Software laboratory -IV TE-IT
Name of the Student: ______________________________________ Roll no: ___
CLASS: - T.E [IT] Division: _______ Course: - CNSL
Group B - Assignment No. 1
**Use the snort intrusion detection package to analyze traffic and create a signature to identify problem traffic**
Marks: /10
Date of Performance: __/__/20__          Sign with Date: ______________
Aim
Use the snort intrusion detection package to analyse traffic and create a signature to identify problem traffic
Theory
The following is adapted from the Snort Users Manual. That text is based on Writing Snort Rules by Martin Roesch, with further work from Chris Green; it was then maintained by Brian Caswell and is now maintained by the Snort Team. The manual is kept in LaTeX format in the Snort source repository at /doc/snort_manual.tex, and corrections and patches can be submitted to the Snort Project.
1.1 Getting Started
Snort really isn't very hard to use, but there are a lot of command line options to play with, and it's not always obvious which ones go together well. This section aims to make using Snort easier for new users.
Before we proceed, there are a few basic concepts you should understand about Snort. Snort can be configured to run in three modes:
• Sniffer mode, which simply reads the packets off of the network and displays them for you in a continuous stream on the console (screen).
• Packet Logger mode, which logs the packets to disk.
• Network Intrusion Detection System (NIDS) mode, the most complex and configurable configuration, which allows Snort to analyze network traffic for matches against a user-defined ruleset and performs several actions based upon what it sees.
1.2 Sniffer Mode
First, let's start with the basics. If you just want to print out the TCP/IP packet headers to the screen (i.e. sniffer mode), try this:
./snort -v
This command will run Snort and just show the IP and TCP/UDP/ICMP headers, nothing else. Capturing from a live interface requires root privileges (or the equivalent capture capabilities); use -i <interface> if Snort does not pick the interface you want. If you want to see the application data in transit, try the following:
./snort -vd
This instructs Snort to display the packet data as well as the headers. If you want an even more descriptive display, showing the data link layer headers, do this:
./snort -vde
(As an aside, these switches may be divided up or smashed together in any combination. The last command could also be typed out as:
./snort -d -v -e
and it would do the same thing.)
1.3 Packet Logger Mode
OK, all of these commands are pretty cool, but if you want to record the packets to the disk, you need to specify a logging directory and Snort will automatically know to go into packet logger mode:
./snort -dev -l ./log
Of course, this assumes you have a directory named log in the current directory. If you don't, Snort will exit with an error message, so create it first (mkdir log). When Snort runs in this mode, it collects every packet it sees and places it in a directory hierarchy based upon the IP address of one of the hosts in the datagram.
If you just specify a plain -l switch, you may notice that Snort sometimes uses the address of the remote computer as the directory in which it places packets and sometimes it uses the local host address. In order to log relative to the home network, you need to tell Snort which network is the home network:
./snort -dev -l ./log -h 192.168.1.0/24
This command tells Snort that you want to print out the data link and TCP/IP headers as well as application data into the directory ./log, and you want to log the packets relative to the 192.168.1.0/24 network. All incoming packets will be recorded into subdirectories of the log directory, with the directory names being based on the address of the remote (non-192.168.1.x) host.
If you're on a high speed network or you want to log the packets into a more compact form for later analysis, you should consider logging in binary mode. Binary mode logs the packets in tcpdump (pcap) format to a single binary file in the logging directory:
./snort -l ./log -b
Note the command line changes here. We don't need to specify a home network any longer because binary mode logs everything into a single file, which eliminates the need to tell it how to format the output directory structure. Additionally, you don't need to run in verbose mode or specify the -d or -e switches, because in binary mode the entire packet is logged, not just sections of it. All you really need to do to place Snort into logger mode is to specify a logging directory at the command line using the -l switch; the -b binary logging switch merely provides a modifier that tells Snort to log the packets in something other than the default output format of plain ASCII text.
Once the packets have been logged to the binary file, you can read the packets back out of the file with any sniffer that supports the tcpdump binary format (such as tcpdump or Wireshark, formerly Ethereal). Snort can also read the packets back by using the -r switch, which puts it into playback mode. Packets from any tcpdump-formatted file can be processed through Snort in any of its run modes. For example, if you wanted to run a binary log file through Snort in sniffer mode to dump the packets to the screen, you can try something like this:
./snort -dv -r packet.log
Playback is also the most convenient way to test a new signature: the same capture can be run through the ruleset (-r packet.log -c snort.conf) as often as needed until the rule fires only on the intended traffic.
You can manipulate the data in the file in a number of ways through Snort's packet logging and intrusion detection modes, as well as with the BPF interface that's available from the command line. For example, if you only wanted to see the ICMP packets from the log file, simply specify a BPF filter at the command line and Snort will only see the ICMP packets in the file:
./snort -dvr packet.log icmp
For more information on how to use the BPF interface, read the Snort and tcpdump man pages.
1.4 Network Intrusion Detection System Mode
To enable Network Intrusion Detection System (NIDS) mode so that you don't record every single packet sent down the wire, try this:
./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf
where snort.conf is the name of your Snort configuration file. This will apply the rules configured in snort.conf to each packet and decide, based upon the rule type (alert, log, pass and so on), what action should be taken. If you don't specify an output directory for the program, it will default to /var/log/snort.
One thing to note about the last command line is that if Snort is going to be used in a long term way as an IDS, the -v switch should be left off the command line for the sake of speed. The screen is a slow place to write data to, and packets can be dropped while writing to the display. It's also not necessary to record the data link headers for most applications, so you can usually omit the -e switch, too.
./snort -d -h 192.168.1.0/24 -l ./log -c snort.conf
This will configure Snort to run in its most basic NIDS form, logging packets that trigger rules specified in snort.conf in plain ASCII to disk using a hierarchical directory structure (just like packet logger mode).
Your own signatures belong in a local rules file (conventionally local.rules) that snort.conf pulls in with an include directive. Give them sid values of 1000000 or higher, the range reserved for local rules, so they never collide with the distributed ruleset, and bump rev each time you change the rule.
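The lab's aim calls for a signature, but the text above only says that the rules in snort.conf are applied to each packet. The following Python program is an added example, not code from Snort or from this manual: it shows a hypothetical local rule (LAB_RULE, with a sid in the local range) and a deliberately simplified re-implementation of how the rule header (protocol, addresses, ports, direction) and the content: option select packets, run over constructed sample packets rather than a real capture. Real Snort does far more (stream reassembly, normalisation, fast-pattern matching); the point is to make the matching semantics of a rule visible before you write one into local.rules.

```python
"""Minimal Snort-style signature matcher (added lab example).

This is NOT Snort's own code: it re-implements only the parts of rule
matching needed to show how a signature such as LAB_RULE selects
'problem traffic' -- the rule header (action, protocol, addresses, ports,
direction) plus the content:, msg:, sid: and rev: options.  Everything
else in the real rule language (flow:, pcre:, thresholds, ...) is omitted.
The packets at the bottom are constructed test data, not a real capture.
"""
import ipaddress

# Hypothetical local rule for the lab: flag HTTP GET requests into the
# home network.  SIDs 1000000 and above are reserved for local rules.
LAB_RULE = ('alert tcp any any -> 192.168.1.0/24 80 '
            '(msg:"LAB HTTP GET to home net"; content:"GET "; sid:1000001; rev:1;)')


def parse_rule(text):
    """Split a one-line rule into header fields and an options dict."""
    header, _, opts = text.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    options = {}
    for opt in opts.rstrip(")").split(";"):
        if ":" not in opt:
            continue
        key, _, value = opt.strip().partition(":")
        options[key] = value.strip().strip('"')   # keeps inner spaces of "GET "
    return {"action": action, "proto": proto.lower(), "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "opts": options}


def _addr_match(spec, ip):
    """'any' or a CIDR block (192.168.1.0/24) against one address."""
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port):
    """'any', a single port, or a Snort range such as 1024: or :1023."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def _side_match(rule, a_ip, a_port, b_ip, b_port):
    return (_addr_match(rule["src"], a_ip) and _port_match(rule["sport"], a_port)
            and _addr_match(rule["dst"], b_ip) and _port_match(rule["dport"], b_port))


def rule_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport, payload (bytes)."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    hit = _side_match(rule, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if rule["dir"] == "<>":       # bidirectional rule: also try the reverse
        hit = hit or _side_match(rule, pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if not hit:
        return False
    content = rule["opts"].get("content")
    return content is None or content.encode() in pkt["payload"]


def alert_header(rule, gid=1):
    """Render the [gid:sid:rev] header Snort prints; text rules use GID 1."""
    o = rule["opts"]
    return f'[**] [{gid}:{o["sid"]}:{o["rev"]}] {o["msg"]} [**]'


def run(rule_text, packets):
    """Apply one rule to a packet list and return the alert headers raised."""
    rule = parse_rule(rule_text)
    return [alert_header(rule) for p in packets if rule_matches(rule, p)]


# Constructed sample packets (not captured traffic).
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "192.168.1.10",
     "dport": 80, "payload": b"GET /index.html HTTP/1.1\r\n"},        # should alert
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40001, "dst": "192.168.1.10",
     "dport": 80, "payload": b"POST /login HTTP/1.1\r\n"},            # no content match
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40002, "dst": "172.16.0.9",
     "dport": 80, "payload": b"GET / HTTP/1.1\r\n"},                  # outside home net
    {"proto": "udp", "src": "10.0.0.5", "sport": 53, "dst": "192.168.1.10",
     "dport": 80, "payload": b"GET "},                                 # wrong protocol
]

if __name__ == "__main__":
    for line in run(LAB_RULE, SAMPLE_PACKETS):
        print(line)
```

Only the first sample packet satisfies every part of the rule; the other three each fail exactly one test (content, destination network, protocol), which is the kind of negative case you should replay through Snort itself before trusting a new signature.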
1.4.1 NIDS Mode Output Options
There are a number of ways to configure the output of Snort in NIDS mode. The default logging and alerting mechanisms are to log in decoded ASCII format and use full alerts. The full alert mechanism prints out the alert message in addition to the full packet headers. There are several other alert output modes available at the command line, as well as two logging facilities.
Alert modes are somewhat more complex. There are seven alert modes available at the command line: full, fast, socket, syslog, console, cmg, and none. Six of these modes are accessed with the -A command line switch. These options are:
-A fast     Fast alert mode. Writes the alert in a simple format with a timestamp, alert message, source and destination IPs/ports.
-A full     Full alert mode. This is the default alert mode and will be used automatically if you do not specify a mode.
-A unsock   Sends alerts to a UNIX socket that another program can listen on.
-A none     Turn off alerting.
-A console  Sends "fast-style" alerts to the console (screen).
-A cmg      Generates "cmg style" alerts.
Packets can be logged to their default decoded ASCII format or to a binary log file via the -b command line switch. To disable packet logging altogether, use the -N command line switch.
To send alerts to syslog, use the -s switch. The default facilities for the syslog alerting mechanism are LOG_AUTHPRIV and LOG_ALERT. If you want to configure other facilities for syslog output, use the output plugin directives in snort.conf. See Section 2.6.1 of the Snort manual for more details on configuring syslog output.
For example, use the following command line to log to the default (decoded ASCII) facility and send alerts to syslog:
./snort -c snort.conf -l ./log -h 192.168.1.0/24 -s
As another example, use the following command line to log to the default facility in /var/log/snort and send alerts to a fast alert file:
./snort -c snort.conf -A fast -h 192.168.1.0/24
1.4.2 Understanding Standard Alert Output
When Snort generates an alert message, it will usually look like the following:
[**] [116:56:1] (snort_decoder): T/TCP Detected [**]
The first number is the Generator ID (GID); this tells the user what component of Snort generated this alert. For a list of GIDs, please read etc/generators in the Snort source. In this case, we know that this event came from the "decode" (116) component of Snort. Alerts raised by text rules, including your own local rules, carry GID 1.
The second number is the Snort ID (sometimes referred to as Signature ID, SID). For a list of preprocessor SIDs, please see etc/gen-msg.map. Rule-based SIDs are written directly into the rules with the sid option. In this case, 56 represents a T/TCP event.
The third number is the revision ID. This number is primarily used when writing signatures, as each rendition of the rule should increment this number with the rev option.
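As an added example, not part of the Snort manual or this lab sheet, here is a Python parser for the alert header just described. It reads the [gid:sid:rev] triple from either the first line of a full alert or a fast-mode alert line, names the two generators mentioned above (1 for text rules, 116 for the decoder), flags SIDs in the local-rule range, and counts alerts per signature so a noisy rule stands out. The sample alert lines are constructed, and the fast-mode layout assumed here (timestamp, header, optional classification, priority, protocol and endpoints) is that of Snort 2.x output.

```python
"""Parser for Snort's [gid:sid:rev] alert header (added lab example).

Not Snort code: a small reader for the alert text Snort writes, covering
the first line of a full alert ('[**] [116:56:1] (snort_decoder): ...')
and a fast-mode alert line, which adds a timestamp, priority, protocol
and the endpoints.  The GID names below are the two the lab text
mentions (1 = text rules, 116 = decoder); others should be looked up in
etc/generators.  All sample lines are constructed, not from a real run.
"""
import re
from collections import Counter

GID_NAMES = {1: "rules", 116: "snort_decoder"}   # subset of etc/generators

# [gid:sid:rev] followed by the message, up to the closing [**]
_HEADER = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]")
# fast-mode tail: optional classification, priority, {PROTO} src:port -> dst:port
_FAST_TAIL = re.compile(
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s*"
    r"\{(?P<proto>\w+)\}\s*"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)")


def parse_alert(line):
    """Return a dict of the alert's fields, or None if the line is not an alert."""
    m = _HEADER.search(line)
    if not m:
        return None
    gid, sid, rev = (int(x) for x in m.groups()[:3])
    alert = {"gid": gid, "sid": sid, "rev": rev, "msg": m.group(4),
             "generator": GID_NAMES.get(gid, "unknown"),
             # text-rule SIDs from 1000000 upwards are reserved for local rules
             "local_rule": gid == 1 and sid >= 1000000}
    tail = _FAST_TAIL.search(line, m.end())
    if tail:   # only fast-mode lines carry these fields
        alert.update({"priority": int(tail.group("prio")),
                      "classification": tail.group("cls"),
                      "proto": tail.group("proto"),
                      "src": tail.group("src"), "sport": int(tail.group("sport")),
                      "dst": tail.group("dst"), "dport": int(tail.group("dport"))})
    return alert


def summarize(lines):
    """Count alerts per (gid, sid) so noisy signatures stand out."""
    counts = Counter()
    for line in lines:
        a = parse_alert(line)
        if a:
            counts[(a["gid"], a["sid"])] += 1
    return counts


# Constructed sample alerts: one decoder event (full-alert first line) and
# two fast-mode lines from a hypothetical local rule.
SAMPLE_ALERTS = [
    "[**] [116:56:1] (snort_decoder): T/TCP Detected [**]",
    "01/22-12:34:56.123456  [**] [1:1000001:1] LAB HTTP GET to home net [**] "
    "[Priority: 0] {TCP} 10.0.0.5:40000 -> 192.168.1.10:80",
    "01/22-12:34:57.000001  [**] [1:1000001:1] LAB HTTP GET to home net [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
    "10.0.0.7:40100 -> 192.168.1.10:80",
    "not an alert line at all",
]

if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        print(parse_alert(line))
    print(summarize(SAMPLE_ALERTS))
```

Feeding the alert file produced by -A fast into summarize() is a quick way to see which of your signatures fire most often, and the gid/sid/rev fields it extracts are exactly what you need when tuning a rule: a new rev with the same sid shows up as the same signature in the counts.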
Conclusion: Thus, we have configured Snort and demonstrated its use as a network intrusion detection tool, analysing traffic in sniffer, packet logger and NIDS mode and writing a signature to identify problem traffic.