Old Linux Admin 2008

# apt-get install snort

Basics:

Get the PDF user manual here: http://www.snort.org/docs

After install, get your bearings by looking at what the package dropped into /etc/snort:


ls /etc/snort/

classification.config  rules/             threshold.conf
community-sid-msg.map  sid-msg.map        unicode.map
gen-msg.map            snort.conf
reference.config       snort.debian.conf


You can re-configure base Snort with:

dpkg-reconfigure snort


Snort's quick option summary:

snort -?


Basic sniffer mode – view the traffic visible on the default interface. On a switched network that is only broadcast traffic plus the host's own conversations; to see all subnet traffic you need to mirror a switch port (SPAN) to the sniffing interface:

# snort -v

Ctrl-C to stop


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


10/01-11:14:52.179756 192.168.0.2 -> 192.168.0.254

ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF

Type:8 Code:0 ID:26658 Seq:2 ECHO

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


10/01-11:14:52.182679 192.168.0.254 -> 192.168.0.2

ICMP TTL:64 TOS:0x0 ID:18797 IpLen:20 DgmLen:84

Type:0 Code:0 ID:26658 Seq:2 ECHO REPLY

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


^C*** Caught Int-Signal

Run time prior to being shutdown was 11.683340 seconds



===============================================================================


Snort received 55 packets

Analyzed: 54(98.182%)

Dropped: 0(0.000%)

Outstanding: 1(1.818%)

===============================================================================

Breakdown by protocol:

TCP: 27 (50.000%)

UDP: 5 (9.259%)

ICMP: 6 (11.111%)

ARP: 0 (0.000%)

EAPOL: 0 (0.000%)

IPv6: 10 (18.519%)

ETHLOOP: 0 (0.000%)

IPX: 0 (0.000%)

FRAG: 0 (0.000%)

OTHER: 6 (11.111%)

DISCARD: 0 (0.000%)

InvChkSum: 0 (0.000%)

===============================================================================

Action Stats:

ALERTS: 0

LOGGED: 0

PASSED: 0

===============================================================================

Snort exiting


Also dump the application-layer payload, in a hex and ASCII view similar to Wireshark's packet bytes pane:

snort -vd


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


10/01-11:23:20.284225 192.168.0.3:445 -> 192.168.0.2:58546

TCP TTL:128 TOS:0x0 ID:7631 IpLen:20 DgmLen:136 DF

***AP*** Seq: 0x32EB5BA9 Ack: 0x3E65D6F5 Win: 0xFF TcpLen: 32

TCP Options (3) => NOP NOP TS: 564817 400207

00 00 00 50 FF 53 4D 42 32 00 00 00 00 80 01 C0 ...P.SMB2.......

00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 0C ................

00 08 8A 01 0A 00 00 18 00 00 00 00 00 38 00 00 .............8..

00 18 00 38 00 00 00 00 00 19 00 00 FF 54 31 01 ...8.........T1.

00 00 00 00 73 A9 0E 00 00 00 00 00 08 00 00 00 ....s...........

00 02 00 00 ....


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


Also show the data-link (Ethernet) headers:

snort -vde


To log to disk use -l with an existing directory, e.g.:

snort -d -l /testlog

This writes a file snort.log.<epoch seconds> into that directory in pcap (tcpdump/Wireshark) format, which can be read back with either:

tcpdump -r /testlog/snort.log.1285929597 (slower)

snort -r /testlog/snort.log.1285929597


Conversely, write a capture with tcpdump and read it back with Snort:

tcpdump -w /tcpdump.log

snort -r /tcpdump.log


For comparison, tcpdump's own text rendering of such a capture looks like this:

11:40:03.831368 arp who-has Unknown-00-d0-b7-2a-1b-4b.home tell BThomehub.home

11:40:04.163768 IP black.home.58546 > silver.home.microsoft-ds: P 216:288(72) ack 253 win 259 <nop,nop,timestamp 651178 665012>


For high-speed networks, log in binary (pcap) using the -b switch:

snort -l /testlog/ -b

You don't need -d or -e in binary mode: the whole packet, link-layer header and payload included, is written to the file.


If you just specify a plain -l switch, you may notice that Snort sometimes uses the address of the remote computer as the directory in which it places packets and sometimes it uses the local host address. In order to log relative to the home network, you need to tell Snort which network is the home network:

./snort -dev -l ./log -h 192.168.1.0/24


To read back only part of a log, put a BPF filter at the end of the command line and Snort will only see the matching packets. For example, to see only the ICMP packets in the file:

snort -vr /testlog/snort.log.1285941179 icmp

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


10/01-14:53:05.042376 192.168.0.254 -> 192.168.0.2

ICMP TTL:64 TOS:0x0 ID:23894 IpLen:20 DgmLen:84

Type:0 Code:0 ID:622 Seq:37 ECHO REPLY

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


Run time for packet processing was 0.357 seconds



===============================================================================


Snort processed 12 packets.

===============================================================================

Breakdown by protocol:

TCP: 0 (0.000%)

UDP: 0 (0.000%)

ICMP: 12 (100.000%)

ARP: 0 (0.000%)

EAPOL: 0 (0.000%)

IPv6: 0 (0.000%)

ETHLOOP: 0 (0.000%)

IPX: 0 (0.000%)

FRAG: 0 (0.000%)

OTHER: 0 (0.000%)

DISCARD: 0 (0.000%)

InvChkSum: 0 (0.000%)
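As an added example (not Snort's code, and not from the original page), here is a small Python reader for the pcap files that snort -l DIR -b (or tcpdump -w) writes. It produces a per-protocol breakdown like the summary above, applies the icmp keyword the way snort -r FILE icmp does (only the bare protocol keywords of BPF are supported), and shows the directory name the -h HOME_NET logger would file a packet under, which is assumed here to be the address on the far side of HOME_NET. The capture is built in memory from constructed packets, so it runs offline.

```python
"""Added example (not Snort's code): read the libpcap file that
'snort -l DIR -b' (or tcpdump -w) writes, give a protocol breakdown like
Snort's summary, apply the 'icmp' keyword as 'snort -r FILE icmp' would,
and show which directory Snort's ASCII logger would pick per packet when
-h HOME_NET is set. The capture below is constructed in memory."""
import ipaddress
import struct
from collections import Counter

ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
IPPROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}
MAC_A, MAC_B = bytes.fromhex("000c29000001"), bytes.fromhex("000c29000002")  # made-up MACs


def inet_checksum(data):
    """RFC 1071 one's-complement sum; a wrong value here is what Snort counts as InvChkSum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_frame(src, dst, proto, payload):
    """Ethernet + IPv4 header (DF set, TTL 64, valid checksum) around a built L4 payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return MAC_A + MAC_B + struct.pack("!H", ETHERTYPE_IPV4) + hdr + payload


def icmp_echo(kind, ident, seq):
    """ICMP echo (type 8) or echo reply (type 0) with 56 bytes of padding, DgmLen 84 like above."""
    body = struct.pack("!BBHHH", kind, 0, 0, ident, seq) + b"\x00" * 56
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def pcap_file(frames):
    """libpcap global header (microsecond magic, LINKTYPE_ETHERNET=1) plus one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", 1285941179 + i, 0, len(fr), len(fr)) + fr
    return out


# Constructed sample: ping + reply inside the LAN, one SMB segment, one ARP request.
SAMPLE_PCAP = pcap_file([
    ipv4_frame("192.168.0.2", "192.168.0.254", 1, icmp_echo(8, 622, 37)),
    ipv4_frame("192.168.0.254", "192.168.0.2", 1, icmp_echo(0, 622, 37)),
    ipv4_frame("192.168.0.2", "192.168.0.3", 6,
               struct.pack("!HHIIBBHHH", 58546, 445, 1, 1, 0x50, 0x18, 1024, 0, 0)),
    MAC_A + b"\xff" * 6 + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28,
])


def read_pcap(blob):
    """Yield raw frames; the magic number tells us the writer's byte order."""
    magic, = struct.unpack_from("<I", blob, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[magic]
    linktype = struct.unpack_from(endian + "IHHiIII", blob, 0)[6]
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(blob):
        _sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", blob, off)
        off += 16
        yield blob[off:off + incl_len]
        off += incl_len


def decode(frame):
    """Classify one frame the way Snort's protocol breakdown does (coarsely)."""
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype == ETHERTYPE_ARP:
        return {"proto": "ARP"}
    if ethertype != ETHERTYPE_IPV4:
        return {"proto": "OTHER"}
    ip = frame[14:]
    return {"proto": IPPROTO.get(ip[9], "OTHER"),
            "src": str(ipaddress.IPv4Address(ip[12:16])),
            "dst": str(ipaddress.IPv4Address(ip[16:20]))}


def breakdown(blob, bpf_keyword=None):
    """Per-protocol counts; bpf_keyword supports only BPF's bare icmp/tcp/udp/arp keywords."""
    counts = Counter({k: 0 for k in ("TCP", "UDP", "ICMP", "ARP", "OTHER")})
    for pkt in map(decode, read_pcap(blob)):
        if bpf_keyword is None or pkt["proto"] == bpf_keyword.upper():
            counts[pkt["proto"]] += 1
    return dict(counts)


def log_dir(pkt, home_net):
    """Directory Snort names a packet's log after when -h HOME_NET is given: assumed to be the
    address on the far side of HOME_NET (src if src is foreign, otherwise dst)."""
    net = ipaddress.ip_network(home_net)
    return pkt["src"] if ipaddress.ip_address(pkt["src"]) not in net else pkt["dst"]


if __name__ == "__main__":
    print("all:      ", breakdown(SAMPLE_PCAP))
    print("icmp only:", breakdown(SAMPLE_PCAP, "icmp"))
    print("log dir:  ", log_dir({"src": "198.51.100.7", "dst": "192.168.0.2"}, "192.168.0.0/24"))
```

The sample deliberately leaves the TCP checksum at zero, which is exactly the kind of packet Snort reports under InvChkSum; the IPv4 header checksum is computed properly so the reader can verify a valid header sums to zero.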


Note that -l on its own is still packet logger mode, not NIDS mode: without -c snort.conf no rules are loaded, so the command below records every packet (minus the L2 headers, since -e is omitted) rather than only the ones that trigger a rule:

mkdir /snorttests

snort -d -h 192.168.1.0/24 -l /snorttests

Logging relative to the home network, as described above, still applies. To have Snort apply rules and log only alerts, add -c /etc/snort/snort.conf (see the NIDS mode section further down).


Snort processed 419 packets.

===============================================================================

Breakdown by protocol:

TCP: 204 (48.687%)

UDP: 12 (2.864%)

ICMP: 2 (0.477%)

ARP: 87 (20.764%)

EAPOL: 0 (0.000%)

IPv6: 43 (10.263%)

ETHLOOP: 0 (0.000%)

IPX: 0 (0.000%)

FRAG: 0 (0.000%)

OTHER: 71 (16.945%)

DISCARD: 0 (0.000%)

InvChkSum: 0 (0.000%)


So what's of interest in the /etc/snort/snort.conf file?

It pulls in the rule files, one per traffic type or attack class, with include lines; a ruleset is enabled by leaving its line uncommented and disabled by commenting it out. Some are:


include $RULE_PATH/local.rules

include $RULE_PATH/bad-traffic.rules

include $RULE_PATH/exploit.rules

include $RULE_PATH/community-exploit.rules

include $RULE_PATH/scan.rules

include $RULE_PATH/finger.rules

include $RULE_PATH/ftp.rules

include $RULE_PATH/telnet.rules

include $RULE_PATH/rpc.rules

include $RULE_PATH/rservices.rules

include $RULE_PATH/dos.rules

include $RULE_PATH/community-dos.rules

include $RULE_PATH/ddos.rules

include $RULE_PATH/dns.rules

include $RULE_PATH/tftp.rules


# Specific web server rules:

include $RULE_PATH/web-cgi.rules

include $RULE_PATH/web-coldfusion.rules

include $RULE_PATH/web-iis.rules

include $RULE_PATH/web-frontpage.rules

include $RULE_PATH/web-misc.rules

# Attack-in-progress rules:

include $RULE_PATH/web-attacks.rules

include $RULE_PATH/backdoor.rules

include $RULE_PATH/community-bot.rules

include $RULE_PATH/community-virus.rules

# This ruleset is almost useless currently:

# include $RULE_PATH/virus.rules

# Note: this rule is extremely chatty, enable with care

# include $RULE_PATH/shellcode.rules


So what defines $RULE_PATH? It is set near the top of snort.conf with a var line, on Debian `var RULE_PATH /etc/snort/rules`, so the includes above resolve to files in that directory.


The reference.config file maps the reference systems that rules cite (bugtraq, cve, nessus, ...) to URL prefixes:


# $Id$

# The following defines URLs for the references found in the rules

#

# config reference: system URL


config reference: bugtraq http://www.securityfocus.com/bid/

config reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name=

config reference: arachNIDS http://www.whitehats.com/info/IDS


# Note, this one needs a suffix as well.... lets add that in a bit.

config reference: McAfee http://vil.nai.com/vil/content/v_

config reference: nessus http://cgi.nessus.org/plugins/dump.php3?id=

config reference: url http://

These prefixes are what a rule's reference: keyword expands against when an alert is rendered in full output, e.g. reference:mcafee,98575 in the backdoor rules below becomes http://vil.nai.com/vil/content/v_98575; Snort only prints the link, it never contacts these sites. Separately, -C is handy when the payload is text:

snort -vdC

-C Print the character data from the packet payload only (no hex)


10/01-15:42:55.291452 192.168.0.2:58546 -> 192.168.0.3:445

TCP TTL:64 TOS:0x0 ID:37645 IpLen:20 DgmLen:124 DF

***AP*** Seq: 0x3E6E8103 Ack: 0x32F58173 Win: 0x449 TcpLen: 32

TCP Options (3) => NOP NOP TS: 4293959 2122297

...D.SMB2.........................U .....................B......


..I had wondered why there was traffic to the PC from these URLs, which are interesting security web sites in themselves, and whether they must be repo links for Snort updates..? Snort does not fetch anything from them: the URLs in reference.config and in rules' reference: options are only printed alongside alerts for the analyst to follow.


http://cve.mitre.org/

http://www.nessus.org/nessus/



Anyway..back to RULES..


These files are in the /etc/snort/rules/ directory:


ls /etc/snort/rules/

attack-responses.rules          icmp-info.rules
backdoor.rules                  icmp.rules
bad-traffic.rules               imap.rules
chat.rules                      info.rules
community-bot.rules             local.rules
community-deleted.rules         misc.rules
community-dos.rules             multimedia.rules
community-exploit.rules         mysql.rules
community-ftp.rules             netbios.rules
community-game.rules            nntp.rules
community-icmp.rules            oracle.rules
community-imap.rules            other-ids.rules
community-inappropriate.rules   p2p.rules
community-mail-client.rules     policy.rules
community-misc.rules            pop2.rules
community-nntp.rules            pop3.rules
community-oracle.rules          porn.rules
community-policy.rules          rpc.rules
community-sip.rules             rservices.rules
community-smtp.rules            scan.rules
community-sql-injection.rules   shellcode.rules
community-virus.rules           smtp.rules
community-web-attacks.rules     snmp.rules
community-web-cgi.rules         sql.rules
community-web-client.rules      telnet.rules
community-web-dos.rules         tftp.rules
community-web-iis.rules         virus.rules
community-web-misc.rules        web-attacks.rules
community-web-php.rules         web-cgi.rules
ddos.rules                      web-client.rules
deleted.rules                   web-coldfusion.rules
dns.rules                       web-frontpage.rules
dos.rules                       web-iis.rules
experimental.rules              web-misc.rules
exploit.rules                   web-php.rules
finger.rules                    x11.rules
ftp.rules


For interest, backdoor.rules matches known trojan control ports and the strings they exchange. Each rule has a header (action, protocol, source address and port, direction, destination address and port) followed by options in parentheses: the alert message, flow direction/state, payload content to look for, an external reference, the classification, and the rule's sid and revision:


alert tcp $HOME_NET 23476 -> $EXTERNAL_NET any (msg:"BACKDOOR DonaldDick 1.53 Traffic"; flow:from_server,established; content:"pINg"; reference:mcafee,98575; classtype:misc-activity; sid:153; rev:6;)

alert tcp $HOME_NET 30100:30102 -> $EXTERNAL_NET any (msg:"BACKDOOR NetSphere 1.31.337 access"; flow:from_server,established; content:"NetSphere"; reference:arachnids,76; classtype:misc-activity; sid:155; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 666 (msg:"BACKDOOR BackConstruction 2.1 Client FTP Open Request"; flow:to_server,established; content:"FTPON"; classtype:misc-activity; sid:157; rev
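An added example, not Snort's own parser and not from the original page: it breaks rules like those above into header and option parts, resolves $HOME_NET and $EXTERNAL_NET as snort.conf var lines define them (the values in VARS are assumed, not taken from the page), checks whether a given packet header would even be evaluated by a rule, and regenerates sid-msg.map entries. The first two rules are sids 153 and 155 quoted above; the icmp rule is constructed to stand in for something you might put in local.rules.

```python
"""Added example, not Snort's parser: split Snort 2 rules into header and
options, resolve $HOME_NET / $EXTERNAL_NET as snort.conf 'var' lines do,
test a packet header against a rule, and regenerate sid-msg.map lines."""
import ipaddress
import re

HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$")
# one option: keyword, optional :value (quoted strings may contain ';'), terminated by ';'
OPTION_RE = re.compile(r'\s*([a-z_]+)(?::((?:[^;"]|"[^"]*")*))?;')

RULES = [
    # sids 153 and 155 as quoted from backdoor.rules above
    'alert tcp $HOME_NET 23476 -> $EXTERNAL_NET any (msg:"BACKDOOR DonaldDick 1.53 Traffic"; '
    'flow:from_server,established; content:"pINg"; reference:mcafee,98575; '
    'classtype:misc-activity; sid:153; rev:6;)',
    'alert tcp $HOME_NET 30100:30102 -> $EXTERNAL_NET any (msg:"BACKDOOR NetSphere 1.31.337 access"; '
    'flow:from_server,established; content:"NetSphere"; reference:arachnids,76; '
    'classtype:misc-activity; sid:155; rev:5;)',
    # constructed local rule; sids from 1000000 up are reserved for local use
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL inbound ping"; itype:8; sid:1000001; rev:1;)',
]
# assumed values, as 'var HOME_NET ...' / 'var EXTERNAL_NET ...' would set them in snort.conf
VARS = {"HOME_NET": "192.168.0.0/24", "EXTERNAL_NET": "!192.168.0.0/24"}


def parse_rule(text):
    """Rule line -> dict of header fields plus 'options' (keyword -> list of values)."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a rule: %r" % text[:40])
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    opts, s, pos = {}, m.group("opts").strip(), 0
    while pos < len(s):
        om = OPTION_RE.match(s, pos)
        if not om:
            raise ValueError("malformed option near: %r" % s[pos:pos + 20])
        key, val = om.group(1), om.group(2)
        opts.setdefault(key, []).append(None if val is None else val.strip().strip('"'))
        pos = om.end()
    rule["options"] = opts
    rule["sid"], rule["rev"], rule["msg"] = int(opts["sid"][0]), int(opts["rev"][0]), opts["msg"][0]
    return rule


def resolve_addr(spec, vars_=VARS):
    """Expand $VAR and a leading '!' into (negated, network); 'any' -> (False, None)."""
    if spec.startswith("$"):
        spec = vars_[spec[1:]]
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    return negated, (None if spec == "any" else ipaddress.ip_network(spec))


def addr_matches(spec, ip, vars_=VARS):
    negated, net = resolve_addr(spec, vars_)
    hit = net is None or ipaddress.ip_address(ip) in net
    return hit != negated


def port_matches(spec, port):
    """'any', a single port, or a Snort low:high range (either bound may be omitted)."""
    if spec == "any":
        return True
    if ":" not in spec:
        return port == int(spec)
    lo, hi = spec.split(":")
    return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)


def header_matches(rule, proto, src, sport, dst, dport):
    """True if the rule header applies to this packet; '<>' matches either direction."""
    if rule["proto"] not in (proto, "ip"):
        return False
    fwd = (addr_matches(rule["src"], src) and port_matches(rule["sport"], sport)
           and addr_matches(rule["dst"], dst) and port_matches(rule["dport"], dport))
    if fwd or rule["dir"] == "->":
        return fwd
    return (addr_matches(rule["src"], dst) and port_matches(rule["sport"], dport)
            and addr_matches(rule["dst"], src) and port_matches(rule["dport"], sport))


def sid_msg_map(rules):
    """Lines in the sid-msg.map format: sid || msg || reference || reference ..."""
    return [" || ".join([str(r["sid"]), r["msg"]] + r["options"].get("reference", []))
            for r in rules]


if __name__ == "__main__":
    parsed = [parse_rule(r) for r in RULES]
    print("\n".join(sid_msg_map(parsed)))
    print(header_matches(parsed[1], "tcp", "192.168.0.5", 30101, "203.0.113.9", 4444))
```

The header check alone decides whether the detection engine ever looks at the options: the NetSphere rule is only evaluated for traffic leaving HOME_NET from ports 30100 to 30102, so a NetSphere banner seen between two internal hosts would never fire it under these VARS.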


If you want to run Snort in daemon mode, you can add the -D switch to any combination described in the previous sections. Note that if you want to be able to restart Snort by sending it a SIGHUP, you must specify the full path to the Snort binary when you start it.

...or on Debian just use the init script:

# /etc/init.d/snort stop

Stopping Network Intrusion Detection System : snort (eth0 ...done).



1.4 Network Intrusion Detection System Mode

To enable Network Intrusion Detection System (NIDS) mode so that you don’t record every single packet sent down the wire, try this:

./snort -dev -l ./log -h 192.168.1.0/24 -c /etc/snort/snort.conf

where snort.conf is the name of your rules file. This will apply the rules configured in the snort.conf file to each packet to decide if an action based upon the rule type in the file should be taken. If you don’t specify an output directory for the program, it will default to /var/log/snort.

One thing to note about the last command line is that if Snort is going to be used in a long term way as an IDS, the -v switch should be left off the command line for the sake of speed. The screen is a slow place to write data to, and packets can be dropped while writing to the display.

It’s also not necessary to record the data link headers for most applications, so you can usually omit the -e switch, too.

./snort -d -h 192.168.1.0/24 -l ./log -c /etc/snort/snort.conf

This will configure Snort to run in its most basic NIDS form, logging packets that trigger rules specified in the snort.conf in plain ASCII to disk using a hierarchical directory structure (just like packet logger mode).


# snort -dc /etc/snort/snort.conf -A console

Running in IDS mode


--== Initializing Snort ==--

Initializing Output Plugins!

Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0

Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0

Initializing Preprocessors!

Initializing Plug-ins!

Parsing Rules file /etc/snort/snort.conf


10/01-19:23:15.981863 [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.168.0.11 -> 192.168.0.2

10/01-19:23:15.991111 [**] [1:1421:11] SNMP AgentX/tcp request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.0.11:44769 -> 192.168.0.2:705

10/01-19:23:40.335384 [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.168.0.11 -> 192.168.0.2

10/01-19:23:40.359940 [**] [1:1418:11] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.0.11:36502 -> 192.168.0.2:161

10/01-19:23:40.410780 [**] [1:1421:11] SNMP AgentX/tcp request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.0.11:36502 -> 192.168.0.2:705

10/01-19:23:40.414240 [**] [1:1420:11] SNMP trap tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.0.11:36502 -> 192.168.0.2:162



Breakdown by protocol:

TCP: 8131 (83.747%)

UDP: 129 (1.329%)

ICMP: 52 (0.536%)

ARP: 578 (5.953%)

EAPOL: 0 (0.000%)

IPv6: 336 (3.461%)

ETHLOOP: 0 (0.000%)

IPX: 0 (0.000%)

FRAG: 0 (0.000%)

OTHER: 483 (4.975%)

DISCARD: 0 (0.000%)

InvChkSum: 993 (10.228%)

===============================================================================

Action Stats:

ALERTS: 60

LOGGED: 74

PASSED: 0

Note the InvChkSum line in the breakdown: 993 packets (10%) with bad checksums. On a host sniffing its own traffic that is usually TCP/UDP checksum offload on the NIC rather than anything hostile: the kernel hands Snort the outgoing packets before the hardware has filled in the checksum. Snort skips rule inspection of packets with invalid checksums, so either turn offload off on the sniffing interface (ethtool -K eth0 tx off) or relax the check with -k none (config checksum_mode: none in snort.conf) when the traffic of interest comes from the sensor itself.
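An added example (not from the original page and not Snort code) that parses the console alert lines above into records, counts them by source and signature, and flags rule alerts that follow a portscan from the same source within a time window. Generator id 122 is the sfPortscan preprocessor and gid 1 is a rule, which is why the two kinds of line differ in shape (portscan events carry no ports and no classification). The six sample lines are the ones printed above.

```python
"""Added example (not Snort's code): parse 'snort -A console' alert lines,
summarise them, and correlate sfPortscan events (generator id 122) with
the rule alerts (gid 1) that follow from the same source within a window."""
import re
from collections import Counter, defaultdict
from datetime import datetime

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?\[Priority:\s+(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$")

# The six console alerts printed above (portscan events carry no ports or classification).
SAMPLE = """\
10/01-19:23:15.981863 [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.168.0.11 -> 192.168.0.2
10/01-19:23:15.991111 [**] [1:1421:11] SNMP AgentX/tcp request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.0.11:44769 -> 192.168.0.2:705
10/01-19:23:40.335384 [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.168.0.11 -> 192.168.0.2
10/01-19:23:40.359940 [**] [1:1418:11] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.0.11:36502 -> 192.168.0.2:161
10/01-19:23:40.410780 [**] [1:1421:11] SNMP AgentX/tcp request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.0.11:36502 -> 192.168.0.2:705
10/01-19:23:40.414240 [**] [1:1420:11] SNMP trap tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.0.11:36502 -> 192.168.0.2:162
"""


def parse_alert(line):
    """One fast-format line -> dict with ints for gid/sid/rev/priority/ports and a datetime."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError("unrecognised alert line: %r" % line)
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "pri"):
        rec[key] = int(rec[key])
    for key in ("sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    # fast alerts carry no year; strptime defaults it to 1900, which is fine for deltas
    rec["time"] = datetime.strptime(rec["ts"], "%m/%d-%H:%M:%S.%f")
    return rec


def summarize(text, window_s=60.0):
    """Counts per source and per signature, plus rule alerts that trail a portscan."""
    events = [parse_alert(ln) for ln in text.splitlines() if ln.strip()]
    scans = defaultdict(list)                      # source -> portscan timestamps
    for e in events:
        if e["gid"] == 122:
            scans[e["src"]].append(e["time"])
    followups = [e for e in events if e["gid"] != 122 and any(
        0 <= (e["time"] - t).total_seconds() <= window_s for t in scans[e["src"]])]
    return {
        "events": len(events),
        "by_src": dict(Counter(e["src"] for e in events)),
        "by_sig": dict(Counter((e["gid"], e["sid"], e["msg"]) for e in events)),
        "high_priority": [e for e in events if e["pri"] <= 2],
        "scan_followups": followups,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(s["events"], "alerts from", s["by_src"])
    for e in s["scan_followups"]:
        print("probe after scan:", e["ts"], e["src"], "->", "%s:%s" % (e["dst"], e["dport"]), e["msg"])
```

On the sample, every SNMP alert lands within a second of a portscan event from 192.168.0.11, which is the pattern of a scanner that enumerates ports and then pokes whatever answered; counting by signature also shows how few distinct rules produced the 60 alerts in the run above.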


Steve 2008-2022