# Snort

Comprised of a __packet decoder__, __preprocessors__, the __detection engine__, __logging and alerting__, and __output plugins__.

## Data Acquisition Modules

* __Pcap__, default
* __Afpacket__, inline mode, IPS
* __Ipq__, inline mode on Linux via the older netfilter ip_queue interface
* __Nfq__, inline mode on Linux via netfilter NFQUEUE
* __Ipfw__, inline mode on BSD
* __Dump__, test mode

## Usage

* Check the config and run self tests via

```sh
snort -c -T
```

### Sniffing

| Parameter | Description |
|-----------|-------------|
| -v | Verbose. Display the TCP/IP output in the console. |
| -d | Display the packet data (payload). |
| -e | Display the link-layer (Ethernet) headers. |
| -X | Display the full packet details in hex. |
| -i | Listen on interface |

### Packet Logger

* With `-K ASCII`, packets are logged into one directory per IP, with one file per protocol/port pair inside it
* A BPF filter can be appended, e.g. `tcp port 80`
* Log files can be opened with Wireshark or `tcpdump -r `

| Parameter | Description |
|-----------|-------------|
| -l | Logger mode; sets the log and alert output directory. Default is /var/log/snort, written in tcpdump (pcap) format. |
| -K ASCII | Log packets in ASCII format |
| -r | Read packets from a pcap file (e.g. a log Snort wrote) instead of the wire |
| -n | Specify the number of packets that will be read |

### IDS and IPS

* Output is an alert file plus an optional log file

| Parameter | Description |
|-----------|-------------|
| -c | Defining the configuration file |
| -T | Testing the configuration file |
| -N | Disable logging |
| -D | Background (daemon) mode |
| -A | Alert modes; __full__: all available info about the alert, default mode; __fast__: alert message, timestamp, source and destination IP, port numbers; __console__: fast-style alerts printed to the console; __cmg__: CMG style, basic header details with payload in hex and text; __none__: disable alerting |

* Local rules live in `/etc/snort/rules/local.rules`

```sh
alert icmp any any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
```

### PCAPs

* `snort -c -r file.pcap -A console -n `
* `snort -c --pcap-list="file1.pcap file2.pcap" -A console -l .`

## Rules

```sh
snort -c /etc/snort/rules/local.rules -A console
snort -c /etc/snort/rules/local.rules -A full
```

* Every rule has a source and destination IP, and a port for each endpoint
* Rule options fall into general, payload and non-payload categories
* Direction of the packet
  * `->` to destination
  * `<>` bidirectional
* IDS -> `alert`
* IPS -> `reject`
* Rule skeleton (placeholder names are used here for readability): `action protocol src_ip src_port <> dst_ip dst_port (msg: "..."; sid: ...; rev: ...;)`
* Actions
  * `alert`
  * `log`
  * `drop`
  * `reject`
* SID rule IDs
  * < 100 reserved rules
  * 100 - 999,999 rules shipped with the distribution
  * >= 1,000,000 user rules (the `sid: 100001` used in the examples on this page falls in the distribution range; use `sid:1000001` and up for your own local rules)
* `reference` may point at a CVE
* `rev` is the revision (version) of the rule; bump it whenever the rule changes
* Filter an address range via CIDR

```sh
alert icmp 192.168.1.0/24 any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
```

* Filter multiple address ranges

```sh
alert icmp [192.168.1.0/24, 10.1.1.0/24] any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
```

* Exclude via `!10.10.0.1`
* Filter any address with source ports 4711 through 8080; a range is written `low:high`, a list must be bracketed like `[4711,8080]`, and since ICMP has no ports the protocol has to be `tcp` or `udp`

```sh
alert tcp any 4711:8080 <> any any (msg: "TCP Packet Found"; sid: 100001; rev:1;)
```

### Detection Rules

* `/etc/snort/rules/local.rules`
* Content matching in ASCII or hex mode

```sh
# ASCII mode: both content matches must be present
alert tcp any any -> any 8080 (msg: "GET Request Found"; content:"GET"; content:"/foo"; sid: 100001; rev:1;)
# Hex mode: |47 45 54| is "GET"
alert tcp any any -> any 8080 (msg: "GET Request Found"; content:"|47 45 54|"; sid: 100002; rev:1;)
```

* Case insensitive

```sh
alert tcp any any -> any 8080 (msg: "GET Request Found"; content:"GET"; nocase; sid: 100001; rev:1;)
```

* Fast pattern: `fast_pattern` marks the content the multi-pattern matcher uses for its first pass, so pick the most selective one

```sh
alert tcp any any <> any 80 (msg: "GET Request Found"; content:"GET"; fast_pattern; content:"www"; sid:100001; rev:1;)
```

* Non-payload detection rules
  * TCP flags, `flags:S;`; the letters are F, S, R, P, A, U and are concatenated, e.g. `flags:SA;` for SYN+ACK
  * Payload size, `dsize:min<>max`
  * Same source and destination IP, `alert ip any any <> any any (msg: "SAME-IP TEST"; sameip; sid: 100001; rev:1;)`
  * IP header ID field, `id:4711;`
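Before loading a rules file with `-T`, it helps to catch the rule-writing mistakes listed above (ICMP rules with ports, `4711,8080:` instead of `4711:8080`, `flags:F,S,A,R,P,U` instead of `flags:FSARPU`, local sids below 1,000,000, duplicate sids). The following linter is an added example written for this page, not part of Snort; it parses the Snort 2 rule header and option list with regular expressions and runs those checks over a constructed `local.rules`. The `SAMPLE_RULES` text, the accepted action/protocol sets and the `LOCAL_SID_MIN` cut-off are assumptions made for the demo.

```python
"""Lint Snort 2 rules for the pitfalls described in the cheat sheet.
Added example, not Snort project code; the sample rules are constructed."""
import re
from dataclasses import dataclass, field

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}   # assumed set for the demo
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
LOCAL_SID_MIN = 1_000_000          # sids >= 1,000,000 are the user/local range

# header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# one option: name[:value]; where value may be a quoted string
OPTION_RE = re.compile(r'\s*([a-z_]+)\s*(?::\s*((?:"[^"]*"|[^;"])*))?;')
# any | $VAR | 80 | 80: | :80 | 80:90 | [list], optionally negated with !
PORT_RE = re.compile(r"^!?(?:any|\$\w+|\d+|\d+:|:\d+|\d+:\d+|\[[^\]]+\])$")
# flag letters concatenate; a comma introduces the optional mask
FLAGS_RE = re.compile(r"^[!*+]?[FSRPAU120]+(?:,[FSRPAU120]+)?$")


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: list = field(default_factory=list)   # ordered (name, value) pairs

    def option(self, name):
        for k, v in self.options:
            if k == name:
                return v
        return None


def parse_rule(text):
    """Split one rule into header fields and an ordered option list."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a rule: {text!r}")
    opts = [(k, (v or "").strip()) for k, v in OPTION_RE.findall(m.group("opts"))]
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dir"],
                m["dst"], m["dport"], opts)


def lint_rules(text):
    """Return (line_number, finding) pairs for every rule in a rules file."""
    findings, seen_sids = [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            r = parse_rule(line)
        except ValueError as e:
            findings.append((lineno, str(e)))
            continue
        if r.action not in ACTIONS:
            findings.append((lineno, f"unknown action {r.action!r}"))
        if r.proto not in PROTOCOLS:
            findings.append((lineno, f"unknown protocol {r.proto!r}"))
        for label, port in (("source", r.sport), ("destination", r.dport)):
            if not PORT_RE.match(port):
                findings.append((lineno, f"bad {label} port spec {port!r} (ranges use ':', lists need [...])"))
            elif r.proto in ("icmp", "ip") and port != "any":
                findings.append((lineno, f"{r.proto} has no ports, {label} port must be 'any'"))
        sid = r.option("sid")
        if sid is None or not sid.isdigit():
            findings.append((lineno, "missing or non-numeric sid"))
        else:
            n = int(sid)
            if n < LOCAL_SID_MIN:
                findings.append((lineno, f"sid {n} is below the local range (use >= {LOCAL_SID_MIN})"))
            if n in seen_sids:
                findings.append((lineno, f"sid {n} duplicates line {seen_sids[n]}"))
            seen_sids.setdefault(n, lineno)
        if r.option("msg") is None:
            findings.append((lineno, "missing msg"))
        flags = r.option("flags")
        if flags is not None and not FLAGS_RE.match(flags):
            findings.append((lineno, f"bad flags {flags!r} (letters concatenate, e.g. SA; ',' starts a mask)"))
    return findings


# constructed local.rules mixing the page's examples with the mistakes to catch
SAMPLE_RULES = """\
# demo rules
alert icmp any any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
alert icmp any 4711,8080: <> any any (msg: "TCP Packet Found"; sid: 100001; rev:1;)
alert tcp any any -> any 8080 (msg: "GET Request Found"; content:"GET"; nocase; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg: "SYN probe"; flags:F,S,A,R,P,U; sid:1000002; rev:1;)
alert ip any any <> any any (msg: "SAME-IP TEST"; sameip; sid:1000003; rev:1;)
"""

if __name__ == "__main__":
    for lineno, finding in lint_rules(SAMPLE_RULES):
        print(f"local.rules:{lineno}: {finding}")
```

Run it on a real `local.rules` by replacing `SAMPLE_RULES` with the file contents; it is a pre-check only and does not replace `snort -T`, which is the authoritative parser.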
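The `-A fast` and `-A console` modes described above emit one line per alert in the form `timestamp  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]`, which is what you end up grepping during triage. This parser and summarizer is an added example written for this page, not Snort code; the alert lines in `SAMPLE_ALERTS` are constructed to look like output from the rules on this page, and the field names in the returned dict are this example's own.

```python
"""Parse Snort 2 '-A fast' / '-A console' alert lines and summarize them.
Added example, not Snort project code; the sample alerts are constructed."""
import re
from collections import Counter

# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)

# constructed alert lines: two ICMP hits, two GET hits from one client, one junk line
SAMPLE_ALERTS = """\
08/28-10:15:02.000123  [**] [1:1000001:1] ICMP Packet Found [**] [Priority: 0] {ICMP} 192.168.1.10 -> 192.168.1.1
08/28-10:15:02.000987  [**] [1:1000001:1] ICMP Packet Found [**] [Priority: 0] {ICMP} 192.168.1.1 -> 192.168.1.10
08/28-10:15:05.442100  [**] [1:1000002:1] GET Request Found [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.1.1.7:51234 -> 192.168.1.20:8080
08/28-10:15:06.001000  [**] [1:1000002:1] GET Request Found [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.1.1.7:51235 -> 192.168.1.20:8080
this line is not an alert
"""


def parse_fast_alert(line):
    """Return a dict of alert fields, or None if the line is not a fast-format alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "prio"):
        d[k] = int(d[k])
    for k in ("sport", "dport"):              # absent for ICMP / IP alerts
        d[k] = int(d[k]) if d[k] is not None else None
    return d


def summarize(text):
    """Count alerts per (sid, msg) and per source address; count lines that did not parse."""
    by_sid, by_src, unparsed = Counter(), Counter(), 0
    for line in text.splitlines():
        if not line.strip():
            continue
        a = parse_fast_alert(line)
        if a is None:
            unparsed += 1
            continue
        by_sid[(a["sid"], a["msg"])] += 1
        by_src[a["src"]] += 1
    return {"by_sid": by_sid, "by_src": by_src, "unparsed": unparsed}


if __name__ == "__main__":
    s = summarize(SAMPLE_ALERTS)
    for (sid, msg), n in s["by_sid"].most_common():
        print(f"{n:5d}  sid {sid}  {msg}")
    for src, n in s["by_src"].most_common(3):
        print(f"{n:5d}  from {src}")
    print(f"{s['unparsed']} unparsed line(s)")
```

Feed it the alert file written under `-l` (or the console output) to get the top firing sids and the noisiest sources; lines that do not parse are counted rather than dropped silently, so a format change does not hide alerts.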