FSU CIS 5930 - Snort

This preview shows page 1-2-3-4 out of 11 pages.

Save
View full document
View full document
Premium Document
Do you want full access? Go Premium and unlock all 11 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 11 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 11 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 11 pages.
Access to all documents
Download any document
Ad free experience
Premium Document
Do you want full access? Go Premium and unlock all 11 pages.
Access to all documents
Download any document
Ad free experience

Unformatted text preview:

Snort
A practical NIDS
Breno de Medeiros, Florida State University, Fall 2005

What is SNORT
Snort is a packet logger/analyzer which can be used to implement a NIDS.
It can be used in 4 modes:
- Sniffer mode
- Packet Logger mode
- Network Intrusion Detection System (NIDS) mode
- Inline mode

Example: logging packets
The command
    snort -dev -l ./log -h 192.168.1.0/24
results in packets being logged.
- Flag -d logs the packet data (payload) as well as the header portion of packets.
- Flag -v (verbose) causes Snort to display packet information on the screen.
- Flag -e logs extended header information (e.g., data link layer headers).
- Flag -l indicates the location (directory) to use for logging (the subdirectory log of the current directory in the above example).
- Flag -h indicates how to create subdirectories. Each packet is stored in a log file whose name matches either the source or the destination address of the datagram. Specifying the prefix 192.168.1.x indicates that you want the packets logged under the local host in the communication.

Using binary mode storage
Alternatively, you can use the compact binary storage form to store packets:
    snort -l ./log -b
This causes Snort to log all packets in binary form (tcpdump storage format). No flags are needed, because the whole packet is stored.
You can then read them back in playback mode, which is useful for experimenting with new rules:
    ./snort -dv -r packet.log
You can also play back only packets of a particular type:
    ./snort -dvr packet.log icmp

NIDS mode
NIDS mode modifies Snort's basic behavior (i.e., log everything): Snort first applies a set of rules and takes the appropriate action when a packet matches a rule.
    snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf
This results in Snort logging only the packets that match the rules specified in snort.conf.
Don't use -v or -e when running as a NIDS, for the sake of speed (otherwise Snort may lose packets).

Alerts in NIDS mode
Using the flag -A adds alerting behavior to Snort.
-A can be followed by the keywords full (default), fast, unsock, none, console, and cmg.
To use syslog for remote logging of alerts, use the flag -s.
Example:
    snort -b -A fast -c snort.conf

Inline Snort
Inline Snort obtains packets from iptables instead of libpcap and uses Snort rules to instruct iptables whether to drop or pass packets.
In order for snort_inline to work properly, you must download and compile the iptables code to include "make install-devel". This will install the libipq library that allows snort_inline to interface with iptables.
Also, you must build and install LibNet.
http://www.iptables.org
http://www.packetfactory.net

Running Snort Inline
The QUEUE target should be specified in iptables for interfacing with Snort:
    iptables -A OUTPUT -p tcp --dport 80 -j QUEUE
Then run Snort inline:
    snort_inline -QDc ../etc/drop.conf -l /var/log/snort
The flags mean:
- -Q: obtain input from the iptables QUEUE target
- -D: run in daemon mode (i.e., continuously in the background)
- -c: use the given configuration file
- -l: log to the given directory

Snort configuration
Snort configuration is highly customizable, in order to achieve high performance and full flexibility of use.
    config checksum_mode: none, noip, notcp, noicmp, noudp, ip, tcp, udp, icmp, all
An important feature of Snort is the use of pre-processors. For instance, the de-fragmentation pre-processor frag3 allows you to use different policies to reproduce the de-fragmentation behavior of various operating systems. Or, you can define your own policy.
Similarly, the stream4_reassemble pre-processor enables you to choose your policies for overlapping packets.

Detecting port scans
sfPortscan pre-processor
- Detects NMAP-style port scans, as well as "decoy" and distributed port scans
- Can detect port sweeps as well as port scans
- Can be tuned for sensitivity/accuracy

Application layer pre-processors
- Telnet_decode
- RPC_decode
- HTTP_inspect
  - Apache profile
  - IIS profile
  - many customizable
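Why frag3 offers per-target reassembly policies, as an added illustration (not code from the slides or from Snort): the same sequence of overlapping IP fragments reassembles to different payloads under the frag3 policy names "first" and "last", so a sensor whose policy does not match the protected host's can inspect a different stream than the host receives. The fragment list is constructed for the demo, and the OS-specific policies (linux, windows, bsd, ...) are not modelled.

```python
"""Model of two frag3 reassembly policies over overlapping IP fragments.

Added illustration, not code from the slides or from Snort. FRAGMENTS is
constructed for the demo; 'first' and 'last' are two of frag3's policy
names, and the OS-specific policies are not modelled here.
"""

# Constructed fragments: (offset, payload). The second overlaps the first.
FRAGMENTS = [
    (0, b"GET /pub"),
    (4, b"/dev"),       # overlaps bytes 4..7 of the first fragment
    (8, b"/a.html "),
]


def reassemble(fragments, policy):
    """Reassemble fragments under a frag3-style overlap policy.

    'first': data already received wins (later overlapping bytes dropped).
    'last':  later fragments overwrite what was received earlier.
    """
    if policy not in ("first", "last"):
        raise ValueError("unsupported policy: %r" % policy)
    total = max(off + len(data) for off, data in fragments)
    buf = bytearray(total)
    seen = [False] * total
    for off, data in fragments:           # arrival order matters
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "first" and seen[pos]:
                continue
            buf[pos] = byte
            seen[pos] = True
    if not all(seen):
        raise ValueError("reassembly incomplete: gap between fragments")
    return bytes(buf)


def rule_matches(payload, content):
    """Minimal stand-in for a Snort rule's content match."""
    return content in payload


if __name__ == "__main__":
    for policy in ("first", "last"):
        stream = reassemble(FRAGMENTS, policy)
        print(policy, stream, "matches /dev:", rule_matches(stream, b"/dev"))
```

A rule looking for "/dev" fires only under the "last" policy here, which is why frag3 lets the operator pick the policy of the hosts being protected instead of a single global one.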
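The port scan versus port sweep distinction and the sensitivity tuning described for sfPortscan, as an added illustration (not the slides' or Snort's code): a toy detector over constructed connection-attempt records, where the threshold table stands in for sfPortscan's sensitivity levels and does not use Snort's actual numbers.

```python
"""Toy sfPortscan-style detector over constructed connection attempts.

Added illustration, not the slides' or Snort's code. EVENTS and THRESHOLDS
are constructed for the demo and are not Snort's real data or settings.
"""
from collections import defaultdict

# Constructed sample: one host probing many ports on a single target (a port
# scan), another host trying one port on many targets (a port sweep), plus
# a host with ordinary two-port traffic.
EVENTS = (
    [("10.0.0.5", "192.168.1.10", p) for p in (21, 22, 23, 25, 80, 110, 143, 443)]
    + [("10.0.0.9", "192.168.1.%d" % h, 22) for h in range(20, 27)]
    + [("10.0.0.7", "192.168.1.10", 80), ("10.0.0.7", "192.168.1.10", 443)]
)

# Higher sensitivity = lower threshold = more detections, more false positives.
THRESHOLDS = {"low": 15, "medium": 8, "high": 5}


def detect(events, sensitivity="medium"):
    """Return sorted (kind, source) alerts.

    portscan:  one source hits >= threshold distinct ports on one destination.
    portsweep: one source hits one port on >= threshold distinct destinations.
    """
    limit = THRESHOLDS[sensitivity]
    ports_per_pair = defaultdict(set)   # (src, dst) -> {dst_port}
    hosts_per_port = defaultdict(set)   # (src, dst_port) -> {dst}
    for src, dst, port in events:
        ports_per_pair[(src, dst)].add(port)
        hosts_per_port[(src, port)].add(dst)
    alerts = set()
    for (src, _dst), ports in ports_per_pair.items():
        if len(ports) >= limit:
            alerts.add(("portscan", src))
    for (src, _port), hosts in hosts_per_port.items():
        if len(hosts) >= limit:
            alerts.add(("portsweep", src))
    return sorted(alerts)


if __name__ == "__main__":
    for level in ("low", "medium", "high"):
        print(level, detect(EVENTS, level))
```

At "high" both the 8-port scan and the 7-host sweep are reported, at "medium" only the scan, and at "low" neither, which is the accuracy/sensitivity trade-off the slide refers to.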