Forensics Security

Intrusion Detection with Snort Tutorial

The general thought is that if a firewall is protecting one’s network, the network is considered secure. However, that is not entirely true. Firewalls are a fundamental component of a network, but they cannot fully protect the network from forced entries or hostile intent. Intrusion Detection Systems are used to evaluate aggressive or unexpected packets and generate an alert before these programs can harm the network. A host-based Intrusion Detection System runs on all the devices in a network or connects to an organization’s internal network. A network-based Intrusion Detection System is instead deployed at a certain point or group of points from which all ingoing and outgoing traffic can be monitored. An advantage of a host-based Intrusion Detection System is that it also can detect anomalies or malicious traffic being generated from the host itself, i.e., if the host is affected by malware, etc. Intrusion Detection Systems (IDS) work by monitoring and analyzing network traffic and comparing it with an established ruleset, determining what should be taken as normal for the network (i.e., for ports, bandwidths, etc.) and what to take a closer look at.

An Intrusion Detection System can be deployed depending upon the size of the network. There are dozens of quality commercial IDSs, but many companies and small businesses cannot afford them. Snort is a flexible, lightweight, and popular Intrusion Detection System that can be deployed according to the needs of the network, ranging from small to large networks, and provides all the features of a paid IDS. Snort does not cost anything but that does not mean that it cannot provide the same functionalities as an elite, commercial IDS. Snort is considered a passive IDS, which means it sniffs network packets, compares with the ruleset, and, in the case of detecting a malicious log or entry (i.e., detecting an intrusion), generates an alert or places an entry in a log file. Snort is used for monitoring the operations and activities of routers, firewalls, and servers. Snort provides a user-friendly interface, containing a chain of rulesets that can be very helpful to a person who is unfamiliar with IDSs. Snort generates an alarm in case of an intrusion (buffer overflow attacks, DNS poisoning, OS fingerprinting, port scans, and much more), giving an organization greater visibility of the network traffic and making it much easier to meet security regulations.

Installing Snort

Before you install Snort, there are some open-source softwares or packages that you should install first to get the best out of this program.

  • Libpcap: A packet sniffer like Wireshark that is used to capture, monitor, and analyze network traffic. To install libpcap, use the following commands to download the packet from the official website, unzip the package, and then install it:
ubuntu@ubuntu:~$ wget http://www.tcpdump.org/release/libpcap-1.9.1.tar.gz
ubuntu@ubuntu:~$ tar -xzvf libpcap-<version number>
ubuntu@ubuntu:~$ cd libpcap-<version number>
ubuntu@ubuntu:~$ ./configure
ubuntu@ubuntu:~$ sudo make
ubuntu@ubuntu:~$ make install
  • OpenSSH: A secure connectivity tool that provides a secure channel, even over an insecure network, to remotely log in via ssh protocol. OpenSSH is used to connect to systems remotely with admin privileges. OpenSSH can be installed using the following commands :
ubuntu@ubuntu:~$ wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/
portable/openssh-8.3p1.tar.gz
ubuntu@ubuntu:~$ tar xzvf openssh-<version number>
ubuntu@ubuntu:~$ cd openssh-<version number>
ubuntu@ubuntu:~$ ./configure
ubuntu@ubuntu:~$ sudo make install
  • MySQL: The most popular free and open-source SQL database. MySQL is used to store alerted data from Snort. SQL libraries are used by remote machines to communicate and access the database where Snort log entries are stored. MySQL can be installed using the following command:
ubuntu@ubuntu:~$ sudo apt-get install mysql
  • Apache Web Server: The most used web server on the internet. Apache is used to display the analysis console through the web server. It can be downloaded from the official website here: http://httpd.apache.org/, or by using the following command:
ubuntu@ubuntu:~$ sudo apt-get install apache2
  • PHP: PHP is a scripting language used in web development. A PHP parsing engine is required to run the Analysis console. It can be downloaded from the official website: https://www.php.net/downloads.php, or by using the following commands:
ubuntu@ubuntu:~$ wget https://www.php.net/distributions/php-7.4.9.tar.bz2
ubuntu@ubuntu:~$ tar -xvf php-<version number>.tar
ubuntu@ubuntu:~$ cd php-<version number>
ubuntu@ubuntu:~$ sudo make
ubuntu@ubuntu:~$ sudo make install
  • OpenSSL: Used to secure communications over the network without worrying about third party fetching or monitoring the data sent and received. OpenSSL provides cryptographic functionality to the web server. It can be downloaded from the official website: https://www.openssl.org/.
  • Stunnel: A program used to encrypt the arbitrary network traffic or connections inside the SSL and that works alongside OpenSSL. Stunnel can be downloaded from its official website: https://www.stunnel.org/, or it can be installed using the following commands:
ubuntu@ubuntu:~$ wget https://www.stunnel.org/downloads/stunnel-5.56-android.zip
ubuntu@ubuntu:~$ tar xzvf stunnel- <version number>
ubuntu@ubuntu:~$ cd stunnel- <version number>
ubuntu@ubuntu:~$ ./configure
ubuntu@ubuntu:~$ sudo make install
  • ACID: An abbreviation for Analysis Control for Intrusion Detection. ACID is a query-supported search interface used to find matching IP addresses, patterns given, a specific command, a payload, signatures, specific ports, etc., from all logged alerts. It provides in-depth functionality of packet analysis, allowing identification of what exactly the attacker was trying to accomplish and the type of payload used in the attack. ACID can be downloaded from its official website: https://www.sei.cmu.edu/about/divisions/cert/index.cfm.

