Detect intruders on your network with Snort


Snort is a Network Intrusion Detection System (NIDS): it captures and analyzes packets on a network to determine whether a system is being attacked remotely. Most Linux distributions package Snort, so installing it is simply a matter of running urpmi, apt-get, or yum. Snort can write what it collects to a variety of destinations for later analysis, be it flat files or a database such as PostgreSQL or MySQL, and it can be run as a simple packet sniffer, a packet logger, or a full-blown NIDS.

Once Snort is installed, it can be used right away. Simply executing:

# snort -v

will put Snort into packet sniffing mode; the packets Snort sees scroll by on the screen. To exit, press Ctrl-C and you will see a brief summary of what Snort detected. To see even more information, including the application-layer payload as tcpdump can show it, use the -vd option instead.

To have Snort log data, simply tell it where to write the information. In the next example, Snort logs to the /usr/local/log/snort directory, so make sure that directory exists first.

# snort -l /usr/local/log/snort -d

Snort will log the packets to a binary file named after the capture time, such as /usr/local/log/snort/snort.log.1199665001. To view the log, run Snort with the -r option to replay the captured data.

# snort -r /usr/local/log/snort/snort.log.1199665001
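The two steps above (create the log directory before `snort -l`, then replay the newest capture with `snort -r`) are easy to script. The following is an added example, not code from the article or from the Snort project. It assumes the snort.log.<epoch> naming shown above; the 0750 mode is a choice made here because `-d` records packet payloads, so the captures should not be readable by every local user. The same helper applies to the default /var/log/snort/ directory used in NIDS mode.

```shell
#!/bin/sh
# Added example (not from the article or the Snort project).
# prepare_log_dir: make sure the -l directory exists, is writable and is not
# world-readable, since -d stores full packet payloads in the captures.
# newest_snort_log: pick the most recent snort.log.<epoch> file for "snort -r".
# Assumption: capture files are named snort.log.<epoch> as in the article.

prepare_log_dir() {
    dir="$1"
    mkdir -p "$dir" || return 1
    chmod 0750 "$dir"
    # Snort has to be able to write here; refuse to go on otherwise.
    [ -w "$dir" ] || { echo "$dir is not writable" >&2; return 1; }
}

newest_snort_log() {
    dir="$1"
    # Compare the epoch suffixes numerically; a plain "ls" sorts lexically,
    # so a shorter or malformed suffix could end up looking newest.
    for f in "$dir"/snort.log.*; do
        [ -f "$f" ] || continue
        echo "${f##*/snort.log.} $f"
    done | sort -n | tail -n 1 | cut -d' ' -f2-
}

# Constructed sample: three empty captures with article-style names.
demo_dir=$(mktemp -d)/snort
prepare_log_dir "$demo_dir"
for ts in 1199665001 1199668601 1199672201; do
    : > "$demo_dir/snort.log.$ts"
done
latest=$(newest_snort_log "$demo_dir")
echo "replay the newest capture with: snort -r $latest"
```

In real use, pass the directory from the `-l` option to `prepare_log_dir` before starting Snort, and feed the path returned by `newest_snort_log` to `snort -r`.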

Using Snort as a NIDS takes a little more work: you must configure Snort appropriately using the configuration file /etc/snort/snort.conf. Be warned, this configuration file can be quite hefty! Some of the rules available on the Snort Web site may be packaged with Snort, depending on the Linux distribution.

The Snort rules can be downloaded from http://www.snort.org/pub-bin/downloads.cgi. The community rules are available for anyone to use and are most likely to be bundled with any prepackaged vendor-supplied copies of Snort. You can also subscribe to receive updated rules from Sourcefire on a regular basis.

Once you have downloaded a rules package, such as the Community-Rules-CURRENT.tar.gz file, unpack it on the system where Snort is installed, in the directory that holds the Snort configuration:

# cd /etc/snort
# tar xvzf Community-Rules-CURRENT.tar.gz

The new rules will now be in the rules/ directory.

To enable them, edit snort.conf and add:

var RULE_PATH rules
include $RULE_PATH/sql.rules
include $RULE_PATH/icmp.rules
...

Include whichever rule files you want loaded. Snort can now be started with the configuration file /etc/snort/snort.conf, which will in turn load the downloaded rules:

# snort -c /etc/snort/snort.conf

Snort prints information about its initialization to the screen and then starts logging packets that match the defined rules. The rules determine what Snort logs and what it ignores, so unlike sniffer mode, the generated logs are much smaller because only packets "of consequence" are recorded. By default these logs are stored in /var/log/snort/ and can be replayed with Snort's -r option as noted previously.
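Because every `include $RULE_PATH/...` line in snort.conf must point at a file that actually exists, a typo or a rules file that was never unpacked only surfaces when `snort -c` fails at startup. The script below checks the includes beforehand. It is an added example, not code from the article or from the Snort project; it assumes RULE_PATH is set with `var RULE_PATH <dir>` as shown above, and resolves a relative RULE_PATH or include against the directory that holds snort.conf.

```shell
#!/bin/sh
# Added example (not from the article or the Snort project): verify that every
# "include" in a snort.conf names a readable file after $RULE_PATH is
# substituted, so a typo or a missing rules file is found before "snort -c".
# Assumptions: RULE_PATH comes from "var RULE_PATH <dir>" as in the article;
# relative paths are resolved against the directory holding snort.conf.

check_snort_includes() {
    cfg="$1"
    cfg_dir=$(dirname "$cfg")
    # Take the last "var RULE_PATH" definition seen (assumed to be the
    # effective one if the variable is defined more than once).
    rule_path=$(awk '$1 == "var" && $2 == "RULE_PATH" { p = $3 } END { print p }' "$cfg")
    if [ -z "$rule_path" ]; then
        echo "no 'var RULE_PATH' in $cfg" >&2
        return 1
    fi
    case "$rule_path" in
        /*) ;;                                 # absolute path, use as-is
        *)  rule_path="$cfg_dir/$rule_path" ;;
    esac

    missing=0
    # Comment lines start with '#', so only real "include" lines are listed.
    for inc in $(awk '$1 == "include" { print $2 }' "$cfg"); do
        case "$inc" in
            '$RULE_PATH'/*) inc="$rule_path/${inc#\$RULE_PATH/}" ;;
            /*) ;;
            *)  inc="$cfg_dir/$inc" ;;
        esac
        if [ ! -r "$inc" ]; then
            echo "missing rules file: $inc" >&2
            missing=$((missing + 1))
        fi
    done
    echo "$missing missing include(s) in $cfg"
    [ "$missing" -eq 0 ]
}

make_sample_conf() {
    # Constructed sample: a config directory with one real rules file and one
    # include (icmp.rules) whose file was never unpacked.
    d=$(mktemp -d)
    mkdir -p "$d/rules"
    printf '# constructed, empty rules file\n' > "$d/rules/sql.rules"
    cat > "$d/snort.conf" <<'EOF'
# constructed snort.conf fragment
var RULE_PATH rules
include $RULE_PATH/sql.rules
include $RULE_PATH/icmp.rules
EOF
    echo "$d/snort.conf"
}

sample=$(make_sample_conf)
if check_snort_includes "$sample"; then
    echo "ok, start with: snort -c $sample"
else
    echo "fix the includes listed above before running: snort -c $sample"
fi
```

Run it as `check_snort_includes /etc/snort/snort.conf` after unpacking a new rules package; a non-zero exit means at least one included file is missing and Snort would refuse to start.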


About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.

18 comments
john3347

Wish there were an equivalent application that ordinary people could learn how to download and use.

JerkyChew

Can anybody recommend a tool that will parse these logs into something human readable? Perhaps a webpage like Nagios / Webmin / Splunk / Spiceworks? It would be nice to be able to view and sort the resulting logs to get a better idea of what's going on.

BALTHOR

I think that retail cashier computers run Windows in the CPU from a BIOS taskbar at a very high clock speed. They access or log on to the Government Torrent network. Hackers use this method along with virus to invade systems. Stolen computers or fraudulent retail stores.

NaughtyMonkey

Sguil. It took a lot to get running, but is the greatest tool I have ever used. We use Snort and Sguil and have great visibility of our network.

DanLM

Snort will use every bit of memory you have. There is an option (don't ask me where) to run at a minimum... I had to do that; it would not start because it required so much memory. There are a boatload of rule files, most of which I wanted to use... Those suckers will load into my memory to be real time, thus.. Also, be ready to spend the first week tweaking what you want to appear in your logs... I had a partition fill up because of logs.... That sucker blew chunks all over. This machine was a 1.8 AMD with a gig of memory, FreeBSD 6.1 I think. I am not trying to talk anyone out of using Snort, trust me. What I am trying to do is warn you that you must spend time fine-tuning it... Be ready for the following:

1). Decide what rules you want to load... And you have a bunch of choices.
2). Be ready to fine-tune how much resources this will use.
3). Be ready to fine-tune what you want to appear in your logs. *** This can be broken down to individual rules... And there are thousands of rules.
4). Be ready to take the time to review these logs and tune it further.

I am NOT trying to talk anyone out of using Snort. I am trying to WARN you that it requires work. It is not a ready, lock and load application. I decided not to use it (actually, I was just lazy). I will probably go back to it, but I will be much more careful this time around... Dan

Dumphrey

attach it to a port mirrored on the gateway port?

jrosewicz

If only it were that easy. Setting it up as an IDS is full of fun anomalies and many web searches. Then you have to tune it down to make the logs manageable on a busy network. It is a great tool once you get it working though.

Neon Samurai

Get out of my head!! hehe.. I was just adding Snort to my systems at home. This is going directly to PDF for reference after the work day ends. (The author should really be the one to start the forum after each of their articles, but since they didn't: First Post!)

jrosewicz

Try WinIDS, which is a Windows-based install of Snort with a built-in Web interface. Check out "www.winsnort.com". It has a very noob-friendly step-by-step guide to installing Snort and setting up the configs. It even walks you through setting up a website interface and allows you to set up automated email alerts.

jrosewicz

I use BASE/ACID to view the logs. It's a fairly basic Web interface, but it gives me all the information I need.

catseverywhere

Razorback is a minimalistic GUI for Snort logs. Not very useful, tho. There's supposed to be some kind of web interface, IIRC, but I could never get it working. I concur with the opinion that Snort is a lot of work. I'd add that the latest rules are not free; you have to subscribe, or wait a month or so to get the latest. This might be a show stopper depending on your needs. And Snort will indeed suck up your available memory. All these factors are why I haven't used Snort in a couple of years now. If I were going to use it I would feel compelled to subscribe.

seanferd

to XSS. P4P will give the Government even More Control.

jdclyde

it "should" have the option to mirror everything to that port.

catseverywhere

Never heard of it, thanks for the info. I'll have to look into BASE/ACID. Razorback is pretty lame...

Dumphrey

All our cash registers were computers with a touch screen instead of mouse/keyboard. When it booted up there was a BIOS screen; it ran an embedded Windows 2000 system on an 800 MHz Pentium with 256 RAM. All of this was connected by Cat 5 to a Cisco router with a VPN to home office. Credit cards were all done by dial-up. The system would be vulnerable once an attack vector could be found.

Dumphrey

That would be a ton o' traffic getting dumped to one port. But without doing that, you would not get much of an accurate picture. But as Neon was saying, putting it at the head of the line lets it act as an IDS.... Hmmm. Maybe after I get Nagios up and running I'll work on Snort. Also, I have no idea how to mirror ports in CatOS on our 4006; I can manage in IOS, but not CatOS. Freakin Cisco...

Neon Samurai

ISP connection hits firewall, Snort, AV and other detection services in series before it hits the switch appliance. It's another option anyhow.