Detect intruders on your network with Snort

From PeformIQ Upgrade
Revision as of 16:06, 25 April 2008 by PeterHarding (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

by Vincent Danen, TechRepublic


Snort (http://www.snort.org/) is a Network Intrusion Detection System (NIDS), which can view and analyse packets on a network to determine whether or not a system is being attacked by remote. Most Linux distributions come with Snort, so it's simply a matter of installing Snort via urpmi, apt-get, or yum. Snort can write its collected information to a variety of different sources for later analysis, be it flat files or a database such as PostgreSQL or MySQL. As well, Snort can be used as a simple packet logger, sniffer, or a full-blown NIDS.

Once Snort is installed, it can be used right away. Simply executing:

  1. snort -v

will put Snort into packet sniffing mode; traffic will be scrolled on the screen showing what packets Snort is seeing. To exit, hit CTRL-C and you will see a brief analysis of what Snort detected. To see even more information -- like you might with tcpdump -- use the -vd option instead.

To have Snort log data, simply tell it where to log the information. In the next example, Snort will log information to the /usr/local/log/snort directory, so make sure it exists first.

  1. snort -l /usr/local/log/snort -d

Snort will log packets in a binary file, such as /usr/local/log/snort/snort.log.1199665001. To view the log, use the -r option with Snort in order to replay the captured data.

  1. snort -r /usr/local/log/snort/snort.log.1199665001

Using Snort as an NDIS takes a little more work; you must configure Snort appropriately, using the configuration file /etc/snort/snort.conf. Be warned, this configuration file can be quite hefty! Some of the rules available on the Snort Web site may be packaged with Snort, depending on the Linux distribution.

The Snort rules can be downloaded from http://www.snort.org/pub-bin/downloads.cgi. The community rules are available for anyone to use and are most likely to be bundled with any prepackaged vendor-supplied copies of Snort. You can also subscribe to receive updated rules from Sourcefire on a regular basis.

Once you have downloaded a rules package, such as the Community-Rules-CURRENT.tar.gz file, unpack it on the system with Snort installed in the directory where the Snort configuration is:

  1. cd /etc/snort
  2. tar xvzf Community-Rules-CURRENT.tar.gz

The new rules will now be in the rules/ directory.

To enable them, edit snort.conf and add:

var RULE_PATH rules include $RULE_PATH/sql.rules include $RULE_PATH/icmp.rules ...

Include whichever rules you like. Snort can now be started to load the configuration file /etc/snort/snort.conf , which will, in turn, load the downloaded rules:

  1. snort -c /etc/snort/snort.conf

Snort will then print information about its initialisation to the screen and then start logging packets that match the defined rules. The rules will determine what Snort will log and what it will ignore, so unlike running Snort as a sniffer, the generated logs will be much smaller as only packets "of consequence" will be logged. These logs will be stored, by default, in /var/log/snort/ and can be analysed by Snort using the -r option as noted previously.