# Snort

Snort is made up of several modules that process network packets in sequence:

* __packet decoder__
* __preprocessor__
* __detection engine__
* __logging and alerting__
* __output plugins__

## Data Acquisition Modules

* __Pcap__, default
* __Afpacket__, inline mode, IPS
* __Ipq__, uses netfilter on Linux
* __Nfq__, inline mode on Linux
* __Ipfw__, inline mode on BSD
* __Dump__, test mode

## Usage

* Check the configuration and run the self tests via

```sh
snort -c <config> -T
```

### Sniffing

| Parameter | Description |
|-----------|-------------|
| -v | Verbose. Display the TCP/IP output in the console. |
| -d | Display the packet data (payload). |
| -e | Display the link-layer headers in addition to the TCP/IP/UDP/ICMP headers. |
| -X | Display the full packet details in hex. |
| -i | Listen on the given interface. |

### Packet Logger

* Packets are logged into one directory per IP address, with one file per port inside each directory
* A BPF filter can be appended to the command line, e.g. `tcp port 80`
* Log files can be opened in Wireshark or read with `tcpdump -r <logfile>`

| Parameter | Description |
|-----------|-------------|
| -l | Logger mode; sets the log and alert output directory. The default is /var/log/snort, written in tcpdump (pcap) format. |
| -K ASCII | Log packets in ASCII format instead of pcap |
| -r | Read packets back from a logged pcap file and replay them through Snort |
| -n | Stop after the given number of packets has been read |

### IDS and IPS

* Output is an alert file along with an optional log file

| Parameter | Description |
|-----------|-------------|
| -c | Path to the configuration file |
| -T | Test the configuration file and exit |
| -N | Disable packet logging |
| -D | Run in the background (daemon mode) |
| -A | Alert mode. __full__: all available information about the alert (default); __fast__: alert message, timestamp, source and destination IP and port numbers; __console__: fast-style alerts printed to the console; __cmg__: CMG style, basic header details with the payload in hex and text; __none__: alerting disabled |

* Rules live in `/etc/snort/rules/local.rules`, for example:

```sh
alert icmp any any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
```

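The `fast` alert mode above produces one line per alert carrying the message, timestamp, addresses and ports. The following parser is an added example, not Snort's own code: it turns lines in the single-line fast layout into records and counts them per signature and per source host, which is the first step of a triage script. The alert lines embedded in it are constructed for the example (the sids reuse the `100001` from this page plus a constructed `100002`), and the endpoint splitting assumes IPv4 addresses.

```python
import re
from collections import Counter

# Added example (not Snort code): parse alerts written in Snort's "fast" layout
# into records and summarise them. SAMPLE_ALERTS is constructed for this example.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

SAMPLE_ALERTS = """\
08/28-12:34:56.123456  [**] [1:100001:1] ICMP Packet Found [**] [Priority: 0] {ICMP} 10.0.0.5 -> 10.0.0.1
08/28-12:35:01.000001  [**] [1:100002:1] GET Request Found [**] [Priority: 0] {TCP} 10.0.0.5:51234 -> 10.0.0.1:8080
08/28-12:35:02.500000  [**] [1:100002:1] GET Request Found [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.9:40001 -> 10.0.0.1:8080
08/28-12:35:03.000000  [**] [1:100001:1] ICMP Packet Found [**] [Priority: 0] {ICMP} 10.0.0.9 -> 10.0.0.1
this line is not an alert and is skipped
"""


def _split_endpoint(endpoint):
    """'10.0.0.5:51234' -> ('10.0.0.5', 51234); '10.0.0.5' -> ('10.0.0.5', None).
    Assumes IPv4 addresses, as in the constructed sample data."""
    host, sep, port = endpoint.rpartition(":")
    if not sep:
        return endpoint, None
    return host, int(port)


def parse_fast_alert(line):
    """Return a dict for one fast-format alert line, or None if it does not parse."""
    m = FAST_ALERT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src_ip"], rec["src_port"] = _split_endpoint(rec.pop("src"))
    rec["dst_ip"], rec["dst_port"] = _split_endpoint(rec.pop("dst"))
    rec["sid"] = int(rec["sid"])
    rec["priority"] = int(rec["priority"])
    return rec


def summarize(text):
    """Count alerts per (sid, message) and per source host; returns (by_sid, by_src).
    Lines that do not parse are skipped rather than aborting the run."""
    by_sid, by_src = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_fast_alert(line)
        if rec is None:
            continue
        by_sid[(rec["sid"], rec["msg"])] += 1
        by_src[rec["src_ip"]] += 1
    return by_sid, by_src


if __name__ == "__main__":
    by_sid, by_src = summarize(SAMPLE_ALERTS)
    for (sid, msg), n in by_sid.most_common():
        print(f"sid {sid} ({msg}): {n}")
    for src, n in by_src.most_common():
        print(f"{src}: {n} alerts")
```

Point `summarize` at the contents of the alert file that `-A fast` writes into the `-l` directory; the `(sid, msg)` counter shows which rules fire most, and the per-source counter points at the hosts worth looking at first.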
### PCAPs

* Read a single capture: `snort -c <configfile> -r file.pcap -A console -n <number of packets>`
* Read several captures and log into the current directory: `snort -c <configfile> --pcap-list="file1.pcap file2.pcap" -A console -l .`

## Rules

```sh
snort -c /etc/snort/rules/local.rules -A console
snort -c /etc/snort/rules/local.rules -A full
```

* Every rule has a source and destination IP, as well as a port for each endpoint
* Rule options fall into general, payload and non-payload options
* Direction of the packet
  * `->` from source to destination
  * `<>` bidirectional
* IDS -> `alert`
* IPS -> `reject`

General rule layout:

```sh
<action> <protocol> <src.ip> <src.port> <direction> <dst.ip> <dst.port> (msg:"<msg>"; reference:<reference>; sid:<ruleID>; rev:<revision>;)
```

* Actions
  * `alert`
  * `log`
  * `drop`
  * `reject`
* SID rule IDs
  * < 100: reserved
  * 100 - 999,999: rules shipped with the build
  * >= 1,000,000: user-defined rules
* The reference may be a CVE identifier
* Revisions (`rev`) version the rule

* Filter an address range via CIDR

```sh
alert icmp 192.168.1.0/24 any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
```

* Filter multiple address ranges

```sh
alert icmp [192.168.1.0/24, 10.1.1.0/24] any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
```

* Exclude an address via `!10.10.0.1`
* Filter on any address and a port range, written `low:high`, here ports 4711 through 8080

```sh
alert tcp any 4711:8080 <> any any (msg: "TCP Packet Found"; sid: 100001; rev:1;)
```

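The header part of a rule (action, protocol, addresses, ports and direction) decides which packets the options are evaluated on at all. The matcher below is an added example, not Snort's parser: it models the address and port selectors described in this section (`any`, CIDR networks, `[a, b]` lists, `!` negation and `low:high` port ranges) and the difference between `->` and `<>`, and evaluates a header against constructed packet tuples. The first two rules are taken from this page; the third, with a negated source address and a port range, is constructed.

```python
import ipaddress
import re

# Added example (not Snort code): a teaching model of the rule header
#   <action> <protocol> <src.ip> <src.port> <direction> <dst.ip> <dst.port> (...)
# Address and port fields may be 'any', a CIDR network, a [a, b] list, a '!'-negated
# spec or a low:high port range. Stream state and rule options are out of scope.
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\[[^\]]*\]|\S+)\s+(?P<sport>\[[^\]]*\]|\S+)\s+"
    r"(?P<dir>->|<>)\s+"
    r"(?P<dst>\[[^\]]*\]|\S+)\s+(?P<dport>\[[^\]]*\]|\S+)\s*\("
)


def _items(spec):
    """Split '[a, b]' into ['a', 'b']; a bare spec becomes a one-item list."""
    spec = spec.strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    return [s.strip() for s in spec.split(",") if s.strip()]


def _negated(spec):
    """Strip a leading '!' and report whether it was present."""
    return (spec[1:], True) if spec.startswith("!") else (spec, False)


def ip_matches(spec, ip):
    """True if `ip` is selected by 'any', '10.1.1.0/24', '!10.10.0.1' or '[192.168.1.0/24, 10.1.1.0/24]'."""
    spec, negate = _negated(spec)
    if spec == "any":
        hit = True
    else:
        addr = ipaddress.ip_address(ip)
        hit = any(addr in ipaddress.ip_network(item, strict=False) for item in _items(spec))
    return hit != negate  # negation flips the result


def port_matches(spec, port):
    """True if `port` is selected by 'any', '80', '4711:8080', ':1024', '1024:' or a [list] of those."""
    spec, negate = _negated(spec)
    if spec == "any":
        hit = True
    else:
        hit = False
        for item in _items(spec):
            low, sep, high = item.partition(":")
            lo = int(low) if low else 0
            hi = int(high) if high else 65535
            if not sep:          # a single port, not a range
                hi = lo
            if lo <= port <= hi:
                hit = True
    return hit != negate


def parse_header(rule):
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("unrecognised rule header: %r" % rule)
    return m.groupdict()


def header_matches(rule, proto, src_ip, src_port, dst_ip, dst_port):
    """Evaluate the header of `rule` against one packet.
    'ip' rules match every protocol; '<>' also matches the reply direction."""
    h = parse_header(rule)
    if h["proto"] != "ip" and h["proto"] != proto:
        return False
    forward = (ip_matches(h["src"], src_ip) and port_matches(h["sport"], src_port)
               and ip_matches(h["dst"], dst_ip) and port_matches(h["dport"], dst_port))
    if h["dir"] == "->":
        return forward
    reverse = (ip_matches(h["src"], dst_ip) and port_matches(h["sport"], dst_port)
               and ip_matches(h["dst"], src_ip) and port_matches(h["dport"], src_port))
    return forward or reverse


# The first two rules are from this page; the third is constructed for the example.
RULES = [
    'alert icmp 192.168.1.0/24 any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)',
    'alert icmp [192.168.1.0/24, 10.1.1.0/24] any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)',
    'alert tcp !10.10.0.1 any -> any 4711:8080 (msg: "TCP Packet Found"; sid: 100001; rev:1;)',
]

if __name__ == "__main__":
    # constructed packets: (proto, src_ip, src_port, dst_ip, dst_port); ICMP has no ports, so 0
    packets = [
        ("icmp", "192.168.1.5", 0, "8.8.8.8", 0),
        ("icmp", "8.8.8.8", 0, "192.168.1.5", 0),
        ("tcp", "10.10.0.1", 40000, "10.0.0.1", 8080),
        ("tcp", "10.10.0.2", 40000, "10.0.0.1", 8080),
    ]
    for rule in RULES:
        print(rule.split("(")[0])
        for pkt in packets:
            print("   ", pkt, "->", header_matches(rule, *pkt))
```

The second constructed packet is the reply of the first; it matches the `<>` rules but a `->` rule with the same fields would not, which is the usual source of "why did my rule not fire on the response" questions.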
### Detection Rules

* Rules file: `/etc/snort/rules/local.rules`
* Content can be written in ASCII or as hex between `|` pipes; `|47 45 54|` is the hex form of `GET`

```sh
# ASCII mode, both content strings must be present in the payload
alert tcp any any -> any 8080 (msg: "GET Request Found"; content:"GET";content: "/foo"; sid: 100001; rev:1;)
# hex mode
alert tcp any any -> any 8080 (msg: "GET Request Found"; content:"|47 45 54|"; sid: 100001; rev:1;)
```

* Case insensitive matching via `nocase`

```sh
alert tcp any any -> any 8080 (msg: "GET Request Found"; content:"GET"; nocase; sid: 100001; rev:1;)
```

* Fast pattern: `fast_pattern` marks the content the multi-pattern matcher should search for first

```sh
alert tcp any any <> any 80 (msg: "GET Request Found"; content:"GET"; fast_pattern; content:"www"; sid:100001; rev:1;)
```

* Non-payload detection rules
  * TCP flags, `flags:` followed by any of `F,S,A,R,P,U`
  * Payload size, `dsize:min<>max`
  * Same source and destination IP, `alert ip any any <> any any (msg: "SAME-IP TEST"; sameip; sid: 100001; rev:1;)`
  * IP header ID field, `id: 4711`
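The content examples above (ASCII and `|hex|` forms, `nocase`) and the non-payload options listed last are evaluated per packet against the rule's option list. The evaluator below is an added example, not Snort's code: it parses the parenthesised options, decodes content strings with pipe-delimited hex segments, applies `nocase` to the content it follows, and checks `dsize`, `flags`, `sameip` and `id` against a constructed packet. The four rules marked as taken from this page are the ones shown above; the fifth, combining the non-payload options, is constructed. Treating the `dsize` endpoints as inclusive is an assumption made here, since Snort versions differ on that boundary.

```python
import re

# Added example (not Snort code): decode the rule options covered in this section
# (content with |hex| segments, nocase, dsize, flags, sameip, id) and evaluate them
# against one constructed packet. Stream reassembly, fast_pattern ordering and the
# remaining option keywords are out of scope; unknown keywords are ignored.
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_options(rule):
    """Return (keyword, value) pairs from the parenthesised part of a rule;
    value is None for bare modifiers such as nocase or sameip."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = []
    for m in OPTION_RE.finditer(body):
        key, val = m.group(1), m.group(2)
        if val is not None:
            val = val.strip()
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]
        opts.append((key, val))
    return opts


def decode_content(text):
    """'GET' -> b'GET' and '|47 45 54|' -> b'GET': text outside pipes is literal,
    text inside pipes is a list of hex byte values."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def evaluate_options(rule, payload, flags="", src_ip=None, dst_ip=None, ip_id=None):
    """True when every supported option in `rule` matches the packet.
    payload: bytes; flags: the TCP flag letters currently set, e.g. 'SA'."""
    opts = parse_options(rule)
    # nocase modifies the content keyword that precedes it
    contents = []
    for key, val in opts:
        if key == "content":
            contents.append([decode_content(val), False])
        elif key == "nocase" and contents:
            contents[-1][1] = True
    for pattern, nocase in contents:
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if needle not in hay:
            return False
    for key, val in opts:
        if key == "dsize":
            n = len(payload)
            if "<>" in val:  # min<>max, endpoints inclusive here (assumption; versions differ)
                lo, hi = (int(x) for x in val.split("<>"))
                ok = lo <= n <= hi
            elif val[0] in "<>":
                ok = n < int(val[1:]) if val[0] == "<" else n > int(val[1:])
            else:
                ok = n == int(val)
            if not ok:
                return False
        elif key == "flags":
            # exact match of the listed flag letters (Snort's default without + or *)
            if set(val.replace(",", "")) != set(flags):
                return False
        elif key == "sameip" and src_ip != dst_ip:
            return False
        elif key == "id" and int(val) != ip_id:
            return False
    return True


# The first four rules are from this page; "nonpayload" is constructed for the example.
RULES = {
    "ascii": 'alert tcp any any -> any 8080 (msg: "GET Request Found"; content:"GET";content: "/foo"; sid: 100001; rev:1;)',
    "hex": 'alert tcp any any -> any 8080 (msg: "GET Request Found"; content:"|47 45 54|"; sid: 100001; rev:1;)',
    "nocase": 'alert tcp any any -> any 8080 (msg: "GET Request Found"; content:"GET"; nocase; sid: 100001; rev:1;)',
    "sameip": 'alert ip any any <> any any (msg: "SAME-IP TEST"; sameip; sid: 100001; rev:1;)',
    "nonpayload": 'alert tcp any any -> any any (msg: "SYN with small payload"; flags:S; dsize:0<>10; id:4711; sid: 100001; rev:1;)',
}

if __name__ == "__main__":
    for name, rule in RULES.items():
        print(name, parse_options(rule))
    print("hex == ascii:", decode_content("|47 45 54|") == decode_content("GET"))
    print("nocase on 'get':", evaluate_options(RULES["nocase"], b"get /foo HTTP/1.1"))
    print("hex rule on 'get':", evaluate_options(RULES["hex"], b"get /foo HTTP/1.1"))
```

Running it shows why the `|47 45 54|` and `GET` rules behave identically, and why neither fires on a lower-case `get` unless `nocase` is present.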