Post

Sws101_thm{snort}

Posted
By Pema dolker 4 min read

Topic: Snort

Introduction :

The room aims to encourage to start working with Snort to detect real-time threats, analyse recorded traffic files and identify anomalies. SNORT is the foremost Open Source Intrusion Prevention System(IPS) which uses a series of rules that help define malicious network activity and uses those rules to find packets that match against them and generate alerts for users.

Traffic Generator

  • Utilized the traffic-generator.sh script to simulate traffic for Snort.
  • Generated traffic tailored for specific exercises.
  • Used the script to trigger traffic and observe Snort’s reaction.

Introduction to IDS/IPS

IDS Types

  • Network Intrusion Detection System (NIDS): Monitors network traffic from various areas to detect threats across the entire subnet.
  • Host-based Intrusion Detection System (HIDS): Monitors traffic on individual endpoint devices for suspicious behavior.

IPS Types

  • Network Intrusion Prevention System (NIPS): Actively prevents threats by terminating connections on the entire subnet.
  • Behaviour-based IPS (Network Behaviour Analysis - NBA): Requires a training period to differentiate normal and abnormal traffic patterns.
  • Wireless Intrusion Prevention System (WIPS): Protects wireless networks by terminating connections upon detection of threats.
  • Host-based Intrusion Prevention System (HIPS): Actively protects traffic on individual endpoint devices.

Detection/Prevention Techniques

  • Signature-Based: Relies on predefined rules to identify known threats.
  • Behaviour-Based: Identifies new threats by comparing normal and abnormal behaviors.
  • Policy-Based: Compares detected activities with system policies to identify violations.

Snort

Snort is an open-source, rule-based Network Intrusion Detection and Prevention System (NIDS/NIPS) developed and maintained by Martin Roesch and the Cisco Talos team. It offers live traffic analysis, attack detection, packet logging, protocol analysis, real-time alerting, and cross-platform support.

Capabilities

  • Live traffic analysis
  • Attack and probe detection
  • Packet logging
  • Protocol analysis
  • Real-time alerting
  • Cross-platform support

Use Models

Snort offers three main use models: Sniffer Mode, Packet Logger Mode, and NIDS/NIPS Modes.

First Interaction with Snort

  • Verified Snort installation with snort -V.
  • Ensured configuration file validity with sudo snort -c /etc/snort/snort.conf -T.
  • Configuration test output provided version, plugins, preprocessor objects, and rules engine information.
  • Configuration file serves as a comprehensive management file for Snort.
  • -q parameter enables quiet mode, suppressing default banner and setup information.
  • Tasks included running Snort instances and checking build number and loaded rules with specific configuration files.

Snort Sniffer Mode Interaction

In Sniffer Mode, Snort acts like tcpdump, providing various flags to view packet data.

Snort Logger Mode Interaction

Snort can function in Logger Mode, where it logs sniffed packets to a specified directory.

Snort in IDS/IPS Mode

Snort’s capabilities extend beyond sniffing and logging traffic; it includes IDS/IPS modes for traffic management based on user-defined rules.

NIDS Mode Parameters

  • -c: Defines the configuration file.
  • -T: Tests the configuration file.
  • -N: Disables logging.
  • -D: Background mode.
  • -A: Alert modes:
    • full: Provides all possible information about the alert.
    • fast: Shows alert message, timestamp, source and destination IP, and port numbers.
    • console: Provides fast-style alerts on the console screen.
    • cmg: Provides basic header details with payload in hex and text format.
    • none: Disables alerting.

Investigating PCAPs with Snort

Parameters for PCAP Analysis

  • -r / –pcap-single=: Reads a single PCAP file.
  • –pcap-list=”pcap1 pcap2 …“: Reads multiple PCAP files provided in the command (space separated).
  • –pcap-show: Displays the name of the PCAP file being processed during analysis.

Snort Rule Structure

Understanding the structure of Snort rules is crucial for effective network security monitoring and threat detection. Snort rules define specific criteria for identifying and responding to network traffic, enabling both detection and prevention of security threats.

Snort2 Operation Logic

Main Components of Snort

  1. Packet Decoder: Collects and prepares packets for pre-processing.
  2. Pre-processors: Arrange and modify packets for the detection engine.
  3. Detection Engine: Analyzes packets using rules for detection.
  4. Logging and Alerting: Generates logs and alerts based on detected activity.
  5. Outputs and Plugins: Integrates with output modules and additional plugins.

Types of Snort Rules

  • Community Rules: Free ruleset under GPLv2, publicly accessible.
  • Registered Rules: Free ruleset with registration required, contains subscriber rules with a 30-day delay.
  • Subscriber Rules (Paid): Paid ruleset with subscription, updated twice a week.

Rule File Management

  • Snort automatically creates required directories and files upon installation.
  • Community or paid rules need to be indicated in the snort.conf file.
  • Configuration files include:
    • snort.conf: Main configuration file.
    • local.rules: User-generated rules file.

Overview of snort.conf Configuration

  1. Step #1: Set the network variables: Manages detection scope and rule paths.
  2. Step #2: Configure the decoder: Manages IPS mode selection using DAQ modules.
  3. Step #6: Configure output plugins: Manages IDS/IPS action outputs (logging, alerting).
  4. Step #7: Customize your ruleset: Includes local and downloaded rules for detection.

DAQ Modules in Snort

  • Pcap: Default sniffer mode.
  • Afpacket: Inline mode (IPS mode), popular choice.
  • Ipq, Nfq: Inline mode on Linux using Netfilter.
  • Ipfw: Inline mode on OpenBSD and FreeBSD using divert sockets.
  • Dump: Testing mode for inline and normalization.

Conclusion

In conclusion, the exploration of Snort through the Try Hack Me rooms has provided valuable network intrusion detection and prevention. Understanding the functionalities of Snort, ranging from traffic analysis to rule-based detection, has equipped us with essential skills for enhancing network security posture. Through practical exercises and theoretical knowledge, we have delved into the intricacies of Snort’s operation logic, rule structure, and deployment modes.

SWS101, journal
SWS101
This post is licensed under CC BY 4.0 by the author.

Trending Tags

SWS101 DBS101