Intrusion detection can be a confusing issue for system administrators. When an intrusion detection system (IDS) is developed, there are several issues to deal with, including:
- · How to monitor the system for intrusion attempts.
- · What traffic should be monitored.
- · How to log intrusion attempts.
- · What to do when an intrusion attempt is detected.
There are several packages available to automate and simplify the process of intrusion detection, and Snort is one of the best. Although Snort has been described as a “lightweight” intrusion detection system, this description refers more to the ease with which Snort may be deployed on a small- to medium-sized network than the capabilities of this highly flexible utility. In this Daily Drill Down, we will cover the procedures for installing and configuring Snort to run on a Linux system.
Downloading and installing Snort
For this Daily Drill Down, I installed Snort on a system running Red Hat 7.0. Although there may be differences between distributions, the procedures will be similar on all Linux and UNIX systems.
Before installing Snort, the packet capture library, libpcap, must first be installed. The libpcap package is available from LBNL's Network Research Group and is also available from most Linux vendors. Once libpcap is downloaded, run the following commands as root to install and configure libpcap:
tar -zxvf libpcap.tar.Z
make install ; make install-incl; make install-man
Once you have libpcap installed, you're ready to install Snort.
For this Daily Drill Down, I used snort-1.7-1.i386.rpm, which can be had from the Official Snort Web site. Once Snort is downloaded, install the rpm package with the command:
rpm -ivh snort-1.7-1.i386.rpm
If the installation proceeds with no problems, the files and directories listed in Table A will be created on your system.
|/usr/bin/snort||This is the binary executable for Snort.|
|/etc/snort||This directory contains the Snort configuration file and the Snort rulesets.|
|/usr/share/doc/snort||This is the documentation for Snort.|
In order to use Snort correctly, the network interface card (NIC) must be running in promiscuous mode. When promiscuous mode is enabled, the NIC listens to all traffic on the network segment it is located on. On most Linux systems, the NIC is placed in promiscuous mode with the following command: /sbin/ifconfig -eth0 -promisc
Configuring logging for Snort
The default Snort installation uses the directory /var/log/snort for logging messages generated by Snort. To create this directory on your system, run the following command as root:
The real strength of Snort lies in its ability to employ rulesets to monitor network traffic. The rulesets for Snort are contained within the lib files in the /etc/snort directory. The current release of Snort comes with 18 existing rulesets. All rulesets use the following naming convention:
For example, you could use:
Each library contains a ruleset. These rulesets determine which action will be taken when a particular intrusion attempt is detected. All rules contain two sections: the rule header and the rule options. The rule header defines the following properties:
- · The action taken by the rule when an intrusion attempt is detected
- · The protocol the rule applies to
- · The source and destination IP addresses and netmask(s) affected by the rule
- · The source and destination ports
The rule options section defines these properties:
- · Which part of an IP packet to inspect for compliance with a specific rule
- · Any alert messages issued when an intrusion attempt is detected
There are five types of actions that may be performed by a Snort rule:
- 1. Alert: Generates an alert message
- 2. Log: Logs the specified IP packet
- 3. Pass: Ignores the specified IP packet
- 4. Activate: Sends an alert message and then activates a dynamic rule
- 5. Dynamic: Activated by an activate rule, this rule then acts as a log rule
Table B lists the options that may be used with Snort rulesets.
|content||Searches incoming or outgoing packets for specified content.|
|flags||Tests TCP flags on IP packets for specified settings.|
|ttl||Checks the time-to-live on IP packets.|
|itype||Looks for matches on the ICMP type field.|
|Icode||Looks for matches on the ICMP code field.|
|minfrag||Sets the minimum value for IP fragmentation.|
|Id||Checks the IP header for a specified value.|
|ack||Checks for a specified acknowledgement number.|
|seq||Checks for a specified TCP sequence number.|
|logto||Logs packets matching this rule to the specified file.|
|dsize||Checks the size of the packet payload.|
|offset||Used to modify the content option. Specifies the number of bytes from the start position to begin searching content.|
|depth||Used to modify the content option. Specifies the number of bytes from the start position to search.|
|msg||Specifies the message sent when a rule is matched.|
Now let's look at a typical Snort rule and how it functions. A typical rule would look like this.
This rule uses the following procedures:
- · The alert option is used. This means that the administrator will be notified when an intrusion attempt is detected.
- · The protocol being monitored is the User Datagram Protocol (UDP).
- · Traffic from any source IP address outside the local network and from any source port will be monitored (!$HOME_NET any).
- · Any UDP traffic destined for port 31337 on the monitoring machine will generate the alert message “Backdoor - Back Orifice.”
Now let's look at another rule. The rule shown here is set to monitor the protocol used with an incoming packet and the port the packet is attempting to access. This rule is meant to monitor attempts to connect to an FTP server using SATAN.
