
Intrusion Detection

INDP3 – Cyber Security and Defense (CySeD)

Network Intrusion Detection using SNORT

Slim Rekhis
Contact: [email protected]

September 2023

I. Lab Objective
The aim of this lab is to install, configure, and use SNORT, a free, open-source network intrusion
detection system and one of the most popular, which monitors the packet data sent and received through a
specific network interface. Snort uses signature-based detection, real-time traffic analysis and protocol
analysis to detect malicious activity, denial of service attacks, malware infections,
compromised systems, and network policy violations.
In this lab, you will learn how to install and configure SNORT on CentOS and write
custom signature rules to detect attacks.

II. Installing SNORT on CentOS 8


1. Start by installing the required libraries with the following command:
$ sudo yum install -y gcc flex bison zlib libpcap pcre libdnet tcpdump
2. The package libnghttp2 is also required; it can be downloaded from the Extra Packages for
Enterprise Linux (EPEL) repository and installed using these commands:
$ sudo yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
$ sudo yum install -y libnghttp2
3. Install the Snort package (version 2.9) available on the Snort website:
$ sudo yum install https://www.snort.org/downloads/archive/snort/snort-2.9.18.1-1.centos8.x86_64.rpm
4. Security Enhanced Linux (SELinux) is a security mechanism built into the Linux kernel which is
used to add an additional layer of security to the system by allowing administrators and users to control
access to objects based on policy rules. By default, in CentOS 8, SELinux is enabled in enforcing mode.
To permanently stop SELinux from enforcing its policy, open the /etc/selinux/config file and change
the SELINUX value to disabled:

Then save the file and reboot the system.

5. FirewallD is the default daemon responsible for the firewall on CentOS 8 Server. This
firewall is also enabled by default and allows only a few services to receive incoming traffic. Stop
the firewall and permanently disable it (so that it does not start automatically when the system
restarts) by running the following commands:
$ sudo service firewalld stop
$ sudo systemctl disable firewalld

III. Configuring SNORT to run as a NIDS


The objective of the following steps is to edit some configuration files, download the detection
rules, and take Snort for a test run.
6. Start by updating the shared library cache with the following command:
$ sudo ldconfig
7. Now, you need to download the detection rules that Snort will use to identify potential attacks.
Snort provides three tiers of rule sets: community, registered and subscriber rules.
- Community rules: freely available but somewhat limited.
- Registered rules: by registering for free on the Snort website, you get access to your Oink
code, which lets you download the registered users' rule sets.
- Subscriber rules: available to users with an active subscription to Snort services.
In what follows, you will use the registered rules. First, go to the Snort website and sign up.
Second, sign in and go to your user account details to copy the Oinkcode.

Replace the oinkcode in the following command with your personal code to download the
registered rules (the URL is quoted because it contains a query string):

$ wget "https://www.snort.org/rules/snortrules-snapshot-29181.tar.gz?oinkcode=85f6df2aba456b13d6d4c44520cd02723deab0d1" -O registered.tar.gz
8. Once downloaded, extract the rules into the Snort configuration directory:
$ sudo tar -xvf registered.tar.gz -C /etc/snort
9. The rule sets for registered users include a large number of useful preconfigured detection
rules. They are in the various *.rules files in the directory /etc/snort/rules/.
Count the number of added rules by executing the following command:
$ wc -l /etc/snort/rules/*.rules
10. Create empty white_list.rules and black_list.rules files in the directory /etc/snort/rules/
$ sudo touch /etc/snort/rules/black_list.rules
$ sudo touch /etc/snort/rules/white_list.rules
11. Create a link libdnet.1 that points to libdnet.so.1.0.1.
$ sudo ln -s /usr/lib64/libdnet.so.1.0.1 /usr/lib64/libdnet.1
12. Create the /usr/local/lib/snort_dynamicrules directory, copy the dynamic rules into it, and adjust its
access permissions and ownership:
$ sudo mkdir /usr/local/lib/snort_dynamicrules
$ sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
$ sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules

IV. Configuring the network and rule sets

Once the configuration and rule files are in place, you will configure the file snort.conf to
modify a few parameters.

13. Find the following sections in the configuration file /etc/snort/snort.conf and set the variable
HOME_NET to the set of addresses representing your local network (10.0.0.0/8, 192.168.0.0/16), and
set the variable EXTERNAL_NET to any address not in the local network (!$HOME_NET).

14. In the /etc/snort/snort.conf file, configure the variables RULE_PATH, SO_RULE_PATH and
PREPROC_RULE_PATH as follows.

15. In the /etc/snort/snort.conf file, configure the variables WHITE_LIST_PATH and BLACK_LIST_PATH as follows.

16. In the same snort.conf file, set the unified2 output to log to a file named snort.log as shown here:

17. Scroll down towards the bottom of the file to find the list of included rule sets. Make sure that
local.rules is uncommented so that Snort loads any custom rules (which you will write later in this lab).

18. Open the configuration file /etc/sysconfig/snort using the following command and set the name of the
listening interface appropriately (enp0s3 in this example):
$ sudo vi /etc/sysconfig/snort

V. Validating settings
19. Test the configuration using the parameter -T to enable test mode and validate the configuration.
$ sudo snort -T -c /etc/snort/snort.conf

You should get a message like the one shown below. At this point SNORT should be ready to
run.

20. To test that Snort generates alerts as intended, open the local.rules file using the following command
$ sudo vi /etc/snort/rules/local.rules
and add the following detection rule to detect outgoing ICMP echo-request messages (from the internal to the
external network):
alert icmp $HOME_NET any -> $EXTERNAL_NET any (icode:0; itype:8; msg:"Ping Detected"; sid:10000001; rev:1;)

21. Explain all the fields in the above rule.


22. Start Snort with the -A console option to print the alerts to stdout. You will need to select the correct
network interface (it is set to "enp0s3" in the following command):
$ sudo snort -A console -i enp0s3 -c /etc/snort/snort.conf
23. Open a new terminal and ping an external IP address (e.g., 8.8.8.8).
$ ping 8.8.8.8
You should see an alert for each ICMP echo request in the terminal running Snort.

24. After the alerts show up you can stop Snort with Ctrl+C. The alerts were recorded to a log
under /var/log/snort/snort.log.timestamp, where the timestamp is the point in time when Snort started
(this is a Unix timestamp, i.e. the number of seconds elapsed since the Unix Epoch,
January 1st, 1970 at 00:00 UTC). You can read the logs with the following command:
$ sudo snort -r /var/log/snort/snort.log.1697447169
VI. Adding our own rules to SNORT and generating alerts
VI.1. Detecting PNG file transfer
25. A PNG file always starts with the bytes 0x89 0x50 0x4E 0x47 0x0D 0x0A 0x1A 0x0A. That sequence can
serve as a signature to detect PNG files in captured traffic. Open an existing PNG file with a
hexadecimal viewer and confirm that it begins with the PNG file signature.
$ hexdump -C /usr/share/icons/hicolor/16x16/status/bluetooth-active.png

26. In SNORT, using the content keyword, you can instruct the IDS engine to examine the application-layer
content (the payload) of a packet for given data (which can be expressed as text, as binary data in
hexadecimal format, or as a combination of both). Binary data is expressed as hexadecimal
characters surrounded by pipe symbols (|). Therefore, to examine packet data for the
presence of PNG files by matching occurrences of the PNG "magic numbers", we write:
content:"|89 50 4E 47 0D 0A 1A 0A|"
In the rule file /etc/snort/rules/local.rules, add the following signature to detect the transfer of any PNG
file toward any machine in your network.
alert tcp any any -> $HOME_NET any (msg:"PNG file transfer detected"; content:"|89 50 4E 47 0D 0A 1A 0A|"; sid:1000002; rev:1;)
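The rule syntax used in steps 20 and 26 (seven header fields followed by a parenthesised list of key:value options, and the pipe-delimited hex form of the content keyword) can be studied offline before Snort is started. The following Python script is an added example written for this lab sheet; it is not part of the original handout and is not Snort's own parser. It splits the two rules above into their fields, decodes the content value into raw bytes, and checks a constructed HTTP response against the PNG signature. The sample payloads, the helper names and the assumption that rules fit on one line are mine.

```python
# Added example: a minimal parser for the single-line Snort rule format used in this lab.
# It is not Snort's own parser and models only the pieces the lab uses: the seven header
# fields, the "key:value;" option list, and the content keyword's |hex| byte notation.

# Rules copied from the lab sheet (steps 20 and 26).
PING_RULE = ('alert icmp $HOME_NET any -> $EXTERNAL_NET any '
             '(icode:0; itype:8; msg:"Ping Detected"; sid:10000001; rev:1;)')
PNG_RULE = ('alert tcp any any -> $HOME_NET any '
            '(msg:"PNG file transfer detected"; content:"|89 50 4E 47 0D 0A 1A 0A|"; '
            'sid:1000002; rev:1;)')

HEADER_FIELDS = ("action", "protocol", "src_ip", "src_port",
                 "direction", "dst_ip", "dst_port")


def split_options(body: str) -> list:
    """Split 'k:v; k:v;' on semicolons that sit outside double quotes."""
    items, current, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            items.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    items.append("".join(current).strip())
    return [item for item in items if item]


def parse_rule(rule: str) -> dict:
    """Return {'header': {...}, 'options': [(keyword, value), ...]} for one rule line."""
    head, paren, tail = rule.partition("(")
    tail = tail.rstrip()
    if not paren or not tail.endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    parts = head.split()
    if len(parts) != len(HEADER_FIELDS):
        raise ValueError(f"expected {len(HEADER_FIELDS)} header fields, got {len(parts)}")
    options = []
    for item in split_options(tail[:-1]):
        keyword, _, value = item.partition(":")
        options.append((keyword.strip(), value.strip()))
    return {"header": dict(zip(HEADER_FIELDS, parts)), "options": options}


def decode_content(value: str) -> bytes:
    """Turn a content value such as "GET |0d 0a|" into raw bytes.

    Text outside pipes is literal; text between a pair of pipes is hex bytes.
    """
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    if value.count("|") % 2:
        raise ValueError("unbalanced pipe symbols in content value")
    out = bytearray()
    for index, segment in enumerate(value.split("|")):
        if index % 2 == 0:
            out += segment.encode("latin-1")   # literal text
        else:
            out += bytes.fromhex(segment)       # hex digits, spaces ignored
    return bytes(out)


def content_matches(parsed: dict, payload: bytes) -> bool:
    """True when every content option of the rule occurs in the payload.

    Header fields (protocol, addresses, ports) and non-content options such as
    itype/icode are not evaluated here, so rules without a content option raise.
    """
    patterns = [decode_content(v) for k, v in parsed["options"] if k == "content"]
    if not patterns:
        raise ValueError("rule has no content option to match on")
    return all(pattern in payload for pattern in patterns)


# Constructed sample payloads (not taken from the lab's pcap files).
PNG_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n"
                b"\x89PNG\r\n\x1a\n" + bytes(16))
HTML_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    for rule in (PING_RULE, PNG_RULE):
        parsed = parse_rule(rule)
        print(parsed["header"])
        for keyword, value in parsed["options"]:
            print(f"  {keyword} = {value}")
    png = parse_rule(PNG_RULE)
    print("PNG response matches:", content_matches(png, PNG_RESPONSE))    # True
    print("HTML response matches:", content_matches(png, HTML_RESPONSE))  # False
```

Running the script prints the header fields of both rules by name, which is the structure step 21 asks you to explain, and shows that the content keyword is a plain substring match on the packet payload: the PNG signature is found anywhere in the HTTP response, not only at the start of it. Real Snort additionally evaluates the protocol, address and port fields and options such as itype/icode, which this toy deliberately leaves out.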

27. Download the following traffic capture, which contains HTTP traffic carrying a PNG file, and open it with
Wireshark.
$ wget https://asecuritysite.com/log/with_png.zip
$ unzip with_png.zip
$ wireshark with_png.pcap
If Wireshark cannot start, execute the following command as a regular user (the account used to
open the X Window session) to allow root to connect to its X server:
$ xhost +local:root

28. Check that packet number 109 in the traffic capture contains a PNG file.

29. Stop Snort with Ctrl+C and restart it using the command:
$ sudo snort -A console -i enp0s3 -c /etc/snort/snort.conf
30. Open a new terminal and replay the pcap file (with_png.pcap) over the network interface enp0s3 using
the command:
$ sudo tcpreplay -i enp0s3 with_png.pcap

31. In the terminal running Snort, you should see an alert for the captured PNG file.

VI.2. Detecting GIF file transfer


The same pcap file with_png.pcap also contains a capture of a transmitted GIF image.
32. Explain how to detect the presence of a GIF file inside network traffic.
33. Propose a Snort signature that detects GIF files transmitted over the network.
34. Which datagram(s) inside the pcap file with_png.pcap contain the transmitted GIF file?
35. Test the newly proposed Snort rule and show the generated alert.

VI.3. Detecting clear text card numbers
According to the Payment Card Industry Data Security Standard (PCI DSS for short), card numbers must not
be transmitted insecurely and are not displayed unmasked to most users. An IDS or an IPS can be used as
an enforcement system to ensure that such information is not sent in clear text (in violation of the standard)
over a network. SNORT rules can use PCRE (Perl Compatible Regular Expressions). Regular expressions are
extremely powerful and provide a syntax for matching almost any type of content.
In the following, we will focus on the detection of the Visa card format, which is 16 digits long and starts
with a "4". Examples include:
- 4xxx-xxxx-xxxx-xxxx
- 4xxx xxxx xxxx xxxx
- 4xxxxxxxxxxxxxxx
Using PCRE syntax, the following regular expression can be used to describe Visa card numbers
(\d matches one digit, \s one whitespace character, and each group separator is optional):
4\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}
36. In the rule file /etc/snort/rules/local.rules, add the following signature to detect the transmission of Visa
card numbers in cleartext from the local network to the external network (note that the rule uses the
bidirectional operator <>, so it also matches traffic flowing in the other direction).
alert tcp $HOME_NET any <> any any (pcre:"/4\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}/"; msg:"Visa number detected in clear text"; sid:1000004; rev:1;)
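To see what the regular expression in the rule above does and does not catch, here is an added Python example written for this lab sheet (it is not part of the handout and not Snort code). It runs the same PCRE over a constructed SMTP message body with Python's re module, then applies the Luhn checksum so that only plausible card numbers are kept, and masks the number before it is printed, as an alert message should. The sample e-mail text, the helper names and the test values are my own assumptions; 4111 1111 1111 1111 is the widely published Visa test number.

```python
import re

# Added example: the Visa PCRE from step 36 applied with Python's re module to a
# constructed e-mail body, plus a Luhn check to show which regex hits are real
# card numbers. Python's re supports \d, \s, {n} and (a|b) exactly as PCRE does here.
VISA_RE = re.compile(r"4\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn (mod 10) checksum used by payment card numbers."""
    if not digits.isdigit():
        return False
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:       # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_visa_candidates(text: str) -> list:
    """Every substring the lab's regex fires on, normalised to the 16 bare digits."""
    return [re.sub(r"[\s-]", "", m.group(0)) for m in VISA_RE.finditer(text)]


def find_visa_numbers(text: str) -> list:
    """Candidates that also pass Luhn: the subset worth raising an alert for."""
    return [c for c in find_visa_candidates(text) if luhn_valid(c)]


def mask_pan(pan: str) -> str:
    """PCI-style masking for alert output: keep the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed SMTP message body (not the content of email_cc2.pcap). 4111 1111 1111 1111
# is the well-known Visa test number and passes Luhn; the other two 16-digit values do not.
SAMPLE_MAIL = (
    "From: alice@example.com\r\n"
    "To: bob@example.com\r\n"
    "Subject: order confirmation\r\n"
    "\r\n"
    "Card used: 4111 1111 1111 1111, expiry 12/29\r\n"
    "Typo in earlier mail: 4111-1111-1111-1112\r\n"
    "Purchase order number: 4123456789012345\r\n"
)

if __name__ == "__main__":
    print("regex hits :", find_visa_candidates(SAMPLE_MAIL))
    print("Luhn-valid :", [mask_pan(p) for p in find_visa_numbers(SAMPLE_MAIL)])
```

The raw regex fires three times on this message, because any 16-digit string beginning with 4 matches it, including a purchase-order number; only one of the three passes Luhn. Snort's pcre option cannot compute a checksum, so in practice the rule from step 36 is a noisy first filter and the alert volume has to be reviewed, or the check has to be done downstream of the IDS. Masking the digits in whatever you log keeps the alert itself from becoming a second cleartext copy of the card number.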

37. Download the following traffic capture, which contains email content exchanged via SMTP in clear text,
and check that packet number 15 (an SMTP data fragment of 1460 bytes) contains Visa card numbers
in cleartext.
$ wget https://asecuritysite.com/log/email_cc2.zip
$ unzip email_cc2.zip
$ wireshark email_cc2.pcap

38. Stop SNORT with Ctrl+C and restart it using the command:
$ sudo snort -A console -i enp0s3 -c /etc/snort/snort.conf
39. Open a new terminal and replay the pcap file (email_cc2.pcap) over the network interface enp0s3 using
the command:
$ sudo tcpreplay -i enp0s3 email_cc2.pcap
40. In the terminal running Snort, you should see an alert for the captured Visa card numbers.
