Snort’s third operating mode – network intrusion detection – is when the magic happens. Here, Snort actually pays attention to the network traffic passing its electronic eyes and matches what it sees according to a database of updatable signatures as well as any custom user-defined rules. In this mode, Snort does for networks what anti-virus tools do for filesystems.
What’s best is it still runs when you’re asleep, processing packets, log files and more. Actually, you can configure it to send alerts via SMS or other means that can even wake up your network or security staff. Or, you could define rules so Snort blocks the suspicious traffic as well as other traffic from the originating host.
Where Snort isn’t so great is the massive amounts of disk space it chews up with the log files it produces as well as the signature files used to detect rule violations. It’s not unrealistic that Snort operating within a high-traffic site could consume up to 100Gb of disk space. Snort doesn’t especially require any particular level of processor but it really will need a fast disk controller and a lot of space – let alone a network card that is as fast as or faster than the rest of your network (or else you can miss packets.) If the budget can cater to it, really, the best advice would even be to dedicate a machine directly to Snort’s use.
Wherever you choose to run Snort, you do have to remember to place it on your network in a strategic location, because it can only see traffic on its own subnet. There’s little point running Snort on your office desktop computer if your public-facing web and mail servers are housed in a co-location facility, for instance. In fact, depending on the complexity and size of your network, you may want to consider multiple Snort installations, to ensure all your key assets are protected by having one Snort system within each key subnet.
Get going with Snort
Snort is freely downloaded from www.snort.org. Regular rules updates from the Snort Vulnerability Research Team (VRT) can be found here also, as well as documentation and community forums.
At this time, the latest stable release is Snort 126.96.36.199 but Snort 2.8.0 beta is also available but is not final release code. Both versions have binary and source code downloads. As with any Linux app, the considerations are that the binary release is ready-to-run whereas the source code release can be tailored to your needs with possibly additional libraries or different combinations of compile-time flags for greater optimisation. When it comes to security tools, compiling from source becomes even more worth considering to give extra peace of mind that the resulting executable did genuinely result from the program code without any hostilities.
Be sure to check out the documentation page for many very detailed papers covering setup and deployment and general intricacies of intrusion detection in general.
You can further refine Snort by filtering traffic by subnet using the –h flag and an IP address or a network range like 192.168.1/24. This might give a command line like snort –vde –h 192.168.1/24. Those familiar with TCPdump will be familiar with the flexibility in which a range can be specified.
If you have a busy network, data will fly by pretty fast. Things lead us to Snort’s packet logging which is enabled simply by adding the –l flag followed by a directory to save log files. Your command line now might read snort –vde –h 192.168.1/24 –l /var/log/snort.
Finally, to use Snort as an IDS, you add one more item to the command line, namely the location of your Snort configuration file that holds all your rules using the –c flag. This gives a final command line along the lines snort –vde –h 192.168.1/24 –l /var/log/snort –c /etc/snort.conf.
If you are not getting results, be certain that your network card is capable of operating in so-called promiscuous mode and also be sure to run the program as the super-user of your system.
The Snort architecture
To make the best use of Snort, it helps to know how it has been put together. Snort essentially has four components, namely
- The sniffer
- The pre-processor
- The detection engine
- The output renderer
The packet sniffer eavesdrops on network traffic. This doesn’t have to be for surreptitious reasons like snooping for passwords; legitimate and legal packet sniffing encompasses many things – like analysing network performance and troubleshooting application or network faults.
This first component of Snort provides the first two operating modes described above. However, here’s where Snort gets its name: it does so much more than merely sniff; it snorts!
In its third and most versatile and useful mode, Snort herds the sniffed traffic on through its pre-processor. Here, the raw packets are analysed for specific types of behaviour. By “behaviour”, we mean the packets are matched against many heuristics and rules in an attempt to “discover” whether the traffic has any meaningful patterns. This means, for example, Snort is able to pick up if a buffer overflows or if someone is, say, scanning sequential ports on the system. This behaviour may or may not be harmful but is worthy of further analysis.
So then, if Snort identifies a particular behaviour in the raw network data the detection engine is invoked. Here’s where the signatures and rules referred to above come into play. This is where the actual intrusion detection takes part.
The signatures identify packets that contain specific sequences of data. These may be strings of text or sequences of program code that are known to be virus or spam or Trojan activity, for example. The rules fire when any such pattern is detected, directing whether the situation calls for an alert to be logged to disk, a database, a pop-up message, a system log file or in some other way.
We said earlier Snort could wake up your systems administrator via SMS if need be; actually, this isn’t strictly true. Snort does not have built-in capabilities to perform this function – but other freeware add-ons will do this for you. Such a system is Swatch which monitors log files and sends alerts via e-mail. If you have an e-mail-to-SMS gateway (like Telstra’s OnlineSMS) then it is a no-brainer to have these e-mails hop off the TCP/IP network and on to the mobile phone network.
Actually, there’s no shortage of add-ons for Snort. For those who like to know just what’s going on, try sguil which provides a TCL/TK GUI giving access to realtime events, data and raw packets while Snort is running. Alternatively, SnortSnarf will analyse Snort’s activity and render HTML output, suitable for posting to a private web site for easy monitoring.
Windows users should be sure also to try the disgustingly named snot.exe; this is a small tool to simulate network traffic. For our purposes, this means you can test your Snort rules by simulating the very traffic you wish to deny.
Remember too, just like anti-virus apps, intrusion detection systems need their rules to be kept current as new hostilities become known. The Snort web site contains regular ruleset updates, and additional community maintained rules can be downloaded from Bleeding Edge threats. More add-ons help in this area too; use Oinkmaster to keep your rules up to date, and SneakyMan to manually configure your Snort rules within a GNOME window. Finally, be sure to keep Snort itself up to date, being diligent to apply updates when they become available.