SolutionBase: Use Snort to find out who's trying to break in to your network

Intrusion-detection systems can help you track down hackers and find out what they're doing on your network. Most IDSes are expensive, however. In this article, David Davis shows how you can use the open-source utility called Snort to sniff out hackers on your network.

If your network is attached to the Internet, the question you need to ask yourself is "What do I do WHEN my network gets hacked?" not "What do I do IF my network gets hacked?" It's only a matter of time before it happens. Do you want to be alerted when a known attack enters your network from the Internet or goes across your LAN? This is a job for Snort. And Snort will fit into your IT budget because it's free. Here's how it works.

What's Snort?

Snort is very popular, and it has a lot of organic support (organic meaning unpaid community support from the user base). Unlike many other open source software packages, Snort is hugely popular, so much so that a number of books are available for it (listed at the bottom of this article).

Most of us aren't programmers or developers, so the fact that something is open source doesn't really help us much. What does really help us is that, because something is open source, it is free. One of the greatest advantages of Snort is that it is free and open source software. Another advantage of Snort being open source is that it is available on more than one platform. You can run it on Linux, Windows, and Mac OS X. However, as the source is available, I don't see why it couldn't be compiled for other platforms.

What can Snort do for me?

Snort acts as a network packet analyzer: it listens to every packet sent and received across the wire that is being monitored. Snort has a database of traffic signatures that describe common network attacks or other malicious activity, and it compares every packet to that database. If a match is found, rules can be configured to take action. That action ranges from a passive response (just logging it or sending an email) to an active response (doing something to stop the malicious activity from happening).

Keep in mind that a Snort system will only see what packets are sent to it by the switch or hub that it is connected to. In the case of a switch, it is intelligent and only forwards traffic meant for the MAC address of your workstation and broadcast/multicast packets. If you had a hub, you would see all traffic on the network. So, proper placement of your workstation to capture the right amount of packets is critical. Many times, port mirroring is enabled on switches to mirror the port with the relevant traffic to your port.

For example, you could mirror the core router's Ethernet port to your port. Thus, proper placement of your Snort sensor, on the network, is critical to seeing the right traffic. To learn about Snort, find classes on Snort, interact with the Snort community, or download Snort software, go to www.snort.org.

Downloading and installing Snort

To download Snort, click on the Download section on the www.snort.org website. If you click on binaries, you will find the pre-compiled Snort software for Linux, Windows, or Mac OS X. In the Win32 binaries section, you will find the Snort 243 Installer.exe file (or newer).

To begin using Snort, download and run this application. Once you run it, you will see a request to accept the license agreement. After clicking Yes, you will be given choices concerning the Snort database as seen in Figure A.

Figure A

Control how you want Snort to access its databases.

A production Snort server will create a huge number of logs. It is preferable to store these logs in a database. Snort supports MySQL, Oracle, and Microsoft SQL server through database clients already installed. Or, you can just log to your local hard drive. For the purposes of testing, choose I do not plan to log to a database.

On the next screen, you will see the components you can install. Notice that if you install all packages, Snort is only 6.3MB at the maximum. So, choose to install all packages by clicking Next. Finish up by selecting the installation and you're done.

You may see a message saying that WinPcap is required. WinPcap is a standard packet capture library in Windows. It is used by a number of packet analysis tools like Snort and Ethereal. If you don't have it installed for another tool already, it can be obtained from www.winpcap.org. After installing it, you will have to reboot your machine.

The hard part

You must manually edit the snort.conf file. This is one of the more non-user-friendly parts of using Snort. The file will actually be located in c:\snort\etc, assuming you chose the default installation path. Another unfriendly part of using Snort is that you'll notice that there is no program group or any programs named Snort when you go to Start | Programs. Even if you go to c:\snort\bin and run the program called snort.exe, you will only see a bunch of text flash in front of a Windows command window and nothing else will happen.

What I am trying to tell you is that Snort does not have a graphical interface. Yes, it is for Windows but, no, it doesn't have a graphical interface. Most people, even Linux users, would like to have the option of a graphical interface. The Snort website has a download page for most available front-end environments, located here. All, to my knowledge, are free.

Some work on Windows but many are for Linux. If you are using Windows, you have to choose carefully. One of them that I know works for Windows is IDSCenter. I did, however, try IDS sensor and, after installing it, could not get the right combination of configuration options to capture packets with Snort. I am sure that, with some research and testing, it would be a helpful GUI if you are going to be a serious Snort user.

Using Snort

You can use Snort as an interactive packet sniffer with the following command: snort -dv

This will produce output that looks like this:

    C:\Snort\bin>snort -dvi4
    Running in packet dump mode

    Initializing Network Interface \Device\NPF_{F3D55A22-91A9-44D7-B1DE-18967E17A696}

    --== Initializing Snort ==--
    Initializing Output Plugins!
    Decoding Ethernet on interface \Device\NPF_{F3D55A22-91A9-44D7-B1DE-18967E17A696}

    --== Initialization Complete ==--

    ,,_ -*> Snort! <*-
    o" )~ Version 2.4.3-ODBC-MySQL-FlexRESP-WIN32 (Build 26)
    '''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
    (C) Copyright 1998-2005 Sourcefire Inc., et al.

    NOTE: Snort's default output has changed in version 2.4.1!
    The default logging mode is now PCAP, use "-K ascii" to activate
    the old default logging mode.

    02/21-16:18:55.707158 ARP who-has 192.168.0.10 tell 192.168.0.10

    02/21-16:18:55.804184 ARP who-has 10.253.1.14 tell 10.253.1.206

    ===============================================================================
    Snort received 39 packets
    Analyzed: 39(100.000%)
    Dropped: 0(0.000%)
    ===============================================================================
    Breakdown by protocol:
    TCP: 0 (0.000%)
    UDP: 18 (46.154%)
    ICMP: 0 (0.000%)
    ARP: 17 (43.590%)
    EAPOL: 0 (0.000%)
    IPv6: 0 (0.000%)
    ETHLOOP: 1 (2.564%)
    IPX: 0 (0.000%)
    FRAG: 0 (0.000%)
    OTHER: 1 (2.564%)
    DISCARD: 0 (0.000%)
    ===============================================================================
    Action Stats:
    ALERTS: 0
    LOGGED: 0
    PASSED: 0
    ===============================================================================
    pcap_loop: read error: PacketReceivePacket failed
    Snort exiting

The -d option shows the application layer. This results in packets being decoded. If you notice, I had to specify a certain interface by using -i4, for the 4th interface on my system. If you have only one interface, you won't have to do this. To list available interfaces in Windows, use the snort -W option.

What you can see from the output is that Snort is sniffing the packets that go across my network in real time. With the flags given, Snort is not really detecting any intrusions. To detect and report on intrusions using signatures, you must tell Snort how. This means specifying a rule and editing the Snort configuration file, located at c:\snort\etc\snort.conf. Performing these types of tasks from the command line requires some reading and research so I won't get into too much detail on that.
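A quick sensor-placement check, added here as an example and not part of the original article: the Python below parses the exit summary Snort prints and flags the pattern visible in the run above (no TCP, a large share of ARP), which is what a sensor on an unmirrored switch port tends to see. The function names and thresholds are assumptions chosen for illustration.

```python
import re

# Constructed sample: the exit summary from the run shown above, trimmed.
SAMPLE_SUMMARY = """\
Snort received 39 packets
Analyzed: 39(100.000%)
Dropped: 0(0.000%)
Breakdown by protocol:
TCP: 0 (0.000%)
UDP: 18 (46.154%)
ICMP: 0 (0.000%)
ARP: 17 (43.590%)
ETHLOOP: 1 (2.564%)
OTHER: 1 (2.564%)
"""

# Matches counter lines such as "TCP: 0 (0.000%)" or "Dropped: 0(0.000%)".
COUNTER = re.compile(r"^[ \t]*([A-Za-z0-9]+):[ \t]*(\d+)[ \t]*\(", re.MULTILINE)
RECEIVED = re.compile(r"Snort received (\d+) packets")

def parse_summary(text):
    """Return {'RECEIVED': n, 'TCP': n, ...} from Snort's exit summary."""
    counts = {name.upper(): int(value) for name, value in COUNTER.findall(text)}
    match = RECEIVED.search(text)
    if match is None:
        raise ValueError("no 'Snort received N packets' line found")
    counts["RECEIVED"] = int(match.group(1))
    return counts

def placement_warnings(counts, min_packets=30, max_arp_share=0.25):
    """Heuristic placement checks; both thresholds are assumptions."""
    total = counts["RECEIVED"]
    if total < min_packets:
        return ["sample too small to judge placement"]
    warnings = []
    if counts.get("DROPPED", 0) > 0:
        warnings.append("sensor dropped %d packets" % counts["DROPPED"])
    if counts.get("TCP", 0) == 0:
        warnings.append("no TCP seen: probably only broadcast/multicast reaches this port")
    arp_share = counts.get("ARP", 0) / total
    if arp_share > max_arp_share:
        warnings.append("ARP is %.0f%% of traffic: check port mirroring" % (arp_share * 100))
    return warnings

if __name__ == "__main__":
    for warning in placement_warnings(parse_summary(SAMPLE_SUMMARY)):
        print("WARNING:", warning)
```

Run against the summary above, it reports both the missing TCP and the ARP share; a sensor fed by a mirrored router port should produce no warnings.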

Some other useful Snort options are:

  • -l Log to a directory
  • -E Log to the NT event viewer
  • -c <rules> Specify a certain rule to alert on. Snort comes with 38 rules, located at c:\snort\rules
  • -w Show 802.11 wireless management and control frames if you are using IDS on a wireless network

For full documentation on how to use Snort, a complete Snort Manual is available at this website: Snort Official Documentation

Snorting out intruders for free

Snort is a very powerful intrusion detection and packet capture system. Complex rules can be written to identify just about any type of traffic going across the network and perform some action. As Snort is a feature-rich product, its configuration can also be complex. Keep in mind that you can save thousands of dollars by using Snort instead of a commercial IDS system. On the other hand, you may also spend many hours configuring and tweaking Snort.
