Exploring the latest version of Snort

Improved Features

One of the problems that has plagued Snort is that, when it crashes, it can lose significant amounts of data. As a penetration tester, I've known for years that one of the first things you consider is how to crash a network's intrusion detection system. I'm not saying that Snort is now harder to crash, but Snort now has enhanced programming that allows it to lose less data – or even no data at all – when it actually does crash. So, if Snort receives a SIGABRT (abort) signal or, worse, a SIGBUS (bus error) signal, Snort will lose less data.

Another important improvement is that Snort now has the ability to read and parse the SSL handshake during SMTP authentication sequences. SMTP is one of the most often-attacked protocols today, and Snort can identify if an attacker is trying to manipulate the SSL session. Many times, an attacker will try to insert a part of the SSL sequence, which creates an out-of-order error that can cause some email servers to crash, or even worse, cause the authentication sequence to fail. The result is that the attacker gains control of the SMTP server. Snort now has the ability to identify this form of attack.

Third, Snort has improved SMTP, POP3, and IMAP features. These features include the ability to inspect the Multipurpose Internet Mail Extensions (MIME) protocol to identify whether an attacker is manipulating the protocol.

Up until this latest version, Snort would try to inject active responses for various types of traffic, including UDP and other connectionless protocols. The developers have now resolved this issue. Snort now only injects packets when it identifies anomalies associated with TCP.

Getting Snort Up and Sniffing?

Snort can operate in three separate modes:

  • Packet Logging – Snort goes into promiscuous mode, then logs each individual packet to the disk. This mode is useful if you wish to do long-term analysis of packets you have captured over a long period of time. If you're worried that someone or some entity is scanning your network devices, and you want to identify that pattern, this is the mode for you. Imagine being able to do a Hadoop-style analysis of packets to look for patterns over a period of months and see who is stealthily, slowly mapping your network.
  • Sniffer – This simplest mode causes Snort to place the packets from your sensor right onto your screen. This mode is useful for setting up and troubleshooting your system. Sniffer mode is good for making sure Snort is working. Also, this mode is useful when creating or editing Snort rules to help identify false positives and other potential problems.
  • Intrusion Detection – The most common Snort mode, used for normal operations.

Following are some simple examples for putting Snort into each mode.

Running Snort at the command line in packet sniffing mode:

./snort -vde

Running Snort in packet logging mode:

./snort -dev -l /snort/logs/packetlog -h

Running Snort in intrusion detection mode:

./snort -dev -l ./log -h -c snort.conf
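
The long-term analysis that packet logging mode makes possible can be sketched as follows. This is an added example, not code from the article or from Snort; it assumes the logged packets have already been reduced to (timestamp, source, destination, destination port) records, and the function name, thresholds and sample data are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def slow_scanners(records, min_targets=20, min_span_days=14, max_new_per_day=3):
    """Flag sources that keep touching new (host, port) targets at a low daily rate.

    records: iterable of (iso_timestamp, src_ip, dst_ip, dst_port) tuples,
    assumed to have been extracted from the logged packets beforehand.
    """
    first_seen = defaultdict(dict)  # src -> {(dst, port): date first contacted}
    for ts, src, dst, dport in sorted(records):  # ISO timestamps sort chronologically
        day = datetime.fromisoformat(ts).date()
        first_seen[src].setdefault((dst, dport), day)

    findings = []
    for src, targets in first_seen.items():
        new_per_day = defaultdict(int)  # date -> number of never-before-seen targets
        for day in targets.values():
            new_per_day[day] += 1
        span = (max(new_per_day) - min(new_per_day)).days
        # Many distinct targets, spread over weeks, never enough in one day
        # to trip a short-window portscan threshold.
        if (len(targets) >= min_targets and span >= min_span_days
                and max(new_per_day.values()) <= max_new_per_day):
            findings.append((src, len(targets), span))
    return sorted(findings)


def sample_records():
    """Constructed sample data (documentation address ranges), not a real capture."""
    start = datetime(2024, 1, 1, 3, 0, 0)
    rows = []
    for d in range(30):
        ts = (start + timedelta(days=d)).isoformat()
        rows.append((ts, "203.0.113.7", f"10.0.0.{d + 1}", 22))  # one new host per day
        rows.append((ts, "192.0.2.15", "10.0.0.5", 443))         # ordinary repeat client
    burst = start.isoformat()
    rows += [(burst, "198.51.100.9", f"10.0.0.{h}", 80) for h in range(1, 41)]  # one-day sweep
    return rows


if __name__ == "__main__":
    for src, n, span in slow_scanners(sample_records()):
        print(f"{src}: {n} distinct targets over {span} days")
```

The one-day sweep is deliberately left to short-window portscan detection; only the source that spreads its probes across weeks is reported here.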

Installing Foundational Libraries

Before you get going with configuring Snort, you first need to install some foundational libraries and applications. It is particularly important to set up these prerequisite components if you install Snort from source.

First, you will need both Flex and Bison, which you can install using RPM, apt-get, or whatever package installation tool your system prefers.

You will also need Libdnet, which provides necessary support for packet capture. As with Snort and DAQ, I prefer using tarballs rather than pre-created packages. If your Linux system doesn't have the proper version of Libdnet installed, you can obtain Libdnet from several resources [3] [4].
