Using Snort for intrusion detection

Intrusion detection can be a confusing issue for system administrators. When an intrusion detection system (IDS) is developed, there are several issues to deal with, including:

• ·        How to monitor the system for intrusion attempts.
• ·        What traffic should be monitored.
• ·        How to log intrusion attempts.
• ·        What to do when an intrusion attempt is detected.

There are several packages available to automate and simplify the process of intrusion detection, and Snort is one of the best. Although Snort has been described as a “lightweight” intrusion detection system, this description refers more to the ease with which Snort may be deployed on a small- to medium-sized network than the capabilities of this highly flexible utility. In this Daily Drill Down, we will cover the procedures for installing and configuring Snort to run on a Linux system.

Downloading and installing Snort
For this Daily Drill Down, I installed Snort on a system running Red Hat 7.0. Although there may be differences between distributions, the procedures will be similar on all Linux and UNIX systems.

Before installing Snort, the packet capture library, libpcap, must first be installed. The libpcap package is available from LBNL’s Network Research Group and is also available from most Linux vendors. Once libpcap is downloaded, run the following commands as root to install and configure libpcap:
tar -zxvf libpcap.tar.Z
cd libpcap-0.4
./configure
make install ; make install-incl; make install-man

Once you have libpcap installed, you’re ready to install Snort.

For this Daily Drill Down, I used snort-1.7-1.i386.rpm, which can be had from the Official Snort Web site. Once Snort is downloaded, install the rpm package with the command:
rpm -ivh snort-1.7-1.i386.rpm

If the installation proceeds with no problems, the files and directories listed in Table A will be created on your system.

Configuring logging for Snort

The default Snort installation uses the directory

for logging messages generated by Snort. To create this directory on your system, run the following command as root:

mkdir /var/log/snort

Snort rulesets
The real strength of Snort lies in its ability to employ rulesets to monitor network traffic. The rulesets for Snort are contained within the lib files in the /etc/snort directory. The current release of Snort comes with 18 existing rulesets. All rulesets use the following naming convention:
<ruleset-name>-lib

For example, you could use:
scan-lib.

Each library contains a ruleset. These rulesets determine which action will be taken when a particular intrusion attempt is detected. All rules contain two sections: the rule header and the rule options. The rule header defines the following properties:

• ·        The action taken by the rule when an intrusion attempt is detected
• ·        The protocol the rule applies to
• ·        The source and destination IP addresses and netmask(s) affected by the rule
• ·        The source and destination ports

The rule options section defines these properties:

• ·        Which part of an IP packet to inspect for compliance with a specific rule
• ·        Any alert messages issued when an intrusion attempt is detected

There are five types of actions that may be performed by a Snort rule:

1. 1.      Alert: Generates an alert message
2. 2.      Log: Logs the specified IP packet
3. 3.      Pass: Ignores the specified IP packet
4. 4.      Activate: Sends an alert message and then activates a dynamic rule
5. 5.      Dynamic: Activated by an activate rule, this rule then acts as a log rule

Table B lists the options that may be used with Snort rulesets.

Now let’s look at a typical Snort rule and how it functions. A typical rule would look like this.

This rule uses the following procedures:

• ·        The alert option is used. This means that the administrator will be notified when an intrusion attempt is detected.
• ·        The protocol being monitored is the User Datagram Protocol (UDP).
• ·        Traffic from any source IP address outside the local network and from any source port will be monitored (!$HOME_NET any).
• ·        Any UDP traffic destined for port 31337 on the monitoring machine will generate the alert message “Backdoor – Back Orifice.”

Now let’s look at another rule. The rule shown here is set to monitor the protocol used with an incoming packet and the port the packet is attempting to access. This rule is meant to monitor attempts to connect to an FTP server using SATAN.

Now let’s look at how this rule monitors intrusion attempts:

• ·        This rule is monitoring IP addresses from outside the local network on any source port.
• ·        The protocol being monitored is the Transport Control Protocol (TCP).
• ·        The port being monitored on the local network is port 21 ($HOME_NET 21).
• ·        The TCP flags are set at push (P) and ACK (A).
• ·        Incoming packets must contain “pass -satan.”
• ·        Whenever all of these conditions are met, this rule will log the message “Port 21-scanned-SATAN.”

