Comprehensive Snort Installation Guide: Step-by-Step Setup and IDS Configuration for Beginners


Using Snort for Intrusion Detection

This article introduces how to install Snort and how to successfully implement an intrusion detection system by using Snort alerts and rules.

Snort is an intrusion detection system that analyzes traffic and packets to detect anomalies (such as malicious traffic) and reports them. If you’re unfamiliar with intrusion detection systems, you may need to start reading the basics first. If you prefer to dive straight into practical steps, keep reading.

After reading this article, you will be able to install Snort on Linux distributions based on Debian and Red Hat, configure various Snort modes, and define alerts and rules. The instructions for using Snort in this tutorial apply to all Linux distributions.

All instructions in this document include screenshots to help Linux users easily understand and apply them.

Installing Snort

You can install Snort using the apt package manager on Debian-based distributions by running the following command:

sudo apt install snort

During the installation process, the system will prompt you to define the network. Select “OK” to proceed to the next step.

Now, type your network address in CIDR format. Normally, Snort will detect it automatically.

Then, press “OK” or ENTER. Don’t worry about this step; this configuration can be edited later.

For users of Red Hat-based Linux distributions, download the Snort RPM package from the Snort website and install it by running the following command. Replace “#” with the version you’ve downloaded:

sudo yum install snort-#.rpm

Keeping Snort Rules Updated

Snort includes two main types of rules: community rules created by the Snort community and official rules. By default, you can update community rules at any time. However, to update official rules, you need an Oink code — a code that allows you to download the latest rules.

To obtain an Oink code, register on the Snort website.

After registration, confirm your account via email and log in to the Snort site.

In the left-side menu of the dashboard, click on “Get Code,” where you’ll find your code.

The rule snapshot is downloaded from the Snort website with a link of the following form, where <version> is your Snort version written without dots and <oinkcode> is your Oink code:

https://www.snort.org/rules/snortrules-snapshot-<version>.tar.gz?oinkcode=<oinkcode>

For example, I used Snort version 2.9.15.1 with the following link to download the rules:

https://www.snort.org/rules/snortrules-snapshot-29151.tar.gz?oinkcode=<oinkcode>

You can create a cron script to download the rules and extract them to the correct directory.
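The script below is an added example of such a cron job, written for this guide; it is not the guide's own script and not part of Snort. It assumes the public snort.org snapshot URL format, that the snapshot is unpacked under /etc/snort (the tarball carries its own rules/ subdirectory), and that the Oink code lives in a root-only file (/etc/snort/oinkcode, a placeholder path) rather than in the crontab, where every local user could read it. Because the tarball is downloaded from the network, it is unpacked through a filter that refuses `../` and absolute names, symlinks and device nodes instead of extracting blindly; demo_roundtrip() builds a constructed one-file snapshot to show both the normal case and a refused traversal member.

```python
"""Download a Snort rule snapshot with an Oink code and unpack it safely.

Added example for this guide; it is not the guide's own script or part
of Snort. Assumptions: the snapshot URL format is the public snort.org
one, RULES_ROOT is /etc/snort (the snapshot carries its own rules/
subdirectory), and the Oink code is read from a root-only file rather
than hard-coded into the crontab.
"""
import os
import tarfile
import tempfile
import urllib.request

SNAPSHOT_BASE = "https://www.snort.org/rules/snortrules-snapshot-"
RULES_ROOT = "/etc/snort"                 # assumption: package layout used in the guide
OINKCODE_FILE = "/etc/snort/oinkcode"     # assumption: mode 0600, owned by root


def build_rules_url(version: str, oinkcode: str) -> str:
    """Return the snapshot URL for a version string such as '29151'."""
    if not version.isdigit():
        raise ValueError("version must be digits only, e.g. 29151 for 2.9.15.1")
    if not oinkcode:
        raise ValueError("empty Oink code")
    return f"{SNAPSHOT_BASE}{version}.tar.gz?oinkcode={oinkcode}"


def download_snapshot(url: str, dest_path: str) -> str:
    """Fetch the tarball over HTTPS; the Oink code travels in the query string."""
    with urllib.request.urlopen(url, timeout=60) as resp, open(dest_path, "wb") as out:
        out.write(resp.read())
    return dest_path


def safe_members(tar: tarfile.TarFile, dest: str):
    """Yield only members that stay inside dest and are plain files or dirs.

    The tarball is input fetched from the network: refuse '../' and absolute
    names, symlinks, hard links and device nodes instead of extracting blindly.
    """
    dest_real = os.path.realpath(dest)
    for member in tar.getmembers():
        target = os.path.realpath(os.path.join(dest_real, member.name))
        if os.path.commonpath([dest_real, target]) != dest_real:
            raise ValueError(f"refusing member outside {dest}: {member.name}")
        if not (member.isfile() or member.isdir()):
            raise ValueError(f"refusing non-regular member: {member.name}")
        yield member


def extract_rules(tarball: str, dest: str) -> list:
    """Unpack the snapshot under dest and return the *.rules paths found."""
    os.makedirs(dest, exist_ok=True)
    with tarfile.open(tarball, "r:gz") as tar:
        tar.extractall(dest, members=list(safe_members(tar, dest)))
    found = []
    for root, _dirs, files in os.walk(dest):
        for name in files:
            if name.endswith(".rules"):
                found.append(os.path.relpath(os.path.join(root, name), dest))
    return sorted(found)


def make_sample_snapshot(path: str, arcname: str) -> str:
    """Build a tiny constructed snapshot tarball holding one rule file."""
    rule = 'alert tcp any any -> $HOME_NET 21 (msg:"constructed FTP test"; sid:1000001; rev:1;)\n'
    with tempfile.TemporaryDirectory() as tmp:
        rule_file = os.path.join(tmp, "x.rules")
        with open(rule_file, "w") as fh:
            fh.write(rule)
        with tarfile.open(path, "w:gz") as tar:
            tar.add(rule_file, arcname=arcname)
    return path


def demo_roundtrip():
    """Extract a well-formed snapshot, then show a traversal member being refused."""
    with tempfile.TemporaryDirectory() as tmp:
        good = make_sample_snapshot(os.path.join(tmp, "good.tar.gz"), "rules/local.rules")
        extracted = extract_rules(good, os.path.join(tmp, "snort"))
        evil = make_sample_snapshot(os.path.join(tmp, "evil.tar.gz"), "../escape.rules")
        try:
            extract_rules(evil, os.path.join(tmp, "snort"))
            rejected = False
        except ValueError:
            rejected = True
    return extracted, rejected


def update_rules(version: str) -> list:
    """The cron entry point: download the snapshot and unpack it into RULES_ROOT."""
    with open(OINKCODE_FILE) as fh:
        oinkcode = fh.read().strip()
    with tempfile.TemporaryDirectory() as tmp:
        tarball = download_snapshot(build_rules_url(version, oinkcode),
                                    os.path.join(tmp, "snapshot.tar.gz"))
        return extract_rules(tarball, RULES_ROOT)


if __name__ == "__main__":
    print(demo_roundtrip())
```

For the cron job itself, call update_rules("29151") from a root crontab entry and restart Snort afterwards so the new rule files are loaded; running the script as root is unavoidable because it writes under /etc/snort, which is one more reason to keep the Oink code out of the crontab line.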

Configuring Snort

Snort’s configuration file is located at /etc/snort/snort.conf. Before getting started, Debian-based Linux users must follow a few extra steps. Users of other distributions can skip straight to editing /etc/snort/snort.conf.

Debian User Note: on Debian, the packaged Snort imports its network settings from a second file, /etc/snort/snort.debian.conf, which overrides the corresponding settings in the default configuration file.

If you’re a Debian user, run the following command:

sudo nano /etc/snort/snort.debian.conf

Ensure all the information in this configuration file is correct, including CIDR addresses, network interfaces, etc.

Save the file. Now, let’s move on to configuring Snort.

To configure Snort, open the /etc/snort/snort.conf file using any text editor (I’m using nano) as shown below:

sudo nano /etc/snort/snort.conf

Check your network configurations and scroll down.

Define the ports you want to monitor.

Keep the file open and proceed to the next section.

Snort Rules

You can enable or disable Snort rule sets by commenting or uncommenting their include lines in the /etc/snort/snort.conf file. The rule files themselves are stored in /etc/snort/rules.

To enable or disable rule sets, open /etc/snort/snort.conf with a text editor. The include lines are at the end of the file.

When you reach the end of the file, you will see a list of rules for different purposes. Uncomment the rules you want to enable and comment out the ones you want to disable.

For example, to detect traffic related to DoS attacks, uncomment the DoS rules. Similarly, uncomment FTP rules to monitor Port 21.

sudo nano /etc/snort/snort.conf

After uncommenting the rules you want enabled, save the file and exit.
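The following is an added example for this guide, not the guide's own code and not part of Snort, showing the same enable/disable step done from a script so that it can be audited and repeated. It assumes the include lines look as they do in the stock Snort 2 snort.conf (a disabled rule set is the same `include $RULE_PATH/<name>.rules` line with a leading `#`) and that the rule files live in /etc/snort/rules as in the guide; SAMPLE_CONF is a constructed stand-in for the tail of the real file. The missing_rule_files() check is worth running before a restart, since Snort fails at startup when an enabled include points at a file that does not exist.

```python
"""Audit and toggle the 'include $RULE_PATH/<name>.rules' lines in snort.conf.

Added example for this guide; not the guide's own code and not part of
Snort. Assumptions: the include lines look like those in the stock
Snort 2 snort.conf (a disabled line is the same line with a leading '#'),
and RULES_DIR is the /etc/snort/rules path the guide uses.
"""
import os
import re

RULES_DIR = "/etc/snort/rules"

# Matches an active or commented-out rule set include, e.g.
#   include $RULE_PATH/ftp.rules      (enabled)
#   # include $RULE_PATH/dos.rules    (disabled)
INCLUDE_RE = re.compile(r"^(?P<off>#\s*)?include\s+\$RULE_PATH/(?P<name>[\w.-]+)\.rules\s*$")

# Constructed stand-in for the tail of /etc/snort/snort.conf.
SAMPLE_CONF = """\
var RULE_PATH /etc/snort/rules
include $RULE_PATH/local.rules
#include $RULE_PATH/dos.rules
# include $RULE_PATH/ftp.rules
include $RULE_PATH/scan.rules
"""


def list_rulesets(conf_text: str) -> dict:
    """Map each rule set name to True (enabled) or False (commented out)."""
    state = {}
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line.strip())
        if m:
            state[m.group("name")] = m.group("off") is None
    return state


def set_ruleset(conf_text: str, name: str, enabled: bool) -> str:
    """Return conf_text with the named include enabled or disabled."""
    out, found = [], False
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line.strip())
        if m and m.group("name") == name:
            line = f"include $RULE_PATH/{name}.rules"
            if not enabled:
                line = "#" + line
            found = True
        out.append(line)
    if not found:
        raise KeyError(f"no include line for {name}.rules")
    return "\n".join(out) + "\n"


def missing_rule_files(conf_text: str, rules_dir: str = RULES_DIR) -> list:
    """Names of enabled rule sets whose file is absent from rules_dir.
    Snort fails at startup on a missing include, so run this before restarting."""
    return sorted(name for name, on in list_rulesets(conf_text).items()
                  if on and not os.path.isfile(os.path.join(rules_dir, f"{name}.rules")))


def enable_rulesets(path: str, names: list) -> dict:
    """Enable several rule sets (e.g. dos and ftp) in the file at path and
    return the resulting state; writes a temp file first, then renames it."""
    with open(path) as fh:
        text = fh.read()
    for name in names:
        text = set_ruleset(text, name, True)
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(text)
    os.replace(tmp, path)
    return list_rulesets(text)


if __name__ == "__main__":
    print(list_rulesets(SAMPLE_CONF))
    print(list_rulesets(set_ruleset(SAMPLE_CONF, "dos", True)))
```

On a real system, enable_rulesets("/etc/snort/snort.conf", ["dos", "ftp"]) does what the guide describes for the DoS and FTP rule sets; the temp-file-then-rename write means a crash mid-write cannot leave a half-written snort.conf behind.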

7 Types of Snort Alert Modes

Snort includes seven different alert modes for notifying about events or incidents.

To wrap up this article, let’s try one of the modes by running the following command, where -A fast represents the Fast Alert mode and -c specifies the configuration file (/etc/snort/snort.conf):

sudo snort -A fast -c /etc/snort/snort.conf

Now, initiate some Nmap scans or try to connect to your machine via SSH or FTP and view the last few lines of /var/log/snort/snort.alert.fast to check how traffic is being logged. For example, I initiated an active Nmap scan, and it was detected as malicious traffic.

tail /var/log/snort/snort.alert.fast
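As an added example for this guide (not the guide's own code and not part of Snort), the script below parses the `-A fast` alert lines that tail shows and summarises them per source address, which is how the Nmap scan the author describes stands out: one source hitting many destination ports in a short time. It assumes the Snort 2 fast-alert layout and IPv4 addresses; the sample lines are constructed (the sids are in the 1000000+ local range, not real ruleset signatures).

```python
"""Parse Snort 'fast' alerts and summarise them per source address.

Added example for this guide; not the guide's own code and not part of
Snort. Assumptions: the line layout is the Snort 2 '-A fast' format,
IPv4 addresses, and the sample lines below are constructed (sids in the
1000000+ local range, not real ruleset signatures).
"""
import re
from collections import defaultdict

FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?$"
)

# Constructed sample of /var/log/snort/snort.alert.fast: one host probing
# several ports in quick succession, one host making a single SSH connection.
SAMPLE_ALERTS = """\
03/10-14:32:01.101010  [**] [1:1000010:1] LOCAL probe to FTP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40001 -> 10.0.0.10:21
03/10-14:32:01.202020  [**] [1:1000011:1] LOCAL probe to SSH [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40002 -> 10.0.0.10:22
03/10-14:32:01.303030  [**] [1:1000012:1] LOCAL probe to HTTP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40003 -> 10.0.0.10:80
03/10-14:32:01.404040  [**] [1:1000013:1] LOCAL probe to HTTPS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40004 -> 10.0.0.10:443
03/10-14:32:01.505050  [**] [1:1000014:1] LOCAL probe to MySQL [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40005 -> 10.0.0.10:3306
03/10-14:32:02.606060  [**] [1:1000020:1] LOCAL ICMP echo [**] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.10
03/10-14:35:10.707070  [**] [1:1000011:1] LOCAL probe to SSH [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.7:51000 -> 10.0.0.10:22
"""


def parse_fast_alert(line: str):
    """Return a dict of fields for one fast-alert line, or None if it does
    not match (blank lines, a line cut in half by tail)."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        d[key] = int(d[key])
    for key in ("sport", "dport"):            # absent for ICMP alerts
        d[key] = int(d[key]) if d[key] is not None else None
    return d


def summarize_by_source(lines) -> dict:
    """Per source IP: alert count, distinct destination ports and the highest
    priority seen (in Snort, priority 1 is the most severe)."""
    summary = defaultdict(lambda: {"alerts": 0, "dst_ports": set(), "top_priority": 99})
    for line in lines:
        ev = parse_fast_alert(line)
        if ev is None:
            continue
        s = summary[ev["src"]]
        s["alerts"] += 1
        if ev["dport"] is not None:
            s["dst_ports"].add(ev["dport"])
        s["top_priority"] = min(s["top_priority"], ev["prio"])
    return dict(summary)


def likely_port_scanners(lines, min_ports: int = 5) -> list:
    """Sources that triggered alerts against at least min_ports distinct
    destination ports: the footprint a port scan leaves in the alert file."""
    summary = summarize_by_source(lines)
    return sorted(src for src, s in summary.items() if len(s["dst_ports"]) >= min_ports)


if __name__ == "__main__":
    for src, s in summarize_by_source(SAMPLE_ALERTS.splitlines()).items():
        print(src, s["alerts"], sorted(s["dst_ports"]), s["top_priority"])
    print("possible scanners:", likely_port_scanners(SAMPLE_ALERTS.splitlines()))
```

To run it against the real file, pass `open("/var/log/snort/snort.alert.fast")` to summarize_by_source() instead of the constructed sample; the parser skips any line it cannot match rather than raising, so a partially written last line does not stop the run.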

I hope this tutorial provides a good introduction to Snort. To go further, continue with tutorials on reading Snort alerts and writing Snort rules.

About Intrusion Detection Systems

The general idea is that if a firewall protects a network, the network is secure. However, this is not entirely true. Firewalls are a basic component of network security but cannot fully protect a network from forced entry or malicious intent. Intrusion detection systems evaluate aggressive or unexpected packets and generate alerts before these actions compromise the network. Host-based intrusion detection systems run on the individual devices within a network or connected to an organization’s internal network. Network-based intrusion detection systems, on the other hand, are deployed at one or more points in the network and can monitor all inbound and outbound traffic. The advantage of a host-based IDS is that it can also detect anomalies or malicious traffic generated by the host itself, such as traffic caused by a malware infection.

An IDS learns what the network considers normal behavior (ports, bandwidth, etc.) by monitoring and analyzing traffic, and compares that traffic against an established set of rules to identify suspicious or harmful activity that requires attention.

Depending on the size of the network, an IDS can be deployed at various scales. While there are dozens of premium commercial IDS solutions, many companies and small businesses cannot afford them. Snort is a flexible, lightweight, and popular IDS that can be deployed to meet the needs of both small and large networks, offering all the features of a paid IDS. Snort is free but does not compromise on functionality compared to elite commercial IDS. It is considered a passive IDS, meaning it sniffs network packets, compares them to rule sets, and generates alerts or log entries when malicious traffic is detected. Snort is used to monitor the operations and activities of routers, firewalls, and servers. Snort has an intuitive interface with a wide range of pre-defined rule sets, making it particularly helpful for those new to IDS. It generates alerts for incidents like buffer overflow attacks, DNS poisoning, OS fingerprinting, port scanning, and more. This allows organizations to better understand their network traffic and helps them meet security regulations.

Now, we’ve introduced IDS to you. Let’s get started with setting up Snort.

Conclusion

Intrusion detection systems like Snort are used to monitor network traffic and detect potential attacks that might harm or compromise networks before attackers can cause damage. If an attacker performs port scanning on a network, such IDS can detect the attack, the number of attempts, the attacker’s IP address, and other details. Snort is capable of detecting all kinds of anomalies. It comes with a large array of pre-configured rules, as well as the capability for users to customize their own rules based on their needs. Unlike expensive commercial IDS, Snort is cost-free and is easy to set up and use, regardless of network size. Additionally, data captured by Snort can be further analyzed with tools like Wireshark to study an attacker’s plans and commands during an attack. Snort is a free, open-source tool and a great choice for protecting medium-sized networks from attacks.