The Snort Intrusion Detection System Computer Science Essay


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Snort is an open source intrusion detection system that runs on many platforms, including Windows, BSD, Solaris, Mac OS X and Linux [5]. It uses a rule-based language that combines signature, protocol and anomaly inspection methods [17]. Snort can be deployed to monitor small TCP/IP networks and detect a wide variety of suspicious network traffic as well as outright attacks [16].

Snort consists of several components that work together to detect attacks and produce output in the required format. The major components are the packet decoder, the preprocessors, the detection engine, the logging and alerting system, and the output modules.

Figure 2-1 Components of Snort

A brief description of each component of Snort is presented in this chapter.

The job of the packet decoder is to take packets from the different types of network interface (Ethernet, SLIP, PPP and so on) and prepare them to be preprocessed or passed to the detection engine.

Preprocessors are components that work on packets before they reach the detection engine. They arrange or modify packets so that the detection engine can match them against its rules, and some preprocessors perform detection themselves by finding anomalies in packet headers and generating alerts. Preprocessors also handle defragmentation: when a large chunk of data is sent to a host it is usually split into fragments, and the IDS must reassemble those fragments before applying any rules or looking for a signature, since a signature split across fragments would otherwise never be seen whole by a per-packet match. These functions are a very important part of the intrusion detection system.

2.2.3 The Detection Engine

The detection engine is the most important part of Snort. It applies the Snort rules to the different parts of a packet: the IP header, the transport-layer header (TCP, UDP, ICMP or another transport protocol), the application-layer header (DNS, FTP, SNMP, SMTP and so on) and the packet payload, to decide whether the packet shows intrusion activity. If a packet matches a rule, the detection engine takes the action the rule specifies, such as logging the packet or generating an alert; a packet that matches no rule is simply discarded from further analysis without being logged (in passive IDS mode Snort only observes traffic and never blocks it).

The detection engine is the time-critical component of Snort. Its efficiency, and the time it takes to process a packet, depends on several factors, among them the number of rules defined, the processing power of the machine Snort runs on, the speed of that machine's internal bus, and the load on the network.

The detection engine works differently in different versions of Snort. Comparing Snort 1.x with Snort 2.0 shows a number of differences, for example:

In Snort 1.x the detection engine acted on the first rule that matched, logging the packet or generating an alert for that rule regardless of its priority, even when several rules matched. This could produce a low-priority alert when a higher-priority rule that merited a high-priority alert sat later in the rule chain. In Snort 2.0 all rules are matched against the packet first, and the highest-priority match is the one used to generate the alert.

The detection engine of snort version 2.0 may be up to eighteen times faster than the detection engine of snort version 1.x.

2.2.4 Logging and Alerting System

Depending on what the detection engine finds inside a packet, the packet is used to log the activity or to generate an alert. Logs are kept in simple text files, tcpdump-style (pcap) files, or some other form.

2.2.5 Output Modules

The main job of the output modules is to process alerts and logs and produce the final output. Output modules can also log to files, send SNMP traps, log to a database such as MySQL or Oracle, generate eXtensible Markup Language (XML) output, modify the configuration of routers and firewalls, and send Server Message Block (SMB) messages to Microsoft Windows machines.



Packet Decoder: prepares packets for processing.

Preprocessors or Input Plugins: normalize protocol headers, detect anomalies, reassemble IP fragments and TCP streams.

Detection Engine: applies rules to packets.

Logging and Alerting System: generates alert and log messages.

Output Modules: process alerts and logs and generate the final output.

Table 2-1 Components of Snort

2.3 Snort Modes

Snort can run in several modes; network sniffer mode and network intrusion detection mode are the two basic ones.

2.3.1 Network Sniffer Mode

In network sniffer mode Snort acts like tcpdump: it captures packets from the network and displays them as a continuous stream on the console, or logs them to a file. No configuration file is needed to run Snort in this mode.

2.3.2 Network Intrusion Detection Mode

In network intrusion detection mode the network traffic is analyzed and the rules are applied to every captured packet. A packet is logged, or an alert generated, only when it matches a rule; otherwise the packet is discarded silently and no log entry is created. This mode needs a configuration file that contains Snort rules, or references to other files that contain rules; the configuration file also holds the settings for the input and output plug-ins [16].

Snort can also run in the following modes:

Packet Logger Mode: logs packets to disk in Snort's decoded ASCII format. This mode is activated merely by specifying a directory to log packets to with the "-l" switch. Packets are written into that directory in a hierarchy of subdirectories named after the IP addresses of the packets on the wire. To organize the hierarchy in terms of the network being monitored (so that the directories created under the logging directory are the IP addresses of the remote, non-home hosts), give the home network with the "-h" switch. To log packets to disk in their raw binary (pcap) format instead, use the "-b" switch; packets logged in this format can be read by other tools such as Ethereal (now Wireshark) and tcpdump. Packet logger mode can be mixed with the sniffer-mode switches with no ill effects, although logging performance may be reduced by the slowness of the terminal.

Inline (IPS) Mode: allows Snort to drop or pass packets based on the Snort rules [1].

2.4 Snort Rules

Snort rules are the most powerful part of Snort. They are written in an easy-to-understand syntax and are used by the system to detect incidents; a rule can generate an alert, log the packet, or pass it. Most rules fit on a single line, but a rule can be extended over multiple lines by ending each line with a backslash. Rules are usually kept in a configuration file, or in several files that are included from a main configuration file.

2.4.1 Structure of a rule

Snort rules are divided into two logical sections: the rule header and the rule options.

Figure 2-2 Basic structure of snort rules

Rule Header

The rule header states what action the rule takes and contains the criteria for matching the rule against packets. It consists of the following parts:

Action: decides what happens when the criteria are met and the rule matches a packet, such as generating an alert, logging the packet, or activating another rule.

Protocol: restricts the rule to packets of one protocol, such as IP, ICMP, TCP or UDP.

Address: defines the source and destination addresses, interpreted according to the direction part. An address may be a single host, a list of hosts or a network, and a network may have some of its addresses excluded.

Port: determines the source and destination ports of the packets the rule applies to. For network-layer protocols such as IP and ICMP, port numbers have no meaning.

Direction: determines which address and port are the source and which the destination (-> for one direction, <> for either direction).

Figure 2-3 Structure of snort rule header

Rule Options

The rule options contain the alert message and information about which parts of the packet are inspected to decide whether the alert should be generated; they add further matching criteria to those in the header.

Rule options follow the rule header and are enclosed in a pair of parentheses. There may be one option or many, separated by semicolons, and together they form a logical AND: the action in the rule header is taken only when every option is satisfied. An option has a keyword and, usually, an argument; the argument is separated from the keyword by a colon.

Figure 2-4 Rule Header and Options Details

The following example generates a warning if a packet containing the hex string 00 01 86 a5 in its payload arrives on the network destined for

alert tcp any any -> any (content:"|00 01 86 a5|"; msg:"mountd access";)

If the content is not enclosed in pipe characters ( | ), it is treated as plain text rather than hex. The following rule generates an alert if the string Login incorrect is sent from a machine running Telnet on the LAN to the Internet:

alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET login incorrect"; flow:from_server,established; content:"Login incorrect"; reference:arachnids,127; classtype:bad-unknown; sid:718; rev:7;)

Note the use of variables for the addresses of the LAN hosts that accept Telnet connections ($TELNET_SERVERS) and for the external network ($EXTERNAL_NET); variables such as these are defined at the top of the Snort configuration file.

If you need to create your own rules (bearing in mind that Snort ships with an extensive set of predefined rules and signatures), you can add them directly to snort.conf or, better yet, place them in their own file and pull that file in from snort.conf with an include directive.
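To make the header and option structure above concrete, here is a small Python model of rule parsing and matching. It is an added example, not Snort's detection engine: it handles the seven header fields, $variables with "!" negation, port ranges, the content option with |hex| sections, and the from_server/to_server part of the flow option, and it parses but ignores the other options (established, reference, classtype). The variable values, the packets, and the destination network and port 111 supplied to the mountd rule (the text's copy of that rule omits them) are assumptions of the example.

```python
"""Model of Snort rule parsing and matching (added example, not Snort's engine)."""
import ipaddress
import re

# Assumed variable definitions, standing in for the var lines at the top of snort.conf.
VARS = {"TELNET_SERVERS": ["10.0.0.5"], "HOME_NET": ["10.0.0.0/8"], "EXTERNAL_NET": ["!10.0.0.0/8"]}

# The two rules from the text. The mountd rule's destination network and port
# (192.168.1.0/24 and 111, the RPC portmapper) are assumed here.
RULE_TEXT = [
    'alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)',
    'alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET login incorrect"; \\\n'
    '    flow:from_server,established; content:"Login incorrect"; '
    'reference:arachnids,127; classtype:bad-unknown; sid:718; rev:7;)',
]

# action proto src sport direction dst dport (options)
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$", re.S)
FIELDS = ("action", "proto", "src", "sport", "direction", "dst", "dport")


def parse_content(arg):
    """Turn a content argument into bytes; text between | pipes | is hex."""
    out = bytearray()
    for i, part in enumerate(arg.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def split_options(body):
    """Split the option list on semicolons that are not inside double quotes."""
    opts, cur, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    opts.append("".join(cur).strip())
    return [o for o in opts if o]


def parse_rule(text):
    """Return a dict with the header fields, an options dict and a content list."""
    m = HEADER_RE.match(text.replace("\\\n", " ").strip())  # backslash-newline continues a rule
    if not m:
        raise ValueError("not a rule: " + text)
    rule = dict(zip(FIELDS, m.groups()), options={}, content=[])
    rule["proto"] = rule["proto"].lower()
    for opt in split_options(m.group(8)):
        key, _, arg = opt.partition(":")
        key, arg = key.strip(), arg.strip().strip('"')
        if key == "content":
            rule["content"].append(parse_content(arg))
        else:
            rule["options"][key] = arg
    return rule


def match_addr(spec, ip):
    """any, a host, a CIDR network, a $variable, or one of these negated with '!'."""
    if spec == "any":
        return True
    if spec.startswith("$"):
        return any(match_addr(s, ip) for s in VARS[spec[1:]])
    if spec.startswith("!"):
        return not match_addr(spec[1:], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def match_port(spec, port):
    """any, a number, or a range such as 20:21 or 1024: (open-ended)."""
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")
    return int(lo or 0) <= port <= int(hi or 65535) if sep else int(spec) == port


def match_rule(rule, pkt):
    """Header fields AND every supported option must match the packet dict."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    ends = [(rule["src"], rule["sport"], rule["dst"], rule["dport"])]
    if rule["direction"] == "<>":  # bidirectional rule: either orientation will do
        ends.append((rule["dst"], rule["dport"], rule["src"], rule["sport"]))
    if not any(match_addr(s, pkt["src"]) and match_port(sp, pkt["sport"]) and
               match_addr(d, pkt["dst"]) and match_port(dp, pkt["dport"]) for s, sp, d, dp in ends):
        return False
    flow = rule["options"].get("flow", "")  # only the direction half of flow is modelled
    if "from_server" in flow and not pkt["from_server"]:
        return False
    if "to_server" in flow and pkt["from_server"]:
        return False
    return all(c in pkt["payload"] for c in rule["content"])


def alerts_for(rules, pkt):
    """Messages of every matching alert rule (Snort 2.x style: all rules are tried)."""
    return [r["options"].get("msg", "") for r in rules if r["action"] == "alert" and match_rule(r, pkt)]


RULES = [parse_rule(t) for t in RULE_TEXT]

# Constructed packets: a Telnet server rejecting a login, the same bytes tagged with the
# wrong flow direction, and an RPC call carrying mountd's program number 100005 (0x186a5).
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 23, "dst": "203.0.113.9", "dport": 40000,
     "from_server": True, "payload": b"\r\nLogin incorrect\r\nlogin: "},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 23, "dst": "203.0.113.9", "dport": 40000,
     "from_server": False, "payload": b"\r\nLogin incorrect\r\nlogin: "},
    {"proto": "tcp", "src": "198.51.100.7", "sport": 51000, "dst": "192.168.1.10", "dport": 111,
     "from_server": False, "payload": bytes.fromhex("80000028 00000001 00000002 000186a5 00000001")},
]
```

Running alerts_for(RULES, pkt) over SAMPLE_PACKETS gives one alert for the first packet, none for the second (right bytes, wrong flow direction, so the AND of the options fails) and the mountd alert for the third. A rule whose header field is missing, such as the text's own abbreviated mountd rule, is rejected by parse_rule rather than silently matching everything.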

2.5 Snort Signatures

2.6 Snort Supported Platforms

Snort is supported on a number of platforms and operating systems, including (01314.pdf):

• Linux

• OpenBSD

• FreeBSD

• NetBSD

• Solaris (both SPARC and i386)

• MacOS

• Windows

Snort usually runs best on OpenBSD, FreeBSD and Linux. Although Snort works on Windows, it is not the ideal choice there; it requires libpcap (WinPcap on Windows) to be installed.

Snort also works on many CPU architectures:





2.7 Type of Attacks

Snort can be used to detect a variety of attacks and probes such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.

2.7.1 Examples of attacks that snort can detect

Directory Traversal Intrusion

The first line of the alert displays the message "WEB-IIS cmd.exe access".

The source and destination IP addresses are displayed on line four.

The last line of the alert gives a reference where more information about this exploit can be found.

The figure at right shows the accompanying log entry for this intrusion.

The first line displays the message "WEB-IIS cmd.exe access".

The second line displays the date, time, type and length of the packet.

The third line displays the source and destination IP addresses.

In this example, the box at the end of the sixth line contains the signature data that generated the alert. We recognize from the earlier discussion the directory traversal footprint GET /scripts/..%c1%c1../winnt/system32/cmd.exe?/c+dir.

CodeRed Detection Using Snort

The figure here shows the Snort alert for CodeRed.

The first line displays the message "WEB-IIS ISAPI .ida attempt".

Line 2 classifies this attack as Priority 1.

The last line of the alert gives a reference where more information about this exploit can be found.

The figure at right shows the accompanying log entry for this intrusion.

The first line includes the message "WEB-IIS .ida attempt". The signature for the CodeRed exploit can be seen in the box at the end of line six. The display is truncated and shows only a few of the 254 "N" characters. The "N" characters have no particular significance except to overflow the buffer. The CodeRed II exploit used the same overflow mechanism with two hundred fifty-four "X" characters.

Nimda Detection Using Snort

The figure here shows the Snort alert for the Nimda worm. The alert contains the pertinent information for this exploit, including the source and destination IP addresses as well as a reference to CERT Advisory CA-2001-26.

The Nimda worm produced a virtual cornucopia of signatures, each intended to perform a specific exploit. The Snort log display in the figure here shows only one, the "scripts/root.exe" signature. The file used for this signature was left behind by the CodeRed II worm and is the result of copying the Windows cmd.exe to root.exe. Snort has detected Nimda's attempt to access this backdoor and has generated both an alert and a log entry.
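The three footprints above can be recognized with a content match only once the request URI has been put into one canonical form; that is the job of the HTTP URI normalization preprocessor, which runs before the detection engine sees the packet. The following Python is an added example of that step and is not Snort's http_inspect code: it percent-decodes twice (to catch double encoding), folds the overlong UTF-8 sequences that the IIS Unicode traversal bug accepted (%c0%af for "/", %c1%9c for "\"), turns backslashes into slashes, and then checks the normalized path. The request lines are constructed for this example; the alert messages for cmd.exe and .ida are the ones quoted above, and the remaining labels are the example's own.

```python
"""URI normalization plus the IIS worm footprints described above (added example)."""
import re
from urllib.parse import unquote_to_bytes


def decode_overlong_utf8(data):
    """Fold two-byte sequences with a C0 or C1 lead byte into the 7-bit code they encode.

    Valid UTF-8 never uses C0/C1 (the value would fit in one byte), but IIS decoded
    them anyway, so %c0%af became '/' and %c1%9c became '\\'. Real two-byte
    characters (lead byte C2..DF) are left untouched.
    """
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(((data[i] & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def normalize_uri(raw):
    """%XX decoded twice, overlong UTF-8 folded, backslashes to slashes, // collapsed."""
    data = unquote_to_bytes(raw)
    data = unquote_to_bytes(data)  # second pass catches %252e (double encoding)
    data = decode_overlong_utf8(data)
    text = data.decode("latin-1").replace("\\", "/")
    return re.sub(r"/{2,}", "/", text)


# Checks run against the normalized path and the raw query. The first two messages
# are quoted in the text; the other two are labels made up for this example.
SIGNATURES = [
    ("WEB-IIS cmd.exe access", lambda path, query: "cmd.exe" in path.lower()),
    ("WEB-IIS ISAPI .ida attempt",  # CodeRed: .ida request padded with a long run of one byte
     lambda path, query: path.lower().endswith(".ida") and re.search(r"(.)\1{199,}", query) is not None),
    ("NIMDA scripts/root.exe access (example label)", lambda path, query: "scripts/root.exe" in path.lower()),
    ("WEB-MISC directory traversal (example label)", lambda path, query: "/../" in path),
]


def inspect_request_line(line):
    """Return (normalized path, alert messages) for one HTTP request line."""
    parts = line.split(" ")
    if len(parts) < 2:
        return None, ["malformed request line"]
    raw_path, _, raw_query = parts[1].partition("?")
    path = normalize_uri(raw_path)
    alerts = [msg for msg, check in SIGNATURES if check(path, raw_query)]
    return path, alerts


# Constructed request lines: the footprints the text describes, a double-encoded
# variant that a plain match on "cmd.exe" would miss, and a harmless request.
SAMPLE_REQUESTS = [
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/%252e%252e/winnt/system32/cmd%252eexe?/c+dir HTTP/1.0",
    "GET /default.ida?" + "N" * 254 + "%u9090%u6858%ucbd3%u7801 HTTP/1.0",
    "GET /scripts/root.exe?/c+dir HTTP/1.0",
    "GET /index.html HTTP/1.1",
]
```

The double-encoded request is the reason the decoding happens before matching rather than inside the rule: without normalization a content match on "cmd.exe" would have to enumerate every encoding the server accepts.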

Snort is an open source network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching and matching in order to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses a flexible rules language to describe the traffic it should collect or pass, and a detection engine built on a modular plugin architecture. Snort also has real-time alerting, with alerting mechanisms for syslog, user-specified files, a UNIX socket, or WinPopup messages to Windows clients via Samba's smbclient.

Snort has three primary functional modes. It can be used as a straight packet sniffer like tcpdump(1), as a packet logger (useful for network traffic debugging and the like), or as a full-blown network intrusion detection system.

Snort logs packets in many formats, including tcpdump(1) binary format and Snort's decoded ASCII format, into a hierarchical set of directories named after the IP address of the remote host.

Plugins allow the detection and reporting subsystems to be extended. Available plugins include database and XML logging, small-fragment detection, portscan detection, HTTP URI normalization, IP defragmentation, TCP stream reassembly and statistical anomaly detection.

2.8 Snort Notification

Snort has two types of output facility to notify the user about an attack. The first is the alerting facility, which signals that something has happened; the second is the logging facility, which records the full packet information in the configured output format (pcap, ASCII, database, etc.) (antionline.pdf).

2.8.1 Alerting Mode

An alert is generated when a captured packet matches a Snort rule. The alert gives information about the kind of attack, where it came from, where it was going, and where to find more information about the attack. Snort can emit alerts in several modes, configured on the command line and in snort.conf.

Fast Mode

Fast alert mode writes each alert in a simple one-line format containing the timestamp, the alert message, and the source and destination IP addresses and ports; the packet itself is not written to this file in this mode.


05/28-22:16:25.126150 [**] [1:0:0] Ping with TTL=100 [**]

{ICMP} ->

This alert message shows the following information:

Date and time the alert occurred.

Message present in the rule that generated this alert. In this example, the message is "Ping with TTL=100".

Source address which is

Destination address which is

Type of packet; in the above example the packet type is ICMP.

Full Mode

Full alert mode is the default. It prints the alert message together with the packet header.


[**] [1:0:0] Ping with TTL=100 [**]

05/28-22:14:37.766150 ->

ICMP TTL:100 TOS:0x0 ID:40172 IpLen:20 DgmLen:60

Type:8 Code:0 ID:768 Seq:20224 ECHO

The following additional packet-header information is included:

Time to Live (TTL) value in the IP packet header.

The Type Of Service (TOS) value in the IP packet header.

Length of IP packet header shown as IpLen:20.

Total length of IP packet shown as DgmLen:60.

ICMP Type field.

ICMP code value.

IP packet ID.

Sequence number.

ICMP packet type, here ECHO.

UNIXSOCK

Sets up a UNIX domain socket and sends alerts to it.

Sending Alerts to Syslog

Syslog is the system logger daemon; it generates log files for system events. In syslog mode alerts are sent to the syslog daemon and, depending on its configuration, can be saved to a particular file.

Sending Alerts to SNMP

In this mode an output plugin is configured to send alerts as SNMP traps to a network management system.

Sending Alerts to Windows

Snort can send alerts to Microsoft Windows machines as pop-up windows. These pop-ups are delivered by the Windows Messenger service, which must be running on the Windows machine for them to appear [16].
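The fast-mode lines shown above are the form most scripts and log shippers consume. The following Python, an added example rather than Snort code, parses both layouts seen in this chapter (the older timestamp / [**] / message / {proto} form and the later one that adds Classification and Priority), splits the port off TCP and UDP endpoints, and summarizes a batch of lines by rule, by source, and by priority (1 is the most urgent). The sample lines, including their addresses, are constructed for this example.

```python
"""Parse alert_fast lines into records and summarize them (added example, not Snort code)."""
import re
from collections import Counter

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s*"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"   # absent in the older format
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s*)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def split_endpoint(text, proto):
    """'10.0.0.5:23' -> ('10.0.0.5', 23); ICMP endpoints carry no port."""
    if proto in ("TCP", "UDP") and ":" in text:
        ip, _, port = text.rpartition(":")
        return ip, int(port)
    return text, None


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    proto = m["proto"]
    src, sport = split_endpoint(m["src"], proto)
    dst, dport = split_endpoint(m["dst"], proto)
    return {
        "timestamp": m["ts"],
        "gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
        "msg": m["msg"],
        "classification": m["cls"],
        "priority": int(m["prio"]) if m["prio"] else None,
        "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport,
    }


def summarize(lines, urgent_at=2):
    """Count alerts per rule and per source and list those with priority <= urgent_at."""
    alerts = [a for a in map(parse_alert, lines) if a]
    return {
        "parsed": len(alerts),
        "unparsed": len(lines) - len(alerts),
        "by_rule": Counter((a["gid"], a["sid"], a["msg"]) for a in alerts),
        "by_src": Counter(a["src"] for a in alerts),
        "urgent": [a for a in alerts if a["priority"] is not None and a["priority"] <= urgent_at],
    }


# Constructed alert_fast lines in both formats; the addresses are this example's own.
SAMPLE_ALERTS = [
    "05/01-23:34:15.485305  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] "
    "[Priority: 3] {ICMP} 192.168.1.20 -> 192.168.1.10",
    "05/01-23:34:15.485305  [**] [1:382:7] ICMP PING Windows [**] [Classification: Misc activity] "
    "[Priority: 3] {ICMP} 192.168.1.20 -> 192.168.1.10",
    "05/01-23:36:02.120004  [**] [1:718:7] TELNET login incorrect [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:23 -> 203.0.113.9:40000",
    "05/28-22:16:25.126150  [**] [1:0:0] Ping with TTL=100 [**] {ICMP} 192.168.1.2 -> 192.168.1.1",
    "this line is not an alert",
]
```

Because the fast format carries no packet contents, the record holds only what the line holds; to see the packet behind an urgent entry you go to the full-mode alert or the log file written for the same timestamp.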

2.8.2 Logging Mode

Logging mode just logs the full packet information to the configured destinations without generating an alert.

The "alert" action in Snort is hard-coded to do two things when an event is detected: write an event to the alert facility and log as much as possible (or as much as desired) to the output facility. The "log" action merely logs the current packet to the logging facility without generating an alert. This lets you log interesting things (Telnet sessions, for example) without having to generate an alert on every packet.

The database plugin is something of an anomaly because it does not separate the two facilities very much. The "log" option attaches it to the log facility and the "alert" option attaches it to the alert facility. In practical terms this means that if the database plugin is in alert mode it receives output only from alert rules, whereas in log mode it receives output from both log and alert rules.

2.2 Why Snort

This question I had to ask. I really do not remember why I picked Snort to be my IDS of choice when I was starting out with IDS, but one thing is for certain: there are many reasons you would pick Snort over other ID systems. So I asked Sieve (a developer for the PHLAK Linux distribution) why he picked Snort over other commercial ID systems; here is his answer:

"Snort is versatile, can be used as an IDS, IPS (intrusion prevention system), scrubber, Inline firewall, etc... It has a huge user-base that updates signatures all the time, It is open source so if you ever need to edit the code for a specific reason the code is available, and it is free. What is there not to like."

There are other reasons why you would choose Snort over other ID systems, some include:

1) Snort is passive, so it can monitor any system on your network with no configuration change on the target computer.

2) Portable and fast.

3) Snort can log to numerous databases, including Oracle, Microsoft SQL Server, MySQL and PostgreSQL.

4) Flexible and simple: Snort uses plugins for all of its functions, so you can add and remove plugins as you wish.

5) Snort rule files (signatures) are easy to write and effective.

6) Snort has been ported to every major operating system.


Snort (Windows)


An IDS is a device (or application) that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station. Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators. In addition, organizations use IDPSs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSs have become a necessary addition to the security infrastructure of nearly every organization.

That was an excerpt from Wikipedia on intrusion detection systems (IDS). In my own terms, an IDS inspects network traffic, analyses the packets in real time and tries to find any type of attack (e.g. port scan, DDoS) as the packets are inspected. An IDS also logs any attack and can be used to alert system administrators. However, an IDS does not prevent attacks, as it only monitors network traffic. Let's install Snort and see how an IDS works.

Step 1: Download

1) WinPcap 4.1.1

2) Snort Release 2.8.6

3) * Snort Ruleset Snapshot 2.8.6

Note: * You need to register to download Sourcefire VRT Certified Rules - The Official Snort Ruleset (registered-user release).

Step 2: Install

1) Install WinPcap.

2) Install Snort.

Note: Leave everything to default unless mentioned.

Step 3: Extract Ruleset

1) Extract Snort Ruleset 2.8.6 (snortrules-snapshot-2853.tar.gz).

2) Copy rules, preproc_rules, so_rules folders and replace the ones in your previously installed Snort, C:\Snort\. Rulesets are basically used by Snort to analyze and categorize type of attack found in the network traffic.

Step 4: Configure

Open C:\Snort\etc\snort.conf with a text editor. (Always back up the original.)

1) I want to set up IDS to protect this box on

var HOME_NET any change to var HOME_NET

2) Set path for dynamic module to point to Snort installation folder.

# path to dynamic preprocessor libraries

dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/

# path to base preprocessor engine

dynamicengine /usr/local/lib/snort_dynamicengine/

Change to:

# path to dynamic preprocessor libraries

dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor

# path to base preprocessor engine

dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll

Note: Notice the difference? The existing settings are for a Unix system; since we are using a Windows machine, some changes are needed.

3) Create a file named alert.ids in C:\Snort\log. Search for "Step #6" in snort.conf; this step is all about configuring output, in other words how the alerts from Snort are stored. There is an option to keep the data in a database such as MySQL, but we are not going to do that just yet. Instead, we are going to write the alerts to a flat file.

Insert the line in any of the section in "Step #6"

output alert_fast: alert.ids

4) Search for "Step #7"; this section enables the rule files that let Snort catch specific types of attack. Uncomment # include $RULE_PATH/icmp.rules so that it reads include $RULE_PATH/icmp.rules (without the "#"). Do the same with include $RULE_PATH/icmp-info.rules.

# include $RULE_PATH/icmp.rules

# include $RULE_PATH/icmp-info.rules

include $RULE_PATH/icmp.rules

include $RULE_PATH/icmp-info.rules

Note: If you want to include all the rules, uncomment all the way down.

5) Finally, delete C:\Snort\lib\snort_dynamicpreprocessor\sf_sdf.dll. Since we did not enable IPv6 support in the Snort installation earlier, sf_sdf.dll has to be removed; otherwise Snort produces errors at run time.

Note: All lines begin with "#" are actually comments.
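A quick way to confirm that steps 1 to 4 were actually applied before starting Snort is to parse snort.conf and report what is still at its default. The following Python is an added example, not part of Snort or of this tutorial: it resolves var definitions in order (so an EXTERNAL_NET defined as !$HOME_NET picks up the HOME_NET value), lists the rule files that are included and those still commented out, and flags HOME_NET left at any, dynamic library paths that still point at /usr/local, and a missing output line. The snort.conf fragment is constructed for the example.

```python
"""Lint the parts of snort.conf that the configuration steps above touch (added example)."""
import re

# Constructed snort.conf fragment: HOME_NET still at its default, one dynamic path still
# the Unix default, and one include still commented out, so there is something to report.
SAMPLE_CONF = """\
# Step #1: Set the network variables
var HOME_NET any
var EXTERNAL_NET !$HOME_NET
var RULE_PATH ../rules

# Step #2: dynamic libraries
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine C:\\Snort\\lib\\snort_dynamicengine\\sf_engine.dll

# Step #6: output
output alert_fast: alert.ids

# Step #7: rules
include $RULE_PATH/icmp.rules
# include $RULE_PATH/icmp-info.rules
include $RULE_PATH/web-iis.rules
"""

VAR_KEYWORDS = ("var", "ipvar", "portvar")
DYNAMIC_KEYWORDS = ("dynamicpreprocessor", "dynamicengine", "dynamicdetection")


def resolve_vars(value, variables):
    """Replace every $NAME with its definition; unknown names are left as they are."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), value)


def parse_conf(text):
    """Collect variables, active and commented-out includes, output and dynamic lines."""
    conf = {"vars": {}, "includes": [], "disabled_includes": [], "outputs": [], "dynamic": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # A leading "#" makes the line a comment, but a commented-out include is still
        # worth reporting: it is a rule file the sensor is not using.
        commented = line.startswith("#")
        parts = line.lstrip("#").split()
        if not parts:
            continue
        keyword, args = parts[0], parts[1:]
        if commented:
            if keyword == "include" and args:
                conf["disabled_includes"].append(resolve_vars(args[0], conf["vars"]))
            continue
        if keyword in VAR_KEYWORDS and len(args) >= 2:
            # Definitions expand in file order, so !$HOME_NET sees the HOME_NET above it.
            conf["vars"][args[0]] = resolve_vars(" ".join(args[1:]), conf["vars"])
        elif keyword == "include" and args:
            conf["includes"].append(resolve_vars(args[0], conf["vars"]))
        elif keyword == "output":
            conf["outputs"].append(" ".join(args))
        elif keyword in DYNAMIC_KEYWORDS and args:
            conf["dynamic"].append((keyword, args[-1]))
    return conf


def lint_conf(conf, windows=True):
    """Return the problems that steps 1 to 4 of the walkthrough are meant to fix."""
    problems = []
    if conf["vars"].get("HOME_NET", "any") == "any":
        problems.append("HOME_NET is 'any': set it to the address or network being protected")
    for keyword, path in conf["dynamic"]:
        if windows and path.startswith("/usr/local/"):
            problems.append(f"{keyword} still points at the Unix default {path}")
    if not conf["outputs"]:
        problems.append("no output line: alerts go nowhere (e.g. output alert_fast: alert.ids)")
    for path in conf["disabled_includes"]:
        problems.append(f"rule file not enabled (commented out): {path}")
    return problems
```

lint_conf(parse_conf(SAMPLE_CONF)) reports the three things the fragment leaves undone; once HOME_NET is given a real address the derived EXTERNAL_NET value changes with it, which is the reason the variables are defined once at the top of the file rather than repeated in every rule.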

Step 5: Run

1) Open a command line and change to C:\Snort\bin.

2) Run Snort.exe -W. This lists the interfaces installed on your machine; you may see an Ethernet adapter, a PPP adapter and even your wireless adapter, but we are particularly interested in the Ethernet adapter (NIC). Note the interface id (e.g. 1, 2) in the leftmost column.

3) Press Ctrl+C to stop Snort.

4) Snort.exe -c ..\etc\snort.conf -l ..\log\ -i1

Note: The -iX, where X is a number for your interface id.

5) If you see "Not Using PCAP_FRAMES", Snort has been installed and started successfully.

Step 6: Test

Now let's initiate some attacks for Snort to catch.

1) Ping from other machine, in my case it is (The machine where I installed Snort)

2) Open C:\Snort\log\alert.ids to check for the alert detected.

05/01-23:34:15.485305 [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} ->

05/01-23:34:15.485305 [**] [1:382:7] ICMP PING Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} ->

Practical Example of using snort

After installing Snort 2.8.6 on my Windows 7 machine and learning how to write a rule, I created my own rule to test Snort and configured the snort.conf file to include it.

First I configured the snort.conf file to work on my machine.

The following example treats a YouTube user as the attacker, so Snort will alert whenever anyone accesses YouTube from this machine.

Writing the rule

I used a simple editor, Programmers Notepad, to write the rule and saved it in the path c:\snort\rules with the name youtube.rules.

Understanding the rule

Rule header:

alert: This is the rule action; a packet that matches the rule generates an alert.

tcp: This is the protocol being matched.

any: This is the source IP address; any matches every address.

any: This is the source port; any matches every port.

->: This arrow indicates the direction of the conversation.

any: This is the destination IP address; any matches every address.

any: This is the destination port; any matches every port.

Rule options:

content: Snort tries to find this content in the packet payload; in this case Snort will match "" against the packet.

msg: The message "someone visiting youtube" is displayed by the alert.

sid:1000002: This is the rule's unique identifier.

rev:1: This is the revision number of the rule.

Configure the Snort.conf file

After writing and saving the rule, snort.conf must be configured to include the youtube rule.

Using snort:

First I opened a command prompt and changed to c:\snort\bin, where the Snort executable is, then ran the command "snort -c c:\snort\etc\snort.conf -l c:\snort\log -A console -i 4", which tells Snort to

Now the snort is running and waiting for attack to happen.

I opened Internet Explorer and accessed the site at 2:41 am to check my rule.

Then I went back to the command prompt to check whether Snort had caught the attack, and the following alert appeared.

This alert means

After checking the folder C:\snort\log to see whether Snort had logged the output there, I found that a new file named snort.log.1288741012 had been created.