snort


snort is an open source network intrusion detection and prevention system (NIDS/IPS) that runs under most OSs, including Windows.

It can be run in a few modes: as a packet sniffer, as a packet logger, and as a NIDS/IPS driven by a configuration file:

 snort -dev

-d - dump application-layer data (payload)

-e - dump Ethernet (L2) headers

-v - verbose: print the decoded packets to the console

 snort -de -b -l ./log
 snort -dev -r ./log/snort.log.<timestamp>

-l <dir> - log to this directory (the argument is a directory, not a file name)

-b - binary logging in tcpdump/pcap format; the file is created as snort.log.<timestamp> inside the log directory

-r <file> - read packets back from a pcap file instead of sniffing a live interface

 vi snort.conf
   config policy_mode:tap
 or
   config policy_mode:inline_test
 snort -c snort.conf
 vi snort.conf
   config policy_mode:inline
 snort -Q -c snort.conf

policy_mode:tap is passive IDS operation: snort only alerts. inline_test behaves like inline but never drops anything; packets that a drop rule would have blocked are marked "Would Drop" in the alert output, which is the safe way to test drop rules before enforcing them. inline requires snort to be started with -Q (inline operation through an inline-capable DAQ such as afpacket or nfq) so that the drop, sdrop and reject actions actually take effect.

Configuration

Configuration Options

 config <directive>[:value]

Variables

 var DIR inc
 portvar PORTS [80,443:444]
 ipvar IPS [192.168.1.0/24,10.1.1.0/24]

Rules

 alert tcp any any -> $IPS $PORTS (flags:S; msg:"SYN packet";)
 include $DIR/more.rules

Preprocessors

Preprocessors are modules that snort runs after the packet decoder and before the detection engine. They analyze or modify packets outside the rule engine, typically to reassemble fragments and TCP streams or to normalize a protocol, so that rules see the traffic the way the target host will:

 preprocessor <name>[:option,option...]

Frag3

Frag3 - target-based IP defragmentation module

 preprocessor frag3_global[:[max_frags <num>][,memcap <bytes>][,prealloc_memcap <bytes>][,prealloc_frags <num>][,disabled]]
 
 preprocessor frag3_engine[:[timeout <sec>][,min_ttl <value>][,detect_anomalies][,bind_to <dest_IPs>]\
 [,overlap_limit <frags_per_packet>][,min_fragment_length <bytes>][,policy <bsd|last|first|linux|bsd-right|window>]]
 
 preprocessor frag3_engine[:option_set2]

More than one frag3_engine may be defined; each can carry its own policy and bind_to list, so that hosts with different IP stacks are defragmented the way their own OS would do it (that is the "target-based" part: an attacker who knows the sensor and the host resolve overlapping fragments differently can slip data past the sensor).

Session

Session (must be used in conjunction with the Stream preprocessor) creates and manages a session control block for each flow. In Snort 2.9 it is configured through the stream5_* directives:

 preprocessor stream5_global[:[track_tcp <yes|no>][,max_tcp <num>][,memcap <bytes>][,track_udp <yes|no>][,max_udp <num>]\
 [,track_icmp <yes|no>][,max_icmp <num>][,track_ip <yes|no>][,max_ip <num>][,flush_on_alert][,show_rebuilt_packet]\
 [,prune_log_max <bytes>][,disabled][,enable_ha]]

If enable_ha is used, then

 preprocessor stream5_ha[:[min_session_lifetime <msec>][,min_sync_interval <msec>][,startup_input_file <name>]\
 [,runtime_output_file <name>][,use_side_channel]]
 preprocessor stream5_tcp[:[log_asymmetric_traffic <yes|no>][,bind_to <dest_ip>][,timeout <1-86400>]\
 [,policy <target_os>][,overlap_limit <0-255>][,max_window <0-1073725440>][,require_3whs <0-86400>]\
 [,detect_anomalies][,check_session_hijacking][,use_static_footprint_sizes][,dont_store_large_packets]\
 [,dont_reassemble_async][,max_queued_bytes <0,1024-1073741824>][,max_queued_segs <0,2-1073741824>]\
 [,small_segments <0-2048> bytes <0-2048> [ignore_ports number <num>]][,ports <client|server|both> <all|[!]number>]\
 [protocol <client|server|both> <all|service <name>>][,ignore_any_rules][,flush_factor <N segs>]]  

The default stream5_tcp timeout is 30 sec.

<target_os> values are: first, last (favor the first or the last of overlapping segments), bsd, linux (>= 2.4), old-linux (<= 2.2), windows, win2003, vista, solaris, hpux, hpux10, irix, macos. The policy should match the OS of the hosts bound to the engine, because each stack resolves overlapping TCP segments differently and a mismatch lets an attacker hide data from the sensor.

require_3whs [<0-86400>] tracks only sessions whose full SYN/SYN-ACK/ACK handshake was seen. The optional number of seconds is a grace period after snort startup during which sessions already in progress are still treated as established. The default is 0 (no grace period).

check_session_hijacking compares the client and server MAC addresses recorded during the 3-way handshake with those of every later packet in the session; a mismatch on either side raises an alert (alerting requires detect_anomalies). Because the MAC addresses the sensor sees belong to the last hop, this only detects hijacking from within the same layer-2 segment; beyond a router every packet carries the router's MAC.

0 in max_queued_bytes and max_queued_segs means unlimited. The default for _bytes is 1 MB (1048576), for _segs 2621.

0 in small_segments disables small-segment queuing and is the default.

The default for the "protocol" option is "protocol client ftp telnet smtp nameserver dns http pop3 sunrpc dcerpc netbios-ssn imap login shell mssql oracle cvs mysql".

ignore_any_rules is literal: packets of this protocol are not queued for rules whose source and destination ports are both "any" (see the manual for the exact conditions and caveats).

flush_factor <N> flushes (reassembles) as soon as a segment is smaller than the N non-decreasing segments before it; the drop in size usually marks the end of a request or response, which is useful in inline mode.

 preprocessor stream5_udp[:[timeout <1-86400>][,ignore_any_rules]]
 preprocessor stream5_ip[:timeout <1-86400>]

Stream

Stream preprocessor is focused on functions specific to reassembling and protocol-aware flushing. Session management is handled by Session preprocessor. Protocol-aware flushing of HTTP, SMB, DCE/RPC can be enabled with:

 config paf_max: <max_pdu>

<max_pdu> ranges from 0 (protocol-aware flushing off) to 63780 bytes; the default is 16384. It lets snort hand complete protocol PDUs to the detection engine regardless of how the sender segmented them, so a content match cannot be split across TCP segments.

sfPortscan

Used to detect traditional and modified port scans.

 preprocessor sfportscan[:[proto <TCP[,UDP][,ICMP][,ip_proto]|all>][,scan_type <portscan[,portsweep][,decoy_portscan]\
 [,distributed_portscan]|all>][,sense_level <low|medium|high>][,watch_ip <ip|ip/mask [port|port1-port10]>]\
 [,ignore_scanners <ips and ports>][,ignore_scanned <ips and ports>][,logfile <name>][,include_midstream]\
 [,detect_ack_scans][,disabled]]

RPC Decode

The rpc_decode preprocessor normalizes fragmented RPC records so that a request split across several fragments is inspected as one. If stream5 is enabled, it only processes client-side traffic. The default configuration enables it on ports 111 and 32771.

 preprocessor rpc_decode:<ports>[alert_fragments][,no_alert_multiple_requests][,no_alert_large_fragments]\
 [,no_alert_incomplete]  

There are many other protocol-specific preprocessors (HTTP Inspect, SMTP, FTP/Telnet, SSH, DNS, SSL/TLS, DCE/RPC 2, ARP Spoof and Sensitive Data, among others); see the snort manual for their configuration options.

Decoder and Preprocessor rules

These rules are located under the preproc_rules directory in the decoder.rules and preprocessor.rules files. To enable them, define the directory path and include the files in snort.conf:

 var PREPROC_RULE_PATH /path/to/preproc/rules
 ...
 include $PREPROC_RULE_PATH/preprocessor.rules
 include $PREPROC_RULE_PATH/decoder.rules

A rule may have the following actions: alert, log, pass, drop, sdrop, reject.

Snort provides four mechanisms to tune event processing: detection_filter (a rule option that requires a number of matches before the rule fires at all) and the three configuration directives rate_filter, event_filter and suppress. They are applied in that order: rate_filter may change the action, suppress discards matching events outright, and event_filter decides how many of the remaining events get logged.

 rate_filter gen_id 135, sig_id 1, track by_src, count 100, seconds 1, new_action drop, timeout 10

This is the manual's example: GID 135 is snort's internal connection-rate generator (SID 1 counts new TCP connection attempts), so a source that opens more than 100 connections in one second has its action changed to drop for the following 10 seconds. count must be nonzero; seconds 0 turns count into a total instead of a rate; timeout 0 makes new_action permanent.

gen_id stands for generator_id and identifies a component of snort; the list is in etc/generators in the source tree.

sig_id stands for snort_id or signature_id. Preprocessor SIDs are listed in etc/gen-msg.map; rule SIDs come from the sid option of each rule.

 event_filter gen_id 1, sig_id 1851, type limit, track by_src, count 1, seconds 60
 suppress gen_id 1, sig_id 1851

event_filter type limit logs the first count events of each seconds window and discards the rest of that window; type threshold logs every count-th event; type both logs once per window, when the count-th event arrives. The example above limits SID 1851 to one alert per source per minute. suppress silences an event entirely, optionally only for a given address list (track by_src|by_dst, ip <list>).
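The three directives applied to an alert stream, as an added example in Python (not Snort's own code; Snort implements this in C). It parses the directive lines as written on this page, then processes a constructed stream of alerts the way the manual describes: rate_filter first (it may swap the action for new_action until the timeout passes), then suppress, then event_filter with all three types. The alert stream, the suppress line for SID 2000 and the time values are constructed for the example. Windows are fixed windows that open at the first event seen for a tracked key.

```python
"""Snort event processing (rate_filter, suppress, event_filter) modeled in Python
over a constructed alert stream.  Added example, not Snort's own code; semantics
follow the Snort 2.9 manual with fixed windows per tracked (gid, sid, address)."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Event:
    ts: float              # seconds since sensor start
    gid: int
    sid: int
    src: str
    dst: str
    action: str = "alert"  # action of the rule that fired

def parse_directive(line):
    """'suppress gen_id 1, sig_id 1851' -> ('suppress', {'gen_id': '1', 'sig_id': '1851'})"""
    kind, _, rest = line.strip().partition(" ")
    opts = {}
    for kv in rest.split(","):
        key, _, val = kv.strip().partition(" ")
        opts[key] = val.strip()
    return kind, opts

def _track_key(opts, ev):
    # by_src / by_dst count per address; by_rule (rate_filter only) counts globally
    ident = {"by_src": ev.src, "by_dst": ev.dst, "by_rule": "*"}[opts["track"]]
    return (ev.gid, ev.sid, ident)

def _bump(state, ts, seconds):
    """Fixed window: open a new one when the old has expired, then count this event.
    seconds == 0 means the window never expires (a total count)."""
    if state["start"] is None or (seconds and ts - state["start"] >= seconds):
        state["start"], state["count"] = ts, 0
    state["count"] += 1
    return state["count"]

class EventProcessor:
    def __init__(self, directives):
        self.suppress, self.event_filters, self.rate_filters = set(), {}, {}
        for line in directives:
            kind, opts = parse_directive(line)
            gs = (int(opts["gen_id"]), int(opts["sig_id"]))
            if kind == "suppress":
                self.suppress.add(gs)
            elif kind == "event_filter":
                self.event_filters[gs] = opts
            elif kind == "rate_filter":
                self.rate_filters[gs] = opts
        self.ef_state = defaultdict(lambda: {"start": None, "count": 0})
        self.rf_state = defaultdict(lambda: {"start": None, "count": 0, "until": None})

    def process(self, ev):
        """Action Snort would take ('alert', 'drop', ...) or None if suppressed/filtered."""
        gs, action = (ev.gid, ev.sid), ev.action
        rf = self.rate_filters.get(gs)
        if rf:
            st = self.rf_state[_track_key(rf, ev)]
            if st["until"] is not None and ev.ts >= st["until"]:
                st["until"], st["start"] = None, None  # timeout over: back to the rule's action
            if st["until"] is not None:
                action = rf["new_action"]
            elif _bump(st, ev.ts, float(rf["seconds"])) > int(rf["count"]):
                action = rf["new_action"]  # rate exceeded: new_action for timeout seconds
                timeout = float(rf["timeout"])
                st["until"] = ev.ts + timeout if timeout else float("inf")  # 0 = permanent
        if gs in self.suppress:
            return None
        ef = self.event_filters.get(gs)
        if ef:
            n = _bump(self.ef_state[_track_key(ef, ev)], ev.ts, float(ef["seconds"]))
            c = int(ef["count"])
            passed = {"limit": n <= c,              # first c events of each window
                      "threshold": n % c == 0,      # every c-th event
                      "both": n == c}[ef["type"]]   # once per window, on the c-th event
            if not passed:
                return None
        return action

def run(directives, events):
    """Process events in order; returns one action (or None) per event."""
    proc = EventProcessor(directives)
    return [proc.process(ev) for ev in events]

# Constructed sample: the rate_filter and event_filter lines from this page plus
# a suppress for a made-up SID 2000, fed with a synthetic alert stream.
DIRECTIVES = [
    "rate_filter gen_id 135, sig_id 1, track by_src, count 100, seconds 1, new_action drop, timeout 10",
    "event_filter gen_id 1, sig_id 1851, type limit, track by_src, count 1, seconds 60",
    "suppress gen_id 1, sig_id 2000",
]

def demo():
    """101 SYNs in half a second from one host, two more later; three 1:1851 alerts."""
    events = [Event(i / 200, 135, 1, "10.0.0.5", "192.168.1.10") for i in range(101)]
    events += [Event(5.0, 135, 1, "10.0.0.5", "192.168.1.10"),   # still inside the 10 s timeout
               Event(11.0, 135, 1, "10.0.0.5", "192.168.1.10"),  # timeout over
               Event(0.0, 1, 1851, "10.0.0.7", "192.168.1.20"),
               Event(10.0, 1, 1851, "10.0.0.7", "192.168.1.20"),
               Event(60.0, 1, 1851, "10.0.0.7", "192.168.1.20"),
               Event(0.0, 1, 2000, "10.0.0.9", "192.168.1.20")]
    res = run(DIRECTIVES, events)
    return {"syn_alerted": res[:100].count("alert"), "syn_101st": res[100],
            "syn_in_timeout": res[101], "syn_after_timeout": res[102],
            "limit_window": res[103:106], "suppressed": res[106]}
```

demo() returns 100 alerts for the first hundred SYNs, drop for the 101st and for the one at 5 s, alert again at 11 s once the timeout has passed, ["alert", None, "alert"] for the three 1:1851 events (the third opens a new 60 s window), and None for the suppressed event.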

Output Modules

Snort supports multiple output modules for formatting and presentation purposes. For example:

 output alert_syslog: log_auth log_alert

alert_syslog sends alerts to syslog with the given facility and priority (here LOG_AUTH, LOG_ALERT). Other supported modules include alert_fast (one line per alert), alert_full (alert plus full packet headers), alert_unixsock, log_tcpdump, csv, unified2 (the binary format read by Barnyard2) and log_null.

Host Attributes Tables

Network hosts (their OS, services and ports) can be described in an XML attribute table loaded with config attribute_table filename <path>. Stream5 and frag3 use it to pick the right target-based policy per host, and service-based rule matching uses the service information. The table can be reloaded at run time.

Dynamically Loaded Modules

Snort supports three kinds of dynamically loaded modules, configured with dynamicpreprocessor (preprocessor shared libraries), dynamicengine (the detection engine) and dynamicdetection (shared-object rules); each directive takes either directory <dir> or file <path>.

Configuration Reload

 pkill -HUP snort

or kill -SIGHUP <pid>. Reloading requires snort to be built with --enable-reload; otherwise SIGHUP makes snort restart. Even then some changes are not reloadable, for example anything under output or changes to the dynamically loaded modules (dynamicengine, dynamicpreprocessor, dynamicdetection); those still need a restart.

Multiple Configurations

Snort can apply different configurations to different VLANs or subnets within a single instance. The main snort.conf binds each additional configuration file by VLAN list, by network, or by policy id:

 config binding: <path1_to_snort.conf> vlan <list>
 config binding: <path2_to_snort.conf> net <subnet>
 config binding: <path3_to_snort.conf> policy_id <0-4095> 

Snort Rules

The rule has the following format:

 <rule_header>[(rule options)]

For example,

 alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg: "mountd access";)

The rule header format:

 <action> <protocol> <src_addr> <src_port> <directional_operator> <dest_addr> <dest_port>

Rule Actions

The activate and dynamic actions are being phased out in favor of a combination of tagging (the tag option) and flowbits.

Custom rule types may be defined and used as actions:

 ruletype suspicious
 {
   type log
   output log_tcpdump: suspicious.log
 }

Protocols

Currently only TCP, UDP, ICMP and IP are analyzed.

Directional Operator

Can be either "->" or "<>". With "->" the left-hand address/port pair is the source and the right-hand pair the destination; "<>" matches traffic in both directions, so source and destination can be on either side of it. There is no "<-" operator.
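How the variables and the rule header resolve against a packet, as an added example in Python (not Snort's own code; Snort does this in C). It substitutes the var/portvar/ipvar definitions from the Variables section into the rule from the Rules section, parses the header, and evaluates it against constructed 5-tuples, honouring the "->" and "<>" operators. It goes a little beyond the lines above by also handling "!" negation, open-ended port ranges such as :1023 and an excluded host inside an ipvar list, all standard Snort syntax. The sample packets are constructed; the rule options in parentheses are split off and ignored.

```python
"""Resolve Snort var/portvar/ipvar definitions and evaluate a rule header
against packet 5-tuples.  Added example in Python, not Snort's own code.
Only the header (action proto src sport dir dst dport) is evaluated; the
options in parentheses are split off and ignored."""
import ipaddress
import re

HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?P<opts>\(.*\))?\s*$")

def parse_vars(conf):
    """Collect var/portvar/ipvar definitions from snort.conf text into {NAME: value}."""
    found = {}
    for line in conf.splitlines():
        m = re.match(r"\s*(?:var|portvar|ipvar)\s+(\w+)\s+(\S+)", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def expand(token, variables):
    """Substitute $NAME references until none remain (a var may reference another var)."""
    prev = None
    while prev != token:
        prev, token = token, re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], token)
    return token

def _items(spec):
    """'![80,443:444]' -> (True, ['80', '443:444']);  'any' -> (False, ['any'])."""
    negate = spec.startswith("!")
    spec = spec[1:] if negate else spec
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    return negate, [s.strip() for s in spec.split(",") if s.strip()]

def port_matches(spec, port):
    """Port spec: any | N | lo:hi | :hi | lo: | [list], optionally negated with '!'."""
    negate, items = _items(spec)
    hit = False
    for item in items:
        if item == "any":
            hit = True
        elif ":" in item:
            lo, _, hi = item.partition(":")
            hit |= (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
        else:
            hit |= int(item) == port
    return hit != negate

def ip_matches(spec, ip):
    """IP spec: any | addr | CIDR | [list, with !excluded entries], optionally negated."""
    negate, items = _items(spec)
    addr = ipaddress.ip_address(ip)
    hit = excluded = False
    for item in items:
        if item == "any":
            hit = True
        elif item.startswith("!"):
            excluded |= addr in ipaddress.ip_network(item[1:], strict=False)
        else:
            hit |= addr in ipaddress.ip_network(item, strict=False)
    return (hit and not excluded) != negate

def parse_rule(rule, variables):
    """Parse a rule header, expanding $VARIABLES in the address and port fields."""
    m = HEADER.match(rule.strip())
    if not m:
        raise ValueError("not a snort rule: %r" % rule)
    header = m.groupdict()
    for field in ("src", "sport", "dst", "dport"):
        header[field] = expand(header[field], variables)
    return header

def header_matches(header, pkt):
    """pkt: dict with proto, src, sport, dst, dport.  '->' matches one way only,
    '<>' matches either direction.  Protocol 'ip' matches any transport."""
    if header["proto"] not in ("ip", pkt["proto"]):
        return False

    def one_way(a_ip, a_port, b_ip, b_port):
        return (ip_matches(header["src"], a_ip) and port_matches(header["sport"], a_port)
                and ip_matches(header["dst"], b_ip) and port_matches(header["dport"], b_port))

    forward = one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if header["dir"] == "->":
        return forward
    return forward or one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])

# Constructed sample: the variable definitions and the rule from this page.
CONF = """
var DIR inc
portvar PORTS [80,443:444]
ipvar IPS [192.168.1.0/24,10.1.1.0/24]
"""
RULE = 'alert tcp any any -> $IPS $PORTS (flags:S; msg:"SYN packet";)'

def demo():
    """Evaluate RULE against a few constructed packets; returns {name: matched}."""
    header = parse_rule(RULE, parse_vars(CONF))
    packets = {
        "https_in": dict(proto="tcp", src="203.0.113.9", sport=51000, dst="192.168.1.10", dport=443),
        "ssh_in": dict(proto="tcp", src="203.0.113.9", sport=51000, dst="192.168.1.10", dport=22),
        "reply": dict(proto="tcp", src="192.168.1.10", sport=443, dst="203.0.113.9", dport=51000),
        "udp_80": dict(proto="udp", src="203.0.113.9", sport=51000, dst="10.1.1.2", dport=80),
    }
    return {name: header_matches(header, p) for name, p in packets.items()}
```

demo() matches only the inbound HTTPS SYN: the server's reply fails because "->" is one-way, SSH fails on $PORTS, and the UDP packet fails on the protocol. The same packets against "log tcp $IPS $PORTS <> any any" match in both directions.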

Rule Options

There are four rule option types:

General Type Options

These describe the rule and its event but do not affect detection: msg, reference, gid, sid, rev, classtype, priority, metadata.

Payload Detection Options

These look inside the packet or reassembled payload: content with its modifiers (nocase, rawbytes, depth, offset, distance, within, the http_* buffers and fast_pattern), uricontent, urilen, isdataat, pcre, byte_test, byte_jump and byte_extract, among others.

Non-Payload Detection Rule Options

These test header fields and flow state: fragoffset, ttl, tos, id, ipopts, fragbits, dsize, flags, flow, flowbits, seq, ack, window, itype, icode, icmp_id, icmp_seq, rpc, ip_proto, sameip, stream_size.

Post-Detection Rule Options

These run after a rule has matched: logto, session, resp, react, tag, activates, activated_by, count, replace, detection_filter.

Integration of Snort with other tools

Typically snort is used with Barnyard2, which parses snort's binary (unified2) log and populates a MySQL database, keeping the database I/O out of snort's packet path. PulledPork automatically downloads and installs the latest snort rules and signatures. Web front-ends for the alerts include Snorby, BASE and Sguil, and alerts can be forwarded to a SIEM such as Splunk. Autosnort, EasyIDS or Security Onion install all of these together.