How is snort used to detect malicious activities?
Snort is a lightweight intrusion detection tool that logs the packets passing through the network and analyzes them. Snort checks the incoming packets against rules written by the user and generates alerts whenever a match is found. The rules are written by the user in a text file that is referenced from the snort.conf file, where all of the Snort configuration is kept. A few commands are used to get Snort running so that it can analyze network behavior.
Snort reads a configuration file at start-up. A sample configuration file, snort.conf, is included in the Snort distribution. You can use any name for the configuration file, but snort.conf is the conventional name. The -c command line switch specifies the configuration file; for example, -c /opt/snort/snort.conf makes Snort use /opt/snort/snort.conf as its configuration file.
The configuration file can also be saved in the home directory as snortrc, but the most commonly used method is to specify it on the command line. Passing the configuration file name as a command line argument has a further advantage: it is possible to run multiple Snort instances on different network interfaces, each with a different configuration.
$ sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i lo
Run this command in a terminal to start Snort with the given configuration file; the options can be changed to suit your setup. Snort has several modes; a few of the options used here are described below.
Description of the command:
-A: sets the alert mode; "console" prints the alerts to the terminal
-q: quiet mode, which suppresses the banner and start-up status output
-u / -g: the user and group Snort switches to after initialization (here the unprivileged user and group "snort"), so that packet processing does not keep running as root
-c: specifies the config file
-i: specifies the interface to listen on; "lo" is written for the loopback interface, "eth0" or "eth1" for an Ethernet interface
Once Snort is running, open a second terminal and type $ ping 127.0.0.1. Snort should log this packet and display it on the terminal. Here is the image of the terminal logging the ping packets.
Writing rules:
Rules are written by the user; Snort logs the packets and generates an alert whenever it finds a match with a rule the user defined in the rules file. Every rule needs a unique sid (rule ID) and a rev (revision number) so that Snort can load it and identify its alerts. Here are some examples of how to write rules.
1. alert ip $EXTERNAL_NET any -> $HOME_NET any (ip_proto:igmp; sid:1000000; rev:1;)
For IGMP traffic.
2. alert tcp any any -> any 80 (content:"ABC"; content:"EFG"; http_raw_cookie; sid:1000001; rev:1;)
Detects a match in the unnormalised Cookie header (http_raw_cookie applies to the content immediately before it).
3. alert tcp any any -> any any (msg:"exploit"; content:"|90|"; sid:1000002; rev:1;)
Matches any TCP payload that contains a 0x90 byte, so it is very noisy on real traffic.
4. alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SYN FIN scan"; flags:SF,12; sid:1000003; rev:1;)
5. alert tcp any any -> $HOME_NET 21 (msg:"Incoming FTP"; sid:1000004; rev:1;)
6. alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Invalid Content Found"; content:"terrorism"; nocase; sid:1000005; rev:1;)
7. alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PING ALERT"; icode:0; itype:8; sid:1000006; rev:1;)
8. alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPLOIT ntpdx overflow"; dsize:>128; classtype:attempted-admin; priority:10; sid:1000007; rev:1;)
9. log tcp !192.168.0.0/24 any -> $HOME_NET any (msg:"mounted access"; sid:1000008; rev:1;)
The log action logs the matching packet without raising an alert.
10. alert tcp any any -> $HOME_NET 21 (msg:"Possible FTP Login"; sid:1000004; rev:4;)
This is revision 4 of rule 5 (same sid); load only one of the two.
Description of the rule parts:
alert: the rule action; it generates an alert for every matching packet
tcp: the protocol being matched
any: matches packets coming from any IP address (the second "any" means any source port)
$HOME_NET: our local network address range; it is defined in the snort.conf file
21: tells Snort to generate an alert for any packet that sends a request to port 21
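Rule files are easy to get subtly wrong (a mistyped variable, a missing sid, an option without its closing ';'), and Snort refuses the whole file at start-up. The following Python linter is an added example written for this page, not code from the Snort project: it parses the Snort 2 rule format described above and reports the mistakes seen in the list. It assumes that only HOME_NET and EXTERNAL_NET are defined in snort.conf; any other $variable is flagged as undefined.

```python
import re
# Snort 2 rule header: action proto src sport direction dst dport (options);
# address or port lists containing spaces are not handled by this small parser.
HEADER_RE = re.compile(
    r"^(alert|log|pass|drop|reject|sdrop)\s+(tcp|udp|icmp|ip)\s+"
    r"(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)
# One option: keyword, optional ":value" (a quoted value may contain ';'), then ';'
OPT_RE = re.compile(r'\s*([A-Za-z_]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')
# Port field: any, $VAR, a number, a range n:m, or a [list], optionally negated with '!'
PORT_RE = re.compile(r"^!?(any|\$\w+|\d+|\d*:\d*|\[[\w$:,!]+\])$")

def parse_rule(text):
    """Split one rule into its header fields and an ordered list of (keyword, value) options."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("malformed header (action, protocol, address, port or direction missing)")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options, pos, end = [], 0, len(body.rstrip())
    while pos < end:
        om = OPT_RE.match(body, pos)
        if not om:  # e.g. an option that is not terminated with ';'
            raise ValueError("malformed option near: %r" % body[pos:pos + 20].strip())
        options.append((om.group(1), (om.group(2) or "").strip().strip('"')))
        pos = om.end()
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}

def lint_rule(text, variables=("HOME_NET", "EXTERNAL_NET")):
    """Return a list of problems found in one rule; an empty list means it passed."""
    try:
        rule = parse_rule(text)
    except ValueError as err:
        return [str(err)]
    problems = []
    keys = dict(rule["options"])
    if "sid" not in keys:
        problems.append("missing sid: Snort needs a unique sid to load and report the rule")
    if "msg" not in keys:
        problems.append("missing msg: alerts without a message are hard to triage")
    for k in ("sid", "rev", "priority"):
        if k in keys and not keys[k].isdigit():
            problems.append("%s must be a positive integer, got %r" % (k, keys[k]))
    for field in ("src", "dst", "sport", "dport"):
        name = rule[field].lstrip("!")  # catches typos such as $EXATERNAL_NET
        if name.startswith("$") and name[1:] not in variables:
            problems.append("undefined variable %s in %s" % (name, field))
    for field in ("sport", "dport"):
        if not PORT_RE.match(rule[field]):
            problems.append("bad port specification %r in %s" % (rule[field], field))
    return problems
```

Once the linter reports nothing, run snort -T -c /etc/snort/snort.conf to let Snort's own parser test the configuration, since it remains the final authority on rule syntax.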