Network Monitoring (Snort IDS)

An Intrusion Detection System (IDS) is like a security camera for your network. It silently listens to all traffic passing through the wire and compares it in real-time against a database of malicious signatures. Snort is the world's most widely deployed IDS/IPS engine.

1. Snort Modes of Operation

• Sniffer Mode: Reads network packets and displays them continuously on the console.
• Packet Logger Mode: Logs packets to disk (.pcap files) for later forensic analysis (DFIR).
• NIDS Mode: Analyzes network traffic for anomalous behaviors, generating alerts based on a rules file.

2. Basic Configuration (snort.conf)

# 1. Define local network (HOME_NET)
ipvar HOME_NET 192.168.1.0/24

# 2. Define external network (EXTERNAL_NET)
ipvar EXTERNAL_NET !$HOME_NET

# 3. Include rule files
include $RULE_PATH/local.rules

3. Anatomy of a Snort Rule

A Snort rule is divided into two main parts: the Header and the Options.

Rule Header

[Action] [Protocol] [Src IP] [Src Port] -> [Dst IP] [Dst Port]

• Action: alert, log, drop.
• Protocol: tcp, udp, icmp, ip.
• Direction: -> (unidirectional), <> (bidirectional).

Rule Options

• msg: The message that will appear in the alert log.
• content: The text pattern or hexadecimal bytes to search for.
• sid: Snort ID (custom rules must use a SID > 1000000).

4. Practical Rule Examples

Detect Classic SQL Injection (Web)

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SQL Injection Attempt"; content:"' OR 1=1"; nocase; sid:1000002; rev:1;)

Detect Nmap XMAS Scan

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Nmap XMAS Scan"; flags:F,P,U; sid:1000003; rev:1;)

Using Hexadecimal Bytes

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Malware C2 Beacon"; content:"|00 00 01 4A|"; sid:1000005;)

5. Execution (CLI)

# Test configuration syntax:
snort -T -c /etc/snort/snort.conf -i eth0

# Run printing alerts to console:
snort -A console -q -c /etc/snort/snort.conf -i eth0