Our final test shows Snort running in its third mode, which is considered an inspection or intrusion detection mode. Activating this mode requires creating a configuration file, which we will call snortconf.test. That file contains the following:
Now we activate Snort in IDS mode using the -c switch, and send a single ICMP packet (not shown). Notice in the output that Snort recognizes the single rule contained in our snortconf.test file.
The action statistics section reports generating five alerts. A look in the tests directory shows an alert file with interesting contents.
The single ICMP echo and single ICMP echo reply produced five separate alerts. Four of the alerts were generated by Snort's packet decoder, as indicated by "(snort decoder)". These are not related to any rules. The only alert created by a rule is the LOCAL ICMP echo test alert.
These alerts are self-explanatory, mainly describing traffic involving the same source and destination IP addresses (127.0.0.1) and loopback traffic. Our custom rule fired simply because we told it to look for ICMP type 8 (echo) messages.
Inspecting the snort.log.1164036844 file shows the packets corresponding to each Snort alert. Notice that the first three are identical and the second two are identical.
IDS mode is the most common mode, and this section demonstrates how to simply validate that Snort is working as one expects.
Snort may also operate in an inline mode, where it makes pass or drop decisions based on certain actions. We will save that functionality for a future article.
Snort: Fundamentals and installation tips for the channel
Packet logger mode
Intrusion detection mode
About the author
Richard Bejtlich is founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog (taosecurity.blogspot.com).
This was first published in December 2006