In this blog, we’ll learn about ‘Snort’, an Open Source Intrusion Prevention System (IPS) that helps protect computer networks by analysing the incoming network packets against a pre-defined set of rules.
This aids in intrusion detection and is perfect for Blue Teams defending against cyber threats. Understanding Snort can strengthen a company’s cybersecurity defenses, making their networks safer. We’ll cover the basics and show how to write rules with easy examples to follow.
What is Snort?
Snort is a tool to detect and prevent cyber attacks, like intrusions and malware. It’s like a digital guard that watches over your network and alerts you if anything suspicious happens.
“Snort is the foremost Open Source Intrusion Prevention System (IPS) in the world. Snort IPS uses a series of rules that help define malicious network activity and uses those rules to find packets that match against them and generates alerts for users.”
– Snort.org
How Snort works?
Snort is like a watchful guardian for computer networks. It sits quietly, observing all the data packets passing through the network. When it notices something suspicious, it doesn’t hesitate to sound the alarm. This is how it works.
- Network Traffic Capture: The process starts with capturing network traffic using libpcap. The captured traffic is stored in pcap format for further analysis.
- Analyze Packets: Snort analyzes the captured packets to identify malicious activity.
- Match Rules: The captured packets are then matched against a user-defined rule set.
- Rule Match Found: This decision point determines whether a packet matches a rule.
- Alert: If there is a match, Snort generates an alert indicating a potential threat.
- Block Rule (Optional): This decision point determines whether Snort should block the traffic based on the matched rule.
- Log Collecting (Optional): This step logs the rule details even if the traffic is not blocked.
- Pass Rule: If blocking is not enabled or there is no match, the traffic is allowed to pass through the network.
Snort Installation
For Linux (Debian and CentOS) you can install Snort using the following commands.
sudo apt install snort (for Debian/Ubuntu)
sudo yum install snort (for RedHat/CentOS)
For other operating systems you can follow the detailed installation guide on the Snort website – snort installation
Snort Rules
Snort rules are sets of conditions and actions used by the Snort “Intrusion Detection System” to analyze network traffic. They specify criteria like patterns or signatures that, when detected in network packets, trigger actions such as generating alerts or blocking traffic.
Snort rules are like a bouncer’s cheat sheet for your network. They tell the bouncer (Snort) who’s okay (safe traffic) and who to be suspicious of (bad guys trying to get in). This keeps your network safe!
Types of Snort Rules
- Snort Community Ruleset – Free; Open-source collection of rules maintained by the Snort community.
- Snort Paid Ruleset – Paid; up-to-date rulesets with many more benefits, found on snort.org/products.
- Custom Rulesets – Create your own personalized Rulesets.
Deep Dive into the Custom Rule-sets
Rule Header
- Action: This field specifies the action Snort should take if the rule matches a packet. In the example, the action is set to alert, which means Snort will generate an alert message if it detects a packet that matches the rule.
- Protocol: This field specifies the network protocol the rule applies to. In the example, it is TCP (Transmission Control Protocol).
- Source Address: This field specifies the source IP address the rule applies to. In the example, it matches any source address.
- Source Port: This field specifies the port number on the source device the rule applies to. In the example, it matches any source port.
- Direction: This field specifies the direction of the traffic the rule applies to. In the example, the direction is set to ->, which means the rule applies to inbound traffic (traffic going from the source to the destination).
- Destination Address: This field specifies the destination IP address the rule applies to. In the example, it matches any destination address.
- Destination Port: This field specifies the port number on the destination device the rule applies to. In the example, it is destination port 21, which is commonly used for FTP (File Transfer Protocol) traffic.
Rule Options
Rule options provide more specific details about the traffic you want to monitor.
- msg: This option allows you to specify a message that will be included in the alert if the rule is triggered.
- sid: This option allows you to specify a unique identifier for the rule.
- classtype: This option allows you to specify the classification of the rule, such as malware, exploit, or scan.
- content: This option allows you to search for specific patterns in the content of the traffic payload.
- flow: This option allows you to specify conditions that must be met by the traffic flow in order for the rule to be triggered.
Example of Custom Rules
Block SQL Injection Attempts
Rule:
action: alert
protocol: tcp
source ip: any
source port: any
destination ip: your_web_server_ip
destination port: 80 (or 443 for HTTPS)
options: msg:"Potential SQL Injection Attempt"; pcre:"/(WHERE|UPDATE|SELECT)/i"; sid:100002; classtype:web-application-attack;
This rule monitors TCP traffic on ports 80 (HTTP) or 443 (HTTPS) destined for your web server. It searches the packet payload for keywords commonly used in SQL injection attempts (the keyword alternatives are expressed with pcre, because inside a Snort content string the | characters delimit hex bytes rather than text). If a match is found, an alert is generated. Note that on port 443 the payload is TLS-encrypted, so keyword matching only works where the traffic is decrypted before Snort sees it.
Hands On Attack and Defence Using Snort
Rule Used Here
alert tcp any any -> 192.168.78.130 80 (msg:"DOS DETECTED"; flags: S; sid:1000002;)
- alert: This keyword specifies that Snort should generate an alert when the rule matches.
- tcp: Specifies that the rule applies to TCP traffic.
- any any: Matches any source IP address and any source port.
- ->: Indicates the direction of the traffic flow.
- 192.168.78.130 80: Specifies the destination IP address (192.168.78.130) and port (80) where the attack is detected.
- (msg:"DOS DETECTED";): Provides a descriptive message that will be included in the alert.
- flags: S: Matches TCP packets with the SYN flag set, indicating the start of a connection.
- sid:1000002: Specifies a unique identifier for the rule.
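To tie the Rule Header and Rule Options anatomy above to the DOS rule just broken down, here is a small rule parser and linter written for this post as an added example (it is not code from the original post or from the Snort project); it assumes Snort 2.x one-line rule syntax and points out the practical weakness of the SYN rule: matching flags:S alone alerts on every new connection, which Snort's detection_filter option turns into a rate-based alert.

```python
import re

# Keywords from the Snort 2.x rule grammar (added example; not Snort's own parser code).
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<protocol>\w+)\s+(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\((?P<options>.*)\)$"
)

def split_options(options):
    """Split 'key:value; key; ...' into (key, value) pairs; a ';' inside quotes is data."""
    pairs, buf, in_quotes = [], "", False
    for ch in options:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            key, _, value = buf.strip().partition(":")
            if key:
                pairs.append((key.strip(), value.strip().strip('"')))
            buf = ""
        else:
            buf += ch
    if buf.strip():  # every Snort option ends with ';', so leftover text is a syntax error
        raise ValueError(f"option not terminated with ';': {buf.strip()!r}")
    return pairs

def parse_rule(rule):
    """Break a one-line rule into its seven header fields plus an ordered option list."""
    match = HEADER_RE.match(rule.strip())
    if not match:
        raise ValueError("malformed header: expected 'action proto src sport dir dst dport (...)'")
    fields = match.groupdict()
    fields["options"] = split_options(fields["options"])
    return fields

def lint_rule(rule):
    """Return the problems a defender would want fixed before loading the rule."""
    try:
        parsed = parse_rule(rule)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if parsed["action"] not in ACTIONS:
        problems.append(f"unknown action {parsed['action']!r}")
    keys = dict(parsed["options"])
    for required in ("msg", "sid"):
        if required not in keys:
            problems.append(f"missing required option {required!r}")
    # A bare SYN match fires on every legitimate connection attempt, not only on a flood.
    if keys.get("flags", "").upper().startswith("S") and not {"detection_filter", "threshold"} & keys.keys():
        problems.append("flags:S without detection_filter/threshold alerts on every new connection")
    return problems
```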
The attack demonstrated is a TCP SYN flood targeting the victim at IP address 192.168.78.130 on port 80.
hping is a command-line tool used for network testing and DoS attacks; it is the tool used in the video.
Key Takeaways
- Snort, an Open Source Intrusion Prevention System (IPS), and its workings
- Breaking down Snort’s rules
- Creating Custom Rule
- Practical Application of Snort to Detect DOS Attack
Snort helps you protect against cyber threats.
Install it, understand its rules, and use it to defend your network.
Thanks! Hope you learnt something.