NetNacs! eZine
 

Archive | Perspective | Helpful Hints | BizBits
LitKorner | DownUnder | LifeNow | Search

 

Sister Sites > Award Sites! | USA Patriotism! | Poetry Galore

NetNews

July 2004

 

Sniffing Out Snoopers with Snort
by Corey Nachreiner, WatchGuard Technologies Network Security Analyst

If you go behind the scenes at any airport, you'll find huge conveyor belts delivering hundreds of pieces of luggage to the correct loading docks. Now picture a frisky German shepherd, bouncing around the conveyor belt, sniffing each piece of luggage and barking like mad to alert the authorities whenever it smells a suitcase full of drugs. The "conveyor belt" image is what an Ethernet segment might look like as it passes hundreds of packets to different hosts. A drug dog, like this German Shepherd, is a perfect representation of a Network Intrusion Detection System (NIDS), or packet sniffer. However, the makers of Snort went with the analogy of a truffle sniffing pig.

Whatever the mascot, Snort is a fantastic tool for learning to use NIDS. Snort is an open source, signature-based NIDS that has quite a following in the security community. In this article, I'll discuss why I use Snort, pass along some hard-learned installation tips, and start you with the basics on reading Snort logs.

Why choose Snort?

Snort is a great NIDS to use for a number of reasons. First, you really can't beat the price: it's free. Second, Snort is diverse enough to work in almost any network environment, since it installs in most flavors of Linux, BSD, Solaris and Windows. Third, Snort runs on open-source code, an advantage for any security product. Programmers and security experts from all over have viewed the source code and audited the application for security flaws. Having an entire community of programmers checking the code, instead of just a small team at an individual company, potentially makes open-source products amongst the most secure available. 

Snort's popularity has resulted in a large community of users (the project's official Web site boasted nearly 10 million downloads in its first year of operation). Because Snort is signature-based (that is, it recognizes attacks by matching traffic against a library of known attack patterns), Snort is only as good as its library of signatures. The crew at Snort.org does a good job of posting current signatures, plus -- bonus! -- a large community of users also writes signatures for the latest attacks. You can find custom rules for new attacks on many mailing lists.

Snort's large open-source community has developed many spin-off applications or modules, too. At Snort.org, you can find many add-ons that greatly increase the usefulness of Snort. For example, SnortSnarf is a Perl script that can convert Snort logs into a nice, readable HTML format, making it easier to analyze Snort alerts.

Quick 'n' dirty test installation

Since most LiveSecurity readers run Windows, I'll describe how to install Snort in Windows XP. (If you would like to install the Linux version of Snort, I recommend this PDF.)

There are many excellent FAQs on installing Snort in Windows. Many also detail installing add-ons like ACID (explained later in this article) and SnortSnarf. However, Engage Security has designed a very convenient setup package called Eagle X that installs and configures Snort with many of its popular extras in one fell swoop. Eagle X includes:

  • Snort 2.01 Build 88 (The actual NIDS application)
  • IDScenter 1.1 RC4 (A graphical Front-End for Snort)
  • Apache 1.2.28 (A Web server to display Web-based logs)
  • ACID 0.9.6b23 (A Snort add-on to generate graphical, Web-based logs)
  • PHP 4.3.2 (A Web scripting language needed for ACID)
  • JPGraph 1.9.1 (A PHP graph library, again for use with ACID)
  • MySQL 3.23.55 (A database application to store the log messages)
  • OinkMaster 0.8 Win32 (A Snort add-on to automate the download of new Snort rules)
  • WinPcap 3.0 (A network driver to allow promiscuous packet capture)

This quick installation package is enough to get you running a fairly well-configured NIDS without any extra tweaking, although the more time you spend tweaking settings for your network, the better Snort will perform. (As when downloading any shareware, use appropriate caution. WatchGuard is not responsible for what happens if you install this tool, since it's not our software. Eagle X worked fine for us, but our computers may differ from yours, so we recommend you use a test machine to install Eagle X at first, not a machine storing critical files.) Here's an easy Eagle X install:

