Intrusion Detection with Snort Tutorial

The general thought is that if a firewall is protecting one’s network, the network is considered secure. However, that is not entirely true. Firewalls are a fundamental component of a network, but they cannot fully protect the network from forced entries or hostile intent. Intrusion Detection Systems are used to evaluate aggressive or unexpected packets and generate an alert before these programs can harm the network. A host-based Intrusion Detection System runs on all the devices in a network or connects to an organization’s internal network. A network-based Intrusion Detection System is instead deployed at a certain point or group of points from which all ingoing and outgoing traffic can be monitored. An advantage of a host-based Intrusion Detection System is that it also can detect anomalies or malicious traffic being generated from the host itself, i.e., if the host is affected by malware, etc. Intrusion Detection Systems (IDS) work by monitoring and analyzing network traffic and comparing it with an established ruleset, determining what should be taken as normal for the network (i.e., for ports, bandwidths, etc.) and what to take a closer look at.

An Intrusion Detection System can be deployed depending upon the size of the network. There are dozens of quality commercial IDSs, but many companies and small businesses cannot afford them. Snort is a flexible, lightweight, and popular Intrusion Detection System that can be deployed according to the needs of the network, ranging from small to large networks, and provides all the features of a paid IDS. Snort does not cost anything but that does not mean that it cannot provide the same functionalities as an elite, commercial IDS. Snort is considered a passive IDS, which means it sniffs network packets, compares with the ruleset, and, in the case of detecting a malicious log or entry (i.e., detecting an intrusion), generates an alert or places an entry in a log file. Snort is used for monitoring the operations and activities of routers, firewalls, and servers. Snort provides a user-friendly interface, containing a chain of rulesets that can be very helpful to a person who is unfamiliar with IDSs. Snort generates an alarm in case of an intrusion (buffer overflow attacks, DNS poisoning, OS fingerprinting, port scans, and much more), giving an organization greater visibility of the network traffic and making it much easier to meet security regulations.

Installing Snort

Before you install Snort, there are some open-source softwares or packages that you should install first to get the best out of this program.

• Libpcap: A packet sniffer like Wireshark that is used to capture, monitor, and analyze network traffic. To install libpcap, use the following commands to download the packet from the official website, unzip the package, and then install it:

• OpenSSH: A secure connectivity tool that provides a secure channel, even over an insecure network, to remotely log in via ssh protocol. OpenSSH is used to connect to systems remotely with admin privileges. OpenSSH can be installed using the following commands :

• MySQL: The most popular free and open-source SQL database. MySQL is used to store alerted data from Snort. SQL libraries are used by remote machines to communicate and access the database where Snort log entries are stored. MySQL can be installed using the following command:

• Apache Web Server: The most used web server on the internet. Apache is used to display the analysis console through the web server. It can be downloaded from the official website here: http://httpd.apache.org/, or by using the following command:

• PHP: PHP is a scripting language used in web development. A PHP parsing engine is required to run the Analysis console. It can be downloaded from the official website: https://www.php.net/downloads.php, or by using the following commands:

• OpenSSL: Used to secure communications over the network without worrying about third party fetching or monitoring the data sent and received. OpenSSL provides cryptographic functionality to the web server. It can be downloaded from the official website: https://www.openssl.org/.
• Stunnel: A program used to encrypt the arbitrary network traffic or connections inside the SSL and that works alongside OpenSSL. Stunnel can be downloaded from its official website: https://www.stunnel.org/, or it can be installed using the following commands:

• ACID: An abbreviation for Analysis Control for Intrusion Detection. ACID is a query-supported search interface used to find matching IP addresses, patterns given, a specific command, a payload, signatures, specific ports, etc., from all logged alerts. It provides in-depth functionality of packet analysis, allowing identification of what exactly the attacker was trying to accomplish and the type of payload used in the attack. ACID can be downloaded from its official website: https://www.sei.cmu.edu/about/divisions/cert/index.cfm.

Now that all the required basic packages are installed, Snort can be downloaded from the official website, snort.org, and can be installed using the following commands:

Next, run the following command to check whether Snort is installed and the version of Snort you are using:

After the installation is successful, the following files should have been created on the system:

/usr/bin/snort: This is Snort’s binary executable.

/usr/share/doc/snort: Contains the Snort documentation and manpages.

/etc/snort: Contains all the rulesets of Snort and it is also its configuration file.

