
Breathe easily: protect your Linux box with Snort


Be sure to check out the documentation page for many very detailed papers covering setup, deployment and the general intricacies of intrusion detection.

Snort's operating modes are not actually completely separate; rather, they build incrementally on each other to add greater functionality. The simplest way to become familiar with Snort is to try it out one mode at a time, adding features slowly. So, begin by running it as a packet sniffer. This command line is pretty simple: run snort -vde. The -vde is actually three distinct flags: -v tells Snort to operate in packet-sniffing mode, but for TCP headers only, while the -d and -e flags turn on additional headers.

You can further refine Snort by filtering traffic by subnet using the -h flag and an IP address or a network range like 192.168.1/24. This might give a command line like snort -vde -h 192.168.1/24. Those familiar with tcpdump will recognise the flexibility with which a range can be specified.

If you have a busy network, data will fly by pretty fast. This leads us to Snort's packet logging, which is enabled simply by adding the -l flag followed by a directory in which to save log files. Your command line now might read snort -vde -h 192.168.1/24 -l /var/log/snort.

Finally, to use Snort as an IDS, you add one more item to the command line, namely the location of your Snort configuration file that holds all your rules, using the -c flag. This gives a final command line along the lines of snort -vde -h 192.168.1/24 -l /var/log/snort -c /etc/snort.conf.


If you are not getting results, be certain that your network card is capable of operating in so-called promiscuous mode and also be sure to run the program as the super-user of your system.


The Snort architecture


To make best use of Snort, it helps to know how it has been put together. Snort essentially has four components, namely

  1. The sniffer
  2. The pre-processor
  3. The detection engine
  4. The output renderer

The packet sniffer eavesdrops on network traffic. This doesn’t have to be for surreptitious reasons like snooping for passwords; legitimate and legal packet sniffing encompasses many things – like analysing network performance and troubleshooting application or network faults.


This first component of Snort provides the first two operating modes described above. However, here’s where Snort gets its name: it does so much more than merely sniff; it snorts!


In its third, and most versatile and useful mode, Snort herds the sniffed traffic on through its pre-processor. Here, the raw packets are analysed for specific types of behaviour. By “behaviour”, we mean the packets are matched against many heuristics and rules in an attempt to “discover” whether the traffic has any meaningful patterns. This means, for example, Snort is able to pick up if a buffer overflows or if someone is, say, scanning sequential ports on the system. This behaviour may or may not be harmful but is worthy of further analysis.


So then, if Snort identifies a particular behaviour in the raw network data, the detection engine is invoked. Here's where the signatures and rules referred to above come into play. This is where the actual intrusion detection takes place.

The signatures identify packets that contain specific sequences of data. These may be strings of text or sequences of program code that are known to be virus, spam or Trojan activity, for example. The rules fire when any such pattern is detected, directing whether the situation calls for an alert to be logged to disk, a database, a pop-up message, a system log file or reported in some other way.
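As an added illustration that is not from the original article, here is a minimal Snort 2 configuration of the kind the -c flag above points at, tying together the pre-processor (the sequential port-scan heuristic mentioned earlier), the detection engine (two content signatures, one a text string and one a raw byte sequence) and the output renderer. The network range, file names and rule numbers are assumed values, not the page's.

```snort
# --- /etc/snort.conf (assumed; the article uses the same path) ---
# Variables the rules refer to: the protected range and everything else.
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET

# Pre-processor stage: the port-scan heuristic runs on the raw packets
# before any signature is consulted. Low sensitivity keeps noise down.
preprocessor sfportscan: proto { all } scan_type { all } sense_level { low }

# Output stage: render each alert as a one-line text record in the -l directory.
output alert_fast: alert.fast

# Detection stage: signatures live in a separate file (assumed name).
include local.rules

# --- local.rules (assumed file) ---
# Signature 1: a text string inside an HTTP request to a protected server.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL web request for /etc/passwd"; \
    flow:to_server,established; content:"/etc/passwd"; nocase; \
    sid:1000001; rev:1;)

# Signature 2: the same idea with part of the pattern written as raw bytes
# between pipes (the CR LF that ends an FTP command line).
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"LOCAL FTP login attempt as root"; \
    flow:to_server,established; content:"USER root|0D 0A|"; \
    sid:1000002; rev:1;)
```

Before running in IDS mode, snort -T -c /etc/snort.conf parses the configuration and rules and reports any syntax problems without sniffing traffic.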



