We covered configuring snort as an IDS/IPS open-source solution. Snort operates as sniffer, packet logger and IPS/IDS. This was part of TryHackMe Snort.
Introduction to Snort and IDS/IPS Concepts:
- Snort can operate both as an IDS and IPS, depending on its configuration. IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) work by analyzing network traffic against a set of rules.
- IDS: Monitors and alerts when traffic matches rules but does not block the traffic.
- IPS: Monitors, alerts, and can actively block or reject malicious traffic.
Explanation of IDS and IPS:
- IDS: Logs and alerts when traffic matches pre-configured rules but does not interfere with the network traffic.
- IPS: In addition to logging and alerting, it can drop or reject packets or entire connections based on the detected threat.
- Difference between drop and reject: Dropping only removes the identified packet, while rejecting cuts off the entire connection.
- Both IDS and IPS work based on a set of rules that define acceptable and unacceptable network traffic patterns.
NIDS and HIDS (Network and Host Intrusion Detection Systems):
- NIDS (Network Intrusion Detection System): Operates on a network level and monitors traffic across an entire subnet or range of IPs.
- HIDS (Host Intrusion Detection System): Works on a single host or endpoint, monitoring traffic only for that specific machine.
Detection and Prevention Techniques:
- Signature-based detection: Matches known patterns (like malware or attack signatures) with network traffic.
- Behavior-based detection: Learns normal traffic behavior over time and flags abnormal behavior, even if it doesn’t match a known signature.
- Policy-based detection: Uses system configurations or security policies to define what traffic or actions are allowed or blocked.
Snort Overview:
- Snort is a flexible IDS/IPS tool capable of real-time traffic analysis and packet logging.
- It operates in three main modes:
- Sniffer mode: Captures and displays network traffic in real-time.
- Packet Logger mode: Logs packets for future analysis.
- NIDS/NIPS mode: Acts as either a network IDS or IPS, analyzing and acting on traffic in real-time.
Snort Configuration:
- Configuration file: Defines key settings such as the path to rules, variables for home and external networks, and plugins. By default, the configuration file is located in
/etc/snort/snort.conf. - Rules file: Located in
/etc/snort/local.rules, where specific traffic patterns are defined for Snort to detect and respond to.
The snort.conf file is the central nervous system for Snort’s operation. It’s where you define how Snort understands your network:
- Key Purpose: Defines critical network variables (IP addresses, network ranges) and port variables.
- Why Variables Matter: These variables (e.g.,
$HOME_NET,$EXTERNAL_NET,$HTTP_PORTS) are used in Snort rules, making them more readable, manageable, and adaptable to different environments. - Descriptive Naming: The tutorial emphasizes using clear, descriptive names for variables.
- Core Variables:
$HOME_NET: Defines your internal network’s IP range that you want to protect.$EXTERNAL_NET: Represents all networks outside your$HOME_NET.
Editing Snort.config
Editing the File: Typically done using a command-line editor like nano.
Defining $HOME_NET: Modifying this variable to accurately reflect your local network’s IP address and subnet mask (e.g., ipvar HOME_NET 192.168.94.0/24).
Defining $EXTERNAL_NET: Often set to any or !$HOME_NET due to the impracticality of listing all external IPs.
Other Network Variables: You can also define variables for specific servers like DNS_SERVERS, SMTP_SERVERS, or SQL_SERVERS using the ipvar keyword (e.g., ipvar DMZ_NET [10.0.0.0/24]).
Defining Port Variables: Similar to IP variables, port variables like $HTTP_PORTS (e.g., portvar HTTP_PORTS 80) or $SSH_PORTS (e.g., portvar SSH_PORTS 22) simplify rule writing.
Saving is Key: Always remember to save your changes to snort.conf!
Configuring Alerts
An IDS is only useful if it tells you what it finds. Configuring alert logging is essential:
- Location: Also configured within
snort.conf. - Output Plugins: Find the “configure output plugins” section (often labeled as step six).
- Enabling Fast Alerts: Add or uncomment a line like
output alert_fast: fast_alert.log(the video mentionsfast_packet, butalert_fastis common for a summarized log format). This ensures that when Snort detects suspicious activity, an alert is logged for review and incident response.
Snort Rules
Understanding the structure of a Snort rule is fundamental:
Rule Action Protocol Source_IP Source_Port Direction_Operator Destination_IP Destination_Port (Rule_Body_Options)
- Rule Action: What Snort does (e.g.,
alert,log,pass,drop). - Protocol: The network protocol (
tcp,udp,icmp,ip). - Source IP & Port: Origin of the traffic (can use variables like
$EXTERNAL_NET). - Direction Operator:
->(unidirectional) or<>(bidirectional). - Destination IP & Port: Target of the traffic (can use variables like
$HOME_NET). - Rule Body (Options): Enclosed in parentheses; contains keywords for detailed inspection, messages, SIDs, etc.
