Glad you could stop by the Linux Basement site. Linux Basement is an informational Podcast about Linux, open source software and lots of other wonderful technology. If you want to find out more about open source technologies, subscribe and have a listen!

Snort - It's not just for druggies anymore

If you've ever had to do any intrusion detection on a large network, then you've probably heard of snort. Snort is one of the great success stories of open source. It has been around a long time, and you can read all about it on their site at www.snort.org.

In this tutorial, I'm going to give you an idea of how you can use snort and how to get a basic setup running. We are only going to cover a few of the command line options and config options. If you would like a nice GUI for snort analysis, I highly recommend Basic Analysis and Security Engine (BASE). To see how to install both snort and BASE on an Ubuntu system, check out the tutorial over at HowToForge. No sense reinventing the wheel, as the guys at HowToForge did a great job on that one.

Before you get started you should think about how you want to use snort. Snort shines as an intrusion detection system, but for that it has to see every packet on your network, and that can be a little confusing for some people. The two easiest ways to arrange it are to either put two NICs in a machine and have all traffic pass through that machine as it enters and exits your network, or to place a hub near the exit of your network and plug the machine running snort into the hub. Using a hub with snort can be a powerful solution, because it is also a way to sniff a chosen portion of the network. Make sure it really is a hub you are using, and not a switch. A switch breaks up collision domains and forwards each frame only to the port where the destination host lives, so you will not see all the traffic through a switch. A hub repeats every frame out of every port, so you can sniff all the packets, depending on where you strategically put the hub on your network. (If all you have is a managed switch, most of them can mirror one or more ports to a monitor port, often called a SPAN port, which gives the snort box the same view without a hub.)

The other nice use of snort is to have it waiting on your Linux servers. If you ever suspect that you have been hacked, or that someone is trying to hack your server, why not just fire up snort and look at the packets? This is especially useful on things like web servers. Leave snort dormant, but if you suspect foul play because of unexplained bandwidth, fire it up and see what is really going on. You can also use snort to diagnose layer 2 and layer 3 traffic problems on your network.

Keep in mind that wireshark can do similar things, but it is a graphical program, whereas snort is a lightweight command line program that can easily be installed on any server distro.

Let's get started. Once you've downloaded snort and the snort rules and put them in your /etc/snort directories as described in the tutorial, it is time to configure your snort.conf file, which lives at /etc/snort/snort.conf. In my case I will do

sudo nano /etc/snort/snort.conf

I would recommend reading through this file, as there are a lot of helpful comments in it. Pay particularly close attention to the following lines, as described in the tutorial.

Change "var HOME_NET any" to "var HOME_NET yourhomesubnet" (for example 192.168.0.0/24; newer Snort 2.x releases declare the IP variables with "ipvar" instead of "var", so use whichever keyword your shipped snort.conf already uses)
Change "var EXTERNAL_NET any" to "var EXTERNAL_NET !$HOME_NET" (this says that everything except HOME_NET is external)
Change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules"

Notice that the tutorial has you create the /etc/snort/rules directory. If you want, you can put your rules anywhere and just change the path here in snort.conf.

You will also notice that they show you how to configure snort to log to a MySQL database and then use BASE to analyse the output.

The setup in that tutorial is the right one if you want a permanent solution for analysing the traffic on your network. However, if you just want to fire up snort on a machine to try it out, on Ubuntu you can simply do

sudo apt-get install snort

Then make the quick changes to snort.conf noted above, and fire snort up.

A command that I have found comes in handy when you just want a quick look at your ethernet port and the traffic on it is

snort -vd

-v puts snort in verbose sniffer mode, printing each packet's headers to the console, and -d also dumps the application layer payload of each packet, so you see the data as well as the headers. Snort needs root (or sudo) to open the interface, and if the machine has more than one NIC, -i picks which one to listen on (for example snort -vd -i eth0). For a full list of options, check out snort --help or man snort.

Let's slightly modify this. Perhaps the output is a bit overwhelming; why not send it to a text file with a redirect? Or better yet, write it to a text file while still watching it on screen. You can do this with tee:

snort -vd | tee /tmp/mylog.txt (use any path here you want to an output file).

There are of course several ways to do this, as always with Linux. This just happens to be the way I learned it.
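Once the verbose output is sitting in a file, the next question is what to do with it. The script below is an added example, not code from the original tutorial or from the Snort project: it reads a log captured with snort -v (with or without -d) through tee, pulls the addresses out of each packet header line and the protocol and datagram length (DgmLen) out of the line after it, and then summarises per source address how many packets and bytes it sent and how many distinct destination ports it touched. A single source hitting many ports is the simplest sign of a scan, and the top talkers by bytes are the first place to look when "high bandwidth" is the reason you fired snort up. The sample log embedded in the script is constructed in the style of Snort's verbose console output (the exact field layout is assumed from that format); nothing in it came from a real capture, and the port-count threshold is an arbitrary illustration.

```python
import re
import sys
from collections import defaultdict

# Constructed sample in the style of "snort -v" console output. The packets
# are made up for this example and were not captured from a real network.
# With -d, snort prints the payload hex dump after the flags line; the parser
# below ignores anything that is not a header line plus its protocol line.
SAMPLE_LOG = """\
03/14-10:21:05.101010 10.0.0.7:51234 -> 192.168.0.10:80
TCP TTL:64 TOS:0x0 ID:4001 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0xFFFF  TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/14-10:21:05.202020 10.0.0.7:51235 -> 192.168.0.10:22
TCP TTL:64 TOS:0x0 ID:4002 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1A2B3C4E  Ack: 0x0  Win: 0xFFFF  TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/14-10:21:05.303030 10.0.0.7:51236 -> 192.168.0.10:443
TCP TTL:64 TOS:0x0 ID:4003 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1A2B3C4F  Ack: 0x0  Win: 0xFFFF  TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/14-10:21:05.404040 10.0.0.7:51237 -> 192.168.0.10:3306
TCP TTL:64 TOS:0x0 ID:4004 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1A2B3C50  Ack: 0x0  Win: 0xFFFF  TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/14-10:21:06.000000 192.168.0.22:40000 -> 192.168.0.10:80
TCP TTL:64 TOS:0x0 ID:9001 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x0BADF00D  Ack: 0x1A2B3C51  Win: 0x4000  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/14-10:21:06.100000 192.168.0.22 -> 192.168.0.10
ICMP TTL:64 TOS:0x0 ID:9002 IpLen:20 DgmLen:84
Type:8  Code:0  ID:1  Seq:1  ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

# Header line: timestamp, src[:port] -> dst[:port]. Ports are absent for ICMP.
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)
# Protocol line that follows the header; DgmLen is the total IP datagram length.
PROTO_RE = re.compile(r"^(?P<proto>TCP|UDP|ICMP)\s.*?DgmLen:(?P<len>\d+)")


def parse_packets(text):
    """Return one dict per packet found in snort -v style text."""
    lines = text.splitlines()
    packets = []
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if m and i + 1 < len(lines):
            p = PROTO_RE.match(lines[i + 1])
            if p:
                packets.append({
                    "ts": m.group("ts"),
                    "src": m.group("src"),
                    "sport": int(m.group("sport")) if m.group("sport") else None,
                    "dst": m.group("dst"),
                    "dport": int(m.group("dport")) if m.group("dport") else None,
                    "proto": p.group("proto"),
                    "bytes": int(p.group("len")),
                })
                i += 2
                continue
        i += 1
    return packets


def summarize(packets):
    """Per source IP: packet count, byte count and the set of destination ports."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "dports": set()})
    for pkt in packets:
        s = stats[pkt["src"]]
        s["packets"] += 1
        s["bytes"] += pkt["bytes"]
        if pkt["dport"] is not None:
            s["dports"].add(pkt["dport"])
    return dict(stats)


def suspected_scanners(stats, min_ports=4):
    """Sources that touched at least min_ports distinct destination ports (threshold is illustrative)."""
    return sorted(src for src, s in stats.items() if len(s["dports"]) >= min_ports)


def top_talkers(stats, n=5):
    """Sources ordered by bytes sent, busiest first."""
    return sorted(stats.items(), key=lambda kv: kv[1]["bytes"], reverse=True)[:n]


if __name__ == "__main__":
    # Usage: python snort_summary.py /tmp/mylog.txt   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    stats = summarize(parse_packets(text))
    for src, s in top_talkers(stats):
        print(f"{src:16} packets={s['packets']:5} bytes={s['bytes']:8} ports={len(s['dports'])}")
    for src in suspected_scanners(stats):
        print(f"possible port scan from {src}: ports {sorted(stats[src]['dports'])}")
```

Point it at the file you wrote with tee and it prints the busiest sources first, then any source that fanned out across several ports. The threshold and the ICMP handling are the two things to adjust for your own network: a monitoring host legitimately probing many ports would show up as a scanner, and ICMP floods contribute bytes but never ports.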

Using snort just to sniff packets is a fine way to use it, but it only scratches the surface. You can write your own rules so that snort detects particular packets and notifies you. That, however, is beyond the scope of this tutorial. I highly recommend checking out the many tutorials on snort.org and elsewhere on the web.

If you want to go at it a different way, check out this tutorial, which is Ubuntu specific:

http://ubuntuforums.org/showthread.php?t=483488