Yo, digital defenders and cyber-savvy surfers! 🏄♂️ Are you tired of feeling like your network is a wide-open playground for every mischief-maker and data-nabber out there? Well, put on your coolest shades 😎 because we're about to dive into the radical world of Snort – the Swiss Army knife of network security that's about to turn you into a bonafide packet-sniffing, threat-detecting, cyber-ninja!
What's the Buzz About Snort? 🐝
Before we jump into the nitty-gritty, let's rap about what makes Snort the bee's knees of the cybersecurity world. Imagine having a tireless, eagle-eyed guardian that watches every single bit and byte zooming through your network, 24/7. That's Snort for you! It's like having a bouncer at the hottest club in town, but instead of checking IDs, it's checking packets for signs of trouble.
Snort's been in the game since 1998 (practically ancient in internet years!), but like a fine wine, it's only gotten better with age. It's open source (which means it's free, baby! 🆓), flexible as a yoga master, and has a community of fans larger than a Taylor Swift concert.
Why Should You Give a Hoot About Snort? 🦉
In this wild west of a digital world, where cyber baddies are always cooking up new ways to cause chaos, Snort is your trusty sidekick. It can:
- Spot sneaky intrusion attempts faster than you can say "firewall"
- Keep an eye out for nasty malware trying to slide into your DMs (or, you know, your network)
- Alert you when something fishy is going down, like unusual traffic patterns
- Even block the bad stuff if you're feeling extra protective (IPS mode activated! 🛡️)
Plus, it plays nice with other security tools, making it the popular kid in the cybersecurity lunchroom.
Now that we've hyped up Snort more than a new smartphone release, let's get down to business and turn you into a Snort superstar!
Snort Shopping Spree 🛒
Before installing snort we need to check somethings first. Some network cards have features named “Large Receive Offload” (lro) and “Generic Receive Offload” (gro). With these features enabled, the network card performs packet reassembly before they’re processed by the kernel. By default, Snort will truncate packets larger than the default snaplen of 1518 bytes. In addition, LRO and GRO may cause issues with Stream5 target-based reassembly. We recommend that you turn off LRO and GRO.
To disable LRO and GRO for any interface that Snort listens on, we will use the ethtool command in the network interface configuration file /etc/network/interfaces. If you are running Ubuntu, you will need to first install ethtool:
sudo apt-get install -y ethtool
Use nano to edit the network interfaces file:
sudo nano /etc/network/interfaces
Append the following two lines for each network interface, making sure to change eth0 to match the interface you are working on, since your interface names may be different, especially on Ubuntu 15.10:
post-up ethtool -K eth0 gro off
post-up ethtool -K eth0 lro off
An example of how the /etc/network/interfaces file should look for a single interface:
Restart networking (replace eth0 with your interfaces with below) and verify that LRO and GRO are disabled:
ethtool -k eth0 | grep receive-offload
generic-receive-offload: off
large-receive-offload: off
If the interfaces do not show LRO and GRO as off, reboot and check again (it can be difficult to get Ubuntu to reload the network configuration without a reboot).
Also you can use this: sudo ethtool -K ethX gro off lro off
First stop on our Snort adventure: installation station! We're gonna grab Snort faster than you can snag the last slice of pizza at a LAN party.
Open up your terminal (that's command prompt for you Windows folks) and type in these magic words:
sudo apt-get update
sudo apt-get install snort
Boom! 💥 You'll be asked about your home network. Just give it your digits in CIDR notation (like 192.168.1.0/24). Don't know your CIDR? No sweat! Just Google "What's my CIDR" and you'll be sorted faster than you can say "IP address."
Confirm snort installation by using this command:
snort -V
Snort's Secret Diary 📔
Now that Snort's made itself at home on your system, it's time to peek at its personal journal. Don't worry, it won't mind – in fact, it wants you to take a look!
sudo nano /etc/snort/snort.conf
This config file is like Snort's brain. It tells Snort what to look for, where to look, and what to do when it finds something. Key areas to check out:
We need to comment out all of the individual rule files that are referenced in the Snort configuration file, since instead of downloading each file individually, we will use PulledPork to manage our rulesets, which combines all the rules into a single file. The following line will comment out all rulesets in our snort.conf file:
sudo sed -i "s/include \$RULE\_PATH/#include \$RULE\_PATH/" /etc/snort/snort.conf
We will now manually change some settings in the snort.conf file, using your favourite editor:
sudo nano /etc/snort/snort.conf
Change the following lines to meet your environment, HOME NET should match your internal (friendly) network. In the below example our HOME NET is 192.168.159.0 with a 24-bit subnet mask (255.255.255.0):
ipvar HOME_NET 192.168.159.0/24
Note: You should not set EXTERNAL NET to !$HOME NET as recommended in some guides, since it can cause Snort to miss alerts.
Note: it is vital that your HOME NET match the IP subnet of the interface that you want Snort to listen on. Please use ifconfig ens33 | grep "inet add" to ensure you have the right address and mask set. Often this will be a 192.168.1.x or 10.0.0.x IP address.
