In layman's terms, Snort works on the basis of deep packet inspection for a pattern; once a pattern is matched, it extracts the captured string and triggers an action defined by the user. Those actions may include:
1. Pass – Let the packet pass through the network.
2. Alert – Trigger an alarm to the user once the pattern matches, and let that packet pass through the network.
3. Drop – Block the packet from passing into the network.
Of course, you already know what a packet is or you wouldn't have read this far. And I am sure basic network terminology is at your fingertips, so let's start with how the IDS flow goes with Snort.
Imagine a packet with multiple headers added by the sender over the data sent to a receiver. Now, there are two types of connection a sender can make here: TCP and UDP. TCP keeps the data in a single virtual channel and gives the sender assurance that the data will be received at the receiver's end safely and in order; UDP gives no such assurance.
Now, what role are we expecting from an IDS here? IDS stands for Intrusion Detection System, meaning a system we rely on to give us a detection report/alert/block whenever an intrusion is happening in the communication channel between sender and receiver. Those who got it from the first sentence may skip this one: any malicious activity happening over the channel, no matter by whom (sender, receiver or a third party), must be well detected, and the person concerned must be given full reports/logs for deeper inspection, answering all the W questions (what, when, why, who, etc.).
# So how do we do it?
Well, we just install Snort on our system and the rules do the rest.
# Rules: what are these?
Well, a rule is nothing but a query here. Most malicious activity going through the network has a pattern in the form of strings, words, sometimes digits, and many other forms. So what do we do? We create a pattern to match against it, and once it matches, Snort gives an alert in the form of a log entry or a direct dump on the stdout screen.
Example of one rule:
Let's say I consider every HTTP packet going out of my local network worth creating a detection for. So what I am going to do is create a rule (some people call it a signature, just to confuse things, as if one term were not enough):
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"HTTP Packet Detected";)
Add this rule to your local.rules file at /usr/local/etc/snort/rules/local.rules and run Snort.
But first, let me explain what this rule says:
alert – one of the actions the user wants from the IDS. In this case, just dump details about the detection in the log or on stdout.
tcp – the protocol; HTTP is carried over TCP.
$HOME_NET – just a variable covering your home network IPs.
any – any source port the sender used to transmit the packet.
$EXTERNAL_NET – just another variable covering the outside network.
80 – port 80, the port HTTP uses.
msg – content that explains "what just happened".
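As an added example (not part of the original post, and not Snort's own code), here is a small Python model of how the header of the rule above is parsed and matched against a packet's 5-tuple, with $HOME_NET and $EXTERNAL_NET bound to constructed values. It goes a little beyond the rule above by also handling the bidirectional `<>` operator and `!` negation.

```python
import ipaddress
import re
# Constructed variable bindings (assumption); Snort normally takes these from snort.conf.
VARS = {
    "$HOME_NET": ["192.168.1.0/24"],
    "$EXTERNAL_NET": ["!$HOME_NET"],  # anything outside HOME_NET
}
# Header layout: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|pass|drop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def parse_rule(text):
    """Split a one-line Snort rule into its header fields and an options dict."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: " + text)
    rule = m.groupdict()
    opts = {}
    for opt in (o.strip() for o in rule.pop("opts").split(";")):
        if opt:  # skip the empty piece after the trailing ';'
            key, _, val = opt.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    rule["opts"] = opts
    return rule

def addr_matches(spec, ip):
    """Resolve 'any', $VARIABLES, '!' negation and CIDR specs against one IP."""
    if spec == "any":
        return True
    if spec in VARS:
        return any(addr_matches(s, ip) for s in VARS[spec])
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def evaluate(rule, proto, src, sport, dst, dport):
    """Return the rule's action if the packet 5-tuple matches its header, else None."""
    if rule["proto"] != proto:
        return None
    def hit(a, ap, b, bp):  # does a:ap -> b:bp fit the rule's address/port fields?
        return (addr_matches(rule["src"], a) and port_matches(rule["sport"], ap)
                and addr_matches(rule["dst"], b) and port_matches(rule["dport"], bp))
    matched = hit(src, sport, dst, dport) or (rule["dir"] == "<>" and hit(dst, dport, src, sport))
    return rule["action"] if matched else None
```

Only the header is modelled here; the real engine additionally inspects payload content before the options such as msg come into play.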
# How to run Snort?
It's a piece of cake to run Snort. A simple command does it:
# snort -c /etc/snort/snort.conf -l /var/log/snort/
"/etc/snort/snort.conf" is the configuration file
"/var/log/snort/" is the log output directory