Building a budget-friendly intrusion detection system, Part 2
If you followed the steps outlined in my last column
(http://mithras.itworld.com/articles/columns/net-currier-0303a.html), you should now
have a fully operational Linux system with the Snort packet sniffing software
(http://www.clark.net/~roesch/security.html) installed. The rest of the tutorial depends
on having Snort up and running; if you haven't installed the software, do it now.
Snort analyzes captured packets by applying rules, each of which must fit on a single
line. This is an important distinction between Snort and more complex analysis packages
such as Network Flight Recorder (http://www.nfr.com/): every Snort rule, header and
options included, is written on one line.
We'll start by running Snort in packet-header ("no rules") mode, which decodes captured
traffic and dumps it straight to the screen. From the Linux command line, type the
following (<cr> means press Enter):
./snort -v <cr>
The -v switch prints only the packet headers; add -d if you also want the
application-layer data dumped. If your probe is plugged into an Ethernet switch, you'll
see only broadcast traffic and packets originating from or destined to the probe itself,
because a switch forwards unicast traffic only to the port that owns the destination
address (to watch everything, the switch must be configured to mirror traffic to the
probe's port). If the system is on a shared (hub) segment, you should see a large number
of decoded packets. Break out of Snort with Ctrl-C.
Let's take a look at three simple Snort rules:
log tcp any any -> 188.8.131.52/16 23
alert tcp any any -> 184.108.40.206/16 16660 (msg:"stacheldraht client to handler";)
alert tcp any any -> 220.127.116.11/24 143 (content: "|90C8 C0FF FFFF|/bin/sh";)
The first rule logs every TCP packet, from any source address and any source port,
destined for port 23 (telnet) on a host in the /16 network named in the rule. No alert
is raised; the packets are simply logged for later review.
The second rule generates an alert -- logged to an alert text file or to syslog --
whenever inbound TCP traffic destined for port 16660 on a host in the /16 network named
in the rule is seen. Port 16660 is the default port on which a stacheldraht DDoS client
talks to its handler, hence the text of the msg option.
The final rule inspects the payload of any TCP packet sent to port 143 (IMAP) on a host
in the /24 network named in the rule and generates an alert when it contains the pattern
"|90C8 C0FF FFFF|/bin/sh". Bytes between the vertical bars are written in hexadecimal;
text outside them is matched literally. That byte sequence is the signature of a known
IMAP buffer overflow attempt: NOP-style padding followed by the string /bin/sh that the
injected shellcode executes.
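To make the matching behaviour of these three rules concrete, here is a miniature rule matcher written for this column as an added example; it is not Snort's own code. It parses the three rules quoted above (header plus options), implements only what those rules need ('any', CIDR networks, single ports and the content option with Snort's |hex| notation), and evaluates them against a handful of packets. The source addresses, ports and payloads in the packets are constructed for the example.

```python
"""Miniature Snort-style rule matcher (added example, not Snort's own code).

Rules have the form shown in the column:
    action proto src_ip src_port -> dst_ip dst_port (option: "value"; ...)
Only the features the three example rules need are implemented.
"""
import ipaddress
import re

HEADER = re.compile(
    r'^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)'
    r'\s*(?:\((?P<opts>.*)\))?\s*$')


def parse_content(spec):
    """Turn a Snort content string into raw bytes: text between vertical
    bars is hexadecimal (whitespace ignored), text outside them is literal."""
    out = bytearray()
    for i, chunk in enumerate(spec.split('|')):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode('latin-1')
    return bytes(out)


def parse_options(opts):
    """'msg:"x"; content: "y";' -> {'msg': 'x', 'content': 'y'}."""
    return dict(re.findall(r'(\w+)\s*:\s*"([^"]*)"', opts or ''))


class Rule:
    def __init__(self, text):
        m = HEADER.match(text.strip())
        if not m:
            raise ValueError('unparsable rule: %r' % text)
        self.action, self.proto = m['action'], m['proto']
        self.src, self.sport = m['src'], m['sport']
        self.dst, self.dport = m['dst'], m['dport']
        self.opts = parse_options(m['opts'])
        self.content = (parse_content(self.opts['content'])
                        if 'content' in self.opts else None)

    @staticmethod
    def _ip_ok(spec, ip):
        # strict=False masks off host bits, so 188.8.131.52/16 means 188.8.0.0/16
        return spec == 'any' or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

    @staticmethod
    def _port_ok(spec, port):
        return spec == 'any' or int(spec) == port

    def matches(self, pkt):
        """pkt is a dict with proto, src, sport, dst, dport and payload (bytes)."""
        if pkt['proto'] != self.proto:
            return False
        if not (self._ip_ok(self.src, pkt['src']) and self._port_ok(self.sport, pkt['sport'])):
            return False
        if not (self._ip_ok(self.dst, pkt['dst']) and self._port_ok(self.dport, pkt['dport'])):
            return False
        # Header matched; apply the payload test only if the rule has one.
        return self.content is None or self.content in pkt['payload']


# The three rules from the column.
RULES = [Rule(r) for r in (
    'log tcp any any -> 188.8.131.52/16 23',
    'alert tcp any any -> 184.108.40.206/16 16660 (msg:"stacheldraht client to handler";)',
    'alert tcp any any -> 220.127.116.11/24 143 (content: "|90C8 C0FF FFFF|/bin/sh";)',
)]


def evaluate(pkt, rules=RULES):
    """Return [(action, msg), ...] for every rule the packet triggers."""
    return [(r.action, r.opts.get('msg', '')) for r in rules if r.matches(pkt)]


def tcp(src, sport, dst, dport, payload=b''):
    return dict(proto='tcp', src=src, sport=sport, dst=dst, dport=dport, payload=payload)


# Constructed traffic: one packet per rule plus two that should stay silent.
PACKETS = {
    'telnet_inbound':   tcp('10.9.8.7', 40001, '188.8.10.20', 23),
    'telnet_elsewhere': tcp('10.9.8.7', 40002, '188.9.10.20', 23),   # outside the /16
    'stacheldraht':     tcp('10.9.8.7', 40003, '184.108.3.4', 16660),
    'imap_overflow':    tcp('10.9.8.7', 40004, '220.127.116.200', 143,
                            b'A001 AUTHENTICATE ' + b'\x90' * 8 + b'\x90\xc8\xc0\xff\xff\xff/bin/sh'),
    'imap_login':       tcp('10.9.8.7', 40005, '220.127.116.200', 143, b'A001 LOGIN alice secret\r\n'),
}


def run():
    """Evaluate every constructed packet; returns {name: [(action, msg), ...]}."""
    return {name: evaluate(pkt) for name, pkt in PACKETS.items()}


if __name__ == '__main__':
    for name, hits in run().items():
        print('%-17s %s' % (name, hits or 'no match'))
```

The two silent packets illustrate the points that matter when you write your own rules: the telnet packet to a host outside the /16 is ignored even though the port matches, and the ordinary IMAP LOGIN to the right host and port is ignored because the content pattern is not in its payload.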
Snort comes with several rule files -- scan-lib, web-lib, and misc-lib among them -- that
are worth examining. The best way to learn to write rules is to study the existing rule
files and adapt them to your own network environment, starting with the destination
networks, which must be changed to your own address ranges.
In our next installment, we'll conclude this series by showing you how to analyze
the data that Snort logs, how to generate reports, and where you should deploy the
probe on the network.