Snort Made Easy

The day after the Bugbear mass-mailing email worm began making the rounds, my company's heavy-duty color printer began to kick out garbage pages with printer-character gibberish. Because of a coding error in Bugbear, the worm can't tell the difference between a network share, which it's trying to infect, and a printer share, so often the first visible symptoms of a Bugbear-infected network are stacks of printer garbage pages. Had Bugbear slipped past all my security and antivirus defenses?

I quickly fired up Snort, the popular open-source lightweight network Intrusion Detection System (IDS), which you can download at Snort.org (http://www.snort.org). I used the Google search engine to locate another user's just-written Snort signature for Bugbear, copied the signature to my clipboard, pasted it into my Snort virus.rules file, and ran Snort again to sniff my network. However, Snort didn't find anything. The printing garbage turned out to be just a Windows 2000 printer driver compatibility problem.

Snort was the only tool I could think of that could double-check my malicious software (malware) defenses, and that's exactly what the tool's developers designed it to do. Unfortunately, many Windows-centric administrator friends don't use Snort because of its UNIX roots and stories of difficult installations and program calls that require long DOS-like commands. And those stories are true. However, new Snort tools are available that provide the typical "Next, Next, OK" installation routines Windows users are familiar with and that let you run the program with mouse clicks. Now you can easily install, configure, and manage Snort in a Windows environment. For a quick overview of the installation process, see the Web sidebar "Step-by-Step Snorting the Easy Way" at http://www.secadministrator.com, InstantDoc ID 37871.

Snort Basics
Snort is a free tool that's often described as a virus scanner for network packets. Snort has three modes: network sniffer, network packet logger, and network intrusion detector. Snort is perfect for detecting Denial of Service (DoS) attacks, fragmentation attacks, CodeRed infiltration, and Microsoft SQL Server injection attacks. Originally written by Martin Roesch in 1998 for his personal use, Snort enjoys a large open-source-community support system. You can connect Snort to external databases to ease packet and event logging and analysis, link it to reporting tools, manage it through centralized consoles, and enable it to participate in many types of alert systems.

Snort was originally a UNIX-only program, but it has been successfully ported to Windows. Before you install Snort on a Windows machine, you must download the latest binary and support files and make sure WinPcap is installed. WinPcap is the Windows version of the kernel-level packet-filter driver libpcap, which is necessary to capture and decode packets. You can download WinPcap 2.3 at http://winpcap.polito.it/install/bin/winpcap_2_3.exe.

Running Snort used to mean you had to learn about two dozen case-sensitive parameters and enter them at a command prompt or in a text-based configuration file. The following sample Snort command

snort -c snort.conf  -h 192.168.1.0/24 -dq -l  c:log -vyU net 192.168.1

is obviously not a command that Windows GUI­loving administrators are going to embrace.

The snort.exe program file is closely aligned with a configuration file, usually called snort.conf. Snort.conf can contain any of the parameter options you would otherwise type at a command prompt, so if you use snort.conf, instead of typing a long stream of directives each time you run the Snort command, you can just type

snort

The standard Snort configuration file that comes with most versions contains sections that tell Snort which IP addresses are and aren't on the local home network (typical Snort users are trying to protect inside machines from outside machines), configure and launch preprocessors and output plugins, and customize rule sets.

Snort plugins are modular pieces of code that extend the program's preprocessing functionality, detection functionality, and output options. Preprocessors are plugins and rules that perform a particular function, such as monitoring port scans, preventing fragmentation attacks, or detecting Trojan-horse packets. Preprocessor plugins are run once on each examined packet. Detection plugins look for specific data within a decoded packet (e.g., they might look for the word "victim" in the payload data), and they can run multiple times per packet. Output plugins let you pipe packet-logging messages and alert messages to different formats, such as HTML and XML, and to different databases, such as MySQL and syslog servers.

Rules are the heart of Snort; they define which packets and content Snort will look at and what occurrences will cause a noted event. Rules tell Snort to look at the status of different TCP flags and inspect the data payload for specific text. You can add rules one at a time to snort.conf, or you can collect many predefined rules into an external rule-set file so that snort.conf can load rules as needed. For example, if you add the statement

include virus.rules

to snort.conf, the program will run all the rules defined to catch viruses. The default virus.rules rule sets that accompany most Snort offerings aren't up-to-date with the latest viruses. In fact, most virus.rules rule sets wouldn't find 100 of the more than 40,000 types of malicious mobile programs in existence. Still, when Bugbear came out, I copied the rule that I found by using the Google search engine to my Snort version's virus.rules file so that Snort could identify Bugbear.

