Using Snort: An In-Depth Guide to Setting Up and Utilizing a Free Network Intrusion Detection System (NIDS)

1. Introduction

A Network Intrusion Detection System (NIDS) is a

With the spread of the internet, network security is becoming ever more important, and an essential component of it is the Network Intrusion Detection System (NIDS). A NIDS monitors network traffic and raises an alert when an intrusion occurs. Many commercial NIDS products are available today, but most are complex, hard to master, and expensive, putting them out of reach of smaller companies. This article introduces an excellent free NIDS, Snort, which is released under the GNU General Public License (GPL) and written by Martin Roesch. The latest version is 1.7.0. In this article we discuss Snort's technical features and how to use it as a NIDS.

2. Features of SNORT

Snort is a powerful yet lightweight network intrusion detection system. It has the ability to perform real-time traffic analysis and record IP network packets. Snort can conduct protocol analysis and content searching/matching. It can detect various types of attacks in real-time and generate alerts accordingly. Additionally, Snort offers excellent scalability and portability. Since the software adheres to the GPL, any organization or individual can use it freely as long as they comply with the GPL terms.

1). Snort is a lightweight intrusion detection system

Despite its powerful features, Snort's code is concise and compact: the compressed source is only about 110 KB.

2). Snort has excellent portability

Snort's cross-platform support is outstanding; it currently runs on Linux, Solaris, BSD, IRIX, HP-UX, and Win2K.

3). Snort has very powerful functionality

Snort can perform real-time traffic analysis and log IP packets. It quickly detects network attacks and alerts the user promptly. Its alert mechanisms are rich: syslog, user-specified files, a UNIX socket, and WinPopup messages sent to Windows clients via the SAMBA protocol. With the XML plugin, Snort can store logs in SNML (Simple Network Markup Language) format or provide real-time alerts.

Snort can perform protocol analysis and content searching/matching. Currently it analyzes TCP, UDP, and ICMP; support for ARP, IGRP, GRE, OSPF, RIP, and IPX may follow. It can detect many kinds of attacks and probes, including buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts.

Snort's logs can be kept in tcpdump-style binary format or decoded into ASCII, which is easier for users, especially beginners, to read. Using the database output plugins, Snort can log to PostgreSQL, MySQL, any unixODBC database, and Oracle (Oracle support is currently in testing).

Using the TCP stream plugin (tcpstream), Snort can reassemble TCP streams. Snort matches patterns against the contents of individual IP packets, so an attacker whose tool sends only one byte of TCP data per packet can slip past that pattern matching: the target host's TCP stack reassembles the bytes and hands the complete payload to the process listening on the destination port, while no single packet ever contained the signature. The TCP stream plugin buffers the segments of a connection and matches against the reassembled data, letting Snort catch such attacks.
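As an added illustration (not Snort's own code), the following Python models the evasion just described: a signature split one byte per TCP segment is invisible to per-packet matching but is found once the segments are reassembled by sequence number, which is what the tcpstream plugin provides. The segments are constructed sample data and SIGNATURE stands in for a rule's content string.

```python
# Added example (not Snort's code): one byte of payload per TCP segment defeats
# per-packet matching; matching the reassembled stream (as tcpstream does) still
# detects the signature. Segments are constructed sample data.
import random

SIGNATURE = b"/bin/sh"   # stands in for a rule's content string


def one_byte_segments(payload, isn):
    """Split a payload into (seq, data) segments carrying one byte each."""
    return [(isn + i, payload[i:i + 1]) for i in range(len(payload))]


def per_packet_match(segments, signature):
    """Stateless inspection: each segment is checked on its own."""
    return any(signature in data for _, data in segments)


def reassemble(segments):
    """Rebuild the byte stream by sequence number.

    Segments may arrive out of order or be retransmitted: each one is placed at
    its offset from the lowest sequence number, and reassembly stops at the first
    gap, since only contiguous data is what the receiving application sees.
    """
    base = min(seq for seq, _ in segments)
    stream = bytearray()
    for seq, data in sorted(segments):
        off = seq - base
        if off > len(stream):
            break  # hole in the stream: the missing segment has not arrived
        stream[off:off + len(data)] = data
    return bytes(stream)


def stream_match(segments, signature):
    """Match against the reassembled stream instead of individual segments."""
    return signature in reassemble(segments)


if __name__ == "__main__":
    segs = one_byte_segments(b"USER x\r\n" + SIGNATURE + b"\r\n", isn=0x5295B44E)
    random.shuffle(segs)            # simulate out-of-order arrival
    segs.append(segs[0])            # and one retransmitted segment
    print("per-packet match:", per_packet_match(segs, SIGNATURE))
    print("stream match:    ", stream_match(segs, SIGNATURE))
```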

Using the spade (Statistical Packet Anomaly Detection Engine) plugin, Snort can report suspicious and abnormal packets, effectively detecting port scans.

Snort also has some active protection capability: with the FlexResp feature it can actively tear down malicious connections.

4). Scalability, rapid response to new threats

As a lightweight network intrusion detection system, Snort is sufficiently extensible. It uses a simple rule description language; the most basic rule contains just four fields: action, protocol, direction, and the port to monitor. For example:

log tcp any any -> 10.1.1.0/24 79

There are also option fields that can be combined to implement more complex behaviour; a separate article will discuss how to write Snort rules. Rule sets can be obtained from http://www.snort.org, and the renowned hacker Max Vision offers online technical support at http://www.whitehats.com.

Snort supports plugins, allowing its functionalities to be extended with specific report and detection subsystem plugins. Currently supported plugins include database logging plugins, fragmented packet detection plugins, port scan detection plugins, HTTP URI normalization plugin, XML plugin, etc.

Snort's rule language is very simple, which allows quick reaction to new attacks: once a new attack is published, one can derive its signature from the Bugtraq mailing list and write a detection rule. Because the language is easy to learn, staff training costs are also low.

5). Adherence to GPL

Snort follows the GPL, allowing any company, individual, or organization to freely use it as their NIDS.

3. Installation

3.1 How to obtain Snort

Snort’s source code or RPM package can be obtained from the site http://www.snort.org. Installing Snort from the source code requires the libpcap library, available for download from ftp://ftp.ee.lbl.gov.

3.2 Installing Snort

3.2.1 RPM package: install with the following command:

bash# rpm -ihv --nodeps snort-1.7-1.i386.rpm

3.2.2 Source code:

Decompress the libpcap package:

bash# uncompress libpcap.tar.Z
bash# tar xvf libpcap.tar

Compile the libpcap library:

bash# ./configure
bash# make

Decompress snort-1.7.0.tar.gz

bash#tar zxvf snort-1.7.0.tar.gz

Navigate to the directory and compile Snort:

bash# ./configure --with-libpcap-includes=/path/to/your/libpcap/headers
bash# make
bash# make install

The configure script has additional options:

--enable-smbalerts compile the SMB alerting code
--enable-flexresp compile the Flexible Response code
--with-mysql=DIR support the MySQL database
--with-postgresql=DIR support the PostgreSQL database
--with-odbc=DIR support ODBC databases
--enable-openssl support SSL

Choose these options according to your actual requirements.

4. Usage

Snort is now installed. In this section we discuss how to use it. Snort has three main uses: packet sniffer, packet logger, and network intrusion detection system. Let's start with the simplest command, which lists all command-line switches:

bash# snort -?
-*> Snort! <*-
Version 1.7
By Martin Roesch ( [email protected], www.snort.org)
USAGE: snort [-options] <filter options>
Options:
-A Set alert mode: fast, full, none (alert file only), unsock (log to UNIX socket, testing phase)
-a Display ARP (Address Resolution Protocol) packets
-b Use tcpdump format for log files (faster)
-c <rules> Use rules file <rules>
-C Only print payload in character mode (without hex)
-d Dump the application layer
-D Run Snort in background (daemon mode)
-e Display the second layer (data link layer) packet header
-F Read BPF filters from file
-g <gname> After initialization, set Snort's GID to <gname>
-h <hn> Home network is <hn>
-i <if> Listen on interface <if>
-I Include interface name in the alert output
-l <ld> Set <ld> as the log directory
-M <wrkst> Send SMB messages to workstations listed in file <wrkst> (requires smbclient to be in PATH)
-n <cnt> Exit after receiving <cnt> packets
-N Disable logging (alerts are still enabled)
-o Change rule-testing order to: Pass|Alert|Log
-O Obfuscate logged IP addresses
-p Disable promiscuous sniffing mode
-P Set packet snapshot length (default: 1514)
-q Quiet mode. Do not output banner and status report
-r <tf> Read and process tcpdump file <tf> (playback mode)
-s Log all alerts to syslog
-S <n=v> Set variable n to value v in rules file
-t <dir> Chroot to directory <dir> after initialization
-u <uname> Set Snort's uid to <uname> after initialization
-v Set verbosity mode
-V Display version information
-X Dump the raw packet data starting at the link layer
-? Display help information
<filter options> Based on BPF, refer to tcpdump for more information

4.1 Sniffer Mode

Sniffer mode means Snort reads packets from the network and displays them on your console. Let’s start with the most basic usage. If you want to print the header information of TCP/IP packets to the screen, just input the following command:

./snort -v

This command will make Snort print only the IP and TCP/UDP/ICMP header information. If you want to see the application layer data, use:

./snort -vd

This command will cause Snort to display both the header and the data of the packets. If you also want to see data link layer information, use:

./snort -vde

Note that these option switches can be written separately or combined in any manner. For instance, the following command is equivalent to the last one above:

./snort -d -v -e

4.2 Recording Packets

If you want to log all the packets to the hard drive, you need to specify a logging directory, and Snort will automatically log the packets:

./snort -dev -l ./log

Of course, the ./log directory must exist; otherwise Snort reports an error and exits. In this mode Snort logs every packet it sees into a subdirectory named after the packet's destination IP address, e.g. 192.168.10.1.

If you specify -l without naming a home network, Snort sometimes names the directory after the remote host's IP address and sometimes after the local host's. To log relative to the local network only, specify the home network:

./snort -dev -l ./log -h 192.168.1.0/24

This command tells Snort to log the data link, TCP/IP, and application layer data of all packets entering the class C network 192.168.1.0/24 to the ./log directory.

If your network is fast, or you want a more compact log for later analysis, use the binary log file format, which is the format used by tcpdump. The following command logs all packets to a single binary file:

./snort -l ./log -b

Note that this command line is quite different from the one above. The home network is not needed, because everything is logged to a single file. Verbose mode and the -d and -e options are not needed either, because the whole packet is written to the log file.

You can read packets from this file using any sniffer program that supports the tcpdump binary format, such as tcpdump or Ethereal. You can also have snort read packet data using the -r switch. Snort can process tcpdump format files in all modes. For example, if you want to print packets from a tcpdump format binary file to the screen in sniffer mode, you can enter the following command:

./snort -dv -r packet.log

In packet logger and intrusion detection modes, the BPF (BSD Packet Filter) interface can be used to filter the data read from a log file in many ways. For example, to extract only the ICMP packets from the log file, enter the following command line:

./snort -dvr packet.log icmp

4.3 As an Intrusion Detection System

The most important use of Snort is as a network intrusion detection system (NIDS). This mode is started with the following command line:

./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf

snort.conf is the configuration file that holds the rule set. Snort matches each packet against the rules and takes the corresponding action when a packet matches. If no log directory is specified, Snort writes to /var/log/snort.

Note: if you plan to run Snort as your intrusion detection system for a long time, it is best not to use -v, because printing to the screen slows down processing and packets may be dropped while the output is being written.

In addition, in most cases it is not necessary to log the data link layer headers, so -e can also be omitted:

./snort -d -h 192.168.1.0/24 -l ./log -c snort.conf

This is the most basic form of using Snort as a network intrusion detection system. The log directory contains the packets that matched the rules, saved in ASCII form in a hierarchical directory structure.

4.4 Output Options in Network Intrusion Detection Mode

In NIDS mode there are many ways to configure Snort's output. By default Snort logs in decoded ASCII format and uses the full alert mechanism, in which the alert message is printed together with the packet header. If you do not need to log packets, use the -N option.

Snort has six alert mechanisms: full, fast, socket, syslog, smb (WinPopup) and none. Four of them can be selected with the -A option on the command line:

-A fast: the alert record contains a timestamp, the alert message, and the source/destination IP addresses and ports.
-A full: the default alert mode.
-A unsock: send alerts to a UNIX socket, which requires a program listening on it to receive alerts promptly.
-A none: turn alerting off.

With the -s option, Snort sends alert messages to syslog. The default facility is LOG_AUTHPRIV and the default priority is LOG_ALERT; both can be changed in snort.conf.

Snort can also use the SMB alert mechanism to send alert messages to Windows hosts through SAMBA. To use it, the --enable-smbalerts option must be given when running the ./configure script.

Here are some examples of output configuration:

Use the default logging mode (in decoded ASCII format) and send alerts to syslog:

./snort -c snort.conf -l ./log -s -h 192.168.1.0/24

Use binary log format and SMB alert mechanism:

./snort -c snort.conf -b -M WORKSTATIONS

5. Introduction to Snort Rules

The most important use of Snort is as a network intrusion detection system, and for this it has its own rule language. Grammatically the language is very simple, yet it is powerful enough for intrusion detection. For a packet matching a rule, Snort has three actions: pass, log, and alert.

pass: let the packet through
log: write the packet to the log
alert: generate an alert message and log the packet

Each Snort rule consists of two logical parts: the rule header and the rule options. The header holds the action, protocol, source and destination IP addresses with netmask, and source and destination ports. The options hold the alert message and the information about the anomalous packet (its signature) used to decide whether the rule's action is taken. The most basic rule contains only four fields: action, protocol, direction, and the port to watch. For example:

log tcp any any -> 10.1.1.0/24 79

This rule tells Snort to log all TCP packets from any source to port 79 on the class C network 10.1.1.0/24.

Snort rules can also carry rule options, which define more complex behaviour and unlock more powerful functions. Here is a rule with options:

alert tcp any any -> 10.1.1.0/24 80 (content:"/cgi-bin/phf"; msg:"PHF probe!";)

This rule detects probes for the PHF CGI program on the local network's web servers. When such a probe packet is seen, Snort issues an alert and logs the whole packet.

IP address specifications in rules are also very flexible. The keyword any stands for any IP address or port. An address is normally written as xx.xx.xx.xx/netmask, where xx.xx.xx.xx is four numbers separated by dots. Note that host names cannot be used: Snort does not resolve domain names, for efficiency reasons ^_^. The negation operator ! can be applied to IP addresses and ports and means logical NOT. For ports, the : operator limits a range. For example:

alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 6000:6010 (msg:"X traffic";)

This rule makes Snort alert on packets from outside the internal network to the X Window System ports 6000 to 6010 on the internal network.

The current version of Snort (1.7) has 23 rule option keywords; as Snort adds support for more protocols and functions, more options will follow. These options can be combined freely to classify and detect packets. Currently Snort supports the following options: msg, logto, ttl, tos, id, ipoption, fragbits, dsize, flags, seq, ack, itype, icode, icmp_id, content, content-list, offset, depth, nocase, session, rpc, resp, react. Within a rule the options are logically ANDed: Snort takes the rule's action only if every test option (e.g. ttl, tos, id, ipoption) is true.

5.1 How to Write Rules

Because the syntax of Snort's rule language is very simple, newly discovered attacks can be answered quickly with new rules. The key to writing a new rule is knowing the signature of the new attack. The usual way to obtain it is to test: run the attack against a test network while Snort records the traffic between the attacking host and the test network, analyze the recording to find the attack's unique signature, and put that signature into a rule. Take an IMAP buffer overflow as an example. The following packet was recorded during a hypothetical IMAP buffer overflow attack:

052499-22:27:58.403313 192.168.1.4:1034 -> 192.168.1.3:143
TCP TTL:64 TOS:0x0 DF
**PA Seq: 0x5295B44E Ack: 0x1B4F8970 Win: 0x7D78
90 90 90 90 90 90 90 90 90 90 90 90 90 EB 3B ..............;
5E 89 76 08 31 ED 31 C9 31 C0 88 6E 07 89 6E 0C ^.v.1.1.1..n..n.
B0 0B 89 F3 8D 6E 08 89 E9 8D 6E 0C 89 EA CD 80 .....n....n.....
31 DB 89 D8 40 CD 80 90 90 90 90 90 90 90 90 90 1...@...........
90 90 90 90 90 90 90 90 90 90 90 E8 C0 FF FF FF ................
2F 62 69 6E 2F 73 68 90 90 90 90 90 90 90 90 90 /bin/sh.........

The signature of this attack is the /bin/sh string together with the machine code in front of it, which is in fact shellcode. With this information a new rule can be developed quickly:

alert tcp any any -> 192.168.1.0/24 143 (content:"|E8 C0 FF FF FF|/bin/sh"; msg:"New IMAP Buffer Overflow detected!";)

A content string may mix two forms, text and hexadecimal: the hex bytes are enclosed between | characters, and Snort converts the whole string to binary form when it loads the rule.
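To make the rule syntax of this section and the mixed text/|hex| content form concrete, here is an added Python example (not Snort's own code) that parses a Snort 1.7 style rule into its header and options and evaluates it against a packet, handling the any keyword, ! negation, lo:hi port ranges, and content strings with hex sections. The packets are constructed dicts standing in for decoded packets, and only quoted options (content, msg) are interpreted.

```python
# Added example (not Snort's code): a minimal evaluator for the Snort 1.7 rule
# syntax described above: header fields with ! negation and lo:hi port ranges,
# plus content/msg options where content mixes text and |hex| bytes.
# Packets are constructed dicts standing in for decoded packets.
import ipaddress
import re

RULE_RE = re.compile(r"(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*(?:\((.*)\))?\s*$")
OPTION_RE = re.compile(r'(\w+)\s*:\s*"([^"]*)"')

def parse_content(spec):
    """Content string to bytes: sections between | are hex, the rest is text."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def parse_rule(text):
    """Split a rule into header fields and a dict of its quoted options."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("cannot parse rule: " + text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": dict(OPTION_RE.findall(opts or ""))}

def ip_matches(spec, addr):
    """'any', a CIDR block, or a !-negated CIDR block."""
    if spec == "any":
        return True
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != spec.startswith("!")

def port_matches(spec, port):
    """'any', one port, or lo:hi (either bound optional), optionally !-negated."""
    if spec == "any":
        return True
    lo, colon, hi = spec.lstrip("!").partition(":")
    low = int(lo) if lo else 0
    high = int(hi) if hi else (65535 if colon else low)
    return (low <= port <= high) != spec.startswith("!")

def rule_matches(rule, pkt):
    """The header must match and every option is ANDed, as the text describes."""
    header_ok = (rule["proto"] == pkt["proto"]
                 and ip_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
                 and ip_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"]))
    content = rule["options"].get("content")
    return header_ok and (content is None or parse_content(content) in pkt["payload"])

if __name__ == "__main__":
    imap = parse_rule('alert tcp any any -> 192.168.1.0/24 143 (content:"|E8 C0 FF FF FF|/bin/sh"; msg:"IMAP overflow";)')
    pkt = {"proto": "tcp", "src": "192.168.1.4", "sport": 1034, "dst": "192.168.1.3", "dport": 143,
           "payload": b"\x90" * 12 + b"\xe8\xc0\xff\xff\xff/bin/sh\x90"}   # constructed sample payload
    print(imap["action"], imap["options"]["msg"], rule_matches(imap, pkt))
```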

6. Summary

This article has introduced Snort, a lightweight intrusion detection system, covering its features, installation, basic usage, and how to develop new rules. Snort is a high-performance intrusion detection system suitable for large, medium and small networks, and especially for small and medium-sized companies that cannot afford the high cost of large commercial intrusion detection systems.