Snort Open Source IDS

Snort is an open source Intrusion Detection System that you can use on your Linux systems.  This tutorial will go over basic configuration of Snort IDS and teach you how to create rules to detect different types of activities on the system.

For this tutorial the network we will use is:  Edit your /etc/snort/snort.conf file and replace the “any” next to $HOME_NET with your network information as shown in the example screenshot below:

Alternatively you can also define specific IP addresses to monitor, separated by commas inside [ ], as shown in this screenshot:

Now let’s get started and run this command on the command line:

snort -d -l /var/log/snort/ -h -A console -c /etc/snort/snort.conf

d= tells snort to show data
l= determines the logs directory
h= specifies the network to monitor
A= instructs snort to print alerts in the console
c= specifies the Snort configuration file

Let's launch a fast scan from a different device using nmap:

And let's see what happens in the Snort console:

Snort detected the scan. Now, also from a different device, let's launch a DoS attack using hping3:

hping3 -c 10000 -d 120 -S -w 64 -p 21 --flood --rand-source

The device displaying Snort is detecting bad traffic as shown here:

Since we instructed Snort to save logs, we can read them by running:

snort -r

Introduction to Snort Rules

Snort’s NIDS mode works based on rules specified in the /etc/snort/snort.conf file.

Within the snort.conf file we can find commented and uncommented rules as you can see below:

The rules path is normally /etc/snort/rules; there we can find the rule files:

Let's look at the rules against backdoors:

There are several rules to prevent backdoor attacks. Surprisingly, there is a rule against NetBus, a trojan horse which became popular a couple of decades ago. Let's look at it, and I will explain its parts and how it works:

alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any (msg:"BACKDOOR NetBus Pro 2.0 connection established";
flow:from_server,established; flowbits:isset,backdoor.netbus_2.connect;
content:"BN|10 00 02 00|"; depth:6; content:"|05 00|"; depth:2; offset:8;
classtype:misc-activity; sid:115; rev:9;)

This rule instructs Snort to alert about TCP connections from port 20034 on our network transmitting to any port on an external network.

-> = specifies the traffic direction, in this case from our protected network to an external one

msg = the message the alert includes when it is displayed

content = search for specific content within the packet. It can be text between “ ” or binary data (hex bytes) between | |
depth = analysis intensity; in the rule above we see two different depth values for the two different contents
offset = tells Snort at which byte of the packet to start searching for the content
classtype = tells what kind of attack Snort is alerting about

sid:115 = rule identifier
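To make the content, depth and offset options concrete, here is a small Python script added to this write-up (not part of the original article or of Snort itself) that parses the NetBus rule into its header and option list and then checks constructed sample payloads against the content options the way the depth/offset windows restrict the search; the matcher is general enough to run over any rule with these options. The payload bytes are made up for the demonstration, not real NetBus captures.

```python
import re

NETBUS_RULE = (  # the tutorial's rule, joined onto one line
    'alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any (msg:"BACKDOOR NetBus Pro 2.0 '
    'connection established"; flow:from_server,established; '
    'flowbits:isset,backdoor.netbus_2.connect; content:"BN|10 00 02 00|"; depth:6; '
    'content:"|05 00|"; depth:2; offset:8; classtype:misc-activity; sid:115; rev:9;)'
)
HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$')

def parse_rule(rule):
    """Split a rule into its header fields and an ordered list of (option, value)."""
    m = HEADER.match(" ".join(rule.split()))
    if not m:
        raise ValueError("not a Snort rule header")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    opts = []
    for item in body.split(";"):  # simple split: assumes no ';' inside the msg text
        if item.strip():
            key, _, val = item.partition(":")
            opts.append((key.strip(), val.strip().strip('"')))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": opts}

def decode_content(text):
    """Turn a content value into bytes: plain text outside | |, hex bytes inside."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)

def payload_matches(payload, opts):
    """Every content: must be found inside its own offset/depth window (absolute)."""
    i = 0
    while i < len(opts):
        key, val = opts[i]
        i += 1
        if key != "content":
            continue
        mods = {}  # depth/offset modifiers that follow this content
        while i < len(opts) and opts[i][0] in ("depth", "offset"):
            mods[opts[i][0]] = int(opts[i][1])
            i += 1
        start = mods.get("offset", 0)                              # default: byte 0
        end = start + mods["depth"] if "depth" in mods else None   # default: whole payload
        if decode_content(val) not in payload[start:end]:
            return False
    return True

NETBUS_LIKE = b"BN\x10\x00\x02\x00\x00\x00\x05\x00"  # constructed: both contents in window
SHIFTED = b"\x00BN\x10\x00\x02\x00\x00\x05\x00"      # constructed: first content past depth:6
```

Running `payload_matches(SHIFTED, parse_rule(NETBUS_RULE)["options"])` returns False even though the bytes are present, which is exactly the effect of depth:6 limiting where the first content may appear.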


Creating our own rule

Now we’ll create a new rule to notify about incoming SSH connections.  Open /etc/snort/rules/yourrule.rules, and inside paste the following text:

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH incoming";
flow:stateless; flags:S+; sid:100006927; rev:1;)

We are telling Snort to alert about any TCP connection from any external source to our SSH port (in this case the default port), including the text message “SSH incoming”; flow:stateless instructs Snort to ignore the connection’s state.

Now we need to add the rule we created to our /etc/snort/snort.conf file. Open the config file in an editor and search for #7, which is the section with rules. Add an uncommented include line like the ones in the image above by adding:

include $RULE_PATH/yourrule.rules

Instead of “yourrule.rules”, set your file name, in my case it was test3.rules.

Once that is done, run Snort again and see what happens:

snort -d -l /var/log/snort/ -h -A console -c /etc/snort/snort.conf

SSH to your device from another device and see what happens:

You can see that SSH incoming was detected.

With this lesson I hope you now know how to write basic rules and use them to detect activity on a system.

Full article:

by Ivan Vanney
