
Experiment No. 10

Title :- Demonstrate Intrusion Detection (IDS) system using snort tool.

Description :-

➢ SNORT

SNORT is a powerful open-source intrusion detection system (IDS) and intrusion prevention system (IPS) that provides real-time network traffic analysis and data packet logging. SNORT uses a rule-based language that combines anomaly, protocol, and signature inspection methods to detect potentially malicious activity. Using SNORT, network admins can spot denial-of-service (DoS) attacks and distributed DoS (DDoS) attacks, Common Gateway Interface (CGI) attacks, buffer overflows, and stealth port scans. SNORT uses a set of rules that define malicious network activity, identifies matching packets, and sends alerts to users. SNORT is free-to-use open-source software that can be deployed by individuals and organizations. The SNORT rule language determines which network traffic should be collected and what should happen when it detects malicious packets. SNORT can be used in the same way as sniffers and network intrusion detection systems to discover malicious packets, or as a full network IPS solution that monitors network activity and detects and blocks potential attack vectors.

What Are the Features of SNORT?

There are various features that make SNORT useful for network admins to monitor their systems and detect malicious activity. These include:

Real-time Traffic Monitor :- SNORT can be used to monitor the traffic that goes in and out
of a network. It will monitor traffic in real time and issue alerts to users when it discovers
potentially malicious packets or threats on Internet Protocol (IP) networks.

Packet Logging :- SNORT enables packet logging through its packet logger mode, which
means it logs packets to the disk. In this mode, SNORT collects every packet and logs it in a
hierarchical directory based on the host network’s IP address.

Analysis of Protocol :- SNORT can perform protocol analysis, which is a network sniffing process that captures data in protocol layers for additional analysis. This enables the network admin to further examine potentially malicious data packets, which is crucial, for example, when checking traffic against the Transmission Control Protocol/IP (TCP/IP) stack protocol specification.

Content Matching :- SNORT collates rules by the protocol, such as IP and TCP, then by
ports, and then by those with content and those without. Rules that do have content use a
multi-pattern matcher that increases performance, especially when it comes to protocols like
the Hypertext Transfer Protocol (HTTP). Rules that do not have content are always evaluated,
which negatively affects performance.

OS Fingerprinting :- Operating system (OS) fingerprinting uses the concept that all platforms have a unique TCP/IP stack. Through this process, SNORT can be used to determine the OS platform being used by a system that accesses a network.

Can Be Installed in Any Network Environment :- SNORT can be deployed on all operating systems, including Linux and Windows, and as part of all network environments.

Open Source :- As a piece of open-source software, SNORT is free and available for anyone who wants to use an IDS or IPS to monitor and protect their network.

Rules Are Easy to Implement :- SNORT rules are easy to implement and get network monitoring and protection up and running. Its rule language is also very flexible, and creating new rules is pretty simple, enabling network admins to differentiate regular internet activity from anomalous or malicious activity.

What Are the Different SNORT Modes?

There are three different modes that SNORT can be run in, which depend on the flags used in the SNORT command.

Packet Sniffer:- SNORT’s packet sniffer mode means the software will read IP packets then
display them to the user on its console.

Packet Logger :- In packet logger mode, SNORT will log all IP packets that visit the network. The network admin can then see who has visited their network and gain insight into the OS and protocols they were using.

NIPDS (Network Intrusion and Prevention Detection System) :- In NIPDS mode, SNORT will only log packets that are considered malicious. It does this using the preset characteristics of malicious packets, which are defined in its rules. The action that SNORT takes is also defined in the rules the network admin sets out.

What Are the Uses of SNORT Rules?

The rules defined in SNORT enable the software to carry out a range of actions, which include:

Perform Packet Sniffing :- SNORT can be used to carry out packet sniffing, which collects
all data that transmits in and out of a network. Collecting the individual packets that go to
and from devices on the network enables detailed inspection of how traffic is being
transmitted.

Debug Network Traffic :- Once it has logged traffic, SNORT can be used to debug malicious
packets and any configuration issues.

Generate Alerts :- SNORT generates alerts to users as defined in the rule actions created in its configuration file. To receive alerts, SNORT rules need to contain conditions that define when a packet should be considered unusual or malicious, when it indicates a risk of a vulnerability being exploited, or when it may violate the organization's security policy or pose a threat to the network.

Practical :-

Configuration of SNORT

Setting up Snort from the source code consists of a few steps: downloading the code, configuring it, compiling the code and lastly installing it. First, make a temporary download folder in your home directory and then move into it with these commands:

mkdir ~/snort_src
cd ~/snort_src

After it is downloaded we have to configure, compile and run the downloaded code. Following are the commands used to run SNORT once it is built.

./snort -v

This runs Snort in sniffer mode and prints the packet headers to the console. If we want to see the application data in transit, the following command is used:

./snort -vd

This instructs Snort to display the packet data as well as the headers. If we want a more descriptive display, showing the data link layer headers, the following command needs to be run:

./snort -vde

As an aside, notice that the command line switches can be listed separately or in a combined form. The last command could also be typed out as:

./snort -d -v -e

This will produce the same result.

Snort uses a configuration file at start-up time. A sample configuration file, snort.conf, is included in the Snort distribution. You can use any name for the configuration file, however snort.conf is the conventional name. You use the -c command line switch to specify the name of the configuration file; for example, -c /opt/snort/snort.conf uses /opt/snort/snort.conf as the configuration file. We can also save the configuration file in our home directory as snortrc, but the most commonly used method is specifying it on the command line. There are other advantages to using the configuration file name as a command line argument to Snort. It is possible to invoke multiple Snort instances on different network interfaces with different configurations.

$ sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i lo

This command should be run in our terminal to run snort using our snort configuration file. It can be modified according to the user's needs. Snort has various modes; a few of them are listed here. Description of the command:

-c: specifies the config file
-i: specifies the interface; if only the loopback address is used then "lo" is given, for Ethernet "eth0" or "eth1" is given
-A console: prints the alerts to the console
-q: quiet mode, suppresses the start-up banner and statistics
-u snort / -g snort: drops privileges to the snort user and group after initialisation

Once we run this command, then type

$ ping 127.0.0.1

We should see that snort logs this packet and displays it on the terminal. Here is the image of the terminal logging the ping packets.

Writing rules:

Rules are written by the user; snort will log the packets and generate an alert if it finds any match with the rules that the user defined in the rules file. Every rule needs a protocol, a source and destination address and port, and a unique sid (rule id); rev is the revision number of that rule. Here are examples of how to write rules.

1. alert ip $EXTERNAL_NET any -> $HOME_NET any (ip_proto:igmp; sid:1000000; rev:1;)
   For IGMP traffic alert.

3. alert tcp any any -> any any (msg:"exploit"; content:"|90|"; sid:1000002; rev:1;)

4. alert tcp $EXTERNAL_NET any -> $HOME_NET any (flags:SF,12; msg:"SYN FIN scan"; sid:1000003; rev:1;)

5. alert tcp any any -> $HOME_NET 21 (msg:"Incoming FTP"; sid:1000004; rev:1;)

6. alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Invalid Content Found"; content:"terrorism"; nocase; sid:1000005; rev:1;)

7. alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PING ALERT"; icode:0; itype:8; sid:1000006; rev:1;)

8. alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPLOIT ntpdx overflow"; dsize:>128; classtype:attempted-admin; priority:10; sid:1000007; rev:1;)

9. log tcp !192.168.0.0/24 any -> $HOME_NET any (msg:"mounted access"; sid:1000008; rev:1;)

10. alert tcp any any -> $HOME_NET 21 (msg:"Possible FTP Login"; sid:1000004; rev:004;)

Rule 10 reuses sid 1000004 from rule 5 with a higher rev, so only one of the two is kept when the file is loaded; give it its own sid if both alerts are wanted.

Parts of rule 10:

alert: it will generate alert packets
tcp: protocol which is being used
any any: it specifies that packets coming from any IP address and any source port are matched
$HOME_NET: it is our local IP address range; it is mapped in the snort.conf file
21: it tells snort to generate alerts for any packet which tries to send a request to port 21
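The rule syntax above is easy to get subtly wrong (a skipped protocol shifts every field, a rule without a sid will not load, word-processor quotes are not the straight quotes Snort expects). As an added example that is not part of the original lab report, the following Python linter parses the Snort 2.x header and option body and reports those slips. The rule strings in SAMPLE_RULES are constructed for the example; the field names and checks are this example's own, not a Snort API.

```python
"""Lint Snort 2.x rules for common hand-written mistakes (added example)."""
import ipaddress
import re
from dataclasses import dataclass

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

# Rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^\s*(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.S,
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: list  # [(keyword, value-or-None), ...] in source order


def split_options(body):
    """Split the option body on ';' but not on ';' inside double quotes."""
    tokens, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ";" and not in_quote:
            tokens.append("".join(cur))
            cur = []
        else:
            if ch == '"':
                in_quote = not in_quote
            cur.append(ch)
    tokens.append("".join(cur))
    parsed = []
    for tok in tokens:
        tok = tok.strip()
        if tok:
            key, sep, val = tok.partition(":")
            parsed.append((key.strip(), val.strip() if sep else None))
    return parsed


def parse_rule(text):
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("header is not 'action proto src sport -> dst dport (options)'; "
                         "a missing action or protocol shifts every field")
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dir"],
                m["dst"], m["dport"], split_options(m["opts"]))


def _check_address(tok):
    """any, $VAR, !negation, [a,b] lists and IPv4 host/CIDR are accepted."""
    tok = tok.lstrip("!")
    if tok.startswith("[") and tok.endswith("]"):
        return [p for part in tok[1:-1].split(",") for p in _check_address(part.strip())]
    if tok == "any" or tok.startswith("$"):
        return []
    try:
        ipaddress.ip_network(tok, strict=False)  # rejects e.g. '192.168.0/24'
    except ValueError:
        return [f"malformed address {tok!r}"]
    return []


def _check_port(tok):
    """any, $VAR, !negation, [a,b] lists, single ports and lo:hi ranges are accepted."""
    tok = tok.lstrip("!")
    if tok.startswith("[") and tok.endswith("]"):
        return [p for part in tok[1:-1].split(",") for p in _check_port(part.strip())]
    if tok == "any" or tok.startswith("$"):
        return []
    lo, _, hi = tok.partition(":")
    for part in (lo, hi):
        if part and not (part.isdigit() and int(part) <= 65535):
            return [f"malformed port {tok!r}"]
    return []


def lint_rule(text):
    """Return a list of problems; an empty list means the rule looks loadable."""
    try:
        rule = parse_rule(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if rule.action not in ACTIONS:
        problems.append(f"unknown action {rule.action!r} (actions are lowercase, e.g. alert)")
    if rule.proto not in PROTOCOLS:
        problems.append(f"unknown protocol {rule.proto!r}")
    problems += _check_address(rule.src) + _check_address(rule.dst)
    problems += _check_port(rule.sport) + _check_port(rule.dport)
    keys = dict(rule.options)
    if "sid" not in keys:
        problems.append("missing sid (every rule needs a unique sid)")
    elif not (keys["sid"] or "").isdigit():
        problems.append(f"sid must be numeric, got {keys['sid']!r}")
    msg = keys.get("msg")
    if "msg" in keys and not (msg and len(msg) >= 2 and msg.startswith('"') and msg.endswith('"')):
        problems.append("msg must be in straight double quotes")
    return problems


# Constructed samples: two corrected rules from the report, then the kinds of
# slips that appear in hand-written drafts.
SAMPLE_RULES = {
    "ping": 'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PING ALERT"; icode:0; itype:8; sid:1000006; rev:1;)',
    "ftp": 'alert tcp any any -> $HOME_NET 21 (msg:"Possible FTP Login"; sid:1000004; rev:004;)',
    "no_proto": 'alert $EXTERNAL_NET any -> $HOME_NET any (flags:SF,12; msg:"SYN FIN scan"; sid:1000003;)',
    "no_action": 'tcp any any -> any (msg:"exploit"; content:"|90|"; rev:1000002;)',
    "bad_cidr": 'log tcp !192.168.0/24 any -> $HOME_NET any (msg:"mounted access";)',
    "smart_quotes": 'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:\u201dInvalid Content Found\u201d; content:"terrorism"; nocase; sid:1000005;)',
}


def lint_all(rules=SAMPLE_RULES):
    """Map each rule name to its list of problems."""
    return {name: lint_rule(text) for name, text in rules.items()}


if __name__ == "__main__":
    for name, problems in lint_all().items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Run it before restarting Snort with an edited local.rules; it is far quicker than reading Snort's parse error after a reload, and the checks generalise beyond the ten rules above to any rule written in this header/option form.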

3. Barnyard

Barnyard automatically inserts all the alerts generated by snort into a database. In our research paper we have used mysql to access the information given by snort. Barnyard is easy to set up and runs by typing the following command:

$ sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.bookmark -g snort -u snort

-c: specifies the barnyard2 config file, where the database output is configured
-d: the spool directory where snort writes its unified2 output
-f: the base name of the unified2 files to read
-w: gives the bookmark (waldo) file used by barnyard to remember how far it has read
-g: run as a specific group
-u: run as a specific user

Results

The result of our project is the display of all packets which match the snort rules defined by the administrator. The information is stored in a mysql database, using which we have made a UI to display all the necessary information about the alerts generated. The information includes Source IP, Destination IP, Alert generated, and Date and Time of when the packet was received. In this case we have used a single system for testing purposes, therefore the source and destination IP are both the loopback address; however, when run on a server it will give the Source and Destination IP of the systems generating and receiving the packets.
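The same Source IP / Destination IP / Alert / Date and Time fields can be pulled straight from the console output of the snort command above, which is useful for checking the database rows Barnyard produces. As an added example that is not part of the original lab report, the following Python code parses Snort's fast/console alert format, which prints one line per alert, into those fields and counts alerts per signature. The log lines in SAMPLE_ALERTS are constructed for the example and use the loopback addresses of the single-system test; the dict keys are this example's own, not a Snort or Barnyard schema.

```python
"""Parse Snort 'fast'/console alert lines into the fields the report's UI shows (added example)."""
import re
from collections import Counter

# Line shape (no year in the default timestamp):
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src -> dst
# The Classification part is absent for rules that carry no classtype.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# IPv4 endpoint with an optional :port (Snort prints ports for TCP/UDP only).
ENDPOINT_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d+))?$")

# Constructed sample: two ICMP alerts from the ping test, a junk line, and one FTP alert.
SAMPLE_ALERTS = """\
01/12-10:15:22.123456  [**] [1:1000006:1] PING ALERT [**] [Priority: 0] {ICMP} 127.0.0.1 -> 127.0.0.1
01/12-10:15:23.124001  [**] [1:1000006:1] PING ALERT [**] [Priority: 0] {ICMP} 127.0.0.1 -> 127.0.0.1
this line is not an alert and must be skipped
01/12-10:16:05.000212  [**] [1:1000004:4] Possible FTP Login [**] [Classification: Misc activity] [Priority: 3] {TCP} 127.0.0.1:51234 -> 127.0.0.1:21
"""


def _split_endpoint(endpoint):
    """'127.0.0.1:51234' -> ('127.0.0.1', 51234); '127.0.0.1' -> ('127.0.0.1', None)."""
    m = ENDPOINT_RE.match(endpoint)
    if not m:
        return endpoint, None
    return m["ip"], int(m["port"]) if m["port"] else None


def parse_alerts(text):
    """Return one dict per well-formed alert line; any other line is ignored."""
    records = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        src_ip, src_port = _split_endpoint(m["src"])
        dst_ip, dst_port = _split_endpoint(m["dst"])
        records.append({
            "timestamp": m["ts"],
            "sid": int(m["sid"]),
            "rev": int(m["rev"]),
            "alert": m["msg"],
            "classification": m["cls"],
            "priority": int(m["pri"]),
            "proto": m["proto"],
            "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port,
        })
    return records


def summarize(records):
    """Count alerts per signature message, the first summary an analyst wants from the table."""
    return dict(Counter(r["alert"] for r in records))


if __name__ == "__main__":
    rows = parse_alerts(SAMPLE_ALERTS)
    for r in rows:
        print(f"{r['timestamp']}  {r['src_ip']} -> {r['dst_ip']}  {r['alert']}")
    print(summarize(rows))
```

Feeding the real console output of the snort command to parse_alerts and comparing the row count with the number of rows Barnyard wrote to mysql is a quick check that no alerts were lost between Snort and the database.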

Haresh S. Kurade FW20CO002 CS Exp.9

Conclusion :-
Thus, in this experiment we learnt about Intrusion Detection System. We have
seen how this works and how it gives information of each and every activity. We have
practically used and demonstrated Snort.
