Mastering Snort: Comprehensive Guide to Intrusion Detection

By Darshan Jogi on 9th Apr, 2024

In this blog, we'll learn about Snort, an open-source Intrusion Detection and Prevention System (IDS/IPS) that helps protect computer networks by analysing network packets against a pre-defined set of rules. Run passively it only raises alerts; run inline it can also drop the offending packets.

This is perfect for Blue Teams defending against cyber threats. Understanding Snort can strengthen a company's cybersecurity defences and make its networks safer. We'll cover the basics and show how to write rules, with easy examples to follow.

What is Snort?

Snort is a tool to detect and prevent cyber attacks, like intrusions and malware. It's like a digital guard that watches over your network and alerts you if anything suspicious happens.

Snort is the foremost Open Source Intrusion Prevention System (IPS) in the world. Snort IPS uses a series of rules that help define malicious network activity and uses those rules to find packets that match against them and generates alerts for users.

- Snort.org

How Snort works?

Snort is like a watchful guardian for computer networks. It sits quietly, observing all the data packets passing through the network, and when it notices something suspicious it sounds the alarm. This is how it works:

  • Network Traffic Capture: Snort reads packets from a network interface through its data-acquisition (DAQ) layer, which is built on libpcap, or replays a saved pcap file (the -r option). Packets are inspected as they arrive; they are not first written to disk.

  • Decode and Preprocess: each packet is decoded layer by layer (Ethernet, IP, TCP/UDP, ...) and passed through preprocessors that reassemble TCP streams, defragment IP and normalise protocols such as HTTP, so that rules match on what the endpoint will actually see rather than on raw fragments.

  • Match Rules: the decoded packet is then compared against the loaded rule set, first by header (protocol, addresses, ports) and then by the options inside the parentheses.

  • Rule Match Found: this decision point determines whether a packet satisfied every condition of some rule.

  • Alert: if there is a match and the rule's action is alert, Snort generates an event describing the potential threat.

  • Block Rule (Optional): if Snort runs inline (IPS mode) and the matching rule's action is drop or reject, the packet is discarded. A passive sensor that only sees a copy of the traffic cannot block anything; it can only alert.

  • Log Collecting (Optional): events and, if configured, the triggering packets are written to the configured outputs (the alert file, unified2 logs for a SIEM), whether or not the traffic was blocked.

  • Pass: if no rule matches, or the matching rule's action is pass, the traffic continues through the network untouched.

Figure: Working of Snort (flow diagram)

Snort Installation

On Linux you can install Snort from packages where the distribution provides one. Debian and Ubuntu ship Snort 2.9 in their repositories (Snort 3 is built from source); RedHat/CentOS do not carry Snort in their base repositories, so use the RPMs or the source build described in the official guide.

sudo apt install snort (for Debian/Ubuntu) 
sudo yum install snort (for RedHat/CentOS)

For other OSes you can follow the detailed installation guide on their website here - https://docs.snort.org/start/installation

Snort Rules

Snort rules are sets of conditions and actions that the Snort intrusion detection engine uses to analyse network traffic. They specify criteria such as header values, payload patterns or signatures that, when found in network packets, trigger actions such as generating alerts or, in inline mode, blocking the traffic.

Snort rules are like a bouncer's cheat sheet for your network. They tell the bouncer (Snort) who's okay (safe traffic) and who to be suspicious of (bad guys trying to get in). This keeps your network safe!

Types Of Snort rules

  1. Snort Community Ruleset - Free; an open-source (GPL) collection of rules contributed by the community and vetted by Cisco Talos.
  2. Snort Subscriber Ruleset - Paid; the full Talos ruleset, delivered as soon as new rules are released. Registered (free) users receive the same rules 30 days later. Found on snort.org/products.
  3. Custom Rulesets - Rules you write yourself for your own environment, typically kept in a local.rules file.

Deep Dive into the Custom Rulesets

Rules Structure

Figure: anatomy of a Snort rule. The example rule in the figure has the header alert tcp any any -> any 21, followed by the rule options in parentheses.

Rule Header

Defines the basic characteristics of the traffic you want to monitor.

  • Action
    This field specifies what Snort should do when the rule matches a packet: alert (raise an event), log (record the packet), pass (ignore it) or, in inline mode, drop, reject or sdrop. In the example the action is alert, so Snort generates an alert message for every packet that matches the rule.
  • Protocol
    This field specifies the network protocol the rule applies to: tcp, udp, icmp or ip. In the example it is tcp (Transmission Control Protocol).
  • Source Address
    This field specifies the source IP address the rule applies to: a single address, a CIDR network, a list in square brackets or a variable such as $HOME_NET. In the example it is any.
  • Source Port
    This field specifies the port number on the source device: a single port, a range or any. In the example it is any.
  • Direction
    This field specifies which way the traffic is flowing. -> means the rule applies to traffic from the source on the left to the destination on the right; <> applies to both directions. Whether that is "inbound" depends on which side of the arrow you put your own network.
  • Destination Address
    This field specifies the destination IP address, in the same forms as the source address. In the example it is any.
  • Destination Port
    This field specifies the port number on the destination device. In the example it is 21, the port commonly used for FTP (File Transfer Protocol) control traffic.

Rule Options

Provide more specific details about the traffic you want to monitor.

  • msg: The text included in the alert when the rule fires. Make it specific; it is the first thing an analyst reads.
  • sid: The Snort ID, a number that must be unique across the whole rule set. Sids below 1000000 are reserved for official rules, so start local rules at 1000000. It is normally paired with rev, a revision number you bump each time you edit the rule.
  • classtype: One of the classifications defined in classification.config, such as web-application-attack, attempted-recon or trojan-activity. Each classification carries a default priority that ends up in the alert.
  • content: A byte pattern to search for in the packet payload. Binary bytes are written in hex between pipes, e.g. "|90 90|", and modifiers such as nocase, depth, offset, distance and within control how and where the match is done. Several content options in one rule must all match.
  • flow: Conditions on the TCP session, such as to_server or from_server and established or stateless, so that the rule only fires on traffic in the direction and connection state where the attack is meaningful.
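The rule layout just described, as an added example that is not part of the original post: a small Python parser and linter for the header fields and rule options. It is written here for illustration and is not Snort's own parser. The action and protocol sets and the 1,000,000 local-sid boundary follow the Snort documentation; the lint messages, the SnortRule class and the sample rules are this example's own.

```python
# Added example (not from the original post): a parser and linter for the
# "header (options)" layout of a Snort rule. Teaching aid, not Snort's parser;
# it covers the common header and option syntax only.
import re
from dataclasses import dataclass, field

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
LOCAL_SID_START = 1_000_000  # sids below this are reserved for official rules

# action proto src sport dir dst dport ( options )
HEADER = re.compile(
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)", re.S
)


@dataclass
class SnortRule:
    action: str
    protocol: str
    src: str
    src_port: str
    direction: str
    dst: str
    dst_port: str
    options: list = field(default_factory=list)  # [(keyword, value or None), ...]

    def option(self, keyword):
        """All values given for a keyword (content, for example, may repeat)."""
        return [v for k, v in self.options if k == keyword]


def split_options(body):
    """Split the text between the parentheses on ';', but never inside "..." strings,
    so a msg such as "FTP; login" survives intact."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch == ";" and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition(":")  # "flags:S" -> ("flags", "S"); "nocase" -> ("nocase", None)
        pairs.append((key.strip(), value.strip() if value else None))
    return pairs


def parse_rule(text):
    """Turn one rule line into a SnortRule; raises ValueError on a malformed header."""
    m = HEADER.fullmatch(text.strip())
    if not m:
        raise ValueError("not a Snort rule: " + text)
    *header, body = m.groups()
    return SnortRule(*header, options=split_options(body))


def lint(rule):
    """Problems a practitioner would want fixed before loading the rule."""
    problems = []
    if rule.action not in ACTIONS:
        problems.append(f"unknown action {rule.action!r}")
    if rule.protocol not in PROTOCOLS:
        problems.append(f"unknown protocol {rule.protocol!r}")
    sids = rule.option("sid")
    if len(sids) != 1 or sids[0] is None or not sids[0].isdigit():
        problems.append("exactly one numeric sid is required")
    elif int(sids[0]) < LOCAL_SID_START:
        problems.append(f"sid {sids[0]} is below 1000000; keep local rules at sid >= 1000000 "
                        "so they never clash with vendor rules")
    if not rule.option("msg"):
        problems.append("msg missing: alerts would carry no description")
    if not rule.option("rev"):
        problems.append("rev missing: add rev:1 so later edits can bump the revision")
    return problems


if __name__ == "__main__":
    # Sample rule constructed for this example (the post's SYN rule, without rev)
    r = parse_rule('alert tcp any any -> 192.168.78.130 80 (msg:"DOS DETECTED"; flags:S; sid:1000002;)')
    print(r.action, r.dst, r.dst_port, r.option("flags"))
    print(lint(r))
```

Feed it your local.rules one line at a time before loading them into Snort; a rule that fails parse_rule or returns lint problems is the usual cause of a sensor that starts but silently never alerts.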

Example Of Custom Rules

Block SQL Injection Attempts

Problem: Malicious actors might try to inject SQL code into website forms to gain unauthorized access.

Rule:

alert tcp any any -> your_web_server_ip 80 (msg:"Potential SQL Injection Attempt"; flow:to_server,established; pcre:"/\b(SELECT|UPDATE|WHERE)\b/i"; classtype:web-application-attack; sid:1000001; rev:1;)

Explanation: This rule monitors TCP traffic from any client to port 80 of your web server (replace your_web_server_ip with the address, or a variable such as $HOME_NET). flow:to_server,established restricts it to requests inside an established connection, so the server's replies are not inspected. The pcre option looks for the SQL keywords commonly seen in injection attempts anywhere in the request payload, case-insensitively; a content option matches one fixed string, so a regular expression is used here to cover several keywords in a single rule. If a match is found, an alert is generated.

Two caveats. First, the rule does not work on port 443: HTTPS payloads are encrypted, so Snort can only see inside them if TLS is terminated (for example at a reverse proxy) before the traffic reaches the sensor. Second, bare keywords are noisy: a comment form containing the English words "select" or "update" triggers it just as well as an attack. Production rules anchor on sequences such as UNION followed by SELECT, match on the normalised URI (http_uri) rather than the raw payload, and pair a fast content match with the pcre so the expensive regex is only evaluated on candidate packets.
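How the two matching strategies behave, as an added example that is not part of the original post: a Python model of Snort-style content matching run over three constructed HTTP requests (an injection attempt, a harmless comment and a normal page fetch). The request bodies and the shop.example hostname are made up for the example; content_match models Snort's content/nocase semantics only loosely and is not Snort's engine.

```python
# Added example (not from the original post): how Snort-style content matching
# behaves on constructed HTTP requests, and why a bare SQL-keyword rule is noisy.

# Constructed sample requests; none of these were captured from a real network.
REQUESTS = {
    "attack": (b"GET /item?id=1%27%20UNION%20SELECT%20user,pass%20FROM%20users-- HTTP/1.1\r\n"
               b"Host: shop.example\r\n\r\n"),
    "benign": (b"POST /comment HTTP/1.1\r\nHost: shop.example\r\n\r\n"
               b"text=Select+where+you+want+to+update+your+profile"),
    "normal": b"GET /item?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
}


def content_match(payload: bytes, patterns, nocase: bool = True) -> bool:
    """Model of several content:"..."; options in one rule: every pattern must
    appear somewhere in the payload (Snort ANDs the contents of a rule)."""
    hay = payload.lower() if nocase else payload
    return all((p.lower() if nocase else p) in hay for p in patterns)


def keyword_rule(payload: bytes) -> bool:
    """The post's idea: fire when any SQL keyword is present. In Snort this is
    one rule per keyword, or a single pcre:"/\\b(SELECT|UPDATE|WHERE)\\b/i"."""
    return any(content_match(payload, [kw]) for kw in (b"WHERE", b"UPDATE", b"SELECT"))


def union_select_rule(payload: bytes) -> bool:
    """Tighter rule: content:"UNION"; nocase; content:"SELECT"; nocase; distance:0;
    i.e. SELECT must occur after UNION in the same payload."""
    hay = payload.lower()
    i = hay.find(b"union")
    return i != -1 and hay.find(b"select", i + len(b"union")) != -1


def run(rule) -> dict:
    """Apply a rule function to every sample request and report which ones alert."""
    return {name: rule(req) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    print("keyword rule      :", run(keyword_rule))       # the benign comment alerts too
    print("UNION SELECT rule :", run(union_select_rule))  # only the attack alerts
```

The keyword rule fires on the benign comment because "select", "where" and "update" are ordinary English; the UNION-then-SELECT rule does not, which is why real rules key on token sequences and on the normalised URI rather than on single words. Note that the attack request is URL-encoded; Snort's HTTP preprocessor decodes the URI before matching, which this model does not do, so a rule that matched the raw bytes would be trivially evaded with %55NION.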

Hands On Attack and Defence Using Snort


Rule Used Here

alert tcp any any -> 192.168.78.130 80 (msg:"DOS DETECTED"; flow:stateless; flags:S; detection_filter:track by_dst, count 100, seconds 1; sid:1000002; rev:1;)

Let's break down the components:

  • alert: This keyword specifies that Snort should generate an alert when the rule matches.
  • tcp: Specifies that the rule applies to TCP traffic.
  • any any: Matches any source IP address and any source port.
  • ->: Indicates the direction of the traffic flow, from the source on the left to the destination on the right.
  • 192.168.78.130 80: Specifies the destination IP address (192.168.78.130) and port (80) that is being attacked.
  • msg:"DOS DETECTED": Provides a descriptive message that will be included in the alert.
  • flow:stateless: Evaluates the rule on every packet regardless of connection state. A SYN flood never completes the handshake, so a rule restricted to established flows would never see it.
  • flags:S: Matches TCP packets with only the SYN flag set, i.e. connection attempts.
  • detection_filter:track by_dst, count 100, seconds 1: Keeps the rule quiet until more than 100 matching SYNs have been seen for the same destination within one second; only then does it start alerting. Without this, the rule fires on every single connection attempt, including every legitimate visitor to the web server.
  • sid:1000002: Specifies a unique identifier for the rule; local rules use sids from 1000000 upwards.
  • rev:1: Revision number, bumped whenever the rule is edited.

This rule is designed to detect TCP SYN flood attacks targeting the victim at IP address 192.168.78.130 on port 80. Tune the count and seconds values to the server's normal connection rate, otherwise a busy site will trigger it during peak traffic.

hping3 is a command-line packet generator used for network testing; with the SYN flag and flood mode it sends a TCP SYN flood to port 80 of the target, which is how the attack is launched in the video.
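The rate-gating behaviour of that rule, as an added example that is not part of the original post: a simplified Python model of detection_filter (track by_dst, count N, seconds S) applied to the SYN rule above, run over constructed packets rather than live traffic. The threshold is lowered to count 20 so the effect shows on a small sample; the client addresses, timestamps and the windowing logic are this example's own and only approximate how Snort keeps its counters.

```python
# Added example (not from the original post): a simplified model of Snort's
# detection_filter (track by_dst, count N, seconds S) applied to the SYN rule
# above, run over constructed packets instead of live traffic.

VICTIM = "192.168.78.130"  # the target IP from the post's rule


class DetectionFilter:
    """Rate gate: the rule may only fire once more than `count` matches for the
    tracked host have been seen inside a `seconds`-long window. The window is
    opened by the first match and reopened once it has expired (simplified
    model; Snort's real bookkeeping differs in details)."""

    def __init__(self, count: int, seconds: float):
        self.count, self.seconds = count, seconds
        self._state = {}  # tracked host -> [window_start, matches_in_window]

    def exceeded(self, host: str, ts: float) -> bool:
        start, n = self._state.get(host, (None, 0))
        if start is None or ts - start >= self.seconds:
            self._state[host] = [ts, 1]  # (re)open the window with this match
            return False
        self._state[host][1] = n + 1
        return n + 1 > self.count


def syn_rule(packets, detection_filter=None):
    """alert tcp any any -> VICTIM 80 (flags:S; [detection_filter:track by_dst ...])
    Packets are (timestamp, src_ip, dst_ip, dst_port, set_of_tcp_flags).
    Returns (timestamp, src_ip) for every alert the rule would raise."""
    alerts = []
    for ts, src, dst, dport, flags in packets:
        if dst != VICTIM or dport != 80 or flags != {"S"}:  # header match + flags:S
            continue
        if detection_filter is None or detection_filter.exceeded(dst, ts):
            alerts.append((ts, src))
    return alerts


def sample_traffic():
    """Constructed traffic: one legitimate client, then an hping3-style SYN flood."""
    normal = [(float(t), "10.0.0.5", VICTIM, 80, {"S"}) for t in range(5)]          # 5 SYNs in 5 s
    ack = [(2.5, "10.0.0.5", VICTIM, 80, {"A"})]                                      # not a SYN
    flood = [(10.0 + i * 0.01, "10.0.0.9", VICTIM, 80, {"S"}) for i in range(50)]  # 50 SYNs in 0.5 s
    other = [(10.2, "10.0.0.9", "192.168.78.131", 80, {"S"})]                        # different host
    return sorted(normal + ack + flood + other, key=lambda p: p[0])


if __name__ == "__main__":
    pkts = sample_traffic()
    print("without detection_filter:", len(syn_rule(pkts)), "alerts")  # every SYN, flood or not
    print("count 20, seconds 1     :", len(syn_rule(pkts, DetectionFilter(20, 1))), "alerts")
```

Without the filter the rule raises 55 alerts, one per SYN, and the legitimate client is indistinguishable from the flood; with count 20 over one second the five normal connection attempts stay silent and only the burst from 10.0.0.9 alerts, from its 21st SYN onward. Pick count from a baseline of the server's real SYN rate, not from a lab flood.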

Key Takeaways

  1. What Snort is, an open-source IDS/IPS, and how it processes packets
  2. Breaking down the header and options of a Snort rule
  3. Creating a custom rule
  4. Practical application of Snort to detect a SYN flood DoS attack

Snort helps you protect against cyber threats.
Install it, understand its rules, and use it to defend your network.

Thanks ! Hope you learnt something.


Ready to take the next step in securing your company's digital infrastructure?
Explore our blog on
  ➡️ Getting Started With Pentest for actionable insights and proactive cybersecurity measures
