Snort is a well-known, free, and powerful lightweight intrusion detection system (IDS) characterized by ease of use, lightweight design, and high blocking efficiency. This article introduces how to use Snort to secure Internet-connected hosts from a practical operational perspective.
Intrusion detection technology represents the next generation of security safeguards following traditional measures such as firewalls and data encryption. It identifies and responds to malicious behavior targeting computer and network resources. It detects not only external intrusions but also unauthorized activity by internal users. As network servers face growing security demands, being able to defend effectively against intrusions and attacks in a Linux environment is of great practical importance.
Snort is a powerful, lightweight, and free network intrusion detection system with the following features:
1. Lightweight Network Intrusion Detection System
Although Snort is powerful, its codebase is remarkably concise and minimal, with the compressed source code package being slightly over 1.8 MB.
2. Excellent Portability
Snort is highly portable, offering exceptional cross-platform performance. It currently supports Linux, Solaris, FreeBSD, IRIX, HP-UX under Unix-like systems, as well as Windows 2000 and other Microsoft server platforms.
3. Robust Functionality
Snort supports real-time traffic analysis and logging for IP network packets. It quickly identifies network attacks and issues alerts in a timely manner. By leveraging XML plugins, Snort can use SNML (Simple Network Markup Language) to store logs in files or issue real-time alerts. Snort provides protocol analysis and content searching/matching capabilities. Currently, Snort supports TCP, UDP, and ICMP protocols, with potential future support for ARP, IPX, and others. It can detect a variety of attacks and probes, including buffer overflows, stealth port scans, CGI attacks, SMB probes, and attempts to gather fingerprint signatures of systems. Snort log formats can be in binary tcpdump format or decoded into ASCII, making inspection easier, especially for new users. By utilizing database output plugins, Snort can log information into databases, and with TCP stream plugins, Snort can reassemble TCP packets.
4. Extensibility and Rapid Response to New Attacks
Snort, as a lightweight IDS, has excellent extensibility. Its simple rule description language lets users write rules from just four fields: action, protocol, direction, and the addresses and port of interest (e.g., `log tcp any any -> 192.168.0.1/24 79`). When a new attack is identified, users can quickly create detection rules based on patterns obtained from the bugtraq mailing list. The simplicity of the rule language lowers the learning curve and training cost for staff.
5. Follows the General Public License (GPL)
Since Snort adheres to the GPL, any organization or individual can freely use it as long as they comply with the GPL.
Snort Architecture
# Packet Decoder
Snort's packet decoder supports Ethernet, SLIP, and PPP media. Its main function is to collect network traffic and parse packets according to the TCP/IP protocol layers. Using the `libpcap` library API, Snort captures packets directly at the link layer, which also allows filters to be set so that only specific packets are captured. Efficient data acquisition and parsing form the backbone of a NIDS implementation and depend on both software efficiency and hardware processing capability. In addition, the decoder must handle a wide variety of packet types.
# Detection Engine
The detection engine is Snort's core. It checks every packet against the loaded rules. Snort parses its rules into chain headers and chain options. Chain headers identify general attributes such as source/destination IP addresses and ports, while chain options define detailed conditions such as TCP flags, ICMP codes and types, content patterns, and payload sizes. The engine evaluates each packet against the rules in sequence: the first matching rule triggers the action specified in that rule, while packets that match no rule are discarded by the engine without any action.
# Logging/Alert System
The alert and logging systems are separate subsystems. Logs can record the information collected by the packet decoder in a readable or tcpdump format. Alerts can be configured to be sent to syslog, flat files, UNIX sockets, or databases, and can also be disabled during testing or learning phases. By default, logs are written to `/var/log/snort`, and alerts are written to `/var/log/snort/alerts`. The packet logging subsystem provides the following options: "fast mode" (logs data in tcpdump format); "readable mode" (logs data in decoded protocol format for easy interpretation); "alert to syslog" (sends alerts to syslog); "alert to text file" (records alerts in plain text).
It is worth noting that for high-performance needs, such as handling large volumes of network traffic, Snort can log compressed packet information to enable faster alerting.
How to Use Snort
# Installing Snort
Snort relies on `libpcap`. If `libpcap` is not already installed, it can be downloaded from [http://www.tcpdump.org](http://www.tcpdump.org). Installation steps:
1. Execute: `mkdir Snortinstall` and `cd Snortinstall`.
2. Download `snort-2.0.0.tar.gz` and `snortrules.tar.gz` from [www.snort.org](http://www.snort.org) into the newly created directory using a browser or `wget`.
3. Run the following commands:
```bash
tar -zxvf snort-2.0.0.tar.gz
cd snort-2.0.0
./configure
make
make install
```
# Using Snort
Let's demonstrate Snort's usage by observing host activity generated by the common `ping` command. Execute `./snort -v` to run Snort and display IP, TCP/UDP/ICMP header information. When you then run `ping 192.168.0.1`, Snort displays output such as:
```plaintext
06/10-10:21:13.884925 192.168.0.2 -> 192.168.0.1
ICMP TTL:64 TOS:0x0 ID:4068
```
To also decode application-layer data, run `snort -d` and use `ping` again; this displays the packet payload in addition to the headers.
For Ethernet frame header details as well, run `snort -vde`.
Writing Snort Rules
Snort's popularity stems from its lightweight nature and the ability for users to write dynamic, programmable rules. Users can also download ready-made rule sets from [www.snort.org](http://www.snort.org). Examples include:
- SMB alert configuration:
`output alert_smb:workstation.list`
- Port scan detection module configuration:
`preprocessor portscan:192.168.1.0/24 5 7 /var/log/portscan.log`
- Blocking inappropriate packets:
`alert tcp any any -> 192.168.1.0/24 80 (content-list:"adults";msg:"Not for children!";react:block,msg)`
Background Knowledge: Intrusion Detection Systems Overview
Intrusion Detection Systems (IDS) detect intrusion attempts by collecting and analyzing information from key points in computer networks or systems. Their features include:
- Monitoring and analyzing user and system activity.
- Checking system configurations and vulnerabilities.
- Evaluating the integrity of critical data and files.
- Identifying intrusion patterns and alerting administrators.
IDS systems commonly use two techniques:
1. Anomaly Detection: Flags deviations from normal system behavior as suspicious.
2. Signature-Based Detection: Relies on defined patterns for known attacks.
(Source: 51CTO.COM Blog)