NIDS: Snort - Playing Around with Snort
Author Ashlyn Matthews
What is Snort
Snort is an open source, signature-based, network-based intrusion detection system (NIDS). What does that even mean? Snort inspects packets sent over a network and detects intrusions by matching them against rules. It is a very useful tool, in that it can be used for logging, detecting, alerting on and preventing dangerous traffic on a network.
In order to start using Snort, I had to download it, so I ran sudo apt install snort. Once it was installed I made a directory for it, naming it snort, and within that directory I made a directory called log to put my logs into.
A cool way to get to know Snort is by playing around with it, so I also opened up my Metasploitable machine to act as a malicious actor.
I opened up Wireshark to capture packets on my host-only Ethernet interface (eth1). I generated some traffic between the hosts using ping, telnet and nmap, and saved the packet capture as a .pcap file (Wireshark/tcpdump). I wanted to mimic what one might see while analyzing their network and build Snort rules accordingly.
The basic outline of a Snort rule is the action, then the five-tuple (protocol, source address and port, direction, destination address and port), followed by the rule options and their arguments.
Inside my snort directory I created a file called fullstack.rules. I edited it using nano and added a few rules. The first rule I wrote was to catch any ping requests made to my machine from any server on any port. The second rule I made with the intent to catch any attempts to SSH into my machine from any server on any port. The third rule I made with the intent to catch any UDP requests made to my machine from any server.
In my terminal I ran Snort and asked it to monitor eth1, alert me on the console when one of my rules was triggered, and log the alerts in my log directory.
I started up the snort console and began to monitor the packets coming in on eth1.
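To make the rule anatomy concrete, here is an added example (my own code, not Snort and not from this post's setup) that holds the three loose rules in Snort rule syntax, parses the header fields and options, and checks constructed packets modelled on the ping, SSH and UDP traffic against them. The HOME_NET address and the packet addresses are assumed placeholder values for a host-only network.

```python
"""Minimal Snort-2 style rule matcher: parses the header (action, protocol,
src, sport, direction, dst, dport) and the options, then tests packets."""
import re
from typing import NamedTuple

# Assumed (placeholder) host-only address of the machine Snort is watching.
HOME_NET = "192.168.56.101"

# The three loose rules the post describes, written in Snort rule syntax.
RULES = """
alert icmp any any -> $HOME_NET any (msg:"ICMP echo request to host"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"SSH connection attempt"; sid:1000002; rev:1;)
alert udp any any -> $HOME_NET any (msg:"UDP traffic to host"; sid:1000003; rev:1;)
"""

class Packet(NamedTuple):
    proto: str
    src: str
    sport: int   # 0 for ICMP, which has no ports
    dst: str
    dport: int

HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)$")

def parse_rules(text):
    """Split each rule line into its header fields and an options dict."""
    rules = []
    for line in text.strip().splitlines():
        m = HEADER.match(line.strip())
        if not m:
            raise ValueError(f"malformed rule: {line}")
        action, proto, src, sport, direction, dst, dport, opts = m.groups()
        options = dict(o.strip().split(":", 1) for o in opts.strip(";").split(";"))
        rules.append({"action": action, "proto": proto, "src": src, "sport": sport,
                      "dir": direction, "dst": dst, "dport": dport, "options": options})
    return rules

def _match(field, value):
    """A header field matches if it is 'any' or equals the packet value."""
    return field.replace("$HOME_NET", HOME_NET) in ("any", str(value))

def matches(rule, pkt):
    if rule["proto"] != pkt.proto:
        return False
    def side(a, ap, b, bp):
        return (_match(rule["src"], a) and _match(rule["sport"], ap)
                and _match(rule["dst"], b) and _match(rule["dport"], bp))
    # "->" only matches the stated direction; "<>" also accepts the reply direction.
    return side(pkt.src, pkt.sport, pkt.dst, pkt.dport) or (
        rule["dir"] == "<>" and side(pkt.dst, pkt.dport, pkt.src, pkt.sport))

def alerts(rules, pkt):
    """Return the sids of every rule that would fire for this packet."""
    return [r["options"]["sid"] for r in rules if matches(r, pkt)]
```

With real Snort 2, a file holding these rules (plus a `var HOME_NET` line defining the address) is loaded with `snort -A console -q -c fullstack.rules -i eth1 -l log`, which is the console-alert-and-log setup described above.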
From my Metasploitable machine, acting as an attacker, I made a ping request.
I got an alert on the console, and became aware of the ping attempt.
Again testing my rules, I went into Metasploitable and attempted to SSH into my machine.
I watched the console and received an alert indicating an SSH attempt had occurred.
I went back over to Metasploitable and attempted a UDP port scan.
I watched the console and received an alert for the UDP request made.
I made these rules pretty loose, and they would essentially catch any traffic using these protocols. Rules can always be made more specific and built upon based on known threats observed in logs or previously analyzed packets.
Snort can be used for way more than I used it for above. Its ability to alert users about attacks and other malicious activity makes it an optimal tool for identifying well-known backdoors, system vulnerabilities, etc. I plan to exercise some more of Snort's capabilities in a later post. Please feel free to follow me if you like what you have read. Thank you for reading.
About the Author: Ashlyn Matthews transitioned into cybersecurity from a background in events and social services. She attended and graduated from Fullstack Academy's cyberanalytics bootcamp and is currently continuing her studies with the help of various platforms such as Hackthebox and Cybrary, to name a few. Ashlyn is currently seeking a full-time position in cyber analytics. She is also very interested in purple teaming. Ashlyn loves learning and it's important to her to share her knowledge with her peers.