While Snort comes with community rule sets, you’ll often need to write your own:
- Purpose: The
local.rulesfile is the designated place for users to add their custom Snort rules or make modifications without altering the main rule files.
Understanding Rule Actions
alert: Generates an alert and logs the packet (primary for IDS).log: Logs the packet.pass: Ignores the packet.drop: (IPS mode) Blocks the packet silently.reject: (IPS mode) Blocks and sends a TCP reset/ICMP error.sdrop: (IPS mode) Silently blocks the packet, no logging.
Crafting Snort Rules
- Basic Alert:
alert tcp any any -> $HOME_NET any (msg:"Incoming TCP Traffic to HOME_NET"; sid:1000001; rev:1;)- Alerts on any TCP traffic from any external source to your home network.
- Bidirectional Alert:
alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"Bidirectional TCP Traffic"; sid:1000002; rev:1;) - Drop Rule (IPS example):
drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLOCKING Outbound Internet Access"; sid:1000003; rev:1;)- This would severely restrict internet access.
- Snort ID (SID) [00:20:43 – 00:21:45]: A unique identifier for each rule. Custom rules usually start from a high number (e.g., 1,000,000) to avoid clashes with official rule sets.
- Commenting [00:21:56 – 00:24:30]: Always add comments (
#) to yourlocal.rulesto explain the purpose of each custom rule.
Deep Packet Inspection with Content Matching
Snort’s true power lies in its ability to inspect the payload of packets:
- The
contentKeyword: Allows searching for specific byte sequences, strings, or patterns within packet data. - Precision: Snort can use offsets and depth parameters to look at specific parts of the payload.
- Detection Capabilities:
- File Hashes: Match against known malicious file hashes.
- Hex Values: Detect specific byte sequences (e.g., shellcode).
- Keywords/Strings: Find suspicious words in web pages, commands, etc.
- URLs: Inspect URLs for malicious patterns.
- Combined with Actions: When a
contentmatch occurs, the defined rule action (alert,drop, etc.) is triggered.
TryHackme Snort Room Answers
Which snort mode can help you detect threats on a local network?
Which snort mode can help you detect the threats on a local machine?
Which snort mode can help you stop the threats on a local network?
Which snort mode works similar to NIPS mode?
According to the official description of the snort, what kind of NIPS is it?
NBA training period is also known as …
Run the Snort instance and check the build number.
Test the current instance with “/etc/snort/snort.conf” file and check how many rules are loaded with the current build.
Test the current instance with “/etc/snort/snortv2.conf” file and check how many rules are loaded with the current build.
Investigate the traffic with the default configuration file with ASCII mode.
sudo snort -dev -K ASCII -l .
sudo ./traffic-generator.sh
Use snort.log.1640048004
Read the snort.log file with Snort; what is the IP ID of the 10th packet?
snort -r snort.log.1640048004 -n 10
Read the “snort.log.1640048004″ file with Snort; what is the referer of the 4th packet?
Read the “snort.log.1640048004″ file with Snort; what is the Ack number of the 8th packet?
Read the “snort.log.1640048004″ file with Snort; what is the number of the “TCP port 80” packets?
Investigate the traffic with the default configuration file.
sudo snort -c /etc/snort/snort.conf -A full -l .
sudo ./traffic-generator.sh
Investigate the mx-1.pcap file with the default configuration file.
sudo snort -c /etc/snort/snort.conf -A full -l . -r mx-1.pcap
Keep reading the output. How many TCP Segments are Queued?
Keep reading the output.How many “HTTP response headers” were extracted?
Investigate the mx-1.pcap file with the second configuration file.
sudo snort -c /etc/snort/snortv2.conf -A full -l . -r mx-1.pcap
Investigate the mx-2.pcap file with the default configuration file.
sudo snort -c /etc/snort/snort.conf -A full -l . -r mx-2.pcap
Keep reading the output. What is the number of the detected TCP packets?
Investigate the mx-2.pcap and mx-3.pcap files with the default configuration file.
sudo snort -c /etc/snort/snort.conf -A full -l . --pcap-list="mx-2.pcap mx-3.pcap"
Use “task9.pcap”.
Write a rule to filter IP ID “35369” and run it against the given pcap file. What is the request name of the detected packet? snort -c local.rules -A full -l . -r task9.pcap
Create a rule to filter packets with Syn flag and run it against the given pcap file. What is the number of detected packets?
Clear the previous log and alarm files and deactivate/comment out the old rule.
Write a rule to filter packets with Push-Ack flags and run it against the given pcap file. What is the number of detected packets?
Clear the previous log and alarm files and deactivate/comment out the old rule.
Create a rule to filter packets with the same source and destination IP and run it against the given pcap file. What is the number of detected packets?
Case Example – An analyst modified an existing rule successfully. Which rule option must the analyst change after the implementation?
