Snort Rules Writing

If you customized one or several files that constitute Snort rules set you need to merge changes

News

Complete Snort-based IDS Architecture, Part One by Anton Chuvakin and Vladislav V. Myasnyankin 2002-11-06

It is more consistent to accept the default values and then run through a configuration checklist below. First, create snort_log database and set up user passwords:

# cd /usr/share/doc/snort-mysql/contrib.
# gunzip -d create_mysql.gz
# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
mysql> create database snort_log;
mysql> connect snort_log;
mysql> source create_mysql
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort_log.* to snort;
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort_log.* to snort@localhost;
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort_log.* to acid;
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort_log.* to acid@localhost;
mysql> create database snort_archive;
mysql> connect snort_archive;
mysql> source create_mysql
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort_archive.* to acid;
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort_archive.* to acid@localhost;
mysql> set password for 'snort'@'localhost'=password('');
mysql> set password for 'snort'@'%'=password('');
mysql> set password for 'acid'@'localhost'=password('');
mysql> set password for 'acid'@'%'=password('');
mysql> exit

Since the IDS platform can be used to sniff many interfaces or many virtual (VLAN) connections, the default set-up needs to be modified. For each VLAN circuit a separate instance of Snort will be used. Provided below is the set of Snort configuration files that seamlessly support any number of VLAN links and are easy to maintain and upgrade.

First, an additional directory needs to be created to store the common config files:

# mkdir  /etc/snort/common

If you need to switch interfaces into promiscuous mode, then simply create a file named "promisc" in the "common" directory, which will be referenced by the start-up script:

# touch promisc

Now one needs to create a file named "interfaces", containing the list of interfaces that Snort must be run on. For example, one can add either real (eth1, eth2 - in the case of multiple network cards) or virtual (eth1.0, eth1.1 - in case of a VLAN set-up) interfaces, one for each monitored line. Virtual interfaces are monitored via the 802.1Q support in Linux, and in this case one must ensure that the master interface is already up, because the ifconfig eth1.1 up command does not bring up the master interface (eth1).

Next, edit the common configuration file. In this example it will contain:

##### begin common.inc file ####

# common variables

pass ICMP $HOME_NET any -> $HOME_NET any
pass TCP $HOME_NET any -> $HOME_NET any
pass UDP $HOME_NET any -> $HOME_NET any

# preprocessors
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode

# output plugins
output database: log, mysql, user=snort password= dbname=snort_log host=localhost

#### end common.inc file ####

The "pass" rules might not be appropriate for all networks since internal-to-internal attacks will not be recorded. For a busy network where the perceived threat is outside the "pass" rules might be a good idea since they will decrease the hardware requirements and thus save some money.

Next, one must create the configuration file for each sensor in /etc/snort directory. The naming convention is simple: "snort.conf.<interface>", where "interface" is eth1, or eth1.0 etc.

Typical config may contain:

#### begin snort.conf.eth1 example file ####

var HOME_NET  #for example: 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521

include /etc/snort/common/common.inc

#
# Include classification & priority settings
#

include classification.config


#
# Customize the rule set
#

include bad-traffic.rules
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include smtp.rules
include rpc.rules
include rservices.rules
include dos.rules
include ddos.rules
include dns.rules
include tftp.rules
include web-cgi.rules
#include web-coldfusion.rules
#include web-frontpage.rules
#include web-iis.rules
include web-misc.rules
include web-attacks.rules
include sql.rules
include x11.rules
#include icmp.rules
#include netbios.rules
include misc.rules
include attack-responses.rules
#include backdoor.rules
#include shellcode.rules
#include policy.rules
#include porn.rules
#include info.rules
#include icmp-info.rules
#include virus.rules
include local.rules

#### end of snort.conf.eth1 example file ####

Of course, one needs to review the set of rules based on the specific conditions. For example, if you do not use any Windows machines or UNIX samba servers, you probably do not need to include the "netbios.rules" file. In some cases, you will need to write your own rules or modify existing rules. See Snort documentation for additional details on rule writing.

What are the factors that might influence the choice of rules? While a detailed discussion of IDS tuning is beyond the scope of this article, readers can refer to Kevin Timm's SecurityFocus article Strategies to Reduce False Positives and False Negatives. That said, one approach is to enable all rules and spend several days flooded with alerts, analyzing them and reducing the rule set accordingly. This route is more appropriate for internal network IDS deployment. Another solution is to narrow the ruleset to only watch the "risky" services. This works better in a highly secure DMZ set-up in which all machines are carefully audited and hardened.