Snort Made Easier
For users unfamiliar with Snort and its behavior, installing and configuring the program can take a day or longer. Several Snort mailing lists, commercial companies, and free deployment guides dedicated to installing Snort are available. Two helpful guides are "How to Build a Snort Server," October 2002, http://www.secadministrator.com, InstantDoc ID 26449, and "Snort Install on Win2000/XP with Acid, and MySQL for Dummies" (http://www.sans.org/rr/intrusion/snort_install.php). But even using these guides, most first-time users are still looking at a multihour installation.

Users who want to belong to the Snort point-and-click club can download Silicon Defense's excellent Snort Windows Installer beta at http://www.silicondefense.com/software/snort_windows_installer/index.htm and can use the installer's included IDScenter—a freeware program designed as a front-end GUI for Snort—to run and manage Snort. Although you still need to understand Snort's basic concepts, the installer and IDS console will save you hours. (I strongly recommend that first-time users download the Snort manual from and read the FAQ at http://www.snort.org.) The installer requires Win2K or Windows NT 4.0, and it will install Snort for Windows 1.8 with MySQL support and the IDScenter management console. Install the Snort Windows Installer on the C drive. You can install the application to other drive letters, but you'll have to reconfigure some settings to make Snort work, defeating the purpose of the automatic installation file.

Snort Windows Installer
Run the Snort Windows Installer program as you would any other setup routine, then perform the following steps:

You should see a Silicon Defense Snort support icon, which is an advertisement for commercial support and is, in my view, a small price to pay for a quick, smooth installation. You'll also see an IDScenter icon on the desktop, which launches the console to the taskbar so that you can administer your Snort sensor. Double-click the desktop icon, right-click the taskbar icon, and choose Settings. You should be at the main screen of IDScenter 1.08d, which Figure 1 shows. You can download the latest version of IDScenter, beta 2 (released June 20, 2002), and the IDScenter manual at http://www.packx.net.

IDScenter Console
IDScenter lets you easily configure Snort variables and rule sets, add preprocessor and output plugins, launch external programs in response to detected events, configure alerts, monitor files, and set up logging options. Three buttons at the top right of the IDScenter main screen let you stop and start Snort monitoring, clear alerts, and test the Snort configuration. If you click Test configuration, IDScenter opens a DOS window and runs Snort with the settings you used IDScenter to configure. The window lets you view the startup messages that command-line users of Snort typically see.

Nine buttons at the left of the main screen let you work with different Snort views. Let's look at those views.

General setup. The General setup area lets you perform general setup operations, such as defining your home network and subnet mask. Snort needs to know which machines are on your home network (LAN) and which are remote. The IDScenter console should have automatically detected the IP address of the host on which Snort is running. When defining the home network subnet mask, the console uses Classless Inter-Domain Routing (CIDR) addressing, where /24 means a 255.255.255.0 subnet mask. If you run Snort on only one PC and you want all other locations to be considered remote, use a /32 subnet mask (255.255.255.255).

You can define multiple network interfaces and IP addresses and easily switch between them. This feature becomes handy if you have Snort on a multihomed machine or on a laptop with a docking station. When my laptop is docked, it uses the docking station's network card and obtains a DHCP lease from my corporate LAN. When undocked, my laptop uses another IP address and an internal PC card.

Note: You can run Snort without using a valid IP interface address. Several Snort FAQs explain how to hide a Snort sensor from intruders. Depending on the platform and configuration, you can set the IP address to 0.0.0.0, remove the IP protocol from the NIC (the packet-level filter still captures the traffic), make a registry entry, or create your own "hiding" cable by removing the transmit pair wires from a network cable, which lets Snort listen but not respond, essentially hiding the Snort box.

You can also tell IDScenter to launch a visible copy of the usually hidden Snort console and restart the console if it crashes or errors out. IDScenter's ability to restart Snort if it crashes is meant as a safety measure against bugs or Snort-specific DoS attacks, but it has the annoying side effect of continually restarting the console if you select an invalid option.

