1. Snort Based Intrusion Detection System
Part 1

2. Some terms related to security
IDS
NIDS
HIDS
Signatures
Alerts
Logs
False Alarms
Sensor

3. Introduction to Intrusion Detection
Network defense or “protection” model
Planning
Prevention
Detection
Response
Intrusion detection is the process of discovering, analyzing, and reporting unauthorized or damaging network or computer activities

4. Introduction to Intrusion Detection
All network and computer activities fall in one of three categories:
Normal
Abnormal but not malicious
Malicious
Intrusion detection operates in two arenas:
What a computer says: network traffic
What a computer thinks: computer processes

5. Introduction to Intrusion Detection
Network traffic is monitored by network-based intrusion detection systems (NIDS)
Computer processes are monitored by host-based intrusion detection systems (HIDS)
So-called “hybrid” systems examine network traffic to or from a host, as well as processes on that host
NIDS are easier to deploy and manage, but HIDS may give greater visibility to events

6. What is Snort?
Snort is a fast, flexible, small-footprint, open-source NIDS developed by the security community and a “benevolent dictator”
Lead coder: Marty Roesch, now founder of Sourcefire (
Initially developed in late 1998 as a sniffer with consistent output, unlike protocol-dependent output of TCPDump
Sourcefire, owned by Cisco since 2013
In 2009, Snort entered InfoWorld's Open Source Hall of Fame as one of the "greatest open source software of all time"

7. Typical locations for snort

8. Block Diagram Of Complete IDS

9. Multiple Snort sensors in the enterprise logging to a centralized database server

10. Modes of Snort
Sniffer mode-> simply reads the packets off of the network and displays them for you in a continuous stream on the console (screen)
Packet Logger mode-> logs the packets to disk
Network Intrusion Detection System (NIDS) mode -> the most complex and configurable configuration, which allows Snort to analyze network traffic for matches against a user-defined rule set and performs several actions based upon what it sees
Honeypots Monitor ->Used to deceive hostile parties

11. Sniffer Mode Works much like tcpdump
Decodes packets and dumps them to stdout
BPF filtering interface available to shape displayed network traffic

12. What Do The Packet Dumps Look Like?
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
11/09-11:12: :1032 -> :23
TCP TTL:128 TOS:0x0 ID:31237 IpLen:20 DgmLen:59 DF
***AP*** Seq: 0x16B6DA Ack: 0x1AF156C2 Win: 0x2217 TcpLen: 20
FF FC 23 FF FC 27 FF FC 24 FF FA E #..'..$....ANS
49 FF F I..
11/09-11:12: :23 -> :1032
TCP TTL:255 TOS:0x0 ID:49900 IpLen:20 DgmLen:61 DF
***AP*** Seq: 0x1AF156C2 Ack: 0x16B6ED Win: 0x2238 TcpLen: 20
0D 0A 0D 0A E 4F E 37 0D 0A 0D ....SunOS
00 0D 0A 0D

13. Packet Logger Mode save packets to disk…
Multi-mode packet logging options available
Flat ASCII, tcpdump, XML, database, etc available
Log all data and post-process to look for anomalous activity

14. NIDS Mode Wide variety of rules available for signature engine
Multiple detection modes available via rules and plug-ins
Rules/signature
Statistical anomaly
Protocol verification
Uses all phases of Snort + plug-ins to analyze traffic for both misuse detection and anomalous activity
Can perform portscan detection, IP defragmentation, TCP stream reassembly, application layer analysis and normalization, etc

15. Components of Snort
• Packet Decoder • Preprocessors • Detection Engine • Logging and Alerting System • Output Modules

16. Data Flow Snort Packet Stream Sniffing Packet Decoder Data Flow
Preprocessor
(Plug-ins)
Detection Engine
(Plug-ins)
Output Stage
(Plug-ins)
Alerts/Logs

