Modes

  • Sniffer Mode - Read IP packets and print them to the console.
  • Packet Logger Mode - Log all IP packets (inbound and outbound) seen on the interface to a log directory.
  • NIDS/NIPS Mode - Log (NIDS) or drop (NIPS) the packets that match the user-defined rules.
    • NIDS (Network Intrusion Detection System) - passive, alerts and logs only
    • NIPS (Network Intrusion Prevention System) - inline, can drop packets

Parameters (Snort 2.x command line)

Parameter  Function
-l         set the log directory
-X         dump the raw packet data in hex and ASCII
-r         read packets from a tcpdump/pcap file instead of an interface
-N         turn off packet logging (alerts still work)
-b         log packets in tcpdump (binary pcap) format
-K         logging mode: pcap, ascii or none

testing rules against pcap

# read the pcap with the rules in local.rules; -A full writes alerts to a text file
# named "alert" in the log directory (-l .) and the matching packets to snort.log.<timestamp>
snort -c local.rules -A full -l . -r traffic.pcap

# view the logged packets (the number is the unix timestamp of the run)
sudo snort -r snort.log.1672720081

writing rules

# every rule needs a unique sid; by convention local rules use sid >= 1000000
# (the ones below are kept short for readability)

# alert on any tcp traffic to or from port 80
alert tcp any 80 <> any any  (msg:"TCP Port 80"; sid:100001; rev:1;)
# only when both sides use port 80
alert tcp any 80 <> any 80  (msg:"TCP Port 80 both sides"; sid:100002; rev:1;)

# detect failed FTP logins (530 is the server's reply, so it comes from port 21)
alert tcp any 21 -> any any (msg:"Detected Failed FTP Login"; content:"530 User"; sid:100003; rev:1;)

# detect FTP login attempts with the Administrator user name (331 is the server asking for
# the password after USER; both content matches must hit in the same packet, each ends with ;)
alert tcp any 21 -> any any (msg:"Detected FTP Login Attempt as Administrator"; content:"331 Password"; content:"Administrator"; sid:100004; rev:1;)

# detect png by its magic bytes (89 "PNG" 0D 0A 1A 0A) written as a |hex| content match
# List of File Signatures: https://en.wikipedia.org/wiki/List_of_file_signatures
alert tcp any any <> any any (msg:"PNG file"; content:"|89 50 4E 47 0D 0A 1A 0A|"; sid:100005; rev:1;)

# detect traffic from ports 80/443 (a port list goes in square brackets;
# matching on the port alone does not prove the payload is HTTP)
alert tcp any [80,443] -> any any (msg:"HTTPx Packet Found"; sid:100006; rev:1;)

# detect by payload size (dsize:min<>max matches payload sizes in the range 333 to 666 bytes)
alert tcp any any <> any any (msg:"detected-Byte size"; dsize:333<>666; sid:100007; rev:1;)
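Hand-written rules files tend to break in the same few ways (an option without a closing ;, two rules with the same sid, a port list without brackets, an unbalanced option block), and snort -T only tells you after it has parsed the whole config. The following is an added example, not part of this cheat sheet or of Snort: a small Python linter for the rule syntax used above, with a constructed sample rules file that contains each mistake once. It checks header shape and port syntax, splits the option block on ; outside quotes, and tracks sids across lines; snort -T remains the authoritative check.

```python
"""Lint a Snort 2 rules file before passing it to snort -c.

Added example, not part of the original cheat sheet or of Snort itself. It
only checks syntax that is easy to get wrong by hand (missing ';', duplicate
sid, unbracketed port list, unbalanced option block).
"""
import re

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOS = {"tcp", "udp", "icmp", "ip"}

# Rule header: action proto src sport direction dst dport, then "(options)".
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def _port_ok(port: str) -> bool:
    """Accept any, $VARIABLE, N, N:M, :M, N:, each optionally negated, or a [a,b,c] list."""
    port = port[1:] if port.startswith("!") else port
    if port == "any" or port.startswith("$"):
        return True
    if port.startswith("[") and port.endswith("]"):
        return all(_port_ok(p.strip()) for p in port[1:-1].split(","))
    return re.fullmatch(r"\d+|\d+:\d*|:\d+", port) is not None


def _split_options(opts: str) -> list[str]:
    """Split the option block on ';' outside double quotes. The last element is
    whatever follows the final ';' and must be empty in a well-formed rule."""
    parts, buf, in_quote = [], "", False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    parts.append(buf.strip())
    return parts


def lint_rules(text: str) -> list[str]:
    """Return 'line N: problem' strings; an empty list means the file looks sane."""
    problems, seen_sids = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            problems.append(f"line {n}: cannot parse header or option block (unbalanced parentheses?)")
            continue
        if m["action"] not in ACTIONS:
            problems.append(f"line {n}: unknown action {m['action']!r}")
        if m["proto"] not in PROTOS:
            problems.append(f"line {n}: unknown protocol {m['proto']!r}")
        for field in ("sport", "dport"):
            if not _port_ok(m[field]):
                problems.append(f"line {n}: bad port spec {m[field]!r} (port lists need [a,b] brackets)")
        parts = _split_options(m["opts"])
        if parts[-1]:
            problems.append(f"line {n}: option {parts[-1]!r} is not terminated by ';'")
        sid, merged = None, False
        for opt in filter(None, parts[:-1]):
            key, _, value = opt.partition(":")
            # A second "keyword:" inside one value means the ';' between two options was dropped.
            if re.search(r"\s\w+:", re.sub(r'"[^"]*"', "", value)):
                problems.append(f"line {n}: {opt!r} looks like two options missing a ';'")
                merged = True
            if key.strip() == "sid":
                sid = value.strip()
        if sid is None:
            if not merged:
                problems.append(f"line {n}: rule has no sid")
        elif sid in seen_sids:
            problems.append(f"line {n}: sid {sid} already used on line {seen_sids[sid]}")
        else:
            seen_sids[sid] = n
    return problems


# Constructed sample: lines 1 and 5 are fine, lines 2, 3, 4 and 6 each carry one mistake.
SAMPLE_RULES = """\
alert tcp any 21 -> any any (msg:"Failed FTP login"; content:"530 User"; sid:100003; rev:1;)
alert tcp any 21 -> any any (msg:"FTP login as Administrator"; content:"331 Password"; content:"Administrator" sid:100004; rev:1;)
alert tcp any 80,443 -> any any (msg:"HTTPx Packet Found"; sid:100006; rev:1;)
drop tcp any 4444 <> any any (msg:"possible reverse shell"; sid:100001; rev:1)
alert tcp any any <> any any (msg:"PNG file"; content:"|89 50 4E 47 0D 0A 1A 0A|"; sid:100005; rev:1;)
alert tcp any 80 <> any any (msg:"TCP port 80"; sid:100001; rev:1;)
"""

if __name__ == "__main__":
    for p in lint_rules(SAMPLE_RULES) or ["no problems found"]:
        print(p)
```

Run it as python3 lint_rules.py after replacing SAMPLE_RULES with the contents of local.rules; anything it reports is worth fixing before snort -c is tried, and a clean run is not a guarantee that the rule does what you meant, only that it parses.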

Usage

## version
snort -V

## test the configuration file and exit (no traffic is processed)
sudo snort -c /etc/snort/snort.conf -T

## sniffing mode
### verbose (print packet headers) on a given interface
sudo snort -v -i eth0

## show the application-layer payload of each packet
sudo snort -d

## also show the link-layer (Ethernet) headers, i.e. MAC addresses
sudo snort -d -e

## dump the whole packet in hex and ASCII
sudo snort -X

Investigate traffic, detect attack and drop traffic

# first capture what is going on: verbose sniffing, logging packets to the current directory
# (without -l the default log directory is /var/log/snort)
sudo snort -v -l .

# then read the logged packets back with the full hex/ASCII dump;
# pipe into grep to look for suspicious ports, e.g. ... | grep :4444
sudo snort -r /var/log/snort/snort.log.1672697486 -X

# write a drop rule (drop only takes effect in inline mode, see -Q below)
drop tcp any 4444 <> any any (msg:"drop possible reverse shell traffic"; sid:100001; rev:1;)

# run inline (-Q) with the afpacket DAQ bridging eth0 and eth1, so matching packets are dropped
sudo snort -c local.rules -Q --daq afpacket -i eth0:eth1 -A full
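Both the pcap replay earlier on this page and the inline run above use -A full, which writes a multi-record text file named alert into the log directory. Before widening a drop rule to "any 4444 <> any any" it helps to know which hosts actually triggered it. The following is an added example, not part of this cheat sheet or of Snort: a Python parser for the -A full record layout (the "[**] [gid:sid:rev] msg [**]" header line followed by the timestamp and "src -> dst" line) with a constructed alert file; the IPs, ports and timestamps in it are made up. It counts hits per rule and lists the endpoint pairs per sid, and a helper pulls out the hosts that talked on a given port.

```python
"""Summarise Snort 2's -A full alert output for triage.

Added example, not part of the original cheat sheet or of Snort. It reads
the text file named "alert" that -A full writes into the -l log directory
and reports hits per rule and the endpoints involved, so a drop rule can
be scoped to the right hosts.
"""
import re
from collections import Counter, defaultdict

# "[**] [gid:sid:rev] message [**]" opens every record in the full format.
HEAD_RE = re.compile(r"^\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]$")
# "MM/DD-HH:MM:SS.usec src[:port] -> dst[:port]" follows the priority line.
ADDR_RE = re.compile(r"^\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+ (?P<src>\S+) -> (?P<dst>\S+)$")


def parse_alerts(text: str) -> list[dict]:
    """Return one dict per alert record: sid, msg, src, dst (with :port when present)."""
    alerts, current = [], None
    for line in text.splitlines():
        h = HEAD_RE.match(line)
        if h:
            current = {"sid": int(h["sid"]), "msg": h["msg"], "src": None, "dst": None}
            alerts.append(current)
            continue
        a = ADDR_RE.match(line)
        if a and current is not None and current["src"] is None:
            current["src"], current["dst"] = a["src"], a["dst"]
    return alerts


def summarise(alerts: list[dict]) -> dict:
    """Hits per sid, the message per sid, and per sid the (src, dst) pairs seen, most frequent first."""
    per_sid = Counter(a["sid"] for a in alerts)
    pairs = defaultdict(Counter)
    for a in alerts:
        pairs[a["sid"]][(a["src"], a["dst"])] += 1
    return {
        "hits": dict(per_sid),
        "msgs": {a["sid"]: a["msg"] for a in alerts},
        "pairs": {sid: c.most_common() for sid, c in pairs.items()},
    }


def endpoints_on_port(alerts: list[dict], port: int) -> set[str]:
    """IPv4 hosts that used the given port in any alert (e.g. 4444 for the reverse-shell rule)."""
    hosts = set()
    for a in alerts:
        for ep in (a["src"], a["dst"]):
            if ep and ep.endswith(f":{port}"):
                hosts.add(ep.rsplit(":", 1)[0])
    return hosts


# Constructed sample in the -A full layout; addresses, ports and timestamps are made up.
SAMPLE_ALERT = """\
[**] [1:100001:1] possible reverse shell traffic [**]
[Priority: 0] 
01/03-04:14:41.123456 10.0.0.5:4444 -> 10.0.0.9:51234
TCP TTL:64 TOS:0x0 ID:1234 IpLen:20 DgmLen:92 DF
***AP*** Seq: 0x3C0FFF8B  Ack: 0xAC6FD41A  Win: 0x1F5  TcpLen: 32

[**] [1:100001:1] possible reverse shell traffic [**]
[Priority: 0] 
01/03-04:14:42.000001 10.0.0.9:51234 -> 10.0.0.5:4444
TCP TTL:64 TOS:0x0 ID:1235 IpLen:20 DgmLen:60 DF
***A**** Seq: 0xAC6FD41A  Ack: 0x3C0FFFB3  Win: 0x1F5  TcpLen: 32

[**] [1:100003:1] Failed FTP login [**]
[Priority: 0] 
01/03-04:15:00.500000 10.0.0.7:21 -> 10.0.0.9:40000
TCP TTL:64 TOS:0x0 ID:1236 IpLen:20 DgmLen:80 DF
***AP*** Seq: 0x11111111  Ack: 0x22222222  Win: 0x1F5  TcpLen: 32
"""

if __name__ == "__main__":
    found = parse_alerts(SAMPLE_ALERT)
    report = summarise(found)
    for sid, count in sorted(report["hits"].items()):
        print(f"sid {sid} ({report['msgs'][sid]}): {count} hit(s)")
        for (src, dst), n in report["pairs"][sid]:
            print(f"    {src} -> {dst}  x{n}")
    print("hosts on port 4444:", sorted(endpoints_on_port(found, 4444)))
```

Point it at the real file with open("alert").read() in place of SAMPLE_ALERT. The endpoints_on_port result is what you would put into the rule header instead of "any" if the listener turns out to be one internal host; the summary also shows immediately when a noisy rule (such as the port-80 ones above) is producing most of the volume.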
