In this blog, we’ll learn about ‘Snort’, an Open Source Intrusion Prevention System (IPS) that helps protect computer networks by analysing the incoming network packets against a pre-defined set of rules.
This aids in intrusion detection and is perfect for Blue Teams defending against cyber threats. Understanding Snort can strengthen a company’s cybersecurity defenses, making their networks safer. We’ll cover the basics and show how to write rules with easy examples to follow.
Table of Contents
What is Snort?
Snort is a tool to detect and prevent cyber attacks, like intrusions and malware. It’s like a digital guard that watches over your network and alerts you if anything suspicious happens.
“Snort is the foremost Open Source Intrusion Prevention System (IPS) in the world. Snort IPS uses a series of rules that help define malicious network activity and uses those rules to find packets that match against them and generates alerts for users. “
– Snort.org
How Snort works ?
Snort is like a watchful guardian for computer networks. It sits quietly, observing all the data packets passing through the network. When it notices something suspicious, it doesn’t hesitate to sound the alarm. This is how it works.
Network Traffic Capture : The process starts with capturing network traffic using libpcap. This captured traffic is stored in a pcap format for further analysis.
Analyze Packets : Snort analyzes the captured packets to identify malicious activity.
Match Rules : The captured packets are then matched against a user-defined rule set.
Rule Match Found: This decision point determines if there’s a match between a packet and a rule.
Alert : If there’s a match, Snort generates an alert indicating a potential threat.
Block Rule (Optional) : This decision point determines if Snort should block the traffic based on the matched rule.
Log Collecting (Optional): This step logs the rule details even if the traffic is not blocked.
Pass Rule : If blocking is not enabled or there’s no match, the traffic is allowed to pass through the network.
Snort Installation
For linux ( debian and centos ) you can install snort using the following command.
sudo apt install snort (for Debian/Ubuntu)
sudo yum install snort (for RedHat/CentOS)
For other OSes you can follow the detailed installation guide on their website here – snort installation
Snort Rules
Snort rules are sets of conditions and actions used by the Snort “Intrusion Detection System” to analyze network traffic. They specify criteria like patterns or signatures that, when detected in network packets, trigger actions such as generating alerts or blocking traffic.
Snort rules are like a bouncer’s cheat sheet for your network. They tell the bouncer (Snort) who’s okay (safe traffic) and who to be suspicious of (bad guys trying to get in). This keeps your network safe!
Types of Snort Rules
- Snort Community Ruleset – Free; Open-source collection of rules maintained by the Snort community.
- Snort Paid Ruleset – Paid; New Up-to-date rulesets with many more benefits. Found on snort.org/products.
- Custom Rulesets – Create your own personalized Rulesets.
Deep Dive into the Custom Rule-sets
Rule Header
- Action
This field specifies the action that Snort should take if the rule matches a packet. In the example, the action is set to alert, which means Snort will generate an alert message if it detects a packet that matches the rule. - Protocol
This field specifies the network protocol that the rule applies to. In the example, it shows TCP (Transmission Control Protocol). - Source Address
This field specifies the IP address that the rule applies to. In the example, it shows any source address. - Source Port
This field specifies the port number on the source device that the rule applies to. In the example, it shows any source port. - Direction
This field specifies the direction of the traffic that the rule applies to. In the example, the direction is set to ->, which means the rule applies to inbound traffic (traffic going from the source to the destination). - Destination Address
This field specifies the IP address that the rule applies to. In the example, it shows any destination address. - Destination Port
This field specifies the port number on the destination device that the rule applies to. In the example, it shows destination port 21, which is commonly used for FTP (File Transfer Protocol) traffic.
Rule Option
Provide more specific details about the traffic you want to monitor.
- msg: This option allows you to specify a message that will be included in the alert if the rule is triggered.
- sid: This option allows you to specify a unique identifier for the rule.
- classtype: This option allows you to specify the classification of the rule, such as malware, exploit, or scan.
- content: This option allows you to search for specific patterns in the content of the traffic payload.
- flow: This option allows you to specify conditions that must be met by the traffic flow in order for the rule to be triggered.
Example Of Custom Rules
Block SQL Injection Attempts
Rule:
action: alert
protocol: tcp
source ip: any
source port: any
destination ip: your_web_server_ip
destination port: 80 (or 443 for HTTPS)
content: "|*WHERE*| |*UPDATE*| |*SELECT*|"; sid:100002; msg:"Potential SQL Injection Attempt"; classtype: attack-scripts
TCP
traffic on ports 80 (HTTP) or 443 (HTTPS) destined for your web server. It searches for keywords commonly used in SQL injection attempts within the content of the packet payload. If a match is found, an alert is generated. Hands On Attack and Defence Using Snort
Rule Used Here
alert tcp any any -> 192.168.78.130 80 (msg:"DOS DETECTED"; flags: S; sid:1000002;)
alert
: This keyword specifies that Snort should generate an alert when the rule matches.tcp
: Specifies that the rule applies to TCP traffic.any any
: Matches any source IP address and any source port.->
: Indicates the direction of the traffic flow.192.168.78.130 80
: Specifies the destination IP address (192.168.78.130) and port (80) where the attack is detected.(msg:"DOS DETECTED";)
: Provides a descriptive message that will be included in the alert.flags: S
: Matches TCP packets with the SYN flag set, indicating the start of a connection.sid:1000002
: Specifies a unique identifier for the rule.
TCP SYN flood attacks
targeting victim at IP address 192.168.78.130 on port 80.
hping
is a command-line tool used for network testing and DoS attacks. Used in the video. Key Takeaways
- Snort, an Open Source Intrusion Prevention System (IPS) and it’s workings
- Breaking down Snort’s rules
- Creating Custom Rule
- Practical Application of Snort to Detect DOS Attack
Snort helps you protect against cyber threats.
Install it, understand its rules, and use it to defend your network.
Thanks ! Hope you learnt something.
Relevant Posts
Expert Pentesting Services US -SecureMyOrg
Protect your business in the US with expert pentesting services from SecureMyOrg. Uncover vulnerabilities, strengthen security, and stay ahead of cyber threats.
What is Symmetric Encryption? A Comprehensive Overview 2024-SecureMyOrg
Discover the fundamentals of symmetric encryption, how it works, its advantages, limitations, and common use cases. Learn why it remains essential in securing sensitive data.
Asymmetric vs Symmetric Encryption-1: Comparing Their Performances
Explore the performance battle between symmetric and asymmetric encryption. Understand their speed, scalability, and security to make an informed choice.
What is Asymmetric Encryption? A Comprehensive Overview 2024-SecureMyOrg
Learn all about asymmetric encryption in this detailed guide. Understand how it works, its advantages, limitations, real-world applications, and why it’s essential for secure communication in the digital age.
Snort IDS/IPS: Mastering Deployment and Configuration
Master the deployment and configuration of Snort IDS/IPS with this comprehensive guide. Learn installation, fine-tuning, and Cisco integration for top-tier network security.
Getting Started With Pentesting-1
Getting your pentest done, successfully. For companies who want to know what all to consider when getting a pentest done. For pentest providers about what all should you care about when doing a pentest.