17. Packet Decoder
The packet decoder takes packets from different types of network interfaces and prepares the packets to be preprocessed or to be sent to the detection engine
The interfaces may be Ethernet, SLIP, PPP and so on

18. Preprocessor
Components or plug-ins that can be used with Snort to arrange or modify data packets before the detection engine does some operation to find out if the packet is being used by an intruder
Important for any IDS to prepare data packets to be analyzed against rules in the detection engine
Also used for packet defragmentation

19. The Detection Engine
The detection engine is the most important part of Snort.
Its responsibility is to detect if any intrusion activity exists in a packet.
The detection engine employs Snort rules for this purpose. The rules are read into internal data structures or chains where they are matched against all packets.
If a packet matches any rule, appropriate action is taken; otherwise the packet is dropped

20. Detection Engine The time-critical part of Snort
The load on the detection engine depends upon the following factors:
Number of rules
Power of the machine on which Snort is running
Speed of internal bus used in the Snort machine
Load on the network
The detection system can dissect a packet and apply rules on different parts of the packet

21. Rules rule header rule options In a single line
Rules are created by known intrusion signatures.
Usually place in snort.conf configuration file.
rule header
rule options

22. Snort Rule The basic format of a rule is as follows:
function protocol source_ip/mask source_port -> destination_ip/mask destination_port options
let's look at a simple rule:
log tcp any any -> /24 23
This rule says to log tcp traffic coming from any IP address and any source port to this network where the destination port is 23 (telnet)

23. Rule example destination ip address Apply to all ip packets
Destination port
Source ip address
Source port #
Rule options
Alert will be generated if criteria met
Rule header

24. Snort Rules
Snort rules are extremely flexible and are easy to modify, unlike many commercial NIDS
Sample rule to detect SubSeven trojan:
alert tcp $EXTERNAL_NET > $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d d0a|"; reference:arachnids,485; reference:url, sid:103; classtype:misc-activity; rev:4;)
Elements before parentheses comprise ‘rule header’
Elements in parentheses are ‘rule options’

25. Snort Rules alert action to take; also log, pass, activate, dynamic
alert tcp $EXTERNAL_NET > $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d d0a|"; reference:arachnids,485; reference:url, sid:103; classtype:misc-activity; rev:4;)
alert action to take; also log, pass, activate, dynamic
tcp protocol; also udp, icmp, ip
$EXTERNAL_NET source address; this is a variable – specific IP is ok
27374 source port; also any, negation (!21), range (1:1024)
-> direction; best not to change this, although <> is allowed
$HOME_NET destination address; this is also a variable here
any destination port
Why need “pass”, like firewall, you may have some specific traffic you want to allow.
Activate/dynamic rule pairs give Snort a powerful capability. You can now have one rule activate another when it's action is performed for a set number of packets. This is very useful if you want to set Snort up to perform follow on recording when a specific rule goes off. Activate rules act just like alert rules, except they have a *required* option field: activates. Dynamic rules act just like log rules, but they have a different option field: activated_by. Dynamic rules have a second required field as well, count.
Activate rules are just like alerts but also tell Snort to add a rule when a specific network event occurs. Dynamic rules are just like log rules except are dynamically enabled when the activate rule id goes off.

26. Snort Rules other rule options possible, like offset, depth, nocase
alert tcp $EXTERNAL_NET > $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d d0a|"; reference:arachnids,485; reference:url, sid:103; classtype:misc-activity; rev:4;)
msg:”BACKDOOR subseven 22”; message to appear in logs
flags: A+; tcp flags; many options, like SA, SA+, !R, SF*
content: “|0d0…0a|”; binary data to check in packet; content without | (pipe) characters do simple content matches
reference…; where to go to look for background on this rule
sid:103; rule identifier
classtype: misc-activity; rule type; many others
rev:4; rule revision number
other rule options possible, like offset, depth, nocase

