killchain-compendium/misc/snort.md

# Snort

Comprised of __packet decoder__, __pre processor__, __detection engine__, __logging and alerting__, __output and plugins__

## Data Aquisition Modules

* __Pcap__, default
* __Afpacket__, inline mode, IPS
* __Ipq__, uses netfilter on linux
* __Nfq__, inline mode on linux
* __Ipfw__, inline mode on BSD 
* __Dump__, test mode

## Usage

* Check config, and run tests via
```sh
snort -c <config> -T
```


### Sniffing
| Parameter | Description |
+-----------+-------------+
| -v | Verbose. Display the TCP/IP output in the console.|
| -d | Display the packet data (payload).|
| -e | Display the link-layer (TCP/IP/UDP/ICMP) headers. |
| -X | Display the full packet details in HEX.|
| -i | Liste on interface |

### Packet Logger

* Logged by IP as directory, ports as files inside these dirs
* BPF filter can be used like `tcp port 80`
* Log files can be opened by wireshark or tcpdump

| Parameter | Description | 
|-----------|-------------|
| -l | Logger mode, target log and alert output directory. Default output folder is tcpdump to /var/log/snort.|
| -K ASCII | Log packets in ASCII format | 
| -r | Filter dumped logs in Snort |
| -n | Specify the number of packets that will be read |

### IDS and IPS

* Output is an alert file along an optional log file 

| Parameter	| Description |
|-----------|-------------|
| -c | Defining the configuration file |
| -T | Testing the configuration file |
| -N | Disable logging |
| -D | Background mode |
| -A | Alert modes; __full__: all possible info about alerts, default mode; __fast__ :  alert message, timestamp, source and destination IP, port numbers. __console__: Provides fast style alerts on the console screen. __cmg__: CMG style, basic header details with payload in hex and text format. __none__: Disabling alerting |

* Rules found in `/etc/snort/rules/local.rules`
```sh
alert icmp any any <> any any  (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
```

### PCAPs

* `snort -c <configfile> -r file.pcap -A console -n <number of packets>`
* `snort -c <configfile> --pcap-list="file1.pcap file2.pcap" -A console -l .`


## Rules

```sh
snort -c /etc/snort/rules/local.rules -A console
snort -c /etc/snort/rules/local.rules -A full
```
* Every rule has an IP source and destination, as well as a port for every endpoint
* General, payload and non payload rules

* Direction of the packet
    * `->` to destination 
    * `<>` bidirectional

* IDS -> `alert`
* IPS -> `reject`

`<action> <protocol> <ip.src> <src.port>  <> <ip.dst> <dst.port>(msg: "<msg>; <reference>; <ruleID>;<revision info>`

* Actions
    * `alert`
    * `log`
    * `drop`
    * `reject`

* SID rule IDs
    * < 100 reserved rules
    * 100 - 999,999 rules of the build
    * >= 1,000,000 user rules

* Reference may be a CVE
* Revisions are versionings of the rule

* Filter address range via CIDR
```sh
alert icmp 192.168.1.0/24 any <> any any  (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
```
* Filter multiple address ranges
```sh
alert icmp [192.168.1.0/24, 10.1.1.0/24] any <> any any  (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
```
* Exlude via `!10.10.0.1`
* Filter via any and ports between 4712 and 8080
```sh
alert icmp any 4711,8080: <> any any (msg: "TCP Packet Found"; sid: 100001; rev:1;)
```

### Detection Rules 

* `/etc/snort/rules/local.rules`
* ASCII or gex mode 
```sh
ASCII mode - alert tcp any any -> any 8080  (msg: "GET Request Found"; content:"GET"; sid: 100001; rev:1;)
alert tcp any any -> any 8080  (msg: "GET Request Found"; content:"|47 45 54|"; sid: 100001; rev:1;)
```
* Case insensitiv
```sh
alert tcp any any -> any 8080  (msg: "GET Request Found"; content:"GET"; nocase; sid: 100001; rev:1;)
```
* Fast pattern
```sh
alert tcp any any <> any 80  (msg: "GET Request Found"; content:"GET"; fast_pattern; content:"www";  sid:100001; rev:1;)
```    

* Non payload detection rules
    * TCP flags, `flags: F,S,A,R,P,U`
    * Payload size, `dsize:min<>max`
    * SameIP, `alert ip any any <> any any (msg: "SAME-IP TEST";  sameip; sid: 100001; rev:1;)`
    * Packet IDs, `id: 4711`
bump 2022-03-19 23:39:17 +01:00			`# Snort`

			`Comprised of __packet decoder__, __pre processor__, __detection engine__, __logging and alerting__, __output and plugins__`

