Running Snort to Detect Intrusions

Problem

I want to use Snort to detect, log, and alert on certain types of network traffic.

Solution

To log traffic using the rules files in snort.conf, use the -c option:

C:\Snort\bin>snort -de -l c:\snort\log -c c:\snort\etc\snort.conf

To log traffic with less output using fast alert mode, use the -A fast option:

C:\Snort\bin>snort -de -l c:\snort\log -c c:\snort\etc\snort.conf -A fast

Discussion

Snort can log certain subsets of network traffic so you don't have to log every single packet. This is done by using the Snort rules file snort.conf. Snort inspects each packet and applies a set of rules to decide what action to take. For example, the packet may be ignored and passed, or logged, or an alert may be generated.

C:\Snort\bin>snort -de -l c:\snort\log -c c:\snort\etc\snort.conf

Snort displays information on the screen as it initializes the preprocessors. The default settings are used when no configurations or arguments are supplied. Packets that trigger a rule in the snort.conf file are logged in the C:\Snort\log directory under a subdirectory named after the source IP address, and also in the alert.ids file, such as the following:

[**] [1:1411:3] SNMP public access udp [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/14-15:43:49.265790 0:C:F1:11:D:66 -> 0:5:5D:ED:3B:C6 type:0x800 len:0x77
192.168.100.70:1025 -> 192.168.130.36:161 UDP TTL:128 TOS:0x0 ID:14800 IpLen:20 DgmLen:105
Len: 77
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0517]

By default, Snort logs in decoded ASCII format and uses full alerts. A full alert includes the alert message and the full packet header. Snort also includes other alert output options and logging methods. To produce less output, you can use the fast alert mode with the -A fast command-line option.

C:\Snort\bin>snort -de -l c:\snort\log -c c:\snort\etc\snort.conf -A fast

The output looks like the following:

09/14-16:15:09.058512 [**] [1:1411:3] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.100.70:1025 -> 192.168.130.36:161
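Because fast-mode alerts are one line each, they are easy to process with a script. The following Python is an added example (not from the Snort Cookbook or the Snort project) that parses the fast alert layout shown above into fields and tallies alerts by signature and by source address; the sample lines are constructed from the recipe's own alert plus an invented ICMP alert, and the field names are the author's own.

```python
import re
from collections import Counter

# Snort "-A fast" alert line layout, as shown in this recipe:
# <timestamp> [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port
# The Classification block is optional (rules without a classtype omit it), and
# protocols without ports (e.g. ICMP) carry bare addresses.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_fast_alert(line):
    """Return a dict of fields for one fast-mode alert line, or None if it does not match."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        fields[key] = int(fields[key]) if fields[key] is not None else None
    return fields

def summarize(lines):
    """Count parsed alerts by (sid, msg) and by source address; unparsable lines are skipped."""
    by_sig = Counter()
    by_src = Counter()
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None:
            continue
        by_sig[(alert["sid"], alert["msg"])] += 1
        by_src[alert["src"]] += 1
    return by_sig, by_src

# Constructed sample: the recipe's own fast alert, a second hit from the same host,
# an ICMP alert without ports, and a junk line to show that non-alerts are ignored.
SAMPLE_ALERTS = [
    "09/14-16:15:09.058512 [**] [1:1411:3] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.100.70:1025 -> 192.168.130.36:161",
    "09/14-16:15:10.000000 [**] [1:1411:3] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.100.70:1026 -> 192.168.130.37:161",
    "09/14-16:16:00.123456 [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.100.80 -> 192.168.130.36",
    "not an alert line",
]

if __name__ == "__main__":
    by_sig, by_src = summarize(SAMPLE_ALERTS)
    for (sid, msg), n in by_sig.most_common():
        print(f"sid {sid} {msg!r}: {n}")
    for src, n in by_src.most_common():
        print(f"{src}: {n}")
```

Pointing the script at the alert file written by -A fast gives a quick per-signature and per-source count, which is a useful first step when tuning rules against false positives.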

Using Snort as a network intrusion detection system (NIDS) takes full advantage of its features and capabilities. The snort.conf file comes configured with default settings and rules. However, it is beneficial to "tune" the settings and rules to your environment. This helps alleviate both false positives and false negatives, and creates a faster, more efficient IDS. One thing to note is that command-line logging options override any options specified in the configuration files.

See Also

Recipe 1.17

Reading a Saved Capture File

Installing Snort from Source on Unix

Logging to a File Quickly

How to Build Rules

Detecting Stateless Attacks and Stream Reassembly

Managing Snort Sensors

Generating Statistical Output from Snort Logs

Monitoring Network Performance


Snort Cookbook
ISBN: 0596007914
Year: 2006