Sunday, 09 September 2007 19:39

Breathe easily: protect your Linux box with Snort


An intrusion detection system – or IDS – is a high-tech burglar alarm, keeping a watchful eye on your computer and alerting when computer or network activity indicates unauthorised or malicious activity. An IDS is a must-have app, and Snort is rapidly becoming the tool of choice.

Snort, with its funny name, has three primary operating modes. The first two are not really intrusion-related and merely reads network packets received and displays them on-screen or to disk. In these modes, Snort acts as a network sniffer and packet logger. These in themselves can be useful applications but is not where Snort really shows its stuff.

Snort’s third operating mode – network intrusion detection – is when the magic happens. Here, Snort actually pays attention to the network traffic passing its electronic eyes and matches what it sees according to a database of updatable signatures as well as any custom user-defined rules. In this mode, Snort does for networks what anti-virus tools do for filesystems.

What’s best is it still runs when you’re asleep, processing packets, log files and more. Actually, you can configure it to send alerts via SMS or other means that can even wake up your network or security staff. Or, you could define rules so Snort blocks the suspicious traffic as well as other traffic from the originating host.

Where Snort isn’t so great is the massive amounts of disk space it chews up with the log files it produces as well as the signature files used to detect rule violations. It’s not unrealistic that Snort operating within a high-traffic site could consume up to 100Gb of disk space. Snort doesn’t especially require any particular level of processor but it really will need a fast disk controller and a lot of space – let alone a network card that is as fast as or faster than the rest of your network (or else you can miss packets.) If the budget can cater to it, really, the best advice would even be to dedicate a machine directly to Snort’s use.

Wherever you choose to run Snort, you do have to remember to place it on your network in a strategic location, because it can only see traffic on its own subnet. There’s little point running Snort on your office desktop computer if your public-facing web and mail servers are housed in a co-location facility, for instance. In fact, depending on the complexity and size of your network, you may want to consider multiple Snort installations, to ensure all your key assets are protected by having one Snort system within each key subnet.

Get going with Snort

Snort is freely downloaded from Regular rules updates from the Snort Vulnerability Research Team (VRT) can be found here also, as well as documentation and community forums.

At this time, the latest stable release is Snort but Snort 2.8.0 beta is also available but is not final release code. Both versions have binary and source code downloads. As with any Linux app, the considerations are that the binary release is ready-to-run whereas the source code release can be tailored to your needs with possibly additional libraries or different combinations of compile-time flags for greater optimisation. When it comes to security tools, compiling from source becomes even more worth considering to give extra peace of mind that the resulting executable did genuinely result from the program code without any hostilities.

Be sure to check out the documentation page for many very detailed papers covering setup and deployment and general intricacies of intrusion detection in general.

Snort's operating modes are not actually completely separate, but rather they incrementally build on each other to add greater functionality. The simplest way to become familiar with Snort is to try it out, a mode at a time, adding features slowly. So, begin by running it as a packet sniffer. This command line is pretty simple - run snort -vde. The -vde is actually three distinct flags, namely -v which tells Snort to operate in packet-sniffing mode, but for TCP headers only. The -d and -e flags turn on additional headers.

You can further refine Snort by filtering traffic by subnet using the –h flag and an IP address or a network range like 192.168.1/24. This might give a command line like snort –vde –h 192.168.1/24. Those familiar with TCPdump will be familiar with the flexibility in which a range can be specified.

If you have a busy network, data will fly by pretty fast. Things lead us to Snort’s packet logging which is enabled simply by adding the –l flag followed by a directory to save log files. Your command line now might read snort –vde –h 192.168.1/24 –l /var/log/snort.

Finally, to use Snort as an IDS, you add one more item to the command line, namely the location of your Snort configuration file that holds all your rules using the –c flag. This gives a final command line along the lines snort –vde –h 192.168.1/24 –l /var/log/snort –c /etc/snort.conf.

If you are not getting results, be certain that your network card is capable of operating in so-called promiscuous mode and also be sure to run the program as the super-user of your system.