Set or verify the following file paths in snort.conf, beginning:
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules/iplists
var BLACK_LIST_PATH /etc/snort/rules/iplists
In order to make testing Snort easy, we want to enable the local.rules file, where we can add rules that Snort can alert on. Un-comment (remove the hash symbol) from line 545 so it looks like this:
include $RULE_PATH/local.rules
Once the configuration file is ready, we will have Snort verify that it is a valid file, and all necessary files it references are correct. We use the -T flag to test the configuration file, the -c flag to tell Snort which configuration file to use, and -i to specify the interface that Snort will listen on.
Run sudo snort -T -c /etc/snort/snort.conf -i ens33.
Run this command as shown below and look for the following output (only the last few lines of the output are shown for clarity):
Pro tip: Take your time here. Getting this right is like giving Snort the perfect pair of glasses – it'll see threats clear as day!
Snort's Dual Personalities: NIDS and IDS Mode 🎭
Alright, network ninjas, it's time to unleash Snort's powers! Our packet-sniffing pal has two awesome modes: Network Intrusion Detection System (NIDS) and Intrusion Detection System (IDS). Let's break 'em down and get Snort running faster than you can say "cybersecurity"!
1. NIDS Mode: The Network Watchdog 🐕🦺
In NIDS mode, Snort is like a super-attentive guard dog, sniffing every packet that passes by on your network. It's perfect for real-time traffic analysis and alerting.
To run Snort in NIDS mode, use this command:
sudo snort -dev -l /var/log/snort -h 192.168.1.0/24 -c /etc/snort/snort.conf
Let's break down this magic spell:
- -dev: Shows you the packet headers (it's like X-ray vision for your network!)
- -l /var/log/snort: Tells Snort where to keep its diary of suspicious activities
- -h 192.168.1.0/24: Your home network address (change this to match your setup)
- -c /etc/snort/snort.conf: Points to Snort's configuration file
This mode is live anything that happens will show in real time and update as new events happen.
2. IDS Mode: The Rule-Based Sentry 🛡️
In IDS mode, Snort becomes a discerning bouncer, checking network traffic against a set of rules you've defined. It's like giving Snort a "naughty list" of network behaviors to watch out for.
To run Snort in IDS mode, try this command:
sudo snort -q -l /var/log/snort -i eth0 -A console -c /etc/snort/snort.conf
Breaking it down:
- -q: Quiet mode (Snort works in stealth!)
- -l /var/log/snort: The log directory (Snort's secret notebook)
- -i eth0: Your network interface (change if needed)
- -A console: Alerts go to your console (instant notifications, baby!)
- -c /etc/snort/snort.conf: The all-important config file
In this mode the logs are stored in the log folder.
Craft Your Own Snort Spells 🧙♂️
Alright, wand-wavers, time to write some security magic! We're gonna create a custom rule that'll make Snort perk up its ears like a dog hearing a squirrel.
sudo nano /etc/snort/rules/local.rules
Rule 1: Detect ICMP (Ping) Flooding
Rule Description:
This rule will detect if an unusual number of ICMP Echo Request packets (pings) are being sent from a single source, which might indicate a ping flood attack.
Snort Rule:
alert icmp any any -> any any (msg:"ICMP Flood detected"; itype:8; detection_filter:track by_src, count 100, seconds 10; sid:1000007;)
- itype:8: This specifies that the rule is looking for ICMP Echo Request messages (ping requests).
- detection_filter:track by_src, count 100, seconds 10;: This triggers the rule if more than 100 ICMP Echo Request packets are detected from a single source within 10 seconds.
- sid:1000007;: This is the unique signature ID for this rule.
Testing Method:
Use the ping command to simulate an ICMP flood:
Use this command on a different host connected to the same network.
- Replace target-ip with the IP address of the target machine.
Note: Before starting the attack start snort using any of the two modes (IDS or NIDS). It stores log data based on the mode.Rule 2: Detect Multiple SSH Connection Attempts
This rule detects multiple connection attempts to the SSH port, indicative of a brute-force attack.
Snort Rule:
alert tcp any any -> any 22 (msg:"Multiple SSH connection attempts detected"; flow:to_server, established; detection_filter:track by_src, count 5, seconds 60; sid:1000008; rev:1;)
Testing Method:
Use Hydra to simulate an SSH brute-force attack:
hydra -l username -P /path/to/password/list.txt ssh://target-ip - Replace username with the username to attack.
- Replace /path/to/password/list.txt with the path to your password list.
- Replace target-ip with the IP address of the target machine.
Rule 3: Detect Port Scanning Activity
This rule detects port scanning activity by monitoring multiple connection attempts to different ports from the same source.
Snort Rule:
alert tcp any any -> any any (msg:"Port scan detected"; detection_filter:track by_src, count 20, seconds 60; sid:1000009; rev:1;)
Testing Method:
Use nmap to perform a port scan from your Kali VM:
nmap -p 1-100 target-ip
Replace target-ip with the IP address of the target machine.
Rule 4: Detect Communication with Known Malicious IPs
This rule detects if any internal host communicates with a known malicious IP address.