			`## Data Aquisition Modules`

			`* __Pcap__, default`
			`* __Afpacket__, inline mode, IPS`
			`* __Ipq__, uses netfilter on linux`
			`* __Nfq__, inline mode on linux`
			`* __Ipfw__, inline mode on BSD`
			`* __Dump__, test mode`

			`## Usage`

			`* Check config, and run tests via`
			```sh
			`snort -c <config> -T`
			```


			`### Sniffing`
			`\| Parameter \| Description \|`
			`+-----------+-------------+`
			`\| -v \| Verbose. Display the TCP/IP output in the console.\|`
			`\| -d \| Display the packet data (payload).\|`
			`\| -e \| Display the link-layer (TCP/IP/UDP/ICMP) headers. \|`
			`\| -X \| Display the full packet details in HEX.\|`
			`\| -i \| Liste on interface \|`

			`### Packet Logger`

			`* Logged by IP as directory, ports as files inside these dirs`
			* BPF filter can be used like `tcp port 80`
			`* Log files can be opened by wireshark or tcpdump`

			`\| Parameter \| Description \|`
			`\|-----------\|-------------\|`
			`\| -l \| Logger mode, target log and alert output directory. Default output folder is tcpdump to /var/log/snort.\|`
			`\| -K ASCII \| Log packets in ASCII format \|`
			`\| -r \| Filter dumped logs in Snort \|`
			`\| -n \| Specify the number of packets that will be read \|`

			`### IDS and IPS`

			`* Output is an alert file along an optional log file`

			`\| Parameter \| Description \|`
			`\|-----------\|-------------\|`
			`\| -c \| Defining the configuration file \|`
			`\| -T \| Testing the configuration file \|`
			`\| -N \| Disable logging \|`
			`\| -D \| Background mode \|`
			`\| -A \| Alert modes; __full__: all possible info about alerts, default mode; __fast__ : alert message, timestamp, source and destination IP, port numbers. __console__: Provides fast style alerts on the console screen. __cmg__: CMG style, basic header details with payload in hex and text format. __none__: Disabling alerting \|`

			* Rules found in `/etc/snort/rules/local.rules`
			```sh
			`alert icmp any any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)`
			```

			`### PCAPs`

			* `snort -c <configfile> -r file.pcap -A console -n <number of packets>`
			* `snort -c <configfile> --pcap-list="file1.pcap file2.pcap" -A console -l .`


			`## Rules`

			```sh
			`snort -c /etc/snort/rules/local.rules -A console`
			`snort -c /etc/snort/rules/local.rules -A full`
			```
			`* Every rule has an IP source and destination, as well as a port for every endpoint`
			`* General, payload and non payload rules`

			`* Direction of the packet`
			* `->` to destination
			* `<>` bidirectional

			* IDS -> `alert`
			* IPS -> `reject`

			`<action> <protocol> <ip.src> <src.port> <> <ip.dst> <dst.port>(msg: "<msg>; <reference>; <ruleID>;<revision info>`

			`* Actions`
			* `alert`
			* `log`
			* `drop`
			* `reject`

			`* SID rule IDs`
			`* < 100 reserved rules`
			`* 100 - 999,999 rules of the build`
			`* >= 1,000,000 user rules`

			`* Reference may be a CVE`
			`* Revisions are versionings of the rule`

			`* Filter address range via CIDR`
			```sh
			`alert icmp 192.168.1.0/24 any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)`
			```
			`* Filter multiple address ranges`
			```sh
			`alert icmp [192.168.1.0/24, 10.1.1.0/24] any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)`
			```
			* Exlude via `!10.10.0.1`
			`* Filter via any and ports between 4712 and 8080`
			```sh
			`alert icmp any 4711,8080: <> any any (msg: "TCP Packet Found"; sid: 100001; rev:1;)`
			```

			`### Detection Rules`

			* `/etc/snort/rules/local.rules`
			`* ASCII or gex mode`
			```sh
			`ASCII mode - alert tcp any any -> any 8080 (msg: "GET Request Found"; content:"GET"; sid: 100001; rev:1;)`
			`alert tcp any any -> any 8080 (msg: "GET Request Found"; content:"\|47 45 54\|"; sid: 100001; rev:1;)`
			```
			`* Case insensitiv`
			```sh
			`alert tcp any any -> any 8080 (msg: "GET Request Found"; content:"GET"; nocase; sid: 100001; rev:1;)`
			```
			`* Fast pattern`
			```sh
			`alert tcp any any <> any 80 (msg: "GET Request Found"; content:"GET"; fast_pattern; content:"www"; sid:100001; rev:1;)`
			```

			`* Non payload detection rules`
			* TCP flags, `flags: F,S,A,R,P,U`
			* Payload size, `dsize:min<>max`
			* SameIP, `alert ip any any <> any any (msg: "SAME-IP TEST"; sameip; sid: 100001; rev:1;)`
			* Packet IDs, `id: 4711`