Installing Snort 2.9.7.x on Ubuntu – Part 3: Writing and Testing a Single Rule With Snort
UPDATE: Snort 2.9.9.x has been released. Please see the updated series of articles here or my quick install guide here.
I am leaving this older guide online for anyone who wants to install this older version of Snort on Ubuntu, but you really should be using the updated guide for the 2.9.9.x version of Snort, since support for older versions of Snort are set to expire, and the updated guide is kept more up to date and includes BASE instead of Snorby for a Web GUI.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Installing Snort
- Configure Snort to Run as a NIDS
- Writing and Testing a Single Rule With Snort
- Installing Barnyard2
- Installing PulledPork
- Installing BASE
- Creating Startup Scripts
- Conclusion
Overview
In the previous two articles in this series, we installed Snort an configured it to run as a NIDS. In this article, we are going to create a rule which causes Snort to generate an alert whenever it sees an ICMP message. If you want, you can skip this section, as it is not required to get a Snort NIDS up and running, but it will help you to gain a better understanding of how Snort rules are created and loaded.
Onward
In the previous article, we created the /etc/snort/rules/local.rules file and left it empty. We also edited the snort.conf file to load this file (when we un-commented the line: include $RULE_PATH/local.rules in snort.conf). When Snort starts, it will use the #include directive in snort.conf to load all rules in local.rules. The local.rules file is a place where we can place rules that are specific to our environment, and is great for testing.
First, we need to edit the local.rules file:
sudo vi /etc/snort/rules/local.rules
input the following text and save the file:
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)
What this rule says is that for any ICMP packets it sees from any network to our HOME_NET, generate an alert with the text ICMP test.
Since we have made changes to the files that snort loads, it is a good idea to test the configuration file again:
sudo snort -T -c /etc/snort/snort.conf
If sucessful, you should be able to scroll up through the output and see that Snort has loaded our rule:
+++++++++++++++++++++++++++++++++++++++++++++++++++ Initializing rule chains... 1 Snort rules read 1 detection rules 0 decoder rules 0 preprocessor rules 1 Option Chains linked into 1 Chain Headers 0 Dynamic rules +++++++++++++++++++++++++++++++++++++++++++++++++++ +-------------------[Rule Port Counts]--------------------------------------- | tcp udp icmp ip | src 0 0 0 0 | dst 0 0 0 0 | any 0 0 1 0 | nc 0 0 1 0 | s+d 0 0 0 0 +----------------------------------------------------------------------------
Now to test the rule. We need to verify that Snort generates an alert when it processes an ICMP packet. We will launch Snort with the following options:
-A console the console option prints fast mode alerts to stdout -q Quiet. Don't show banner and status report. -u snort run snort as the following user after startup -g snort run snort as the following group after startup -c /etc/snort/snort.conf the path to our snort.conf file -i eth0 the interface to listen on
Run Snort with the command below, modifying the parameters as required specific for your configuration:
sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
Note: If you are running Ubuntu 15.10, remember that your interface name is not eth0.
Once you have started Snort with the above command, you need use another computer or another terminal window to ping the interface that you directed Snort to listen on. You should see output similar to the below on the terminal of the Snort machine:
10/31-02:27:19.663643 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.74 -> 10.0.0.64 10/31-02:27:19.663675 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.64 -> 10.0.0.74 10/31-02:27:20.658378 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.74 -> 10.0.0.64 10/31-02:27:20.658404 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.64 -> 10.0.0.74 10/31-02:27:21.766521 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.74 -> 10.0.0.64 10/31-02:27:21.766551 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.64 -> 10.0.0.74 10/31-02:27:22.766167 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.74 -> 10.0.0.64 10/31-02:27:22.766197 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.64 -> 10.0.0.74 ^C*** Caught Int-Signal
You have to use ctrl-c to stop snort from running after the above output. What the above example shows is the 4 ICMP Echo Request and Reply messages between our Snort server (IP 10.0.0.64) and our other machine (10.0.0.74). If you look in /var/log/snort, you will also see a file with the name snort.log.nnnnnnnnnn (the n’s are replaced by numbers), which contains the same information that Snort printed to the screen.
Congratulations, if you have output similar to the above then you have successfully created a rule for Snort to alert on. Continue to the next section to Install Barnyard2.
Comments are Disabled