Snort

=Basics=
 * Snort is a free and open source NIDS/NIPS that performs real-time traffic analysis and packet logging on Internet Protocol (IP) networks.
 * Snort performs protocol analysis, content searching, and content matching.
 * It can be used to detect probes and attacks including, but not limited to, operating system fingerprinting attempts, common gateway interface (CGI) attacks, buffer overflows, server message block (SMB) probes, and stealth port scans.
 * Snort can be run in three main modes: sniffer, packet logger, and network intrusion detection.
 * BASE is the Basic Analysis and Security Engine.
 * It is based on the code from the Analysis Console for Intrusion Databases (ACID) project.
 * It provides a web front-end to query and analyze the alerts coming from a Snort IDS.


 * Architecture of Snort


 * 1) Sniffer
 * 2) Packet Decoder
 * 3) Preprocessor
 * 4) Detection Engine <==> Rules
 * 5) Alert or Logging ==> Log File or Database

 * General form of a Snort rule:

action proto src_ip src_port direction dst_ip dst_port (options)

alert tcp 192.168.1.35 any -> any any (msg:"Traffic from 192.168.1.35"; sid:1000001;)
alert tcp any any -> any any (flags:SF,12; msg:"Possible SYN FIN scan"; sid:1000002;)

The flags option only exists for tcp rules, so the protocol field of the SYN/FIN rule cannot be any; flags:SF,12 matches packets with SYN and FIN set while ignoring the two reserved bits. Every rule needs a unique sid: values below 1000000 are reserved for rules distributed by Snort, so local rules start at 1000000.

 * Simple Snort rules:

alert icmp any any -> 4.2.2.2 any (msg:"Ping packet sent to 4.2.2.2"; sid:1000003;)
alert tcp any any -> any any (msg:"Amandeep Searched"; content:"amandeep"; nocase; sid:1000004;)
alert tcp any any -> any any (msg:"GET request to tracker"; flow:to_server,established; content:"GET"; http_method; sid:1000005;)
alert udp any any -> any 53 (msg:"DNS traffic detected"; sid:1000006;)
alert ip any any -> any any (msg:"More Fragments"; fragbits:M; sid:1000007;)
alert ip any any -> any any (msg:"Dont Fragment Bit Set"; fragbits:D; sid:1000008;)
alert tcp any any -> any any (msg:"SYN Flag Set"; flags:S; sid:1000009;)
alert tcp any any -> any any (msg:"FIN Flag Set"; flags:F; sid:1000010;)
alert tcp any any -> any any (msg:"RST Flag Set"; flags:R; sid:1000011;)
alert tcp any any -> any 21 (msg:"FTP root login attempt"; content:"user root"; nocase; sid:1000012;)

Modifiers such as nocase and http_method apply to the content that precedes them, so they must come after a content option; http_method also needs the http_inspect preprocessor enabled in snort.conf.
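As an added example (not part of this page and not Snort's own parser), the following Python script parses rules of the form above and flags the mistakes that Snort rejects or that a reviewer would catch: a header with no protocol, TCP-only options on non-TCP rules, content modifiers with no preceding content, malformed flags values, and sids missing or in the reserved range. The sample rules are constructed from the ones on this page plus one deliberately broken rule; the option tables are a short hand-written subset, not Snort's complete option list.

```python
"""Parse and sanity-check Snort 2.x rules (constructed example, not Snort code)."""
import re

# Rule header: action proto src_ip src_port direction dst_ip dst_port (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop|activate|dynamic)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+"
    r"(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*"
    r"\((?P<options>.*)\)\s*$"
)

# Hand-picked subsets (assumption: not Snort's full option list).
TCP_ONLY = {"flags", "flow", "seq", "ack", "window", "http_method", "http_uri"}
CONTENT_MODIFIERS = {"nocase", "depth", "offset", "distance", "within", "http_method", "http_uri"}
# flags:[!|*|+]<FSRPAUCE120>[,<mask of bits to ignore>]
FLAGS_RE = re.compile(r"^[!*+]?[FSRPAUCE120]+(,[FSRPAUCE12]+)?$")

# Constructed sample: three rules taken from this page and one broken rule.
SAMPLE_RULES = [
    'alert tcp any any -> any any (msg:"SYN FIN scan"; flags:SF,12; sid:1000001; rev:1;)',
    'alert udp any any -> any 53 (msg:"DNS traffic"; sid:1000004;)',
    'alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)',
    'alert udp any any -> any any (msg:"bogus"; flags:S; nocase;)',
]


def split_options(text):
    """Split 'k:v; k2; ...' into (key, value) pairs; an escaped '\\;' is not a separator."""
    pairs = []
    for raw in re.split(r"(?<!\\);", text):
        raw = raw.strip()
        if not raw:
            continue
        key, _, value = raw.partition(":")
        pairs.append((key.strip(), value.strip() or None))
    return pairs


def parse_rule(line):
    """Return the header fields plus an ordered option list, or raise ValueError."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a valid rule header: %r" % line)
    rule = m.groupdict()
    rule["options"] = split_options(rule["options"])
    return rule


def lint_rule(rule):
    """Return the list of problems found in one parsed rule (empty when clean)."""
    problems = []
    opts = rule["options"]
    keys = [k for k, _ in opts]
    values = dict(opts)
    if "msg" not in keys:
        problems.append("missing msg")
    sid = values.get("sid")
    if sid is None:
        problems.append("missing sid (Snort 2.x requires one per rule)")
    elif not sid.isdigit() or int(sid) < 1000000:
        problems.append("sid %s is in the range reserved for Snort-distributed rules" % sid)
    if rule["proto"] != "tcp":
        for k in keys:
            if k in TCP_ONLY:
                problems.append("%s is only meaningful for tcp rules" % k)
    if rule["proto"] in ("icmp", "ip") and (rule["src_port"], rule["dst_port"]) != ("any", "any"):
        problems.append("ports are ignored for %s rules; use any" % rule["proto"])
    seen_content = False
    for k, v in opts:
        if k == "content":
            seen_content = True
        elif k in CONTENT_MODIFIERS and not seen_content:
            problems.append("%s appears before any content" % k)
        if k == "flags" and not FLAGS_RE.match(v or ""):
            problems.append("bad flags value %r" % v)
    return problems


def lint_all(lines):
    """Map each rule text to its problem list; unparseable headers become a one-item list."""
    report = {}
    for line in lines:
        try:
            report[line] = lint_rule(parse_rule(line))
        except ValueError as exc:
            report[line] = [str(exc)]
    return report


if __name__ == "__main__":
    for text, problems in lint_all(SAMPLE_RULES).items():
        print(text)
        for p in problems:
            print("   !", p)
```

Run it on a rules file by replacing SAMPLE_RULES with the file's non-comment lines; the sid check is the one that matters most when local rules are mixed with a downloaded ruleset, since a clash on sid makes Snort refuse to load the configuration.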

= Standalone Snort Installation =

Install using APT:
sudo apt-get install snort

Compiling the source code:
Download the latest snort tar file and extract it:
tar xvzf snort-2.8.6.1.tar.gz

Make sure you have the development packages of libpcap and libpcre (install them if the policy output shows none installed):
apt-cache policy libpcap0.8-dev
apt-cache policy libpcre3-dev
sudo apt-get install libpcap0.8-dev libpcre3-dev

Compile and install, then confirm the binary runs:
cd snort-2.8.6.1
./configure
make
sudo make install
snort --version

Installing rules (register at snort.org to download the rule set, e.g. snortrules-snapshot-2970.tar.gz, and extract it into /etc/snort/rules):
mkdir -p /etc/snort/rules
mkdir -p /var/log/snort

Creating a test rule. Make sure /etc/snort/snort.conf includes the new rule file:
cat /etc/snort/snort.conf
include /etc/snort/rules/icmp.rules

cat /etc/snort/rules/icmp.rules
alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)

sid 477 lies in the range reserved for Snort-distributed rules; it works for a standalone test, but if the downloaded rule set is loaded as well, give local rules a sid of 1000000 or above to avoid a clash.

To test the rule, first check that the configuration parses, then run Snort against it and ping a host through the monitored interface; -A console prints each alert to the terminal as well as writing it under /var/log/snort:
snort -T -c /etc/snort/snort.conf
snort -c /etc/snort/snort.conf -l /var/log/snort/ -A console

Run Snort as a daemon:
snort -D -c /etc/snort/snort.conf -l /var/log/snort/
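With -A fast or -A console, Snort writes one line per alert of the form MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src -> dst, where the Classification field is only present when the rule has a classtype. As an added example, not from this page or from the Snort project, the Python script below parses such a file and confirms which rules fired and from where, which is how to check that the icmp.rules test above actually produced alerts. The log lines are constructed to resemble that test (two ICMP alerts for sid 477) plus one invented FTP alert carrying a classification and one junk line; the 10.0.0.7 and 192.168.1.10 addresses are assumptions.

```python
"""Parse Snort 2.x fast-format alerts (constructed example, not Snort code)."""
import re
from collections import Counter

# One alert per line as written by -A fast / -A console:
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: x] [Priority: n] {PROTO} src -> dst
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample: what the icmp.rules test would log for a ping to 4.2.2.2
# and its reply, an invented FTP alert with a classification (hosts are
# assumptions), and a junk line to show that non-alert lines are skipped.
SAMPLE_ALERT_LOG = """\
01/02-12:00:01.000100  [**] [1:477:3] ICMP Packet [**] [Priority: 0] {ICMP} 192.168.1.35 -> 4.2.2.2
01/02-12:00:02.000200  [**] [1:477:3] ICMP Packet [**] [Priority: 0] {ICMP} 4.2.2.2 -> 192.168.1.35
01/02-12:00:05.123456  [**] [1:1000010:1] FTP root login attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.7:51022 -> 192.168.1.10:21
this line is not an alert
"""


def split_endpoint(endpoint):
    """'host:port' -> (host, port); bare host (ICMP/IP alerts) -> (host, None). IPv4 only."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit() and ":" not in host:
        return host, int(port)
    return endpoint, None


def parse_fast_alerts(text):
    """Return (events, skipped): parsed alert dicts and the count of unparseable lines."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if not m:
            skipped += 1
            continue
        ev = m.groupdict()
        for key in ("gid", "sid", "rev", "prio"):
            ev[key] = int(ev[key])
        ev["src_ip"], ev["src_port"] = split_endpoint(ev["src"])
        ev["dst_ip"], ev["dst_port"] = split_endpoint(ev["dst"])
        events.append(ev)
    return events, skipped


def fired(events, sid):
    """Alerts generated by one rule, e.g. sid 477 from the icmp.rules test."""
    return [ev for ev in events if ev["sid"] == sid]


def sources_by_sid(events):
    """{sid: Counter of source IPs}: the first thing to look at when a rule is noisy."""
    table = {}
    for ev in events:
        table.setdefault(ev["sid"], Counter())[ev["src_ip"]] += 1
    return table


if __name__ == "__main__":
    evs, bad = parse_fast_alerts(SAMPLE_ALERT_LOG)
    print("%d alerts parsed, %d lines skipped" % (len(evs), bad))
    for sid, counter in sources_by_sid(evs).items():
        print("sid %d: %s" % (sid, dict(counter)))
```

To use it on a real run, read /var/log/snort/alert (written in fast format when Snort is started with -A fast) instead of SAMPLE_ALERT_LOG; the full-format alert file written by default spans several lines per event and needs a different parser.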

= Install Snort with Base =

 * Install Apache2:
sudo apt-get install apache2

 * Download and extract BASE, then move it into the web root:
mv base /var/www/

 * Download and extract ADOdb, then move it into the BASE directory:
mv adodb /var/www/base

 * Create the Snort database and a database user for it:
mysql -u [USER NAME] -p

CREATE DATABASE snort;
grant CREATE, INSERT, SELECT, UPDATE on snort.* to snort@localhost;
SET PASSWORD FOR snort@localhost=PASSWORD('snort-db');
flush privileges;

Snort and BASE both connect over 127.0.0.1, so the account only needs the @localhost grant; do not also grant to snort with no host part, since that creates a snort@'%' account reachable from any host. Replace 'snort-db' with a password of your own and use it consistently below.

 * Install the Snort MySQL output package and load the schema (enter the database password at the prompt):
apt-get install snort-mysql
cd /usr/share/doc/snort-mysql/
zcat create_mysql.gz | mysql -u snort -D snort -p

 * Configure Snort to log to the database:
nano /etc/snort/database.conf
output database: log, mysql, user=snort password=snort-db dbname=snort host=127.0.0.1

 * Remove the pending-config marker and start Snort:
rm /etc/snort/db-pending-config
/etc/init.d/snort start

 * Test Snort:
/etc/init.d/snort status

 * Test MySQL (lists the logged events joined to their signatures):
mysql -u "snort" -p"snort-db" -e "use snort; SELECT * FROM event INNER JOIN signature ON event.signature=signature.sig_id ORDER BY event.timestamp;"

 * Install the PEAR packages BASE uses for its graphs:
sudo apt-get install php-pear
pear install Image_Color2
pear install Image_Canvas-alpha
pear install Image_Graph-alpha