SNORT Configuration in Windows 7/8/10

SNORT Configuration

First Step:

Open a web browser and go to www.snort.org.
Sign up for an account so that you can download the Snort installer and the registered-user rules.
First we download the Snort installer, then the registered rules.
After that we install, configure and test Snort for training purposes; you can add other things according to your needs.
Rules come in three tiers: community, registered and subscription.
With subscription rules you get new detections as soon as they are released.
With registered (free account) rules you get the same updates after a delay.
Community rules are the oldest in terms of updates.

Second Step:

Now we have two things, the Snort installer and the Snort rules. The first thing we need to do is install Snort. Snort on Windows also needs WinPcap or Npcap for packet capture, so install that first if it is not already on the machine.
To check whether Snort was installed, look at the drive you installed it on (C:\Snort by default).
If Snort was installed correctly you will see these sub-folders inside the parent folder:
1.    bin - where snort.exe, the program itself, lives
2.    doc - documentation
3.    etc - where our configuration information goes (snort.conf lives here)
4.    lib - the dynamic engine and preprocessor libraries that Snort loads at startup
5.    log - where Snort writes its alerts and packet logs by default

There are also two directories for rules, preproc_rules and rules, and both are empty until we put the downloaded rules in them.

Third Step:

Now open the rules archive we downloaded earlier (a .tar.gz file; use 7-Zip or a similar tool to open it). Inside you will see four folders: etc, preproc_rules, rules and so_rules. We are going to copy files out of three of them.
Open the rules folder and select everything, because we need to extract all of it to C:\Snort\rules.

Fourth Step:

Next we need the preprocessor rules. Open the preproc_rules folder, select everything and extract it to C:\Snort\preproc_rules.
We ignore so_rules: shared-object rules are compiled Linux libraries and do not work on Windows.

Fifth Step:
Now we also need some files from the archive's etc folder (it holds classification.config, reference.config and threshold.conf, which snort.conf includes). Open it, select everything and extract it to C:\Snort\etc.

Sixth Step:
Now all the packages are extracted. Go to C:\Snort\rules and look at local.rules: it is empty for now, but this is where you put your own rules.
We will get to that part a bit later.

Seventh Step:
The next thing we are going to do is configure Snort to run on this computer. Go to the C:\Snort\etc folder and edit snort.conf. Right-click it and open it with Notepad++ (preferred), because it numbers the lines, which helps when Snort reports an error at a particular line of the configuration later on.

Eighth Step:
Once snort.conf is open, we need to make several changes so that Snort runs on this computer.
The file is divided into nine sections:
1.    Set the network variables.
2.    Configure the decoder
3.    Configure the base detection engine
4.    Configure dynamic loaded libraries
5.    Configure pre-processors
6.    Configure output plugins
7.    Customize your rule set
8.    Customize pre-processor and decoder rule set
9.    Customize shared object rule set

We are not going to make changes in all of them right now but just a few.

Step 1:

The very first thing we do is set the home network. Snort uses HOME_NET to mean your own internal network, the address range you are protecting, not just the gateway's IP address. For a machine on 192.168.2.x with a /24 mask that is:
ipvar HOME_NET 192.168.2.0/24
Now the external network is everything that is not our home network, so:
ipvar EXTERNAL_NET !$HOME_NET [Here $ means "the variable" and ! means "not"]
Do not leave HOME_NET at its default of "any" when you set EXTERNAL_NET this way: Snort refuses to load a negated "any".
You don't need to change anything else right now. Just scroll down to the rule path:
Now we need to point Snort at the directory where the rules are.
#path to your rules files [this can be a relative path, but you are advised to make it an absolute path]
# Note for windows users:
# such as : c:\snort\rules
var RULE_PATH c:\snort\rules

We are not going to use the so_rules, so we comment that line out. Shared-object rules are compiled for Linux.
# var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH c:\snort\preproc_rules
We do the same for the whitelist and blacklist paths; the reputation preprocessor (Step 5) reads its lists from here.
# if you are using reputation preprocessor set these:
var WHITE_LIST_PATH c:\snort\rules
var BLACK_LIST_PATH c:\snort\rules
And that's all for Step 1.

Step 2:

For Step 2 we leave everything as it is, except that we add a line setting the log directory, so Snort writes to c:\snort\log without needing -l on the command line every time:
config logdir: c:\snort\log

Step 3: [No changes. The default detection engine settings work on Windows as they are.]

Step 4:

In Step 4 we need to configure some paths. Snort has to be told where the dynamic preprocessor libraries are:
# path to dynamic preprocessor libraries
dynamicpreprocessor directory c:\snort\lib\snort_dynamicpreprocessor [if you don't remember where that is, it is under c:\snort\lib]
The dynamic engine is another library Snort loads at startup. On Windows it is a DLL; the default line points at the Linux libsf_engine.so, so replace it:

# path to base preprocessor engine
dynamicengine c:\snort\lib\snort_dynamicengine\sf_engine.dll
We are not using the dynamic rule libraries (these are the so_rules again), so comment that line out:
# path to dynamic rules libraries
# dynamicdetection directory /usr/local/lib/snort_dynamicrules

Step 5:

Now we come to the preprocessors; Snort has dozens of them. We are going to disable a few and enable two. First comment out the inline packet normalization preprocessors: they only act in inline (IPS) mode, which Snort cannot run in on Windows.
# Inline packet normalization.
# Does nothing in IDS mode
# preprocessor normalize_ip4
# preprocessor normalize_tcp: block, rsv, pad, urp, req_urg, req_pay, req_urp, ips, ecn stream
# preprocessor normalize_icmp4
# preprocessor normalize_ip6
# preprocessor normalize_icmp6
Next we enable port scan detection by removing the # in front of the sfportscan line:
# Portscan detection.
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
Now scroll down to the reputation preprocessor. It takes two lists of IP addresses, known-bad ones in the blacklist and known-good ones in the whitelist:
# Reputation preprocessor.
preprocessor reputation: \
  memcap 500, \
  priority whitelist, \
  nested_ip inner, \
  whitelist $WHITE_LIST_PATH\white.list, \
  blacklist $BLACK_LIST_PATH\black.list [These files only list IPs, one per line, so they are not really rules]
One important thing: once this preprocessor is enabled, both files have to exist in the rules directory, and right now they do not, so Snort would refuse to start. Go back to the rules directory and create them with Notepad.
Open Notepad and type:
# Whitelist file
# put whitelisted IP addresses here, one per line [save it in the rules folder as white.list, choosing "All Files" as the file type so Notepad does not add a .txt extension]
Open Notepad again and type:
# Blacklist file
# put blacklisted IP addresses here, one per line [save it in the rules folder as black.list, again with "All Files" as the file type]
Now if you look inside c:\snort\rules you can see that black.list and white.list have been created.

Step 6:

Step 6 is the output plugins. Most of them are written with Linux in mind and some do not work on Windows at all. We leave this section as it is: the unified2 output it offers writes a binary format that needs a separate tool such as Barnyard2 to read, so for this exercise we will use -A console on the command line to see alerts on screen.

Step 7:

Step 7 is where snort.conf includes all the different rule files.
We need to change every forward slash / in these include lines to a backslash \, because we are running on Windows rather than Linux. The list starts with local.rules and runs through to x11.rules, for example:
# site specific rules
include $RULE_PATH\local.rules
include $RULE_PATH\x11.rules
Also comment out any include whose file is not actually present in c:\snort\rules, because Snort treats a missing rules file as a fatal error.

Step 8:

In Step 8 we have three preprocessor rule includes. Uncomment all of them and change the slashes from / to \:
# decoder and preprocessor event rules
include $PREPROC_RULE_PATH\preprocessor.rules
include $PREPROC_RULE_PATH\decoder.rules
include $PREPROC_RULE_PATH\sensitive-data.rules

Step 9:
We leave Step 9 (shared-object rules) as it is. Just check, right at the end of the file, that the threshold.conf include is not commented out:
include threshold.conf
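
The nine edits above are tedious to make by hand and easy to get half right. As an added example (not from the original post or from the Snort project), here is a small Python script that applies them to a copy of snort.conf and then lints the result for the mistakes that stop Snort starting on Windows. STOCK_SNORT_CONF is a constructed excerpt of the stock Linux-flavoured file; the install root c:\snort and the list file names white.list and black.list follow the walkthrough; the lint checks are this example's own, not a Snort feature.

```python
import sys

# Constructed excerpt of a stock, Linux-flavoured snort.conf: only the lines the
# walkthrough changes, in the order they appear in the real file.
STOCK_SNORT_CONF = """\
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
# preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level { low }
preprocessor reputation: \\
   memcap 500, \\
   priority whitelist, \\
   nested_ip inner, \\
   whitelist $WHITE_LIST_PATH/white.list, \\
   blacklist $BLACK_LIST_PATH/black.list
include $RULE_PATH/local.rules
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
include threshold.conf
"""


def windowsize(conf, home_net, root=r"c:\snort"):
    """Return conf rewritten the way Steps 1-9 describe; root is the install directory."""
    rules = root + r"\rules"
    out = []
    for line in conf.splitlines():
        s = line.strip()
        if s.startswith("ipvar HOME_NET "):                      # Step 1: protected network
            line = "ipvar HOME_NET " + home_net
        elif s.startswith("ipvar EXTERNAL_NET "):
            line = "ipvar EXTERNAL_NET !$HOME_NET"
        elif s.startswith(("var RULE_PATH ", "var WHITE_LIST_PATH ", "var BLACK_LIST_PATH ")):
            line = "var %s %s" % (s.split()[1], rules)
        elif s.startswith("var PREPROC_RULE_PATH "):
            line = "var PREPROC_RULE_PATH " + root + r"\preproc_rules"
        elif s.startswith("dynamicpreprocessor directory "):      # Step 4: DLL locations
            line = "dynamicpreprocessor directory " + root + r"\lib\snort_dynamicpreprocessor"
        elif s.startswith("dynamicengine "):
            line = "dynamicengine " + root + r"\lib\snort_dynamicengine\sf_engine.dll"
        elif s.startswith(("var SO_RULE_PATH ", "dynamicdetection directory ",
                           "preprocessor normalize_")):          # Linux-only: comment out
            line = "# " + s
        elif s.startswith("# preprocessor sfportscan"):          # Step 5: enable port scans
            line = s[2:]
        elif s.startswith(("whitelist $WHITE_LIST_PATH/", "blacklist $BLACK_LIST_PATH/",
                           "include $RULE_PATH/")):              # Steps 5 and 7: slashes
            line = line.replace("/", "\\")
        elif s.startswith("# include $PREPROC_RULE_PATH/"):      # Step 8: enable and fix
            line = s[2:].replace("/", "\\")
        out.append(line)
    out.append("config logdir: " + root + r"\log")              # Step 2: default log dir
    return "\n".join(out) + "\n"


def lint(conf):
    """List settings that would stop Snort starting on Windows or make rules silent."""
    active = [l.strip() for l in conf.splitlines()
              if l.strip() and not l.strip().startswith("#")]

    def val(key):
        return next((l.split()[2] for l in active if l.startswith(key)), None)

    problems = []
    if val("ipvar EXTERNAL_NET ") == "!$HOME_NET" and val("ipvar HOME_NET ") == "any":
        problems.append("EXTERNAL_NET is !$HOME_NET while HOME_NET is any (a negated any)")
    for l in active:
        if "/usr/local" in l or l.endswith(".so"):
            problems.append("Linux library path still active: " + l)
        if l.startswith("preprocessor normalize_"):
            problems.append("inline-only preprocessor active: " + l)
        if "so_rules" in l or l.startswith("dynamicdetection "):
            problems.append("shared-object rules referenced: " + l)
        if l.startswith(("include $", "whitelist $", "blacklist $")) and "/" in l:
            problems.append("forward slash in a Windows path: " + l)
    if not any(l.startswith("preprocessor sfportscan") for l in active):
        problems.append("sfportscan is not enabled")
    if not any(l.startswith("config logdir:") for l in active):
        problems.append("no config logdir, so -l is needed on every run")
    return problems


if __name__ == "__main__":   # usage: python win_snort_conf.py c:\snort\etc\snort.conf 192.168.2.0/24
    path, home_net = sys.argv[1], sys.argv[2]
    with open(path) as f:
        fixed = windowsize(f.read(), home_net)
    with open(path, "w") as f:
        f.write(fixed)
    print("\n".join(lint(fixed)) or "no problems found; now run snort -T")
```

Run it once against a backup copy of snort.conf, then still finish with snort -T: the lint only catches the mistakes this walkthrough talks about, while -T loads every included rules file and catches the rest.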

Step 10:

In Step 10 we save the configuration file. Now we are ready to see whether snort.conf loads or fires errors. Snort is a command-line program, so open a Command Prompt as administrator and type:

cd \snort\bin
snort -V (prints the version; if this works, snort.exe and its DLLs load)
Now we find out which interface we are going to listen on:
snort -W (lists the network interfaces with their index numbers)
Now we test the snort.conf file. Type:
snort -i 2 -c c:\snort\etc\snort.conf -T

-i 2 is the interface index from the -W output; it varies from system to system, so use the number of your active adapter.
-c is short for configuration file, and
c:\snort\etc\snort.conf is the path to it
-T is for test: Snort loads the configuration and all the rules, then exits without sniffing anything

This initializes the rule chains, shows any errors (each with the snort.conf line number, which is why Notepad++ was handy) and finally, if all the steps above were done correctly, prints "Snort successfully validated the configuration!"

Now let us go to c:\snort\rules\local.rules and edit it a bit.
Open local.rules and write:
alert icmp any any -> any any (msg:"Testing ICMP"; sid:1000001; rev:1;)
alert udp  any any -> any any (msg:"Testing UDP"; sid:1000002; rev:1;)
alert tcp  any any -> any 80  (msg:"Testing TCP"; sid:1000003; rev:1;)
[The sid is seven digits because SIDs below 1,000,000 are reserved for the rules Snort ships, so local rules start at 1000000 to avoid a conflict. rev:1 is the rule revision, which you bump whenever you edit the rule. There are three kinds of traffic we want to see, so we write three rules; the TCP rule uses port 80 because that is web traffic.]

Let's save that rule file.
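
Before handing local.rules, white.list and black.list to snort -T, it helps to check them for the mistakes the steps above warn about: SIDs in the reserved range, duplicate SIDs, a missing rev or msg, and a list entry that is not an IP address or CIDR block. The Python checker below is an added example, not code from the original post or from Snort. The three file contents are constructed, and the rule grammar it accepts is a simplified one (one rule per line, no ';' inside quoted values), which is enough for rules like the ones written above.

```python
import ipaddress
import re

# Constructed contents of the three files this walkthrough has you create by hand.
LOCAL_RULES = """\
# local.rules
alert icmp any any -> any any (msg:"Testing ICMP"; sid:1000001; rev:1;)
alert udp  any any -> any any (msg:"Testing UDP"; sid:1000002; rev:1;)
alert tcp  any any -> any 80  (msg:"Testing TCP"; sid:1000003; rev:1;)
"""
WHITE_LIST = "# Whitelist file\n192.168.2.1\n"
BLACK_LIST = "# Blacklist file\n198.51.100.0/24\n203.0.113.7\n"

LOCAL_SID_MIN = 1000000          # SIDs below this are reserved for Snort-distributed rules
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>ip|tcp|udp|icmp)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$")


def parse_rule(line):
    """Split a one-line Snort rule into header fields plus an option dict, or None.
    Simplification: option values are assumed not to contain ';' inside quotes."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    opts = {}
    for opt in filter(None, (o.strip() for o in m.group("opts").split(";"))):
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    return {**m.groupdict(), "opts": opts}


def check_rules(text):
    """Return a list of problems with a local.rules file (empty list means clean)."""
    problems, seen = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        rule = parse_rule(line)
        if rule is None:
            problems.append("line %d: not a rule header Snort will parse" % n)
            continue
        sid = rule["opts"].get("sid", "")
        if not sid.isdigit():
            problems.append("line %d: missing sid" % n)
            continue
        if int(sid) < LOCAL_SID_MIN:
            problems.append("line %d: sid %s is in the reserved range below %d"
                            % (n, sid, LOCAL_SID_MIN))
        if sid in seen:
            problems.append("line %d: sid %s already used on line %d" % (n, sid, seen[sid]))
        seen[sid] = n
        if "rev" not in rule["opts"]:
            problems.append("line %d: no rev; add rev:1 so edits can be tracked" % n)
        if "msg" not in rule["opts"]:
            problems.append("line %d: no msg, so the alert would carry no description" % n)
    return problems


def check_ip_list(text):
    """Reputation lists hold one IP address or CIDR block per line; '#' starts a comment."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append("line %d: %r is not an IP address or CIDR block" % (n, entry))
    return problems


if __name__ == "__main__":
    for name, checker, text in (("local.rules", check_rules, LOCAL_RULES),
                                ("white.list", check_ip_list, WHITE_LIST),
                                ("black.list", check_ip_list, BLACK_LIST)):
        print(name, "ok" if not checker(text) else checker(text))
```

To check the real files, read them from c:\snort\rules instead of the constructed strings; the checks are the same. A clean result here does not replace snort -T, which is the only thing that exercises Snort's own rule parser.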

Step 11:

Back in the Command Prompt (still in c:\snort\bin), start Snort for real:
snort -i 2 -c c:\snort\etc\snort.conf -A console [-A console means every alert is printed to the screen as it happens; use the same interface index that passed the -T test]
What we really have to look for here is the phrase "Commencing packet processing".
That line does not mean Snort is frozen: it is now sniffing and stays quiet until a packet matches a rule. If you want to see every packet, and also write packet logs to the log directory, add the verbose and logging options:
snort -dev -l c:\snort\log -h 192.168.2.0/24 -c c:\snort\etc\snort.conf -i 2
(-v prints each packet, -d its payload and -e its link-layer header; -l sets the log directory and -h tells Snort which network is home for the log layout.)
To go back up a directory:
To go up one level, type cd ..\
To go up two levels, type cd ..\..\
If your files are located elsewhere, just replace the relevant path.
If you run an Nmap scan to generate traffic, point it at the same network, i.e. 192.168.2.0/24, so that the sfportscan preprocessor sees it.
Now check your log directory. You should see the appropriate files.
To test further, open a second Command Prompt and ping something; the ICMP rule will print an alert line for every request and reply. Leave Snort running while you do this, and press CTRL+C only when you are done, because that is what ends packet processing and flushes the log files to disk.
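
Once alerts start scrolling past it is useful to tally them rather than read them one by one. The Python snippet below is an added example (not from the original post or from Snort) that parses lines in the alert_fast format that -A console prints, counts alerts per signature and flags those whose source address lies outside HOME_NET. CONSOLE_OUTPUT is a constructed sample with invented addresses, in the shape the three local rules and the sfportscan preprocessor produce; the endpoint splitting assumes IPv4 addresses.

```python
import collections
import ipaddress
import re

# Constructed lines in Snort's alert_fast (-A console) format. The non-alert first
# line and all addresses are invented; the Classification field only appears when
# a rule or preprocessor sets one, so the regex treats it as optional.
CONSOLE_OUTPUT = """\
Commencing packet processing (pid=4120)
01/15-10:42:07.123456  [**] [1:1000001:1] Testing ICMP [**] [Priority: 0] {ICMP} 192.168.2.10 -> 192.168.2.1
01/15-10:42:07.124001  [**] [1:1000001:1] Testing ICMP [**] [Priority: 0] {ICMP} 192.168.2.1 -> 192.168.2.10
01/15-10:42:11.004412  [**] [1:1000003:1] Testing TCP [**] [Priority: 0] {TCP} 192.168.2.10:51234 -> 93.184.216.34:80
01/15-10:42:12.500000  [**] [1:1000003:1] Testing TCP [**] [Priority: 0] {TCP} 203.0.113.9:44321 -> 192.168.2.10:80
01/15-10:42:15.900000  [**] [122:1:1] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 3] {PROTO:255} 203.0.113.9 -> 192.168.2.10
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$")


def split_endpoint(ep):
    """'192.168.2.10:51234' -> ('192.168.2.10', 51234); a bare IPv4 address -> (ip, None)."""
    host, sep, port = ep.rpartition(":")
    return (host, int(port)) if sep and port.isdigit() else (ep, None)


def parse_alert(line):
    """Return the alert's fields as a dict, or None for non-alert console chatter."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["src_ip"], a["src_port"] = split_endpoint(a["src"])
    a["dst_ip"], a["dst_port"] = split_endpoint(a["dst"])
    a["gid"], a["sid"], a["rev"], a["pri"] = (int(a[k]) for k in ("gid", "sid", "rev", "pri"))
    return a


def summarize(text, home_net):
    """Count alerts per (gid, sid, msg) and list those whose source is outside HOME_NET."""
    home = ipaddress.ip_network(home_net)
    counts, external = collections.Counter(), []
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue
        counts[(a["gid"], a["sid"], a["msg"])] += 1
        if ipaddress.ip_address(a["src_ip"]) not in home:
            external.append((a["src_ip"], a["msg"]))
    return counts, external


if __name__ == "__main__":
    counts, external = summarize(CONSOLE_OUTPUT, "192.168.2.0/24")
    for (gid, sid, msg), n in sorted(counts.items()):
        print("%3d  [%d:%d] %s" % (n, gid, sid, msg))
    for ip, msg in external:
        print("from outside HOME_NET:", ip, msg)
```

To use it on a real run, redirect the console to a file (snort ... -A console > alerts.txt) and pass the file's contents to summarize with your HOME_NET. Signatures with gid 1 are your text rules; gid 122 is the sfportscan preprocessor, so a scan from Nmap shows up there rather than under a local SID.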
