Exploring the latest version of Snort
Improved Features
One of the problems that has plagued Snort is that, when it crashes, it can lose significant amounts of data. As a penetration tester, I've known for years that one of the first things you consider is how to crash a network's intrusion detection system. I'm not saying that Snort is now harder to crash, but Snort now has improved signal handling that lets it lose less data, or even none at all, when it does crash. So, if Snort receives a SIGABRT (abort signal) or, worse, a SIGBUS (bus error signal), it will lose less of what it has already captured.
Another important improvement is that Snort now has the ability to read and parse the SSL/TLS handshake that an SMTP session negotiates (via STARTTLS) before the authentication sequence. SMTP is one of the most often-attacked protocols today, and Snort can identify whether an attacker is trying to manipulate the SSL session. Many times, an attacker will try to insert part of the SSL handshake sequence out of order, which can cause some email servers to crash or, worse, cause the authentication sequence to fail, with the result that the attacker gains control of the SMTP server. Snort now has the ability to identify this form of attack.
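The out-of-order handshake described above comes down to knowing where the SMTP session is when TLS bytes show up. The following tracker is an added example, not code from the article or from Snort's SMTP preprocessor. It keeps a small state machine per session (banner, EHLO, STARTTLS, server 220, then TLS records only) and flags three anomalies: TLS record bytes arriving before the server has accepted STARTTLS, cleartext SMTP continuing after the server said 220 to STARTTLS, and STARTTLS issued before EHLO. The session transcripts and the truncated TLS record headers are constructed for the example.

```python
"""Track SMTP STARTTLS ordering and flag out-of-order TLS handshake data."""
from dataclasses import dataclass, field

# TLS record content types: ChangeCipherSpec, Alert, Handshake, ApplicationData
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}


def looks_like_tls_record(data: bytes) -> bool:
    """True if data starts with a TLS record header (content type, major version 3)."""
    return len(data) >= 3 and data[0] in TLS_CONTENT_TYPES and data[1] == 0x03


@dataclass
class SmtpTlsTracker:
    ehlo_seen: bool = False
    starttls_pending: bool = False   # client sent STARTTLS, waiting for the reply
    tls_active: bool = False         # server accepted STARTTLS with a 220 reply
    alerts: list = field(default_factory=list)

    def feed(self, direction: str, data: bytes) -> None:
        """Consume one chunk of session data; direction is 'c2s' or 's2c'."""
        is_tls = looks_like_tls_record(data)
        if self.tls_active:
            # Once both sides agreed to switch, only TLS records are legitimate.
            if not is_tls:
                self.alerts.append(f"{direction}: cleartext SMTP after STARTTLS accepted: {data[:12]!r}")
            return
        if is_tls:
            # Handshake bytes while the session is still plaintext: somebody
            # injected part of the SSL sequence before the server agreed to it.
            self.alerts.append(f"{direction}: TLS record before STARTTLS was accepted")
            return
        if direction == "c2s":
            self._client_command(data)
        else:
            self._server_reply(data)

    def _client_command(self, data: bytes) -> None:
        cmd = data.split(b" ", 1)[0].strip().upper()
        if cmd in (b"EHLO", b"HELO"):
            self.ehlo_seen = True
        elif cmd == b"STARTTLS":
            if not self.ehlo_seen:
                self.alerts.append("c2s: STARTTLS before EHLO")
            if self.starttls_pending:
                self.alerts.append("c2s: duplicate STARTTLS before server reply")
            self.starttls_pending = True

    def _server_reply(self, data: bytes) -> None:
        try:
            code = int(data[:3])
        except ValueError:
            self.alerts.append(f"s2c: unparseable reply {data[:12]!r}")
            return
        if self.starttls_pending:
            self.starttls_pending = False
            if code == 220:          # "220 Ready to start TLS"
                self.tls_active = True


def analyze(session):
    """Run a list of (direction, bytes) chunks through the tracker and return alerts."""
    tracker = SmtpTlsTracker()
    for direction, data in session:
        tracker.feed(direction, data)
    return tracker.alerts


# Constructed transcripts. The TLS chunks are truncated record headers only.
CLIENT_HELLO = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"
SERVER_HELLO = b"\x16\x03\x03\x00\x4a\x02\x00\x00\x46\x03\x03"

NORMAL = [
    ("s2c", b"220 mail.example.test ESMTP\r\n"),
    ("c2s", b"EHLO client.example.test\r\n"),
    ("s2c", b"250-mail.example.test\r\n250 STARTTLS\r\n"),
    ("c2s", b"STARTTLS\r\n"),
    ("s2c", b"220 2.0.0 Ready to start TLS\r\n"),
    ("c2s", CLIENT_HELLO),
    ("s2c", SERVER_HELLO),
]
# A ClientHello fragment injected before the server has accepted STARTTLS.
INJECTED = NORMAL[:3] + [("c2s", CLIENT_HELLO)] + NORMAL[3:]
# Cleartext AUTH sent after the server already switched the session to TLS.
DOWNGRADE = NORMAL[:5] + [("c2s", b"AUTH PLAIN AGFsaWNlAHNlY3JldA==\r\n")]

if __name__ == "__main__":
    for name, session in (("normal", NORMAL), ("injected", INJECTED), ("downgrade", DOWNGRADE)):
        print(name, analyze(session))
```

The tracker only inspects record headers and reply codes; a real preprocessor would go on to parse the handshake messages themselves, but the ordering check is what turns "TLS bytes at the wrong time" into an alert.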
Third, Snort has improved its SMTP, POP3, and IMAP preprocessors. These improvements include the ability to inspect Multipurpose Internet Mail Extensions (MIME) message bodies to identify whether an attacker is manipulating the MIME structure or encoding.
Up until this latest version, Snort would try to inject active responses for various types of traffic, including UDP and other connectionless protocols, where a TCP reset makes no sense. The developers have now resolved this issue: Snort only injects packets when it identifies anomalies in TCP sessions.
Getting Snort Up and Sniffing
Snort can operate in three separate modes:
- Packet Logging – Snort puts the interface into promiscuous mode and logs each packet to disk. This mode is useful for long-term analysis of packets captured over an extended period. If you're worried that someone or some entity is scanning your network devices and you want to identify the pattern, this is the mode for you. Imagine being able to do a Hadoop-style analysis of packets to look for patterns over a period of months and see who is stealthily, slowly mapping your network.
- Sniffer – The simplest mode: Snort prints the packets from your sensor straight to your screen. This mode is useful for setting up and troubleshooting your system and for making sure Snort is actually seeing traffic. It is also useful when creating or editing Snort rules, to help identify false positives and other potential problems.
- Intrusion Detection – The most common mode, used for normal operations: Snort applies the rules in its configuration file to the traffic it captures and logs alerts.
Following are some simple examples for putting Snort into each mode. The flags used are -v (print packets), -d (dump application-layer data), -e (show link-layer headers), -l (log directory), -h (home network) and -c (configuration file). Note that the home network mask must match the address you give it; for a 10.49.50.0 network that is /24, not /8.
Running Snort at the command line in packet sniffing mode:
./snort -vde
Running Snort in packet logging mode:
./snort -dev -l /snort/logs/packetlog -h 10.49.50.0/24
Running Snort in intrusion detection mode:
./snort -dev -l ./log -h 10.49.50.0/24 -c snort.conf
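Packet logging mode is only as useful as the analysis you run over the logs afterwards. The following script is an added example, not code from the article or from the Snort project, of the kind of long-window analysis the packet logging description has in mind: it groups probes by source address and separates a slow, patient mapper from a noisy port scanner and from ordinary clients. It assumes a simplified one-line-per-packet format ("timestamp src dst dport") standing in for a decoded Snort packet log, and the 30-day sample log with addresses from the 10.49.50.0/24 network used above is constructed inside the script.

```python
"""Find slow, long-running network mapping in a packet log (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta


def _make_sample_log() -> str:
    """Build a constructed 30-day log with three kinds of source behaviour."""
    start = datetime(2023, 1, 1, 0, 0, 0)
    lines = []
    # Normal client: the same service, many times a day.
    for i in range(200):
        ts = start + timedelta(hours=3 * i)
        lines.append(f"{ts.isoformat()} 10.49.50.20 10.49.50.10 443")
    # Fast scanner: 40 ports on one host within a few seconds.
    for port in range(1, 41):
        ts = start + timedelta(days=5, seconds=port)
        lines.append(f"{ts.isoformat()} 10.49.50.99 10.49.50.10 {port}")
    # Slow scanner: one probe every ~9 hours, each to a new host/port pair.
    for i in range(80):
        ts = start + timedelta(hours=9 * i, minutes=i % 7)
        host = 10 + i % 25
        port = (i * 7) % 1024 + 1
        lines.append(f"{ts.isoformat()} 10.49.50.77 10.49.50.{host} {port}")
    return "\n".join(lines)


SAMPLE_LOG = _make_sample_log()


def parse_log(text: str):
    """Yield (timestamp, src, dst, dport) tuples from the simplified log format."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, dport = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport)


def classify_sources(records, min_targets=20, slow_rate_per_hour=1.0):
    """Group probes by source and label each as normal, fast-scan or slow-scan.

    A source counts as a scanner once it has touched at least min_targets
    distinct (dst, port) pairs; it is a slow scanner when those touches are
    spread so thinly over time that the average rate stays under
    slow_rate_per_hour. Thresholds are assumptions for the example.
    """
    targets = defaultdict(set)
    first_seen, last_seen = {}, {}
    for ts, src, dst, dport in records:
        targets[src].add((dst, dport))
        first_seen[src] = min(first_seen.get(src, ts), ts)
        last_seen[src] = max(last_seen.get(src, ts), ts)
    result = {}
    for src, pairs in targets.items():
        span_hours = (last_seen[src] - first_seen[src]).total_seconds() / 3600
        n = len(pairs)
        rate = n / span_hours if span_hours > 0 else float("inf")
        if n < min_targets:
            label = "normal"
        elif rate < slow_rate_per_hour:
            label = "slow-scan"
        else:
            label = "fast-scan"
        result[src] = {"targets": n, "span_hours": round(span_hours, 1),
                       "rate_per_hour": rate, "label": label}
    return result


def slow_scanners(text: str = SAMPLE_LOG):
    """Return the sources labelled slow-scan, sorted for stable output."""
    return sorted(src for src, stats in classify_sources(parse_log(text)).items()
                  if stats["label"] == "slow-scan")


if __name__ == "__main__":
    for src, stats in sorted(classify_sources(parse_log(SAMPLE_LOG)).items()):
        print(src, stats)
```

The point of the rate test is that a per-minute or per-hour threshold alone never fires on the slow mapper; only counting distinct targets across the whole retained window does, which is exactly why keeping packet logs for months matters.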
Installing Foundational Libraries
Before you get going with configuring Snort, you first need to install some foundational libraries and applications. It is particularly important to set up these prerequisite components if you install Snort from source.
First, you will need both Flex and Bison, which you can install using RPM, apt-get, or whatever package installation tool your system prefers.
You will also need Libdnet, which Snort's DAQ layer uses for low-level networking routines such as packet construction and injection (packet capture itself is handled by libpcap). As with Snort and DAQ, I prefer using tarballs rather than pre-created packages. If your Linux system doesn't have the proper version of Libdnet installed, you can obtain Libdnet from several resources [3] [4].