27. Snort Rules bad-traffic.rules exploit.rules scan.rules
finger.rules ftp.rules telnet.rules
smtp.rules rpc.rules rservices.rules
dos.rules ddos.rules dns.rules
tftp.rules web-cgi.rules web-coldfusion.rules
web-frontpage.rules web-iis.rules web-misc.rules
web-attacks.rules sql.rules x11.rules
icmp.rules netbios.rules misc.rules
backdoor.rules shellcode.rules policy.rules
porn.rules info.rules icmp-info.rules
virus.rules local.rules attack-responses.rules

28. Snort Rules Rules which actually caught intrusions
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_cmdshell - program execution"; content: "x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; flags:A+; classtype:attempted-user; sid:687; rev:3;) caught compromise of Microsoft SQL Server
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:2;) caught Code Red infection
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP \"MKD / \" possible warez site"; flags: A+; content:"MKD / "; nocase; depth: 6; classtype:misc-activity; sid:554; rev:3;) caught anonymous ftp server

29. Logging and Alerting System
Depending upon what the detection engine finds inside a packet, the packet may be used to log the activity or generate an alert
All of the log files are stored under /var/log/snort folder by default

30. Detection Engine: Rules
Rule Header
Rule Options
Alert tcp any -> any
(flags: SF; msg: “SYN-FIN Scan”;)
Alert tcp any -> any
(flags: S12; msg: “Queso Scan”;)
Alert tcp any -> any
(flags: F; msg: “FIN Scan”;)
Queso scan, a tool similar to NMAP,

31. Detection Engine: Internal Representation
Rule Node
Alert tcp any -> any
Option Node
(flags: SF; msg: “SYN-FIN Scan”;)
(flags: S12; msg: “Queso Scan”;)
(flags: F; msg: “FIN Scan”;)

32. Detection Engine: Fully Populated
Rule
Node
Rule
Node
Rule
Node
Rule
Node
Rule
Node
Option
Node
Option
Node
Option
Node
Option
Node
Option
Node
Option
Node
Option
Node
Option
Node
Option
Node
Option
Node
Option
Node

33. Output Modules
Output modules or plug-ins can do different operations depending on how we want to save output generated by the logging and alerting system of Snort

34. Continued…..
Depending on the configuration, output modules can do things like the following:
Simply logging to /var/log/snort/alerts file or some other file
Sending SNMP traps
Sending messages to syslog facility
Logging to a database like MySQL or Oracle
Generating eXtensible Markup Language (XML) output
Modifying configuration on routers and firewalls.
Sending Server Message Block (SMB) messages to Microsoft Windows-based machine

36. Challenges with snort Misuse detection – avoid known intrusions
Rules database is larger and larger
It continues to grow
snort version 2.3.2, there are 2,600 rules (present version 2.9.8)
80% of them are signatures
Snort spends 80% work time to do string match
Anomaly detection – identify new attacks
Probability of detection is low

37. How to protect IDS itself
Not run any service on your IDS sensor itself
New threats are discovered and patches are released by vendors
Configure the IDS machine so that it does not respond to ping (ICMP Echotype) packets
You should use IDS only for the purpose of intrusion detection

38. Snort in special cases
Snort on Stealth Interface->listens to the incoming traffic but does not send any data packets out
Snort with no IP address Interfaces->when the Snort host doesn’t have an IP address itself, nobody can access it

39. Supported Platform
• Linux • OpenBSD • FreeBSD • NetBSD • Solaris (both Sparc and i386) • HP-UX • AIX • IRIX • MacOS • Windows

41. Onicode Oinkcodes are unique keys associated to your user account.
The oinkcode acts as an api key for downloading rule packages with the urls listed below.
You can find your oinkcode in your user account settings page once you have logged in

42. We will need to become a Registered member on the Snort website.
This is needed in order to download and use the Sourcefire VRT Certified Rules. Snort will not be able to use updated rules without registering (and Oinkmaster will not work)

43. After you have created an account, log in to the Snort website and get a personalized Oinkcode (to be used by Oinkmaster).

