Improved Features

One of the problems that has plagued Snort is that, when it crashes, it can lose significant amounts of data. As a penetration tester, I've known for years that one of the first things you consider is how to crash a network's intrusion detection system. I'm not saying that Snort is now harder to crash, but Snort now has enhanced programming that allows it to lose less data  – or even no data at all – when it actually does crash. So, if Snort encounters a SIGABRT (signal abort) request or, worse, a SIGBUS (signal bus error) alert, Snort will lose less data.

Another important improvement is that Snort now has the ability to read and parse the SSL handshake during SMTP authentication sequences. SMTP is one of the most often-attacked protocols today, and Snort can identify if an attacker is trying to manipulate the SSL session. Many times, an attacker will try to insert a part of the SSL sequence, which creates an out-of-order error that can cause some email servers to crash, or even worse, cause the authentication sequence to fail. The result is that the attacker gains control of the SMTP server. Snort now has the ability to identify this form of attack.

Third, Snort has improved SMTP, POP3, and IMAP features. These features include the ability to inspect the Multipurpose Internet Mail Extensions (MIME) protocol to identify whether an attacker is manipulating the protocol.

Up until this latest version, Snort would try to inject active responses for various types of traffic, including UDP and other connectionless protocols. The developers have now resolved this issue. Snort now only injects packets when it identifies anomalies associated with TCP.

Getting Snort Up and Sniffing?

Snort can operate in three separate modes:

• Packet Logging – Snort goes into promiscuous mode, then logs each individual packet to the disk. This mode is useful if you wish to do long-term analysis of packets you have captured over a long period of time. If you're worried that someone or some entity is scanning your network devices, and you want to identify that pattern, this is the mode for you. Imagine being able to do a Hadoop-style analysis of packets to look for patterns over a period of months and see who is stealthily, slowly mapping your network.
• Sniffer – This simplest mode causes Snort to place the packets your from sensor right onto your screen. This mode is useful for setting up and troubleshooting your system. Sniffer mode is good for making sure Snort is working. Also, this mode is useful when creating or editing Snort rules to help identify false positives and other potential problems.
• Intrusion Detection – The most common Snort mode is used for normal operations.

Following are some simple examples for putting Snort into each mode: Running Snort at the command line in packet sniffing mode:

./snort -vde

Running Snort in packet logging mode:

./snort -dev -l /snort/logs/packetlog -h 10.49.50.0/8

Running Snort in intrusion detection mode:

./snort -dev -l ./log -h 10.49.50.0/8 -c snort.conf

Installing Foundational Libraries

Before you get going with configuring Snort, you first need to install some foundational libraries and applications. It is particularly important to set up these prerequisite components if you install Snort from source.

First, you will need both Flex and Bison, which you can install using RPM, apt-get, or whatever package installation tool your system prefers.

You will also need Libdnet, which provides necessary support for packet capture. As with Snort and DAQ, I prefer using tarballs rather than pre-created packages. If your Linux system doesn't have the proper version of Libdnet installed, you can obtain Libnet from several resources [3] [4].