# Snort Fundamentals Snort is an open-source tool functioning as an Intrusion Detection System (IDS) and Intrusion Prevention System (IPS). It can also act as a packet logger or sniffer. Snort inspects all network traffic and can log every activity, providing visibility and comprehensive logging at the application layer. Specific rule sets direct Snort on what to inspect and identify. #### Snort Operation Modes Snort operates in several modes: 1. **Inline IDS/IPS**: Enables active traffic blocking in IPS mode. 2. **Passive IDS**: Observes and logs traffic without blocking. 3. **Network-based IDS**: Monitors network traffic from multiple hosts. 4. **Host-based IDS**: Rarely used for Snort; specialized tools are preferable. **DAQ (Data Acquisition)**: * Snort uses DAQ modules to interface with network data sources. * Modes: * **Passive**: Observes traffic but doesn’t block it. * **Inline**: Blocks traffic in specific scenarios (e.g., `-Q` flag with `afpacket` DAQ). #### Snort Architecture 1. **Packet Sniffer**: Decodes network traffic, forwarding packets to Preprocessors. 2. **Preprocessors**: Analyze packet types and behaviors. Configured in `snort.lua`, these modules perform tasks such as detecting HTTP traffic or scanning. 3. **Detection Engine**: Matches packets against Snort rules. 4. **Logging and Alerting**: Logs matched packets, typically in syslog or databases, managed by Output plugins in `snort.lua`. #### Snort Configuration **Configuration Files**: * `snort.lua`: Main configuration file for Snort, with sections for network variables, decoders, detection engines, and output configurations. * **Default Configurations**: Provided by `snort_defaults.lua`, this file initializes default configurations. To view or edit the configuration file: ``` sudo more /root/snorty/etc/snort/snort.lua ``` #### Validating Snort Configuration To validate configuration: ``` sudo snort -c /root/snorty/etc/snort/snort.lua --daq-dir /usr/local/lib/daq ``` #### Snort Inputs #### Running Snort on PCAP Files To observe Snort’s behavior with a PCAP file: ``` sudo snort -c /root/snorty/etc/snort/snort.lua --daq-dir /usr/local/lib/daq -r /path/to/pcapfile.pcap ``` #### Running Snort on an Active Network Interface To actively monitor network traffic: ``` sudo snort -c /root/snorty/etc/snort/snort.lua --daq-dir /usr/local/lib/daq -i interface_name ``` #### Snort Rules Snort rules consist of headers and options. They can be configured within `snort.lua` under the `ips` section: ``` ips = { { variables = default_variables, include = '/path/to/rules/file.rules' } } ``` #### Loading Rules via Command Line 1. **Single File**: `-R /path/to/rules/file.rules` 2. **Directory of Rules**: `--rule-path /path/to/rules` #### Snort Outputs Snort provides various output types for alerting and statistics: 1. **Basic Statistics**: Summarizes packet counts, activity counts, file statistics, and runtime performance. 2. **Alert Outputs**: * `-A cmg`: Combines fast alerting with packet headers and payload. * `-A u2`: Unified2 binary format, used for post-processing. * `-A csv`: CSV format output. 3. **Performance Statistics**: Tracks runtime performance, providing memory and CPU utilization details, helpful for optimizing system performance. To list available output plugins: ``` snort --list-plugins | grep logger ``` Example of `-A cmg` alert output: ``` sudo snort -c /root/snorty/etc/snort/snort.lua --daq-dir /usr/local/lib/daq -r /path/to/pcapfile.pcap -A cmg ``` #### Snort Key Features 1. Deep packet inspection and logging. 2. Real-time intrusion detection. 3. Network security monitoring. 4. Support for IPv4 and IPv6 traffic. 5. Anomaly detection and multi-tenant support.