Snort Rule:
alert ip any any -> [192.0.2.0/24] any (msg:"Communication with known malicious IP detected"; sid:1000011; rev:1;)
Replace 192.0.2.0/24 with the actual malicious IP address or range.
Testing Method:
Attempt to communicate with the malicious IP from your Kali VM:
ping 192.0.2.1
Replace 192.0.2.1 with the IP address that you’ve listed as malicious in the rule.
Bonus Round: Snort as a Service 🎰
Want Snort to run 24/7 without you babysitting? Let's set it up as a service:
Create a service file:
sudo nano /etc/systemd/system/snort.service
Add this cool content:
[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target
#Create a user and group named "snort" and give proper permissions to run snort as a user not as root. Root is very dangerous.
[Service]
Type=simple
ExecStart=/usr/sbin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
Restart=always
[Install]
WantedBy=multi-user.target
Start 'er up:
sudo systemctl daemon-reload
sudo systemctl enable snort.service
sudo systemctl start snort.service
Now Snort's running 24/7, keeping your network safe while you sleep, work, or binge-watch your favorite shows. It's like having a tireless cybersecurity guardian angel! 👼
Note: Only applicable when snort is installed manually from source.
Keep Snort Hip and Happening 🕺
Just like how you update your phone to get the latest emoji, Snort needs updates to stay on top of new threats. You can manually download new rules from the Snort website, or use a tool called PulledPork (yes, that's really its name, and no, we're not making this up! 🐷).
PulledPork is like a personal shopper for Snort rules. It goes out, grabs the latest and greatest rules, and serves them up to Snort on a silver platter. Here's how to get this little piggy working for you:
Install PulledPork:
Install the PulledPork pre-requisites:
sudo apt-get install -y libcrypt-ssleay-perl liblwp-useragent-determined-perl
git clone https://github.com/shirkdog/pulledpork.git
cd pulledpork
sudo cp pulledpork.pl /usr/local/bin
sudo chmod +x /usr/local/bin/pulledpork.pl
sudo cp etc/*.conf /etc/snort
Check that PulledPork runs by checking the version, using the -V flag:
Configure PulledPork (it's like teaching the pig new tricks):
sudo nano /etc/pulledpork/pulledpork.conf
Anywhere you see <oinkcode> enter the oinkcode you received from snort.org (if you didn’t get an oinkcode, you’ll need to comment out lines 19 and 26):
Line 19 & 26: enter your oinkcode where appropriate (or comment out if no oinkcode)
Line 29: Un-comment for Emerging threats ruleset (not tested with this guide)
Line 74: change to: rule_path=/etc/snort/rules/snort.rules
Line 89: change to: local_rules=/etc/snort/rules/local.rules
Line 92: change to: sid_msg=/etc/snort/sid-msg.map
Line 96: change to: sid_msg_version=2
Line 119: change to: config_path=/etc/snort/snort.conf
Line 133: change to: distro=Ubuntu-24-4
Line 141: change to: black_list=/etc/snort/rules/iplists/black_list.rules
Line 150: change to: IPRVersion=/etc/snort/rules/iplists
Make sure you've got your Snort Oinkcode in there (it's like a VIP pass for rule updates).
Run PulledPork and watch it bring home the bacon:
sudo pulledpork.pl -c /etc/pulledpork/pulledpork.conf -l
Now your Snort is always dressed in the latest threat-detecting fashion! 🕴️
Snort's Workout Routine: Performance Tuning 🏋️♂️
Just like how you wouldn't run a marathon without training, Snort needs some fine-tuning to perform at its best. Here are some pro tips to keep Snort in tip-top shape:
- Rule Selection: Don't be a rule hoarder! Only enable the rules you actually need. It's like cleaning out your closet – keep what you use, ditch what you don't.
- Hardware Matters: Snort loves CPU power and memory. If you can, give it a beefy machine to run on. It's like giving Snort a sports car instead of a bicycle.
- Network Segmentation: Break your network into smaller chunks and have a Snort for each. It's like having multiple bouncers at a club, each watching their own section.
- Regular Check-ups: Keep an eye on Snort's performance. If it's running slower than molasses, it might be time for an upgrade or some optimization.
Snort's Social Circle: Integration with Other Tools 🤝
Snort plays well with others! It's like the popular kid who gets along with everyone. Here are some cool tools you can introduce Snort to:
- Splunk: This is like a super-smart librarian for your logs. It can help you make sense of all the data Snort collects.
- ELK Stack (Elasticsearch, Logstash, Kibana): Think of this as Snort's data visualization buddy. It turns boring logs into cool graphs and charts.
- OSSEC: This is like Snort's bodyguard friend. While Snort watches the network, OSSEC keeps an eye on your files and systems.
The Grand Finale: You're Now a Snort Superstar! 🌟
Congratulations, digital defender! You've just leveled up from newbie to Snort ninja. Your network is now under the watchful eye of one of the coolest security tools in the cyber universe.
Remember, with great power comes great responsibility... and a lot of fun log reading! Keep those rules updated, those logs monitored, and may your packets always be protected!
Stay snorty, stay safe, and keep surfing those digital waves like the cybersecurity pro you now are! 🏄♂️🔒