Now that all the required basic packages are installed, Snort can be downloaded from the official website, snort.org, and can be installed using the following commands:

ubuntu@ubuntu:~$ wget https://www.snort.org/downloads/snort/snort-2.9.16.1.tar.gz
ubuntu@ubuntu:~$ tar xvzf snort- <version number>
ubuntu@ubuntu:~$ cd snort- <version number>
ubuntu@ubuntu:~$ ./configure
ubuntu@ubuntu:~$ sudo make && --enable-source-fire
ubuntu@ubuntu:~$ sudo make install

Next, run the following command to check whether Snort is installed and the version of Snort you are using:

ubuntu@ubuntu:~$ snort --
,,_ -*> Snort! <*-
o" )~ Version number ''''
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.8.1
Using PCRE version: 8.39 2016-06-14
Using ZLIB version: 1.2.11

After the installation is successful, the following files should have been created on the system:

/usr/bin/snort: This is Snort’s binary executable.

/usr/share/doc/snort: Contains the Snort documentation and manpages.

/etc/snort: Contains all the rulesets of Snort and it is also its configuration file.

Using Snort

To use Snort, first, you must configure the Home_Net value and give it the value of the IP address of the network that you are protecting. The IP address of the network can be obtained using the following command:

ubuntu@ubuntu:~$ ifconfig

From the results, copy the value of the inet address of the desired network. Now, open the Snort configuration file /etc/snort/snort.conf using the following command:

ubuntu@ubuntu:~$ sudo vim /etc/snort/snort.conf

You will see an output like this:

Find the line “ipvar HOME_NET.” In front of ipvar HOME_NET, write the IP address copied before and save the file. Before running Snort, another thing you must do is run the network in promiscuous mode. You can do so by using the following command:

ubuntu@ubuntu:~$ /sbin/ifconfig -<network name> -promisc

Now, you are ready to run Snort. To check its status and test the configuration file, use the following command:

ubuntu@ubuntu:~$ sudo snort -T -i <name of the network i.e eth0> -c /etc/snort/snort.conf

4150 Snort rules read
    3476 detection rules
    0 decoder rules
    0 preprocessor rules
3476 Option Chains linked into 290 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-------------------[Rule Port Counts]---------------------------------------
|             tcp     udp    icmp      ip
|     src     151      18       0       0
|     dst    3306     126       0       0
|     any     383      48     145      22
|      nc      27       8      94      20
|     s+d      12       5       0       0
+----------------------------------------------------------------------------