44. Download the Sourcefire VRT Certified Rules (registered-user release) – be sure to grab the rules forthe version you are installing Snort for (in our case it is 2861)

45. Right-click on the snortrules-snapshot-2861. tar
Right-click on the snortrules-snapshot-2861.tar.gz file that we downloaded and choose “Extract Here”

46. Right-click on the newly extracted file (snortrules-snapshot-2861
Right-click on the newly extracted file (snortrules-snapshot-2861.tar) and choose “Extract files...”
Change the Path to C:\Snort and check “Overwrite without prompt”

47. Open a Command Prompt and run c:\snort\bin\snort -W (be sure to use a capital “W

48. While still leaving the Snort command prompt window open, launch a second command prompt window. From the new window, run the command ping google.com If it hasn't occurred already, this ping command will trigger a Snort alert

49. You can now close both command prompt windows, as we have verified that Snort is installed and alerting correctly in verbose mode.
To test that our configuration file is correct, open a new command
prompt window and type:
c:\snort\bin\snort -iX -s -l c:\snort\log\ -c c:\snort\etc\snort.conf –T (replace X with your Device Interface number)
If you have correctly entered all information, you should receive a graceful exit such as the screen shot below.
If you receive a fatal error, you should first verify that you have typed all modifications
correctly into the snort.conf file and then search through the file for entries matching your fatal error message

50. Now run c:\snort\bin\snort -v -iX (X is your Device Interface number found from running the previous line)
After a couple of seconds you will see “Not Using PCAP_FRAMES”. Snort is now running and will alert you if a Rule is triggered. If a Rule us triggered the command prompt window will rapidly scroll text

51. Snort Files
Snort files can be categorized as follows: • The Snort binary files, which is the actual executable. • The Snort configuration file, which is typically snort.conf. • Other Snort configuration files like classification.config and reference.config. • Rule files. • Log files.

52. Location of Snort Files
Snort binary file is usually installed in /usr/sbin directory
The main configuration file snort.conf is installed in /etc/snort directory. However, we can save this file in any directory because we have to specify path to this file on the command line when starting Snort
Other configuration files like classification.config and reference.config are usually stored in the same location as the snort.conf file
Rules files are referenced in the snort.conf file
The location of Snort log files can be set with the help of snort.conf file or using command line options. Typically the log files are stored in /var/log/snort directory. If the log directory does not exist, we have to create it manually

53. Snort Command Line Option
-A -> sets Alert Mode
-b -> used to log packets in tcpdump format
-c-> to specify the location of snort.conf file
-D-> enables Snort to run in the background
-i-> to start Snort so that it listens to particular network interface
-l-> used to set the directory where Snort logs messages
-M-> have to specify a text file as argument to this option. The text file contains a list of Microsoft Windows hosts to which you want to send SMB pop-up windows
-T-> useful for testing and reporting on the Snort configuration

54. Snort Installation on linux
Snort can be easily installed using RPM package using only one command
rpm -install <snort_file_name.rpm>
Installing from source code is a complex process and requires following steps:

55. Steps for installing using source code
Download source code file from
Unpack the tar file using “tar zxvf <filename.tar.gz>” command.
Run the configure script. Typical command line is something like “configure --prefix=/opt/snort --with-mysql –withsnmp -with-opnssl”.
Run the make command.
Run the “make install” command.
Create a directory /var/log/snort.
Create a directory /opt/snort/etc.
Create a directory /opt/snort/rules.
Copy snort.conf to /opt/snort/etc directory.
Copy classification.config file to /opt/snort/etc directory.
Copy reference.config file to /opt/snort/etc directory.
Copy all rule files to /opt/snort/rules directory.
Create startup script snortd and copy it to /etc/init.d directory. Create its links in /etc/rcx directories, where x is a run level number, so that Snort starts at the boot time.
If you are using MySQL with Snort, it should be started before starting Snort

56. Sniffer Mode
First, let's start with the basics. If you just want to print out the TCP/IP packet headers to the screen (i.e. sniffer mode), try this:
./snort -v This command will run Snort and just show the IP and TCP/UDP/ICMP headers, nothing else. If you want to see the application data in transit, try the following:
./snort -vd This instructs Snort to display the packet data as well as the headers. If you want an even more descriptive display, showing the data link layer headers, do this:
./snort -vde (As an aside, these switches may be divided up or smashed together in any combination. The last command could also be typed out as:
./snort -d -v -e and it would do the same thing.)

