I recently came across a project that taught me how to install and configure snort on a host. The main purpose of this was that the client wanted to add another layer of security on their network. The client had several ports open on their network, which was a concern for him security-wise. Among the ports opened on their network were port 22 and 21, where the client wanted to know all the IPs that would try to connect to the network.

Snort is a free open-source network intrusion detection system and prevention system that monitors network traffic in real time, scrutinizing each packet closely to detect a dangerous payload or suspicious anomalies. When suspicious behaviour is detected, Snort sends a real-time alert to syslog, a separate ‘alerts’ file, or to a pop-up window.

Snort has two primary modes of operation, depending on how you set it up:

  1. Inline mode – this is the Intrusion Prevention System (IPS) mode
  2. Passive mode – this is the Intrusion Detection System (IDS) mode

Requirements: Winpcap and Npcap.

Winpcap and Npcap are required in order to run snort. I began by downloading Winpcap and Npcap, followed by snort.

When you visit the snort page you will land on the home page as shown below.

You will need to click on the Get Started button and you will be redirected to the page where you can download snort. Scroll down until you see the section labelled Get Started; in the first step you select the operating system you are using (in my case the client was using Windows), then you download snort by clicking on the link snort_2.9.17_installer.x86.exe, just as shown in the image below.

The next step is to go back to the home page and select the Download Rules button, which redirects you to the snort rules page. Snort has 3 types of rules:

  1. Community rules
  2. Registered rules
  3. Subscription


For this case, we are going to use the registered rules, which means that you will be required to create an account with snort in order to access them. So, register with snort, log in and scroll to the section labelled rules, as shown in the image below.

The version of rules you download depends on the version of snort you downloaded. We downloaded version two of snort (2.9.17), so we download the matching rules snapshot, snortrules-snapshot-29170.tar.gz. The next step is to install everything we have downloaded: Winpcap, Npcap and snort.

The next step is working on the rules. You will need to extract the contents of the archive; after extraction you will see four folders, as shown in the image below.

For the moment we do not need to worry about the so_rules and etc folders, only about rules and preproc_rules. When you go to the C drive and then to Snort, you will see the same folders as in the downloaded snort rules (preproc_rules and rules), with the difference that the two folders in the snort installation are empty. That is why we downloaded the rules from the snort website: so that we could add them to snort once it is installed. So, what we need to do is copy the downloaded snort rules into the snort folder on the C drive of your computer, as shown in the image below.

The next step is to edit the snort configuration file (snort.conf) at C:\snort\etc\snort.conf. It is advisable to use Notepad++ as the editor, and that is what we are going to use.

The first thing we are going to edit is line 45, where we change the last part, which was any: remove it and add your network default gateway, as shown in the image below.

To know your default gateway just type ipconfig and you will see your default gateway.

NOTE: do not forget to add the CIDR (/24)


On line 48, replace any with !$HOME_NET so that it covers everything that is not the home network.

On line 104, edit the rules path and insert the correct path, which is c:\Snort\rules; on line 105 comment out the whole line; and on line 106 put the correct path to the preproc_rules, which is c:\Snort\preproc_rules, just as shown in the image below.

Now we need to edit the paths of the whitelist and blacklist, which are on lines 113 and 114, by adding the path c:\Snort\rules, just as shown in the image below.

On line 186, delete the hash sign so that the line is no longer commented out, and then add the path c:\Snort\log, as shown in the image below.

On lines 247 and 250 we are going to change the file paths, since the current ones are for Linux systems, so we need to change them to Windows-compatible paths.

Line 247 becomes c:\Snort\lib\snort_dynamicpreprocessor and line 250 becomes c:\Snort\lib\snort_dynamicengine\sf_engine.dll.

On line 253 we comment the line out by adding a hash sign at the beginning, because we are not going to use dynamic detection.

Comment out lines 265 – 269 because we do not need them.

On line 335 you also comment it out, as shown in the image below.

Line 418 should be activated, so remove the hash sign, as shown in the image below.

When we go to C:\snort\rules we can see that there is no whitelist rule file, but there is a blacklist rule file. What you need to do next is create a whitelist rule file, or else snort won't work. To do this, open the blacklist rule file in Notepad++ and on line 19 rename blacklist to whitelist, all in caps, as shown in the image below.


Then click on File –> Save As –> whitelist.rules.

On lines 511 and 512 of the config file you need to change the file names of the whitelist and blacklist to the ones saved in c:\snort\rules, and we need to change the forward slash to a backslash, as can be seen in the image below.

In step 7, from line 546 – 651, all of the forward slashes should be changed to backslashes. Highlight the forward slash in line 546 and press Control + F; a popup screen will appear. Insert a backslash in the Replace With field and start clicking the Replace button. Every time you click Replace it will replace the current item and automatically move to the next one.

Finally, on lines 659 – 661, all you need to do is activate them by removing the hash sign.
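To see the path and variable edits from lines 45 to 253 and the slash changes from lines 511/512 and step 7 in one place, here is an added Python helper that applies them to a constructed miniature of the stock snort.conf. It is not part of the original article; the sample lines and the home network value 192.168.1.0/24 are assumptions, and it does not cover the lines that are only commented out or uncommented (265 to 269, 335, 418, 659 to 661).

```python
# Constructed miniature of the stock snort.conf lines this article edits
# (assumption: not the real file, so line numbers differ from the article's).
SAMPLE_CONF = """\
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
# config logdir:
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules
   whitelist $WHITE_LIST_PATH/white_list.rules, \\
   blacklist $BLACK_LIST_PATH/black_list.rules
include $RULE_PATH/local.rules
"""

# Whole-line rewrites, keyed by the start of the stock line (lines 45 to 253).
REWRITES = {
    "ipvar HOME_NET ": "ipvar HOME_NET {home_net}",
    "ipvar EXTERNAL_NET ": "ipvar EXTERNAL_NET !$HOME_NET",
    "var RULE_PATH ": r"var RULE_PATH c:\Snort\rules",
    "var SO_RULE_PATH ": "# var SO_RULE_PATH ../so_rules",
    "var PREPROC_RULE_PATH ": r"var PREPROC_RULE_PATH c:\Snort\preproc_rules",
    "var WHITE_LIST_PATH ": r"var WHITE_LIST_PATH c:\Snort\rules",
    "var BLACK_LIST_PATH ": r"var BLACK_LIST_PATH c:\Snort\rules",
    "# config logdir:": r"config logdir: c:\Snort\log",
    "dynamicpreprocessor directory": r"dynamicpreprocessor directory c:\Snort\lib\snort_dynamicpreprocessor",
    "dynamicengine ": r"dynamicengine c:\Snort\lib\snort_dynamicengine\sf_engine.dll",
    "dynamicdetection directory": "# dynamicdetection directory /usr/local/lib/snort_dynamicrules",
}

def windowsify(conf: str, home_net: str) -> str:
    """Apply the article's path/variable edits; home_net is e.g. '192.168.1.0/24'."""
    out = []
    for line in conf.splitlines():
        stripped = line.lstrip()
        for prefix, repl in REWRITES.items():
            if stripped.startswith(prefix):
                line = repl.replace("{home_net}", home_net)
                break
        else:
            # Lines 511/512 and step 7 (546 to 651): forward slash to backslash.
            if stripped.startswith(("whitelist $", "blacklist $", "include $")):
                line = line.replace("/", "\\")
        out.append(line)
    return "\n".join(out) + "\n"
```

The white/black list file names in the rewritten lines still have to match the files you actually saved in c:\Snort\rules.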

We are now going to test whether everything has been configured correctly in snort. To do this you just have to run your command prompt as an administrator.

Once you have launched cmd you need to change directory to the snort bin folder, then check the version of snort by typing the command snort -V, and finally check the list of interfaces by typing the command snort -W, as shown in the image below.

If you don't know which interface connects you to the internet, just open a new terminal, type the command ipconfig and cross-check the interfaces with the ones shown by snort.

The next step is to test whether the configuration file is set up correctly. To do that we type in the following command: snort -i 3 -c c:\Snort\etc\snort.conf -T, where the flags mean:

  1. -i – interface; here is where you tell snort which network interface it should sniff on
  2. -c – configuration; here is where you tell snort the location of the configuration file you want it to run with
  3. -T – test the configuration

When you hit enter, after execution it should say successfully validated, as shown in the image below. This means that all our configurations are okay.

Before we go on to test the next snort command, we need to add a few rules to the local.rules file. To access it, go to c:\Snort\rules and look for the local.rules file, as shown in the image below.

Open the file and then add the following rules:

alert icmp any any -> any any (msg:"testing ICMP"; sid:1000001;)

alert tcp any any -> any any (msg:"testing TCP"; sid:1000002;)

alert udp any any -> any any (msg:"testing UDP"; sid:1000003;)

After adding the rules to the local.rules file, the next thing is to run the following command: snort -i 3 -c c:\Snort\etc\snort.conf -A console

  1. -i – interface; here is where you tell snort which network interface it should sniff on
  2. -c – configuration; here is where you tell snort the location of the configuration file you want it to run with
  3. -A console – print the alerts to the terminal

Then press enter.

Snort will start sniffing the network interface we specified and will alert on all the traffic passing through our network, whether tcp, udp or icmp, based on the rules we specified in the local.rules file.

SNORT RULE STRUCTURE

Snort has its own syntax for creating rules. This syntax must be followed in order to create rules that snort can use when sniffing the network for malicious payloads. Below is the structure to follow when creating rules for snort.

———————————————————————————

STEP 1: SNORT RULE STRUCTURE

———————————————————————————


<Rule Actions> <protocol> <Source IP Address> <Source Port> <Direction Operator> <Destination IP Address> <Destination Port> (Rule options)


———————————————————————————

EXAMPLE

———————————————————————————


#ALERT ON ANY FTP CONNECTION ATTEMPT

alert tcp any any -> $HOME_NET 21 (msg:"FTP connection attempt"; sid:1000001; rev:1;)

#ALERT ON SPECIFIC IP SSH CONNECTION ATTEMPT

alert tcp any any -> 192.168.1.4 22 (msg:"SSH connection attempted"; sid:1000002; rev:1;)

#ALERT ON SPECIFIC WEBSITE VISITED

alert tcp any any -> $EXTERNAL_NET $HTTP_PORTS (msg:"test ebay.com rule"; content:"ebay.com"; nocase; sid:1000003; rev:1;)

———————————————————————————

STEP 2: RULE ACTIONS

———————————————————————————

  1. alert – generate an alert using the selected alert method and then log the packet
  2. log – log the packet
  3. pass – ignore the packet
  4. activate – alert and then turn on another dynamic rule
  5. dynamic – remain idle until activated by an active rule then act as a log rule
  6. drop – block and log the packet
  7. reject – block the packet, log it and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP.
  8. sdrop – block the packet but do not log it

———————————————————————————

STEP 3: PROTOCOL

———————————————————————————

  1. TCP
  2. UDP
  3. ICMP
  4. IP

———————————————————————————

STEP 4: SOURCE/DESTINATION IP ADDRESS

———————————————————————————

  1. preset using the $HOME_NET, $EXTERNAL_NET variables
  2. hardcoded IP address using CIDR notation i.e., 10.0.0.1/16
  3. “any” IP address
  4. by negation i.e., “!” operator


———————————————————————————

STEP 5: SOURCE/DESTINATION PORT

———————————————————————————

  1. “any” port
  2. static port definition
  3. ranges
  4. by negation i.e., “!” operator


———————————————————————————

STEP 6: DIRECTION OPERATOR

———————————————————————————

  1. “->” – one-way traffic
  2. “<>” – bidirectional traffic


———————————————————————————

STEP 7: RULE OPTIONS

———————————————————————————

  1. general – These options provide information about the rule that do not have any effect during detection
  2. payload – these options all look for data inside the packet payload and can be inter-related
  3. non-payload – these options look for non-payload data
  4. post-detection – these options are rule-specific triggers that happen after a rule has “fired”
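As an added example (not code from the original article) covering both the test rules added to local.rules above and the rule structure in steps 1 to 7, here is a Python checker that parses each rule into the seven header fields plus its options and flags the mistakes a hand-edited local.rules typically carries. The rules file content is constructed for the example, and the option split is deliberately naive.

```python
import re
# Constructed local.rules body (not from the original article): the three test rules, then
# three rules with one mistake each (reused sid; '$' on a literal address; no ';' after sid).
SAMPLE_RULES = """\
alert icmp any any -> any any (msg:"testing ICMP"; sid:1000001;)
alert tcp any any -> any any (msg:"testing TCP"; sid:1000002;)
alert udp any any -> any any (msg:"testing UDP"; sid:1000003;)
alert tcp any any -> $HOME_NET 21 (msg:"FTP connection attempt"; sid:1000001; rev:1;)
alert tcp any any -> $192.168.1.4 22 (msg:"SSH connection attempted"; sid:1000004; rev:1;)
alert tcp any any -> $EXTERNAL_NET $HTTP_PORTS (msg:"test ebay.com rule"; content:"ebay.com"; nocase; sid:1000005 rev:1;)
"""
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
# <action> <proto> <src> <sport> <dir> <dst> <dport> (options)
HEADER = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
VARIABLE = re.compile(r"^!?\$[A-Za-z_]\w*$")   # $HOME_NET, !$HOME_NET, $HTTP_PORTS

def parse_rule(text):
    # Split one rule into its seven header fields plus an option dict; None if malformed.
    m = HEADER.match(text)
    if not m:
        return None
    rule = dict(zip(("action", "proto", "src", "sport", "direction", "dst", "dport"), m.groups()))
    rule["options"] = {}
    for opt in m.group(8).split(";"):   # naive split: a ';' inside content:"..." needs quote-aware parsing
        key, _, val = opt.strip().partition(":")
        if key:
            rule["options"][key.strip()] = val.strip().strip('"')
    return rule

def check_rules(text):
    # Return [(line_no, problem), ...] for a rules file body; an empty list means clean.
    problems, seen_sids = [], {}
    for n, line in enumerate(map(str.strip, text.splitlines()), 1):
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule is None:
            problems.append((n, "header does not match the 7-field rule structure"))
            continue
        for field, allowed in (("action", ACTIONS), ("proto", PROTOCOLS)):
            if rule[field] not in allowed:
                problems.append((n, f"unknown {field} {rule[field]}"))
        for value in (rule["src"], rule["sport"], rule["dst"], rule["dport"]):
            if "$" in value and not VARIABLE.match(value):
                problems.append((n, f"{value}: '$' introduces a variable, not a literal value"))
        sid = rule["options"].get("sid")
        if sid is None or not sid.isdigit():
            problems.append((n, "missing or malformed sid (each option must end with ';')"))
        elif seen_sids.setdefault(sid, n) != n:
            problems.append((n, f"duplicate sid {sid}, first used on line {seen_sids[sid]}"))
    return problems
```

Run check_rules over your local.rules before the snort -T test; lines 4 to 6 of the constructed sample each produce one finding, the first three none.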

