Snort3 on Ubuntu 20 - Learning a little about our installation - Getting Help, Running Snort3, etc
By Securitynik on 2021-02-05 22:29:59

In the previous post, we performed the install of Snort3. In this post, we learn a little about Snort3 before we start feeding it via rules and then perform some housekeeping.

Getting help!

securitynik@snort3:~$ snort --help

Snort has several options to get more help:

-? list command line options (same as --help)
--help this overview of help
--help-commands [<module prefix>] output matching commands
--help-config [<module prefix>] output matching config options
--help-counts [<module prefix>] output matching peg counts
--help-limits print the int upper bounds denoted by max*
--help-module <module> output description of given module
--help-modules list all available modules with brief help
....

To get help for a particular component, we can then say.

securitynik@snort3:~$ snort --help-commands
appid.enable_debug(proto, src_ip, src_port, dst_ip, dst_port): enable appid debugging
appid.disable_debug(): disable appid debugging
appid.reload_third_party(): reload appid third-party module
appid.reload_detectors(): reload appid detectors
host_cache.dump(file_name): dump host cache
...

To learn about the plugins

securitynik@snort3:~$ snort --list-plugins | more
codec::arp v0 static
codec::auth v0 static
codec::bad_proto v0 static
codec::ciscometadata v0 static
codec::erspan2 v0 static
codec::erspan3 v0 static
codec::esp v0 static
codec::eth v0 static
codec::fabricpath v0 static
codec::gre v0 static
....

To see some of the command line options available, you can look at the --help-options.

securitynik@snort3:~$ snort --help-options
-? <option prefix> output matching command line option quick help (same as --help-options) (optional)
-A <mode> set alert mode: none, cmg, or alert_*
-B <mask> obfuscated IP addresses in alerts and packet dumps using CIDR mask
-C print out payloads with character data only (no hex)
-c <conf> use this configuration
-D run Snort in background (daemon) mode
-d dump the Application Layer
-e display the second layer header info
-f turn off fflush() calls after binary log writes
-G <0xid> (same as --logid) (0:65535)
-g <gname> run snort gid as <gname> group (or gid) after initialization
-H make hash tables deterministic
-i <iface>... list of interfaces
...

While this system has tcpdump installed by default, let's also install TShark.

securitynik@snort3:~$ sudo apt-get install tshark

Using tcpdump I captured over 21,044 packets, using the following.

securitynik@snort3:~$ securitynik@snort3:~$ sudo tcpdump -n --interface enp0s3 -v -w securitynik-sample.pcap
tcpdump: listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
Got 1448

Got 1448
^C21044 packets captured
21044 packets received by filter
0 packets dropped by kernel

Using TShark, let's now see what is in this file.

securitynik@snort3:~$ tshark -n -r securitynik-sample.pcap -q -z io,phs
===================================================================
Protocol Hierarchy Statistics
Filter: 

eth                                      frames:21044 bytes:178288931
  ip                                     frames:20780 bytes:178275019
    udp                                  frames:851 bytes:118457
      dns                                frames:819 bytes:115601
      ntp                                frames:24 bytes:2160
      mdns                               frames:8 bytes:696
    tcp                                  frames:19929 bytes:178156562
      http                               frames:156 bytes:28081
        media                            frames:1 bytes:1448
          tcp.segments                   frames:1 bytes:1448
      tls                                frames:7855 bytes:164523943
        tcp.segments                     frames:7572 bytes:164188303
          tls                            frames:7555 bytes:163997610
  arp                                    frames:256 bytes:13056
  ipv6                                   frames:8 bytes:856
    udp                                  frames:8 bytes:856
      mdns                               frames:8 bytes:856
===================================================================

Doing some basic processing on the file with Snort3, we see 1 PCAP with 21,044 records received and analyzed, just as we captured. We also got information on the timing for the processing of these packets. Looks like Snort3 processed all 21,044 packets in under 1 second.

securitynik@snort3:~$  snort --pcap-list securitynik-sample.pcap 
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
--------------------------------------------------
pcap DAQ configured to read-file.
Commencing packet processing
++ [0] securitynik-sample.pcap
-- [0] securitynik-sample.pcap
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
                    pcaps: 1
                 received: 21044
                 analyzed: 21044
                    allow: 21044
                 rx_bytes: 16259569
--------------------------------------------------
codec
                    total: 21044       	(100.000%)
                 discards: 17392       	( 82.646%)
                      arp: 256         	(  1.216%)
                      eth: 21044       	(100.000%)
                     ipv4: 20780       	( 98.745%)
                     ipv6: 8           	(  0.038%)
                      tcp: 11046       	( 52.490%)
                      udp: 859         	(  4.082%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
detection
                 analyzed: 21044
--------------------------------------------------
tcp
        bad_tcp4_checksum: 8071
--------------------------------------------------
udp
        bad_udp4_checksum: 430
        bad_udp6_checksum: 8
--------------------------------------------------
Summary Statistics
--------------------------------------------------
timing
                  runtime: 00:00:00
                  seconds: 0.486754
                 pkts/sec: 21044
                Mbits/sec: 124
o")~   Snort exiting

If you wish to dump contents of the PCAP file add the "-L dump" option or go even further by adding the "-d" to dump the application data. In this case I will add "-n" to only show 1 packet.

