How to use SNORT
How to use Snort, by Martin Roesch
1.0 GETTING STARTED
Snort really isn't very hard to use, but there are a lot of command line options to play with, and it's not always obvious which ones go together well. This file aims to make using Snort easier for new users. Before we proceed, there are a few basic concepts you should understand about Snort. There are three main modes in which Snort can be configured: sniffer, packet logger, and network intrusion detection system. Sniffer mode simply reads the packets off of the network and displays them for you in a continuous stream on the console. Packet logger mode logs the packets to the disk. Network intrusion detection mode is the most complex and configurable configuration, allowing Snort to analyze network traffic for matches against a user-defined rule set and perform several actions based upon what it sees.
2.0 SNIFFER MODE
First, let's start with the basics. If you just want to print out the TCP/IP packet headers to the screen (i.e. sniffer mode), try this:
./snort -v
This command will run Snort and just show the IP and TCP/UDP/ICMP headers, nothing else. If you want to see the application data in transit, try the following:
./snort -vd
This instructs Snort to display the packet data as well as the headers. If you want an even more descriptive display, showing the data link layer headers, do this:
./snort -vde
and it would do the same thing.
3.0 PACKET LOGGER MODE
Ok, all of these commands are pretty cool, but if you want to record the packets to the disk, you need to specify a logging directory and Snort will automatically know to go into packet logger mode:
http://usuaris.tinet.cat/sag/lsnort.htm
1/5
1/24/2015
How to use SNORT
./snort -dev -l ./log
Of course, this assumes you have a directory named "log" in the current directory. If you don't, Snort will exit with an error message. When Snort runs in this mode, it collects every packet it sees and places it in a directory hierarchy based upon the IP address of one of the hosts in the datagram. If you just specify a plain "-l" switch, you may notice that Snort sometimes uses the address of the remote computer as the directory in which it places packets, and sometimes it uses the local host address. In order to log relative to the home network, you need to tell Snort which network is the home network:
./snort -dev -l ./log -h 192.168.1.0/24
This rule tells Snort that you want to print out the data link and TCP/IP headers as well as application data into the directory ./log, and you want to log the packets relative to the 192.168.1.0 class C network. All incoming packets will be recorded into subdirectories of the log directory, with the directory names being based on the address of the remote (non-192.168.1) host. Note that if both hosts are on the home network, then they are recorded based upon the higher of the two's port numbers, or in the case of a tie, the source address. If you're on a high speed network or you want to log the packets into a more compact form for later analysis you should consider logging in "binary mode". Binary mode logs the packets in "tcpdump format" to a single binary file in the logging directory:
./snort -l ./log -b
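The subdirectory rule described above for ASCII logging with -l and -h, as an added Python example written for this page (it is not Snort's own logger code): log_subdir reconstructs which host's address names the directory, following the rule exactly as the text states it, and log_layout groups a few constructed packets the way the ./log hierarchy would. The function names, the sample packets, and the treatment of a packet with neither host on the home network are assumptions.

```python
import ipaddress
from collections import Counter

# Reconstruction of the subdirectory rule described for "-l <dir> -h <homenet>".
# Illustrative code written for this page, not Snort's own logger implementation.

def log_subdir(src_ip, src_port, dst_ip, dst_port, home_net):
    """Return the per-host subdirectory the ASCII logger would use.

    Rule as the text states it: the directory is named after the remote
    (non-home) host; when both hosts are on the home network, after the host
    with the higher port number, and on a tie, after the source address.
    """
    home = ipaddress.ip_network(home_net, strict=False)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    src_home, dst_home = src in home, dst in home
    if src_home and not dst_home:
        return str(dst)               # destination is the remote host
    if dst_home and not src_home:
        return str(src)               # source is the remote host
    # Both hosts on the home network (the case the text describes). Assumption:
    # a packet with neither host on the home network is handled the same way.
    if dst_port > src_port:
        return str(dst)
    return str(src)                   # higher source port, or a tie


def log_layout(packets, home_net):
    """Map each subdirectory to the number of packets it would receive."""
    counts = Counter()
    for src_ip, src_port, dst_ip, dst_port in packets:
        counts[log_subdir(src_ip, src_port, dst_ip, dst_port, home_net)] += 1
    return dict(counts)


# Constructed sample traffic: (src_ip, src_port, dst_ip, dst_port).
SAMPLE_PACKETS = [
    ("192.168.1.5", 40001, "10.0.0.9", 80),      # home host talks to a remote web server
    ("10.0.0.9", 80, "192.168.1.5", 40001),      # reply from the remote host
    ("192.168.1.5", 40002, "192.168.1.7", 22),   # two home hosts, SSH
    ("192.168.1.7", 22, "192.168.1.5", 40002),   # reply, same session
    ("172.16.0.3", 53, "192.168.1.5", 51000),    # another remote host
]

if __name__ == "__main__":
    for subdir, n in sorted(log_layout(SAMPLE_PACKETS, "192.168.1.0/24").items()):
        print(f"./log/{subdir}: {n} packet(s)")
```

The useful property to notice is that both directions of a conversation land in the same directory: the remote host's address for home-to-remote traffic, and the higher-port host's address for home-to-home traffic, so a session is never split across two subdirectories.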
Note the command line changes here. We don't need to specify a home network any longer because binary mode logs everything into a single file, which eliminates the need to tell it how to format the output directory structure. Additionally, you don't need to run in verbose mode or specify the -d or -e switches because in binary mode the entire packet is logged, not just sections of it. All that is really required to place Snort into logger mode is the specification of a logging directory at the command line with the -l switch; the -b binary logging switch merely provides a modifier to tell it to log the packets in something other than the default output format of plain ASCII text. Once the packets have been logged to the binary file, you can read the packets back out of the file with any sniffer that supports the tcpdump binary format such as tcpdump or Ethereal. Snort can also read the packets back by using the -r switch, which puts it into playback mode. Packets from any tcpdump formatted file can be processed through Snort in any of its run modes. For example, if you wanted to run a binary log file through Snort in sniffer mode to dump the packets to the screen, you can try something like this:
./snort -dvr packet.log
You can manipulate the data in the file in a number of ways through Snort's packet logging and intrusion detection modes, as well as with the BPF interface that's available from the command line. For example, if you only wanted to see the ICMP packets from the log file, simply specify a BPF filter at the command line and Snort will only "see" the ICMP packets in the file:
./snort -dvr packet.log icmp
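The "tcpdump format" file that -b writes and -r reads back is the libpcap file format, and the reason any pcap-aware tool can open it is that the format is just a 24-byte global header followed by a 16-byte record header per packet. The following Python example, written for this page (not Snort's or libpcap's code), builds a small constructed log of three Ethernet/IPv4 frames, reads it back record by record, and applies the equivalent of the "icmp" filter shown above. It also rejects a file whose last record is cut short, which is what a log interrupted mid-write looks like. The function names and the sample frames are assumptions; the header layouts are those of the pcap format itself.

```python
import struct

# Minimal reader/writer for the "tcpdump format" (libpcap) file that -b produces
# and -r reads back. Written for this page as an illustration; it is not Snort's
# or libpcap's code and handles only Ethernet/IPv4 frames.

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-timestamp pcap magic number
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17

def ipv4_frame(proto, src, dst, payload=b""):
    """Build a constructed Ethernet + IPv4 frame (IP checksum left at 0)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") \
        + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     proto, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + payload

def build_pcap(records):
    """Serialize (sec, usec, frame) tuples into a little-endian pcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for sec, usec, frame in records:
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)

def iter_pcap(data):
    """Yield (sec, usec, frame) from pcap bytes, detecting byte order from the magic."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    if struct.unpack_from("<I", data, 0)[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack_from(">I", data, 0)[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a tcpdump-format file")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet record")   # e.g. a log cut off mid-write
        off += incl_len
        yield sec, usec, frame

def decode_ipv4(frame):
    """Return (protocol, src, dst) for an Ethernet/IPv4 frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    if frame[14] >> 4 != 4:
        return None
    proto = frame[23]                                   # IPv4 protocol field
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    return proto, src, dst

def select_proto(data, proto):
    """Counterpart of the 'icmp' BPF filter: keep only packets of one IP protocol."""
    kept = []
    for sec, usec, frame in iter_pcap(data):
        decoded = decode_ipv4(frame)
        if decoded and decoded[0] == proto:
            kept.append((sec, decoded[1], decoded[2]))
    return kept

# Constructed sample log: one echo request, one TCP segment, one echo reply.
SAMPLE_LOG = build_pcap([
    (1, 0, ipv4_frame(IPPROTO_ICMP, "192.168.1.5", "10.0.0.9", b"\x08\x00" + b"\x00" * 6)),
    (2, 0, ipv4_frame(IPPROTO_TCP, "192.168.1.5", "10.0.0.9", b"\x00" * 20)),
    (3, 0, ipv4_frame(IPPROTO_ICMP, "10.0.0.9", "192.168.1.5", b"\x00" * 8)),
])

if __name__ == "__main__":
    for sec, src, dst in select_proto(SAMPLE_LOG, IPPROTO_ICMP):
        print(f"{sec}: ICMP {src} -> {dst}")
```

A real BPF expression is compiled and matched by the kernel or libpcap rather than in Python, but the effect on a replayed file is the same: the reader still walks every record and only the matching ones are handed on to the decoder.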
For more info on how to use the BPF interface, read the man page.
4.0 NETWORK INTRUSION DETECTION MODE
To enable network intrusion detection (NIDS) mode (so that you don't record every single packet sent down the wire), try this:
./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf
This will configure Snort to run in its most basic NIDS form, logging packets that the rules tell it to in plain ASCII to a hierarchical directory structure (just like packet logger mode).
4.1 NIDS MODE OUTPUT OPTIONS
There are a number of ways to configure the output of Snort in NIDS mode. The default logging and alerting mechanisms are to log in decoded ASCII format and use "full" alerts. The full alert mechanism prints out the alert message in addition to the full packet headers. There are several other alert output modes available at the command line, as well as two logging facilities. Packets can be logged to their default decoded ASCII format or to a binary log file via the -b command line switch. If you wish to disable packet logging altogether, use the -N command line switch.
Alert modes are somewhat more complex. There are six alert modes available at the command line: full, fast, socket, syslog, smb (winpopup), and none. Four of these modes are accessed with the -A command line switch. The four options are:
-A fast    fast alert mode, write the alert in a simple format with a timestamp, alert message, source and destination IPs/ports
-A full    this is also the default alert mode, so if you specify nothing this will automatically be used
-A unsock  send alerts to a UNIX socket that another program can listen on
-A none    turn off alerting
To send alerts to syslog, use the -s switch. The default facilities for the syslog alerting mechanism are LOG_AUTHPRIV and LOG_ALERT. If you want to configure
other facilities for syslog output, use the output plugin directives in the rules files (see the snort.conf file for more information). Finally, there is the SMB alerting mechanism. This allows Snort to make calls to the smbclient that comes with Samba and send WinPopup alert messages to Windows machines. To use this alerting mode, you must configure Snort to use it at configure time with the --enable-smbalerts switch. Here are some output configuration examples:
1) Log to default (decoded ASCII) facility and send alerts to syslog:
./snort -c snort.conf -l ./log -s -h 192.168.1.0/24
2) Log to the default facility in /var/log/snort and send alerts to a fast alert file:
./snort -c snort.conf -s -h 192.168.1.0/24
3) Log to a binary file and send alerts to a Windows workstation:
./snort -c snort.conf -b -M WORKSTATIONS
4.2 PERFORMANCE CONFIGURATION
If you want Snort to go *fast* (like keep up with a 100 Mbps net fast) use the "-b" and "-A fast" or "-s" (syslog) options. This will log packets in tcpdump format and produce minimal alerts. For example:
./snort -b -A fast -c snort-lib
In this configuration, Snort has been able to log multiple simultaneous probes and attacks on a 100 Mbps LAN running at a saturation level of approximately 80 Mbps. In this configuration the logs are written in binary format to the snort.log tcpdump formatted file. To read this file back and break out the data in the familiar Snort format, just rerun Snort on the data file with the "-r" option and the other options you would normally use. For example:
./snort -d -c snort-lib -l ./log -h 192.168.1.0/24 -r snort.log
Once this is done running, all of the data will be sitting in the log directory in its normal decoded format. Cool, eh?
4.3 OTHER STUFF
Some people don't like the default way in which Snort applies its rules to packets, with the Alert rules applied first, then the Pass rules, and finally the Log rules. This sequence is somewhat counterintuitive, but it's a more foolproof method than allowing the user to write a hundred alert rules and then disable them all with an errant pass rule. For people who know what they're doing, the "-o" switch has been provided to change the default rule application behavior to Pass rules, then Alert, then Log:
./snort -d -h 192.168.1.0/24 -l ./log -c snort.conf -o
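The "errant pass rule" point above is easiest to see with a toy model of rule ordering. The following Python example, written for this page (it is not Snort's detection engine, and the Rule class, the matching on protocol and destination port, and the constructed rule set are all assumptions), applies the same rules to the same packet under the default Alert-Pass-Log order and under the Pass-Alert-Log order that -o selects. With an over-broad pass rule in the set, the default order still raises the telnet alert, while -o silently passes the packet.

```python
from dataclasses import dataclass
from typing import Optional

# Toy model of the rule-ordering behaviour described above; not Snort's
# detection engine. Matching is reduced to protocol and destination port so
# the ordering effect stays visible.

@dataclass(frozen=True)
class Rule:
    action: str             # "alert", "pass" or "log"
    proto: str              # "tcp", "udp" or "icmp"
    dport: Optional[int]    # None matches any destination port
    msg: str = ""

DEFAULT_ORDER = ("alert", "pass", "log")   # Snort's default, as the text describes
O_SWITCH_ORDER = ("pass", "alert", "log")  # what the -o switch selects

def rule_matches(rule, packet):
    return rule.proto == packet["proto"] and (rule.dport is None or rule.dport == packet["dport"])

def apply_rules(packet, rules, order=DEFAULT_ORDER):
    """Return (action, msg) of the first rule that fires under the given order."""
    for action in order:
        for rule in rules:
            if rule.action == action and rule_matches(rule, packet):
                return action, (rule.msg or None)
    return None, None

def compare_orders(packet, rules):
    """Show what the packet does under the default order versus -o."""
    return {"default": apply_rules(packet, rules, DEFAULT_ORDER),
            "-o": apply_rules(packet, rules, O_SWITCH_ORDER)}

# Constructed rule set: useful alert rules, an over-broad pass rule somebody
# added to quiet a noisy host (the "errant pass rule"), and catch-all log rules.
SAMPLE_RULES = [
    Rule("alert", "tcp", 23, "telnet login attempt"),
    Rule("alert", "udp", 161, "snmp request"),
    Rule("pass", "tcp", None),
    Rule("log", "tcp", None),
    Rule("log", "udp", None),
]

if __name__ == "__main__":
    telnet = {"proto": "tcp", "dport": 23}
    for order, result in compare_orders(telnet, SAMPLE_RULES).items():
        print(f"{order:>8}: {result}")
```

The UDP alert still fires under either order because the pass rule only covers TCP, which is the point: the blast radius of a careless pass rule depends on what it matches, and the default order limits it to the log stage rather than the alert stage.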
5.0 MISCELLANEOUS STUFF
If you are willing to run snort in "daemon" mode, you can add the -D switch to any combination above. Please NOTICE that if you want to be able to restart snort by sending a SIGHUP signal to the daemon, you will need to use the full path to the snort binary when you start it, e.g.:
/usr/local/bin/snort -d -h 192.168.1.0/24 -l /var/log/snortlogs -c /usr/local/etc/snort-lib -s -D
Relative paths are not supported due to security concerns.
If you're going to be posting packet logs to public mailing lists you might want to try out the -O switch. This switch "obfuscates" the IP addresses in the packet printouts. This is handy if you don't want the people on the mailing list to know the IP addresses involved. You can also combine the -O switch with the -h switch to only obfuscate the IP addresses of hosts on the home network. This is useful if you don't care who sees the address of the attacking host. For example:
./snort -d -v -r snort.log -O -h 192.168.1.0/24
This will read the packets from a log file and dump the packets to the screen, obfuscating only the addresses from the 192.168.1.0/24 class C network.
Well, that's about it for now.
If you have any further questions about using Snort, drop me an email at roesch@clark.net