Last but not least, we come to the venerable snort.
snort is developed by Marty Roesch (with many other developers now participating), and is based on the same
libpcap utility as tcpdump. It works on any form of Unix and also has a Windows client. Because of
snort's power and flexibility, it's fast becoming the intrusion detection system of choice by many people. The nice folks at HoneyNet Project advocate
snort is a nice lightweight utility that packs quite a powerful punch. It can perform real-time traffic analysis and packet-logging on IP networks, protocol analysis, content searching/matching, and can detect many different attacks and probes. Like many other utilities,
snort uses a rule-based language to describe traffic that it will collect or pass and also includes a detection engine with a plug-in architecture to further expand on
The web site, www.snort.org has a rule creation system so you can develop your own rule sets. In addition, you can download literally thousands of different filters from the web site that were contributed or developed by the security community.
snort can be used in three different ways: as a packet sniffer like
tcpdump, a packet logger, or a full-blown intrusion detection system (IDS).
snort will create files in
tcpdump binary format or its own ASCII-based format and can even log to an XML file. Additionally, there are a few different add-ons to
snort to make logging and interpreting the data somewhat easier.
snort command might look something like this:
snort -i eth1 -A fast -l logdir -F filterfile -c rulefile
The first thing to note is
snort can only be run by the root user. As for the rest of the command, it breaks down as follows:
The interface to read from. If none is specified, the default interface (usually
Stands for "Alert Mode."
Uses the filters file specified by filter file. The filter file is in the same format (called BDF or Berkley Packet Filter) as a
Reads the ruleset specified by rule file.
If you've already captured packet data using
tcpdump or some other tool that supports the
tcpdump binary format, you could process the file with this command instead:
snort -A fast -l logdir -F filterfile -c rulefile -r TCPdumpfile
In this example, I'm telling
snort to get its input from
TCPdumpfile using the
-r option instead of specifying an Ethernet interface. \
Snort stores all its configuration files in
/etc/snort by default. All the rules are also stored in this directory. Let's take a look at a couple rules.
alert tcp 188.8.131.52/17 any -> 184.108.40.206/16 666 (msg:"The beast is coming!!!";)
This rule generates an alert on any TCP packet with a source IP in the range 220.127.116.11 through 18.104.22.168 (any port) with a destination IP in the range 22.214.171.124 through 126.96.36.199 (port 666). The alert record is labeled "The beast is coming!!!".
Why would you do this? Well, say you know that a cracker is trying to gain access to your system. However, the intruder seems to never be at the same machine twice (he's using DHCP, for example) but you've seen attempts from various IP addresses in the source range. Not only that, the intruder has tried similar attacks against several of your systems in the destination range. Here's one from the
snort distribution itself:
alert tcp any any -> $HOME_NET 25 (msg:"Happy 99 Virus"; content:"X-Spankska\: Yes"; flags: PA;)
This rule looks for packets from any source and any port that are destined to your home network on port 25.
$HOME_NET is defined in the
/etc/snort/snort.conf file. Furthermore, the packet must contain the string "X-Spankska\: Yes" and the TCP Flags must be set to
PUSH-ACK. The alert is labled "Happy 99 Virus". Rules such as this can help you detect known viruses attached to incoming e-mail.
snort web site contains an exhaustive document on how to create rules to meet virtually every situation.
Network Intrusion Detectsion, 2nd Ed. (New Riders) ISBN: 0-7357-1008-2
Intrusion Signatures & Analysis (New Riders) ISBN: 0-7357-1063-5
Maximum Linux Security (SAMS) ISBN: 0-672-31670-6
Linux Network Administrator's Guide, 2nd Edition (O'Reilly) ISBN: 1-56592-400-2
Practical Unix and Internet Security (O'Reilly) ISBN: 1-56592-148-8
Running Linux, 3rd Edition (O'Reilly) ISBN: 1-56592-469-X
Linux System Security (Prentice Hall) ISBN: 0-13-015897-0
As mentioned previously,
snort filters are BDF filters, the same as those used by
tcpdump. The filters can be specified on the command-line or in a filters file using the
-F option noted above.
In order to create a good filter, you must:
- Know the signature of the attack for which you want to create a filter.
- Be fluent in the filter programming language and understand the basics of IP.
- Be proficient with filter-installation procedures.
System security is a 24/7 job. There always seems to be something to do. You can start your trek toward better security by making sure you keep all security patches for your system completely up-to-date. From there, you should perform regular audits of your system to keep track of potential "holes" that may open up, or try to catch someone in the act of trying to break into your system.
There are many other tools available, SHADOW, portsentry, ACID, and many more -- just take a look at freshmeat.net or securityportal.com -- each has strengths and weaknesses. Take appropriate measures to lock down your network, disable telnet, FTP, and the BSD r-commands and use secure replacements. Download, compile, and install some of the security tools I've talked about in this series to get the big picture of your network.
Above all, keep up-to-date. Don't give up. If even after taking some precautions, your site gets broken into, don't be dismayed. Learn from it and plug the leaks!
Carl Constantine works for Open Source Solutions, Inc. (www.os-s.com) as a Linux Trainer and Programmer.
Previously in this series:
Return to the Linux DevCenter.