Snort is an open source intrusion detection and prevention system created in 1998 by Martin Roesch. Roesch founded Sourcefire in 2001, which was acquired by Cisco in 2013, and Snort is now developed by Cisco.
Snort currently has two versions, Snort 2 and Snort 3. Snort 3 is a redesign of Snort with better efficacy, performance, scalability and extensibility.
In this article we will discuss how to install and configure Snort 2 on Ubuntu as it is the most widely implemented version and has extensive support, documentation and rule-sets.
First, we should update the packages on the Ubuntu operating system using the following command:
sudo apt-get update
Installing Snort on Ubuntu is effortless, simply use the following command:
sudo apt-get install snort -y
During installation, Snort asks which interface it should listen on. List the machine's interfaces with the following command and type the name of the interface you want Snort to monitor into the Snort configuration prompt.
ip a
In the next step Snort asks us to define HOME_NET. In this article we are using Snort as a host-based IDS, so we only enter the Ubuntu machine's IP address.
To check which version of Snort is installed, type the following command:
snort -V
The Snort configuration file, snort.conf, is located in the /etc/snort directory. Snort runs according to this file.
Since we are using Snort as a host-based IDS, set the HOME_NET variable to the Ubuntu machine's IP address with an editor of your choice. We will use vim to edit the /etc/snort/snort.conf file.
sudo vim /etc/snort/snort.conf
Then, change the HOME_NET variable as follows:
The RULE_PATH variable in the snort.conf file determines the location of the snort rule files.
The /etc/snort/rules/local.rules file contains our own Snort rules; this is the file we will use when writing rules.
The Snort installation also comes with a set of default community rule files grouped by category. For example, to examine the backdoor rules we can look at the backdoor.rules file.
To test Snort efficiently, we will comment out the community rules and use only local.rules, which contains our own rules.
To generate log files for examining alerts on traffic that matches a rule, several output methods are available. In this article we will write the logs to CSV and PCAP files.
To log alerts to a CSV file, add the following line to the "Configure output plugins" section of snort.conf.
output alert_csv: /var/log/snort/alert.csv default
To log the matching packets to a PCAP file, add the following line to the "Configure output plugins" section of snort.conf.
output log_tcpdump: /var/log/snort/tcpdump.log
We can test our configuration with the following command. It reports an error if we made any mistake in the configuration file.
sudo snort -T -i ens33 -c /etc/snort/snort.conf
If everything is configured correctly, you will see a "Snort successfully validated the configuration!" message at the bottom of the screen as shown below.
Snort rules consist of two parts: the rule header and the rule options.
The rule header contains the rule's action, protocol, source IP address, source port, direction, destination IP address and destination port.
Rule options form the heart of Snort's detection engine, combining ease of use with power and flexibility. Rule options are separated from each other with a semicolon (;), and each option keyword is separated from its arguments with a colon (:).
Some general rule options are msg (the alert message), sid and rev.
Some detection options are content, distance, within and pcre.
Here is the Snort rule structure:
action protocol sourceIP sourceport -> destinationIP destinationport ([Rule options])
Now we will create three simple Snort rules to understand the rule structure.
Open the /etc/snort/rules/local.rules file with the editor of your choice and add the following rule to detect incoming ICMP packets:
alert icmp any any -> $HOME_NET any (msg:"ICMP Detection Rule"; sid:100001;)
SSH runs on TCP port 22 by default, and an SSH server is running on the Ubuntu machine. To detect incoming SSH connection attempts with Snort, add the second rule to /etc/snort/rules/local.rules as follows:
alert tcp any any -> $HOME_NET 22 (msg:"SSH Connection Attempts"; sid:100002;)
Note: as you may have noticed, each rule is assigned a SID number, which must be unique.
Now we will create a Snort rule to detect command execution attempts. If the HTTP server receives a request containing /etc/passwd, Snort will detect this attack. Add a third rule to /etc/snort/rules/local.rules to detect command execution attempts as follows:
alert tcp any any -> $HOME_NET 80 (msg:"Command Execution Attempt"; content:"GET"; content:"/etc/passwd"; sid:100003;)
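The header/options split described above, and the requirement that every sid be unique, can be checked mechanically before running snort -T. The following is an added example written for this article, not code from the original post or from the Snort project: a small Python parser that splits each rule in a local.rules file into its seven header fields and an ordered list of (keyword, value) options, then reports missing msg/sid options and duplicate sids. The sample rules file is constructed inline (the three rules above plus a fourth rule that deliberately reuses sid 100003), and the parser handles only single-line rules with ';' and ':' separators and double-quoted arguments, which covers the rules in this article.

```python
import re
from collections import Counter

# Constructed sample local.rules for this example: the three rules from the article
# plus a fourth rule that deliberately reuses sid 100003 so the lint has something to flag.
LOCAL_RULES = r'''
# local.rules (constructed sample)
alert icmp any any -> $HOME_NET any (msg:"ICMP Detection Rule"; sid:100001;)
alert tcp any any -> $HOME_NET 22 (msg:"SSH Connection Attempts"; sid:100002;)
alert tcp any any -> $HOME_NET 80 (msg:"Command Execution Attempt"; content:"GET"; content:"/etc/passwd"; sid:100003;)
alert tcp any any -> $HOME_NET 443 (msg:"Duplicate SID example"; sid:100003;)
'''

# The seven header fields, in the order Snort expects them.
HEADER_FIELDS = ("action", "protocol", "src_ip", "src_port", "direction", "dst_ip", "dst_port")
# Seven whitespace-separated header tokens, then the option body in parentheses.
RULE_RE = re.compile(r"^([^\s(]+(?:\s+[^\s(]+){6})\s*\((.*)\)\s*$")


def split_options(body):
    """Split the text inside the parentheses on ';' characters that are outside
    double quotes, then return an ordered list of (keyword, value) pairs.
    Options without an argument (for example "nocase") get value None."""
    parts, current, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:                      # character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == '"':
            current.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:  # option separator
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    if tail:
        parts.append(tail)
    options = []
    for part in parts:
        if not part:
            continue
        keyword, sep, value = part.partition(":")   # keyword:argument
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]                      # drop the surrounding quotes
        options.append((keyword.strip(), value if sep else None))
    return options


def parse_rule(line):
    """Split a single-line Snort rule into header fields and options."""
    match = RULE_RE.match(line)
    if not match:
        raise ValueError(f"not a rule: {line!r}")
    header = dict(zip(HEADER_FIELDS, match.group(1).split()))
    if header["direction"] not in ("->", "<>"):
        raise ValueError(f"bad direction {header['direction']!r} in {line!r}")
    return {"header": header, "options": split_options(match.group(2))}


def parse_rules_file(text):
    """Parse every non-comment line of a rules file, recording its line number."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        rule["line"] = lineno
        rules.append(rule)
    return rules


def lint(rules):
    """Report rules missing msg or sid, and sids shared by more than one rule."""
    problems = []
    sid_count = Counter()
    for rule in rules:
        keywords = {keyword for keyword, _ in rule["options"]}
        for required in ("msg", "sid"):
            if required not in keywords:
                problems.append(f"line {rule['line']}: missing '{required}' option")
        sid = dict(rule["options"]).get("sid")
        if sid is not None:
            sid_count[sid] += 1
    for sid, count in sorted(sid_count.items()):
        if count > 1:
            problems.append(f"sid {sid} is used by {count} rules; every rule needs a unique sid")
    return problems


if __name__ == "__main__":
    # In practice: parse_rules_file(open("/etc/snort/rules/local.rules").read())
    parsed = parse_rules_file(LOCAL_RULES)
    for rule in parsed:
        print(rule["line"], rule["header"], rule["options"])
    for problem in lint(parsed):
        print("PROBLEM:", problem)
```

Running it on the sample prints the four parsed rules and a single problem for the duplicated sid 100003. Note that this lint is a quick sanity check only; snort -T remains the authoritative validation, because it understands option keywords and modifiers this parser does not.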
Now it is time to test the rules. Before generating alerts, run the following Snort command so that generated alerts are displayed on the console.
sudo snort -q -l /var/log/snort -i ens33 -A console -c /etc/snort/snort.conf
Snort will also write alerts to the CSV file and the PCAP file because we configured those output plugins in Step 3. We can use these files to investigate attacks later; they are in the /var/log/snort directory.
Now, send an ICMP echo request from the attacker machine to test the first rule.
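As an added example of investigating those alerts later (not part of the original article), the following Python code parses an alert.csv file produced by the alert_csv plugin and summarises it by signature, by source address and by destination port. It assumes the field order of the plugin's "default" format as described in the Snort 2 manual (timestamp, sig_generator, sig_id, sig_rev, msg, proto, src, srcport, dst, dstport, followed by the Ethernet, TCP, IP and ICMP fields); confirm that order against your installed version, or list the fields explicitly in the output line instead of "default". The sample CSV content, addresses and MAC addresses are constructed for this example.

```python
import csv
import io
from collections import Counter

# Field order of alert_csv's "default" format as described in the Snort 2 manual.
# Assumption for this example: verify against your installed Snort version.
CSV_FIELDS = [
    "timestamp", "sig_generator", "sig_id", "sig_rev", "msg", "proto",
    "src", "srcport", "dst", "dstport", "ethsrc", "ethdst", "ethlen",
    "tcpflags", "tcpseq", "tcpack", "tcplen", "tcpwindow", "ttl", "tos",
    "id", "dgmlen", "iplen", "icmptype", "icmpcode", "icmpid", "icmpseq",
]

# Constructed sample of /var/log/snort/alert.csv: the three alerts from the
# article's test run plus two extra SSH attempts. All values are made up.
SAMPLE_ALERT_CSV = """\
05/14-10:21:33.101010,1,100001,0,ICMP Detection Rule,ICMP,192.168.189.128,,192.168.189.129,,00:0C:29:AA:BB:01,00:0C:29:AA:BB:02,0x62,,,,,,64,0,5001,84,20,8,0,1,1
05/14-10:22:01.202020,1,100002,0,SSH Connection Attempts,TCP,192.168.189.128,51234,192.168.189.129,22,00:0C:29:AA:BB:01,00:0C:29:AA:BB:02,0x4A,******S*,0x1A2B3C4D,0x0,20,64240,64,0,5002,60,20,,,,
05/14-10:22:05.303030,1,100002,0,SSH Connection Attempts,TCP,192.168.189.128,51235,192.168.189.129,22,00:0C:29:AA:BB:01,00:0C:29:AA:BB:02,0x4A,******S*,0x1A2B3C4E,0x0,20,64240,64,0,5003,60,20,,,,
05/14-10:23:10.404040,1,100002,0,SSH Connection Attempts,TCP,10.0.0.7,40001,192.168.189.129,22,00:0C:29:AA:BB:03,00:0C:29:AA:BB:02,0x4A,******S*,0x1A2B3C4F,0x0,20,64240,64,0,5004,60,20,,,,
05/14-10:25:42.505050,1,100003,0,Command Execution Attempt,TCP,192.168.189.128,51240,192.168.189.129,80,00:0C:29:AA:BB:01,00:0C:29:AA:BB:02,0x8E,***AP***,0x1A2B3D00,0x2B3C4D5E,20,64240,64,0,5005,128,20,,,,
"""


def parse_alert_csv(text):
    """Parse alert_csv output into one dict per alert, keyed by CSV_FIELDS.
    Rows shorter than the field list are padded with empty strings."""
    alerts = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        row = row + [""] * (len(CSV_FIELDS) - len(row))
        alerts.append(dict(zip(CSV_FIELDS, row)))
    return alerts


def alerts_by_signature(alerts):
    """Count alerts per (sid, msg) so the noisiest rules stand out."""
    return Counter((a["sig_id"], a["msg"]) for a in alerts)


def sources_for_sid(alerts, sid):
    """Which source addresses triggered a given rule, and how often."""
    return Counter(a["src"] for a in alerts if a["sig_id"] == str(sid))


def alerts_for_dst_port(alerts, port):
    """All alerts whose destination port matches (e.g. 22 for the SSH rule)."""
    return [a for a in alerts if a["dstport"] == str(port)]


if __name__ == "__main__":
    # In practice: parse_alert_csv(open("/var/log/snort/alert.csv").read())
    alerts = parse_alert_csv(SAMPLE_ALERT_CSV)
    for (sid, msg), count in alerts_by_signature(alerts).most_common():
        print(f"sid {sid} {msg!r}: {count} alert(s)")
    print("SSH attempt sources:", dict(sources_for_sid(alerts, 100002)))
    for alert in alerts_for_dst_port(alerts, 80):
        print("HTTP alert from", alert["src"], "at", alert["timestamp"])
```

One caveat when relying on this file: the msg field is written as plain text between commas, so a rule whose msg contains a comma would shift every later field. Keeping commas out of msg strings, as the three rules in this article do, keeps the CSV parseable.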
Now, check the Snort Console.
We have successfully generated a Snort alert.
To test the SSH connection attempt rule, we will attempt an SSH connection from the attacker machine to the Ubuntu machine as follows:
Check the Snort alert on the Ubuntu Machine:
To test the third rule, we will send the command execution attack with curl from the attacker machine as follows:
curl http[:]//192[.]168.189.129/etc/passwd
Now, check the command execution attempt alert on the Snort Console.
We have successfully generated an alert with Snort.
If you want to get familiar with Firewall, IPS/IDS, Antivirus, EDR and more, we have the perfect courses for you in our SOC Analyst Learning Path!
Snort is a very powerful and easy to use IDS/IPS. In this article we configured Snort as a host-based intrusion detection system. Snort can also run as an IPS to block attacks according to our configuration, and it can read PCAP files to check them for malicious signatures. We can visualize Snort alerts with several open source tools and send Snort logs to SIEM systems to expand our Security Operations Center capabilities.