In this article we will learn the make up of Snort rules and how we can we configure them on windows to get alerts for any attacks performed. There are various IDS (Intrusion Detection System) and IPS(Intrusion Prevention System) methods available to use, but one of the best and most common method is Snort.
What is Snort?
Snort is a Free and Open Source Network Intrusion Prevention and Detection System. It uses a rule-based language combining signature, protocol and anomaly inspection methods to detect malicious activity such as DOS attacks, Buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and more. It is capable of performing real time traffic analysis and packet logging on IP networks.
Uses of Snort Rules?
- Snort uses the popular libpcap library (For UNIX/Linux) or winpcap (for Windows), the same library that tcpdump uses to perform packet sniffing.
- Snort’s Packet Logger feature is used for debugging network traffic.
- Snort generates alerts according to the rules defined in configuration file.
- The Snort rule language is very flexible, and creation of new rules is relatively simple.
- Snort rules help in differentiating between normal internet activities and malicious activities.
A simple syntax for a Snort rule:
#### An example for Snort rule:
log tcp !192.168.0/24 any -> 192.168.0.33 (msg: "mounted access" ; )
The direction operators
-> indicate the direction of interest for the traffic, this means traffic can either flow in one direction or in bi-directionally. Keyword
any can be used to define any IP addresses, numeric IP addresses must be used with a CIDR (Classless Inter-domain Routing) netmask. In snort rules the port numbers can be listed in many ways, including
any ports, negation etc. Port ranges are indicated with Range operator
An example for multi-line Snort rule:
log tcp !192.168.0/24 any -> 192.168.0.33 \ (msg: "mounted access" ; )
Usually snort rules were written in a single line, but with the new version snort rules can be written in multi line. This can be done by adding a backslash
\ to the end of the line. This multiple line helps, if a rule is very large and difficult to understand.
Example of a Port negation-
log tcp any any -> 192.168.1.0/24 !6000:6010
For better understanding refer to this table:
|Protocols||Ip Address||*Action performed|
|*log tcp any :1024 ->||192.168.1.0/24 400:||It will log traffic from various ports and will go to ports which are greater than or equal to 400|
|log udp any any ->||22.214.171.124/24 1:1024||It will log traffic from any port and destination ports ranging from 1 to 1024|
Snort rules must be contained on a single line, unless the multi-line char
\is used, the snort rule parser does not handle rules on multiple lines. Usually it is contained in
It come with two logical parts: 1. Rule header – Identifies rule actions such as alerts, log, pass, activate, dynamic and the CIDR (Classless inter-domain routing) Block.
2. Rule options – Identifies rule’s alert messages.
Snort rules must be written in such a way that it describes all the following events properly:
- The conditions in which a user thinks that a network packet(s) is not same as usual or if the identity of the packet is not authentic.
- Any violation of the security policy of the company that might be a threat to the security of the company’s network and other valuable information.
- All well known and common attempts to exploit the vulnerabilities in the company’s network.
The rules defined to the system should be compatible enough to act immediately and take necessary remedial measures, according to the nature of the intrusion.Snort Does not evaluate the rules in that order that they appear in the snort rules file. By default, the order is:
- Alert rules – It generates an alert using alert method.
- Log rules – After generating alert, it then log the packet.
- Pass rules – It ignore the packet and Drop it.
As we know IP is a unique address for every computer and is used for transferring data or packet over the internet from one network to the other network and each packet contains a message, Data, source, destination address and much more. Snort supports three IP protocols for suspicious behavior:
- TCP (Transmission control protocol) – It is used to connect two different hosts and exchange data between them. Example – HTTP, SMTP, FTP
- UDP (User datagram protocol) – It is used to broadcasting messages over the internet. Example – DNS Traffic
- ICMP (Internet control message protocol) – It is used in windows to send network error messages. Example – Ping, Traceroute etc.
Installing and configuring Snort rules on windows:
As we have discussed earlier, snort rules can be defined on any Operating system. Here we will configure Snort rules on windows.The first step is to download snort itself, which you can download from here (DOWNLOAD SNORT). After you have downloaded snort, download Snort rules from here (DOWNLOAD SNORT RULES). These rules are community rules and you can download it without signing up. If you want the greatest snort rules, getting updates for new rules set, then you should go for subscription rules, which will cost you like 30$/year for an indvidual. There is not much difference between the community rules and the subscribers rules, they have same structure but you will get updates for new snort rules really quick if you are a subscriber.
