Snort has three works of operation: IDS mode, logging mode, and sniffer mode. Snort is the world’s most popular Open-Source Intrusion Prevention System (IPS). Snort IPS uses a set rules to help identify harmful network activity and then uses those rules to find packets that fit them, generating alerts for users.
Writing Snort rules can be used inline to block these packets. Snort rules files can be used in three ways: a packet sniffer similar to tcpdump, a packet logger for network traffic debugging, or a full-fledged network intrusion prevention system. Snort is available for download and configuration for both personal and business use.
In our guide, you can find Snort rules examples and other information relating to the alerting engine of this free software.
How Do You Write Rules in Snort?
Snort cheat sheet rule options are the heart of Snort’s intrusion detection engine, making it easy to use yet retain power and flexibility.
- All Snort rule options are separated using a semicolon “;.”
- Rule option keywords are separated from arguments using a colon “:”
There are fifteen rule option keywords for Snort:
An example for the Snort rule:
log TCP !192.168.0/24 any -> 192.168.0.33 (msg: “mounted access”; )
The direction operators <> and -> show traffic direction which to watch. Traffic can either flow in one direction or bi-directionally. The keyword can define any source IP address, and numeric IP addresses must be used and have a Classless Inter-Domain Routing (CDIR) subnet mask.
With Snort rules, destination port numbers can be listed, including any ports, negation, etc. Port ranges are shown with the Range direction operator.
Example of multi-line Snort rule:
- log tcp !192.168.0/24 any -> 192.168.0.33 \
- (msg: “mounted access”; )
Typically, Snort rules are written one rule per line when you see cheat sheets, though the recent version lets Snort rules be written in multi-line. You do this by adding a backslash \ to the end of the line. Usually, they are held in a snort.conf configuration file.
Example of a Port number negation
log TCP any any -> 192.168.1.0/24 !6000:6010
Protocols Ip Address Action performed
*log TCP any:1024 -> 192.168.1.0/24 400: Here, you log traffic from a source port and goes to a destination port number above or equal to 400
log udp any -> 220.127.116.11/24 1:1024: Logs traffic from the port and destination port from 1 to 1024
Rules come with two logical parts:
Rule header: Identifies rule actions such as alerts, log, pass, activate, dynamic, and the CDIR block.
Rule options: Identifies the rule’s alert messages.
Snort rules must be written in such a way that they describe all the following events properly:
What is a Snort Detection Rule?
Snort cheat sheet rules are a unique method for performing detection, which offers 0-day detection to the logging and alerting engine. Unlike signatures, a rules file is based on detecting the vulnerability rather than an exploit or a unique piece of data. (Read No Interfaces Found Wireshark)
Developing your snort configuration file and variables requires an understanding of how the vulnerability actually works.
As an example, here, you have IMAP buffer overflow where it collects the next 50 packets headed for port 143 coming from outside. It will either alert UDP or create a packet dump when using inline mode toward the destination IP.
How Can We Work in Snort?
Snort rules from your Snort Cheat sheet are defined on any operating system. Here, you can see how to configure Snort rules on Windows.
- Download Snort and then download Snort rules. The rules are community rules, so you can download them with no need to sign up. If you choose subscription rules, it costs around $30 for an individual.
- When installing Snort in the root directory, a popup will appear for installing Winpcap. Install it if it’s not already installed in your Windows.
- Extract the Snort rules folders you downloaded and copy the content to c:\Snort\rules. Similarly, copy all the content from the preproc_rules folder to c:/Snort/preproc_rules. Say yes to overwrite any files.
- Open the Snort.conf configuration file Wordpad. Snort.conf has nine sections.
- HOME_NET: You can leave this, although add your machine IP address is recommended.
- EXTERNAL_NET: Any line as it is listed.
- DNS_SERVERS: If you use a DNS SERVER, change the line by replacing $HOME_NET with DNS server IP address or leave blank if no DNS lookup is available.
