Snort
https://www.snort.org/
From the project site: "Snort is the foremost Open Source Intrusion Prevention System (IPS) in the world. Snort IPS uses a series of rules that help define malicious network activity and uses those rules to find packets that match against them and generate alerts for users."
Snort has three main use modes:
Sniffer Mode - Read IP packets and display them in the console.
Packet Logger Mode - Log all IP packets (inbound and outbound) that visit the network.
NIDS (Network Intrusion Detection System) and NIPS (Network Intrusion Prevention System) Modes - Log/drop the packets that are deemed as malicious according to the user-defined rules.
Before running Snort in any mode, make sure the configuration file is valid (see -T below). The configuration file is the all-in-one management file for Snort: rules, plugins, detection mechanisms, default actions and output settings are defined there. You can keep multiple configuration files for different purposes, but only one can be used at runtime.
-v
Verbose. Display the TCP/IP output in the console.
-d
Display the packet data (payload).
-e
Display the link-layer (second layer) headers, e.g. the Ethernet source and destination MAC addresses, in addition to the IP/TCP/UDP/ICMP headers.
-X
Display the full packet details in HEX.
-i
Define the network interface to listen on. If the host has multiple interfaces, this selects which one to sniff.
Example, to sniff traffic on eth0 in verbose mode.
sudo snort -v -i eth0
You can use Snort as a sniffer and log the sniffed packets via logger mode.
-l
Logger mode, target log and alert output directory. Default output folder is /var/log/snort
The default action is to dump as tcpdump format in /var/log/snort
-K ASCII
Log packets in ASCII format.
-r
Reading option, read the dumped logs in Snort.
-n
Specify the number of packets that will process/read. Snort will stop after reading the specified number of packets.
Example: Start the Snort instance in packet logger mode.
sudo snort -dev -l .
To read first 10 packets of a log:
snort -r snort.log.XXXX -n 10
"-r" parameter also allows users to filter the binary log files. You can filter the processed log to see specific packets with the "-r" parameter and Berkeley Packet Filters (BPF).
sudo snort -r logname.log -X
sudo snort -r logname.log icmp
sudo snort -r logname.log tcp
sudo snort -r logname.log 'udp and port 53'
Note that "-X" helps you to display the full packet details.
-c
Defining the configuration file.
-T
Testing the configuration file.
-N
Disable logging.
-D
Background mode.
-A
Alert modes;
full: Full alert mode, providing all possible information about the alert. This one also is the default mode; once you use -A and don't specify any mode, snort uses this mode.
fast: Fast mode shows the alert message, timestamp, source and destination IP, along with port numbers.
console: Provides fast style alerts on the console screen.
cmg: CMG style, basic header details with payload in hex and text format.
none: Disabling alerting.
Example: Investigate traffic with the default configuration file in full mode while logging the alert.
sudo snort -c /etc/snort/snort.conf -A full -l .
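The fast alert format above is the one most often fed into scripts and SIEM parsers, so here is an added example (written for this page, not Snort's own code) that parses fast-mode lines into records and counts hits per rule. The three alert lines are constructed to look like Snort 2 "-A fast" output rather than taken from a real sensor; the regex assumes IPv4 endpoints and treats the [Classification: ...] block as optional, which is how Snort prints rules that have no classtype.

```python
import re
from collections import Counter

# Constructed sample of Snort 2 "-A fast" output (not captured from a real
# sensor): two ICMP alerts without ports, one TCP alert with ports.
SAMPLE_FAST_ALERTS = """\
01/15-10:01:02.123456  [**] [1:1000001:1] ICMP Packet Found [**] [Priority: 0] {ICMP} 192.168.1.56 -> 10.0.0.1
01/15-10:01:03.223456  [**] [1:1000002:2] GET Request Found [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:49152 -> 192.168.1.10:80
01/15-10:01:04.323456  [**] [1:1000001:1] ICMP Packet Found [**] [Priority: 0] {ICMP} 192.168.1.56 -> 10.0.0.2
"""

# One fast-format line: timestamp, [gid:sid:rev], msg, optional classification,
# priority, {PROTO}, then src -> dst, with :port only for TCP/UDP. IPv4 only.
FAST_LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alert(line):
    """Return a dict for one fast-mode alert line, or None if it does not parse."""
    m = FAST_LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def parse_fast_alerts(text):
    """Parse every non-empty line; lines that do not parse are dropped, not guessed at."""
    records = []
    for line in text.splitlines():
        if line.strip():
            rec = parse_fast_alert(line)
            if rec:
                records.append(rec)
    return records


def summarize_by_rule(records):
    """Count alerts per (sid, msg): the first view to check when a rule is noisy."""
    return Counter((r["sid"], r["msg"]) for r in records)


if __name__ == "__main__":
    recs = parse_fast_alerts(SAMPLE_FAST_ALERTS)
    for (sid, msg), n in summarize_by_rule(recs).most_common():
        print(f"sid {sid}: {n} x {msg}")
```

Unparseable lines are returned as None rather than partially filled in, so a format change in a newer Snort build shows up as dropped records instead of silently wrong fields.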
-r / --pcap-single=
Read a single pcap
--pcap-list=""
Read pcaps provided in command (space separated).
--pcap-show
Show pcap name on console during processing.
Once you have a pcap file and process it with Snort, you will receive default traffic statistics with alerts depending on your ruleset.
Example: Investigate the file.pcap file with the default configuration file.
sudo snort -c /etc/snort/snort.conf -A full -l . -r file.pcap
Action
There are several actions for rules. Make sure you understand the functionality and test it before creating rules for live systems. The most common actions are listed below.
alert: Generate an alert and log the packet.
log: Log the packet.
drop: Block and log the packet.
reject: Block the packet, log it and terminate the session (a TCP reset for TCP, an ICMP port unreachable message for UDP).
Protocol
The protocol field identifies the protocol that the rule applies to.
Note that Snort2 supports only four protocols filters in the rules (IP, TCP, UDP and ICMP). However, you can detect the application flows using port numbers and options. For instance, if you want to detect FTP traffic, you cannot use the FTP keyword in the protocol field but filter the FTP traffic by investigating TCP traffic on port 21.
These parameters identify the source and destination IP addresses and associated port numbers filtered for the rule.
IP Filtering
alert icmp 192.168.1.56 any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
This rule will create alerts for each ICMP packet to or from the 192.168.1.56 IP address (the <> operator matches both directions).
Filter an IP range
alert icmp 192.168.1.0/24 any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
This rule will create alerts for each ICMP packet to or from the 192.168.1.0/24 subnet.
Filter multiple IP ranges
alert icmp [192.168.1.0/24, 10.1.1.0/24] any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
This rule will create alerts for each ICMP packet to or from the 192.168.1.0/24 and 10.1.1.0/24 subnets. Lists of addresses are written in square brackets, separated by commas.
Exclude IP addresses/ranges
The "negation operator" is used for excluding specific addresses and ports. It is written as "!":
alert icmp !192.168.1.0/24 any <> any any (msg: "ICMP Packet Found"; sid: 100001; rev:1;)
This rule will create alerts for each ICMP packet whose address on the negated side is not in the 192.168.1.0/24 subnet.
Port Filtering
alert tcp !192.168.1.0/24 21 <> any any (msg: "TCP Port 21 Found"; sid: 100001; rev:1;)
This rule will create alerts for each TCP packet on port 21 of a host outside 192.168.1.0/24 (in either direction, because of <>).
Exclude a specific port
alert tcp !192.168.1.0/24 !21 <> any any (msg: "TCP Port Not 21 Found"; sid: 100001; rev:1;)
This rule will create alerts for each TCP packet on any port except 21 of a host outside 192.168.1.0/24.
Filter a port range (Type 1)
alert tcp !192.168.1.0/24 1:1024 <> any any (msg: "TCP Low Port Found"; sid: 100001; rev:1;)
This rule will create alerts for each TCP packet on a port between 1 and 1024 (inclusive) of a host outside 192.168.1.0/24.
Filter a port range (Type 2)
alert tcp any :1024 <> any any (msg: "TCP Port <= 1024 Found"; sid: 100001; rev:1;)
This rule will create alerts for each TCP packet with a port less than or equal to 1024. Note the protocol must be tcp (or udp): ip and icmp rules have no ports, so their port fields are written as "any".
Filter a port range (Type 3)
alert tcp any 1024: <> any any (msg: "TCP Port >= 1024 Found"; sid: 100001; rev:1;)
This rule will create alerts for each TCP packet with a port higher than or equal to 1024.
Filter a port range (Type 4)
alert tcp any [80,1024:] <> any any (msg: "TCP Port 80 or >= 1024 Found"; sid: 100001; rev:1;)
This rule will create alerts for each TCP packet with port 80 or a port higher than or equal to 1024. As with addresses, a list of ports or ranges must be written in square brackets, separated by commas.
The direction operator indicates the traffic flow to be filtered by Snort. The left side of the rule shows the source, and the right side shows the destination.
-> Source to destination flow.
<> Bidirectional flow
There are three main rule options in Snort;
General Rule Options - Fundamental rule options for Snort.
Payload Rule Options - Rule options that help to investigate the payload data. These options are helpful to detect specific payload patterns.
Non-Payload Rule Options - Rule options that focus on non-payload data. These options will help create specific patterns and identify network issues.
Remember, once you create a rule, it is a local rule and should be in your "local.rules" file. This file is located under "/etc/snort/rules/local.rules"
Msg
The message field is a basic prompt and quick identifier of the rule. Once the rule is triggered, the message field appears in the console or log. Usually the message is a one-liner that summarises the event.
Sid
Snort rule IDs (SID) come with pre-defined scopes, and each rule must have a SID in the proper range. There are three scopes:
<100: Reserved for future use.
100-999,999: Rules that ship with the Snort distribution.
>=1,000,000: Rules created by users.
Briefly, the rules we create should have a sid of 1,000,000 or higher. Another important point: SIDs must not overlap; each id must be unique across the whole rule set, not just within one file.
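The header and SID rules above are easy to get slightly wrong (a port list without brackets, ports on an icmp rule, a sid in the wrong range, a sid reused in another file), and Snort only tells you at -T time. Here is an added example, written for this page and not Snort's own parser, that checks a batch of rule strings for exactly those mistakes; the six sample rules are constructed for it. It assumes the msg value contains no "(" or ";", accepts $VARIABLE names in address and port fields without resolving them, and treats ports on an ip/icmp rule as an error rather than merely ignoring them.

```python
import ipaddress
import re

# Added example for this page, not Snort's parser: a syntax checker for the
# Snort 2 rule headers and general options described above.
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}      # the only protocols Snort 2 rules take
LOCAL_SID_MIN = 1_000_000                      # <100 reserved, 100-999,999 shipped rules
PORT_ITEM_RE = re.compile(r"^(?:any|\d+|\d+:\d*|:\d+)$")


def _tokenize_header(header):
    """Split on whitespace, but keep a bracketed list such as [a, b] together."""
    tokens, cur, depth = [], "", 0
    for ch in header:
        depth += (ch == "[") - (ch == "]")
        if ch.isspace() and depth == 0:
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    return tokens + ([cur] if cur else [])


def _items(spec):
    """Strip a leading '!' and expand [a,b] into items; returns (items, bracketed)."""
    spec = spec[1:] if spec.startswith("!") else spec
    if spec.startswith("[") and spec.endswith("]"):
        return [s.strip() for s in spec[1:-1].split(",")], True
    return [spec], False


def ip_spec_problems(spec):
    problems = []
    for item in _items(spec)[0]:
        item = item[1:] if item.startswith("!") else item
        if item == "any" or item.startswith("$"):      # 'any' or a variable like $HOME_NET
            continue
        try:
            ipaddress.ip_network(item, strict=False)
        except ValueError:
            problems.append(f"bad address {item!r}")
    return problems


def port_spec_problems(spec):
    items, bracketed = _items(spec)
    if "," in spec and not bracketed:
        return [f"port list {spec!r} must be written in brackets, e.g. [80,1024:]"]
    problems = []
    for item in items:
        item = item[1:] if item.startswith("!") else item
        if item == "any" or item.startswith("$"):
            continue
        if not PORT_ITEM_RE.match(item):
            problems.append(f"bad port item {item!r}")
        elif any(int(n) > 65535 for n in item.split(":") if n):
            problems.append(f"port out of range in {item!r}")
    return problems


def parse_options(body):
    """'msg:"x"; sid:1; nocase;' -> {'msg': 'x', 'sid': '1', 'nocase': ''}; assumes no ';' inside values."""
    opts = {}
    for part in body.split(";"):
        if part.strip():
            key, _, val = part.strip().partition(":")
            opts[key.strip()] = val.strip().strip('"')
    return opts


def check_rule(rule):
    """Return (sid or None, list of problems) for one rule string."""
    problems = []
    head, sep, rest = rule.strip().partition("(")        # assumes no '(' inside msg
    if not sep or not rest.endswith(")"):
        return None, ["options must be enclosed in ( ... )"]
    tokens = _tokenize_header(head)
    if len(tokens) != 7:
        return None, [f"header has {len(tokens)} fields, expected 7"]
    action, proto, src, sport, direction, dst, dport = tokens
    for name, value, allowed in (("action", action, ACTIONS), ("protocol", proto, PROTOCOLS),
                                 ("direction", direction, {"->", "<>"})):
        if value not in allowed:
            problems.append(f"bad {name} {value!r}")
    problems += ip_spec_problems(src) + ip_spec_problems(dst)
    problems += port_spec_problems(sport) + port_spec_problems(dport)
    if proto in ("icmp", "ip") and (sport, dport) != ("any", "any"):
        problems.append(f"{proto} has no ports; write 'any any'")
    opts = parse_options(rest[:-1])
    sid = int(opts["sid"]) if opts.get("sid", "").isdigit() else None
    if sid is None:
        problems.append("missing numeric sid")
    elif sid < LOCAL_SID_MIN:
        problems.append(f"sid {sid} is outside the local range (>= {LOCAL_SID_MIN})")
    if not opts.get("msg"):
        problems.append("missing msg")
    if not opts.get("rev", "").isdigit():
        problems.append("missing numeric rev")
    return sid, problems


def check_rules(rules):
    """Check each rule and flag sids reused anywhere in the set."""
    seen, report = {}, []
    for n, rule in enumerate(rules, 1):
        sid, problems = check_rule(rule)
        if sid is not None and sid in seen:
            problems.append(f"sid {sid} already used by rule {seen[sid]}")
        elif sid is not None:
            seen[sid] = n
        report.append({"rule": rule, "sid": sid, "problems": problems})
    return report


# Constructed rules: two good ones, then four showing common mistakes.
SAMPLE_RULES = [
    'alert icmp 192.168.1.0/24 any <> any any (msg:"ICMP Packet Found"; sid:1000001; rev:1;)',
    'alert tcp !192.168.1.0/24 1:1024 -> any any (msg:"Low source port"; sid:1000002; rev:1;)',
    'alert icmp any :1024 <> any any (msg:"Ports on ICMP"; sid:1000003; rev:1;)',
    'alert tcp any 80,1024: <> any any (msg:"Unbracketed port list"; sid:1000004; rev:1;)',
    'alert tcp any any -> any 80 (msg:"Reused sid"; content:"GET"; sid:1000001; rev:2;)',
    'alert tcp [192.168.1.0/24,10.1.1.0/24] any -> any [80,443] (msg:"Sid in shipped range"; sid:100001; rev:1;)',
]
```

Run check_rules over the concatenated contents of every .rules file you load, not one file at a time; the duplicate-sid check is only meaningful across the whole set that snort.conf includes.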
Reference
Each rule can have additional information or reference to explain the purpose of the rule or threat pattern. That could be a Common Vulnerabilities and Exposures (CVE) id or external information. Having references for the rules will always help analysts during the alert and incident investigation.
Rev
Snort rules are modified and updated over time for performance and accuracy. The rev option carries the revision number of a rule, so analysts can tell which version of a rule fired and follow its improvements. Each revision bumps the rev number, but Snort keeps no backup of earlier versions; analysts must keep the rule history themselves (for example in version control). The rev option is only a counter of how many times the rule has been revised.
alert icmp any any <> any any (msg: "ICMP Packet Found"; sid: 100001; reference:cve,CVE-XXXX; rev:1;)
Content
Payload data. Matches specific payload bytes given as ASCII, hex or both. The option can be used multiple times in a single rule; however, every additional content match adds inspection time per packet.
The following rules create an alert for each TCP packet to port 80 whose payload contains "GET". The content option is case sensitive!
ASCII mode - alert tcp any any <> any 80 (msg: "GET Request Found"; content:"GET"; sid: 100001; rev:1;)
HEX mode - alert tcp any any <> any 80 (msg: "GET Request Found"; content:"|47 45 54|"; sid: 100001; rev:1;)
Nocase
Disabling case sensitivity. Used for widening content searches.
alert tcp any any <> any 80 (msg: "GET Request Found"; content:"GET"; nocase; sid: 100001; rev:1;)
Fast_pattern
Prioritise one content match to speed up the payload search. By default, Snort hands the longest content of a rule to the fast pattern matcher and only evaluates the rest of the rule on packets that pass that pre-filter. The fast_pattern option lets you pick which content is used for that initial match instead. The fast pattern matcher is always case insensitive, and the option can be used once per rule. It is optional, but worth setting when a rule has several content options and the longest one is not the most selective.
The following rule has two content options, and the fast_pattern option tells Snort to use the first content option (in this case, "GET") for the initial packet match.
alert tcp any any <> any 80 (msg: "GET Request Found"; content:"GET"; fast_pattern; content:"www"; sid:100001; rev:1;)
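The three content sections above (content, nocase, fast_pattern) describe one matching pipeline, so here is an added example, written for this page rather than taken from Snort, that shows it end to end: a content value with |hex| segments converted to bytes, a case-sensitive versus nocase search, the default fast-pattern choice (longest content unless one is marked), and why a rule whose fast pattern matches can still miss. The two HTTP payloads are constructed; the only assumption is that the fast-pattern pre-filter is modelled as a plain case-insensitive substring search.

```python
import re

# Added example (not Snort's matcher): how a content value becomes bytes and
# is searched in a payload. Payloads below are constructed, not captured.
HEX_CHUNK_RE = re.compile(r"\|([0-9A-Fa-f ]*)\|")


def content_to_bytes(spec):
    """Convert a Snort content string to bytes.
    'GET' -> b'GET'; '|47 45 54|' -> b'GET'; 'GE|54| /' -> b'GET /' (mixed form)."""
    out, pos = bytearray(), 0
    for m in HEX_CHUNK_RE.finditer(spec):
        out += spec[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1))
        pos = m.end()
    out += spec[pos:].encode("latin-1")
    return bytes(out)


def content_matches(payload, spec, nocase=False):
    """One content option: a plain substring search, case-sensitive unless nocase."""
    needle = content_to_bytes(spec)
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload


def fast_pattern_choice(contents):
    """contents: list of (spec, nocase, fast_pattern). Snort hands the content
    marked fast_pattern, otherwise the longest content, to the fast pattern
    matcher as a pre-filter before the full rule is evaluated."""
    explicit = [c for c in contents if c[2]]
    chosen = explicit[0] if explicit else max(contents, key=lambda c: len(content_to_bytes(c[0])))
    return chosen[0]


def rule_matches(payload, contents):
    """All content options of a rule must match (they are ANDed). The fast
    pattern is checked first and case-insensitively, as the matcher does, so a
    miss there rejects the packet cheaply; a hit still needs the full check."""
    if not content_matches(payload, fast_pattern_choice(contents), nocase=True):
        return False
    return all(content_matches(payload, spec, nocase) for spec, nocase, _ in contents)


# Constructed payloads: a normal request and one with a lowercase method.
HTTP_GET = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
HTTP_GET_LOWER = b"get / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
```

The last case in the test is the one worth remembering: the case-insensitive fast pattern lets the lowercase "get" through the pre-filter, but the case-sensitive content check then fails, so the rule does not fire unless nocase is set on that content.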
There are rule options that focus on non-payload data. These options will help create specific patterns and identify network issues.
ID
Filtering the IP header ID field (a 16-bit value, so 0-65535).
alert tcp any any <> any any (msg: "ID TEST"; id:12345; sid: 100001; rev:1;)
Flags
Filtering the TCP flags.
F - FIN
S - SYN
R - RST
P - PSH
A - ACK
U - URG
alert tcp any any <> any any (msg: "FLAG TEST"; flags:S; sid: 100001; rev:1;)
Dsize
Filtering the packet payload size.
dsize:min<>max;
dsize:>100
dsize:<100
alert ip any any <> any any (msg: "DSIZE TEST"; dsize:100<>300; sid: 100001; rev:1;)
Sameip
Filtering for packets whose source and destination IP addresses are the same.
alert ip any any <> any any (msg: "SAME-IP TEST"; sameip; sid: 100001; rev:1;)
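The non-payload options above (id, flags, dsize, sameip) are mostly self-explanatory, except for flags, where the modifiers change the meaning a lot: flags:S matches only a bare SYN, flags:S+ matches SYN with anything else set, flags:*SA matches if either bit is set, flags:!S matches when SYN is clear, and a mask after a comma (e.g. ,CE) ignores the ECN bits. Here is an added example, written for this page and not taken from Snort, that evaluates these options against small dict "packets" constructed inline. It assumes the modifier can appear anywhere in the flags value, and it treats the end points of a dsize min<>max range as inclusive, which differs between Snort versions; the test only probes values well inside the range.

```python
# Added example for this page (not Snort code): evaluating the non-payload
# options id, flags, dsize and sameip against constructed packets.
TCP_FLAG_BITS = {
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20,
    "E": 0x40, "C": 0x80,   # ECE / CWR; the Snort 2 manual also spells them 2 / 1
    "2": 0x40, "1": 0x80,
}


def _flag_bits(letters):
    return sum(TCP_FLAG_BITS[c] for c in letters)


def flags_match(pkt_flags, spec):
    """Evaluate a Snort 'flags' value against a packet's TCP flag byte.

    spec is [!|*|+]<FSRPAUCE0>[,<mask>]: no modifier = exact match, '+' = these
    bits plus any others, '*' = any of these bits, '!' = none of these bits.
    Bits named after the comma are masked out before comparing. '0' means
    "no flags set". Assumption: the modifier may appear anywhere in the value.
    """
    want, _, mask = spec.partition(",")
    mode, bits = "exact", 0
    for ch in want:
        if ch in "+*!":
            mode = {"+": "all", "*": "any", "!": "not"}[ch]
        elif ch != "0":             # '0' contributes no bits
            bits |= TCP_FLAG_BITS[ch]
    flags = pkt_flags & ~_flag_bits(mask) & 0xFF
    if mode == "exact":
        return flags == bits
    if mode == "all":
        return (flags & bits) == bits
    if mode == "any":
        return (flags & bits) != 0
    return (flags & bits) == 0      # "not"


def dsize_match(payload_len, spec):
    """'100', '>100', '<100' or '100<>300'. Range end points are treated as
    inclusive here (assumption; Snort versions differ, so do not write rules
    that depend on the exact boundary)."""
    if "<>" in spec:
        lo, hi = (int(x) for x in spec.split("<>"))
        return lo <= payload_len <= hi
    if spec[0] == ">":
        return payload_len > int(spec[1:])
    if spec[0] == "<":
        return payload_len < int(spec[1:])
    return payload_len == int(spec)


def packet_matches(pkt, options):
    """AND together whichever non-payload options a rule carries."""
    checks = []
    if "flags" in options:
        checks.append(pkt["proto"] == "tcp" and flags_match(pkt["tcp_flags"], options["flags"]))
    if "dsize" in options:
        checks.append(dsize_match(len(pkt["payload"]), options["dsize"]))
    if options.get("sameip"):
        checks.append(pkt["src"] == pkt["dst"])
    if "id" in options:
        ip_id = int(options["id"])
        if not 0 <= ip_id <= 0xFFFF:
            raise ValueError("id must be a 16-bit value")
        checks.append(pkt["ip_id"] == ip_id)
    return all(checks)


# Constructed packets: a bare SYN, a SYN/ACK, and a Land-style spoof (src == dst).
SYN = {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.9", "tcp_flags": 0x02, "payload": b"", "ip_id": 12345}
SYNACK = {"proto": "tcp", "src": "10.0.0.9", "dst": "10.0.0.5", "tcp_flags": 0x12, "payload": b"", "ip_id": 4}
LAND = {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.5", "tcp_flags": 0x02, "payload": b"A" * 200, "ip_id": 7}
```

The SYN/ACK case shows the trap in the page's flags:S example: a rule meant to catch connection attempts with flags:S will not see SYN/ACK replies, and one written as flags:S+ will also fire on them.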