Lecture 2 - SNORT Basics 16092024 041447pm

SNORT

Getting Started …
Snort 2
Version 2.9.12.0

• Intrusion Prevention System
• Ability to drop malicious traffic from your network
• Logged Events
• Simple Rule Syntax (Snort Rule Syntax)

http://www.snort.org/downloads
Life of a packet
(Through Snort’s detection engine)
• Preprocessing
• IP Fragmentation
• Stream Reassembly
• Snort Buffers
• Protocols: TCP/IP, HTTP, UDP
Snort 3
Features, Changes and Updates

• Redesigned in C++
• Threading and Scalability
• Plugins
• Updated Snort Rule Syntax

http://www.snort.org/downloads/#snort-30
Snort 3
Upgrading from snort 2

• Transitioning from Snort 2 to Snort 3 is no problem!
• The Snort2Lua tool is included with Snort 3 by default.
• It converts Snort 2 configuration and rules files to the Snort 3 format.

https://github.com/snort3/snort3/blob/master/lua/snort.lua
Snort Rule Set
Subscription Types

• Personal – One-year Subscription
• Business – One-year Subscription
• Integrator – Authorized Reseller

Pulled Pork
Keeping rules updated and organized is hard
• Automatically downloads the newest Rules
• Maintain your custom Rules and Snort Config
• Easy to use
• Third Party

https://github.com/snort3/snort3/blob/master/lua/snort.lua
References
• Download Snort
  Snort2 - http://www.snort.org/downloads
  Snort3 - http://www.snort.org/downloads/#snort-3
• Snort2Lua
  Download - https://github.com/snort3/snort3/tree/master/tools/snort2lua
• Rules
  Download - https://www.snort.org/products#rule-download
  Subscription - https://www.snort.org/products
• Pulled Pork
  Download - https://github.com/shirkdog/pulledpork
  Oinkcode - https://www.snort.org/oinkcodes
Snort2 (Windows)
• For Windows 10 64-bit, the supported SNORT executable can be downloaded from this link.
Snort2 on Windows
• Installing Npcap is required for Snort to function properly on Windows.
• Npcap for Windows 10 can be downloaded from here.
snort -V
• Prints the installed version of Snort
Snort (Linux Distribution)
Snort (Installation and configuration)

• snort -V prints the installed version of Snort
Snort Rule Format

• Rule action: alert – Snort generates an alert when the rule's condition is met.
  (Actions: alert, log, drop)
• Protocol: TCP, UDP, IP, ICMP
• Direction: -> matches traffic from source to destination; <> is bidirectional and matches traffic flowing in both directions.
• sid:5000001 – Snort rule ID. Remember that all numbers below 1,000,000 are reserved, which is why we start at 1000001 (you may use any number as long as it is greater than 1,000,000).
Snort Rules
• Snort has 3 types of rules/rule-sets:
  • Community rules – Free rule-sets created by the Snort community.
  • Registered rules – Free rule-sets created by Talos. To use them, you must register for an account.
  • Subscription-only rules – These rule-sets require an active paid subscription to be accessed and used.
• Or … we can write our own rules based on our requirements.
Snort IDS Network Placement
HOME_NET
• The network we will be protecting.
• First, enter ifconfig in your terminal shell to see the network configuration.
• Using 192.168.10.8
• Gateway 192.168.10.1

c:\Snort\etc\snort.conf
ipvar HOME_NET 192.168.10.0/16
Snort Environment
Running the rule

• snort -i 1 -c c:\snort\etc\snort.conf -A console
  # -i interface to listen on; -c configuration file (snort.conf, which includes the local rules file); -A alert output mode
• snort --help
• snort -?
• snort -i 1 -c c:\snort\etc\snort.conf -A console > text.txt
  # redirect the console output to a file
• snort -i 1 -c c:\snort\etc\snort.conf -A console -q
  # -q quiet mode: suppress the banner and status output
Rule Format - IP Address
• alert tcp 10.1.1.1 any -> 10.1.1.2 80 (msg:"foo"; sid:1000008;)
• Examples
  10.1.1.1 – exact
  10.1.1.0/24 – 10.1.1.0 through 10.1.1.255
  !10.1.1.0/24 – anything but 10.1.1.0 through 10.1.1.255
  [10.1.0.0/24,10.2.0.0/24] – 10.1.0.0 through 10.1.0.255 or 10.2.0.0 through 10.2.0.255
  ![10.1.0.0/24,10.2.0.0/24] – anything but 10.1.0.0 through 10.1.0.255 or 10.2.0.0 through 10.2.0.255
Rule Format - Port
• alert tcp 10.1.1.1 any -> 10.1.1.2 80 (msg:"foo"; sid:1000010;)
• Examples:
  any – any port
  80 – exactly port 80
  1:1023 – 1 through 1023 (inclusive)
  :1023 – less than or equal to 1023
  10: – greater than or equal to 10
  !53 – not 53
  !53:100 – not 53 through 100 (inclusive)

NOTE: NO PORT LISTS. 80,8080 IS NOT VALID!!!!
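Added example (not code from the slides or from the Snort project): a small Python matcher for the IP and port forms listed on the IP Address and Port slides, including negation, bracket lists, the rejection of a comma port list, and the -> versus <> direction semantics from the Rule Format slide. Variables such as $HOME_NET need snort.conf and are not resolved here.

```python
import ipaddress

def parse_ip_spec(spec):
    """Address field -> (negated, networks); networks is None for 'any'.
    Handles 10.1.1.1, 10.1.1.0/24, !10.1.1.0/24 and bracket lists such as
    ![10.1.0.0/24,10.2.0.0/24]. $HOME_NET variables need snort.conf (not here)."""
    negated = spec.startswith("!")
    body = spec[1:] if negated else spec
    if body == "any":
        return False, None
    if body.startswith("[") and body.endswith("]"):
        body = body[1:-1]
    nets = [ipaddress.ip_network(p.strip(), strict=False) for p in body.split(",")]
    return negated, nets

def ip_matches(spec, addr):
    """True if addr is covered by spec; a leading '!' inverts the whole set."""
    negated, nets = parse_ip_spec(spec)
    if nets is None:
        return True
    return any(ipaddress.ip_address(addr) in n for n in nets) != negated

def parse_port_spec(spec):
    """Port field -> (negated, low, high), inclusive. Handles any, 80, 1:1023,
    :1023, 10:, !53 and !53:100. A comma list (80,8080) is rejected, as the slide warns."""
    negated = spec.startswith("!")
    body = spec[1:] if negated else spec
    if body == "any":
        return False, 0, 65535
    if "," in body:
        raise ValueError("port lists are not valid: %r" % spec)
    # "a:b", ":b" and "a:" all split on the colon; a bare number is its own range
    lo, _, hi = body.partition(":") if ":" in body else (body, "", body)
    low, high = int(lo or 0), int(hi or 65535)
    return negated, low, high

def port_matches(spec, port):
    """True if port is covered by spec; a leading '!' inverts the range."""
    negated, low, high = parse_port_spec(spec)
    return (low <= port <= high) != negated

def header_matches(header, src_ip, src_port, dst_ip, dst_port):
    """Evaluate 'src sport dir dst dport' against one flow; '<>' also accepts the reverse."""
    src, sport, direction, dst, dport = header.split()
    forward = (ip_matches(src, src_ip) and port_matches(sport, src_port)
               and ip_matches(dst, dst_ip) and port_matches(dport, dst_port))
    if forward or direction == "->":
        return forward
    return (ip_matches(src, dst_ip) and port_matches(sport, dst_port)
            and ip_matches(dst, src_ip) and port_matches(dport, src_port))
```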


ICMP based Rule
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000005; rev:1; classtype:icmp-event;)

• $HOME_NET – Destination IP. We are using the HOME_NET value from the snort.conf file.
• rev:1 – Revision number. This option makes rule maintenance easier.
• classtype:icmp-event – Categorizes the rule as an "icmp-event", one of the predefined Snort categories. This option helps with rule organization.

snort -i 1 -c c:\snort\etc\snort.conf -A console -K ascii

• The default log format is pcap; -K ascii writes ASCII logs instead. Check the log folder.
More Specific Rule
alert tcp 192.168.10.8 any -> $HOME_NET 21 (msg:"FTP Connection attempt"; sid:1000006; rev:1;)

Exercise
Write a rule that will fire when you browse to www.Bahria.edu.pk from
the machine Snort is running on; it should look for any outbound TCP
request to Bahria.edu.pk and alert on it.
Content Keyword
• One important feature of Snort is its ability to find a data pattern inside a packet.
• The pattern may be given as an ASCII string or as binary data written as hexadecimal bytes.

alert tcp 192.168.1.0/24 any -> ![192.168.1.0/24] any \
    (content: "GET"; msg: "GET matched"; sid:1000011;)

• The rule above detects the pattern "GET" in the data part of all TCP packets leaving the 192.168.1.0 network for an address that is not part of that network.
• The following rule does the same thing, but the pattern is written in hexadecimal.

alert tcp 192.168.1.0/24 any -> ![192.168.1.0/24] any \
    (content: "|47 45 54|"; msg: "GET matched"; sid:1000012;)
Content Search Options
• Depth is how far to LOOK into the payload from the start of the payload.
• Distance is how far to SKIP from the LAST byte of the previous match before looking for the current match.
• Offset is how far to SKIP into the packet from the beginning of the payload before looking for the current match.
• Within says only look in the NEXT x bytes AFTER the last byte of the last content match.

• So offset and depth are measured from the start of the payload and are often used together; distance and within are similar but relative to the last content match.
Offset
• The offset keyword is used in combination with the content keyword. Using this keyword, you can start your search at a certain offset from the start of the data part of the packet.
• Use a number as the argument to this keyword. The following rule starts searching for the word "HTTP" 4 bytes after the start of the data.

alert tcp 192.168.1.0/24 any -> any any (content: "HTTP"; offset: 4; msg: "HTTP matched"; sid:1000013;)

• You can use the depth keyword to define the point after which Snort should stop searching for the pattern in the data packets.
Depth
• The depth keyword is also used in combination with the content keyword, to specify an upper limit for the pattern match.
• This keyword is very important since you can use it to limit searching inside the packet. For example, information about HTTP GET requests is found at the start of the packet, so there is no need to search the entire packet for such strings.

alert tcp 192.168.1.0/24 any -> any any (content: "HTTP"; offset: 4; depth: 40; msg: "HTTP matched";)
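Added example, not code from the slides or from Snort: a Python model of the content keyword with the offset/depth and distance/within modifiers described in the Content Keyword, Content Search Options, Offset and Depth slides, including decoding of a |47 45 54| hex pattern. SAMPLE is a constructed HTTP request; depth and within are applied as the number of bytes searched from the point where the search starts, and the whole pattern must fit inside that window.

```python
def parse_content(value):
    """Decode the value of a content: keyword into bytes. Text is taken
    literally; hex runs between pipes, such as |47 45 54|, are decoded, so
    "GET" and "|47 45 54|" yield the same pattern. Mixed forms work too."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        if i % 2:  # odd segments sit between a pipe pair: hex bytes
            out += bytes.fromhex(part)
        else:
            out += part.encode("latin-1")
    return bytes(out)

def match_contents(payload, contents):
    """Run a chain of content checks over one payload.
    contents: list of (pattern, modifiers); modifiers is a dict with any of
    offset, depth, distance, within. offset/depth count from the start of the
    payload; distance/within count from the byte after the previous match,
    as the slides describe. Returns the index just past the last match, or
    None as soon as one check fails."""
    last_end = 0
    for pattern, mods in contents:
        if "distance" in mods or "within" in mods:
            start = last_end + mods.get("distance", 0)  # relative to last match
            span = mods.get("within")
        else:
            start = mods.get("offset", 0)                # absolute in payload
            span = mods.get("depth")
        # depth/within bound the searched region; the full pattern must fit in it
        end = len(payload) if span is None else min(len(payload), start + span)
        idx = payload.find(pattern, start, end)
        if idx < 0:
            return None
        last_end = idx + len(pattern)
    return last_end

# Constructed sample payload (not from the slides): a plain HTTP request.
SAMPLE = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

def http_rule_matches(payload):
    """The slide's rule body 'content:"HTTP"; offset:4; depth:40;' on one payload."""
    checks = [(parse_content("HTTP"), {"offset": 4, "depth": 40})]
    return match_contents(payload, checks) is not None
```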
dsize
• The dsize keyword is used to test the length of the data part (payload) of a packet.
• Many attacks exploit buffer overflow vulnerabilities by sending oversized packets.
• Using this keyword, you can test whether a packet carries data larger than, smaller than, or equal to a certain number of bytes.
• The following rule generates an alert if the data size of an IP packet is larger than 6000 bytes.

alert ip any any -> 192.168.1.0/24 any (dsize: > 6000; msg: "Large size IP packet detected";)
Flags keyword
• The flags keyword is used to find out which flag bits are set inside the TCP header of a packet.
• Each flag can be used as an argument to the flags keyword in Snort rules.

alert tcp any any -> 192.168.1.0/24 any \
    (flags: SF; msg: "SYN-FIN packet detected";)
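Added example, not from the slides or from Snort: a Python evaluator for the dsize and flags checks above, exercised on a constructed 20-byte TCP header. The flags modifiers (+, *, ! and the ",12" ignore mask) follow the Snort 2 manual, where 1 and 2 name the two high reserved/ECN bits; the plain "SF" form is the exact match the slide's rule uses.

```python
import struct

# Snort 2 flag letters -> bit in the TCP flags byte (1 and 2 = the two high bits).
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "1": 0x40, "2": 0x80}

def tcp_flags(tcp_header):
    """Return the flags byte of a raw TCP header (byte 13)."""
    if len(tcp_header) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    return tcp_header[13]

def flags_matches(spec, flags):
    """Evaluate a flags: value against a flags byte.
    'SF' -> exactly SYN and FIN, nothing else; 'SF+' -> SYN and FIN plus any
    others; '*SF' -> SYN or FIN; '!S' -> SYN not set; '0' -> no flags at all.
    An optional ',12' suffix names bits to ignore before comparing."""
    spec = spec.replace(" ", "")
    ignore = 0
    if "," in spec:
        spec, mask = spec.split(",", 1)
        ignore = sum(FLAG_BITS[c] for c in mask)
    mode = "exact"
    if spec[0] in "*!":
        mode, spec = spec[0], spec[1:]
    elif spec.endswith("+"):
        mode, spec = "+", spec[:-1]
    wanted = 0 if spec == "0" else sum(FLAG_BITS[c] for c in spec)
    flags &= 0xFF & ~ignore
    if mode == "exact":
        return flags == wanted
    if mode == "+":
        return flags & wanted == wanted
    if mode == "*":
        return bool(flags & wanted)
    return flags & wanted == 0  # '!' mode

def dsize_matches(spec, payload_len):
    """Evaluate the dsize: forms on the slide: '> 6000', '< N' or an exact 'N'."""
    spec = spec.replace(" ", "")
    if spec[0] == ">":
        return payload_len > int(spec[1:])
    if spec[0] == "<":
        return payload_len < int(spec[1:])
    return payload_len == int(spec)

def build_tcp_header(sport, dport, flags):
    """Constructed 20-byte TCP header (seq/ack zero, no options) for testing."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
```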
