Comprehensive Guide to Using Snort: The Leading Open-Source Intrusion Prevention System

1. Overview

Snort is the foremost open-source intrusion prevention system (IPS). It uses a set of rules that describe malicious network activity, matches packets against those rules and generates alerts for users when a packet matches.

Snort can also be deployed inline to block the matching packets. It has three main uses: as a packet sniffer like tcpdump, as a packet logger (useful for network traffic debugging), or as a full network intrusion prevention system.


2. Installation

2.1. Install daq

Visit the official website https://www.snort.org/downloads and download daq-2.0.6.tar.gz (the DAQ packet-acquisition library that Snort 2.9 needs):

tar -zxvf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure
make
make install

Error handling: "configure: error: Your operating system's lex is insufficient to compile libsfbpf. You should install both bison and flex."

Solution (CentOS/RHEL; adapt to your package manager): yum install flex bison -y

Error handling: "configure: error: ERROR! Libpcap library version >= 1.0.0 not found."

Solution: yum install libpcap libpcap-devel -y

2.2. Install Snort

Download snort-2.9.9.0.tar.gz from the same downloads page:

tar -zxvf snort-2.9.9.0.tar.gz
cd snort-2.9.9.0
./configure --enable-sourcefire
make
make install

Besides libdnet (below), configure also needs the PCRE and zlib headers; on CentOS/RHEL install pcre-devel and zlib-devel if it complains about them.

Error handling: "configure: error: ERROR! dnet header not found, go get it from"

Solution: build libdnet from source:

wget https://nchc.dl.sourceforge.net/project/libdnet/libdnet/libdnet-1.11/libdnet-1.11.tar.gz
tar -zxf libdnet-1.11.tar.gz
cd libdnet-1.11
./configure && make && make install
ldconfig

libdnet (and daq's libsfbpf) install under /usr/local/lib. If snort later fails to start with "cannot open shared object file" for one of these libraries, add that directory to the loader path (echo /usr/local/lib > /etc/ld.so.conf.d/usr-local.conf) and run ldconfig again.

3. Rule Configuration

# Create the snort configuration and rules directories
mkdir -p /etc/snort/rules
# Directory that the dynamicdetection line in snort.conf points at; it must exist even if empty
mkdir -p /usr/local/lib/snort_dynamicrules

# Copy the default configuration files from the etc/ directory of the
# snort-2.9.9.0 source tree unpacked in 2.2 (run this from that directory)
cp etc/*.conf* /etc/snort
cp etc/*.map /etc/snort

# Download the community rules and unpack them into the rules directory
# (the archive creates /etc/snort/rules/community-rules/community.rules)
wget https://www.snort.org/downloads/community/community-rules.tar.gz
tar -zxf community-rules.tar.gz -C /etc/snort/rules

# Comment out every rule file snort.conf would load by default; the
# subscriber rule files they refer to are not installed
sed -i 's/include \$RULE_PATH/#include \$RULE_PATH/' /etc/snort/snort.conf

# Enable the community rule file
echo '' >> /etc/snort/snort.conf
echo '# enable community rule' >> /etc/snort/snort.conf
echo 'include $RULE_PATH/community-rules/community.rules' >> /etc/snort/snort.conf

# Point the path variables in snort.conf at /etc/snort/rules. The defaults
# (../rules) point outside /etc/snort; absolute paths work regardless of the
# directory snort is started from
sed -i 's|var RULE_PATH ../rules|var RULE_PATH /etc/snort/rules|' /etc/snort/snort.conf
sed -i 's|var WHITE_LIST_PATH ../rules|var WHITE_LIST_PATH /etc/snort/rules|' /etc/snort/snort.conf
sed -i 's|var BLACK_LIST_PATH ../rules|var BLACK_LIST_PATH /etc/snort/rules|' /etc/snort/snort.conf

# Create the whitelist and blacklist files referenced by the reputation preprocessor
touch /etc/snort/rules/white_list.rules
touch /etc/snort/rules/black_list.rules
# Create an empty file for your own rules. The sed above also commented out its
# include line, so add 'include $RULE_PATH/local.rules' to snort.conf when you
# start writing custom rules
touch /etc/snort/rules/local.rules

# Test the configuration for errors; a successful run ends with
# "Snort successfully validated the configuration!"
snort -T -c /etc/snort/snort.conf
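The script below is an added example, not code from the original article or from the Snort project. It takes the configuration above one step further: it appends a custom rule to local.rules (refusing SIDs below the local range of 1000000 and SIDs already in the file), re-enables the local.rules include that the sed in section 3 commented out, checks for duplicate SIDs across rule files, validates the configuration with snort -T, and replays a capture through Snort with -A console so you can see the rule fire. The paths default to the ones this guide creates; PCAP is an assumed capture file that you supply, and the script name add-local-rule.sh in the usage note is an assumption too.

```bash
#!/bin/sh
# Added example (not part of the original article or of Snort itself):
# add a custom rule to local.rules, enable the file in snort.conf, validate
# the configuration and replay a capture through Snort to confirm the rule
# fires. The paths are the ones section 3 creates; PCAP is an assumed test
# capture that you supply.

SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
RULES_DIR="${RULES_DIR:-/etc/snort/rules}"

# Append one rule to a rules file. Locally written rules use SIDs of
# 1000000 and above so they never collide with distributed rule sets; lower
# values and SIDs already present in the file are refused.
add_local_rule() {
    rules_file="$1"; sid="$2"; msg="$3"; header="$4"; opts="$5"
    if ! [ "$sid" -ge 1000000 ] 2>/dev/null; then
        echo "sid $sid is below the local range (>= 1000000)" >&2
        return 1
    fi
    if grep -q "sid:$sid;" "$rules_file" 2>/dev/null; then
        echo "sid $sid already defined in $rules_file" >&2
        return 1
    fi
    body="msg:\"$msg\";"
    if [ -n "$opts" ]; then
        body="$body $opts"
    fi
    printf '%s (%s sid:%s; rev:1;)\n' "$header" "$body" "$sid" >> "$rules_file"
}

# Make sure snort.conf loads local.rules. Section 3 commented out every
# $RULE_PATH include, local.rules among them, so uncomment it if it is
# there, otherwise append it. Safe to run repeatedly.
enable_local_rules() {
    conf="$1"
    if grep -q '^include \$RULE_PATH/local.rules' "$conf"; then
        return 0
    fi
    if grep -q '^#include \$RULE_PATH/local.rules' "$conf"; then
        sed -i 's|^#include \$RULE_PATH/local.rules|include $RULE_PATH/local.rules|' "$conf"
    else
        echo 'include $RULE_PATH/local.rules' >> "$conf"
    fi
}

# Print every SID that occurs more than once across the given rule files.
# Duplicate SIDs make alerts ambiguous, so fix them before loading.
duplicate_sids() {
    cat "$@" | grep -o 'sid:[0-9]*;' | sort | uniq -d
}

# snort -T parses the config and rules and exits; a good run ends with
# "Snort successfully validated the configuration!"
validate_config() { snort -T -c "$1"; }

# Read packets from a pcap instead of an interface, print one alert line per
# match to stdout (-A console) and suppress the banner (-q).
replay_pcap() { snort -q -A console -c "$1" -r "$2"; }

if [ "${1:-}" = "apply" ]; then
    # Alert on ICMP echo requests (itype 8) aimed at the home network.
    add_local_rule "$RULES_DIR/local.rules" 1000001 "LOCAL ICMP echo request" \
        'alert icmp any any -> $HOME_NET any' 'itype:8;'
    enable_local_rules "$SNORT_CONF"
    dups=$(duplicate_sids "$RULES_DIR/local.rules" "$RULES_DIR/community-rules/community.rules")
    [ -z "$dups" ] || { echo "duplicate SIDs: $dups" >&2; exit 1; }
    validate_config "$SNORT_CONF"
    if [ -n "${PCAP:-}" ]; then
        replay_pcap "$SNORT_CONF" "$PCAP"
    fi
fi
```

Run it as root with `sh add-local-rule.sh apply` (set `PCAP=/path/to/capture.pcap` in the environment to replay a capture containing a ping). Without the `apply` argument the script only defines the functions, so it can be sourced and reused for further rules. The ICMP rule is deliberately noisy: it is a smoke test that proves rule loading and alerting work end to end, and should be removed or narrowed once you have confirmed that.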

4. Usage

4.1. Sniffer

In sniffer mode snort reads packets from the network interface and prints them to the console. Opening an interface needs root (or CAP_NET_RAW), and -i <interface> selects an interface other than the default. To print only the IP and TCP/UDP/ICMP headers, run:

./snort -v

To see the application-layer payload as well, add -d:

./snort -vd

This prints each packet's data together with its headers. To also show the data-link-layer (Ethernet) headers, add -e:

./snort -vde

These switches can be given separately or combined in any order; the following is equivalent to the last command:

./snort -d -v -e

4.2. Packet Logger

To log every packet to disk, give snort a log directory with -l and it writes the packets there automatically:

./snort -dev -l ./log

The ./log directory must already exist, otherwise snort reports an error and exits. In this mode snort stores each packet under a subdirectory named after one of the packet's IP addresses, for example ./log/192.168.10.1.

If you only pass -l without telling snort which network is local, it will sometimes use the remote host's address and sometimes the local host's address as the directory name. To log relative to your local network, declare it with -h:

./snort -dev -l ./log -h 192.168.1.0/24

This tells snort to log the data-link, TCP/IP and application-layer data of all packets to ./log, relative to the 192.168.1.0/24 network, so that directories are named after the foreign host.

If traffic volume is high, or you want compact logs for later analysis, use the binary log format instead. This is the pcap format used by tcpdump. The following records every packet into a single binary file:

./snort -l ./log -b

Note how this command line differs from the ones above: no home network is needed because everything goes into one file, and -v, -d and -e are unnecessary because the complete packet is written to the file regardless.

Any tool that understands the tcpdump/pcap format can read the file, such as tcpdump or Wireshark (formerly Ethereal). Snort itself reads packets from a pcap file with -r, and it can do so in any of its operating modes. For example, to print the packets of a capture to the screen in sniffer mode:

./snort -dv -r packet.log

In packet-logger and intrusion-detection mode you can also restrict which packets are processed with a BPF (Berkeley Packet Filter) expression appended to the command line. For example, to extract only the ICMP packets from the file:

./snort -dvr packet.log icmp

4.3. Network Intrusion Detection System

The most important use of snort is as a network intrusion detection system (NIDS). Start this mode with:

./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf

snort.conf is the configuration file, which in turn includes the rule set. Snort matches every packet against the rules and takes the configured action (alert, log, and so on) for matching packets. If no log directory is given, snort writes to /var/log/snort.

Note: if you run snort as an intrusion detection system for any length of time, do not use -v. Printing every packet to the screen slows snort down so much that packets are dropped during the display.

Likewise there is rarely a reason to log data-link-layer headers, so -e can be omitted as well:

./snort -d -h 192.168.1.0/24 -l ./log -c snort.conf

This is the most basic way of running snort as a NIDS: packets matching the rules are logged in ASCII form in a hierarchical directory structure. For a long-running sensor, also run it as a daemon (-D) under an unprivileged user and group (-u snort -g snort, after creating them) and choose an alert format with -A, for example -A fast for one-line alerts in the alert file of the log directory.