Snort is one of the most widely used tools for protecting systems and networks from threats and attacks. Used properly, it identifies suspicious patterns and behaviours in traffic and raises early alerts so that you can respond before damage is done. To get the most out of it, though, you need to understand how to write and use Snort rules effectively. This article covers what Snort is, its operating modes, how rules are structured, worked rule examples, and typical usage.
What is Snort?
Snort is an open-source intrusion detection and intrusion prevention system (IDS/IPS) that monitors and analyses network traffic in real time to identify, and optionally block, potential security breaches. It was created in 1998 by Martin Roesch and has been one of the most widely deployed IDS/IPS tools since then.
Snort is designed to watch a network for suspicious activity and alert administrators so they can investigate and respond. It decodes each packet and compares it against a set of rules to spot patterns or behaviours that indicate an intrusion or attack attempt. Run inline, Snort can also drop or reject the offending traffic before it reaches its target, which is what makes it an intrusion prevention system rather than only a detection system.
Furthermore, Snort’s versatility and extensibility allow users to customize the program by creating and modifying their own rules to meet their security needs. It’s compatible with various operating systems, including Windows, Linux, and macOS, and conveniently integrates with other security monitoring tools and platforms.
Now that we know what Snort is and how it works, let’s check out the Snort rules, examples, and usage.
What Are the Main Modes of Snort?
Snort has three main operating modes. The mode decides what Snort does with the packets it captures: print them to the console, log them to disk, or evaluate them against rules and generate alerts.
1. Sniffer Mode
In this mode Snort behaves like a packet sniffer such as tcpdump: it captures packets as they pass and prints the decoded headers (and, with the right flags, the payload) to the console. No rules are evaluated, so sniffer mode produces no alerts and does no intrusion detection; it is a way to confirm that Snort sees the traffic you expect on the interface before you move on to logging or detection.
Sniffer mode is a quick way to check what Snort sees. The common flag combinations are:
- Print the IP and TCP/UDP/ICMP headers of each packet to the console: ./snort -v
- Also print the application-layer payload of each packet: ./snort -vd
- Also print the data-link (Ethernet) headers, which is the fullest output: ./snort -vde (the flags can equally be given separately, as ./snort -d -v -e)
2. Logging Mode
In packet logger mode Snort writes the packets it captures to disk instead of printing them to the console. No rules are evaluated, so it produces no alerts; it is useful for keeping a record of traffic that you can inspect later or replay through Snort's detection engine. Logging every packet is I/O-intensive on a busy link, so restrict it to the hosts or ports you care about.
The -l option names the logging directory, which must already exist. Assuming you have created a directory called log, the following command logs decoded packets there, using -h to declare 192.168.1.0/24 as the home network so that the log files are organised by the address of the remote host: ./snort -dev -l ./log -h 192.168.1.0/24. Adding -b switches to compact binary (tcpdump/pcap) logging, which is faster and produces files that Snort can read back with -r.
3. Network Intrusion Detection Mode
This is Snort's main mode of operation: it applies the rules loaded from the configuration file given with -c to the traffic it sees and generates alerts in real time when a rule matches. Without a configuration file no rules are loaded, and Snort is just sniffing or logging.
In this mode Snort can detect port scans, malware command-and-control traffic, web attacks such as SQL injection, and many other intrusions. Detection on its own only raises an alert; to block traffic from a given address or port, Snort must run inline (IPS mode) with rules that use the drop or reject actions instead of alert.
Steps on How to Write Snort Rules
Writing effective Snort rules requires a good understanding of network protocols and of the threats you are looking for, plus the ability to analyse traffic so that you can identify a pattern that is present in the attack and absent from normal use. Start with simple rules, test them against captured traffic (Snort can read a pcap file with -r), and refine them as you learn. The basic steps are:
1. Define the Protocol
First, pick the protocol the rule should match: tcp, udp, icmp or ip (the last matches any IP packet regardless of transport protocol).
2. Determine the Direction
Next, decide which way the traffic flows. The header uses -> to mean that the address and port on the left are the source and those on the right the destination, and <> to match in both directions. There is no <- operator: to match replies from a server to a client, put the server on the left of ->, or use <> if both directions matter.
3. Determine the Source and Destination IP Addresses and Ports
Then specify the source and destination IP addresses and ports. Each can be a single value, a CIDR block or port range, a bracketed comma-separated list, a configuration variable such as $HOME_NET or $HTTP_PORTS, or any to match everything; a leading ! negates the match. Narrowing the addresses and ports is the cheapest way to cut false positives and reduce the work the detection engine does.
4. Define the Rule Options
Lastly, write the options in parentheses after the header. These decide when the rule fires and what it reports: content matches a text or hex byte pattern, with modifiers such as nocase, offset, depth, distance and within; pcre matches a regular expression; flow restricts the rule to a direction and state of the TCP session; classtype and priority categorise the alert; detection_filter (and the older threshold option) limit how often it fires; and msg, sid and rev give the alert text, the unique rule identifier (sid is required, and local rules use 1000000 and above) and the revision number.
Snort Rule Header
The Snort rule header is everything before the opening parenthesis, and it always has the same layout: action, protocol, source IP, source port, direction operator, destination IP, destination port. Its parts are:
1. Rule Action
The action says what Snort does when the rule matches. The classic Snort 2 actions are alert (generate an alert and log the packet), log (log the packet without alerting), pass (ignore the packet, useful for whitelisting), and the now-deprecated activate and dynamic pair. When Snort runs inline as an IPS, drop, reject and sdrop are available as well: drop discards the packet and logs it, reject discards it and sends a TCP reset or ICMP unreachable, and sdrop discards it silently. The most common action is alert; the alert goes to whatever output you configured (the alert file, syslog, unified2 for a SIEM), not directly to an administrator.
2. Protocol
The transport or network protocol the rule applies to: tcp, udp, icmp or ip (ip matches any IP protocol). It is not an address; the addresses come next.
3. Source IP Address
The address the traffic must come from. Use a single address, a CIDR block such as 192.168.1.0/24, a bracketed comma-separated list, a variable defined in the configuration such as $HOME_NET or $EXTERNAL_NET, or any for every source. A leading ! negates the match.
4. Source Port
The port the traffic must come from. Port specifications accept a single port, a range such as 1:1024 (leaving out a bound means from the lowest or to the highest port), a bracketed list, a variable such as $HTTP_PORTS, negation with !, or any. Valid TCP and UDP port numbers run from 0 to 65535, so any covers all 65,536 of them. Client-side source ports are ephemeral and unpredictable, which is why rules usually say any here.
5. Direction
The operator between the two endpoints. -> means the left side is the source and the right side the destination; <> makes the rule bidirectional. There is no <- operator: to match traffic flowing the other way, swap the two sides.
6. Destination IP Address
The address the traffic must be going to, written with the same syntax as the source address.
7. Destination Port
The port on the destination host, written with the same syntax as the source port. For a service rule this is typically the well-known port (80 for HTTP, 53 for DNS) or a variable such as $HTTP_PORTS.
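To make the header and option layout concrete, here is an added example in Python, written for this article and not code from the Snort project: a small parser that splits a rule into its header fields and option list and rejects the mistakes that trip people up, including the non-existent <- direction, a port above 65535, a missing sid, and word-processor quotes pasted from a web page. The grammars it checks are a simplified version of Snort 2's (IPv6 addresses and nested lists are not handled), and the function and class names are my own.

```python
# Added example (not from the original article): parse and sanity-check a Snort 2
# rule header and its option list. Names and the simplified grammars are my own.
import re
from dataclasses import dataclass, field

RULE_ACTIONS = {"alert", "log", "pass", "activate", "dynamic",   # classic actions
                "drop", "reject", "sdrop"}                         # inline (IPS) actions
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
DIRECTIONS = {"->", "<>"}            # there is no "<-": swap the endpoints instead
# any, $VARIABLE, dotted IPv4 with optional CIDR, or a [bracketed,list]; "!" negates
_IP_RE = re.compile(r"^!?(any|\$\w+|\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?|\[[^\]]+\])$")
# any, $VARIABLE, N, N:M, N:, :M, or a [bracketed,list]; "!" negates
_PORT_RE = re.compile(r"^!?(any|\$\w+|\d+|\d+:\d*|:\d+|\[[^\]]+\])$")
_HEADER_RE = re.compile(
    r"^\s*(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>\S+)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$", re.S)
# Word-processor quotes copied from a web page make Snort reject the rule.
_SMART_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"})


@dataclass
class SnortRule:
    action: str
    proto: str
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str
    options: list = field(default_factory=list)   # (keyword, value) in rule order

    def option(self, keyword):
        """Every value given for keyword, e.g. rule.option("content")."""
        return [v for k, v in self.options if k == keyword]


def _split_options(body):
    """Split on ';' outside double quotes; a quoted or escaped ';' is data."""
    parts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and in_quote and i + 1 < len(body):
            cur.append(body[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def _port_ok(spec):
    return bool(_PORT_RE.match(spec)) and all(int(n) <= 65535 for n in re.findall(r"\d+", spec))


def parse_rule(text):
    """Parse one rule into a SnortRule; raise ValueError saying what is wrong."""
    m = _HEADER_RE.match(text.translate(_SMART_QUOTES).strip())
    if not m:
        raise ValueError("expected: action proto src_ip src_port dir dst_ip dst_port (options)")
    h = m.groupdict()
    if h["action"] not in RULE_ACTIONS:
        raise ValueError(f"unknown rule action {h['action']!r}")
    if h["proto"] not in PROTOCOLS:
        raise ValueError(f"unknown protocol {h['proto']!r}")
    if h["dir"] not in DIRECTIONS:
        raise ValueError(f"bad direction {h['dir']!r}: use -> or <> (there is no <-)")
    for label, val in (("source IP", h["src"]), ("destination IP", h["dst"])):
        if not _IP_RE.match(val):
            raise ValueError(f"bad {label} {val!r}")
    for label, val in (("source port", h["sport"]), ("destination port", h["dport"])):
        if not _port_ok(val):
            raise ValueError(f"bad {label} {val!r} (ports run 0-65535)")
    options = []
    for opt in _split_options(h["opts"]):
        key, sep, val = opt.partition(":")
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]                                      # unquote msg/content values
        options.append((key.strip(), val if sep else None))      # bare flags such as nocase -> None
    if not any(k == "sid" for k, _v in options):
        raise ValueError("every rule needs a sid (local rules use sid >= 1000000)")
    return SnortRule(h["action"], h["proto"], h["src"], h["sport"], h["dir"],
                     h["dst"], h["dport"], options)
```

Feeding it the rules from the next section is a useful habit before loading anything into a production sensor: the parser returns the header fields and an ordered option list for a good rule and a specific error for a bad one, which is quicker to read than the error Snort prints at startup.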
Snort Rules Examples
1. A Rule to Detect a Simple HTTP GET Request to a Certain Domain
This rule alerts when it sees an HTTP request on TCP port 80 whose method is GET and whose Host header is example.com. The http_method and http_host modifiers restrict each content match to the corresponding part of the normalised HTTP request, so they only work when the http_inspect preprocessor is enabled for that port; without it the rule never fires. As written it matches every GET to that host, so it is a template to build on rather than a detection in itself.
alert tcp any any -> any 80 (msg:"Possible HTTP GET request"; content:"GET"; http_method; content:"example.com"; http_host; sid:1000001; rev:1;)
2. A Rule to Detect a Suspicious User-Agent String
This rule alerts on a client-to-server TCP packet in an established session that contains a User-Agent header whose value starts with "curl/", a common choice for scripted reconnaissance and exploitation. |3a| and |2f| are hex escapes for the colon and slash characters, and nocase makes both matches case-insensitive. The two content matches are independent (each is searched from the start of the payload, so nothing ties "curl/" to the header), and curl is widely used legitimately by monitoring scripts and package tools, so expect noise in most environments.
alert tcp any any -> any any (msg:"Suspicious User-Agent detected"; flow:to_server,established; content:"User-Agent|3a| "; nocase; content:"curl|2f|"; nocase; sid:1000002; rev:1;)
3. A Rule to Detect a Specific Vulnerability in a Web Application
This rule alerts when a POST to /login.php carries username= and password= parameters and the packet contains a single quote, a classic sign of a SQL injection probe. Note what the rule does not do: each content is searched from the start of the payload independently, so the quote may appear anywhere in the packet rather than after the parameters (a user called O'Brien triggers it), and a URL-encoded quote (%27) is not matched at all. The relative modifiers distance and within, or the http_client_body modifier, are what tie the quote to the form body.
alert tcp any any -> any any (msg:"Possible SQL Injection attempt"; flow:to_server,established; content:"POST"; nocase; content:"/login.php"; nocase; content:"username="; nocase; content:"password="; nocase; content:"'"; sid:1000003; rev:1;)
4. A Rule to Detect a Suspicious DNS Query
This rule alerts on a UDP packet to port 53 (DNS) whose payload starts with the bytes 00 01 00 00 00 01 and also contains the string example.com. depth:6 limits the first content match to the first six bytes of the payload; those are the transaction ID, flags and question count fields of the DNS header, not the whole header (which is twelve bytes), so the pattern only matches a query whose transaction ID happens to be 0x0001 with no flags set, whereas a normal resolver query has a random ID and the recursion-desired flag. The second content needs care as well: in the DNS wire format a name is sent as length-prefixed labels (a 0x07 byte, example, a 0x03 byte, com, a zero byte), so the dotted string example.com never appears in a query and that match cannot succeed. Matching the labels as hex bytes, or using a DNS-aware rule option, is the fix.
alert udp any any -> any 53 (msg:"Suspicious DNS Query detected"; content:"|00 01 00 00 00 01|"; depth:6; content:"example.com"; nocase; sid:1000004; rev:1;)
5. A Rule to Detect a Known Malware Signature in Network Traffic
This rule alerts on a client-to-server TCP packet in an established session whose payload begins with the bytes 5a 4f 4f 4d 00 00 (the ASCII string ZOOM followed by two null bytes); depth:6 anchors the match to the first six bytes of the payload. The rule treats that sequence as a signature of command-and-control traffic from the Zeus botnet, malware used for banking fraud and other crime. Static byte signatures for a malware family are brittle and go stale as the malware changes, so in practice they are best taken from a maintained ruleset (such as the Snort Community or Talos rules) rather than hand-written from a single sample.
alert tcp any any -> any any (msg:"Possible Zeus Botnet C&C Traffic"; flow:established,to_server; content:"|5a 4f 4f 4d 00 00|"; depth:6; sid:1000005; rev:1;)
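The descriptions of rules 3 and 4 above depend on how content, nocase, depth, distance and within actually behave, so here is an added example, written for this article and not code from the Snort project, that models those Snort 2 content-matching semantics in Python and runs the two rules against constructed packets: a hand-built DNS query and two hand-built login POSTs. It shows that rule 4's dotted name never matches the wire format, that its six-byte header pattern only matches a very specific header, and that rule 3's unanchored single quote fires on a benign user name until the quote is tied to the password field with within. The matcher is a teaching model of the raw-payload case only; it does not implement Snort's HTTP normalisation or the http_* modifiers, and its function names are my own.

```python
# Added example (not from the original article): Snort content-matching semantics,
# modelled on the Snort 2 content/nocase/offset/depth/distance/within modifiers.
import struct


def decode_content(spec: str) -> bytes:
    """Decode a Snort content string: text outside |...| is literal, text inside
    |...| is hex byte values (spaces optional), and a backslash escapes the next
    character (\\" \\; \\\\)."""
    out, i = bytearray(), 0
    while i < len(spec):
        ch = spec[i]
        if ch == "|":
            end = spec.index("|", i + 1)
            out += bytes.fromhex(spec[i + 1:end].replace(" ", ""))
            i = end + 1
        elif ch == "\\" and i + 1 < len(spec):
            out.append(ord(spec[i + 1]))
            i += 2
        else:
            out.append(ord(ch))
            i += 1
    return bytes(out)


def find_content(buf, pat, *, nocase=False, offset=0, depth=None,
                 distance=None, within=None, cursor=0):
    """Search buf for pat the way one content option does. offset/depth count from
    the start of the payload; distance/within count from the end of the previous
    match (cursor). depth and within are the length of the search window, and the
    whole pattern must fit inside it. Returns (start, end) or None."""
    if distance is not None or within is not None:
        start = cursor + (distance or 0)
        end = start + within if within is not None else len(buf)
    else:
        start = offset
        end = offset + depth if depth is not None else len(buf)
    window, needle = buf[start:end], pat
    if nocase:
        window, needle = window.lower(), needle.lower()
    idx = window.find(needle)
    return None if idx < 0 else (start + idx, start + idx + len(pat))


def match_contents(buf, contents):
    """Evaluate a rule's content options in order; every one must match. The
    cursor moves to the end of each match so later distance/within are relative."""
    cursor = 0
    for spec, mods in contents:
        hit = find_content(buf, decode_content(spec), cursor=cursor, **mods)
        if hit is None:
            return False
        cursor = hit[1]
    return True


def dns_query(name, txid=1, flags=0):
    """Constructed sample: a minimal DNS A query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


# Rule 4 as written: the dotted name never appears in a DNS packet.
RULE4_AS_WRITTEN = [("|00 01 00 00 00 01|", {"depth": 6}), ("example.com", {"nocase": True})]
# The same rule with the name in wire format (length-prefixed labels).
RULE4_WIRE = [("|00 01 00 00 00 01|", {"depth": 6}), ("|07|example|03|com|00|", {"nocase": True})]


def check_dns_rules():
    quiet = dns_query("example.com")                              # txid 1, flags 0x0000
    normal = dns_query("example.com", txid=0x1234, flags=0x0100)  # random id, RD flag set
    return {
        "as_written": match_contents(quiet, RULE4_AS_WRITTEN),           # False: dotted name
        "wire_format": match_contents(quiet, RULE4_WIRE),                # True
        "wire_format_normal_query": match_contents(normal, RULE4_WIRE),  # False: header bytes differ
    }


def http_post(body):
    """Constructed sample: the kind of login POST that rule 3 targets."""
    return (b"POST /login.php HTTP/1.1\r\nHost: www.example.com\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n\r\n") + body.encode()


_PREFIX = [("POST", {"nocase": True}), ("/login.php", {"nocase": True}),
           ("username=", {"nocase": True}), ("password=", {"nocase": True})]
RULE3_AS_WRITTEN = _PREFIX + [("'", {})]             # the quote may be anywhere in the packet
RULE3_ANCHORED = _PREFIX + [("'", {"within": 64})]   # the quote must follow "password=" within 64 bytes


def check_http_rules():
    benign = http_post("username=o'brien&password=hunter2")
    attack = http_post("username=admin&password=x' OR '1'='1")
    return {
        "benign_as_written": match_contents(benign, RULE3_AS_WRITTEN),  # True: false positive
        "benign_anchored": match_contents(benign, RULE3_ANCHORED),      # False
        "attack_as_written": match_contents(attack, RULE3_AS_WRITTEN),  # True
        "attack_anchored": match_contents(attack, RULE3_ANCHORED),      # True
    }


if __name__ == "__main__":
    print(check_dns_rules())
    print(check_http_rules())
```

The design point is the cursor: a content option with no relative modifier is searched from the start of the payload every time, and only distance and within move the search window to just after the previous match. Anchoring the quote with within keeps the attack detection while dropping the O'Brien false positive; a real deployment would go further and use http_client_body so that the match is confined to the decoded form body.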
Uses of Snort Rules
To use Snort you must first install it on a host that can see the traffic of interest (a SPAN port, a network tap, or the host itself), then give it a configuration and a set of rules. You can start from the published rulesets (the free Community ruleset or a subscription ruleset), tune or disable the rules that do not fit your environment, and add your own local rules for what those do not cover. Typical purposes are:
1. Intrusion Detection
Snort is an intrusion detection system that monitors a network for malicious activity, including port scans, denial-of-service (DoS) attacks, and exploit attempts.
2. Packet Logging
Snort can be set up to log/record network traffic for troubleshooting and analysis.
3. Network Traffic Analysis
With Snort, you can analyse your network’s traffic and identify unusual behaviour, including unusual transfers of data or unexpected sudden spikes in network traffic.
4. Compliance Monitoring
Snort can monitor traffic for policy violations as well as attacks, for example with rules that alert on cleartext protocols, unapproved services, or traffic to destinations a policy forbids, which supports industry-specific compliance requirements.
Let’s talk
If you would like to learn more about how Sapphire can support your organisation’s cyber resilience, get in touch with us.