Snort Rules Writing

News	Recommended Links	Recommended Articles	FAQs	Maillist archives	Packet and Alerts Analysis	Reference
		Ruleset Tools and scripts				False positives
Acid/Base	SnortSnarf	Perl Tools		History	Humor	Etc

If you customized one or several files that constitute Snort rules set you need to merge changes

News

Complete Snort-based IDS Architecture, Part One by Anton Chuvakin and Vladislav V. Myasnyankin 2002-11-06

It is more consistent to accept the default values and then run through a configuration checklist below. First, create snort_log database and set up user passwords:

# cd /usr/share/doc/snort-mysql/contrib.
# gunzip -d create_mysql.gz
# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
mysql> create database snort_log;
mysql> connect snort_log;
mysql> source create_mysql
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort_log.* to snort;
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort_log.* to snort@localhost;
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort_log.* to acid;
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort_log.* to acid@localhost;
mysql> create database snort_archive;
mysql> connect snort_archive;
mysql> source create_mysql
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort_archive.* to acid;
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort_archive.* to acid@localhost;
mysql> set password for 'snort'@'localhost'=password('');
mysql> set password for 'snort'@'%'=password('');
mysql> set password for 'acid'@'localhost'=password('');
mysql> set password for 'acid'@'%'=password('');
mysql> exit

Since the IDS platform can be used to sniff many interfaces or many virtual (VLAN) connections, the default set-up needs to be modified. For each VLAN circuit a separate instance of Snort will be used. Provided below is the set of Snort configuration files that seamlessly support any number of VLAN links and are easy to maintain and upgrade.

First, an additional directory needs to be created to store the common config files:

# mkdir  /etc/snort/common

If you need to switch interfaces into promiscuous mode, then simply create a file named "promisc" in the "common" directory, which will be referenced by the start-up script:

# touch promisc

Now one needs to create a file named "interfaces", containing the list of interfaces that Snort must be run on. For example, one can add either real (eth1, eth2 - in the case of multiple network cards) or virtual (eth1.0, eth1.1 - in case of a VLAN set-up) interfaces, one for each monitored line. Virtual interfaces are monitored via the 802.1Q support in Linux, and in this case one must ensure that the master interface is already up, because the ifconfig eth1.1 up command does not bring up the master interface (eth1).

Next, edit the common configuration file. In this example it will contain:

##### begin common.inc file ####

# common variables

pass ICMP $HOME_NET any -> $HOME_NET any
pass TCP $HOME_NET any -> $HOME_NET any
pass UDP $HOME_NET any -> $HOME_NET any

# preprocessors
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode

# output plugins
output database: log, mysql, user=snort password= dbname=snort_log host=localhost

#### end common.inc file ####

The "pass" rules might not be appropriate for all networks since internal-to-internal attacks will not be recorded. For a busy network where the perceived threat is outside the "pass" rules might be a good idea since they will decrease the hardware requirements and thus save some money.

Next, one must create the configuration file for each sensor in /etc/snort directory. The naming convention is simple: "snort.conf.<interface>", where "interface" is eth1, or eth1.0 etc.

Typical config may contain:

#### begin snort.conf.eth1 example file ####

var HOME_NET  #for example: 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521

include /etc/snort/common/common.inc

#
# Include classification & priority settings
#

include classification.config


#
# Customize the rule set
#

include bad-traffic.rules
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include smtp.rules
include rpc.rules
include rservices.rules
include dos.rules
include ddos.rules
include dns.rules
include tftp.rules
include web-cgi.rules
#include web-coldfusion.rules
#include web-frontpage.rules
#include web-iis.rules
include web-misc.rules
include web-attacks.rules
include sql.rules
include x11.rules
#include icmp.rules
#include netbios.rules
include misc.rules
include attack-responses.rules
#include backdoor.rules
#include shellcode.rules
#include policy.rules
#include porn.rules
#include info.rules
#include icmp-info.rules
#include virus.rules
include local.rules

#### end of snort.conf.eth1 example file ####

Of course, one needs to review the set of rules based on the specific conditions. For example, if you do not use any Windows machines or UNIX samba servers, you probably do not need to include the "netbios.rules" file. In some cases, you will need to write your own rules or modify existing rules. See Snort documentation for additional details on rule writing.

What are the factors that might influence the choice of rules? While a detailed discussion of IDS tuning is beyond the scope of this article, readers can refer to Kevin Timm's SecurityFocus article Strategies to Reduce False Positives and False Negatives. That said, one approach is to enable all rules and spend several days flooded with alerts, analyzing them and reducing the rule set accordingly. This route is more appropriate for internal network IDS deployment. Another solution is to narrow the ruleset to only watch the "risky" services. This works better in a highly secure DMZ set-up in which all machines are carefully audited and hardened.