+-----------------------[detection-filter-config]------------------------------
| memory-cap : 1048576 bytes
+-----------------------[detection-filter-rules]-------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[rate-filter-config]-----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[rate-filter-rules]------------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[event-filter-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[event-filter-global]----------------------------------
| none
+-----------------------[event-filter-local]-----------------------------------
| gen-id=1      sig-id=3273       type=Threshold tracking=src count=5   seconds=2  
| gen-id=1      sig-id=2494       type=Both      tracking=dst count=20  seconds=60
| gen-id=1      sig-id=3152       type=Threshold tracking=src count=5   seconds=2  
| gen-id=1      sig-id=2923       type=Threshold tracking=dst count=10  seconds=60
| gen-id=1      sig-id=2496       type=Both      tracking=dst count=20  seconds=60
| gen-id=1      sig-id=2275       type=Threshold tracking=dst count=5   seconds=60
| gen-id=1      sig-id=2495       type=Both      tracking=dst count=20  seconds=60
| gen-id=1      sig-id=2523       type=Both      tracking=dst count=10  seconds=10
| gen-id=1      sig-id=2924       type=Threshold tracking=dst count=10  seconds=60
| gen-id=1      sig-id=1991       type=Limit     tracking=src count=1   seconds=60
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
Verifying Preprocessor Configurations!

[ Port Based Pattern Matching Memory ]
+- [ Aho-Corasick Summary ] -------------------------------------
| Storage Format    : Full-Q
| Finite Automaton  : DFA
| Alphabet Size     : 256 Chars
| Sizeof State      : Variable (1,2,4 bytes)
| Instances         : 215
|     1 byte states : 204
|     2 byte states : 11
|     4 byte states : 0
| Characters        : 64982
| States            : 32135
| Transitions       : 872051
| State Density     : 10.6%
| Patterns          : 5055
| Match States      : 3855
| Memory (MB)       : 17.00
|   Patterns        : 0.51
|   Match Lists     : 1.02
|   DFA
|     1 byte states : 1.02
|     2 byte states : 14.05
|     4 byte states : 0.00
+----------------------------------------------------------------
[ Number of patterns truncated to 20 bytes: 1039 ]
pcap DAQ configured to passive.
Acquiring network traffic from "wlxcc79cfd6acfc".

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version number
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.8.1
           Using PCRE version: 8.39 2016-06-14
           Using ZLIB version: 1.2.11

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 2.4  <Build 1>
           Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
           Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
           Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
           Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
           Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
           Preprocessor Object: SF_POP  Version 1.0  <Build 1>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
           Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
           Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>

Snort successfully validated the configuration!
Snort exiting

Snort Rulesets

The greatest power of Snort lies in its rulesets. Snort has the ability to employ a large number of rulesets to monitor network traffic. In its latest version, Snort comes with 73 different types and over 4150 rules for detecting anomalies, contained in the folder “/etc/snort/rules.”

You can look at the types of rulesets in Snort using the following command:

ubuntu@ubuntu:~$ ls /etc/snort/rles
attack-responses.rules community-smtp.rules icmp.rules shellcode.rules
backdoor.rules community-sql-injection.rules imap.rules smtp.rules
bad-traffic.rules community-virus.rules info.rules snmp.rules
chat.rules community-web-attacks.rules local.rules sql.rules
community-bot.rules community-web-cgi.rules misc.rules telnet.rules
community-deleted.rules community-web-client.rules multimedia.rules tftp.rules
community-dos.rules community-web-dos.rules mysql.rules virus.rules
community-exploit.rules community-web-iis.rules netbios.rules web-attacks.rules
community-ftp.rules community-web-misc.rules nntp.rules web-cgi.rules
community-game.rules community-web-php.rules oracle.rules web-client.rules
community-icmp.rules ddos.rules other-ids.rules web-coldfusion.rules
community-imap.rules deleted.rules p2p.rules web-frontpage.rules
community-inappropriate.rules dns.rules policy.rules web-iis.rules
community-mail-client.rules dos.rules pop2.rules web-misc.rules
community-misc.rules experimental.rules pop3.rules web-php.rules
community-nntp.rules exploit.rules porn.rules x11.rules
community-oracle.rules finger.rules rpc.rules
community-policy.rules ftp.rules rservices.rules
community-sip.rules icmp-info.rules scan.rules

By default, when you run Snort in Intrusion Detection System mode, all these rules are deployed automatically. Let us now test the ICMP ruleset.

First, use the following command to run Snort in IDS mode:

ubuntu@ubuntu:~$ sudo snort -A console -i <network name>
-c /etc/snort/snort.conf

You will see several outputs on the screen, keep it that way.

