Snort Tutorial :
-------------------
3 Basic Modes :
--------------------
1. Sniffer Mode
2. Packet Logger Mode (Logs Packets to disk)
3. Network Intrusion Detection System (NIDS) , analyze network traffic as per Rules Defined by users.
Sniffer Mode :
------------------
[root@universe rules]# snort -v
10/23-16:53:37.964423 192.168.0.104:22 -> 192.168.0.102:51490
TCP TTL:64 TOS:0x10 ID:9175 IpLen:20 DgmLen:712 DF
***AP*** Seq: 0xE9BBEF63 Ack: 0x7C361CE8 Win: 0x4B60 TcpLen: 32
TCP Options (3) => NOP NOP TS: 2482891 2406025
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10/23-16:53:37.964504 192.168.0.104:22 -> 192.168.0.102:51490
TCP TTL:64 TOS:0x10 ID:9176 IpLen:20 DgmLen:360 DF
***AP*** Seq: 0xE9BBF1F7 Ack: 0x7C361CE8 Win: 0x4B60 TcpLen: 32
TCP Options (3) => NOP NOP TS: 2482891 2406025
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Display packet data + Headers :
---------------------------------
[root@universe rules]# snort -vd
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10/23-16:55:25.083474 192.168.0.104:22 -> 192.168.0.102:51490
TCP TTL:64 TOS:0x10 ID:10322 IpLen:20 DgmLen:168 DF
***AP*** Seq: 0xE9C66BA7 Ack: 0x7C364A68 Win: 0x4B60 TcpLen: 32
TCP Options (3) => NOP NOP TS: 2509669 2416736
87 45 00 A3 DC 71 91 72 AE 1E 8B B0 A6 A6 2E 56 .E...q.r.......V
9A 29 BE 45 64 80 28 71 5C 46 02 FF 52 FF 54 8B .).Ed.(q\F..R.T.
51 39 5D B0 3E 14 BA 5D 99 27 FA 89 D8 0C DC EC Q9].>..].'......
46 5A 27 29 DB DA E4 20 00 3B 93 3A C6 A4 43 A9 FZ')... .;.:..C.
E9 99 30 EC 69 5B 83 8D 46 9D DF FA C8 93 F9 04 ..0.i[..F.......
A4 02 28 33 4F CF 2D 15 EB 48 1D 55 C7 17 20 2A ..(3O.-..H.U.. *
F3 58 C7 73 EA A5 2D 3F 66 82 64 F3 AE 76 C3 42 .X.s..-?f.d..v.B
C8 52 A5 88 .R..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10/23-16:55:25.084084 192.168.0.104:22 -> 192.168.0.102:51490
TCP TTL:64 TOS:0x10 ID:10323 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0xE9C66C1B Ack: 0x7C364A68 Win: 0x4B60 TcpLen: 32
TCP Options (3) => NOP NOP TS: 2509669 2416736
46 18 30 B7 BD 5C A8 16 E8 38 87 49 A7 CA DF 6C F.0..\...8.I...l
AD 79 02 5F 17 A5 AF 17 6D 66 F6 E0 1F 3C 5B F9 .y._....mf...<[.
47 D4 CD 3C 62 03 D6 09 FB B3 B2 F5 4F 10 3C 05 G..
34 BA 04 EB 0C EF 2A 7D 79 63 AE 3B AB 22 DE 2E 4.....*}yc.;."..
CE 79 D1 FB .y..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
3 Main Commands :
--------------------
snort -v --> Headers
snort -dv --> Headers + Packet Data
snort -dev --> Headers + Packet Data + Data Link Layer
snort -dev -l ./log --> -l for specifying Log Directory
snort -dev -l ./log -h 192.168.0.0/24 --> Log data with specified network range
snort -dev -l ./log -b --> Binary mode logging
snort -dev -r packet.log --> Read packets with -r switch
Links :
----------
http://seclists.org/snort/2010/q4/533
How to create own snort Rules :
--------------------------------------
SQL Injections are becoming very common attacks on websites , in such cases we can detect attemps on IDS like snort
We need to find signature for most common SQL Injection Queries
Ex.
' or 1=1-- --> %27+or+1%3D1--
Rule for attack :
--------------------
alert tcp any any -> any any (content:"%27+or+1%3D1--";msg:"Dude Someone is performing SQL INJECTION";sid:1000003;rev:1;)
Content = %27+or+1%3D1--
msg = Message you want to display
sid = Unique ID assigned to this rule
sid & rev uniquely identify the rule
Implement Rule in Snort :
-------------------------------
1. vi sqlinjection.rules (I created this file /etc/snort/rules )
2. alert tcp any any -> any any (content:"%27+or+1%3D1--";msg:"Dude Someone is performing SQL INJECTION";sid:1000003;rev:1;)
3. Save and Exit
4. vi /etc/snort/snort.conf
5. Edit As Below :
----------------------------------
include $RULE_PATH/youtube.rules
include $RULE_PATH/sqlinjection.rules
----------------------------------
In our case #RULE_PATH = /etc/snort/rules/
6. Save and Exit
7. snort -v -i eth0 -l . -c /etc/snort/snort.conf --snaplen 1518
-l . --> Save files in current directory
-c --> Snort configuration file
--snaplen 1518 -->
8. Execute attack on client machine
Snort Output :
-----------------
Action Stats:
Alerts: 5 ( 0.074%) --> We successfully caught ATTACK!!!
Logged: 5 ( 0.074%)
Passed: 0 ( 0.000%)
9. Check file alert in current directory
[root@universe rules]# pwd
/etc/snort/rules
[root@universe rules]# cat alert
[**] [1:1000003:1] Dude Someone is performing SQL INJECTION [**]
[Priority: 0]
10/23-20:05:06.145217 192.168.0.101:45670 -> 192.168.0.13:8080
TCP TTL:64 TOS:0x0 ID:2665 IpLen:20 DgmLen:332 DF
***AP*** Seq: 0x6564F124 Ack: 0x28B08D67 Win: 0x2E TcpLen: 32
TCP Options (3) => NOP NOP TS: 42526540 5354755
[**] [1:1000003:1] Dude Someone is performing SQL INJECTION [**]
[Priority: 0]
10/23-20:05:06.230814 192.168.0.104:28692 -> 220.226.205.30:80
TCP TTL:64 TOS:0x0 ID:41431 IpLen:20 DgmLen:260 DF
***AP*** Seq: 0x29121933 Ack: 0x43B3A536 Win: 0x2E TcpLen: 32
TCP Options (3) => NOP NOP TS: 5354776 23618074
Now we have All required information about ongoing Attack!!!!
Why we used --snaplen ??
------------------------------
Command : snort -V
My Current Snort version : Version 2.9.0.5
When I use snort without --snaplen option , I was not able to collect alerts , nor any alert file was generated
With reference to :
http://seclists.org/snort/2010/q4/533
The IPQ and NFQ DAQs had an internal buffer limitation that is fixed in the latest release.
Will be adding more soon.....
Best Regards,
Girish