In the Open
In the Open

Snort

Comprised of packet decoder, pre processor, detection engine, logging and alerting, output and plugins

Data Aquisition Modules

  • Pcap, default
  • Afpacket, inline mode, IPS
  • Ipq, uses netfilter on linux
  • Nfq, inline mode on linux
  • Ipfw, inline mode on BSD
  • Dump, test mode

Usage

  • Check config, and run tests via
snort -c <config> -T

Sniffing

| Parameter | Description | +-----------+-------------+ | -v | Verbose. Display the TCP/IP output in the console.| | -d | Display the packet data (payload).| | -e | Display the link-layer (TCP/IP/UDP/ICMP) headers. | | -X | Display the full packet details in HEX.| | -i | Liste on interface |

Packet Logger

  • Logged by IP as directory, ports as files inside these dirs
  • BPF filter can be used like tcp port 80
  • Log files can be opened by wireshark or tcpdump -r <logfile>

| Parameter | Description | |-----------|-------------| | -l | Logger mode, target log and alert output directory. Default output folder is tcpdump to /var/log/snort.| | -K ASCII | Log packets in ASCII format | | -r | Filter dumped logs in Snort | | -n | Specify the number of packets that will be read |

IDS and IPS

  • Output is an alert file along an optional log file

| Parameter | Description | |-----------|-------------| | -c | Defining the configuration file | | -T | Testing the configuration file | | -N | Disable logging | | -D | Background mode | | -A | Alert modes; full: all possible info about alerts, default mode; fast : alert message, timestamp, source and destination IP, port numbers. console: Provides fast style alerts on the console screen. cmg: CMG style, basic header details with payload in hex and text format. none: Disabling alerting |

  • Rules found in /etc/snort/rules/local.rules
alert icmp any any <> any any  (msg: "ICMP Packet Found"; sid: 100001; rev:1;)

PCAPs

  • snort -c <configfile> -r file.pcap -A console -n <number of packets>
  • snort -c <configfile> --pcap-list="file1.pcap file2.pcap" -A console -l .

Rules

snort -c /etc/snort/rules/local.rules -A console
snort -c /etc/snort/rules/local.rules -A full
  • Every rule has an IP source and destination, as well as a port for every endpoint

  • General, payload and non payload rules

  • Direction of the packet

    • -> to destination
    • <> bidirectional

  • IDS -> alert

  • IPS -> reject

<action> <protocol> <ip.src> <src.port> <> <ip.dst> <dst.port>(msg: "<msg>; <reference>; <ruleID>;<revision info>

  • Actions

    • alert
    • log
    • drop
    • reject

  • SID rule IDs

    • < 100 reserved rules
    • 100 - 999,999 rules of the build

    • = 1,000,000 user rules

  • Reference may be a CVE

  • Revisions are versionings of the rule

  • Filter address range via CIDR

alert icmp 192.168.1.0/24 any <> any any  (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
  • Filter multiple address ranges
alert icmp [192.168.1.0/24, 10.1.1.0/24] any <> any any  (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
  • Exlude via !10.10.0.1
  • Filter via any and ports between 4712 and 8080
alert icmp any 4711,8080: <> any any (msg: "TCP Packet Found"; sid: 100001; rev:1;)

Detection Rules

  • /etc/snort/rules/local.rules
  • ASCII or gex mode 
ASCII mode - alert tcp any any -> any 8080  (msg: "GET Request Found"; content:"GET";content: "/foo"; sid: 100001; rev:1;)
alert tcp any any -> any 8080  (msg: "GET Request Found"; content:"|47 45 54|"; sid: 100001; rev:1;)
  • Case insensitiv
alert tcp any any -> any 8080  (msg: "GET Request Found"; content:"GET"; nocase; sid: 100001; rev:1;)
  • Fast pattern
alert tcp any any <> any 80  (msg: "GET Request Found"; content:"GET"; fast_pattern; content:"www";  sid:100001; rev:1;)
  • Non payload detection rules
    • TCP flags, flags: F,S,A,R,P,U
    • Payload size, dsize:min<>max
    • SameIP, alert ip any any <> any any (msg: "SAME-IP TEST"; sameip; sid: 100001; rev:1;)
    • Packet IDs, id: 4711