Snort: Network Intrusion Detection and Prevention System
Introduction
Snort is a powerful, open-source network intrusion detection and prevention system
(NIDS/NIPS) that monitors network traffic in real-time to detect and prevent malicious
activities. Developed by Martin Roesch in 1998 and now maintained by Cisco, Snort analyzes
packets, identifies suspicious patterns, and alerts administrators to potential threats. This
refined tutorial expands on the basics, providing a comprehensive guide from installation to
advanced usage. It is designed for beginners and intermediate users aiming to implement robust
network security.
Why Use Snort?
Snort stands out due to its:
• Open-source nature: Free and community-driven.
• Customizability: Tailor rules to specific needs.
• Versatility: Runs on Linux, BSD and Windows, and its alert output feeds SIEM systems such as Splunk or
the ELK Stack.
• Comprehensive detection: Handles packet sniffing, logging, and active prevention.
Snort Architecture
Snort’s modular design includes:
• Packet Decoder: Takes the raw frames captured by libpcap/Npcap and decodes them into their protocol layers (Ethernet, IP, TCP/UDP/ICMP).
• Preprocessors: Normalize and reassemble traffic before rule matching (e.g., HTTP inspection, stream reassembly, portscan detection).
• Detection Engine: Matches the decoded packets against the loaded rules, using a multi-pattern matcher such as Aho-Corasick to test many content strings in one pass.
• Logging and Alerting: Records alerts and the packets that triggered them to the console, files, or databases.
• Output Modules: Format that output for other tools, for example unified2 files that Barnyard2 reads and forwards.
Snort Modes of Operation
Snort can operate in several modes, each suited for different tasks:
• Sniffer Mode: Captures and displays packets in real-time. Useful for debugging.
• Packet Logger Mode: Saves packets to files for later analysis.
• Network Intrusion Detection System (NIDS): Passively monitors traffic and alerts on
matches to rules.
• Network Intrusion Prevention System (NIPS): Actively blocks threats by dropping
packets.
1. Installation on Windows
Step 1: Download and install Npcap (the packet capture driver) from https://npcap.com/#download.
During the Npcap setup tick "Install Npcap in WinPcap API-compatible Mode"; the Snort 2.9 Windows
build links against the WinPcap API and will not see any interfaces without it.
Step 2: Download the Snort installer (.exe) from https://www.snort.org/downloads.
Step 3: Install Snort with the default settings: click I Agree to the license, select Snort,
Dynamic Modules and Documentation, click Next, keep the default destination folder (C:\Snort)
and click Next. When "Snort has successfully been installed" appears, click OK.
2. Download Snort rules
Step 1: Register (free) at https://www.snort.org/downloads#rules and download the latest
snortrules-snapshot whose version matches your installed Snort version. For example,
https://www.snort.org/downloads/registered/snortrules-snapshot-29111.tar.gz is the snapshot for
Snort 2.9.11.1; a snapshot for a different version may reference options or preprocessors your build
does not have.
Step 2: Extract the downloaded .tar.gz archive (7-Zip handles it on Windows) and copy the rules and
preproc_rules folders out of it.
Step 3: Paste both folders into C:\Snort, replacing the existing rules and preproc_rules folders.
3. Configuration
Step 1: Open C:\Snort\etc\snort.conf in a text editor. This is Snort's main configuration file.
The line numbers below refer to the stock snort.conf shipped with Snort 2.9.x and may be off by a few
lines in other releases; search for the variable or directive name if they do not match.
Step 2: Set HOME_NET. Line 45 reads ipvar HOME_NET any; replace any with your local IP or subnet
(find it with ipconfig), e.g. ipvar HOME_NET 192.168.1.6 or ipvar HOME_NET 192.168.1.0/24. HOME_NET
is what the rules treat as "your" network, so leaving it as any weakens every rule that distinguishes
inside from outside.
Make the following changes at the corresponding line numbers:
Step 3: Line 48: change ipvar EXTERNAL_NET any to ipvar EXTERNAL_NET !$HOME_NET
Step 4: Line 104: change var RULE_PATH ../rules to var RULE_PATH C:\Snort\rules
Step 5: Line 106: change var PREPROC_RULE_PATH ../preproc_rules to var PREPROC_RULE_PATH C:\Snort\preproc_rules
Step 6: In C:\Snort\rules create a file named whitelist.rules (and blacklist.rules if it does not
already exist). These are the address lists for the reputation preprocessor: one IP or CIDR per line,
# starts a comment. The whitelist may be left empty; Snort only needs the file to exist. Do not copy
the blacklist's contents into the whitelist: whitelisted addresses take priority by default, so that
would neutralise the blacklist.
Step 7: Line 113: change var WHITE_LIST_PATH ../rules to var WHITE_LIST_PATH C:\Snort\rules
Step 8: Line 114: change var BLACK_LIST_PATH ../rules to var BLACK_LIST_PATH C:\Snort\rules
Step 9: Line 186: uncomment the logdir directive and set it to config logdir: C:\Snort\log (create
the folder if it does not exist). Alerts and packet logs belong here, not in the rules directory.
Step 10: Line 247: dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor
Step 11: Line 250: dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll
Step 12: Line 253: comment out the dynamicdetection line, since the Windows build ships no
shared-object rules: #dynamicdetection directory C:\Snort\lib\snort_dynamicrules
Step 13: Line 335: comment out the Back Orifice preprocessor: #preprocessor bo
Step 14: Line 418: uncomment preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
to enable port-scan detection (sense_level low keeps false positives down on a busy network).
Step 15: Line 511: whitelist $WHITE_LIST_PATH/whitelist.rules, \
Step 16: Line 512: blacklist $BLACK_LIST_PATH/blacklist.rules
The file names on these two lines must match the files created in Step 6 exactly.
Step 17: Lines 546-661 are the include lines for the rule files (include $RULE_PATH/local.rules and
so on). Replace the forward slash in each path with a backslash, e.g. include $RULE_PATH\local.rules.
If an included rule file is missing from C:\Snort\rules, Snort refuses to start; comment that include
out rather than creating an empty file with the same name.
4. Validate the Configuration
List the available interfaces and their index numbers: snort -W
Test the configuration without starting detection: snort -i interface_No -c C:\Snort\etc\snort.conf -T
-T parses snort.conf and every rule file it includes and then exits. If everything loads, the output
ends with "Snort successfully validated the configuration!"; otherwise it prints the file and line of
the first error (a missing rule file or a wrong path from section 3 is the usual cause). Run this check
after every change to snort.conf or to a rules file.
5. Sniffer Mode Commands
Sniffer mode just prints packets to the console in real time: no configuration file, no rules, no
alerts. The interface index (5 in the examples) is the one reported by snort -W.
snort -v -i 5: Verbose mode. Prints the IP and TCP/UDP/ICMP headers of each packet, no payload.
snort -vd -i 5: Headers plus the application-layer payload, shown as hex and ASCII side by side.
snort -vde -i 5: As above, plus the data-link (Ethernet) headers.
snort -vX -i 5: -X dumps each raw packet from the link layer onwards in hex/ASCII, headers included
(-d dumps only the payload).
Note that snort -i 5 on its own, with no mode flag, does nothing useful: Snort needs -v, -l or -c to
know what to do and exits with a usage message. Press Ctrl+C to stop; Snort prints traffic statistics
on exit.
6. Start Detection Engine
Giving Snort a configuration file (-c) puts it in NIDS mode: it loads the rules and generates an
alert for every packet that matches an alert rule.
snort -i interface_No -c C:\Snort\etc\snort.conf -A console
The -A option selects how alerts are produced:
o -A console: Prints alerts to the terminal in real time, in the one-line fast format. Handy while
testing rules.
o -A fast: Writes one-line alerts (timestamp, generator and signature ID, message, classification,
priority, protocol, source -> destination) to the alert file in the log directory (alert.ids on
Windows).
o -A full: Writes multi-line alerts that include the decoded packet headers to the alert file. This
is the default when -A is not given.
o -A cmg: Console output that also dumps each alerting packet's headers and payload in hex/ASCII.
It has nothing to do with Cisco; it is simply a console format with the packet attached.
o -A none: Turns alerting off; packets are still logged.
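The fast format is the one you will meet most often, both on the console and in the alert file, so it is worth being able to parse it mechanically. The script below is an added example, not code from the tutorial or from the Snort project: it parses fast-format lines into fields and gives a first triage summary (alerts per signature and per source host). The alert lines in SAMPLE_ALERTS are constructed to look like Snort 2.9 fast output and reuse the tutorial's custom SIDs; the regular expression assumes IPv4 endpoints.

```python
import re
from collections import Counter

# Constructed sample of what -A fast writes (and -A console prints), using the
# custom SIDs from this tutorial. The last line is deliberately not an alert.
SAMPLE_ALERTS = """\
08/20-14:32:11.123456  [**] [1:1000002:1] ICMP Ping Detected [**] [Priority: 0] {ICMP} 192.168.1.10 -> 192.168.1.5
08/20-14:32:12.000001  [**] [1:1000003:1] FTP traffic detected [**] [Priority: 0] {TCP} 192.168.1.10:51234 -> 10.0.0.7:21
08/20-14:32:15.777777  [**] [1:1000006:1] EXE file download detected [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:51240 -> 93.184.216.34:80
08/20-14:32:16.000000  [**] [1:1000002:1] ICMP Ping Detected [**] [Priority: 0] {ICMP} 192.168.1.11 -> 192.168.1.5
this line is not an alert
"""

# One fast-format alert: timestamp, [gid:sid:rev], msg, optional
# [Classification: ...], [Priority: n], {PROTO}, src -> dst. A rule without a
# classtype prints no Classification block, and -y adds a year to the date,
# so both are optional here. Endpoints are assumed to be IPv4 (ip or ip:port).
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}(?:/\d{2,4})?-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<priority>\d+)\]\s+)?"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def split_endpoint(endpoint):
    """'192.168.1.10:51234' -> ('192.168.1.10', 51234); ICMP endpoints carry no port."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_fast_alert(line):
    """Return a dict for one fast-format line, or None if the line is not an alert."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = split_endpoint(m.group("src"))
    dst_ip, dst_port = split_endpoint(m.group("dst"))
    return {
        "timestamp": m.group("ts"),
        "gid": int(m.group("gid")),
        "sid": int(m.group("sid")),
        "rev": int(m.group("rev")),
        "msg": m.group("msg"),
        "classification": m.group("classification"),
        "priority": int(m.group("priority")) if m.group("priority") else None,
        "proto": m.group("proto"),
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
    }


def parse_fast_log(text):
    """Parse every alert line in an alert file; lines that are not alerts are skipped."""
    alerts = []
    for line in text.splitlines():
        parsed = parse_fast_alert(line)
        if parsed:
            alerts.append(parsed)
    return alerts


def summarize(alerts):
    """Count alerts per signature and per source host: a first triage view."""
    by_signature = Counter((a["sid"], a["msg"]) for a in alerts)
    by_source = Counter(a["src_ip"] for a in alerts)
    return {"total": len(alerts), "by_signature": by_signature, "by_source": by_source}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    summary = summarize(parse_fast_log(text))
    print(f"{summary['total']} alerts")
    for (sid, msg), n in summary["by_signature"].most_common():
        print(f"  {n:4d}  sid {sid}  {msg}")
    for ip, n in summary["by_source"].most_common():
        print(f"  {n:4d}  from {ip}")
```

Run it with the path of the alert file (C:\Snort\log\alert.ids after a -A fast run) as the first argument; without an argument it parses the constructed sample. A line the regular expression rejects is dropped rather than raising, which is what you want for a file that Snort may still be appending to.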
7. Logging Alerts
snort -i 5 -l C:\Snort\log: Packet logger mode. Records every packet seen on the interface, without
applying any rules, to a binary pcap file named snort.log.<timestamp> in C:\Snort\log.
snort -i 5 -c C:\Snort\etc\snort.conf -l C:\Snort\log: NIDS mode with logging. The configuration
decides what traffic to inspect and which rules apply; alerts go to the alert file and the packets
that triggered them to snort.log.<timestamp>, both in C:\Snort\log. -l on the command line overrides
config logdir from snort.conf.
8. Read the logged files
snort -vd -r C:\Snort\log\snort.log.1234: Reads a logged file back and prints every packet in it
(1234 stands for the Unix timestamp in the file name). Adding -c C:\Snort\etc\snort.conf -A console
instead runs the rules over the capture offline, which is the quickest way to test a new rule
against traffic you have already recorded. The files are standard pcap and also open in Wireshark.
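To see what a snort.log file actually contains, the script below reads the pcap format Snort writes in packet logger mode and lists each packet with its timestamp, length, IPv4 endpoints and protocol. It is an added example, not code from the tutorial or from Snort, uses only the standard library, and understands Ethernet-framed IPv4 only (enough for a log taken on a typical LAN interface). SAMPLE_SNORT_LOG is a capture constructed in memory, one ICMP echo request and one TCP SYN to port 80, so the script runs without a real log file.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4        # microsecond-resolution pcap, which is what Snort 2 writes
LINKTYPE_ETHERNET = 1
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def read_pcap(data):
    """Yield (ts_sec, ts_usec, frame_bytes) for each record in a pcap byte string."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"                       # written on a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"                       # same magic seen from a big-endian host
    else:
        raise ValueError("not a pcap file (bad magic)")
    # remainder of the 24-byte global header: major, minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, _snaplen, linktype = struct.unpack_from(endian + "HHiIII", data, 4)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        yield ts_sec, ts_usec, data[offset:offset + incl_len]
        offset += incl_len


def summarize_frame(frame):
    """Decode Ethernet + IPv4 (+ TCP/UDP ports); return None for non-IPv4 frames."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4           # IPv4 header length in bytes
    proto = frame[23]
    info = {
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "src": socket.inet_ntoa(frame[26:30]),
        "dst": socket.inet_ntoa(frame[30:34]),
        "sport": None,
        "dport": None,
    }
    l4 = 14 + ihl
    if proto in (6, 17) and len(frame) >= l4 + 4:
        info["sport"], info["dport"] = struct.unpack_from("!HH", frame, l4)
    return info


def list_packets(data):
    """One summary dict per logged packet, in file order."""
    packets = []
    for ts_sec, ts_usec, frame in read_pcap(data):
        info = summarize_frame(frame) or {"proto": "non-IPv4", "src": None, "dst": None,
                                          "sport": None, "dport": None}
        info["time"] = ts_sec + ts_usec / 1e6
        info["length"] = len(frame)
        packets.append(info)
    return packets


# --- constructed sample log: one ICMP echo request and one TCP SYN to port 80 ---
def _frame(src, dst, proto, payload):
    """Ethernet + IPv4 header around a payload (IP checksum left at 0; not validated here)."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + payload


def _pcap(frames):
    """Little-endian pcap global header followed by one record per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 250000 * i, len(frame), len(frame)) + frame
    return out


SAMPLE_SNORT_LOG = _pcap([
    _frame("192.168.1.10", "192.168.1.5", 1, struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping"),
    _frame("192.168.1.10", "93.184.216.34", 6,
           struct.pack("!HHIIBBHHH", 51234, 80, 1, 0, 0x50, 0x02, 8192, 0, 0)),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SNORT_LOG
    for p in list_packets(data):
        ends = (f"{p['src']}:{p['sport']} -> {p['dst']}:{p['dport']}" if p["sport"]
                else f"{p['src']} -> {p['dst']}")
        print(f"{p['time']:.6f} {p['proto']:5} len={p['length']:4} {ends}")
```

Pass a real file as the first argument (python read_snortlog.py C:\Snort\log\snort.log.1234, with whatever file name you save the script under). Because the reader checks the magic number and link type before trusting any offsets, a truncated or non-pcap file fails loudly instead of producing garbage.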
Rules
Snort rules are the core detection mechanism of Snort.
They tell Snort what network traffic to look for and what action to take when it finds a
match.
A Snort rule has two parts:
1. Rule Header – defines the action, protocol, source/destination IPs, and ports.
2. Rule Options – provide detailed matching criteria like content strings, flags, and
thresholds.
General Structure
action protocol src_ip src_port direction dst_ip dst_port (options)
Parts of a Rule
(a) Action
Determines what Snort does when the rule matches:
alert – Generate an alert and log the packet.
log – Log the packet without generating an alert.
pass – Ignore the packet; used to silence known-good traffic that other rules would flag.
drop – Block the packet and log it.
reject – Block the packet, log it, and send a TCP reset (TCP) or ICMP unreachable (UDP) to the sender.
sdrop – Block the packet silently, without logging.
drop, reject and sdrop only take effect when Snort runs inline (NIPS mode).
Example:
alert tcp any any -> any 80 (msg:"TCP traffic to port 80"; sid:1000000; rev:1;)
(b) Protocol
Can be tcp, udp, icmp, or ip (ip matches any IP protocol).
(c) Source/Destination IP and Port
IP: any for all, or specific IP/subnet (192.168.1.0/24)
Port: any for all, or specific (80, 21), or range (1024:65535)
(d) Direction
-> : From the left-hand side (source) to the right-hand side (destination)
<> : Either direction
There is no <- operator; to match the reverse direction, swap the two sides of the rule.
(e) Options
Inside parentheses, each option terminated by a semicolon ;
Common options:
msg:"text" → Description shown in the alert.
content:"string" → Match a string in the packet payload (binary bytes go between pipes, e.g. content:"|90 90|").
nocase → Ignore case for the preceding content match.
sid:number → Unique rule ID. Every rule needs one; use 1000000 or higher for your own rules, since
lower numbers are reserved for the distributed rule sets.
rev:number → Rule revision; increment it whenever you change the rule.
classtype → Classification of the attack, from classification.config; it also sets the default priority.
priority:number → Alert priority (overrides the one implied by classtype).
Example of a Rule
alert tcp any any -> 192.168.1.5 80 (msg:"Possible HTTP Access";
sid:1000001; rev:1;)
Meaning:
If TCP traffic from any IP and port is going to 192.168.1.5 port 80, generate an alert.
Custom Rules in local.rules
The local.rules file (usually in C:\Snort\rules\local.rules on Windows) is where
you define your own rules.
Example:
Detect ping requests to your network
alert icmp any any -> 192.168.1.0/24 any (msg:"ICMP Ping Detected";
sid:1000002; rev:1;)
Steps to Add Custom Rules
1. Open local.rules in a text editor.
2. Write your rule(s), one per line, each with a unique sid.
3. Save the file.
4. Ensure include $RULE_PATH/local.rules is enabled (not commented out) in snort.conf.
5. Run the -T check from section 4, then restart Snort.
Exercise
(a) Detect FTP traffic
alert tcp any any -> any 21 (msg:"FTP traffic detected"; sid:1000003; rev:1;)
(b) Detect access to a specific website (by keyword in HTTP)
alert tcp any any -> any 80 (msg:"Access to example.com"; content:"example.com"; nocase; sid:1000004; rev:1;)
(c) Detect Telnet connections
alert tcp any any -> any 23 (msg:"Telnet connection detected"; sid:1000005; rev:1;)
(d) Detect suspicious executable download
alert tcp any any -> any 80 (msg:"EXE file download detected"; content:".exe"; nocase; sid:1000006; rev:1;)
Rules (b) and (d) match the string anywhere in the payload of any packet sent to port 80, so (d) also
fires on a POST body or any other request that happens to contain ".exe". To make them precise,
restrict them to client requests on established sessions with flow:to_server,established; and tie the
content to the request URI by adding http_uri; directly after the content option. Validate each rule
with the -T check, then generate the matching traffic (a ping, an FTP or Telnet connection, a browser
request) while Snort runs with -A console.
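Snort's own -T check tells you whether a rules file loads, but it does not tell you that a sid is in the reserved range, that two rules share a sid, or that a "<-" direction crept in. The script below is an added example, not code from the tutorial or from Snort: it parses each rule into the header and option parts described above and lints a local.rules file for exactly those mistakes. SAMPLE_LOCAL_RULES is constructed from the tutorial's custom rules plus three deliberately broken ones; IP fields are not validated because they may be variables such as $HOME_NET, and the option parser only handles the quoting rules, not the meaning of every option.

```python
import re

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
DIRECTIONS = {"->", "<>"}   # there is no "<-": swap the two sides instead
LOCAL_SID_MIN = 1000000     # lower SIDs are reserved for the distributed rule sets

# Constructed sample: the tutorial's rules plus a "<-" direction, a sid below
# 1000000 and a duplicate sid, which the lint should report on lines 6, 7 and 8.
SAMPLE_LOCAL_RULES = """\
# local.rules
alert icmp any any -> 192.168.1.0/24 any (msg:"ICMP Ping Detected"; sid:1000002; rev:1;)
alert tcp any any -> any 21 (msg:"FTP traffic detected"; sid:1000003; rev:1;)
alert tcp any any -> any 80 (msg:"Access to example.com"; content:"example.com"; nocase; sid:1000004; rev:1;)
alert tcp any any -> any 80 (msg:"EXE file download detected"; content:".exe"; nocase; sid:1000006; rev:1;)
alert tcp any any <- any 23 (msg:"Telnet; wrong direction"; sid:1000005; rev:1;)
alert tcp any any -> any 80 (msg:"TCP traffic to port 80"; sid:1001;)
alert udp any any -> any 53 (msg:"DNS query (reused sid)"; sid:1000003; rev:1;)
"""

# Rule header: action protocol src_ip src_port direction dst_ip dst_port (options)
HEADER_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>\S+)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_options(text):
    """Split 'msg:"a;b"; sid:1; nocase;' into [(key, value-or-None), ...].
    A ';' inside double quotes belongs to the value, so a plain split will not do."""
    options, buf, in_quote, prev = [], [], False, ""
    for ch in text:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            token = "".join(buf).strip()
            if token:
                key, sep, value = token.partition(":")
                options.append((key.strip(), value.strip() if sep else None))
            buf = []
        else:
            buf.append(ch)
        prev = ch
    if "".join(buf).strip():
        raise ValueError("option list must end with ';'")
    return options


def parse_rule(line):
    """Return a dict for one rule line; raise ValueError if the header is malformed."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("expected 'action proto src sport dir dst dport (options)'")
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    rule["options"] = parse_options(m.group("opts"))
    opts = dict(rule["options"])
    rule["sid"] = int(opts["sid"]) if (opts.get("sid") or "").isdigit() else None
    rule["msg"] = (opts.get("msg") or "").strip('"') or None
    return rule


def valid_port(spec):
    """any, a $VARIABLE, one port, a low:high range (either bound optional) or a [list]."""
    if spec == "any":
        return True
    for item in spec.lstrip("!").strip("[]").split(","):
        item = item.strip().lstrip("!")
        if item.startswith("$"):       # resolved from snort.conf, e.g. $HTTP_PORTS
            continue
        lo, sep, hi = item.partition(":")
        bounds = [b for b in (lo, hi) if b] if sep else [lo]
        if not bounds or not all(b.isdigit() and int(b) <= 65535 for b in bounds):
            return False
    return True


def lint_rules(text):
    """Check each rule in a rules file; return [(line_no, problem), ...]."""
    problems, first_seen = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            rule = parse_rule(line)
        except ValueError as err:
            problems.append((n, f"unparsable rule: {err}"))
            continue
        if rule["action"] not in ACTIONS:
            problems.append((n, f"unknown action {rule['action']!r}"))
        if rule["proto"] not in PROTOCOLS:
            problems.append((n, f"unknown protocol {rule['proto']!r}"))
        if rule["dir"] not in DIRECTIONS:
            problems.append((n, f"bad direction {rule['dir']!r}: use -> or <>"))
        for side in ("sport", "dport"):
            if not valid_port(rule[side]):
                problems.append((n, f"bad port spec {rule[side]!r}"))
        if rule["msg"] is None:
            problems.append((n, "missing msg"))
        if rule["sid"] is None:
            problems.append((n, "missing sid"))
            continue
        if rule["sid"] < LOCAL_SID_MIN:
            problems.append((n, f"sid {rule['sid']} is below {LOCAL_SID_MIN} (reserved range)"))
        if rule["sid"] in first_seen:
            problems.append((n, f"duplicate sid {rule['sid']} (first used on line {first_seen[rule['sid']]})"))
        first_seen.setdefault(rule["sid"], n)
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCAL_RULES
    for line_no, problem in lint_rules(text) or [(0, "no problems found")]:
        print(f"line {line_no}: {problem}")
```

Run it against C:\Snort\rules\local.rules before the -T check; it only reads the file, so it is safe to put in front of every edit. A duplicate sid is the one worth catching early, because Snort's own error message for it points at the second rule and says nothing about where the first one is.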