SNORT Tool


Transcript of SNORT Tool

Introduction

Snort is an application developed by Martin Roesch which today is primarily used as an Intrusion Detection System/Intrusion Protection System (IDS/IPS). Snort, however, is capable of more:

1. Packet sniffing
2. Packet logging
3. Intrusion detection

Additionally, Snort is supported on a wide variety of OS platforms, including many Unix platforms and Windows. Another distinguishing feature of Snort is that it is completely open source. This gives Snort a big advantage over many of its commercial counterparts because users can see what it is doing and tune the system accordingly. That degree of visibility into the internals of the product is generally not an option in the commercial IDS/IPS world. Its free availability and broad platform support have made Snort one of the most popular and widely used network security tools.

Basic Architecture of Snort

Snort has four primary components:

1. Packet sniffer

Packet sniffing is the act of reading datagrams off the wire. Normally, a device's NIC is only concerned with the traffic addressed specifically to the device. However, the sniffing component of Snort places the interface into a state known as promiscuous mode, which enables the NIC to read all the traffic on the wire, not just the traffic directly addressed to it.

2. Preprocessors

In order for packets to be inspected in a contextually relevant way, some further processing must be performed on them to reveal the context in which the packets are intended to be used. Several steps must be carried out so that packets are presented in a contextually relevant way, and Snort preprocessors handle this task. They are specially designed to put network traffic into context for presentation to the other elements of the Snort architecture. Examples of preprocessors are the protocol decoders and sfPortScan.

3. Detection engine

The detection engine accepts the parsed, normalized and stream-reassembled network traffic for inspection against the rule base.

4. Output and alerting module

The output module handles the task of writing and displaying events. Snort-generated data can be presented to standard output, logged to files or logged to a database.

Snort Installation

To download Snort, go to https://www.snort.org/#get-started and select the appropriate package for your OS. The following section targets installation on a Windows 7 machine. Click on Sign Up and register to get an activation code.

Run the executable (make sure that when you download the installer you save the file as an .exe so you can install it) and click the I Agree button on the license agreement screen:

Then on the next screen leave the defaults selected and click the Next button:

Then on the Choose Install Location screen leave the default location, which is c:\Snort, and click the Next button:

The installation will then occur; you can click Show details to see everything that was extracted during the installation, then click the Close button:

You will then see the following screen if the installation was successful, simply click the OK button:

Checking Installation

Go to Command Prompt and type the following commands:

cd c:\snort\bin
snort -W

The first command changes your prompt to the bin directory, which is where snort.exe is located. The second line checks for all available network interfaces that Snort can run on. After you have checked for a device interface you can use the following command to actually run Snort on your computer:

snort -d

To stop the capturing simply press CTRL-C. Below is a screen capture of what occurs when you stop capturing packets:

Finally, you will need to run the following command to actually write packets to a log file:

snort -c c:\Snort\etc\snort.conf -l c:\Snort\log -K ascii

Configuring Snort.conf

After the installation and checking to make sure everything is running properly, you will need to modify the snort.conf file located in the following Snort directory:

c:\Snort\etc\snort.conf

If you open this file in Notepad++ you can view the line numbers and make the following changes. Change the ipvar below to the network you are going to be running Snort on:

Default:

Change to:

Next, we need to change the paths below to the correct locations on our Windows 7 computer. The defaults are set to run on the Linux operating system.

Default:

Change to:

Next we need to replace additional Linux paths with the correct paths in Microsoft Windows 7; we also comment out the dynamicpreprocessor library, change libsf_engine.so to a .dll file and comment out (#) the dynamicdetection line as we have below:

Default:

Change to:

The next section we need to change is below; we don't use inline packet normalization in Microsoft Windows 7:

Default:

Change To:

Next we need to provide the direct path to the metadata reference data:

Default:

Change to:

The next issue is the lines below: these files do not exist in the rules directory. The solution is simply to create the two files in the rules directory. Note that there is a blacklist.rules file; we simply renamed that file as indicated below.

Default:

Change to:

Next, we need to change the following lines and then we should be able to run Snort 2.9:

Default:

Change to:

At this point Snort will run, but you can make one more change to the blacklist rule path as we did below:

Default:

Change to:

The final step is to set up the output of the events; add the following line of code:

Default:

Change to:
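As an added example (not part of this page or of Snort itself), the following Python script lints a snort.conf for the Linux defaults the section above replaces: a HOME_NET left at any, ../ and /usr/local paths, a .so dynamicengine, an active dynamicdetection line and the inline normalize_* preprocessors. The directive names are standard snort.conf syntax; the sample configuration and the finding messages are constructed.

```python
import re

LINUX_PREFIXES = ("/", "../")  # absolute Unix paths and the ../ defaults do not resolve under c:\Snort

def expand(value, variables):
    """Expand $VAR references the way snort.conf does."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), value)

def lint_windows_conf(conf_text):
    """Return [(line_no, message)] for directives that still match the Linux defaults."""
    findings, variables = [], {}
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commenting a line out is exactly how the page disables it
        m = re.match(r"(ipvar|var)\s+(\w+)\s+(\S+)", line)
        if m:
            kind, name, value = m.groups()
            variables[name] = value  # later $NAME references expand to this
            if name == "HOME_NET" and value == "any":
                findings.append((n, "HOME_NET is still 'any'; set it to the monitored network"))
            elif kind == "var" and name.endswith("_PATH") and value.startswith(LINUX_PREFIXES):
                findings.append((n, f"{name} uses a Linux/relative path: {value}"))
            continue
        m = re.match(r"(dynamicpreprocessor directory|dynamicdetection directory|"
                     r"dynamicengine|include|preprocessor)\s+(\S+)", line)
        if not m:
            continue
        directive, arg = m.group(1), expand(m.group(2), variables)
        if directive == "dynamicdetection directory":
            findings.append((n, "dynamicdetection is active; comment it out on Windows"))
        elif directive == "preprocessor":
            if arg.startswith("normalize_"):  # inline normalization is not used on Windows
                findings.append((n, f"inline {arg.rstrip(':')} preprocessor is active"))
        elif directive == "dynamicengine" and arg.endswith(".so"):
            findings.append((n, "dynamicengine points at a .so; Windows needs the .dll"))
        elif arg.startswith(LINUX_PREFIXES):
            findings.append((n, f"{directive} uses a Linux/relative path: {arg}"))
    return findings

# Constructed sample: stock Linux defaults mixed with lines already adapted for Windows.
SAMPLE_CONF = """\
ipvar HOME_NET any
var RULE_PATH ../rules
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine c:\\Snort\\lib\\snort_dynamicengine\\sf_engine.dll
# dynamicdetection directory /usr/local/lib/snort_dynamicrules
preprocessor normalize_ip4
include $RULE_PATH/local.rules
"""
```

Running lint_windows_conf(SAMPLE_CONF) flags lines 1, 2, 3, 6 and 7; the commented dynamicdetection line and the .dll engine path pass.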

Operating Snort

Snort has three modes of operation:

1. Packet sniffer
2. Packet logger
3. Intrusion detection

The mode you choose to use is mainly a function of how you configure its command line switches and how you configure its primary configuration file, snort.conf.

Snort as a Packet Sniffer

Sniffing and logging are the functions that Snort was originally designed to do. Today, however, its primary use is as an intrusion detection/protection system. Although it is primarily used as an IDS/IPS, the sniffing and logging capability still exists and may be a useful alternative to other tools that do the same thing, since the capability is natively part of your Snort installation.

For sniffing network traffic, there are three command line switches you must know:

-d - Dump or display application layer information (the packet payload).
-e - Dump or display data link layer information.
-v - Verbose.

Packet Logging with Snort

Snort can act as a packet logger. The command line syntax is basically the same as in the previous examples, only you also specify the output type and a location for where it should go:

snort -i eth1 -l /var/log/snort -K ascii

Snort as an Intrusion Sensor

Snort's configuration file snort.conf basically contains all the settings and configurations of its detection features:

1. Variable configurations
2. Preprocessor configurations
3. Output settings
4. Pointers to rule files