- Install snort in root directory, a popup will appear for installing Winpcap, install it if its not already installed in your windows.
- To check weather Snort has successfully installed, Open Command Prompt and go to Snort Directory.
- Check if there is a bin directory created under directory folder.
- Now go to Bin directory and check Snort version.
- Extract all the Snort rules folders, that you donwloaded before and from there copy all the content from folder to
- Similarly, copy all the content from
If it ask to overwrite the files say yes to all. It will replace all the old versions with new preproc rules.
- After you have copied all the contents the main task starts here, Go to
Snort.conf** with wordpad. CONF stands for configure.
- Snort.conf has Nine different sections, First thing we will set the variables. The first variable we have is
HOME_NET, You can leave this to any but it is preferred to put your machine IP address, In my case the IP is
EXTERNAL_NETany line as it is.
- If you have a DNS SERVER, then make changes in the
DNS_SERVERSline by replacing
$HOME_NETwith your DNS server IP address, otherwise leave it blank.
- Now scroll down to
RULE_PATH, and replace
c:\Snort\so_rules, At last replace
- Also change the
- Now navigate to
c:\Snort\rules, and create two text files named whitelist andblacklist and change their file extension from** .txt** to **.rules, **if a pop up appears click yes.
- That’s all for step one, and there is nothing much to do in step two but set
#config logdir:to **
config logdir:c:\Snort\log**, this will help snort to write the output in a particular location.
- Now straightway go to step 4, in this we have to configure dynamic loaded libraries. At path to dynamic preprocessor libraries replace
usr/local/lib/snort_dynamicpreprocessorwith your dynamic preprocessor which is
- Similarly replace
usr/local/lib/snort_dynamicengine/libsf_engine.sowith your base preprocessor engine which is
- Comment (#) the dynamic rule libraries line as we have already configured the libraries.
- Now we are on step 5, add a comment(#) before all the listed preprocessors under inline packet normalization, they do nothing but generate errors at the run time.
- In step 6 configuring output plugins, provide the location of the classification.config and replace it with
C:\Snort\etc\classification.config, Similarly provide the location of the reference.config and repalce it with
- In the next line add
output alert_fast: alert.ids, for snort to dump all logs in
- In Snort.conf file, find and replace
var. By default the string ipvar is not recognized by snort, so we replace it with var. To find and replace press
Ctrl + Hand in find what field write ipvar and the replace field write var and click Replace all.
- The last step is to remove the back slash and add comment characters
#on lines 501 to 507. These lines can be found above step6.
- Save the snort.conf file and close the window.
- Now its time to set Snort rule, Go to
c:\Snort\rulesand open **
- At the end add a rule as per required such as
alert tcp any any -> any any(msg: "Testing Alert" ; sid:1000001)
In my case, I don’t have any criteria so it will load on any ICMP packet it receives. In the above rule we have also provide a signature id (sid) which is highly required. Bciy convention when you write your own snort rules, you have to start above 999999
- To verify the snort is actually generating alerts, open Command prompt and go to
c:\Snort\binand write a command
snort -iX -A console -c C:\snort\etc\snort.conf -l C:\Snort\log -K ascii
where X is your device index number. In My case its 1 . Hit Enter and you are all set.
If snort occupies high cpu usage without high amounts of traffic to analyze, it may be indicative of too high a volume of traffic, insufficient system resources, or some other process is consuming most of the CPU. Although sometimes, too many rules are added, in which the packet queue drops the packet because it fills before snort has a chance to look at them. Best practice is to only enable rules you need so snort can spend more time grabbing packets from the queue. Never enable all rules or you will most likely experience performance issues. For example, if you are in a Windows only environment, then only enable Windows related rules. In addition, use Berkeley Packet Filters (BPF) to limit traffic to machines or ports that need to be inspected. For example, if you have a network backup server, it’s best to tell Snort to ignore traffic from it since it will generate a large amount of traffic. BPF’s are added as the last command-line options to snort:
snort -iX -A console -c C:\snort\etc\snort.conf -l C:\Snort\log -K ascii 'not host 192.168.1.100' --== Initializing Snort ==-- Initializing Output Plugins! Snort BPF option: not host 192.168.1.100
Another performance consideration is to only log alerts in the unified2 binary format rather than ascii, this will speed up the process of writing out logs.