IDS rules. The IDS rules section of IDScenter lets you load snort.conf and manually turn on and off configuration parameters. To do so, you must understand the various sections of snort.conf (read the Snort manual), and you must remark (place a pound sign—#—character) or unremark certain lines in the configuration file. The Download button lets you download rule sets and configuration files from various security Web sites, but the links might be outdated, depending on your IDScenter version.

More recent versions of the IDScenter console include point-and-click wizards for configuring snort.conf, including setting variables, choosing rule sets, and loading and configuring plugins. These features alone make the new beta versions worth investigating.

In the Snort Windows Installer version of IDScenter console, click the Load config or Start editor buttons to load and edit the snort.conf file. You can use any combination of the two options to load, edit, and save snort.conf, although if you use both options at the same time, you could unintentionally overwrite new settings with old ones. Also, be sure to click Apply or Save to save any changes. Most of IDScenter's settings are stored in the HKEY_LOCAL_MACHINESOFTWAREEclipseIDScenter registry subkey. Use Test configuration on the main screen to determine whether any of your manual changes created an error condition with Snort's startup.

Logs/Alerts, View alerts, and Logs folder. You can use the Logs/Alerts section to set or change Snort's default logging directory, as Figure 2 shows. Snort saves alerts to a file called alert.ids. You can save logs to a remote syslog server or to Win2K, NT, or other external databases. In packet-sniffing or logging mode, Snort saves packet data to files in subdirectories named after an involved host's IP address (the host with the higher port number in the connection). The ASCII text files are named after the transport layer (e.g., UDP, TCP, and Internet Control Message Protocol—ICMP) and source and destination port numbers. For example, the subfolder might be named 192.168.10.12 and the log files might be called TCP_3910_80.IDS, UDP_1900_1024.IDS, and ICMP_ECHO.IDS. This system can be difficult to work with until you get accustomed to it. Note that if you select the Log alerts to eventlog (-E) check box, messages will appear in the Application event log.

You can also choose the level of detail to log about each packet and alert and whether you want to log any packet tracings. In binary logging or Fast mode, Snort saves all data to a tcpdump-formatted file, which lets the program capture more traffic on a busy link. You can read the tcpdump (a UNIX-only utility) file with the Windows-port version of the utility, WinDump, which you can download at http://windump.polito.it. You can also feed the file back into Snort by using the -r (readback mode) option, although the IDScenter console doesn't help with the readback process. You can turn off packet logging and still leave on Snort alerting. You can click Logs folder to see all the Snort logs and subfolders and click View alerts to read the alerts log.

E-Mail alert and Special options. The E-Mail alert area lets you configure Snort to send alerts through SMTP messages to preconfigured recipients. You can send messages to multiple receivers by placing a semicolon between each address.

In the Special options area, you can tell Snort to play a sound effect or execute an external program when it sends an alert. Some users create scripts that respond to particular events, such as telling the firewall to block all traffic originating from a malicious sender's IP address. You can find scripts on the Internet that work with various firewall programs.

Preferences and Overview. The Preferences area lets you tell IDScenter whether to use its internal log viewer or an external log viewer, such as wordpad.exe. You can also configure Snort to log output to HTML or other types of databases for easier analysis. You can configure IDScenter and Snort to automatically start when the Snort PC starts. This feature is useful if a power failure occurs on a Snort box stored in a remote location because Snort will restart when the PC gets power back.

The Overview area can tell you about any startup or runtime Snort errors. You can even view the Snort command-line instruction that you would have to type if you didn't use the IDScenter console. If you change any settings, you'll need to start and stop Snort to let the changes take effect. Be sure to click Apply—if it's presented—after making a change.

IDScenter—Not Perfect
Like most open-source projects that one person created or maintained, IDScenter has a few bugs. After a lot of changes in one reconfiguration session, IDScenter might display an error message or quit suddenly. Error messages are often in German or French. I've had better success by making one change, applying it, and testing the configuration before making the next change. Online IDScenter support is available at http://www.packx.net. The members of the IDScenter support forum have always responded to my questions in less than 24 hours. Also, for those who want to delve even deeper into computer forensics, advanced reading is available at the Honeynet Project Web site (http://www.honeynet.org).

Every Windows network should have an IDS such as Snort running as part of its proactive security toolkit. The Snort Windows Installer file makes installing Snort a snap, and the IDScenter console makes Snort significantly easier to configure and use. The process that used to take days can now take hours. Good luck Snorting!