Everything should run properly once the configurations are completed, but sometimes bugs and crashes happen. To automatically restart the Snort instances, the following root-owned cron job will be used:

*/5 * * * * /usr/local/bin/snortcheck >/dev/null 2>&1

It uses the script provided below:

#### begin /usr/local/bin/snortcheck ####

#!/bin/sh

#snort restarting
num=`ps aux|grep "\/etc\/snort"|wc -l|awk '{print $1}'`

if [ $num -lt 3 ]
then
/etc/init.d/snort restart
date >> /var/log/snortrestart
echo "Snort was restarted at `date`" | /usr/bin/mail root
fi

####end of  /usr/local/bin/snortcheck ####

One should ensure the appropriate permissions on the file /usr/local/bin/snortcheck (read and execute by the owner i.e. root).

The final step in the set-up process is to edit the Snort startup script:

#### begin /etc/init.d/snort ####
#!/bin/sh
#
# Script to control SNORT execution under Debian
# Written by Vladislav V. Myasnyankin .

PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin
DAEMON=/usr/sbin/snort
PIDFILES=`ls /var/run | grep snort`
INTERFACES=`cat /etc/snort/common/interfaces`

# Arguments passed to SNORT
#
# To watch only our system
ARGS="-o -p -X -u snort -g snort -D"

#
# Check if we need to watch all packets in the segment
if [ -e /etc/snort/common/promisc ]
then
ARGS="-o -X -u snort -g snort -D"
fi

test -x $DAEMON || exit 0

case "$1" in
  start)
    echo -n "Starting Network Intrusion Detection System: snort"
    for IFACE in $INTERFACES;
        do
        PIDFILE=/var/run/snort_$IFACE.pid
        CONFIG=/etc/snort/snort.conf.$IFACE
        echo $IFACE
        echo $CONFIG
        echo $PIDFILE
         /sbin/ifconfig | grep $IFACE > /dev/null 
         if [ $? -ne 0 ] 
           then                                
          /sbin/ifconfig $IFACE up            
        fi

 /sbin/start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON -- -i $IFACE $ARGS -c $CONFIG

	case "$?" in
	  0) echo "." ;;
	  1) echo "...already running." ;;
	  2) echo "...failed." ;;
	esac
        done
    ;;
  stop)
    echo -n "Stopping Network Intrusion Detection System: snort"
    for PIDFILE in $PIDFILES;
        do
        echo
        echo $PIDFILE
        echo
        /sbin/start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/$PIDFILE --exec $DAEMON
        echo "."
        rm -f /var/run/$PIDFILE
        done
    ps cax | grep '/usr/sbin/snort' 	   | awk '{ print $1 }' 	   | xargs --no-run-if-empty kill -9 >/dev/null
    ;;
  restart|force-restart|reload|force-reload)
	/etc/init.d/snort stop 
	# stop will take care that the thing is really dead
	/etc/init.d/snort start
       	;;
  *)
    echo "Usage: /etc/init.d/snort {start|stop|restart|force-reload|reload}"
    exit 1
    ;;
esac

exit 0
#### end of /etc/init.d/snort ####

Now the IDS can be safely restarted using the new multisensor configuration.

Conclusion

This concludes the first part of our two-part discussion of how to build a Snort-based IDS from scratch. In the next installment, we shall discuss Web interface configuration, summaries and daily reporting, automated attack response, sensor installation, installation of the central station, and big distributed IDS systems.

To read Complete Snort-based IDS Architecture, Part Two, click here.

Vladislav V. Myasnyankin, security expert, author and translator of several IT security related papers. At present time he works as Chief Information Security Officer at the bank. The author would like to thank Paul Pokrovsky and Michael Plotnikov for help with article development.

Anton Chuvakin, Ph.D., GCIA is a Senior Security Analyst with a major information security company. His areas of infosec expertise include intrusion detection, UNIX security, honeypots, etc. In his spare time he maintains his security portal http://www.info-secure.org. SecurityFocus accepts Infocus article submissions from members of the security community. Articles are published based on outstanding merit and level of technical detail. Full submission guidelines can be found at http://www.securityfocus.com/static/submissions.html.

Packets and Alerts Analysis

Whitehats.com  features open Intrusion Detection database, arachNIDS. It can be used to undestand Snort messages. Whitehats is authored by Max Vision a silicon valley consultant specializing in penetration testing.

AMNESI the Domain Name Search Engine. Reverse IP lookup finds info for any IP address.

Google Web Directory - Computers Internet Domain Names Name Search

Network Sorcery

• RFC Sourcebook
• ICMP type 8, Echo request message

Ruleset Tools and Scripts

Dupl.pl - a snort rules beautifier. - Removes duplicate rules from *-lib, vision.conf and the xxxx-rules files
Homepage : http://www.norz.org/
Changelog: http://www.norz.org/software/dupl.chglog
Download: http://www.norz.org/software/dupl.pl

Etc

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotes :  Somerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose Bierce :  Bernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOS :  Programming Languages History : PL/1 : Simula 67 : C : History of GCC development :  Scripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-Month :  How to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Last modified: March 12, 2019