Building a budget-friendly intrusion detection system, Part 2


If you followed the steps outlined in my last column, you should now have a fully operational Linux system with the Snort packet sniffing software installed. The rest of the tutorial depends on having Snort up and running; if you haven't installed the software, do it now.

Snort analyzes captured packets by applying one-line rules. This is an important distinction between Snort and more complex analysis packages such as Network Flight Recorder. All Snort rules must be one line in length.

We'll start by running Snort in the "no rules" packet header mode: dumping captured traffic directly to the screen. From the Linux command line type the following:

<font face="courier">./snort -v <cr></font>

If you've installed your test probe on an Ethernet switch, you'll only see broadcast traffic and packets originating from or destined to the probe. If the system is on a shared network segment, you should see a large number of decoded packets. Break out of Snort with Ctrl-C.

Let's take a look at a three simple Snort rules:

<font face="courier">
log tcp any any -> 23 <br>
alert tcp any any -> 16660 (msg:"stacheldraht client to handler";<br>
alert tcp any any -> 143 (content: "|90C8 C0FF FFFF|/bin/sh")<br>

The first rule logs all inbound TCP traffic destined for port 23 (telnet) in the network address space.

The second rule generates an alert -- logged to an alert text file or to syslog -- when inbound traffic destined for port 16660 in the address space is detected.

The final rule looks for the pattern "90C8 C0FF FFFF|/bin/sh" in the packet payload and generates an alert message. That string indicates an IMAP buffer overflow attempt.

Snort comes with several rule files -- scan-lib, web-lib, and misc-lib -- that are worth examining. The best way to learn to write rules is by studying the existing rule files and modifying them for your own network environment.

In our next installment, we'll conclude this series by showing you how to analyze the data that Snort logs, how to generate reports, and where you should deploy the probe on the network.

Free Course: JavaScript: The Good Parts
View Comments
You Might Like
Join the discussion
Be the first to comment on this article. Our Commenting Policies