Writing rules for Snort
How to write rules for Snort is beyond the scope of this Daily Drill Down. Until you have gotten some experience using Snort and, more importantly, experience with the TCP/IP protocol suite, the best option is to use prepackaged rulesets, which are available from the Snort Web site. These rules are reliable and are available for almost any situation you might face as an administrator.

Running Snort
Snort is typically run in one of the following three modes:

1. 1.      Packet sniffer: Snort reads IP packets and displays them on the console.
2. 2.      Packet Logger: Snort logs IP packets.
3. 3.      Intrusion Detection System: Snort uses rulesets to inspect IP packets. When an IP packet matches the characteristics of a given rule, Snort may take one or more actions.

The mode Snort is run in depends on which flags are used with the Snort command. Table C lists the flags available with the Snort command.

Let’s look at how the snort command might be used to specify how Snort runs. To view IP packet headers at console, use the command:
snort -v

To run Snort in packet logging mode, use the command:
snort -dev -l /var/log/snort

If Snort is run in packet logging mode with only the -l option set, there may be problems when Snort names the directory where it stores packets. Suppose I am running Snort from a host on the 192.168.10.0 network and I want Snort to log packets related to the 192.168.20.0 network on the local host. To ensure that Snort names the log directories based on the name of the remote host, I would use the command:

snort -dev /var/log/snort -h 192.16820.0/24

The above command tells Snort that I want to log data-link, IP header, and application data into /var/log/snort. This command also ensures that the packets being logged are stored in directories relative to the remote (192.168.20.0) network address. These directories will be created as subdirectories of /var/log/snort.

Logging packets in binary format is a little different. Because binary mode logs all packets in the same format used by tcpdump, all packets are logged to a single binary file in the logging directory.

To log packets in binary format to /var/log/snort, use the command
snort -l /var/log/snort -b

Running Snort in Intrusion Detection mode
The problem with running Snort in packet sniffing mode or packet logging mode is that all packets are logged. This will create a huge amount of information to sort through. When run in Network Intrusion Detection mode, Snort will not record all packets. The only packets logged are the ones that match a specific rule. The simplest way to run Snort for intrusion detection is to log packets in ASCII text to a hierarchical directory structure. If no log file is specified, packets are logged to /var/snort /log. To run Snort for intrusion detection and log all packets relative to the 192.168.10.0 network, use the command:
snort -d -h 192.168.10.0 -l -c snort.conf

The option -c snort.conf tells Snort to use the default /etc/snort.conf file created when Snort was installed. This file instructs Snort to use all of the rulesets contained in the lib files created in /etc/snort when Snort was installed.

Using Snort with Samba
Snort may also be configured to send to workstations connected to the server through Samba.

To use this mode, the source code for Snort must be configured with the options:
./configure -enable-smbalerts

Pros and cons of using Snort
Pros:

• ·        Snort is quickly installed and running on your network.
• ·        Snort rules are fairly easy to write.
• ·        Snort has good support available on the Snort site, as well as its own listserv.
• ·        Snort is easy to employ as a distributed intrusion detection system (IDS).
• ·        Snort is free. This is good news for administrators who need a cost-effective IDS.

Cons:

• ·        The administrator must develop customized logging and reporting methods.
• ·        Snort does not support token ring.
• ·        Although Snort is flexible, it does lack some features found in commercial intrusion detection systems.
• ·        Snort rules must be developed carefully. This is necessary to reduce the number of false alarms of information generated and to reduce the amount of information logged.

Conclusion
Snort may be used in a variety of ways, including as a packet sniffer, packet logger, or an intrusion detection system (IDS). With the ability to use rulesets to monitor IP packets, Snort is an excellent choice for administrators responsible for security on small- to medium-sized networks.

The ease with which Snort may be deployed on a network allows for the quick installation of a flexible and very cost-effective IDS.