securitynik@snort3:~$ snort --pcap-list securitynik-sample.pcap -L dump -d -n 1 
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
--------------------------------------------------
pcap DAQ configured to read-file.
Commencing packet processing
++ [0] securitynik-sample.pcap
pkt:1	
eth(DLT):  08:00:27:2A:BA:15 -> 52:54:00:12:35:02  type:0x0800
ipv4(0x0800):  10.0.2.15 -> 64.71.255.198
	Next:0x11 TTL:64 TOS:0x0 ID:55133 IpLen:20 DgmLen:86 DF

snort.raw[66]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
9F 59 00 35 00 42 4C 70  9C 9D 01 00 00 01 00 00  .Y.5.BLp ........
00 00 00 01 12 63 6F 6E  6E 65 63 74 69 76 69 74  .....con nectivit
79 2D 63 68 65 63 6B 06  75 62 75 6E 74 75 03 63  y-check. ubuntu.c
6F 6D 00 00 01 00 01 00  00 29 02 00 00 00 00 00  om...... .)......
00 00                                             ..
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

While reading back data from a PCAP file is cool, Snort3 is more than likely going to be running in live mode most of the time. Here is what it looks like once you decide to run snort from the command line.

First off, decide on the interface or interfaces you wish to capture traffic on. Here are my list of interfaces on my VM.

securitynik@snort3:~$  ip address show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:2a:ba:15 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic noprefixroute enp0s3
       valid_lft 59259sec preferred_lft 59259sec
    inet6 fe80::8adb:ccd9:2479:82c3/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:eb:40:cd brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.116/24 brd 10.0.0.255 scope global dynamic noprefixroute enp0s8
       valid_lft 459sec preferred_lft 459sec
    inet6 fe80::2cf1:a00b:bcce:f58c/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

Let's tell Snort3 to capture traffic on the two non-loopback interfaces. Note, while I'm using two interfaces separated by colon, you can instead use 1 interface as would be the case on most installs of an IDS.

securitynik@snort3:~$ sudo snort -i enp0s3:enp0s8
[sudo] password for securitynik: 
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
--------------------------------------------------
pcap DAQ configured to passive.
Commencing packet processing
++ [0] enp0s3:enp0s8
...

You might notice above that "DAQ configured for passive". To enable inline mode operations, leverage the -Q option within your configuration.

securitynik@snort3:~$ sudo snort -i enp0s3:enp0s8 -v -Q
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
--------------------------------------------------
Inspection Policy : policy id 0 : 
--------------------------------------------------
pcap DAQ configured to inline.
--------------------------------------------------
host_cache
    memcap: 8388608 bytes
Commencing packet processing
++ [0] enp0s3:enp0s8
Instance 0 daq pool size: 256
Instance 0 daq batch size: 64
...

You more than likely want to run snort in IDS or IPS mode. Thus you would take advantage of a configuration file. Let's use the default one which comes with Snort3 and which we used in the previous post.

securitynik@snort3:~$ sudo snort -i enp0s3:enp0s8 -v -Q -c /usr/local/etc/snort/snort.lua 
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
....

Finished /usr/local/etc/snort/snort.lua:
--------------------------------------------------
Inspection Policy : policy id 0 : /usr/local/etc/snort/snort.lua
--------------------------------------------------
.....
stream_tcp:
             flush_factor: 0
                  max_pdu: 16384
               max_window: 0
                   no_ack: disabled
            overlap_limit: 0
                   policy: bsd
              queue_limit: { max_bytes = 1048576, max_segments = 2621 }
         reassemble_async: enabled
             require_3whs: -1 (disabled)
          session_timeout: 30
           small_segments: { count = 0, maximum_size = 0 }
               track_only: disabled
--------------------------------------------------
stream_udp:
          session_timeout: 30
--------------------------------------------------
stream_user:
          session_timeout: 30
--------------------------------------------------
telnet:
        ayt_attack_thresh: -1
          check_encrypted: disabled
        encrypted_traffic: disabled
                normalize: disabled
--------------------------------------------------
wizard:
--------------------------------------------------
pcap DAQ configured to inline.
--------------------------------------------------
host_cache
    memcap: 8388608 bytes
Commencing packet processing
++ [0] enp0s3:enp0s8
Instance 0 daq pool size: 256
Instance 0 daq batch size: 64

Let's see now what the "--talos" option shows us. The Snort reference manual is not very verbose on this. It simply says it "enables Talos tweak", whatever that means. Additionally, instead of using "--talos", you can use "--tweaks talos".

securitynik@snort3:~$ sudo snort -i enp0s3:enp0s8 -Q -c /usr/local/etc/snort/snort.lua \
--tweaks talos --pcap-list securitynik-sample.pcap -R local.rules -q

##### securitynik-sample.pcap #####
	[1:1:0] Nik Testing (alerts: 2825)
#####
--------------------------------------------------
rule profile (all, sorted by total_time)
#       gid   sid rev    checks matches alerts time (us) avg/check avg/match avg/non-match timeouts suspends
=       ===   === ===    ====== ======= ====== ========= ========= ========= ============= ======== ========
1         1     1   0      2908    2908   2825      1863         0         0             0        0        0

We see above information on our test rule. Not to worry, we will look at rules in the  next post where we feed the pig. Remember, rules gives the pig wings :-)

References:

https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/003/979/original/Snort3_3.1.0.0_on_Ubuntu_18___20.pdf

https://snort-org-site.s3.amazonaws.com/production/release_files/files/000/016/344/original/snort_reference.html

https://snort-org-site.s3.amazonaws.com/production/release_files/files/000/016/343/original/snort_user.html

https://www.youtube.com/watch?v=PYP0YH2PVuo&list=PLpPXZRVU-dX33VNUeqWrMmBNf5FeKVmi-&index=2