort.
Snort headlines IDS (Intrusion Detection System) benchmarks all the time and sure can kick some butt when it comes to that. From a personal standpoint as well, it has proven itself to be a tough, accurate, and efficient network IDS. I wouldn't hesitate to say that it may just be the best network based IDS out there right now.
First Steps of Installation
You need to download Snort before you do anything else, so crack your knuckles and head to http://www.snort.org. Find your platform and installation method (source, binary, etc.) of choice. This walkthrough covers a source install on Linux, but it should be no different on the other supported UNIX flavors.
The first steps are the familiar ones that most experienced UNIX folks won't have a problem with, and newcomers shouldn't see them as an obstacle either. They are also described in the INSTALL file that comes with the tarball. One thing to have in place first: Snort is built on libpcap, so the library and its headers have to be installed before ./configure will get anywhere.
1. ./configure
2. make
3. make install
Pre Daemon Setup
Did you really think you could set up an IDS without giving it some instructions? I didn't think so. Don't worry, the basic preliminary setup of those instructions, or "rules", isn't hard at all (another reason I picked Snort).
Snort, by default, comes with a file called RULES.SAMPLE and various other files with the extension *.rules. Make a directory /etc/snort/rules/ (if it isn't already there) and copy RULES.SAMPLE into it. You may also want to copy all the *.rules files over, or you can get the newest rules from the download page on Snort's site; look for a file named rules.tar.gz. Just untar that package and move its files into /etc/snort/rules/ instead of using the ones that came in the Snort tarball.
RULES.SAMPLE contains some standard logging rules for general situations, covering scanning variants and logging of the kind you would get from syslog. Look inside the file and go through it carefully, commenting out what you don't want. Enabling every rule is not as smart as it sounds: remember that one of the main jobs of any IDS is to log activity. I don't know how many gigs you have reserved on your /var partition, but I can only spare so much space. If you do choose to enable all available rules, proceed with caution and make sure you check and clean out your logs daily.
All files with the *.rules extension contain more specific rules for actual attack signatures. For the sake of organization, rules are categorized by service type and protocol. I recommend that you keep to this layout, as you will most likely keep adding rules in the days to come. Writing your own rules is touched on at the end of this article.
The main configuration file needs only a little tweaking to be usable. Open /etc/snort/snort.conf and browse through the entries and comments provided. The first thing to edit is HOME_NET, the network Snort is protecting; it should be one of the first uncommented lines you notice. You can list more than one network by writing it out as:
var HOME_NET [10.1.1.0/24,192.168.1.0/24]
There are additional lines after it that you can leave alone for now. It is a good idea, though, to specify your DNS servers, as they set off a lot of false port scan alarms.
Add an alias for your DNS servers by adding:
var DNS_SERVERS [192.168.1.100,192.168.12.11]
Now, go further down the configuration file until you see a preprocessor entry that looks like:
preprocessor portscan-ignorehosts: $DNS_SERVERS
Uncomment this to disable the logging of port scan probes from your DNS servers.
This is just one of the preprocessors available in Snort. The preprocessors are what make Snort such a fantastic IDS and what separates it from many other IDS platforms. Some of them defeat evasion techniques such as fragmentation, some enable the detection of various scan types, and there are a few newer ones such as ARP spoofing detection (which, at the time of writing, is considered experimental). Other preprocessors are there to keep things organized and efficient. As I said earlier, the problem with many IDS deployments (Snort included) is traffic and log overload, which is time consuming to deal with and just plain bad for a server. An IDS can be really easy to install, but very difficult to tune.
Alright, last but not least, you need to specify the rule sets you will be using. To do this, append include statements to snort.conf. They should look something like this (Snort's keywords are lowercase):
var RULES /etc/snort/rules
include $RULES/cgi.rules
Make sure you add an include line for every rules file you intend to use. A rules file that just sits in the directory without an include line is never loaded, and Snort has no way of knowing it is there.
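The include section is the part of snort.conf that rots fastest: every time you drop a new rules file into /etc/snort/rules you have to remember to add a line for it. The script below is an added example, not code from the article or from Snort. It assumes the layout used above (rules under /etc/snort/rules, referenced through a variable declared with "var RULES"); the function names and the script name are mine.

```shell
#!/bin/sh
# Added example for this article (not part of Snort or the original text):
# keep the include section of snort.conf in step with the rules directory.
#   gen_includes DIR          prints one "include $RULES/<file>" line per
#                             *.rules file in DIR, ready to paste into snort.conf
#   missing_includes DIR CONF lists *.rules files in DIR that CONF never
#                             includes (commented-out includes do not count)
# Assumed layout (the article's): rules live in /etc/snort/rules and are
# referenced through the variable $RULES declared with "var RULES ...".

gen_includes() {
    dir=$1
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue            # unmatched glob: nothing to print
        # single quotes keep $RULES literal; Snort expands it, not the shell
        printf 'include $RULES/%s\n' "$(basename "$f")"
    done
}

missing_includes() {
    dir=$1
    conf=$2
    rc=0
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        # escape the dots so "cgi.rules" cannot match "cgiXrules"
        pat=$(printf '%s' "$name" | sed 's/\./\\./g')
        # an active include: optional leading blanks, the keyword, then a path
        # ending in /<name>; a line starting with "#" fails the anchor
        if ! grep -E "^[[:space:]]*include[[:space:]]+[^[:space:]]*/$pat([[:space:]]|$)" "$conf" >/dev/null 2>&1; then
            echo "$name"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use:  sh snort-includes.sh /etc/snort/rules /etc/snort/snort.conf
if [ $# -eq 2 ]; then
    if missing=$(missing_includes "$1" "$2"); then
        echo "every rules file in $1 is included by $2"
    else
        echo "rules files in $1 not included by $2:"
        echo "$missing"
        echo "add these lines to $2:"
        echo "$missing" | while read -r n; do printf 'include $RULES/%s\n' "$n"; done
        exit 1
    fi
fi
```

Run it before every restart of the daemon; the non-zero exit status when something is missing lets an rc script refuse to start Snort with a stale configuration. The regex is anchored on a path component, so web-cgi.rules does not satisfy a check for cgi.rules, and a commented-out "#include" line is treated as absent, which is what you want after temporarily disabling a noisy rule set.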
The Execution
To manually start Snort, use the following command line:
snort -A full -c /etc/snort/snort.conf -D
This tells Snort to run as a daemon (-D) and where its configuration file is (-c). The -A flag selects the alert mode. I use "full" on my server: every alert is written to /var/log/snort/alert with the decoded packet headers and the alert message. The other choices are "fast", "none", and "unsock". In "fast" mode, alerts go to the same file, but only a timestamp, the message and the addresses are written, with no decoded headers; "none" turns alerting off entirely; and "unsock" sends alerts over a Unix socket to whatever process is listening on it. Two more flags are worth knowing: -i picks the interface to listen on if you have more than one, and since Snort has to start as root to open the capture interface, -u and -g make it drop to an unprivileged user and group once it has.
Instead of starting it manually, you can also write your own rc entry, or install Snort from an RPM, which will probably come with those scripts.
Why I Chose Snort (Conclusion)
Before any of the highlighted benchmarks were released, and even at times when I had money available to invest in a commercial IDS product, I chose Snort anyway.
When I rule the world and become a billionaire, I will still choose Snort (as long as it continues its progress). Wherever you can save money, you should. But frugality isn't just about being plain cheap. It's also about knowing that you made a satisfying, if not spectacular, budgeted investment in something you will find worthwhile. Money is only a small reason for my choice (but I emphasize being frugal because I naturally am).
Snort is flexible and constantly updated one way or another. I love the preprocessors and how everything can be learned in a day or two, if not less. The site is a fun-loving place, too. They're serious about security, but have the traditional fun-loving hacker environment that I have always enjoyed.
Having a lot more control over logging than other IDSes offer is a great feature as well. Others may have radio buttons and check boxes that turn things up and down, but Snort has a Zen to it (and an even stronger Feng Shui when combined with other Open Source utilities).
To put it simply, Snort is easy, friendly to humans, efficient, and well built. And even if they did charge thousands and thousands of dollars for complicated commercial licensing, I would still think it was a great product. I still probably wouldn’t pay for it though. I was born frugal and I’m going to die frugal. Love Snort and it will love you back.
Additional References
I mentioned earlier writing your own rules. It isn't complicated, but it is more than a newcomer's tutorial should take on. The best place to read and learn about writing rules is http://www.snort.org/docs/writing_rules/, the "official" document on writing rules by Martin Roesch.
This article was never intended to cover every issue with Snort, but to give a basic setup and an idea of how Snort works and why it rules. Make sure you visit http://www.snort.org for fuller documentation on the other flags and preprocessors.