Installing Snort 2.9.7.x on Ubuntu – Part 3: Writing and Testing a Single Rule With Snort

UPDATE: Snort 2.9.9.x has been released. Please see the updated series of articles here or my quick install guide here.

I am leaving this older guide online for anyone who wants to install this older version of Snort on Ubuntu, but you really should be using the updated guide for the 2.9.9.x version of Snort, since support for older versions of Snort are set to expire, and the updated guide is kept more up to date and includes BASE instead of Snorby for a Web GUI.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  1. Installing Snort
  2. Configure Snort to Run as a NIDS
  3. Writing and Testing a Single Rule With Snort
  4. Installing Barnyard2
  5. Installing PulledPork
  6. Installing BASE
  7. Creating Startup Scripts
  8. Conclusion

Overview

In the previous two articles in this series, we installed Snort an configured it to run as a NIDS. In this article, we are going to create a rule which causes Snort to generate an alert whenever it sees an ICMP message. If you want, you can skip this section, as it is not required to get a Snort NIDS up and running, but it will help you to gain a better understanding of how Snort rules are created and loaded.

Onward

In the previous article, we created the /etc/snort/rules/local.rules file and left it empty. We also edited the snort.conf file to load this file (when we un-commented the line: include $RULE_PATH/local.rules in snort.conf). When Snort starts, it will use the #include directive in snort.conf to load all rules in local.rules. The local.rules file is a place where we can place rules that are specific to our environment, and is great for testing.

First, we need to edit the local.rules file:

sudo vi /etc/snort/rules/local.rules

input the following text and save the file:

alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)

What this rule says is that for any ICMP packets it sees from any network to our HOME_NET, generate an alert with the text ICMP test.

Since we have made changes to the files that snort loads, it is a good idea to test the configuration file again:

sudo snort -T -c /etc/snort/snort.conf

If sucessful, you should be able to scroll up through the output and see that Snort has loaded our rule:

		+++++++++++++++++++++++++++++++++++++++++++++++++++
		Initializing rule chains...
		1 Snort rules read
			1 detection rules
			0 decoder rules
			0 preprocessor rules
		1 Option Chains linked into 1 Chain Headers
		0 Dynamic rules
		+++++++++++++++++++++++++++++++++++++++++++++++++++

		+-------------------[Rule Port Counts]---------------------------------------
		|             tcp     udp    icmp      ip
		|     src       0       0       0       0
		|     dst       0       0       0       0
		|     any       0       0       1       0
		|      nc       0       0       1       0
		|     s+d       0       0       0       0
		+----------------------------------------------------------------------------

Now to test the rule.  We need to verify that Snort generates an alert when it processes an ICMP packet. We will launch Snort with the following options:

-A console                    the console option prints fast mode alerts to stdout
-q                            Quiet. Don't show banner and status report.
-u snort                      run snort as the following user after startup
-g snort                      run snort as the following group after startup
-c /etc/snort/snort.conf      the path to our snort.conf file
-i eth0                       the interface to listen on

Run Snort with the command below, modifying the parameters as required specific for your configuration:

sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Note: If you are running Ubuntu 15.10, remember that your interface name is not eth0.

Once you have started Snort with the above command, you need use another computer or another terminal window to ping the interface that you directed Snort to listen on.  You should see output similar to the below on the terminal of the Snort machine:

10/31-02:27:19.663643  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.74 -> 10.0.0.64
10/31-02:27:19.663675  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.64 -> 10.0.0.74
10/31-02:27:20.658378  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.74 -> 10.0.0.64
10/31-02:27:20.658404  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.64 -> 10.0.0.74
10/31-02:27:21.766521  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.74 -> 10.0.0.64
10/31-02:27:21.766551  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.64 -> 10.0.0.74
10/31-02:27:22.766167  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.74 -> 10.0.0.64
10/31-02:27:22.766197  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.64 -> 10.0.0.74
^C*** Caught Int-Signal

You have to use ctrl-c to stop snort from running after the above output. What the above example shows is the 4 ICMP Echo Request and Reply messages between our Snort server (IP 10.0.0.64) and our other machine (10.0.0.74). If you look in /var/log/snort, you will also see a file with the name snort.log.nnnnnnnnnn (the n’s are replaced by numbers), which contains the same information that Snort printed to the screen.

Congratulations, if you have output similar to the above then you have successfully created a rule for Snort to alert on. Continue to the next section to Install Barnyard2.

Comments are Disabled