December 15, 2016
Sniffing Your Way through Snort NIDS
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are currently hot topics in the cyber security space, and for good reason. Threats and exploits aren’t slowing down, and the pressure is ramping up on organizations to do a better job of securing their IT infrastructure. This is a good thing. Too many organizations have been asleep at the switch for too long when it comes to IT security. IDSs and IPSs aren’t magic bullets, but they’re additional bricks that can be used in constructing your IT wall of security.

A lot of attention has been paid recently to the next generation of IDS/IPS platforms that leverage artificial intelligence (AI). This is the future and certainly something to anticipate, albeit with a healthy dose of patience and caution. In the meantime, before we completely turn things over to HAL (Watson) to protect us, we’re going to need to get down and dirty with systems that get their marching orders from humans. One such system is the venerable Snort project.

Snort has been around since 1998 and was created by Martin Roesch. Today it is developed by Sourcefire, which has been owned by Cisco since 2013. Roesch is still involved with the project and serves as CTO of Sourcefire. Snort does things so well that it gained entry into InfoWorld’s Open Source Hall of Fame in 2009. How about that for an accolade? Snort is available for just about every major Linux distro in existence, from Fedora to Ubuntu to openSUSE. There’s even a version for Windows.

I should state at the outset that getting Snort up and running is not for the faint of heart. Snort requires several other applications to be installed in order to run, along with an extensive configuration process. Installing Snort on Linux requires downloading the source code and compiling it for your particular flavor of Linux. The Snort.org website does provide binaries for download, but real Cybrarians compile from source. And they like it!

But if you’re like me and prefer a somewhat easier route to getting Snort up and running, then you may want to give the Windows version a try. It comes as an .exe, so no compiling is required, but you still have to spend the time tweaking the configuration file, same as with the Linux versions. This YouTube video has an excellent overview of the installation and configuration process of Snort in Windows.

So what can you do with Snort? In addition to serving as a Network Intrusion Detection System (NIDS), Snort offers several other operating modes. At its core, Snort is a packet sniffer. This is why it requires libpcap on Linux or an installed packet sniffer under Windows such as Wireshark. Snort monitors IP traffic in real time in order to detect suspicious traffic as part of its function as an NIDS. However, you can run it as a standalone IP protocol analyzer, allowing you to examine a host of traffic types. Want to examine ICMP, UDP, or TCP packets? Then have at it. You can even switch various layers on and off, such as the data link layer, to get in-depth protocol analysis. This can serve as a fantastic learning tool if you’re just beginning your journey in IT and networking certification. There’s nothing better for your professional development than getting hands-on with the various layers of the OSI protocol stack!

Where Snort really shines is as an NIDS. It relies on a set of rules, much as AV software relies on a malware signature database. These rules are maintained by Sourcefire and are updated on a regular basis. There are three levels of access to Snort rules files from the Snort project: Community, Registration, and Subscription. The Community level is completely free, but you’ll be waiting a while to receive rules updates. The Registration level is also free, but as its name implies, you’ll need to give up your email address to receive updates on a timelier basis. And finally, Subscription is the commercial level of Snort. You pay a $30 annual fee to get immediate updates of rules files. This seems a small price to pay to keep your NIDS updated.

Snort can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, OS fingerprinting attempts, and much more. In effect, Snort, and IDS/IPS systems in general, are on the defensive side of the field from pentesting tools such as Kali Linux. Pentesting attempts to find and exploit vulnerabilities while covering its tracks in the process to evade discovery. Snort and IDS/IPS tools try to catch them in the act.

Rules files may be at the heart of Snort, but logging is the workhorse behind this NIDS. As might be imagined, logging can get to be pretty resource-intensive. That’s why Snort offers several options when it comes to logging and alerts. Alert options in Snort range from the default “full” mode to “fast” mode to completely disabled. Snort also allows logging to a database such as MySQL for enhanced performance and analysis.

A good place to get started with NIDS tools is to view the introductory courses here on Cybrary.it on IDS and IPS. Then if you’re up for it, take the plunge into installing and running Snort. There are plenty of great resources out there to help you sniff your way through getting started with Snort.
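
The “fast” alert mode mentioned above writes one line per alert, which makes the output easy to summarize with a short script. The Python below is an added example, not part of the original article: it assumes the Snort 2.x fast-alert line layout shown in its first comment, handles IPv4 only, and runs on constructed sample lines (documentation addresses, made-up local SIDs); `parse_fast_alert` and `summarize` are names chosen for this example.

```python
import re
from collections import Counter

# Assumed Snort 2.x "fast" alert layout (IPv4 only; anything else counts as unparsed):
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: n] {PROTO} src -> dst
ENDPOINT = r"\d+\.\d+\.\d+\.\d+(?::\d+)?"
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d(?:/\d\d)?-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>" + ENDPOINT + r")\s+->\s+(?P<dst>" + ENDPOINT + r")$"
)

# Constructed sample: documentation-range addresses and local-range SIDs, not real traffic.
SAMPLE = """\
12/15-09:14:02.118233  [**] [1:1000001:1] LAB ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 198.51.100.5
12/15-09:14:07.530114  [**] [1:1000002:2] LAB inbound telnet SYN [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40112 -> 198.51.100.5:23
12/15-09:14:07.612990  [**] [1:1000002:2] LAB inbound telnet SYN [**] [Priority: 2] {TCP} 192.0.2.10:40113 -> 198.51.100.6:23
12/15-09:15:41.004871  [**] [1:1000001:1] LAB ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.7 -> 198.51.100.5
WARNING: this line is not an alert and must not break the parser
"""

def parse_fast_alert(line):
    """Return one alert as a dict, or None when the line is not a fast-mode alert."""
    m = FAST_ALERT.match(line.strip())
    if m is None:
        return None
    alert = m.groupdict()
    alert["prio"] = int(alert["prio"])
    for side in ("src", "dst"):  # split "ip:port"; ICMP alerts carry no port
        ip, _, port = alert.pop(side).partition(":")
        alert[side + "_ip"], alert[side + "_port"] = ip, int(port) if port else None
    return alert

def summarize(text):
    """Count alerts per rule and per source IP; also count lines that did not parse."""
    by_rule, by_src, unparsed = Counter(), Counter(), 0
    for line in filter(str.strip, text.splitlines()):  # skip blank lines
        alert = parse_fast_alert(line)
        if alert is None:
            unparsed += 1
            continue
        by_rule[f'{alert["gid"]}:{alert["sid"]} {alert["msg"]}'] += 1
        by_src[alert["src_ip"]] += 1
    return by_rule, by_src, unparsed

if __name__ == "__main__":
    rules, sources, bad = summarize(SAMPLE)
    print(rules.most_common(), sources.most_common(1), f"unparsed={bad}")
```

Tracking the unparsed count matters in practice: a sudden rise usually means the alert format or output mode changed, not that the network went quiet.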