- RULE_PATH: Replace ../rules with c:\Snort\rules and replace ../so_rules with c:\Snort\so_rules, then replace ../preproc_rules with c:\Snort\preproc_rules
- Change WHITE_LIST_PATH and BLACK_LIST_PATH from ../rules to c:\Snort\rules
- Navigate to c:\Snort\rules and create two text files named whitelist and blacklist. Change file extension from .txt to .rules. Select yes if it asks.
- Set #config logdir: to config logdir: c:\Snort\log as this helps Snort write the output in a particular location.
- Replace usr/local/lib/snort_dynamic preprocessor with your dynamic preprocessor, which is C:\Snort\lib\snort_dynamic preprocessor.
- Replace usr/local/lib/snort_dynamicengine/libsf_engine.so with your base preprocessor engine, which is C:\Snort\lib\snort_dynamicengine\sf_engine.dll
- Add a comment(#) before any listed preprocessors under inline packet normalization. All they do is generate errors during runtime.
- Configuring your output plugins provides a location for the classification.config, then replaces it with C:\Snort\etc\classification.config.
- Likewise, please provide the location for the reference.config and replace it with C:\Snort\etc\reference.config.
- Add output alert_fast: alert.ids for snort the output directory and file to dump logs in
- In the Snort.conf file, find and replace ipvar with var as ipvar is not recognized by snort. Ctrl + H and replace all IPvar with var.
- Remove backslash and add comment characters.
- Set the Snort rule. Go to c:\Snort\rules and open icmp-info.rules in Wordpad.
- Add a rule at the end, such as: alert tcp any -> any (msg: “Testing Alert”; sid:1000001)
How Many Snort Rules Are There?
You will find 5 basic Snort rule examples used most often.
The rule header has information defining “who, where, and what” of packets and what to do if a packet indicated by a rule applies to a packet.
The first item in a rule is the rule action, which tells Snort what to do when it finds a packet. The five default actions in Snort, alert, log, pass, activate, and dynamic. You can set your own variables for what to check in traffic or the IPtables drop list. (Learn How To Cancel Avast VPN Subscription)
- alert – generate an alert using the selected alert method, and then log the packet
- log – log the packet
- pass – ignore the packet
- activate – alert and then turn on another dynamic rule
- dynamic – remain idle until activated by an activate rule, then act as a log rule
You can also define Snort commands, rule types and associate one or more of your own variables with them. You can use this rule option as actions in Snort rules.
Snort has three modes of operation:
Snort will sniff all packets in iptables in sniffer mode and drop them to stdout if it finds any.
- v (verbose): tells snort to dump output to the screen.
- d: dumps packet payload (application data)
- x: dumps entire packet in Hex (Including frame headers)
- e: display link layer data
Snort rules example: snort -dve
Packet Logger Mode
Here, packet logger mode sends the output file to a log file, which you can use to read back through snort using the ‘–r’ switch search string.
- l (log directory): log to a directory in tcpdump (binary) format
- k (ASCII): Dump packets in ASCII
- h Home subnet (/ notation)
- snort – v – l /var/log/snort/ -h 10.0.1.0/24
- snort – v – k ASCII -l /var/log/snort
To read that saved packet:
The stuff in packet logger mode and comes after the log file name will be Berkly Packet Filter(BPF) statements, like the TCP session tcpdump filters.
- Snort – dve – r /var/log/snort [tcp|udp|icmp]
- Snort – dve – r /var/log/snort host
Here, the mode processes the config file and applies snort rules to any collected traffic.
- c: path to the configuration file
- T: Test the configuration and rules.
Always test first once you have altered a config file or modified the rules files.
- snort – Tc /etc/snort/snort.conf
- snort – c /etc/snort/snort.conf
In reality, a log rule drop when in inline mode would make iptables drop a packet and log it when iptables drop the packet, and then send an alert TCP reset if the protocol is TCP or ICMP port unreachable message if your protocol is UDP.(Learn What Is The Main Difference Between TCP And UDP)
You can quickly see how there are not many entries, yet your Snort Cheat sheet can really help you remember what you need at that ideal moment.