Now let’s look at how this rule monitors intrusion attempts:
- · This rule is monitoring IP addresses from outside the local network on any source port.
- · The protocol being monitored is the Transport Control Protocol (TCP).
- · The port being monitored on the local network is port 21 ($HOME_NET 21).
- · The TCP flags are set at push (P) and ACK (A).
- · Incoming packets must contain "pass -satan.''
- · Whenever all of these conditions are met, this rule will log the message "Port 21-scanned-SATAN.''
Writing rules for Snort
How to write rules for Snort is beyond the scope of this Daily Drill Down. Until you have gotten some experience using Snort and, more importantly, experience with the TCP/IP protocol suite, the best option is to use prepackaged rulesets, which are available from the Snort Web site. These rules are reliable and are available for almost any situation you might face as an administrator.
Snort is typically run in one of the following three modes:
- 1. Packet sniffer: Snort reads IP packets and displays them on the console.
- 2. Packet Logger: Snort logs IP packets.
- 3. Intrusion Detection System: Snort uses rulesets to inspect IP packets. When an IP packet matches the characteristics of a given rule, Snort may take one or more actions.
The mode Snort is run in depends on which flags are used with the Snort command. Table C lists the flags available with the Snort command.
|-v||View packet headers at the console.|
|-d||View application data with IP headers.|
|-D||Run Snort as a daemon.|
|-e||Show data-link layer headers.|
|-l||Run in packet logger mode.|
|-h||Log information relative to the home network.|
|-b||Log information to a single binary file in the logging directory.|
|-r||Read packets contained in a log file.|
|N||Disable packet logging.|
|-c||Specifies which file will be used to provide a ruleset for intrusion detection.|
Let's look at how the snort command might be used to specify how Snort runs. To view IP packet headers at console, use the command:
To run Snort in packet logging mode, use the command:
snort -dev -l /var/log/snort
The -l option
When the -l option is used, Snort knows that packet logging mode is selected.
If Snort is run in packet logging mode with only the -l option set, there may be problems when Snort names the directory where it stores packets. Suppose I am running Snort from a host on the 192.168.10.0 network and I want Snort to log packets related to the 192.168.20.0 network on the local host. To ensure that Snort names the log directories based on the name of the remote host, I would use the command:
snort -dev /var/log/snort -h 192.16820.0/24
The above command tells Snort that I want to log data-link, IP header, and application data into /var/log/snort. This command also ensures that the packets being logged are stored in directories relative to the remote (192.168.20.0) network address. These directories will be created as subdirectories of /var/log/snort.
Logging packets in binary format is a little different. Because binary mode logs all packets in the same format used by tcpdump, all packets are logged to a single binary file in the logging directory.
To log packets in binary format to /var/log/snort, use the command
snort -l /var/log/snort -b
Running Snort in Intrusion Detection mode
The problem with running Snort in packet sniffing mode or packet logging mode is that all packets are logged. This will create a huge amount of information to sort through. When run in Network Intrusion Detection mode, Snort will not record all packets. The only packets logged are the ones that match a specific rule. The simplest way to run Snort for intrusion detection is to log packets in ASCII text to a hierarchical directory structure. If no log file is specified, packets are logged to /var/snort /log. To run Snort for intrusion detection and log all packets relative to the 192.168.10.0 network, use the command:
snort -d -h 192.168.10.0 -l -c snort.conf
The option -c snort.conf tells Snort to use the default /etc/snort.conf file created when Snort was installed. This file instructs Snort to use all of the rulesets contained in the lib files created in /etc/snort when Snort was installed.
Using Snort with Samba
Snort may also be configured to send to workstations connected to the server through Samba.
To use this mode, the source code for Snort must be configured with the options:
Pros and cons of using Snort
- · Snort is quickly installed and running on your network.
- · Snort rules are fairly easy to write.
- · Snort has good support available on the Snort site, as well as its own listserv.
- · Snort is easy to employ as a distributed intrusion detection system (IDS).
- · Snort is free. This is good news for administrators who need a cost-effective IDS.
- · The administrator must develop customized logging and reporting methods.
- · Snort does not support token ring.
- · Although Snort is flexible, it does lack some features found in commercial intrusion detection systems.
- · Snort rules must be developed carefully. This is necessary to reduce the number of false alarms of information generated and to reduce the amount of information logged.
Snort may be used in a variety of ways, including as a packet sniffer, packet logger, or an intrusion detection system (IDS). With the ability to use rulesets to monitor IP packets, Snort is an excellent choice for administrators responsible for security on small- to medium-sized networks.
The ease with which Snort may be deployed on a network allows for the quick installation of a flexible and very cost-effective IDS.