Running Snort to Detect Intrusions
Problem
I want to use Snort to detect, log, and alert on certain types of network traffic.
Solution
To log traffic using the rules files in snort.conf, use the -c option:
C:Snortin>snort -de -l c:snortlog -c c:snortetcsnort.conf
To log traffic with less output using fast alert mode, use the -A fast option:
C:Snortin>snort -de -l c:snortlog -c c:snortetcsnort.conf -A fast
Discussion
Snort can log certain subsets of network traffic so you don't have to log every single packet. This is done by using the Snort rules file snort.conf. Snort inspects each packet and applies a set of rules to decide what action to take. For example, the packet may be ignored and passed, or logged, or an alert may be generated.
C:Snortin>snort -de -l c:snortlog -c c:snortetcsnort.conf
Snort displays information on the screen as it initializes the preprocessors. The default settings are used when no configurations or arguments are supplied. Packets that trigger a rule in the snort.conf file are logged in the C:Snortlog directory under the source IP address directory, and also in the alert.ids file, such as the following:
[**] [1:1411:3] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] 09/14-15:43:49.265790 0:C:F1:11:D:66 -> 0:5:5D:ED:3B:C6 type:0x800 len:0x77 192.168.100.70:1025 -> 192.168.130.36:161 UDP TTL:128 TOS:0x0 ID:14800 IpLen:20 DgmLen:105 Len: 77 [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013] [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012] [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0517]
By default, Snort logs in decoded ASCII format and uses full alerts. A full alert includes the alert message and the full packet header. Snort also includes other alert output options and logging methods. To produce less output, you can use the fast alert mode with the -A fast command-line option.
C:Snortin>snort -de -l c:snortlog -c c:snortetcsnort.conf -A fast
The output looks like the following:
09/14-16:15:09.058512 [**] [1:1411:3] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.100.70:1025 -> 192.168.130.36:161
Using Snort as a network intrusion detection system (NIDS) takes full advantage of its features and capabilities. The snort.conf file comes configured with default settings and rules. However, it is beneficial to "tune" the settings and rules to your environment. This helps alleviate both false positives and false negatives, and creates a faster, more efficient IDS. One thing to note is that command-line logging options override any options specified in the configuration files.
See Also
Recipe 1.17
Reading a Saved Capture File
|