The Snort architecture

To make the best use of Snort, it helps to know how it has been put together. Snort essentially has four components, namely

  1. The sniffer
  2. The pre-processor
  3. The detection engine
  4. The output renderer

The packet sniffer eavesdrops on network traffic. This doesn’t have to be for surreptitious reasons like snooping for passwords; legitimate and legal packet sniffing encompasses many things – like analysing network performance and troubleshooting application or network faults.

This first component of Snort provides the first two operating modes described above. However, here’s where Snort gets its name: it does so much more than merely sniff; it snorts!

In its third and most versatile and useful mode, Snort herds the sniffed traffic on through its pre-processor. Here, the raw packets are analysed for specific types of behaviour. By “behaviour”, we mean the packets are matched against many heuristics and rules in an attempt to “discover” whether the traffic has any meaningful patterns. This means, for example, Snort is able to pick up if a buffer overflows or if someone is, say, scanning sequential ports on the system. This behaviour may or may not be harmful but is worthy of further analysis.

So then, if Snort identifies a particular behaviour in the raw network data the detection engine is invoked. Here’s where the signatures and rules referred to above come into play. This is where the actual intrusion detection takes part.

The signatures identify packets that contain specific sequences of data. These may be strings of text or sequences of program code that are known to be virus or spam or Trojan activity, for example.  The rules fire when any such pattern is detected, directing whether the situation calls for an alert to be logged to disk, a database, a pop-up message, a system log file or in some other way.


Enhancing Snort

We said earlier Snort could wake up your systems administrator via SMS if need be; actually, this isn’t strictly true. Snort does not have built-in capabilities to perform this function – but other freeware add-ons will do this for you. Such a system is Swatch which monitors log files and sends alerts via e-mail. If you have an e-mail-to-SMS gateway (like Telstra’s OnlineSMS) then it is a no-brainer to have these e-mails hop off the TCP/IP network and on to the mobile phone network.

Another worthwhile add-on system is LogHog; this works directly in conjunction with Snort responding to its events with user-definable actions like e-mail and also by blocking traffic by dynamically creating new rules for iptables, the Linux firewall.

Actually, there’s no shortage of add-ons for Snort. For those who like to know just what’s going on, try sguil which provides a TCL/TK GUI giving access to realtime events, data and raw packets while Snort is running. Alternatively, SnortSnarf will analyse Snort’s activity and render HTML output, suitable for posting to a private web site for easy monitoring.

Windows users should be sure also to try the disgustingly named snot.exe; this is a small tool to simulate network traffic. For our purposes, this means you can test your Snort rules by simulating the very traffic you wish to deny.

Remember too, just like anti-virus apps, intrusion detection systems need their rules to be kept current as new hostilities become known. The Snort web site contains regular ruleset updates, and additional community maintained rules can be downloaded from Bleeding Edge threats. More add-ons help in this area too; use Oinkmaster to keep your rules up to date, and SneakyMan to manually configure your Snort rules within a GNOME window. Finally, be sure to keep Snort itself up to date, being diligent to apply updates when they become available.

Subscribe to ITWIRE UPDATE Newsletter here


The much awaited iTWire Shop is now open to our readers.

Visit the iTWire Shop, a leading destination for stylish accessories, gear & gadgets, lifestyle products and everyday portable office essentials, drones, zoom lenses for smartphones, software and online training.

PLUS Big Brands include: Apple, Lenovo, LG, Samsung, Sennheiser and many more.

Products available for any country.

We hope you enjoy and find value in the much anticipated iTWire Shop.



iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.

We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.

In addition, your interview post message can be displayed in up to 7 different post displays on our the site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.

We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.

See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.


David M Williams

David has been computing since 1984 where he instantly gravitated to the family Commodore 64. He completed a Bachelor of Computer Science degree from 1990 to 1992, commencing full-time employment as a systems analyst at the end of that year. David subsequently worked as a UNIX Systems Manager, Asia-Pacific technical specialist for an international software company, Business Analyst, IT Manager, and other roles. David has been the Chief Information Officer for national public companies since 2007, delivering IT knowledge and business acumen, seeking to transform the industries within which he works. David is also involved in the user group community, the Australian Computer Society technical advisory boards, and education.

Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News