Configuring snort rules

From Notes_Wiki

Home > CentOS > CentOS 6.x > Security tools > Snort configuration > Configuring very basic snort rules

Following steps can be used for configuring or testing very basic snort rules:

  • Create file /etc/snort/rules/local.rules using 'touch /etc/snort/rules/local.rules'
  • In file '/etc/snort/snort.conf' uncomment line 'include $RULE_PATH/local.rules'
  • Now we can put simple rules in local.rules file and test them with snort.



Snort rule syntax

Snort rules are in format

action   protocol   src_ip  src_port  direction   dst_ip   dst_port   (rule options)

Note:

  • Most snort rules are written in single line. We can write rules that span multiple lines by ending all but-last line with a backslash ('\') character.
  • It is not necessary for rules to have rule options, but most rules would have options to make them useful.


Sample rule is:

alert tcp any any <> 10.100.1.107 80 (flags:S; msg: "HTTP access on vm7"; sid:1000001; rev:1;)


Types of action

Snort rules can have one of the following actions:

alert Generate an alert using the selected alert method, and then log the packet. We can do different types of analysis on logged packets later on.
log Log the packet. Basically packet will get logged in snort log file and we can do different type of analysis on this logged packet later.
pass Ignore the packet. This is like ACCEPT target of iptables firewall rules.
activate Alert and then activate another dynamic rules. Dynamic rules are applied only when they are activated by some other rule. For example if we are checking for some HTTP GET related vulnerability, then we can first check whether connection is an HTTP GET connection and if it is, then activate HTTP GET related checks. This makes snort very efficient as many rules are checked only if some other rule activates them.
dynamic This rules are idle until activated by some other rule. After being activated they act as long rule. These are used to log packets only when some alert is triggered to avoid unnecessary logging of all packets most of which may not have any attack.
drop Block the packet and also log it.
reject Block the packet, log it and then also send TCP RST if connection is TCP based connection, or send ICMP unreachable packets if connection is UDP based connection.
sdrop Block the packet but do not log it.

Note:

  • alert, log, pass, activate, and dynamic are available by default in snort.
  • drop, reject and sdrop are available when snort is used in inline mode.


Types of protocol

At time of this writing snort supported following protocols:

  • TCP
  • UDP
  • IP
  • ICMP


Specifying source and destination IP

We can specify IP directly or use IP/mask method to specify a subnet. We can specify multiple IPs or subnets by enclosing them in square brackets ('[]') and by using (',') to separate two different IPs. Do not leave space between various IPs when using square brackets to specify a list of IPs. We can also use ! to negate specified set.

Examples:

  • 10.5.1.222
  • 192.168.1.0/24
  • !192.168.1.0/24
  • [192.168.1.0/24,10.1.1.0/24]
  • ![192.168.1.0/24,10.1.1.0/24]

Special IP address any means 0.0.0.0/0 and will match any IP address.



Specifying source and destination ports

We can specify single ports directly by number. We can specify port range using colon (':') operator. We can negate ports using ! operator. We can also specify list of ports using square brackets and comma same as that for IP address.

Examples:

  • '80' - Only port 80
  • ':1024' - Any port less than 1024
  • '1024:' - Any port greater than 1024
  • '512:1024' - Ports between 512 and 1024
  • '[80,800:8000]' - Port 80 or any port between 800 and 8000
  • '![80,800:8000]' - Port not between numbers 800 and 8000, also not port 80.



Types of direction operator

Two types of directional operators are available for writing snort rules:

  • '->' signifies unidirectional rules
  • '<>' specified bidirectional rules.

Note:There is no '<-' operator.




Snort rule options

Snort rule options help in providing ease of use, along with flexibility and power. All rule options are terminated using semicoloon (';') and arguments are separated from options using colon (':'). There are four major categories of rule options:

  1. General - These options provide information about the rule but do not have any affect during detection. Information about general snort rule options is available at snort general rule options page.
  2. Payload - These options all look for data inside the packet payload and can be inter-related. Information about payload snort rule options is available at snort payload rule options page.
  3. Non-payload - These options look for non-payload data. Information about non-payload snort rule options is available at snort non-payload rule options page.
  4. Post-detection - These options are rule specific triggers that happen after a rule has fired. Information about post-detection snort rule options is available at snort post-detection rule options page.



'Snort users manual' at http://www.snort.org/docs has a complete chapter on Writing snort rules can be referred for latest information on all types of snort rule options. The options listed here are the ones that I learned or are very common and hence used a lot.



Home > CentOS > CentOS 6.x > Security tools > Snort configuration > Configuring very basic snort rules