Protect your network with Snort

Whether meaning to be mischievous or malicious, hackers can wreak havoc on your network. Fortunately, Snort makes it easy to spot them and set up protection


Step 12

Intrusion detection mode

First, find the IP address of the machine running Snort with 'ifconfig' (or 'ip addr' on newer systems) and make a note of it. Now run './start_snort'. Extra startup information scrolls past this time because Snort is reading its configuration file and loading every rule file that the configuration references.

Step 13

Simulate an attack (Nmap)

We'll begin by carrying out a port scan of the machine running Snort with Nmap, a common first step in a typical intrusion attempt. From a different machine on your network, type 'nmap [IP address of Snort machine]'. Provided the configuration you loaded includes scan detection (the sfportscan preprocessor or the scan rules), a file called 'alert' should have appeared in the log folder. Examine it.


Step 14

Automatically start Snort

The method for launching a script at startup varies between distributions. On Upstart-era Ubuntu the article's suggestion is to link our 'start_snort' script into '/etc/init' by typing 'ln start_snort /etc/init/'. Be aware that '/etc/init' actually holds Upstart job definitions ('.conf' files), so a plain script linked there will not be started by itself; calling the script from '/etc/rc.local', or writing a small Upstart job (or, on systemd-based releases, a systemd unit) that executes it, is the dependable route. Whichever you choose, use fully qualified path names inside the script, because it will not run from your shell's working directory.

Step 15

Protect the network

Protecting an entire network requires either a dedicated Snort machine or a dedicated network adaptor on your server. This is because the network card must be put into promiscuous mode to capture all traffic on the segment, and that is the scenario we will work with here. Bear in mind that a normal switch only delivers a port the frames addressed to it plus broadcasts, so the monitoring card must hang off a hub or a switch port configured as a SPAN (mirror) port, otherwise promiscuous mode will show you nothing but your own traffic. Once you have installed the second card and rebooted the machine, determine the names of the two network interfaces by typing 'ifconfig'. In this example, the second network card is called 'eth1'. Now open '/etc/network/interfaces' in a text editor.

Step 16

Configure promiscuous mode

Add the following lines to the file: 'iface eth1 inet manual', 'up ifconfig $IFACE up', 'up ip link set $IFACE promisc on', 'down ip link set $IFACE promisc off', 'down ifconfig $IFACE down'. The 'manual' method brings the interface up without assigning it an address, which is exactly what a passive sensor port wants. Type 'sudo ifup eth1' to start the second Ethernet adaptor and physically plug it into your hub or the switch's mirror port.

Step 17

Test promiscuous mode

Type 'ifconfig' and eth1 should be listed without an IP address and with PROMISC among its flags ('ip link show eth1' reports the same flag). Now add 'sudo ifup eth1' to your Snort startup script and the flag '-i eth1' to the Snort launch command. When launched, Snort will now monitor all traffic that reaches that port, which on a mirror port means all traffic on your network.

Step 18

Create a simple Snort rule

For the sake of simplicity, we are going to add a rule to the configuration file rather than create a new rule file. As root, open snort.conf in a text editor and add the following line at the end of the file: 'alert tcp any any -> any 23 (msg:"telnet alert!"; sid:1000001; rev:1;)'. The rule header reads: raise an alert for TCP traffic from any address and port to any address on port 23. The options in brackets give the alert its message and a signature ID; Snort reserves SIDs below 1,000,000 for its own and vendor rules, so give your local rules a SID of 1,000,000 or higher (1000001 is just our first pick) and bump 'rev' whenever you change the rule.
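A local rule that will not load is only discovered when Snort refuses to start, so it pays to sanity-check rules before restarting the sensor. The following script is an added example, not code from the article or from the Snort project: it parses the rule header and options, and reports a malformed header, a missing 'msg' or 'sid', a duplicate 'gid:sid' pair, and any local rule whose SID falls in the range the Snort manual reserves (below 1,000,000). The rule text it runs over is constructed here for illustration and includes the article's original 'sid:1' rule beside the corrected one.

```python
"""Sanity-check a file of local Snort rules before restarting the sensor.

Added example; not code from the article or the Snort project.  It checks the
things that most often stop 'snort -c' from starting: a malformed header,
missing msg/sid options, duplicate gid:sid pairs, and local rules whose sid
sits in the range the Snort manual reserves (<100 reserved, 100-999999 for
shipped rules, >=1000000 for local rules)."""
import re

# action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

LOCAL_SID_MIN = 1_000_000

# Constructed sample, not a shipped ruleset: line 2 is the article's original
# rule with sid:1, line 3 the corrected version, then three deliberately bad rules.
SAMPLE_RULES = """\
# constructed local rules for the checker below
alert tcp any any -> any 23 (msg:"telnet alert!"; sid:1; )
alert tcp any any -> any 23 (msg:"telnet alert!"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"ssh to home net"; sid:1000001; rev:1;)
alert udp any any -> any 53 (sid:1000002;)
alert tcp any any -> any (msg:"broken header"; sid:1000003;)
"""


def parse_options(opts):
    """'msg:"x"; sid:1; rev:1;' -> {'msg': '"x"', 'sid': '1', 'rev': '1'}.

    Flag-style options without a value (e.g. 'nocase') map to None.  Snort
    requires a literal ';' inside a quoted string to be escaped, so a plain
    split on ';' is adequate for hand-written local rules."""
    result = {}
    for item in opts.split(";"):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition(":")
        result[key.strip()] = value.strip() if sep else None
    return result


def check_rules(text):
    """Return a list of (line_number, problem) tuples; an empty list means the rules look sane."""
    problems = []
    seen = {}  # (gid, sid) -> first line number
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            problems.append((n, "malformed rule header"))
            continue
        opts = parse_options(m.group("opts"))
        if "msg" not in opts:
            problems.append((n, "missing msg"))
        sid = opts.get("sid")
        if sid is None or not sid.isdigit():
            problems.append((n, "missing or non-numeric sid"))
            continue
        gid = opts.get("gid", "1")  # gid defaults to 1 for ordinary text rules
        key = (gid, int(sid))
        if key in seen:
            problems.append((n, f"duplicate gid:sid {gid}:{sid} (first at line {seen[key]})"))
        else:
            seen[key] = n
        if int(sid) < LOCAL_SID_MIN:
            problems.append((n, f"sid {sid} is in the reserved/vendor range; use >= {LOCAL_SID_MIN}"))
    return problems


if __name__ == "__main__":
    for line_no, problem in check_rules(SAMPLE_RULES):
        print(f"line {line_no}: {problem}")
```

Point it at '/etc/snort/rules/local.rules' (read the file into a string and pass it to check_rules) before each restart; a duplicate gid:sid in particular is fatal to Snort at start-up and is easy to introduce when copying a rule as a template.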

Step 19

Test simple rule

Launch Snort with 'snort -dev -l ./snort_logs -c /etc/snort.conf' (the '-v' prints every packet to the console, which is handy for a test but should be dropped from the startup script). From another machine, type 'telnet [IP address of Snort machine]'. If everything has worked, you should now have a new entry in the alert file. See the Snort manual for a full breakdown of the record, but open the file and check that the signature ID and message are the ones you wrote and that the source IP and destination IP and port look correct.

Step 20

Fetch extra rules

Get extra rules from the Snort website (free sign-up required). They belong in '/etc/snort/rules' and are enabled with an 'include' directive in snort.conf, one per rule file. The comprehensive selection is an excellent starting point for creating your own rules for dealing with, for example, application-specific exploits.

Step 21

Add CSV output module

Unless you know that you are going to feed the Snort alert log into another utility that expects the standard format, consider switching to CSV output so that you can sort and filter the data in a spreadsheet. Simply add the line 'output alert_csv: alert.csv default' to the end of the configuration file; 'default' selects the full set of fields, and the file is written to the log directory given with '-l'.


Step 22

Interpreting an attack

When an attack is logged, begin by looking up the source IP address with the 'whois' command or an online geolocation service to find the owning network and its abuse contact. Remember that a private (RFC 1918) source address means the traffic originated inside your own network or was translated by your router, and that a source address can be spoofed or belong to a compromised intermediate host. Note the destination port of the attack to work out which service or application is its target.

Step 23

Block an attack (part 1)

Block the IP address of the attacker as reported in the alert file. Obviously, the address can change, but the most common automated attacks tend to come from the same address for some time, so a block is a useful stopgap. Use the command 'iptables -A INPUT -s [attacker IP address] -j DROP'. Note that '-A' appends the rule to the end of the INPUT chain, so if an earlier rule already accepts the traffic the DROP will never be reached; 'iptables -I INPUT ...' inserts it at the top instead. Rules added this way are lost at reboot unless you save them (for example with 'iptables-save').

Step 24

Block an attack (part 2)

It's possible that an attack is targeting an unused or unimportant port on your server. Use 'iptables -A INPUT -p tcp --destination-port 80 -j DROP' to block a port, once you have determined that doing so will not harm the normal function of your system. To unblock a port or IP address, repeat the exact same rule with the '-D' switch in place of '-A'. Bear in mind that these rules only protect the machine they are entered on; to shield the other hosts on the network the block must be applied at the gateway or firewall.
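Steps 19, 22 and 23 all come down to reading the 'alert' file, pulling out the signature, source and destination of each record, and deciding whom to block. The script below is an added example, not code from the article or the Snort project: it parses Snort's full-format alert records, counts alerts per source address and per destination port, flags whether a source is inside your own network (where 'whois' will tell you nothing), and prints, without executing, the iptables commands for any source that keeps coming back. The alert text it runs over is constructed for the example rather than captured from a real sensor, and the repeat threshold is an arbitrary choice.

```python
"""Summarise Snort's full-format 'alert' file and suggest iptables blocks.

Added example; not code from the article or the Snort project.  The sample
records below are constructed, not captured, and follow the layout Snort
writes in full-alert mode: a '[**] [gid:sid:rev] msg [**]' header, an
optional classification/priority line, then 'timestamp src:port -> dst:port'
(ports are absent for ICMP).  IPv4 only."""
import ipaddress
import re
from collections import Counter

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
ADDR_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>[^\s:]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?$")

# Constructed sample: two Telnet hits from one LAN host (the article's rule,
# here with a local-range sid) and one ICMP record from another host.
SAMPLE_ALERT_FILE = """\
[**] [1:1000001:1] telnet alert! [**]
[Priority: 0] 
05/20-13:32:10.102930 192.168.1.50:52110 -> 192.168.1.10:23
TCP TTL:64 TOS:0x0 ID:54321 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0x7210  TcpLen: 40

[**] [1:1000001:1] telnet alert! [**]
[Priority: 0] 
05/20-13:32:15.551200 192.168.1.50:52111 -> 192.168.1.10:23
TCP TTL:64 TOS:0x0 ID:54322 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1A2B3C5E  Ack: 0x0  Win: 0x7210  TcpLen: 40

[**] [1:1000002:1] icmp echo seen [**]
[Priority: 0] 
05/20-13:33:01.000010 10.0.0.7 -> 192.168.1.10
ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:84
Type:8  Code:0  ID:1234   Seq:1  ECHO

"""


def parse_alerts(text):
    """Return one dict per record with gid, sid, rev, msg, time, src, sport, dst, dport."""
    alerts = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"gid": int(m.group(1)), "sid": int(m.group(2)),
                       "rev": int(m.group(3)), "msg": m.group(4)}
            alerts.append(current)
            continue
        if current is None:
            continue
        m = ADDR_RE.match(line)
        if m:
            current.update(
                time=m.group(1), src=m.group("src"), dst=m.group("dst"),
                sport=int(m.group("sport")) if m.group("sport") else None,
                dport=int(m.group("dport")) if m.group("dport") else None)
    return alerts


def summarise(alerts):
    """Counters of alerts per source address and per destination port (Step 22's two questions)."""
    by_src = Counter(a["src"] for a in alerts if "src" in a)
    by_dport = Counter(a["dport"] for a in alerts if a.get("dport") is not None)
    return by_src, by_dport


def classify_source(ip):
    """'internal' for RFC 1918 / loopback addresses, where whois is pointless; else 'external'."""
    return "internal" if ipaddress.ip_address(ip).is_private else "external"


def block_rules(alerts, threshold=2):
    """iptables commands (strings only, nothing is executed) for sources seen
    at least `threshold` times; -I puts the DROP ahead of any earlier ACCEPT."""
    by_src, _ = summarise(alerts)
    return [f"iptables -I INPUT -s {ip} -j DROP"
            for ip, n in sorted(by_src.items()) if n >= threshold]


if __name__ == "__main__":
    records = parse_alerts(SAMPLE_ALERT_FILE)
    by_src, by_dport = summarise(records)
    for ip, n in by_src.most_common():
        print(f"{ip:16} {n:4} alerts ({classify_source(ip)})")
    for port, n in by_dport.most_common():
        print(f"port {port:5} {n:4} alerts")
    print("\n".join(block_rules(records)))
```

Run it as 'python3 snort_alerts.py' after pointing parse_alerts at the real file (open('/path/to/snort_logs/alert').read()); review the suggested commands before pasting them, since a private source address points at a misbehaving machine on your own LAN rather than an outsider to firewall off.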