Now, you will ping the IP of this machine from another machine using the following command:

ubuntu1@ubuntu1:~$ ping <ip address>

Ping it five to six times, and then return to your machine to see if the Snort IDS detects it or not.

08/24-01:21:55.178653 [**] [1:396:6] ICMP Destination Unreachable Fragmentation
 Needed and DF bit was set [**] [Classification: Misc activity] [Priority: 3]
 {ICMP} <ip address of attacker’s mmachine> -> <this machine’s ip address>

08/24-01:21:55.178653 [**] [1:396:6] ICMP Destination Unreachable Fragmentation
Needed and DF bit was set [**] [Classification: Misc activity] [Priority: 3]
{ICMP} <ip address of attacker’s mmachine> -> <this machine’s ip address>

08/24-01:21:55.178653 [**] [1:396:6] ICMP Destination Unreachable Fragmentation
 Needed and DF bit was set [**] [Classification: Misc activity] [Priority: 3]
 {ICMP} <ip address of attacker’s mmachine> -> <this machine’s ip
 address>

08/24-01:21:55.178653 [**] [1:396:6] ICMP Destination Unreachable Fragmentation
 Needed and DF bit was set [**] [Classification: Misc activity] [Priority: 3]
 {ICMP} <ip address of attacker’s mmachine> -> <this machine’s
ip address>

08/24-01:21:55.178653 [**] [1:396:6] ICMP Destination Unreachable Fragmentation
 Needed and DF bit was set [**] [Classification: Misc activity] [Priority: 3]
 {ICMP} <ip address of attacker’s mmachine> -> <this machine’s ip
 address>

08/24-01:21:55.178653 [**] [1:396:6] ICMP Destination Unreachable Fragmentation
 Needed and DF bit was set [**] [Classification: Misc activity] [Priority: 3]
{ICMP} <ip address of attacker’s mmachine> -> <this machine’s ip
address>

Here, we received an alert that someone is performing a ping scan. It even provided the IP address of the attacker’s machine.

Now, we will go to the IP address of this machine in the browser. We will see no alert, in this case. Try connecting to the ftp server of this machine using another machine as the attacker:

ubuntu1@ubuntu1:~$ ftp <ip address>

We still will not see any alert because these rulesets are not added in the default rules, and in these cases, no alert would be generated. This is when you must create your own rulesets. You can create rules according to your own needs and add them in the “/etc/snort/rules/local.rules” file, and then snort will automatically use these rules when detecting anomalies.

Creating a Rule

We will now create a rule for detecting a suspicious packet sent at port 80 so that a log alert is generated when this occurs:

# alert tcp any any -> $HOME_NET 80 (msg: "HTTP Packet found"; sid:10000001; rev:1;)

There are two major parts of writing a rule, i.e., Rule Header and Rule Options. The following is a breakdown of the rule we have just written:

  • Header
  • Alert: The action specified to be taken on discovering the packet matching the rule’s description. There are several other actions that can be specified in place of the alert according to the user’s needs, i.e., log, reject, activate, drop, pass, etc.
  • Tcp: Here, we have to specify the protocol. There are several types of protocols that can be specified, i.e., tcp, udp, icmp, etc., according to the user’s needs.
  • Any: Here, the source network interface can be specified. If any is specified, Snort will check for all source networks.
  • ->: The direction; in this case, it is set from source to destination.
  • $HOME_NET: The place where the destination IP address is specified. In this case, we are using the one configured in the /etc/snort/snort.conf file at the beginning.
  • 80: The destination port at which we are waiting for a network packet.
  • Options:
  • Msg: The alert to be generated or the message to be displayed in the case of capturing a packet. In this case, it is set to “HTTP Packet found.”
  • sid: Used to identify Snort rules uniquely and systematically. The first 1000000 numbers are reserved, so you can start with 1000001.
  • Rev: Used for easy rule maintenance.

We will add this rule in the “/etc/snort/rules/local.rules” file and see if it can detect HTTP requests on port 80.

ubuntu0@ubuntu0:~$ echo “alert tcp any any -> $HOME_NET 80 (msg: "HTTP Packet
 found"
; sid:10000001; rev:1;)>> /etc/snort/rules/local.rules

We are all set. Now, you can open Snort in IDS mode using the following command:

ubuntu0@ubuntu0:~$ sudo snort -A console -i wlxcc79cfd6acfc
 -c /etc/snort/snort.conf

Navigate to the IP address of this machine from the browser.

