In this article, we’re going to talk about Snort. You might be wondering what Snort actually is.
When you hear ‘Snort,’ your mind might jump to pigs, laughter, or someone trying to hold in a laugh and failing miserably. But in the world of cybersecurity, Snort is no joke – it’s a powerful tool that sniffs out malicious traffic like a bloodhound on caffeine 😂.
Let’s be serious and learn more about Snort.
What is Snort?
Snort is a network security tool that works as both an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS). It is cross-platform, open-source, and available to individuals and organizations alike. It was developed in 1998 by Martin Roesch, founder and former CTO of Sourcefire.
The tool uses a rules file to define malicious network activity, identify malicious packets, and generate alerts for the user. The rules can come from pre-configured rule sets or from user-written rule files.
Network admins can use the Snort tool to spot denial-of-service (DoS) attacks, distributed DoS (DDoS) attacks, Common Gateway Interface (CGI) attacks, buffer overflows, and stealth port scans.
Snort is built on libpcap, a packet capture library. libpcap is the same library that TCP/IP traffic sniffers, content-searching tools, and analyzers rely on, and Snort uses it for real-time traffic analysis, packet recording, content matching, and protocol analysis.
Snort Architecture
The architecture of Snort consists of several components that work together to detect and analyze network traffic.
- Sniffer: A sniffer collects and analyzes network data according to the packet structure. When the data-gathering phase is finished, the raw data packets are sent to the preprocessors.
- Preprocessors: The preprocessors are responsible for specific operations to verify the nature/behavior of the network packets. They are loaded and configured using the preprocessor keyword. The format of the preprocessor directive in the Snort config file is:
preprocessor <name>: <options>
- Detection engine: The detection engine compares each packet against the defined rules. Packets that match are handed to the output stage, where the detected alerts are directed.
- Output: The output will record and generate a log file. Log files can be stored in many formats, such as Syslog format, pcap, or unified2. These log files can be used with tools like Splunk, ELK Stack, Graylog, Wazuh, OSSIM, and SIEMonster.
Let’s understand how the tool really works. First up, the sniffer captures all the network packets flying around. Then comes detection, where Snort analyzes those packets based on your configuration (this includes rules and preprocessors). After that, it decides what’s suspicious or worth flagging. Finally, the results get saved in various file formats so you can dig into the details later.
Features
The Snort tool comes with various useful features for network administrators and blue teams.
- Content matching
Snort matches rules by protocol, such as IP and TCP, then by port, and finally by whether or not they include content. Rules with content employ a multi-pattern matcher, improving efficiency, particularly for protocols like the Hypertext Transfer Protocol (HTTP). Rules without content are constantly examined, which negatively impacts performance.
- Cross-platform
It can be deployed on all operating systems, including Linux (Ubuntu, Kali Linux) and Windows, and in all network environments.
- OS fingerprinting
Operating system (OS) fingerprinting relies on each platform having a distinct TCP/IP stack. Snort can be used in this procedure to determine the operating system of a system that connects to the network.
- Open source
It is an open-source program that provides free network monitoring and protection through IDS and IPS.
- Packet logging
It also supports packet recording via its packet logger mode, meaning it writes packets to disk. This tool records packets in a hierarchical directory depending on the host network’s IP address in this mode.
- Protocol analysis
Snort can analyze protocols while collecting or sniffing data. This lets the network administrator inspect possibly harmful packets in more detail, for instance against the Transmission Control Protocol/IP (TCP/IP) stack protocol standard.
- Real-time traffic monitor
Snort can monitor network traffic in real-time, both inbound and outbound. It even alerts the user if the tool finds malicious packets or IP addresses.
- Rule Implementation
Implementing rules simplifies network monitoring and protection. Its rule language is also quite versatile, and developing new rules is relatively straightforward. Network administrators can distinguish between normal internet behavior and unusual or malicious activity.
Operating Modes
There are three operating modes in Snort:
- Sniffer Mode: This mode reads IP packets and shows them in the console.
- Packet Logger Mode: It will create a log file (including inbound and outbound IPs) for each user who visits the network.
- NIDS (Network Intrusion Detection System) and NIPS (Network Intrusion Prevention System) Mode: According to the rules, packets can be logged (if they are marked as malicious) or dropped.
Sniffer Mode
In sniffer mode, various parameters are available to work with.
| Parameter | Description |
|---|---|
| -v | Verbose. Display the TCP/IP output in the console. |
| -d | Display the packet data (payload). |
| -e | Display the link-layer (Ethernet) headers. |
| -X | Display the full packet details in HEX. |
| -i | Define a specific network interface to listen/sniff on. When you have multiple interfaces, you can choose which one to sniff. |
- Parameter “-i”
sudo snort -i ens33
The -i parameter specifies which network interface should be used. By default, the eth0 interface is used. In my case, the ens33 network interface is used.
Use the ifconfig command to check which network interface should be used.
- Parameter “-v”
sudo snort -v
Parameter -v is known as verbose mode; Snort will print all the details of what happens in that particular instance. With this parameter, we are not detecting or logging, just viewing real-time traffic.
In networking terms, -v displays IP-level and transport-level headers (such as IP, TCP, UDP, and ICMP).
The default interface is eth0, and Snort displays packet information as it scans packets. The primary purpose is to check that the interface and setup are working.
- Parameter “-d”
The parameter -d displays the payload of the packet, which often includes application-layer data like HTTP requests, FTP commands, or file signatures.
sudo snort -d
- Parameter “-e”
When Snort operates in packet display mode, the -e option instructs it to show Ethernet (data-link layer) headers.
sudo snort -e
- Parameter “-X”
The -X parameter dumps the whole packet in hex and ASCII, including headers and payload.
sudo snort -X
Packet Logger Mode
In Snort, packet logger mode enables working with log files, such as creating or reading them.
The different parameters are listed below:
| Parameter | Description |
|---|---|
| -l | Logger mode: target folder for log and alert output. The default output directory is /var/log/snort, and the default action is to dump packets in tcpdump format there. |
| -K ASCII | Log packets in ASCII format. |
| -r | Read option: read a previously dumped log file back into Snort. |
| -n | Specify how many packets will be processed/read. Snort will exit after reading the specified number of packets. |
- Parameter “-l”
The -l argument specifies the log directory where Snort will keep alerts, logs, and captured packets. Consider the following command line:
sudo snort -dev -l .
- -dev: runs Snort in sniffer mode, showing Ethernet headers, IP headers, and payload.
- -l: saves the log files under the given directory path. Here, -l . writes the logs to the current directory.
- Parameter “-K ASCII”
The -K option defines the log format for Snort’s alert output. Using -K ascii instructs Snort to log alerts in human-readable ASCII rather than the standard binary (unified2) format.
The configuration file is used during the Snort scan. Once traffic is generated, Snort will begin displaying the packets in verbose mode, as follows:
sudo snort -dev -K ASCII -l .
After the command, let’s look at the created log file.
- Parameter “-r”
Snort can read and process binary-format (pcap) output, just like tcpdump and Wireshark.
This parameter lets you read a binary log file back and filter it, for example by protocol, with a BPF filter expression appended to the command.
For example:
- The command below prints each packet’s payload in hex and ASCII for inspection.
sudo snort -r logname.log -X
- The command below prints only the TCP packets from the log file.
sudo snort -r Desktop/snort.log.1425743287.pcap tcp
- The command below prints only UDP traffic on port 53 from the log file.
sudo snort -r logname.log 'udp and port 53'
- Parameter “-n”
sudo snort -r Desktop/snort.log.1425743287.pcap -n 10
The command above reads and prints only the first 10 packets.
IDS/IPS Mode
Snort has more capabilities than sniffing and recording traffic. IDS/IPS mode lets you apply user-defined rules to regulate traffic.
The table below explains the NIDS mode settings:
| Parameter | Description |
|---|---|
| -c | Define the configuration file. |
| -T | Test the configuration file. |
| -N | Disable logging. |
| -D | Background (daemon) mode. |
| -A | Select the alert mode. |
- Parameter “-c” and parameter “-T”
The parameters -c and -T both relate to the configuration file. -c points Snort at the configuration file so that the scan follows it, and -T tests that configuration file before it is used.
sudo snort -c /etc/snort/snort.conf -T
- Parameter “-N”
The parameter -N disables logging, so no log file is saved.
sudo snort -c /etc/snort/snort.conf -N
- Parameter “-D”
The -D parameter runs Snort as a daemon (in the background). This is useful for production environments, where Snort runs continuously, monitoring traffic.
sudo snort -c /etc/snort/snort.conf -i ens33 -D
Once the background mode is activated, check the process with the ps command as shown below:
ps -ef | grep snort
To stop the daemon, use the kill command with the PID reported by ps (1838 in this example):
sudo kill -9 1838
The Snort daemon mode is mainly used to automate the process. Scripts mainly use this argument to launch the Snort service in the background. It is not suggested to use this mode unless you have a working understanding of Snort and a consistent configuration.
- Parameter “-A”
| Alert Mode | Description |
|---|---|
| full | Full alert mode, providing all possible information about the alert. This is also the default mode when no alert mode is specified. |
| fast | Fast mode shows the alert message, timestamp, source and destination IPs, and port numbers. |
| console | Prints fast-style alerts to the console screen. |
| cmg | CMG style: basic header details with the payload in hex and text format. |
| none | Disables alerting. |
- Alert mode: console
In console mode, the scan runs and the alerts are shown directly in the terminal/console.
sudo snort -c /etc/snort/snort.conf -A console
- Alert mode: cmg
The CMG mode offers minimal header information and the payload in hex and text format.
sudo snort -c /etc/snort/snort.conf -A cmg
- Alert mode: fast
Fast mode includes alert messages, timestamps, and source and destination IP addresses. In this mode, the console does not show output. Always refer to the alarm file for alerts.
sudo snort -c /etc/snort/snort.conf -A fast
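Because fast mode writes one line per alert to the alert file rather than the console, that file is usually read by a script. The following Python example is added here (it is not from the article or from Snort itself): it parses constructed lines in Snort’s fast alert format into records, aggregates them by signature and source address for triage, and emits NDJSON of the kind log shippers for ELK, Splunk or Graylog ingest. The sample lines, addresses and sids are constructed for the example.

```python
import json
import re
from collections import Counter

# Constructed sample lines in Snort's "fast" alert format (added example, not the article's output).
# A rule without a classtype produces no [Classification: ...] field, as the ICMP line shows.
SAMPLE_ALERTS = """\
08/28-13:02:36.118235  [**] [1:1000001:1] ICMP ping to home net [**] [Priority: 0] {ICMP} 10.0.0.5 -> 192.168.1.10
08/28-13:02:41.502117  [**] [1:1000002:1] HTTP request for /etc/passwd [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:40000 -> 192.168.1.10:80
08/28-13:02:42.009873  [**] [1:1000002:1] HTTP request for /etc/passwd [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:40001 -> 192.168.1.10:80
this line is not an alert and must be skipped
"""

FAST = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?\[Priority:\s+(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_fast_line(line):
    """Return one alert as a dict, or None for lines that are not fast-format alerts."""
    m = FAST.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "pri", "sport", "dport"):  # ports are absent for ICMP
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec

def parse_fast_file(text):
    """Parse a whole alert file, silently skipping non-alert lines."""
    return [r for r in (parse_fast_line(line) for line in text.splitlines()) if r]

def summarize(alerts):
    """Aggregate alerts by signature and by source address for triage."""
    by_sig = Counter((a["sid"], a["msg"]) for a in alerts)
    by_src = Counter(a["src"] for a in alerts)
    return {"total": len(alerts), "by_signature": by_sig, "by_source": by_src}

def to_ndjson(alerts):
    """One JSON object per line, the shape log shippers for a SIEM ingest."""
    return "\n".join(json.dumps(a, sort_keys=True) for a in alerts)
```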
- Alert mode: full
The full mode will give all possible information about the alerts. In this mode, the console does not show output. Always refer to the alarm file for alerts.
sudo snort -c /etc/snort/snort.conf -A full
- Alert mode: none
This option turns off alerting and does not produce an alert file. However, it logs traffic and generates a file in binary dump format.
sudo snort -c /etc/snort/snort.conf -A none
- Using a rule file without the configuration file
The snort.conf configuration file is available by default. However, you can also use your own rules: add them to the local.rules file.
The local.rules file is located at /etc/snort/rules/local.rules. Below is the command to run Snort with the local rules file directly.
sudo snort -c /etc/snort/rules/local.rules -A console
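To see how the detection engine applies rules of this kind, here is an added Python model (not Snort’s own code and not from the article) of the matching order described under Content matching: the protocol, address and port header is checked first, and a payload content search runs only for rules that carry a content option. The rules, the $HOME_NET value and the packets are constructed for the example, and only plain-text content options are supported.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample rules in Snort's rule language (added example, not from the article).
# $HOME_NET is resolved through VARS below, standing in for snort.conf's ipvar HOME_NET.
RULES = """
alert icmp any any -> $HOME_NET any (msg:"ICMP ping to home net"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"HTTP request for /etc/passwd"; content:"/etc/passwd"; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"DNS query seen"; sid:1000003; rev:1;)
"""
VARS = {"$HOME_NET": "192.168.1.0/24"}
# Rule header layout: action proto src_ip src_port -> dst_ip dst_port (options)
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
OPTION = re.compile(r'(\w+):"?([^;"]*)"?;')  # key:value; pairs, quoted or bare
Packet = namedtuple("Packet", "proto src sport dst dport payload")

def parse_rules(text):
    """Split each rule into its header fields plus its options (msg, content, sid, rev)."""
    rules = []
    for line in text.strip().splitlines():
        m = HEADER.match(line)
        if not m:
            raise ValueError("unparseable rule: " + line)
        action, proto, sip, sport, dip, dport, opts = m.groups()
        rules.append({"action": action, "proto": proto, "sip": sip, "sport": sport,
                      "dip": dip, "dport": dport, **dict(OPTION.findall(opts))})
    return rules

def ip_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(VARS.get(spec, spec))

def port_match(spec, port):
    return spec == "any" or int(spec) == port

def evaluate(rules, pkt):
    """Return the sids that fire on pkt: header filter first, then payload content search."""
    hits = []
    for r in rules:
        header_ok = (r["proto"] == pkt.proto
                     and ip_match(r["sip"], pkt.src) and port_match(r["sport"], pkt.sport)
                     and ip_match(r["dip"], pkt.dst) and port_match(r["dport"], pkt.dport))
        if not header_ok:
            continue  # the cheap protocol/address/port check rejects most packets
        if "content" in r and r["content"].encode() not in pkt.payload:
            continue  # content rules add a payload search; rules without content skip it
        hits.append(int(r["sid"]))
    return hits
```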
- IPS mode and dropping packets
To run Snort in IPS mode, activate it with the -Q --daq afpacket parameters, which enable inline packet processing with the afpacket DAQ module. IPS mode can also be enabled by editing the snort.conf file, which is not necessary within the scope of this setup.
To use Snort as an IPS, specify the interfaces with the -i eth0:eth1 option. This tells Snort to inspect traffic passing between two network interfaces. Remember that IPS mode requires at least two network interfaces to function correctly, one for incoming traffic and the other for outgoing, allowing Snort to sit inline and actively block malicious packets.
sudo snort -c /etc/snort/snort.conf -q -Q --daq afpacket -i eth0:eth1 -A console
Conclusion
Snort is still one of the most trusted and commonly used network intrusion detection and prevention tools. Its adaptable design, real-time traffic analysis, and multi-mode operation make it appropriate for various applications, including home labs and business networks. Snort, whether used as a basic packet sniffer, a sophisticated logger, or a complete IDS/IPS system, provides the visibility and control required to fight against attacks. Getting started may require some configuration, but once it is in place, it becomes a valuable ally in network security.