57. Analysis
Analyze the information displayed on screen when we run Snort in the packet capture mode.

58. Analysis Continued
11/20-15:56: :22 -> :2474TCP TTL:64 TOS:0x10 ID:57044 IpLen:20 DgmLen:184 DF ***AP*** Seq: 0xF5683D7A Ack: 0x9DAEEE9C Win: 0x6330 TcpLen: 20
• Date and time the packet was captured. • Source IP address is • Source port number is 22. • Destination IP address is • Destination port is • Transport layer protocol used in this packet is TCP. • Time To Live or TTL value in the IP header part is 64. • Type of Service or TOS value is 0x10. • Packet ID is • Length of IP header is 20. • IP payload is 184 bytes long. • Don’t Fragment or DF bit is set in IP header. • Two TCP flags A and P are on. • TCP sequence number is 0xF5683D7A. • Acknowledgement number in TCP header is 0xDAEEE9C. • TCP Window field is 0x6330. • TCP header length is 20.

59. Reading Pcaps
Instead of having Snort listen on an interface, you can give it a packet capture to read.
Snort will read and analyze the packets as if they came off the wire.
This can be useful for testing and debugging Snort.

60. NIDS Mode ./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf
To enable Network Intrusion Detection System (NIDS) mode so that you don't record every single packet sent down the wire, try this:
./snort -dev -l ./log -h /24 -c snort.conf
where snort.conf is the name of your snort configuration file. This will apply the rules configured in the snort.conf file to each packet to decide if an action based upon the rule type in the file should be taken. If you don't specify an output directory for the program, it will default to /var/log/snort.
One thing to note about the last command line is that if Snort is going to be used in a long term way as an IDS, the -v switch should be left off the command line for the sake of speed. The screen is a slow place to write data to, and packets can be dropped while writing to the display.
It's also not necessary to record the data link headers for most applications, so you can usually omit the -e switch, too.
./snort -d -h /24 -l ./log -c snort.conf This will configure Snort to run in its most basic NIDS form, logging packets that trigger rules specified in the snort.conf in plain ASCII to disk using a hierarchical directory structure (just like packet logger mode).

61. Alert Modes in NIDS Mode
Fast Mode
Full Mode
Unix socket Mode
No Alert Mode
Sending Alert to Syslog
Sending Alerts to SNMP
Sending Alerts to Windows

62. Fast Mode
The fast alert mode logs the alert with following information
• Timestamp
• Alert message (configurable through rules)
• Source and destination IP addresses
• Source and destination ports
The following command starts Snort in fast alert mode:
/opt/snort/bin/snort -c /opt/snort/etc/snort.conf -q -A fast
This alert mode causes less overhead

63. Full mode This is the default alert mode.
It prints the alert message in addition to the packet header.
We can start Snort with full alerting enabled with the following command:
/opt/snort/bin/snort -c/opt/snort/etc/snort.conf -q -A full
Additional Information contains TTL, TOS, length of IP packet, Total length of IP Packet, ICMP Type Field etc.

64. Packet logger mode
Specify a logging directory and Snort will automatically know to go into packet logger mode:
./snort -dev -l ./log
When Snort runs in this mode, it collects every packet it sees and places it in a directory hierarchy based upon the IP address of one of the hosts in the datagram.
plain -l switch Snort sometimes uses the address of the remote computer as the directory in which it places packets and sometimes it uses the local host address.
In order to log relative to the home network, tell Snort which network is the home network:
./snort -dev -l ./log -h /24