  • Download and install EagleX v2.1 (eaglexv21.zip). Unzip the package to extract setup.exe. Double-click setup.exe to begin the installation.
  • Click Yes, when it asks you if you want to install Eagle X. Now, accept all the defaults by continually clicking Next and then finally, Install.
  • Once the initial setup is complete, a WinPcap 3.0 setup appears. Again, keep clicking Next and then finally, OK (you will have to accept a license agreement on one screen).
  • Next you'll reach the Eagle X Setup. The first screen contains all the information about what Eagle X installs and the default configuration it uses, including user logins. (You can always find a copy of this info in the README.txt file in the c:\EagleX directory.) Press Next and then Finish (accepting the defaults) to bring up the Eagle X configuration window.
  • In the Eagle X configuration window, enter the following settings:
    • Apache Webserver Setup
      • DNS/IP. Set this to the IP address of the machine you are installing Eagle X on. If you press the down arrow, you'll find the machine's IP or IPs.
      • Port. This is the port you want your Apache/ACID Snort log server to run on. I just entered 8877, the default.
      • Administrator E-mail Address. Enter the e-mail address where you want to recieve Snort alert e-mails.
      • Authentication. Set which authentication method to use for accessing Snort's Web-based logs. I suggest the default, Basic.
      • Username/Password. Enter a username and password that you want to use to access Snort's Web-based logs.
    • Snort Setup
      • Home Network. Enter the network address for your local network using CIDR notation. (For example, 192.168.0.0/24.)
      • Primary DNS. Enter your primary DNS server's IP address.
      • Secondary DNS. Enter your secondary DNS server's IP address.
      • Leave the rest blank!
  • Finally, click Setup. Wait a few seconds and press OK to complete the installation.

That's it! Eagle X is now installed. Eagle X's front-end, the IDScenter, should be running. It appears as a circular, black icon in your system tray (bottom right corner) that occasionally flashes red. Double-clicking it opens IDScenter so you can further configure Snort. However, the Eagle X installer has already configured IDScenter and Snort enough to work well. It's already monitoring your network, logging to a MySQL database and ready to generate Web-based reports. I encourage you to explore and fine-tune these IDScenter settings later. For now, Eagle X's default settings are good enough.

However, for the most effective scanning, download the latest Snort ruleset. To do so, right-click the IDScenter icon in your system tray and, from Windows' fly-out menu, choose Settings. Click on the Wizards tab in the left-hand window and choose Online Update. Online updates are controlled using OinkMaster. OinkMaster configuration is the only aspect of the Eagle X install that didn't entirely work for me. Make the following changes to get OinkMaster to work:

  • Eagle X sets the Temporary folder for downloading and extracting rules to /cygdrive/c/eaglex/tmp (c:\EagleX\tmp), a directory that doesn't exist. Using Windows Explorer, create a folder called tmp in your C:\EagleX directory to fix this.
  • Eagle X sets URL of ruleset to a currently dead link. Change it to http://www.snort.org/dl/rules/snortrules-snapshot-2_0.tar.gz.
  • Under OinkMaster's Options tab, Eagle X set the Backup rules to setting to a directory that not everyone has. Either create a folder called temp under C:\ or press "..." and browse to an existing folder of your choice.

Once you've made those changes, press the Apply button in the top right corner of IDScenter and wait for the DOS windows to close. Finally, press the Test online update button in the top right corner of the OinkMaster window to update Snort with the latest rules. Close IDScenter by clicking the X in the top right corner. The configuration menu disappears, but IDScenter continues to run in the system tray.

For more information on tweaking IDScenter and Snort's configuration, see the IDScenter manual.

Snort is one of many

Although Snort is my "drug dog" sniffer of choice, it's only one of the many great intrusion detection systems available. Experimenting with a free NIDS like Snort can help you decide whether or not an IDS is something you want to implement in your network full-time. It's convenient to go to the dog pound and adopt a free "drug dog" to see if it does what you want. You can always buy a pure breed later -- but who knows? You might find that, with a little house-breaking, the pound dog does everything you want.

Reference:

In-depth Snort article from the creator

Another good article about installing and using Snort (for Linux)

Snort manpage. This page describes Snort usage

Snort Install FAQs: Snort with Windows 2000

Corey Nachreiner
Network Security Analyst
WatchGuard Technologies

 USA Store! ... over a thousand USA themed gifts / products at USA Patriotism!