Using Snort

To use Snort, first, you must configure the Home_Net value and give it the value of the IP address of the network that you are protecting. The IP address of the network can be obtained using the following command:

From the results, copy the value of the inet address of the desired network. Now, open the Snort configuration file /etc/snort/snort.conf using the following command:

You will see an output like this:

Find the line “ipvar HOME_NET.” In front of ipvar HOME_NET, write the IP address copied before and save the file. Before running Snort, another thing you must do is run the network in promiscuous mode. You can do so by using the following command:

Now, you are ready to run Snort. To check its status and test the configuration file, use the following command:

Snort Rulesets

The greatest power of Snort lies in its rulesets. Snort has the ability to employ a large number of rulesets to monitor network traffic. In its latest version, Snort comes with 73 different types and over 4150 rules for detecting anomalies, contained in the folder “/etc/snort/rules.”

You can look at the types of rulesets in Snort using the following command:

By default, when you run Snort in Intrusion Detection System mode, all these rules are deployed automatically. Let us now test the ICMP ruleset.

First, use the following command to run Snort in IDS mode:

You will see several outputs on the screen, keep it that way.

Now, you will ping the IP of this machine from another machine using the following command:

Ping it five to six times, and then return to your machine to see if the Snort IDS detects it or not.

Here, we received an alert that someone is performing a ping scan. It even provided the IP address of the attacker’s machine.

Now, we will go to the IP address of this machine in the browser. We will see no alert, in this case. Try connecting to the ftp server of this machine using another machine as the attacker:

We still will not see any alert because these rulesets are not added in the default rules, and in these cases, no alert would be generated. This is when you must create your own rulesets. You can create rules according to your own needs and add them in the “/etc/snort/rules/local.rules” file, and then snort will automatically use these rules when detecting anomalies.

Creating a Rule

We will now create a rule for detecting a suspicious packet sent at port 80 so that a log alert is generated when this occurs:

There are two major parts of writing a rule, i.e., Rule Header and Rule Options. The following is a breakdown of the rule we have just written:

• Header
• Alert: The action specified to be taken on discovering the packet matching the rule’s description. There are several other actions that can be specified in place of the alert according to the user’s needs, i.e., log, reject, activate, drop, pass, etc.
• Tcp: Here, we have to specify the protocol. There are several types of protocols that can be specified, i.e., tcp, udp, icmp, etc., according to the user’s needs.
• Any: Here, the source network interface can be specified. If any is specified, Snort will check for all source networks.
• ->: The direction; in this case, it is set from source to destination.
• $HOME_NET: The place where the destination IP address is specified. In this case, we are using the one configured in the /etc/snort/snort.conf file at the beginning.
• 80: The destination port at which we are waiting for a network packet.
• Options:
• Msg: The alert to be generated or the message to be displayed in the case of capturing a packet. In this case, it is set to “HTTP Packet found.”
• sid: Used to identify Snort rules uniquely and systematically. The first 1000000 numbers are reserved, so you can start with 1000001.
• Rev: Used for easy rule maintenance.

We will add this rule in the “/etc/snort/rules/local.rules” file and see if it can detect HTTP requests on port 80.

We are all set. Now, you can open Snort in IDS mode using the following command:

Navigate to the IP address of this machine from the browser.

Snort can now detect any packet sent to port 80 and will show the alert “HTTP Packet Found” on the screen if this occurs.

We will also create a rule for detecting ftp login attempts:

Add this rule to the “local.rules” file using the following command:

Now, try logging in from another machine and take a look at the results of the Snort program.

As seen above, we received the alert, which means that we have successfully created these rules for detecting anomalies on port 21 and port 80.

Conclusion

Intrusion Detection Systems like Snort are used for monitoring network traffic to detect when an attack is being carried out by a malicious user before it can hurt or affect the network. If an attacker is performing a port scan on a network, the attack can be detected, along with the number of attempts made, the attacker’s IP address, and other details. Snort is used to detect all types of anomalies, and it comes with a large number of rules already configured, along with the option for the user to write their own rules according to his or her needs. Depending on the size of the network, Snort can easily be set up and used without spending anything, as compared to other paid commercial Intrusion Detection Systems. The captured packets can be analyzed further using a packet sniffer, like Wireshark, to analyze and break down what was going in the mind of the attacker during the attack and the types of scans or commands performed. Snort is a free, open-source, and easy-to-configure tool, and it can be a great choice to protect any medium-sized network from attack.