Everything should run properly once the configurations are completed, but sometimes bugs and crashes happen. To automatically restart the Snort instances, the following root-owned cron job will be used:

*/5 * * * * /usr/local/bin/snortcheck >/dev/null 2>&1

It uses the script provided below:

#### begin /usr/local/bin/snortcheck ####

#!/bin/sh

#snort restarting
num=`ps aux|grep "\/etc\/snort"|wc -l|awk '{print $1}'`

if [ $num -lt 3 ]
then
/etc/init.d/snort restart
date >> /var/log/snortrestart
echo "Snort was restarted at `date`" | /usr/bin/mail root
fi

####end of  /usr/local/bin/snortcheck ####

One should ensure the appropriate permissions on the file /usr/local/bin/snortcheck (read and execute by the owner i.e. root).

The final step in the set-up process is to edit the Snort startup script:

#### begin /etc/init.d/snort ####
#!/bin/sh
#
# Script to control SNORT execution under Debian
# Written by Vladislav V. Myasnyankin .

PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin
DAEMON=/usr/sbin/snort
PIDFILES=`ls /var/run | grep snort`
INTERFACES=`cat /etc/snort/common/interfaces`

# Arguments passed to SNORT
#
# To watch only our system
ARGS="-o -p -X -u snort -g snort -D"

#
# Check if we need to watch all packets in the segment
if [ -e /etc/snort/common/promisc ]
then
ARGS="-o -X -u snort -g snort -D"
fi

test -x $DAEMON || exit 0

case "$1" in
  start)
    echo -n "Starting Network Intrusion Detection System: snort"
    for IFACE in $INTERFACES;
        do
        PIDFILE=/var/run/snort_$IFACE.pid
        CONFIG=/etc/snort/snort.conf.$IFACE
        echo $IFACE
        echo $CONFIG
        echo $PIDFILE
         /sbin/ifconfig | grep $IFACE > /dev/null 
         if [ $? -ne 0 ] 
           then                                
          /sbin/ifconfig $IFACE up            
        fi

 /sbin/start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON -- -i $IFACE $ARGS -c $CONFIG

	case "$?" in
	  0) echo "." ;;
	  1) echo "...already running." ;;
	  2) echo "...failed." ;;
	esac
        done
    ;;
  stop)
    echo -n "Stopping Network Intrusion Detection System: snort"
    for PIDFILE in $PIDFILES;
        do
        echo
        echo $PIDFILE
        echo
        /sbin/start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/$PIDFILE --exec $DAEMON
        echo "."
        rm -f /var/run/$PIDFILE
        done
    ps cax | grep '/usr/sbin/snort' 	   | awk '{ print $1 }' 	   | xargs --no-run-if-empty kill -9 >/dev/null
    ;;
  restart|force-restart|reload|force-reload)
	/etc/init.d/snort stop 
	# stop will take care that the thing is really dead
	/etc/init.d/snort start
       	;;
  *)
    echo "Usage: /etc/init.d/snort {start|stop|restart|force-reload|reload}"
    exit 1
    ;;
esac

exit 0
#### end of /etc/init.d/snort ####

Now the IDS can be safely restarted using the new multisensor configuration.

Conclusion

This concludes the first part of our two-part discussion of how to build a Snort-based IDS from scratch. In the next installment, we shall discuss Web interface configuration, summaries and daily reporting, automated attack response, sensor installation, installation of the central station, and big distributed IDS systems.

To read Complete Snort-based IDS Architecture, Part Two, click here.

Vladislav V. Myasnyankin, security expert, author and translator of several IT security related papers. At present time he works as Chief Information Security Officer at the bank. The author would like to thank Paul Pokrovsky and Michael Plotnikov for help with article development.

Anton Chuvakin, Ph.D., GCIA is a Senior Security Analyst with a major information security company. His areas of infosec expertise include intrusion detection, UNIX security, honeypots, etc. In his spare time he maintains his security portal http://www.info-secure.org. SecurityFocus accepts Infocus article submissions from members of the security community. Articles are published based on outstanding merit and level of technical detail. Full submission guidelines can be found at http://www.securityfocus.com/static/submissions.html.

Packets and Alerts Analysis

Whitehats.com features open Intrusion Detection database, arachNIDS. It can be used to undestand Snort messages. Whitehats is authored by Max Vision a silicon valley consultant specializing in penetration testing.

AMNESI the Domain Name Search Engine. Reverse IP lookup finds info for any IP address.

Google Web Directory - Computers Internet Domain Names Name Search

Network Sorcery

Ruleset Tools and Scripts

Dupl.pl - a snort rules beautifier. - Removes duplicate rules from *-lib, vision.conf and the xxxx-rules files
Homepage : http://www.norz.org/
Changelog: http://www.norz.org/software/dupl.chglog
Download: http://www.norz.org/software/dupl.pl

Copyright © 1996-2009 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. Submit comments This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License(OPL). Site uses AdSense so you need to be aware of Google privacy policy. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Disclaimer:

The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with.
We do not warrant the correctness of the information provided or its fitness for any purpose
In no way this site is associated with or endorse cybersquatters using the term "softpanorama" with other main or country domains (e.g. softpanorama.com) with bad faith intent to profit from the goodwill belonging to someone else.

Last modified: August 15, 2009