Snort can now detect any packet sent to port 80 and will show the alert “HTTP Packet Found” on the screen if this occurs.

08/24-03:35:22.979898 [**] [1:10000001:0] HTTP Packet found [**]
 [Priority: 0] {TCP}<ip address>:52008 -> 35.222.85.5:80

08/24-03:35:22.979898 [**] [1:10000001:0] HTTP Packet found [**]
 [Priority: 0] {TCP}<ip address>:52008 -> 35.222.85.5:80

08/24-03:35:22.979898 [**] [1:10000001:0] HTTP Packet found [**]
 [Priority: 0] {TCP}<ip address>:52008 -> 35.222.85.5:80

08/24-03:35:22.979898 [**] [1:10000001:0] HTTP Packet found [**]
 [Priority: 0] {TCP}<ip address>:52008 -> 35.222.85.5:80

08/24-03:35:22.979898 [**] [1:10000001:0] HTTP Packet found [**]
 [Priority: 0] {TCP}<ip address>:52008 -> 35.222.85.5:80

08/24-03:35:22.979898 [**] [1:10000001:0] HTTP Packet found [**]
 [Priority: 0] {TCP}<ip address>:52008 -> 35.222.85.5:80

08/24-03:35:22.979898 [**] [1:10000001:0] HTTP Packet found [**]
 [Priority: 0] {TCP}<ip address>:52008 -> 35.222.85.5:80

We will also create a rule for detecting ftp login attempts:

# alert tcp any any -> any 21 (msg: "FTP packet found"; sid:10000002; )

Add this rule to the “local.rules” file using the following command:

ubuntu0@ubuntu0:~$ echo “alert tcp any any -> alert tcp any any -> any 21
 (msg: "FTP packet found"; sid:10000002; rev:1;)>> /etc/snort/rules/local.rules

Now, try logging in from another machine and take a look at the results of the Snort program.

08/24-03:35:22.979898 [**] [1:10000002:0) FTP Packet found [**] [Priority: 0]
 {TCP}<ip address>:52008 -> 35.222.85.5:21

08/24-03:35:22.979898 [**] [1:10000002:0) FTP Packet found [**] [Priority: 0]
 {TCP}<ip address>:52008 -> 35.222.85.5:21

08/24-03:35:22.979898 [**] [1:10000002:0) FTP Packet found [**] [Priority: 0]
 {TCP}<ip address>:52008 -> 35.222.85.5:21

08/24-03:35:22.979898 [**] [1:10000002:0) FTP Packet found [**] [Priority: 0]
 {TCP}<ip address>:52008 -> 35.222.85.5:21

08/24-03:35:22.979898 [**] [1:10000002:0) FTP Packet found [**] [Priority: 0]
 {TCP}<ip address>:52008 -> 35.222.85.5:21

As seen above, we received the alert, which means that we have successfully created these rules for detecting anomalies on port 21 and port 80.

Conclusion

Intrusion Detection Systems like Snort are used for monitoring network traffic to detect when an attack is being carried out by a malicious user before it can hurt or affect the network. If an attacker is performing a port scan on a network, the attack can be detected, along with the number of attempts made, the attacker’s IP address, and other details. Snort is used to detect all types of anomalies, and it comes with a large number of rules already configured, along with the option for the user to write their own rules according to his or her needs. Depending on the size of the network, Snort can easily be set up and used without spending anything, as compared to other paid commercial Intrusion Detection Systems. The captured packets can be analyzed further using a packet sniffer, like Wireshark, to analyze and break down what was going in the mind of the attacker during the attack and the types of scans or commands performed. Snort is a free, open-source, and easy-to-configure tool, and it can be a great choice to protect any medium-sized network from attack.

About the author

Usama Azad

Usama Azad

A security enthusiast who loves Terminal and Open Source. My area of expertise is Python, Linux (Debian), Bash, Penetration testing, and Firewalls. I’m born and raised in Wazirabad, Pakistan and currently doing Undergraduation from National University of Science and Technology (NUST). On Twitter i go by @UsamaAzad14