Mastering Snort Rules: A Comprehensive Guide to Installation, Configuration, and Intrusion Detection on Kali Linux

Introduction to Snort

Snort is an open-source network intrusion detection system and a useful reference for anyone building one. Its detection logic lives in Snort rules, which describe the traffic to alert on and what to do when it is seen.

At run time Snort initialises itself, parses its command-line arguments, loads the rule set, builds the three-dimensional rule chains that packets are matched against, and then loops, capturing and inspecting packets until it is stopped.

Flowchart: (the flowchart image from the original post is not reproduced here)

1. Installing Snort on Kali Linux

(1) Download from the official website https://www.snort.org/downloads

snort-2.9.15.1.tar.gz

daq-2.0.6.tar.gz

Decompress the installation packages:

tar -zxvf snort-2.9.15.1.tar.gz

tar -zxvf daq-2.0.6.tar.gz

(2) Install the development packages DAQ needs; without them ./configure fails:

apt-get install flex

apt-get install bison

apt-get install libpcap-dev

(3) List the files in the extracted daq-2.0.6 directory, then build and install DAQ from inside it with the usual ./configure, make and make install sequence. Run ldconfig afterwards so that the Snort build (and the snort binary later) can find the freshly installed libdaq.

(4) Install the packages Snort itself requires:

apt-get install libpcre3-dev

apt-get install libdumbnet-dev

apt-get install zlib1g-dev

Then build and install Snort the same way from inside snort-2.9.15.1 (OpenAppID is disabled so LuaJIT is not needed): ./configure --disable-open-appid && make && make install

(5) Verify the installation by running snort -V; it should print the 2.9.15.1 version banner.

2. Configure Snort Rules for Ping Attack Detection

Download the latest rules package from the official website (registration required) and decompress it.

Unpack it into the Snort installation directory so that it replaces the rules directory that came with the source tarball.

Practice a Rule

Add custom rules to rules/local.rules.

The first rule alerts on any UDP traffic between hosts inside the home network.

Restart Snort to apply the rules.

Using Snort to Detect Ping Attacks

Add a rule to rules/icmp-info.rules that alerts on ICMP echo packets larger than 800 bytes.

Create the directory Snort writes its logs to (/var/log/snort).

In snort.conf, set RULE_PATH to the rules directory of your Snort installation so that the included rule files are found.

Start Snort with that configuration so it inspects traffic and writes alerts to the Snort log.

Snort starts successfully and begins detecting.

From another host on the LAN, ping the Snort host with a packet size greater than 800 bytes.

Check the detection results in the log:

The oversized ping (packets larger than 800 bytes) is detected and logged.

Using Snort to Detect Nmap Scans

1. Edit snort.conf and set HOME_NET to the LAN that Snort should monitor.

2. Add a TCP rule to rules/local.rules that alerts on the scan traffic (give it a sid, see problem 3 below).

3. Start Snort to watch for scans of the LAN.

4. Run an Nmap scan against the LAN from the host machine.

5. Check the detection results under /var/log/snort.
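The rule-writing steps above (the UDP rule in local.rules, the oversized-ping rule, and the TCP scan rule) and the snort.conf changes they depend on, collected into one POSIX shell script. This is an added example, not code from the original post. It assumes Snort 2.9.x built from source with its configuration under /usr/local/etc/snort, a capture interface eth0 and a home network of 192.168.1.0/24 (all overridable through environment variables), and that snort.conf already contains include $RULE_PATH/local.rules, as the stock file does; unlike the post, it puts all three rules in local.rules. The rule options used (itype, dsize, flags, flow, detection_filter) are standard Snort 2 keywords; the sid numbers and messages are made up for the example.

```sh
#!/bin/sh
# Added example, not the original post's code. Assumes Snort 2.9.x installed
# from source (config under /usr/local/etc/snort), interface eth0 and a
# 192.168.1.0/24 home network; override any of these with environment variables.
SNORT_CONF=${SNORT_CONF:-/usr/local/etc/snort/snort.conf}
RULE_DIR=${RULE_DIR:-/usr/local/etc/snort/rules}
LOG_DIR=${LOG_DIR:-/var/log/snort}
IFACE=${IFACE:-eth0}
NET=${NET:-192.168.1.0/24}

# Print one Snort rule. Local rules must use sid >= 1000000: lower numbers are
# reserved (<100) or belong to Snort's own releases (100-999999), and a rule
# with a missing or bad sid makes Snort refuse to start (problem 3 above).
# usage: snort_rule <proto> <src> <sport> <dst> <dport> <sid> <msg> [options]
snort_rule() {
  proto=$1 src=$2 sport=$3 dst=$4 dport=$5 sid=$6 msg=$7
  shift 7
  opts=$*
  case $sid in
    ''|*[!0-9]*) echo "snort_rule: sid '$sid' is not a number" >&2; return 1 ;;
  esac
  if [ "$sid" -lt 1000000 ]; then
    echo "snort_rule: sid $sid is reserved; local rules start at 1000000" >&2
    return 1
  fi
  printf 'alert %s %s %s -> %s %s (msg:"%s"; %ssid:%s; rev:1;)\n' \
    "$proto" "$src" "$sport" "$dst" "$dport" "$msg" "${opts:+$opts }" "$sid"
}

# Append the three rules discussed in the text to the given rules file.
write_rules() {
  {
    # any UDP packet exchanged between two hosts of the home network
    snort_rule udp '$HOME_NET' any '$HOME_NET' any 1000001 \
      'LOCAL UDP traffic inside home net'
    # "ping attack": ICMP echo request (itype 8) whose payload exceeds 800 bytes
    snort_rule icmp any any '$HOME_NET' any 1000002 \
      'LOCAL oversized ICMP echo request' 'itype:8; dsize:>800;'
    # Nmap SYN scan: SYN-only segments (flags:S,12 ignores the two ECN bits)
    # from one source hitting 20 or more home-net ports within 5 seconds
    snort_rule tcp any any '$HOME_NET' any 1000003 \
      'LOCAL possible TCP SYN scan' \
      'flags:S,12; flow:stateless; detection_filter:track by_src, count 20, seconds 5;'
  } >> "$1"
}

# Point snort.conf at the home network and at the absolute rules directory, and
# give the reputation preprocessor the two list files it insists on
# (problems 1 and 2 above): empty files are enough.
configure_snort() {
  conf=$1 net=$2 rules=$3
  sed -i -e "s|^ipvar HOME_NET .*|ipvar HOME_NET $net|" \
         -e "s|^var RULE_PATH .*|var RULE_PATH $rules|" \
         -e "s|^var WHITE_LIST_PATH .*|var WHITE_LIST_PATH $rules|" \
         -e "s|^var BLACK_LIST_PATH .*|var BLACK_LIST_PATH $rules|" "$conf"
  touch "$rules/white_list.rules" "$rules/black_list.rules"
}

# Validate the configuration (-T) before running for real; alerts are written
# to $LOG_DIR/alert, one line each, in the "fast" format.
run_snort() {
  mkdir -p "$LOG_DIR"
  snort -T -c "$SNORT_CONF" -i "$IFACE" || return 1
  snort -A fast -c "$SNORT_CONF" -i "$IFACE" -l "$LOG_DIR"
}

# Only act when invoked as "sh snort-lab.sh --apply"; otherwise the file just
# defines the functions above.
if [ "${1:-}" = "--apply" ]; then
  configure_snort "$SNORT_CONF" "$NET" "$RULE_DIR"
  write_rules "$RULE_DIR/local.rules"
  run_snort
fi
```

Run it as root with sh snort-lab.sh --apply. Then, from another LAN host, ping -s 1000 the Snort host and run an Nmap SYN scan against it; the alerts appear in /var/log/snort/alert. While experimenting, replacing -A fast with -A console prints the alerts to the terminal instead.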

Problems Encountered and Solutions:

1. Starting Snort with the new configuration produced an error.

The lines involved are the white_list.rules and black_list.rules entries of the reputation preprocessor block in snort.conf, so the cause is those missing list files rather than a missing dependency. The fix used here: comment out lines 326 and 327 and delete the trailing \ on line 324, so that the multi-line preprocessor statement no longer continues into the commented-out lines. Line numbers differ between snort.conf versions, so locate the reputation block rather than relying on the numbers.

2. white_list.rules and black_list.rules do not exist in the rules directory:

Either comment out the lines that reference them, or create the two files empty; the preprocessor loads an empty list without complaint.

3. A TCP rule without a sid option makes Snort fail to load the rules. Every rule needs a unique sid (note: sids below 100 are reserved, 100 to 999,999 are used by Snort's own release rules, and 1,000,000 and above are for local rules).


Conclusion

Snort can detect access to web sites in the same way.

Since Snort only detects intrusions and raises alerts but cannot itself block the traffic, it can be paired with iptables to do the blocking.

① Use Snort's plugin mechanism to write a custom integration plugin (this is what SnortSam does): Snort supports preprocessor and output plugins and allows custom ones to be developed and loaded. Such a plugin can, when a rule matches, call the firewall on the local or a remote host and insert an iptables rule that drops the offending connection, the port's packets, or all packets from the attacking IP.

②Utilize Snort’s alert logs and develop custom scripts. Compared to Snort’s plugin method, the second implementation is very simple and easy to execute, using a simple script to read the alert logs in real-time. The IPs and ports recorded are used to create a corresponding Iptables rule, added to a firewall rule on a remote or corresponding host, effectively achieving the same function as the first method. Even though the processing speed is not as immediate as the first method, the overall protective capability shows no significant difference.