In the previous post, we performed the install of Snort3. In this post, we learn a little about Snort3 before we start feeding it rules, and then perform some housekeeping.
Getting help!
securitynik@snort3:~$ snort --help
Snort has several options to get more help:

-?                                  list command line options (same as --help)
--help                              this overview of help
--help-commands [<module prefix>]   output matching commands
--help-config [<module prefix>]     output matching config options
--help-counts [<module prefix>]     output matching peg counts
--help-limits                       print the int upper bounds denoted by max*
--help-module <module>              output description of given module
--help-modules                      list all available modules with brief help
....
To get help for a particular component, we can then run:
securitynik@snort3:~$ snort --help-commands
appid.enable_debug(proto, src_ip, src_port, dst_ip, dst_port): enable appid debugging
appid.disable_debug(): disable appid debugging
appid.reload_third_party(): reload appid third-party module
appid.reload_detectors(): reload appid detectors
host_cache.dump(file_name): dump host cache
...
securitynik@snort3:~$ snort --list-plugins | more
codec::arp v0 static
codec::auth v0 static
codec::bad_proto v0 static
codec::ciscometadata v0 static
codec::erspan2 v0 static
codec::erspan3 v0 static
codec::esp v0 static
codec::eth v0 static
codec::fabricpath v0 static
codec::gre v0 static
....
securitynik@snort3:~$ snort --help-options
-? <option prefix>  output matching command line option quick help (same as --help-options) (optional)
-A <mode>           set alert mode: none, cmg, or alert_*
-B <mask>           obfuscated IP addresses in alerts and packet dumps using CIDR mask
-C                  print out payloads with character data only (no hex)
-c <conf>           use this configuration
-D                  run Snort in background (daemon) mode
-d                  dump the Application Layer
-e                  display the second layer header info
-f                  turn off fflush() calls after binary log writes
-G <0xid>           (same as --logid) (0:65535)
-g <gname>          run snort gid as <gname> group (or gid) after initialization
-H                  make hash tables deterministic
-i <iface>...       list of interfaces
...
securitynik@snort3:~$ sudo apt-get install tshark
securitynik@snort3:~$ sudo tcpdump -n --interface enp0s3 -v -w securitynik-sample.pcap
tcpdump: listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
Got 1448
Got 1448
^C21044 packets captured
21044 packets received by filter
0 packets dropped by kernel
Using TShark, let's now see what is in this file.
securitynik@snort3:~$ tshark -n -r securitynik-sample.pcap -q -z io,phs

===================================================================
Protocol Hierarchy Statistics
Filter:

eth                                      frames:21044 bytes:178288931
  ip                                     frames:20780 bytes:178275019
    udp                                  frames:851 bytes:118457
      dns                                frames:819 bytes:115601
      ntp                                frames:24 bytes:2160
      mdns                               frames:8 bytes:696
    tcp                                  frames:19929 bytes:178156562
      http                               frames:156 bytes:28081
        media                            frames:1 bytes:1448
          tcp.segments                   frames:1 bytes:1448
      tls                                frames:7855 bytes:164523943
        tcp.segments                     frames:7572 bytes:164188303
          tls                            frames:7555 bytes:163997610
  arp                                    frames:256 bytes:13056
  ipv6                                   frames:8 bytes:856
    udp                                  frames:8 bytes:856
      mdns                               frames:8 bytes:856
===================================================================
Doing some basic processing on the file with Snort3, we see 1 PCAP with 21,044 records received and analyzed, just as we captured. We also get information on the timing for the processing of these packets. It looks like Snort3 processed all 21,044 packets in under 1 second.
securitynik@snort3:~$ snort --pcap-list securitynik-sample.pcap
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
--------------------------------------------------
pcap DAQ configured to read-file.
Commencing packet processing
++ [0] securitynik-sample.pcap
-- [0] securitynik-sample.pcap
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
                     pcaps: 1
                  received: 21044
                  analyzed: 21044
                     allow: 21044
                  rx_bytes: 16259569
--------------------------------------------------
codec
                     total: 21044       (100.000%)
                  discards: 17392       ( 82.646%)
                       arp: 256         (  1.216%)
                       eth: 21044       (100.000%)
                      ipv4: 20780       ( 98.745%)
                      ipv6: 8           (  0.038%)
                       tcp: 11046       ( 52.490%)
                       udp: 859         (  4.082%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
detection
                  analyzed: 21044
--------------------------------------------------
tcp
         bad_tcp4_checksum: 8071
--------------------------------------------------
udp
         bad_udp4_checksum: 430
         bad_udp6_checksum: 8
--------------------------------------------------
Summary Statistics
--------------------------------------------------
timing
                   runtime: 00:00:00
                   seconds: 0.486754
                  pkts/sec: 21044
                 Mbits/sec: 124
o")~   Snort exiting
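The statistics above are worth reading closely rather than just checking the packet counts: the codec block reports 82.6% discards and the tcp/udp modules report thousands of bad checksums. The following is an added example (not part of the original post or of Snort3) that parses this summary format into a dictionary and computes the share of analyzed packets carrying a bad L4 checksum, so the check can be scripted over many runs. The sample text is constructed to mirror the output shown above; a bad-checksum share this high on packets sourced from the capturing host is typically a sign of NIC checksum offload, which is worth ruling out before trusting detection results.

```python
import re
from typing import Dict, Union

Number = Union[int, float, str]

# Constructed sample modelled on the Snort3 summary printed above.
SAMPLE_STATS = """
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
                  received: 21044
                  analyzed: 21044
--------------------------------------------------
codec
                     total: 21044       (100.000%)
                  discards: 17392       ( 82.646%)
--------------------------------------------------
tcp
         bad_tcp4_checksum: 8071
--------------------------------------------------
udp
         bad_udp4_checksum: 430
         bad_udp6_checksum: 8
--------------------------------------------------
timing
                   runtime: 00:00:00
                   seconds: 0.486754
"""

# value, optionally followed by a percentage in parentheses
_VALUE = re.compile(r"^(?P<val>\S+)\s*(?:\(\s*(?P<pct>[\d.]+)%\s*\))?$")


def parse_snort_stats(text: str) -> Dict[str, Dict[str, Number]]:
    """Parse Snort3 'module / key: value' statistics into nested dicts."""
    stats: Dict[str, Dict[str, Number]] = {}
    module = "_"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"} or line.endswith("Statistics"):
            continue                      # separators and section banners
        if ":" not in line:               # an unindented module name
            module = line
            stats.setdefault(module, {})
            continue
        key, _, rest = line.partition(":")  # partition keeps "00:00:00" intact
        m = _VALUE.match(rest.strip())
        val = m.group("val")
        try:
            num: Number = float(val) if "." in val else int(val)
        except ValueError:
            num = val                     # e.g. runtime "00:00:00"
        stats.setdefault(module, {})[key.strip()] = num
        if m.group("pct"):
            stats[module][key.strip() + "_pct"] = float(m.group("pct"))
    return stats


def bad_checksum_share(stats: Dict[str, Dict[str, Number]]) -> float:
    """Fraction of analyzed packets with a bad TCP/UDP checksum."""
    bad = sum(v for mod in ("tcp", "udp") for k, v in stats.get(mod, {}).items()
              if k.startswith("bad_") and k.endswith("_checksum"))
    return bad / stats["daq"]["analyzed"]
```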
If you wish to dump the contents of the PCAP file, add the "-L dump" option, or go even further by adding "-d" to dump the application data. In this case I will add "-n 1" to only show 1 packet.
securitynik@snort3:~$ snort --pcap-list securitynik-sample.pcap -L dump -d -n 1
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
--------------------------------------------------
pcap DAQ configured to read-file.
Commencing packet processing
++ [0] securitynik-sample.pcap
pkt:1
eth(DLT):  08:00:27:2A:BA:15 -> 52:54:00:12:35:02  type:0x0800
ipv4(0x0800):  10.0.2.15 -> 64.71.255.198
        Next:0x11 TTL:64 TOS:0x0 ID:55133 IpLen:20 DgmLen:86 DF
snort.raw[66]:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
9F 59 00 35 00 42 4C 70 9C 9D 01 00 00 01 00 00  .Y.5.BLp ........
00 00 00 01 12 63 6F 6E 6E 65 63 74 69 76 69 74  .....con nectivit
79 2D 63 68 65 63 6B 06 75 62 75 6E 74 75 03 63  y-check. ubuntu.c
6F 6D 00 00 01 00 01 00 00 29 02 00 00 00 00 00  om...... .)......
00 00                                            ..
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
securitynik@snort3:~$ ip address show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:2a:ba:15 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic noprefixroute enp0s3
       valid_lft 59259sec preferred_lft 59259sec
    inet6 fe80::8adb:ccd9:2479:82c3/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:eb:40:cd brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.116/24 brd 10.0.0.255 scope global dynamic noprefixroute enp0s8
       valid_lft 459sec preferred_lft 459sec
    inet6 fe80::2cf1:a00b:bcce:f58c/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
securitynik@snort3:~$ sudo snort -i enp0s3:enp0s8
[sudo] password for securitynik:
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
--------------------------------------------------
pcap DAQ configured to passive.
Commencing packet processing
++ [0] enp0s3:enp0s8
...
You might notice above that it says "pcap DAQ configured to passive". To enable inline mode operation, use the -Q option.
securitynik@snort3:~$ sudo snort -i enp0s3:enp0s8 -v -Q
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
--------------------------------------------------
Inspection Policy : policy id 0 :
--------------------------------------------------
pcap DAQ configured to inline.
--------------------------------------------------
host_cache
    memcap: 8388608 bytes
Commencing packet processing
++ [0] enp0s3:enp0s8
Instance 0 daq pool size: 256
Instance 0 daq batch size: 64
...
You more than likely want to run Snort in IDS or IPS mode, and for that you would take advantage of a configuration file. Let's use the default one which comes with Snort3, and which we used in the previous post.
securitynik@snort3:~$ sudo snort -i enp0s3:enp0s8 -v -Q -c /usr/local/etc/snort/snort.lua
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
....
Finished /usr/local/etc/snort/snort.lua:
--------------------------------------------------
Inspection Policy : policy id 0 : /usr/local/etc/snort/snort.lua
--------------------------------------------------
.....
stream_tcp:
    flush_factor: 0
    max_pdu: 16384
    max_window: 0
    no_ack: disabled
    overlap_limit: 0
    policy: bsd
    queue_limit: { max_bytes = 1048576, max_segments = 2621 }
    reassemble_async: enabled
    require_3whs: -1 (disabled)
    session_timeout: 30
    small_segments: { count = 0, maximum_size = 0 }
    track_only: disabled
--------------------------------------------------
stream_udp:
    session_timeout: 30
--------------------------------------------------
stream_user:
    session_timeout: 30
--------------------------------------------------
telnet:
    ayt_attack_thresh: -1
    check_encrypted: disabled
    encrypted_traffic: disabled
    normalize: disabled
--------------------------------------------------
wizard:
--------------------------------------------------
pcap DAQ configured to inline.
--------------------------------------------------
host_cache
    memcap: 8388608 bytes
Commencing packet processing
++ [0] enp0s3:enp0s8
Instance 0 daq pool size: 256
Instance 0 daq batch size: 64
securitynik@snort3:~$ sudo snort -i enp0s3:enp0s8 -Q -c /usr/local/etc/snort/snort.lua \
--tweaks talos --pcap-list securitynik-sample.pcap -R local.rules -q

##### securitynik-sample.pcap #####
    [1:1:0] Nik Testing (alerts: 2825)
#####

--------------------------------------------------
rule profile (all, sorted by total_time)
#       gid     sid     rev     checks  matches alerts  time (us)  avg/check  avg/match  avg/non-match  timeouts  suspends
=       ===     ===     ===     ======  ======= ======  =========  =========  =========  =============  ========  ========
1       1       1       0       2908    2908    2825    1863       0          0          0              0         0
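The rule profile printed at the end is the place to look when a local rule turns out to be expensive or noisy: checks versus matches versus alerts tells you how often the fast-pattern matcher hands a packet to the rule and how often it actually fires, and time (us) divided by checks gives the cost per evaluation. The following added example (not from the original post or from Snort3) parses that table and ranks rules by cost per check; the second row is a constructed rule with a placeholder sid, added only so there is something to rank.

```python
from typing import Dict, List

# Column names for the 13 numeric fields of a Snort3 rule profile row.
COLUMNS = ["num", "gid", "sid", "rev", "checks", "matches", "alerts",
           "time_us", "avg_check", "avg_match", "avg_non_match",
           "timeouts", "suspends"]

# Constructed sample: first row mirrors the page's output, second row is made up
# (sid 1000002 is a placeholder local sid, not from the post).
SAMPLE_PROFILE = """
--------------------------------------------------
rule profile (all, sorted by total_time)
#   gid sid rev checks matches alerts time (us) avg/check avg/match avg/non-match timeouts suspends
=   === === === ====== ======= ====== ========= ========= ========= ============= ======== ========
1   1   1   0   2908   2908    2825   1863      0         0         0             0        0
2   1   1000002 1 21044 12     12     30000     1         2500      1             0        0
"""


def parse_rule_profile(text: str) -> List[Dict[str, int]]:
    """Return one dict per rule row; header, separator and banner lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # The header has 14 tokens ("time" "(us)") and starts with '#', so only
        # lines with exactly 13 all-numeric tokens are data rows.
        if len(parts) != len(COLUMNS) or not all(p.isdigit() for p in parts):
            continue
        rows.append(dict(zip(COLUMNS, (int(p) for p in parts))))
    return rows


def cost_per_check(row: Dict[str, int]) -> float:
    """Microseconds spent per evaluation; Snort prints this rounded to an int."""
    return row["time_us"] / row["checks"] if row["checks"] else 0.0


def rank_by_cost(rows: List[Dict[str, int]]) -> List[Dict[str, int]]:
    """Most expensive rule per check first."""
    return sorted(rows, key=cost_per_check, reverse=True)


def match_rate(row: Dict[str, int]) -> float:
    """Share of checks that matched: low values mean the rule is evaluated but rarely fires."""
    return row["matches"] / row["checks"] if row["checks"] else 0.0
```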