Snort Tool

Introduction
Snort is an application developed by Martin Roesch which today is primarily used as an
Intrusion Detection System/Intrusion Protection System (IDS/IPS). Snort, however, is capable of
more:
1. Packet sniffing
2. Packet logging
3. Intrusion detection
Additionally, Snort is supported on a wide variety of OS platforms including a wide variety of
Unix platforms and Windows. Another distinguishing feature of Snort is that it is completely
Open source. This gives Snort a big advantage over many of its commercial counterparts because
users can see what its doing and tune the system accordingly. That degree of visibility into the
intimal of the product is generally not an option in the commercial IDSIIPS world. It's free
availability and broad platform support has made Snort one of the most popular and widely used
network security tools.

Basic Architecture of Snort

Snort has four primary components:
1. Packet sniffer
Packet sniffing is the act of reading datagrams offthe wire. Normally, a device's MC is only
concemed with the kaflic addressed specifically to the device. However, the sniffing component
of Snort places the interface into a state known as promiscuous mode which enables the NIC to
read all the traffic on the wire not just the traffic directly addressed to it.
2.

Preprocessors

In order for packets to be inspected in a contextually relevant way, some further processing must
be performed on them to reveal the context in which the packets are intended to be used. This is
a sampling of some of the things that must be done so that packets are presented in a contextually
relevant way. Snort preprocessors handle this task. They are specially designed to put network
traffic into context for presentation to the other elements of the Snort architecture. Some of the
preprocessors are protocol decoders and sfPortScan.
3.

Detection engine

The detection engine accepts the parsed, normalized and stream-reassembled network traffic
for inspection against the rule base.
4.

Output and alerting module

The output module handles the task of writing and displaying events. Snort-generated data can
be presented to standard output, logged to files or logged to a database.

Snort Installation
To download Snort go to https://www.snort.org/#get-started.
Select the appropriate package according to the OS. The following section targets installation on
Windows 7 machine.
Click on Sign Up and register to get an activation code.
Run the executable (make sure when you download the installer files you save the file as
an .exe so you can install it.) and click the I Agree button on the license agreement screen:

Then on the next screen leave the defaults selected and click the Next button:

Then on the choose install location leave the default location, which is c:\Snort and
click the Next button:

The installation will then occur and you can click the show details to see all that was
extracted during the installation, then click the Close button:

You will then see the following screen if the installation was successful, simply click the OK button:

Checking Installation
Go to Command Prompt and type the following command:
c:\snort\bin snort W
The above commands change your prompt to the bin directory, which is where the snort.exe is
located. The second line checks for all available network interfaces that snort can run on
After you have checked for a device interface you can use the following command to actually run
snort on your computer:
snort d
To stop the capturing simply click CTRL-C and this will stop the capturing. Below is screen capture of
what occurs when you stop capturing packets:

Finally, you will need to run the following command to actually write files to a log file.
snort c c:\Snort\etc\snort.config l c:\Snort\log K ascii

Configuring Snort.conf
After the installation and checking to make sure everything is running properly, you will need to
modify the snort.conf file located in the following Snort directory:
c:\Snort\etc\snort.conf
If you open this file in notepad++ you can view the line numbers and make the following changes:

Change the below ipvar to the network you are going to be running snort on:
Default:

Change to:

Next, we need to change the below paths below to the correct location on our
Windows 7 computer. The Defaults are set to run on the Linux operating system.
Default:

Change to:

Next we need replace additional Linux paths to the correct paths in Microsoft
Windows 7 and we actually comment out the dynamicprocessor library, change the
libsf_engine.so to a .dll file and comment out (#) the dynamicdetection line as we
have below:
Default:

Change to:

The next sections we need to change is below, we dont use inline packet
normalization in Microsoft Windows 7:

Default:

Change To:

Next we need provide the direct path to the metadata reference data:
Default:

Change to:

The next issue is the below lines, these files do not exist in the rules directory.
The solution is to simply create the 2 files in the rules directory. Note that there is a
blacklist.rules files, we simply renamed that file as indicated below.
Default

Change to:

Next, we need to change the following lines and then we should be able to
run Snort 2.9:
Default:

Change to:

At this point snort will run, but you can make one more change to the blacklist
rule path as we did below:
Default:

Change to:

The final step is to setup the output of the events, add the following line of
code:
Default:

Change to:

Operating Snort
Snort has three modes of operation:
1. Packet sniffer
2. Packet logger

3.

Intrusion detection

The mode you choose to use is mainly a function of how you configure its command line switches and how you

configure its primary configuration file:

snort . conf .

Snort as a Packet Sniffer

Sniffing and logging are the functions that Snort was originally designed to do. Today
however, its primary use is as an intrusion detection/protection system. Although it is primarily
used as an IDSIIPS, the sniffing and logging capability still exists and may be a useful
alternative to other tools that do the same thing since the capability is natively part of your
Snort installation.

For sniffing network traffic, there me three command line switches you must know:
-fl - Dump or display application layer infomration.
-e - Dump or display data link layer information.
-v - verbose.
-d include payload information

Packet Logging with Snort

Snort can act as a packet logger. The command line syntax is basically
the same as the previous examples only you also specify the output type and a location for
where it should go.

snort -i ethl

-I /war/Log/snort -K ascii

Snort as an Intrusion Sensor

Snort's configuration file snort.conf basically contains all the settings and configurations ofits detection
features.

Variabieconfigurations

Preprocessor configurations
Output settings

Pointers to rule files